Monday, April 25, 2011

Why do governments have trouble retaining cyber warriors

Twitter launches Iranian #Cyberwar

Notice that it is an RT, yet I never said the word "ohai" in my life. I also don't use TweetDeck and there is no telling what is in that link ~ all I know is that there is an awful lot of this bullshit in my stream, which is currently frozen.

This should be illegal, as it is fraud and impersonation, and when these cyberarmies insert malicious code it becomes cybercrime. This needs to end!

Elyssa Durant, Ed.M.

Intelligence Analyst
Black & Berg CyberSecurity 
United States of America

@komiscan What's up with that file? Looks suspicious to me!

they are both trolls! Idiots?

MER (@Not2Fear)
2011-04-24 23:39
@kmallan you guys are so elaborately ridiculous.
kevin allan (@kmallan)
2011-04-24 23:33
@Not2Fear did you a favor and unfollowed you for your comfort! hope you enjoyed the song #masterofmanythings #lulz
MER (@Not2Fear)
2011-04-24 23:20
@kmallan well you are harming and harassing me! I am not a troll, I'm not a bot, with your comments on the STUPIDITY of ME posting VIDEO.
kevin allan (@kmallan)
2011-04-24 23:15
@Not2Fear trust me friend im not fucking with you when i do youll get so many replies youll pass out! im here to harm or harass no one!
MER (@Not2Fear)
2011-04-24 23:04
@kmallan riiiiiight so you can say whatever you want...
kevin allan (@kmallan)
2011-04-24 23:00
@Not2Fear simple block me i could give a fuck stupid
MER (@Not2Fear)
2011-04-24 22:59
kevin allan (@kmallan)
2011-04-24 22:54
@Not2Fear show me the tweet stupid besides @endtyrannynow_ is much smarter than you credit him~insist on fucking with me?
MER (@Not2Fear)
2011-04-24 22:43
@endtyrannynow_ oh, no. I have no proof. All I know is that he threatened to hack me all day, and now my ish is effed.
CLANCULARIUS (@endtyrannynow_)
2011-04-24 22:18
@Not2Fear in @kmallan defense show proof of the hack
MER (@Not2Fear)
2011-04-24 22:15
@endtyrannynow_ @kmalln right. can we know what that is, then? will he plz PLZ accuse me of something after hacking me?
CLANCULARIUS (@endtyrannynow_)
2011-04-24 22:12
@Not2Fear I ensure you friend @kmalln carries no such intentions unless you carry some sort of infection.
MER (@Not2Fear)
2011-04-24 22:01
@DaggerChuck, lemme introduce you to @kmallan && @ElyssaD, who obviously have nothing better to do than troll thru my @twitter stream...


Sunday, April 24, 2011

filemon1 || Reverse Engineering #infosec



How to reverse engineer a Windows 95 target

Version 0.01

by Fravia+ (MSRE), August 1997

Part A: Introduction to filemon - 01 August 1997

Courtesy of Fravia's page of reverse engineering

Well, a very interesting essay... I wrote it myself! :-) This essay will be divided in four (or more) parts:
A = Introduction to filemon
B = Reverse engineering without source code
C = Filemon reversed
D = Back to Main
E = VXD vagaries and mysteries
Although already available, this essay is still under construction and will be modified and ameliorated until the wording below disappears (I reckon until mid-September).


How to reverse engineer a Windows 95 program
Part A: Introduction to filemon.exe

(c) Fravia (MSRE), 1997. All rights reserved

Print as html document, else use courier 8

Sorry for the language, I'm not a native English speaker.
Sorry for the "rough" version, it's still under construction... I am publishing this essay in its incomplete form only because so many have insisted. The complete version will not be ready before mid-September and will contain many changes and improvements.
This essay is a "quick and dirty" introduction to Windows 95 reverse engineering; it requires almost NO knowledge of Windows programming, and a low to moderate knowledge of assembler coding. If you are already a good software reverse engineer this essay may disappoint you, being a little too much on the elementary side, yet I believe that a good comprehension of the basics of this trade is the main secret for advanced reverse engineering.

You may have already read the short essay (divided in two parts) that I published one year ago, reverse engineering Filemanager for Windows 3.1. Since we are all now dealing mostly with Windows 95 programs (it's not our choice - alas - but a Micro$oft imposition that everybody accepts, against any sound logic :-) it suits us well to examine the "deep" structure of filemon.exe, Version 2.0, by Mark Russinovich and Bryce Cogswell, a pretty useful program, released with its C source code at the beginning of the year. You may want to download also the LAST version of this good tool (version 3.0), released in July, at, where you'll find also its companion utility regmon.exe and the Windows NT versions of both tools with complete C++ source code. Yet for this essay download from my site version 2 of filemon.exe with its source code; this is all you'll need.

As usual, when you start a cracking session, first of all run the program, try all its options (there are not many options inside this target) and, last but not least, print the complete C source code (15 "A4" sheets). Since we have already the C source code of this program this lesson will be a "false" reverse engineering exercise: we are not going to find anything hidden or new, nor many secret tricks in here... yet I believe that many of you will find pretty useful our work below, since analogous structures will more or less be present inside UNKNOWN code, inside other targets, that you'll try to reverse engineer on your own.
Another (very) interesting point in this program is its use of a virtual device driver (VXD) for the filtering of all file system accesses... VXD reverse engineering is a branch in its own rights, as you will see.
Here you go: these are all the files you'll find inside:

Searching ZIP: FILSRC.ZIP
 Length  Method   Size  Ratio   Date     Time   CRC-32    Attr  Name
 ------  ------   ----  -----   ----     ----   ------    ----  ----
      0  Stored      0    0%  07-03-97  13:16  00000000  --wD  GUI/
      0  Stored      0    0%  07-03-97  13:16  00000000  --wD  VXD/
    766  DeflatN   350   55%  28-03-96  08:55  cc319149  --w-  GUI/APPICON.ICO
  16015  DeflatN  7090   56%  16-03-97  20:47  ce4c6ba6  --w-  GUI/FILEVXD.VXD
  58368  DeflatN  4905   92%  16-03-97  20:49  75a1fd27  --w-  GUI/FILEMON.NCB
      0  Stored      0    0%  07-03-97  13:16  00000000  --wD  GUI/RELEASE/
  38912  DeflatN  1764   96%  16-03-97  20:49  266898dd  --w-  GUI/FILEMON.MDP
   7176  DeflatN  1522   79%  27-11-96  14:34  4ccc82e0  --w-  GUI/FILEMON.MAK
   4786  DeflatN  1396   71%  16-03-97  20:48  54b79e51  --w-  GUI/FILEMON.RC
   2312  DeflatN   623   74%  16-03-97  20:13  fea19b03  --w-  GUI/RESOURCE.H
  22356  DeflatN  6422   72%  16-03-97  20:22  58b0c5ab  --w-  GUI/FILEMON.C
  16015  DeflatN  7090   56%  16-03-97  20:47  ce4c6ba6  --w-  GUI/RELEASE/FILEVXD.VXD
  38912  DeflatN 18466   53%  16-03-97  20:48  4d4d1cee  --w-  GUI/RELEASE/FILEMON.EXE
    420  DeflatN   255   40%  24-11-96  21:09  bd0b63d3  --w-  VXD/MAKEFILE
   1199  DeflatN   259   79%  16-03-97  20:47  1c1c6d4c  --w-  VXD/FILEVXD.DEF
   1620  DeflatN   961   41%  16-03-97  20:47  20fd9fad  --w-  VXD/FILEVXD.SYM
   1480  DeflatN   373   75%  16-03-97  20:47  031f6484  --w-  VXD/FILEVXD.EXP
  16015  DeflatN  7090   56%  16-03-97  20:47  ce4c6ba6  --w-  VXD/FILEVXD.VXD
   6212  DeflatN  1699   73%  16-03-97  20:47  ce4845f1  --w-  VXD/FILEVXD.MAP
  15675  DeflatN  6009   62%  16-03-97  20:47  7702cbad  --w-  VXD/FILEMON.OBJ
   1384  DeflatN   364   74%  16-03-97  20:47  1ec43719  --w-  VXD/FILEVXD.LIB
    313  DeflatN   194   39%  05-12-95  02:01  317f17cc  --w-  VXD/FILEVXD.VRC
    452  DeflatN   283   38%  23-11-96  18:36  0ea560c5  --w-  VXD/FILEVXD.RES
  82944  DeflatN  5012   94%  16-03-97  20:47  f7db1ed0  --w-  VXD/FILEVXD.PDB
  84457  DeflatN 12255   86%  24-11-96  04:47  6f9a8ab8  --w-  VXD/TEST.FIL
  35430  DeflatN  7703   79%  16-03-97  20:45  2fc85672  --w-  VXD/FILEMON.C
   1139  DeflatN   509   56%  16-03-97  20:24  e642c40b  --w-  VXD/IOCTLCMD.H
   1557  DeflatN   582   63%  16-03-97  20:25  395d7317  --w-  VXD/FILEMON.H
 ------           -----  -----                                  -------
 455915          93176    80%                                  28
We'll reverse engineer two files: filemon.exe and filevxd.vxd. We'll begin with filemon.exe. The reverse engineering of this program will be COMPLETE, since its various parts will be useful -for you- in order to learn some of the different aspects and techniques (and tricks) of our trade. Be patient and wade slowly through the code of this target, I'll keep you on the right path.
'Dead listing' reverse engineering, as +ORC calls it, is a slow "puzzle solving" process: the intellectual challenge can be extremely interesting, btw.
We will NEVER use Winice in this essay, as it is NOT NECESSARY to use our powerful debugger to understand EVERYTHING a target does, as you'll see reading this essay.

Elementary must know, the SaveFile approach

Some elementary MUST KNOW that you should heed before starting a cracking session:
At the beginning there are no names... only a sea of numbers, hundreds of different locations... that's your target "in the wild", roaming around with unnamed procedures, before you tame it to clarity.
Soon some little islands will appear... their form still indeterminate... slowly you'll understand what some procedures of your target (should) do... for instance here in filemon (as in almost all programs you'll disassemble) it's pretty easy to individuate the "FileSaving" function, using simple search masks inside the dead listing.
Searching you'll quickly get to this part of your dead listing:

:00401CF3 C744244804824000 mov [esp + 48], 00408204 ;"Save File Info..."
:00401CFB C7442454FC814000 mov [esp + 54], 004081FC ;"*.fil"
Now just dead list "back", to the beginning of this function:
:00401C20 81EC7C060000 sub esp, 0000067C ;correct stack
Since this function starts at :00401C20, we can at once substitute (search and replace) any "call 00401C20" (which is not a very useful tag for our dead listing perusing) with a much more meaningful tag: "call 00401C20=savefile".
Note how our substitution did NOT eliminate the location number, you better keep always such number locations together with your new tags, because during your cracking sessions you will necessarily commit quite a lot of mistakes, that you'll correct later. Keeping the original location numbers together with your new assigned 'provisory' names will help you a lot when needed.
Inside filemon's dead listing we will find only two occurrences of a call to our "FileSaving" routine, but working on your own targets, later, you'll soon discover how abstruse (and puzzling) code snippets will suddenly become comprehensible thanks to these - very simple - substitutions.
Let's have a look at the relevant filemon's code:
This snippet of code calls twice the SaveFile function of our target... by the way, since this kind of routines are typically called from the main menu of the main window ("Save" and "Saveas" inside the "File" main menu option), this snippet will be very probably inside a WM_COMMAND structure... more about this later)... here is the part of code calling SaveFile:
:00401569 6A00 push 00000000 ;BOOLEAN FALSE
:0040156B A1B8964000 mov eax, [004096B8] ;get second par
:00401570 8BB42458010000 mov esi, [esp + 00000158] ;get HWND hWnd
:00401577 50 push eax ;push second par
:00401578 56 push esi ;push HWND hWnd
:00401579 E8A2060000 call 00401C20=savefile
:0040157E 83C40C add esp, 0000000C
:00401581 E97E010000 jmp 00401704
:00401586 6A01 push 00000001 ;BOOLEAN TRUE
:00401588 A1B8964000 mov eax, [004096B8] ;get second par
:0040158D 8BB42458010000 mov esi, [esp + 00000158] ;get HWND hWnd
:00401594 50 push eax ;push second par
:00401595 56 push esi ;push HWND hWnd
:00401596 E885060000 call 00401C20=savefile
:0040159B 83C40C add esp, 0000000C
:0040159E E961010000 jmp 00401704
You notice that I have already transformed "call 00401C20" into "call 00401C20=savefile". You may use the same "search and replace" technique also for memory locations whose significance you have understood. Usually you'll be lucky every time that a KNOWN return value of a KNOWN Windows function is stored in a specific memory location. This will allow you to prepare easily an immediate "search and replace" of the same location in the whole dead listing, whereby you'll substitute awkward number-locations with your tags, explaining their exact meaning.
Yet you'll be able to clear the meaning of quite a lot of code even if you DO NOT KNOW the exact meaning of a value stored inside a memory location... the important thing is that you know where that value is used... let's make an example, look at the code above once more.
This small code snippet let us understand that the "homemade" function SaveFile of our target accepts THREE parameters (note the three pushes before each call).
One of the three parameters is, clearly, a boolean parameter, either 0 or 1... can you guess what this could be... in a "save file" operation? It's the "saveas" parameter in alternative to "save", a typical boolean parameter for saving operations... we don't even need the confirmation of the c code...
Nice... and the other two parameters? The first one (in the C call; the last one in assembly) is HWND hWnd, of course, and the other one, the "middle" one? We know, from the C source, that it's HWND ListBox, but we could ALREADY have searched and replaced all memory locations "[004096B8]" - in the whole dead listing - with something like "[004096B8]=SaveFileSecondPar", and believe me, this would have made quite a BIG difference in a huge 7-8 megabyte dead listing where you don't even understand what the hell the programmer was trying to do, nor where the snippets of the target's code you are looking for have been hidden inside the huge codewoods.

OK, we have finished our quick examination of the small snippet above... would you like to know what it was exactly? It corresponds to the following 6 lines of "C" code, placed inside the main "switch" tree (for WM_COMMAND) of the MainWndProc:

case IDM_SAVE:
    SaveFile( hWnd, hWndList, FALSE );
    return 0;
case IDM_SAVEAS:
    SaveFile( hWnd, hWndList, TRUE );
    return 0;

Let's start cracking: the first function
Now let's start together anew: take your sheets with the C source code, have a general look, prepare your favourite cocktail (may I suggest a traitor?) and then jump with me inside the disassembled target...
If you just read the disassembled code that follows, with my comments, you'll notice pretty easily how the c source code has been "translated" in assembler.
The first windows' function in the C source code is ABORT, let's examine first of all its "C" code:
/********************************************************************
 *  FUNCTION: Abort
 *  PURPOSE:  Handles emergency exit conditions.
 ********************************************************************/
void Abort( HWND hWnd, TCHAR * Msg )
{
    MessageBox( hWnd, Msg, "filemon", MB_OK );
    PostQuitMessage( 1 );
}
Note the 4 parameters of the MessageBox function, from left to right: hWnd, Msg, "progname", MB_OK... as you'll now see, in assembly they will be pushed in REVERSE ORDER: MB_OK, "progname", Msg, hWnd.
And here is the code of our target
//********************** Start of Code in Object .text **************
Program Entry Point = 004024E0 (Filemon.exe File Offset:000018E0)
:00401000 8B442408 mov eax, [esp + 08] ;get msg in eax
:00401004 6A00 push 0 ;push right parameter: MB_OK (=0)
:00401006 8B4C2408 mov ecx, [esp + 08] ;get hWnd in ecx
:0040100A 68C0804000 push 004080C0 ;push StringData "filemon"
:0040100F 50 push eax ;push msg
:00401010 51 push ecx ;push hWnd
:00401011 FF1590B24400 Call dword ptr [0044B290] ;call USER32.MessageBoxA
:00401017 6A01 push 1 ;push 1 for PostQuit
:00401019 FF1588B24400 Call dword ptr [0044B288] ;call USER32.PostQuitMessage
:0040101F C3 ret ;finis
What does this little introductory example mean from a reverse engineering point of view? It means, for a start, that EVERY TIME you find a "call USER32.MessageBoxA" function, in your disassembled listing you may substitute IMMEDIATELY the 4 pushes preceding it with:
First push: whatever MessageBoxStyle has been used (here 0 = MB_OK)... see below the complete list
Second push: Title of the MsgBox
Third push: Msg
Fourth push: hWnd

You dig it?
It's the same old story we already (should) know from DOS reverse engineering, actually:
All that happens when passing parameters to a C++ function is that you push the rightmost parameter first, then the next rightmost parameter, and so on, until the leftmost parameter has been pushed. Then the function is called... say you call the C library function strcpy to copy SourceString to DestString... in C++ you would type:

strcpy (DestString, SourceString);
The same call in assembler works like this
lea ax,SourceString     ;rightmost parameter
lea bx,DestString       ;leftmost parameter
push ax                 ;push rightmost first
push bx                 ;push next one
call _strcpy            ;copy the string using pre-made code
add sp,4                ;DISCARD used parameters
Everything depends from the CALLING CONVENTION!
The C calling convention pushes rightmost first and discards parameters from stack;
The Pascal calling convention pushes leftmost first and the called program discards the parameter from the stack.

It's therefore quite important to understand first of all which convention your target uses, which is pretty easy, since you just need to have a look at a known Windows function.
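Both things described so far, the "search and replace" tagging of the SaveFile section and the calling-convention check of this one, can be done mechanically over a dead listing. The following Python script is an added example, not Fravia's code and not anything from filemon's sources. The listing it works on is assembled from lines quoted in this essay (the start of WinMain, the two SaveFile call sites and the SaveFile prologue); the final "ret" of SaveFile is constructed, since the essay does not show it, and the function names tag_listing, infer_calls and infer_rets are mine.

```python
import re

# Constructed sample listing: lines copied from the filemon dead listing quoted in this
# essay (the start of WinMain with its call to InitApplication, the two SaveFile call
# sites, and the SaveFile prologue). The final "ret" of SaveFile is constructed here
# so that the function has an end; the essay does not show it.
LISTING = """\
:00401020 83EC1C sub esp, 0000001C
:00401023 53 push ebx
:00401024 56 push esi
:00401025 8B742428 mov esi, [esp + 28]
:00401029 57 push edi
:0040102A 56 push esi
:0040102B E880000000 call 004010B0
:00401030 83C404 add esp, 4
:00401033 85C0 test eax, eax
:00401035 750B jne 00401042
:00401037 33C0 xor eax, eax
:00401039 5F pop edi
:0040103A 5E pop esi
:0040103B 5B pop ebx
:0040103C 83C41C add esp, 1C
:0040103F C21000 ret 10
:00401569 6A00 push 00000000
:0040156B A1B8964000 mov eax, [004096B8]
:00401577 50 push eax
:00401578 56 push esi
:00401579 E8A2060000 call 00401C20
:0040157E 83C40C add esp, 0000000C
:00401586 6A01 push 00000001
:00401588 A1B8964000 mov eax, [004096B8]
:00401594 50 push eax
:00401595 56 push esi
:00401596 E885060000 call 00401C20
:0040159B 83C40C add esp, 0000000C
:00401C20 81EC7C060000 sub esp, 0000067C
:00401C2A C3 ret
"""

LINE_RE = re.compile(r"^:(?P<addr>[0-9A-F]{8})\s+(?P<bytes>[0-9A-F]+)\s+(?P<mn>\S+)\s*(?P<ops>[^;]*)")

def parse(listing):
    """Split a W32Dasm-style listing into (address, mnemonic, operands) tuples."""
    rows = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m["addr"], m["mn"], m["ops"].strip()))
    return rows

def tag_listing(listing, tags):
    """Search-and-replace as the essay describes, keeping the original number next to the
    tag: 'call 00401C20' -> 'call 00401C20=savefile', '[004096B8]' -> '[004096B8]=name'.
    Addresses at the start of a line (the instruction's own location) are left alone,
    and an address that already carries a tag is not tagged twice."""
    out = listing
    for addr, name in tags.items():
        out = re.sub(r"\[" + addr + r"\](?!=)", "[" + addr + "]=" + name, out)
        out = re.sub(r"(?<=[ ,])" + addr + r"\b(?!=)", addr + "=" + name, out)
    return out

def infer_calls(rows):
    """Caller-cleans-stack convention (C): a call followed by 'add esp, N' means N/4
    DWORD arguments were pushed. Returns (call_addr, target, convention, nargs)."""
    found = []
    for i, (addr, mn, ops) in enumerate(rows):
        if mn.lower() != "call":
            continue
        target = ops.split("=")[0].strip()
        conv, nargs = "callee-cleans or no args", None
        if i + 1 < len(rows) and rows[i + 1][1] == "add" and rows[i + 1][2].startswith("esp,"):
            nbytes = int(rows[i + 1][2].split(",")[1], 16)
            conv, nargs = "cdecl", nbytes // 4
        found.append((addr, target, conv, nargs))
    return found

def infer_rets(rows):
    """Callee-cleans-stack convention (Pascal/stdcall): 'ret N' pops N bytes of arguments.
    A function is taken to start at a 'sub esp, X' prologue. Returns {func_addr: (conv, nargs)}."""
    out, func = {}, None
    for addr, mn, ops in rows:
        if mn == "sub" and ops.startswith("esp,"):
            func = addr
        elif mn == "ret" and func:
            out[func] = ("stdcall", int(ops, 16) // 4) if ops else ("cdecl or no args", 0)
            func = None
    return out

if __name__ == "__main__":
    print(tag_listing(LISTING, {"00401C20": "savefile", "004096B8": "SaveFileSecondPar"}))
    for call in infer_calls(parse(LISTING)):
        print(call)          # SaveFile: cdecl with 3 args, InitApplication: cdecl with 1 arg
    print(infer_rets(parse(LISTING)))   # WinMain ends with "ret 10": stdcall, 4 DWORD args
```

Run on the sample, infer_calls reports the two SaveFile calls as cdecl with three arguments (the "add esp, 0000000C" that follows them) and the InitApplication call as cdecl with one, while infer_rets reports WinMain as stdcall with four arguments from its "ret 10". Imported Windows API functions ("Call dword ptr [...]") are stdcall, so no "add esp" follows them and infer_calls reports them as callee-cleans; that is the quick look at a known Windows function the text above recommends.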

The old good MessageBox function
But we are not yet finished with our MessageBox function, I'll use this very function in order to explain to you "in the deep" a single Windows function; it's up to you, obviously, to learn as much as you can about the more important Windows functions... I know, I know, it's an awful operating system, yet we MUST STUDY IT, unfortunately, in order to reverse it whenever we feel like it. In the following example, regarding MessageBox, you'll find a description useful for reverse engineering purposes; the descriptions you'll find inside the WinAPI references of the main language compilers are similar, but they are aimed at programmers that usually DO NOT need to know how to disassemble their program effectively and therefore are not always useful, nor complete. In fact the basic syntax for MessageBox is the following:

int MessageBox(hwndParent, lpszText, lpszTitle, fuStyle)
    HWND hwndParent;    /* handle of parent window */
    LPCSTR lpszText;    /* address of text in message box */
    LPCSTR lpszTitle;   /* address of title of message box */
    UINT fuStyle;       /* style of message box */

The MessageBox function creates, displays, and operates a message-box window. The message box contains an application-defined message and title, plus any combination of the predefined icons and push buttons described in the fuStyle parameter.

Parameter    Description
hwndParent   Identifies the parent window of the message box to be created. If this parameter is NULL, the message box will have no parent window.
lpszText     Points to a null-terminated string containing the message to be displayed.
lpszTitle    Points to a null-terminated string to be used for the dialog box title. If this parameter is NULL, the default title Error is used.
fuStyle      Specifies the contents and behavior of the dialog box. This parameter can be a combination of the following values:

Value                  Meaning
MB_ABORTRETRYIGNORE    The message box contains three push buttons: Abort, Retry, and Ignore. This value is 0x00000002L
MB_APPLMODAL           The user must respond to the message box before continuing work in the window identified by the hwndParent parameter. However, the user can move to the windows of other applications and work in those windows. MB_APPLMODAL is the default if neither MB_SYSTEMMODAL nor MB_TASKMODAL is specified. This value is 0x00000000L
MB_DEFBUTTON1          The first button is the default. Note that the first button is always the default unless MB_DEFBUTTON2 or MB_DEFBUTTON3 is specified. This value is 0x00000000L
MB_DEFBUTTON2          The second button is the default. This value is 0x00000100L
MB_DEFBUTTON3          The third button is the default. This value is 0x00000200L
MB_ICONASTERISK        Same as MB_ICONINFORMATION. This value is 0x00000040L
MB_ICONEXCLAMATION     An exclamation-point icon appears in the message box. This value is 0x00000030L
MB_ICONHAND            Same as MB_ICONSTOP. This value is 0x00000010L
MB_ICONINFORMATION     An icon consisting of a lowercase letter "I" in a circle appears in the message box. This value is 0x00000040L
MB_ICONQUESTION        A question-mark icon appears in the message box. This value is 0x00000020L
MB_ICONSTOP            A stop-sign icon appears in the message box. This value is 0x00000010L
MB_OK                  The message box contains one push button: OK. This value is 0x00000000L
MB_OKCANCEL            The message box contains two push buttons: OK and Cancel. This value is 0x00000001L
MB_RETRYCANCEL         The message box contains two push buttons: Retry and Cancel. This value is 0x00000005L
MB_SYSTEMMODAL         All applications are suspended until the user responds to the message box. Unless the application specifies MB_ICONHAND, the message box does not become modal until after it is created; consequently, the parent window and other windows continue to receive messages resulting from its activation. System-modal message boxes are used to notify the user of serious, potentially damaging errors that require immediate attention (for example, running out of memory). This value is 0x00001000L
MB_TASKMODAL           Same as MB_APPLMODAL except that all the top-level windows belonging to the current task are disabled if the hwndParent parameter is NULL. This flag should be used when the calling application or library does not have a window handle available but still needs to prevent input to other windows in the current application without suspending other applications. This value is 0x00002000L
MB_YESNO               The message box contains two push buttons: Yes and No. This value is 0x00000004L
MB_YESNOCANCEL         The message box contains three push buttons: Yes, No, and Cancel. This value is 0x00000003L
As you can see, the possible values (in hexadecimal) are 0, 1, 2, 3, 4, 5, 10, 20, 30, 40, 100, 200, 1000, 2000
(there are also other values, more rare: F, F0, F00, 3000, 8000, C000, 20000... you'll find them out either experimenting a little or reverse engineering a lot :-)
Returns
The return value is zero if there is not enough memory to create the message box. Otherwise, it is one of the following menu-item values returned by the dialog box:

Value      Real value   Meaning
ERROR      (0)          fcked
IDOK       (1)          OK button was selected.
IDCANCEL   (2)          Cancel button was selected.
IDABORT    (3)          Abort button was selected.
IDRETRY    (4)          Retry button was selected.
IDIGNORE   (5)          Ignore button was selected.
IDYES      (6)          Yes button was selected.
IDNO       (7)          No button was selected.

If a message box has a Cancel button, the IDCANCEL value will be returned if either the ESC key is pressed or the Cancel button is selected. If the message box has no Cancel button, pressing ESC has no effect.

Comments
When a system-modal message box is created to indicate that the system is low on memory, the strings pointed to by the lpszText and lpszTitle parameters should not be taken from a resource file, because an attempt to load the resource may fail.
When an application calls the MessageBox function and specifies the MB_ICONHAND and MB_SYSTEMMODAL flags for the fuStyle parameter, Windows displays the resulting message box regardless of available memory. When these flags are specified, Windows limits the length of the message-box text to three lines. Windows does not automatically break the lines to fit in the message box, however, so the message string must contain carriage returns to break the lines at the appropriate places.
If a message box is created while a dialog box is present, use the handle of the dialog box as the hwndParent parameter. The hwndParent parameter should not identify a child window, such as a control in a dialog box.

See Also
FlashWindow, MessageBeep

OK, we have seen "in the deep" a single Windows' function, you would be well advised to prepare yourself some "information sheets", like the above one, for your own use, about the most important and more frequent windows functions, WITH the values of the constants that windows uses... you'll see how easy it is to understand what an unknown part of a program is doing just examining how it handles the DIFFERENT possible return values...
This is obviously not the case here... remember what we are doing: we are just examining an "ABORT" error function, an abnormal-exit function that will show the user only a short error message and offer him an OK button to click on... you could modify the code at

:00401004 6A00 push 0 ;push right parameter: MB_OK (=0)
into
:00401004 6A01 push 1 ;push right parameter: MB_OKCANCEL (=1)
Yet modifying this code would not make much sense: you would see two push buttons: OK and Cancel, only in the event of an error (a pretty futile reverse engineering exercise :-)
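As an added example (not from the essay and not from filemon), here is a Python script that does mechanically what the text above describes: it walks back over the four pushes before each call to USER32.MessageBoxA, assigns them to hwndParent, lpszText, lpszTitle and fuStyle in reverse push order, and splits the fuStyle constant into the MB_ names from the table above using the field masks F, F0, F00 and 3000. The embedded listing is the Abort function quoted earlier plus a second, constructed call site at hypothetical addresses 00402000 and up; the function names decode_style and recover_messagebox_args are mine.

```python
import re

# Constructed sample: the Abort listing quoted above (real addresses and bytes from the
# essay), followed by a second, constructed call site at hypothetical addresses 00402000+
# that passes a richer style value so the decoder has something to split apart.
LISTING = """\
:00401000 8B442408 mov eax, [esp + 08]
:00401004 6A00 push 0
:00401006 8B4C2408 mov ecx, [esp + 08]
:0040100A 68C0804000 push 004080C0
:0040100F 50 push eax
:00401010 51 push ecx
:00401011 FF1590B24400 Call dword ptr [0044B290] ;call USER32.MessageBoxA
:00401017 6A01 push 1
:00401019 FF1588B24400 Call dword ptr [0044B288] ;call USER32.PostQuitMessage
:0040101F C3 ret
:00402000 6830100000 push 00001030
:00402005 68C0804000 push 004080C0
:0040200A 50 push eax
:0040200B 6A00 push 0
:0040200D FF1590B24400 Call dword ptr [0044B290] ;call USER32.MessageBoxA
"""

# fuStyle is a bit field: buttons in bits 0-3, icon in 4-7, default button in 8-11,
# modality in 12-13 (the masks F, F0, F00 and 3000 the essay lists as "rarer values").
# MB_ICONHAND == MB_ICONSTOP and MB_ICONASTERISK == MB_ICONINFORMATION, as the table says.
BUTTONS = {0x0: "MB_OK", 0x1: "MB_OKCANCEL", 0x2: "MB_ABORTRETRYIGNORE",
           0x3: "MB_YESNOCANCEL", 0x4: "MB_YESNO", 0x5: "MB_RETRYCANCEL"}
ICONS = {0x10: "MB_ICONHAND", 0x20: "MB_ICONQUESTION",
         0x30: "MB_ICONEXCLAMATION", 0x40: "MB_ICONASTERISK"}
DEFBUTTON = {0x100: "MB_DEFBUTTON2", 0x200: "MB_DEFBUTTON3"}
MODALITY = {0x1000: "MB_SYSTEMMODAL", 0x2000: "MB_TASKMODAL"}

def decode_style(style):
    """Name the flags packed into a MessageBox fuStyle value. MB_OK, MB_DEFBUTTON1 and
    MB_APPLMODAL are all zero, so only the button field is always reported."""
    names = [BUTTONS.get(style & 0xF, "MB_?(buttons=%X)" % (style & 0xF))]
    for mask, table in ((0xF0, ICONS), (0xF00, DEFBUTTON), (0x3000, MODALITY)):
        bits = style & mask
        if bits:
            names.append(table.get(bits, "0x%X?" % bits))
    rest = style & ~0x3FFF
    if rest:
        names.append("0x%X" % rest)          # flags outside the table reproduced above
    return names

PUSH_RE = re.compile(r"^:([0-9A-F]{8})\s+[0-9A-F]+\s+push\s+(\S+)", re.I)
CALL_RE = re.compile(r"^:([0-9A-F]{8})\s+[0-9A-F]+\s+call\b.*MessageBoxA", re.I)
FLOW_RE = re.compile(r"^:[0-9A-F]{8}\s+[0-9A-F]+\s+(call|ret|jmp)\b", re.I)

def recover_messagebox_args(listing):
    """For each MessageBoxA call, walk back over the preceding pushes: the last push is
    the leftmost C parameter (hwndParent), the first push is the rightmost (fuStyle)."""
    lines = listing.splitlines()
    results = []
    for i, line in enumerate(lines):
        m = CALL_RE.match(line)
        if not m:
            continue
        pushes = []
        for prev in reversed(lines[:i]):
            if FLOW_RE.match(prev):          # another call/ret/jmp: we left this call's setup
                break
            p = PUSH_RE.match(prev)
            if p:
                pushes.append(p.group(2))
            if len(pushes) == 4:
                break
        if len(pushes) < 4:
            continue
        hwnd, text, title, style = pushes    # reversed push order == C argument order
        rec = {"call": m.group(1), "hwndParent": hwnd, "lpszText": text,
               "lpszTitle": title, "fuStyle": style}
        if re.fullmatch(r"[0-9A-F]+", style, re.I):   # immediate: decode it
            rec["style_names"] = decode_style(int(style, 16))
        else:
            rec["style_names"] = ["(in register %s)" % style]
        results.append(rec)
    return results

if __name__ == "__main__":
    for rec in recover_messagebox_args(LISTING):
        print(rec)
```

For the Abort function the script reports hwndParent in ecx, lpszText in eax, the title string at 004080C0 and fuStyle 0, i.e. MB_OK; patching that push to 1 as suggested above would make it report MB_OKCANCEL. The constructed second call site decodes to MB_OK, MB_ICONEXCLAMATION and MB_SYSTEMMODAL, which is how a combined style constant looks once pulled apart field by field.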

The InitApplication function of filemon
Now that we have seen the ABORT function of filemon, let's work on the next routines of our target... be patient and follow me: if you read carefully this short essay you'll master the rudiments of windows reverse engineering.

The following function, inside our C source code, is WinMain... since WinMain is a KNOWN function (which usually calls InitInstance and InitApp before entering a GetMessage loop), WinMain will be one of the LAST code snippets that we'll reverse; we'll see first a lot of other, more or less "home-made" procedures that we'll "solve" first (once more: we have the C source code of this target, yet my aim is to teach you how to reverse engineer targets you DO NOT have the source code of; we'll soon operate AS IF we did not have any source code at all, bear with me :-)
We'll pass to the next procedure, the one after WinMain. This is a standard InitApp procedure (as you'll see in the FOURTH part of this lesson); here is its C source code:

/****************************************************************************
 * FUNCTION: InitApplication(HANDLE)
 * PURPOSE: Initializes window data and registers window class
 ****************************************************************************/
BOOL InitApplication( HANDLE hInstance )
{
    WNDCLASS wc;

    // Fill in window class structure with parameters that describe the
    // main (statistics) window.
    wc.style         = 0;
    wc.lpfnWndProc   = (WNDPROC)MainWndProc;    // !!!!
    wc.cbClsExtra    = 0;
    wc.cbWndExtra    = 0;
    wc.hInstance     = hInstance;
    wc.hIcon         = LoadIcon( hInstance, "ICON" );
    wc.hCursor       = LoadCursor( NULL, IDC_ARROW );
    wc.hbrBackground = GetStockObject( LTGRAY_BRUSH );
    wc.lpszMenuName  = "LISTMENU";
    wc.lpszClassName = "filemonClass";
    if ( ! RegisterClass( &wc ) )
        return FALSE;
    return TRUE;
}

FUNCTION: InitApplication(HANDLE)
* Referenced by a CALL at Address:0040102B
BOOL InitApplication( HANDLE hInstance)
This function fills in the window class structure with parameters that describe the main (statistics) window of our target... it's one of the main "initializing" functions of our target
:004010B0 8B442404 mov eax, [esp + 04] ;get hInstance
:004010B4 83EC28 sub esp, 00000028
:004010B7 C744240000000000 mov [esp], 00000000
:004010BF 89442410 mov [esp + 10], eax
:004010C3 56 push esi ;save esi
:004010C4 C744240890114000 mov [esp + 08], 00401190 ;See below what is this
:004010CC C744240C00000000 mov [esp + 0C], 00000000
:004010D4 C744241000000000 mov [esp + 10], 00000000
:004010DC 68E4804000 push 004080E4 ;StringData "ICON"
:004010E1 50 push eax ;push hInstance
:004010E2 FF15F4B24400 Call dword ptr [0044B2F4] ;USER32.LoadIconA
:004010E8 89442418 mov [esp + 18], eax ;save return value
:004010EC 68007F0000 push 00007F00 ;7F=IDC_ARROW
:004010F1 6A00 push 00000000 ;NULL
:004010F3 FF15F8B24400 Call dword ptr [0044B2F8] ;USER32.LoadCursorA
:004010F9 8944241C mov [esp + 1C], eax ;save return value
:004010FD 6A01 push 1 ;1=LTGRAY_BRUSH
:004010FF FF15CCB14400 Call dword ptr [0044B1CC] ;GDI32.GetStockObject
:00401105 C7442424D8804000 mov [esp + 24], 004080D8 ;StringData "LISTMENU"
:0040110D C7442428C8804000 mov [esp + 28], 004080C8 ;StringData "filemonClass"
:00401115 89442420 mov [esp + 20], eax ;save return in esp+20
:00401119 8D442404 lea eax, [esp + 04] ;get WNDCLASS wc
if ( ! RegisterClass( &wc ) )
    return FALSE;
return TRUE;
:0040111D 50 push eax ;push WNDCLASS wc
:0040111E FF15FCB24400 Call dword ptr [0044B2FC] ;USER32.RegisterClassA
:00401124 663D0100 cmp ax, 0001 ;did we get it through?
:00401128 5E pop esi
:00401129 1BC0 sbb eax, eax ;if zero return false
:0040112B 83C428 add esp, 00000028
:0040112E 40 inc eax ;else return true
:0040112F C3 ret
Well, let's see what happens when we get back from this procedure:
:WinMain of filemon calls InitApplication
:00401020 83EC1C sub esp, 0000001C
:00401023 53 push ebx
:00401024 56 push esi
:00401025 8B742428 mov esi, [esp + 28]
:00401029 57 push edi
:0040102A 56 push esi
:0040102B E880000000 call 004010B0 ;call InitApplication(HANDLE)
:00401030 83C404 add esp, 4 ;correct esp
:00401033 85C0 test eax, eax ;was it zero?
:00401035 750B jne 00401042 ;if InitApplication(hInstance) OK continue WinMain
:00401037 33C0 xor eax, eax ;else return FALSE
:00401039 5F pop edi
:0040103A 5E pop esi
:0040103B 5B pop ebx
:0040103C 83C41C add esp, 1C
:0040103F C21000 ret 10
Therefore the above snippet is:
if (! InitApplication(hInstance))
    return FALSE;
Which is a part of WinMain, btw.

The trick for finding MainWndProc
God, I realize now that I should begin to explain the whole WNDCLASS structure... please study it yourself... if you bought (as you should have done) the COMPLETE Borland C++ Version 4.52 for less than 4 UK pounds (see here), you'll have all important specs at your fingertips from the huge API helpfiles (7 million bytes for Win32 and 3 million bytes for Win31).
I'll explain here only part of the API calls... The most important element here, for us, is that WNDCLASS' member lpfnWndProc POINTS TO THE CALLBACK WINDOW PROCEDURE!
Let's approach the above code (of InitApplication) slowly... What was the value "401190" at 10C4?

:004010C4 C744240890114000 mov [esp + 08], 00401190
That is the location of the MainWndProc!
Windows is so kind to tell us, in many occasions, WHERE the "obligatory" functions of an unknown program start!
If Peter Urbanik, the author of Wdasm, would listen to us, instead of uselessly updating his program every couple of weeks, he would work on this to get a spectacular tool for reverse engineering!
OK, every single WNDCLASS call of a windows program carries inside itself the location of the caller... in this case (as in most initialization parts of code) WNDCLASS is called at initialization by a little initialization routine (here in filemon called InitInstance) which is in turn called by the main "homemade" procedure of our target, here in filemon called MainWndProc... nice to know, isn't it?
There is more: since WNDCLASS has a parameter lpszClassName, which points to a null-terminated string that specifies the name of the window class (in the case of filemon "filemonClass"), it's pretty easy to find all occurrences of WNDCLASS inside any unknown target just examining its strings (and you can use good old Frattaroli's strings.zip to do it)... nice, isn't it?
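As an added example, not part of the essay and not filemon's code, the following Python script applies the trick above to the InitApplication listing: it walks forward from the "sub esp" prologue, keeps count of how far esp has moved with each push, pop and (stdcall) API call, and so maps every "mov [esp + X], value" to the WNDCLASS member at offset X minus that shift. The immediate that lands in lpfnWndProc and falls inside the code section is the window procedure, and the immediates that land in lpszMenuName and lpszClassName resolve to the strings the essay already named. The .text range, the argument counts of LoadIconA, LoadCursorA and GetStockObject, and the string addresses are assumptions taken from the addresses this essay prints; the function names recover_wndclass and describe are mine.

```python
import re

# Constructed sample: the InitApplication listing quoted in this essay, addresses and bytes
# as printed there, keeping only the comments that name the imported API being called.
LISTING = """\
:004010B0 8B442404 mov eax, [esp + 04]
:004010B4 83EC28 sub esp, 00000028
:004010B7 C744240000000000 mov [esp], 00000000
:004010BF 89442410 mov [esp + 10], eax
:004010C3 56 push esi
:004010C4 C744240890114000 mov [esp + 08], 00401190
:004010CC C744240C00000000 mov [esp + 0C], 00000000
:004010D4 C744241000000000 mov [esp + 10], 00000000
:004010DC 68E4804000 push 004080E4
:004010E1 50 push eax
:004010E2 FF15F4B24400 Call dword ptr [0044B2F4] ;USER32.LoadIconA
:004010E8 89442418 mov [esp + 18], eax
:004010EC 68007F0000 push 00007F00
:004010F1 6A00 push 00000000
:004010F3 FF15F8B24400 Call dword ptr [0044B2F8] ;USER32.LoadCursorA
:004010F9 8944241C mov [esp + 1C], eax
:004010FD 6A01 push 1
:004010FF FF15CCB14400 Call dword ptr [0044B1CC] ;GDI32.GetStockObject
:00401105 C7442424D8804000 mov [esp + 24], 004080D8
:0040110D C7442428C8804000 mov [esp + 28], 004080C8
:00401115 89442420 mov [esp + 20], eax
:00401119 8D442404 lea eax, [esp + 04]
:0040111D 50 push eax
:0040111E FF15FCB24400 Call dword ptr [0044B2FC] ;USER32.RegisterClassA
"""

# Assumed .text range for filemon.exe: code starts at 00401000 in the essay's listing and
# string data starts around 004080C0, so immediates between them are taken to be code.
TEXT_RANGE = (0x00401000, 0x00408000)
# String addresses the essay's listing resolves for us (its "StringData" comments).
STRINGS = {0x004080C0: "filemon", 0x004080C8: "filemonClass",
           0x004080D8: "LISTMENU", 0x004080E4: "ICON"}
# WNDCLASS member offsets (ten DWORDs, in declaration order).
WNDCLASS = {0x00: "style", 0x04: "lpfnWndProc", 0x08: "cbClsExtra", 0x0C: "cbWndExtra",
            0x10: "hInstance", 0x14: "hIcon", 0x18: "hCursor", 0x1C: "hbrBackground",
            0x20: "lpszMenuName", 0x24: "lpszClassName"}
# DWORD argument counts of the stdcall APIs in this prologue (the callee pops them).
API_ARGS = {"LoadIconA": 2, "LoadCursorA": 2, "GetStockObject": 1}

INSN_RE = re.compile(r"^:([0-9A-F]{8})\s+[0-9A-F]+\s+(\S+)\s*([^;]*?)\s*(?:;\s*(.*))?$", re.I)
STORE_RE = re.compile(r"^\[esp(?:\s*\+\s*([0-9A-F]+))?\],\s*(\S+)$", re.I)

def describe(value, text_range, strings):
    """Immediates inside .text are code (the window procedure); known string addresses
    are named; a register is reported as-is (its value came from the preceding API call)."""
    if re.fullmatch(r"[0-9A-F]{8}", value, re.I):
        imm = int(value, 16)
        if text_range[0] <= imm < text_range[1]:
            return "code@" + value.upper()
        if imm in strings:
            return '"%s"' % strings[imm]
        return value
    return "reg:" + value

def recover_wndclass(listing, text_range=TEXT_RANGE, strings=STRINGS):
    """Track the distance esp has moved since the 'sub esp' prologue, so that each
    'mov [esp + X], value' maps to WNDCLASS offset X - shift. Stops at RegisterClassA."""
    members, depth = {}, 0
    for line in listing.splitlines():
        m = INSN_RE.match(line)
        if not m:
            continue
        mn, ops = m.group(2).lower(), m.group(3)
        comment = (m.group(4) or "").strip()
        api = comment.split()[0].split(".")[-1] if comment else ""
        if mn == "sub" and ops.lower().startswith("esp,"):
            depth = 0                        # local frame begins here: wc lives at [esp]
        elif mn == "push":
            depth += 4
        elif mn == "pop":
            depth -= 4
        elif mn == "call" and api in API_ARGS:
            depth -= 4 * API_ARGS[api]       # stdcall callee removed its own arguments
        elif mn == "call" and api == "RegisterClassA":
            return members
        elif mn == "mov":
            s = STORE_RE.match(ops)
            if s:
                off = int(s.group(1) or "0", 16) - depth
                members[WNDCLASS.get(off, "off_%X" % off)] = describe(s.group(2), text_range, strings)
    return members

if __name__ == "__main__":
    for member, value in recover_wndclass(LISTING).items():
        print("%-14s %s" % (member, value))   # lpfnWndProc -> code@00401190
```

Note why the shift matters: the "mov [esp + 08], 00401190" at 004010C4 comes after the "push esi", so [esp + 08] is wc + 4, i.e. lpfnWndProc, while the "mov [esp + 10], eax" at 004010BF, before that push, is wc + 0x10, hInstance. Without accounting for the pushes you would put the window procedure in cbClsExtra and be puzzled; with it, the script reports code@00401190 for lpfnWndProc, "LISTMENU" for lpszMenuName and "filemonClass" for lpszClassName, with the three handles coming back in eax from the API calls.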

What have we more up there? Let's see

:004010EC 68007F0000 push 00007F00 ;IDC_ARROW
hCursor Identifies the class cursor. This member must be a handle to a cursor resource. There are many resources of each type, for the joy of a good reverse engineer...
Here you go! Experiment a little (change it with Hexworkshop inside filemon.exe, play with your targets! In this specific case you won't see much, though, because this is the "ghost" "loaded" cursor of filemon... you should change the SetCursor function's parameter to change the cursor of an application)
32512 (0x7F00) = IDC_ARROW       ;that's what we have
32513 (0x7F01) = IDC_IBEAM       ;Text I-beam cursor.
32514 (0x7F02) = IDC_WAIT        ;that's the hourglass
...
32560          = IDC_APPSTARTING
Another parameter:
:004010FD 6A01 push 00000001 ;LTGRAY_BRUSH
Since GRAY_BRUSH is 2 and DKGRAY_BRUSH is 3, you may experiment as well with some colors... If you substitute :004010FD 6A01 with :004010FD 6A03 you'll indeed see (for a moment) your DKGRAY_BRUSH "behind" the filling of the main window of filemon. Once more, this is the "initializing" routine, which is called at the beginning of our target's life; many parameters will be "reconfirmed" later on.
What's more up there? Yes: RegisterWindowClass... once created, the WNDCLASS data must be "registered" in order to pass to the subsequent CreateWindow function... Let's have a look at the code of WinMain that will be executed if the InitApplication routine returns successfully...
:WinMain after InitApplication
:00401042 8B442438     mov eax, [esp + 38]
:00401046 50           push eax
:00401047 56           push esi
:00401048 E8E3000000   call 00401130                 ;=InitInstance
:0040104D 83C408       add esp, 00000008
:00401050 85C0         test eax, eax
:00401052 750B         jne 0040105F                  ;if InitInstance successful, continue WinMain
:00401054 33C0         xor eax, eax                  ;else return FALSE
:00401056 5F           pop edi
:00401057 5E           pop esi
:00401058 5B           pop ebx
:00401059 83C41C       add esp, 0000001C
:0040105C C21000       ret 0010

A Windows is born
This huge operating system will now perform its most characteristic work: create a Window. Prepare yourself another cocktail, this will take quite a while...
/****************************************************************************
 * FUNCTION: InitInstance(HANDLE, int)
 * PURPOSE:  Saves instance handle and creates main window
 ****************************************************************************/
HWND InitInstance( HANDLE hInstance, int nCmdShow )
{
        HWND hWndMain;

        hInst = hInstance;

        hWndMain = CreateWindow( "filemonClass", "Win95 File Monitor",
                                 WS_OVERLAPPEDWINDOW,
                                 CW_USEDEFAULT, CW_USEDEFAULT,
                                 CW_USEDEFAULT, CW_USEDEFAULT,
                                 NULL, NULL, hInstance, NULL );

        // if window could not be created, return "failure"
        if (! hWndMain)
                return NULL;

        // make the window visible; update its client area; and return "success"
        ShowWindow(hWndMain, nCmdShow);
        UpdateWindow(hWndMain);
        return hWndMain;
}
This HWND "hWndMain" translates to:
CreateWindow (...)
:00401130 8B442404     mov eax, [esp + 04]           ;get hInstance
:00401134 56           push esi                      ;save esi
:00401135 6A00         push 00000000                 ;last NULL lpvParam
:00401137 A3E8994000   mov [004099E8], eax           ;save hInstance (HEY! A memory loc!)
:0040113C 50           push eax                      ;push hInstance
:0040113D 6A00         push 00000000                 ;NULL hmenu
:0040113F 6A00         push 00000000                 ;NULL hwndParent
:00401141 6800000080   push 80000000                 ;CW_USEDEFAULT
:00401146 6800000080   push 80000000                 ;CW_USEDEFAULT
:0040114B 6800000080   push 80000000                 ;CW_USEDEFAULT
:00401150 6800000080   push 80000000                 ;CW_USEDEFAULT
:00401155 680000CF00   push 00CF0000                 ;WS_OVERLAPPEDWINDOW
:0040115A 68EC804000   push 004080EC                 ;"Win95 File Monitor"
:0040115F 68C8804000   push 004080C8                 ;"filemonClass"
:00401164 6A00         push 00000000
:00401166 FF15E8B24400 Call dword ptr [0044B2E8]     ;USER32.CreateWindowExA, Ord:55h
:0040116C 8BF0         mov esi, eax                  ;get the handle to the new window in esi
:0040116E 85F6         test esi, esi                 ;test it
:00401170 7504         jne 00401176                  ;if created OK, continue to ShowWindow
:00401172 33C0         xor eax, eax                  ;else return NULL (i.e. FALSE)
:00401174 5E           pop esi
:00401175 C3           ret

Ok, let's have a look at this important function:
HWND CreateWindow(lpszClassName, lpszWindowName, dwStyle, x, y, nWidth, nHeight, hwndParent, hmenu, hinst, lpvParam)
LPCSTR lpszClassName;    /* address of registered class name */
LPCSTR lpszWindowName;   /* address of window text */
DWORD dwStyle;           /* window style */
int x;                   /* horizontal position of window */
int y;                   /* vertical position of window */
int nWidth;              /* window width */
int nHeight;             /* window height */
HWND hwndParent;         /* handle of parent window */
HMENU hmenu;             /* handle of menu or child-window identifier */
HINSTANCE hinst;         /* handle of application instance */
void FAR* lpvParam;      /* address of window-creation data */

lpszClassName is "filemonClass" (what we have registered)
lpszWindowName is "Win95 File Monitor" (what you see in the main window of filemon)
dwStyle is WS_OVERLAPPEDWINDOW = 00CF0000 (which creates an overlapped window having the WS_OVERLAPPED, WS_CAPTION, WS_SYSMENU, WS_THICKFRAME, WS_MINIMIZEBOX, and WS_MAXIMIZEBOX styles)
int x is CW_USEDEFAULT
This value specifies the initial x-position of the window. For an overlapped or pop-up window, the x parameter is the initial x-coordinate of the window's upper-left corner, in screen coordinates. For a child window, x is the x-coordinate of the upper-left corner of the window in the client area of its parent window. If, like here in filemon, this value is CW_USEDEFAULT, Windows selects the default position for the window's upper-left corner and ignores the y parameter. CW_USEDEFAULT is valid only for overlapped windows... if you firmly believe that Mark Russinovich and Bryce Cogswell should have let their program appear in the top left corner of the screen instead of using the default position then go ahead! Modify whatever you want!
int y is CW_USEDEFAULT, as above for the y-position
nWidth is CW_USEDEFAULT
This value specifies the width, in device units, of the window. For overlapped windows, the nWidth parameter is either the window's width (in screen coordinates) or CW_USEDEFAULT. If nWidth is CW_USEDEFAULT, like here in filemon, Windows selects a default width and height for the window (the default width extends from the initial x-position to the right edge of the screen, and the default height extends from the initial y-position to the top of the icon area). CW_USEDEFAULT is valid only for overlapped windows.
nHeight is CW_USEDEFAULT, as above for the height
hwndParent is NULL. This value identifies the parent or owner window of the window being created. Overlapped windows must NOT have a parent (hwndParent must be NULL)
hMenu is NULL, handle of menu identifier
hInstance is the value in eax, and identifies the instance of the module to be associated with the window.
lpvParam is the WM_CREATE param
Well, what returns CreateWindow? The return value is the handle of the new window if the function is successful. Otherwise, it is NULL. Everything is OK with old good filemon, let's continue...
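The two things the essay does by hand above, reading MainWndProc out of the "mov [esp + 08], 00401190" store in InitApplication and pairing the pushes before CreateWindowExA with its parameters, as a small Python decoder run over the bytes of the listings. This is an added example, not code from Fravia's essay or from filemon itself; the bytes are re-typed from the opcode column of the listings, and the import-slot names, the string addresses and the code range 0x401000..0x408000 are assumptions taken from the listing comments.

```python
"""Decode the x86 instruction forms in filemon's InitApplication/InitInstance
listings, then recover the CreateWindow argument list and the WNDCLASS
window-procedure store the way the essay does by hand.  Added example, not
Fravia's or filemon's own code: bytes are re-typed from the opcode column of
the listings; import-slot names, string addresses and the code range are
assumptions taken from the listing comments, not read from filemon.exe."""
import struct

INIT_INSTANCE_BASE = 0x00401130                    # listing :00401130 .. :0040118C
INIT_INSTANCE = bytes.fromhex(
    "8B442404" "56" "6A00" "A3E8994000" "50" "6A00" "6A00" "6800000080" "6800000080"
    "6800000080" "6800000080" "680000CF00" "68EC804000" "68C8804000" "6A00"
    "FF15E8B24400" "8BF0" "85F6" "7504" "33C0" "5E" "C3"
    "8B44240C" "50" "56" "FF15ECB24400" "56" "FF15F0B24400" "8BC6" "5E" "C3")
WNDPROC_STORE_BASE = 0x004010C4                    # the 'mov [esp+08], 00401190' in InitApplication
WNDPROC_STORE = bytes.fromhex("C744240890114000")

IMPORTS = {0x0044B2E8: "USER32.CreateWindowExA", 0x0044B2EC: "USER32.ShowWindow",
           0x0044B2F0: "USER32.UpdateWindow"}
STRINGS = {0x004080EC: '"Win95 File Monitor"', 0x004080C8: '"filemonClass"'}
CODE_RANGE = (0x00401000, 0x00408000)              # assumed: the strings sit above it
CW_USEDEFAULT = 0x80000000
WS_BITS = [("WS_CAPTION", 0x00C00000), ("WS_SYSMENU", 0x00080000),
           ("WS_THICKFRAME", 0x00040000), ("WS_MINIMIZEBOX", 0x00020000),
           ("WS_MAXIMIZEBOX", 0x00010000)]         # WS_OVERLAPPED itself is 0
CREATEWINDOWEX_PARAMS = ["dwExStyle", "lpClassName", "lpWindowName", "dwStyle", "x", "y",
                         "nWidth", "nHeight", "hWndParent", "hMenu", "hInstance", "lpParam"]
FIXED = {b"\x5E": "pop esi", b"\xC3": "ret", b"\x85\xF6": "test esi, esi",
         b"\x33\xC0": "xor eax, eax", b"\x8B\xF0": "mov esi, eax", b"\x8B\xC6": "mov eax, esi"}

def u32(b, i): return struct.unpack_from("<I", b, i)[0]
def s8(b, i): return struct.unpack_from("<b", b, i)[0]

def decode_one(code, i, a):
    """Decode the instruction at code[i] (address a); return ((a, text, kind, value), length)."""
    b, n = code[i], (code[i + 1] if i + 1 < len(code) else 0)
    for pat, text in FIXED.items():                # fixed encodings: no operand to pull out
        if code.startswith(pat, i):
            return (a, text, None, None), len(pat)
    if b in (0x50, 0x56):                          # push eax / push esi
        reg = "eax" if b == 0x50 else "esi"
        return (a, "push " + reg, "push", reg), 1
    if b == 0x6A:                                  # push imm8, sign-extended to 32 bits
        v = s8(code, i + 1) & 0xFFFFFFFF
        return (a, "push %08X" % v, "push", v), 2
    if b == 0x68:                                  # push imm32
        v = u32(code, i + 1)
        return (a, "push %08X" % v, "push", v), 5
    if b == 0xA3:                                  # mov [moffs32], eax
        return (a, "mov [%08X], eax" % u32(code, i + 1), None, None), 5
    if b == 0x8B and n == 0x44 and code[i + 2] == 0x24:   # mov eax, [esp + disp8]
        return (a, "mov eax, [esp + %02X]" % code[i + 3], None, None), 4
    if b == 0xC7 and n == 0x44 and code[i + 2] == 0x24:   # mov [esp + disp8], imm32
        v = u32(code, i + 4)
        return (a, "mov [esp + %02X], %08X" % (code[i + 3], v), "store", v), 8
    if b == 0xFF and n == 0x15:                    # call dword ptr [imm32] (import slot)
        v = u32(code, i + 2)
        return (a, "call dword ptr [%08X]" % v, "call", v), 6
    if b == 0x75:                                  # jne rel8, relative to the next instruction
        return (a, "jne %08X" % (a + 2 + s8(code, i + 1)), None, None), 2
    raise ValueError("unsupported opcode %02X at %08X" % (b, a))

def decode(code, base):
    """Linear sweep; kind is 'push', 'call', 'store' or None."""
    out, i = [], 0
    while i < len(code):
        insn, length = decode_one(code, i, base + i); out.append(insn); i += length
    return out

def describe(name, v):
    """Render one raw argument in the symbolic form the essay's commentary uses."""
    if isinstance(v, str):                         # register-sourced: hInstance arrives in eax
        return v
    if name == "dwStyle":                          # split the style DWORD into its WS_ bits
        names = [n for n, bit in WS_BITS if v & bit == bit]
        rest = v & ~sum(bit for _, bit in WS_BITS)
        sym = " | ".join(names) + (" | %08X" % rest if rest else "")
        return "WS_OVERLAPPEDWINDOW (%s)" % sym if v == 0x00CF0000 else sym
    if v in STRINGS:
        return STRINGS[v]
    return "CW_USEDEFAULT" if v == CW_USEDEFAULT else "NULL" if v == 0 else "%08X" % v

def recover_createwindow(code, base):
    """Pair the pushes before the CreateWindowExA call with its parameters (__stdcall: last push = first parameter)."""
    pushes = []
    for _, _, kind, v in decode(code, base):
        if kind == "push":
            pushes.append(v)
        elif kind == "call" and IMPORTS.get(v) == "USER32.CreateWindowExA":
            n = len(CREATEWINDOWEX_PARAMS)
            if len(pushes) < n:
                raise ValueError("only %d pushes before CreateWindowExA" % len(pushes))
            return {k: describe(k, x) for k, x in zip(CREATEWINDOWEX_PARAMS, reversed(pushes[-n:]))}
        elif kind == "call":
            pushes = []                            # those pushes fed some other call
    return None

def wndproc_candidates(code, base):
    """Immediates stored into the stack-resident WNDCLASS that point into the code range (the essay reads :004010C4 as lpfnWndProc)."""
    lo, hi = CODE_RANGE
    return [v for _, _, kind, v in decode(code, base) if kind == "store" and lo <= v < hi]
```

recover_createwindow(INIT_INSTANCE, INIT_INSTANCE_BASE) returns the named argument dictionary and wndproc_candidates(WNDPROC_STORE, WNDPROC_STORE_BASE) returns [0x401190], the MainWndProc address the essay points at. decode() raises on any opcode outside the handful used in these listings, so extend FIXED or decode_one before running it over other code.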

A window has been "made"; its name is hWndMain; let's show it to the world

ShowWindow(hWndMain, nCmdShow);   make the window visible & update its client area
:00401176 8B44240C     mov eax, [esp + 0C]           ;get nCmdShow
:0040117A 50           push eax                      ;nCmdShow
:0040117B 56           push esi                      ;hWndMain (handle was in esi)
:0040117C FF15ECB24400 Call dword ptr [0044B2EC]     ;USER32.ShowWindow, Ord:022Ch
UpdateWindow(hWndMain);
:00401182 56           push esi                      ;hWndMain (handle was in esi)
:00401183 FF15F0B24400 Call dword ptr [0044B2F0]     ;USER32.UpdateWindow, Ord:024Fh
:00401189 8BC6         mov eax, esi                  ;return to WinMain with hWndMain in eax
:0040118B 5E           pop esi                       ;let's have the old esi back
:0040118C C3           ret
If you have never programmed before, you could legitimately ask yourself why the hell we have to show and update a window we created a minute ago... see: ShowWindow specifies how the window is to be shown... hide=0, normal=1, otherzoom=2, maximize=3, otherunzoom=4, show=5 etc... therefore the value in esp+0C determines HOW the window will appear, and it has already been determined when calling WinMain, which has the following parameters: int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow), the last "int" one being the nCmdShow... have a look at the code following the program entry point for this.
Once shown, the window must be updated. The UpdateWindow function updates the client area of our window by sending a WM_PAINT message to the window if the update region for the window is not empty. The function sends a WM_PAINT message directly to the window procedure, bypassing the application queue. If the update region is empty, no message is sent.
We are now finished with the InitInstance procedure, have our nice main window, must move on: back to WinMain!
:WinMain continued
:0040105F 8D44240C     lea eax, [esp + 0C]
:00401063 6A00         push 00000000
:00401065 6A00         push 00000000
:00401067 8B3500B34400 mov esi, [0044B300]
:0040106D 6A00         push 00000000
:0040106F 50           push eax
:00401070 FFD6         call esi
:00401072 85C0         test eax, eax
:00401074 742B         je 004010A1
:00401076 8B3D94B24400 mov edi, [0044B294]
:0040107C 8B1D8CB24400 mov ebx, [0044B28C]
Well, we'll continue with another lesson, we have almost 50.000 bytes here!
(c) Fravia+ 1997. All rights reserved.

Original Page:

Shared from Read It Later

Elyssa Durant, Ed.M.

United States of America

THE tools page at Fravia-+

tools.htm , THE tools page at Fravia's!

5) An Hexeditor, we use mostly PSEDIT (DOS, powerful) or Hexworkshop (Windoze), you'll find hexeditors everywhere and you'll crack all sorts of hexeditors reading +HCU's Project 1.

Many crackers find a very useful hexeditor.

6) Filemon & Regmon & Vxdmon... shareware (with source code!). You'll find them for download on my own site too, see below. Once you use and understand the utility of filemon you may also want to check my essay about filemon reverse engineering" too!

7) A good wordprocessor (MS-Word 97 won't do for huge files; I use old powerful Wordperfect version 4.2 (DOS) or Ultraedit (Windoze))

8) A brain, see if you manage to find one somewhere
All other tools on this page may be very useful as well at times... download what you fancy and enjoy!

Forgotten realms

Hey! I almost forgot... actually when you'll have to perform real work "inside the dark codewoods" you could need this Muster as well

Tools to calculate inter alia in Hexadecimal

Hey! I almost forgot... actually when you'll have to perform real work "inside the dark codewoods" you better use the BEST TOOL for our calculations: base calculator (ver 1.3) by John Zaitseff (GNU freeware!) as well (zipped: 148.156 bytes)

Hey! I almost forgot... actually when you'll have to perform real work "inside the dark codewoods" you could need this base converter as well (An Hexworkshop add-on: zipped: 58.717 bytes)

Tools to catch a window (or box) through its DIMENSIONS

Hey! I almost forgot... actually when you'll have to crack windows that have a predefinite width and height you could need this ruler as well (zipped: 24.323 bytes)

Well, actually, even better... when you'll have to crack windows that have a predefinite width and height you could use this winshow utility as well (zipped: 57.958 bytes), the original module has been ameliorated by Frog's Print, porting it to hexvalues inter alia, and you'll find his version inside this zip as well

Tools to fish strings

Hey! I almost forgot... actually when you'll have to find and extract strings in unicode from your targets you could need this peek utility as well (zipped: 24.323 bytes)

Other pretty good pages for "tooling"
Just a small choice... everything is on the web!

Some VERY good tools for stalking (inter alia) on the Basilisk's tools page
Some good tools for hexediting (among other things) on LordSomer's page
Couple of good tools for Windows95 Registry (thoroughly explained) on Michael's page
Tools for Virus programming (which is useful in order to learn Assembly) on Jwool's page
Very good tools on a very good page, at Mammon's
Very good tools on a very good page, at Stone's
Tools and icecreams (quite a lot) on Aesculapius' page
Tools and icecreams (quite a lot) on ACP's main page
One of the best sites that you'll find for tooling around is LordCaligo's main page

I know that some of the following links are down... Censorship and syn-attacks have broken some minor "luggage" pages of mine... I'm repairing everything (albeit slowly)... but you'll be able to find the missing tools elsewhere using these NAMES and performing an archie search or a ftp search

spray asm 5.623 the *TOOL* to dump memory... +ORC's recommended
stepdos zip 19.088 intercept the int_21... zipped with the stepdos.asm file!... +ORC's recommended
int13 asm 16.253 for those annoying disk accesses
sniff zip 9.699 I made this tool myself... a brute "sniffer" for "dead" files
memscan zip 9.492 the first "visual" cracker tool... +ORC's recommended
kgb zip 6.137 Horak's masterpiece for intercepting interrupts... zipped with the *.asm file!... +ORC's recommended
map zip 23.959 Clockwork's MAP... complete with Nigel nagscreens... crack it with +ORC's lesson 3.2
psedit zip 67.308 Psedit version 4.4., by Gary Craider... +ORC's recommended
codebar zip 41.103 The key to the magic world of barcodes (see +ORC's lesson C.1)
joetools zip 90.702 Tools & Files you need for Uncle Joe's Crackbook - UNP is also here
Resdump zip 11.889 Little utility newbyes'll need to crack windows programs (see my Taskman lessons)

Hiew zip 40.624 Learn how to use it... substitutes (and how!) DEBUG and SYMDEB*

Old PSP version 2.14 30.046 Ancient copy of Paint Shop Pro, useful for +ORC's lesson 9.2
ums1.zip 125.493 A very old (uncracked) strategic game, see +ORC's lesson 3 in order to crack it yourself
Peek version 11 11.492 String extracting useful utility, gets Unicode strings inside windoze's targets too
345.242 Hexeditor and more
watch.zip 19.890 Useful snooper utility by Mike Williams (Version 2)
40.624 Good old symdeb, what would we do without thee?

strings.zip 40.624 A Dos string utility that cuts the mustard

winshow.zip 57.958 fish a window through its width and height (Frog's Print modified version included :-)
cust.zip 1.459.190 The Customizer! Modify any window parameter! Send your own API calls! Play with grayed buttons! (Very easy Cinderella protection, ideal crack for newbies)
ucfpd114.zip 63K A very powerful unpacker (not for beginners though)
isdcc.zip 52K A powerful Installshield decompiler, by adq
4.620 grep! The dos ported unix command! You learn to use this well (and you understand how these 4000 bytes work) and you're almost a Perl/unix Fravia buff! :-)

A complete c compiler: turboc version 1 by Borland (594.717 bytes pkunzip with the -d option)

A complete disassembled disassembler for your jokes and pokes!
103 Kb Sang Cho's [pure C] "code for decoding": a complete disassembler with source code? Yeah!
66 Kb Sang Cho's win32program disassembler: a complete disassembler with source code? Yeah!

A complete exe to c (old and beta) renderer 217.923, an old experiment made in Jerusalem :-)
103.496 Windows Code Back disassembler... +ORC's recommended
Bizatch1 zip 96.674 The first WINDOWS95 virus! (Courtesy of Vlad) With source code!
Bizatch1 zip 96.674 Another copy
1.300.000 V 35b Russki GOOD Interactive Disassembler, the one that works with DOS4GW
200.122 Download it and crack it with +ORC's lesson 1
38.234 This solves the problem of the new exe-packers: interacts with softice
27.304 Donglespy: to start studying dongle_cracking in Windows 95 (BTW: it's "pipeta!")
30.234 As the name says (+ORC recommended)
gwbasic 60.436 A very old Microsoft basic interpreter (Version 3.2): what for? Who knows ;-)?
2?514 As the name says (+ORC recommended)
300.453 This is a copy of the IABROWSE.EXE program you should have cracked for the 1996 +HCU (see +ORC's lessons C1, C2 and C3), better than nothing, if you cannot find a complete CD-ROM with this protection scheme (You'll find ia.ini in my orc.htm page).
52.913 Show me my heaps!
22.711 You thought ps.exe was a good killer?
Mark Russinovich's register monitor!
102.536 Win95 OS is STUPID! Have a look at what happens at your monstrous register (deep inside windows 95) every time a program runs! (Can be pretty useful for our trade :-)!
516.442 Well, an INCREDIBLY useful tool for our trade! Don't forget to check the 'search' DLL facilities!
115.549 Not a tool: a very old (poor AI, yet very good for two humans) napoleonic strategic game! (needs quite some reverse engineering to find out its funny commands!)!
60.260 Well, virtual drivers need checking too!
Mark Russinovich's File system monitor!
94.324 Have a look at how many files are accessed every time a (suspect) program runs! (a really useful tool for our trade :-)
I was so excited about this very good program that I completely reversed it, see my filemon serie essays!


(c) Fravia 1995, 1996, 1997, 1998, 1999. All rights reserved


Bot Reversing and Trapping Techniques || Fravia+

botstart.htm Fravia explaining easy bots'reversing and trapping techniques



September 1999
This is a 'living' workshop on bots trapping and reversing, see my javascript page for "broad" site protection techniques.
As deep wrote in his bot-essay: "There are many Perl bots available on the net, but I'm fairly certain that you will not find one that does exactly what you want. There's also a convention among bot writers not to give bots to people who do not understand them - it's considered irresponsible. Of course, once you've learned how to build bots, you can be as irresponsible as you like". Exactly, and that is the reason you will find more knowledge only if you contribute and work on your own.

Study (on your own if possible) and then send contributions (like the very important essays below)



An introduction, an explanation, a "teaser" for those that did not know...
The term "bot" is, according to DeadelviS, short for "robot", which sounds much cooler than "program"

As Andrew Leonard explains, like mechanical robots, bots are guided by algorithmic rules of behavior - if this happens, do that; if that happens, do this. But instead of clanking around a laboratory bumping into walls, software robots are executable programs that maneuver through cyberspace bouncing off communications protocols. Strings of code written by everyone from teenage chat-room lurkers to top-flight computer scientists, bots are variously designed to carry on conversations, act as human surrogates, or achieve specific tasks - such as seeking out and retrieving information. And... bots can also be used as weapons.

(This section of mine regards web robots - spiders, wanderers, and worms. Cancelbots, Lazarus, Automoose. Chatterbots, softbots, userbots, taskbots, knowbots, mailbots. MrBot and MrsBot. Warbots, clonebots, floodbots, annoybots, hackbots, and Vladbots. Gaybots, gossipbots, gamebots. Skeleton bots, spybots, and sloth bots. Xbots, meta-bots. Eggdrop bots)

This Bot trapping (bot wars) section was started in May 1998

It's up to you to help us with your own work or not: it is my intention to offer you enough material on this page to allow you to start.
See: I'll NEVER charge money for accessing my site: I charge the only "money" that's worth something on this web of ours: knowledge!

I want you to contribute with YOUR knowledge!
Remember, if you build on other people's shoulders, you must offer your own shoulders for others to build upon!

Hey! How d'I get in?
You'll have to devise your own bot (and it better behave well, or else!)... try to dig it, please, because some of the first answers I'm getting from this section are disheartening! You should not just COPY an existing dull and simple bot, you should produce a good bot and send it to my main site (please tell me when, because I haven't got the time to check all the tracks :-) I'll (try to) trap it, have a look and, if it proves to be a good work, I'll publish your source code if you want me to... alternatively, if you prefer, you send me a good essay on "bot's wars" or "bot's design", or "bot's trapping", and I'll gladly publish it. But it better be good and YOUR OWN WORK (you'll have all the credit, as usual), should I find out that you copied stuff from somewhere without telling, I'll slowbomb you for quite a while... :-)

Hey! I wanna see a real bot in action before joining!
Yessir! And if you knew nothing of this stuff you'll be fascinated (and even if you already knew... :-)
Besides, this will show you ALSO a very important searching trick... see, old good Fravia+ already teaches you quite a lot even WITHOUT you getting into the "real" stuff... :-)
You'll now (at once if I were you) approach the "iliad" Searchbot (a very useful one, btw):


Yeah! I did it! I did it ALL!

Larry Jenkins (@Darth_Sideous)
2011-04-24 15:41
@sonyazink @ElyssaD I decided to go offline plus fb privacy policies are an issue, I'd say concern, and they are (cont)
Sonya Zink (@sonyazink)
2011-04-24 15:17
@Darth_Sideous may i ask what your reason(s) was? i got error 'not authorized' when trying to make wikileaks comments =( @ElyssaD #hug
Larry Jenkins (@Darth_Sideous)
2011-04-24 15:08
I quit last yr on May 31, now i use it only for black ops :-) RT @sonyazink: @ElyssaD my facebk boycot: 2/11 (cont)


Black Ops My A$$ Conversation Thread

cocktail.htm: Fravia's lost depot of cocktails and microprocessor prayers

CRACKERS' COCKTAILS & [other paraphernalia]


(Updated June 1999)

Submit your recipes, I'll publish them

(Apparently nowadays each cracker has a particular cocktail to suggest)

Crackers' cocktails

__+ORC's Martini-Wodka__

+ORC has described the preparation of his mythical "Zen" Martini-Wodka in his lessons at least 100 times; here, summarised for you, is his "HOW TO":
- Get a "highball" glass (cylindrical "milk" glass: holds about 200-285 ml.)
- Two ice cubes
- Dry Martini from Martini Rossi (1/3 glass)
- Wodka Moskowskaia (only russian Wodka will do) (1/3 glass)
- Schweppes Indian Tonic (1/3 glass)
- Lemon zest (from Malta???)
- Green Olive (from Tuskany ???)
Sip slowly, look at the data, meditate, crack anything in sight.

__Fravia's Traitor__

I'll give you the recipe of a very good cocktail, called "the Traitor" in the lagoons where I come from because you drink it happily till it's too late to stop:
- Orange Juice (use good oranges, not the sloppy spanish ones)
- Gin (Gordon Gin, nothing else)
- Nutmeg
- Honey
Well, the 4 ingredients should "disappear", i.e. Orange Juice and Gin should annihilate, and Nutmeg and Honey too. The perfect "Traitor" is a masterpiece of balance between the 4 ingredients... just try it, you'll love it. I believe it helps particularly when you try to find which call triggers a protection.

__Atheist's best__

Atheist (Atheist(at)usa(point)net) has not yet proposed so many good cracking tricks, but his cocktail is really fabulous, I tried it:
- Ice cubes
- 1/2 glass Wodka
- 1/6 glass Maraschino
- 2/6 glass Lemon Juice
You prepare now ANOTHER glass with champagne (only). Now pour and mix everything together: you'll get TWO glasses of this incredible cocktail. Atheist says that he can crack *everything* after one glass, and that he does not care if he cannot after both of them.

__ACP's Zombie__

Well, a good cracker (acp(at)xforce(point)net) proposes a good cocktail, here you go:
1) 1 kewl glass of russian vodka (of course :-)
2) 2 kewl ice-cubes...
3) a spoon of Chocolate Rum
4) 2 drops of fresh lemon
Mix it all up, and you're ready to go!

__Apathy's white russian__

Well, a nice one (Apathy(at)operamail(point)com), here you go with Apathy's own variation of the classic White Russian:
Take a good size glass (14 oz.) - basically a large milk glass and fill it as such:
- 1/4 Vodka (Russian is always the best - I can unfortunately only find Smirnov where I live)
- 1/4 Spiced Rum (I'm sure any brand will do, but I have always found Cruzan and Captain Morgan's to be the best)
- 1/4 Kahlua
- 1/4 Light Cream (heavy cream if you like really rich drinks)
- nutmeg
The nutmeg quantity varies from person to person... Hell, you can put an entire bottle in if you like (I can guarantee you will have a very interesting night if you do :-)
Sip your cocktail... sit back... put in some Pink Floyd... crack to your heart's content.

__Makoli's Makoli__

Well, who said that we should only drink 'western' cocktails? (makoli(at)hotmail(point)com) (a reality Fravia), gives us the following: Yes, that's right: makoli is the name of a drink! I guarantee it will cut through the murk of even the shadiest misinformation. Here's how to make your own. I'm sorry, the amounts aren't exact, but as you learn to drink it you'll also learn how to make it.
- raw rice - big bagful
- sugar - about equal in volume to the rice
- water - decide amount later
Wash the rice briefly, and grind it up into a powder. Though it doesn't really matter, the final size should be at least as small as a quarter of a rice grain. Mix the ground rice, sugar and lots of water, enough to cover the rice several times over. Cover and leave it all to stand until bubbles come. When it smells too strong to consider edible, it's ready!
Make sure to stir it before you pour it, and also to swirl it with your little finger periodically while you drink it. Otherwise the solid stuff settles out! See the beautiful cartoon by Moebius: "Escale sur Pharagonescia" to understand what would happen if you don't strikez your Koks, sorry, if you don't stir your Makoli... :-)

__NiTrO's two__

Well, chocolate and strawberry, like in the Cuban film... (NiTrO_real(at)yahoo(dot)co(dot)uk), gives us the following two cocktails:

NiTrO's Nitro
- 10 cl. Stroh 80
- Hot chocolate
- Whipped cream
- Rasped chocolate
Pour Stroh 80 and hot chocolate into coffee cup. Top with whipped cream, and put rasped chocolate aftertaste. Stir with teaspoon.
Type: Cocktail  Season: Winter  Temperature: Hot

NiTrO's Tender
- 5 cl Vodka (Russian, of course:)
- 5 cl Malibu liqueur
- 5 cl Raspberry juice (or strawberry)
- 5 cl Ananas juice
- 10 cl cream
Mix with crushed ice in shaker. Pour unstrained into highball glass. Serve with a straw.
Type: Cocktail  Season: All  Temperature: Cold

Other paraphernalia

Come to think of it, sipping our cocktails you may also pray to the x86 processors... here a nice one by Matt Pietrek:

Our Caller, who art on the stack frame
Hallowed be thy Parameters
Thy Address Space come
Thy I/O be done
In Registers, as it is in Memory
Give us this day our periodic timeslices
And forgive us our page faults
As we forgive those who pass invalid parameters
Lead us not to unconditional JMPs
But deliver us from segment registers
For thine is the Address Space, the Registers, and the I/O ports
Jmp $
Ret

Matt Pietrek, 1998

Not enough? Here you have the Ten Commandments for C Programmers by Henry Spencer (added in December 1998)
Not enough? Here you have the IN THE BEGINNING: History of Windows, proposed by Chimaera (added in June 1999)

"Indeed, La! 'tis a noble child; a crack, madam"
SHAKESPEARE: Coriolanus, I, iii.
(c) Fravia 1995, 1996, 1997, 1998, 1999. All rights reserved



The Team:

Mike Dammann

Kate Wina Mac (Her Group on Facebook)

Elyssa Durant, Ed.M. Certified by "Foundation for Health Coverage Information" (Follow her on Twitter)

Jude Vosika

Trevor (Follow him on Twitter)

For information on what is going on in the world around you, visit: - Truth Spread Like Fire

Project World Awareness

The World's Prophecy - Secret Societies And How They Operate

Mission Statement:

Our goal is to provide the world with a platform to exchange information, gather information, share information, clear up uncertainties, connect with the likeminded and find solutions together to move into the future without the enslavement planned for us by the global elite.

Copyright 2010 All Rights Reserved.

Saturday, April 23, 2011

Data breach fines can risk more harm than good, experts say


By George V. Hulme, CSO
April 22, 2011 09:56 AM ET

Are regulatory and security breach fines protecting the consumer, or beginning to unduly drive security policy? As penalties begin to be levied against organizations who have been attacked, or employees violated data policy, some experts now question whether the government is penalizing one of the victims in a crime, rather than helping to mitigate the risk of identity theft -- as the laws were first intended.

Consider the move by the Massachusetts Attorney General against restaurant chain owner the Briar Group LLC. A few weeks ago the attorney general announced that it reached an agreement with Briar Group to pay $110,000 in penalties. The settlement stems from allegations that the restaurant chain didn't adequately protect customer payment data after a malicious application was installed on its systems. The malware was on its network from April, 2009 through December, 2009. The allegations against the chain say that the group didn't change employee login information and continued to take credit and debit cards after it discovered the breach, this statement from the Massachusetts Attorney General says. The complaint also alleges that the chain failed to properly secure its remote access utilities and wireless network.



Certainly not security practices to applaud. However, experts contend that -- because of the inherently insecure state of applications and IT systems -- enterprises can have all of the right security technologies, policies, and procedures in place and still end up on the wrong end of a state action. "These database breach notification laws were not intended to set standards of care," says Mark Rasch, director of cybersecurity and privacy consulting at Computer Sciences Corporation. "They were initially intended to help consumers, who had their information breached, to avoid identity theft," he says.

"The fact is that you can do everything well, and be breached; or you can do nothing and suffer no recognizable breach," he adds.

Mike Wiltermood, chief executive officer at Enloe Medical Center, based in Chico, California, might agree. Enloe decided to fight a fine it received last year after it reported that the center had discovered that, on several occasions, the medical records of one patient were inappropriately accessed. The medical center says it discovered the violations through its own monitoring, investigated them, and self-reported the incident to California authorities. The result? The California Department of Public Health (CDPH) opted to fine Enloe anyway.

The center didn't think the state's actions were justified.

"Enloe Medical Center goes above and beyond the requirements of the law to protect patient privacy, which is the reason we were able to detect the breach," said Wiltermood in a statement. "From our perspective, Enloe Medical Center's early detection of the patient information breach, along with our long-standing safeguards and privacy processes, were not taken into consideration as the law clearly allows when CDPH chose to apply the $130,000 administrative penalty," Wiltermood said.
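The Enloe case turns on the center detecting the inappropriate accesses through its own monitoring. The following is an added example of the kind of audit-log review that makes such detection possible; it is not Enloe's actual monitoring and not code from the article. The audit log, the care-team assignments and the user names are constructed for the illustration. The check flags any read of a record by a user with no treatment relationship to the patient, counts repeated reads by the same user, and keeps documented "break-glass" (emergency) accesses out of the violation list but reports them separately for review.

```python
"""Audit-log review for inappropriate medical-record access (added example).

Input: a CSV audit log with timestamp, user, patient_id, action.
Policy (assumed for this example): a user may read a record only if they are
on the patient's care team; "break_glass" reads are permitted but must be
reviewed; ordinary "view" reads outside the care team are violations.
"""
import csv
import io
from collections import defaultdict

# Constructed sample audit log (not real data). clerk.ray is not on P1001's
# care team and reads that record three times; nurse.kim uses break-glass once.
SAMPLE_AUDIT_LOG = """\
timestamp,user,patient_id,action
2011-03-01T08:02:11,dr.lee,P1001,view
2011-03-01T08:05:40,nurse.kim,P1001,view
2011-03-01T12:14:09,clerk.ray,P1001,view
2011-03-02T09:30:55,clerk.ray,P1001,view
2011-03-03T17:45:02,clerk.ray,P1001,view
2011-03-03T17:50:13,dr.lee,P2002,view
2011-03-04T02:11:45,nurse.kim,P2002,break_glass
"""

# Constructed care-team assignments: patient_id -> users with a treatment relationship.
CARE_TEAM = {
    "P1001": {"dr.lee", "nurse.kim"},
    "P2002": {"dr.lee"},
}


def parse_audit_log(text):
    """Parse the CSV audit log into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def review_access(rows, care_team, repeat_threshold=2):
    """Classify each access against the care-team policy.

    Returns a dict with:
      violations: {(user, patient_id): count} for 'view' reads outside the care team
      repeated:   sorted list of (user, patient_id) whose violation count reached
                  repeat_threshold, i.e. the "several occasions" pattern
      break_glass: list of (timestamp, user, patient_id) emergency reads to review
    """
    violations = defaultdict(int)
    break_glass = []
    for r in rows:
        user, patient, action = r["user"], r["patient_id"], r["action"]
        authorized = user in care_team.get(patient, set())
        if action == "break_glass":
            # Permitted by policy, but every use is logged for human review.
            break_glass.append((r["timestamp"], user, patient))
        elif not authorized:
            violations[(user, patient)] += 1
    repeated = sorted(k for k, n in violations.items() if n >= repeat_threshold)
    return {
        "violations": dict(violations),
        "repeated": repeated,
        "break_glass": break_glass,
    }


if __name__ == "__main__":
    report = review_access(parse_audit_log(SAMPLE_AUDIT_LOG), CARE_TEAM)
    for (user, patient), n in report["violations"].items():
        print(f"VIOLATION {user} read {patient} {n} time(s) without a care relationship")
    for ts, user, patient in report["break_glass"]:
        print(f"REVIEW    break-glass read of {patient} by {user} at {ts}")
```

In a real deployment the care-team table would come from the scheduling or admission system, and the violation counts would feed the incident record that is later self-reported, which is the trail the center relied on in its dispute with CDPH.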

Denial of Service Attacks: A Hall of Shame


Distributed denial of service (DDoS) attacks like the ones that nailed WordPress blogs in early March have been around for decades, but it's only in the last dozen years that they've had enough impact to grab public attention.

With the rise and commercial availability of botnets, which provide a distributed platform from which to launch these attacks, the means to carry them out are readily accessible.

Due to the cost, though, they have to be carried out by a motivated adversary bent on harm since there is little way to reap monetary profit from them aside from blackmailing potential victims with threats of crippling their servers.

Here are some of the notable DDoS attacks of the past few years:

Windows PCs become tools for denial-of-service attacks

In 2000, DDoS attacks on Yahoo!, eBay, eTrade, and CNN were launched from commandeered Unix machines in businesses and universities, but a few weeks later the malware directing the attacks, called Trinoo, shifted to Windows PCs.

DDoS attack highlights 'Net problems

Internet root servers were attacked in 2002, but the attacks were blunted enough for the servers to recover without a major take-down of the Internet itself. After the attack, limits on the Internet Control Message Protocol (ICMP) messages these servers will accept were set to ensure that type of attack would not succeed in the future. The 13 root servers targeted run as the master directory for lookups that match domain names with their corresponding IP addresses.
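The mitigation described above is a per-source ICMP limit: a server keeps serving DNS while refusing ICMP from any source that sends more than it should in a short window. As an added example (not the root operators' actual filters and not code from the article), here is a sliding-window rate limiter applied to a constructed packet log. The window size, the threshold and the IP addresses are assumptions chosen for the illustration; DNS traffic is never limited, only ICMP.

```python
"""Per-source ICMP rate limiting over a packet log (added example).

Each packet is (timestamp_seconds, src_ip, protocol). For ICMP, a source may
have at most MAX_ICMP_PER_WINDOW accepted messages within any WINDOW_SECONDS
interval; further ICMP from that source is dropped until old entries age out.
Other protocols (e.g. DNS over UDP) pass untouched, so a flood of pings cannot
starve name resolution.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 1.0        # assumed window length
MAX_ICMP_PER_WINDOW = 5     # assumed per-source budget inside the window


class IcmpRateLimiter:
    """Sliding-window counter keyed by source address."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_ICMP_PER_WINDOW):
        self.window = window
        self.limit = limit
        self._accepted = defaultdict(deque)  # src -> timestamps of accepted ICMP

    def allow(self, ts, src):
        """Return True if an ICMP message from src at time ts is within budget."""
        q = self._accepted[src]
        # Age out accepted timestamps that fell outside the window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def filter_packets(packets, limiter=None):
    """Apply the limiter to a time-ordered packet list.

    Returns (accepted_packets, dropped_counts) where dropped_counts maps a
    source address to the number of ICMP messages refused from it.
    """
    limiter = limiter or IcmpRateLimiter()
    accepted = []
    dropped = defaultdict(int)
    for ts, src, proto in sorted(packets):
        if proto != "icmp" or limiter.allow(ts, src):
            accepted.append((ts, src, proto))
        else:
            dropped[src] += 1
    return accepted, dict(dropped)


# Constructed sample traffic (documentation-range addresses, not real hosts):
# one host sends 50 ICMP messages in half a second, another pings at a normal
# rate, and a resolver keeps sending DNS queries throughout.
SAMPLE_PACKETS = (
    [(0.01 * i, "198.51.100.7", "icmp") for i in range(50)]   # flood
    + [(0.30 * i, "203.0.113.5", "icmp") for i in range(4)]   # normal pinger
    + [(0.05 * i, "192.0.2.9", "udp") for i in range(20)]     # DNS queries
)


if __name__ == "__main__":
    ok, dropped = filter_packets(SAMPLE_PACKETS)
    print(f"accepted {len(ok)} packets; dropped ICMP by source: {dropped}")
```

With these assumptions the flooding host gets five ICMP messages through and the remaining 45 are refused, the normal pinger and every DNS query are untouched, and once a full window has passed without traffic the flooding source is served again, which is the behaviour you want from a limit rather than a permanent block.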

Estonia suffers massive denial-of-service attack

A spree of DDoS attacks against Web sites in Estonia in May of 2007 crippled Web sites for the prime minister, banks, and less-trafficked sites run by small schools. But most of the affected Web sites were restored quickly, and the government called for greater response mechanisms to cyber attacks within the European Union. Russia was accused of the attacks, but they could not be traced back to a single source there.

Storm worm strikes back at security pros

During the height of the Storm worm attacks in 2007, a security researcher revealed that the people behind it, or the worm itself, were launching DDoS attacks against researchers trying to figure out a way to defeat it. The worm was able to figure out which users were trying to probe its command-and-control servers, and it retaliated by launching DDoS attacks that shut down their Internet access for days, said Josh Corman, now an analyst with the 451 Group.

Georgia cyberattacks linked to Russian organized crime

DDoS attacks against the country of Georgia were seen as a way to soften up the country in preparation for a five-day military invasion by Russia in 2007. About a year later the U.S. Cyber Consequences Unit, an independent research institute, concluded the attacks were launched by Russian criminal gangs in sympathy with the Russian government.

Twitter DDoS attack politically motivated

DDoS attacks in August of 2009 that affected Twitter, Facebook, LiveJournal and several Google sites may have been an attempt to silence a blogger named Cyxymu from the Eastern European country of Georgia who was an outspoken supporter of his country. Facebook CSO Max Kelly has said the attack was coordinated to keep the blogger's voice from being heard.

Mikko Hypponen, the Chief Research Officer of Internet security firm F-Secure, said of the attacks, "Launching DDoS attacks against services like Facebook is the equivalent of bombing a TV station because you don't like one of the newscasters."

DDoS attack on DNS hits Amazon and others just before Christmas

Amazon Web Services servers were hit by a DDoS attack on Dec. 23, 2009, as North American consumers rushed to finish online shopping ahead of the end-of-year holiday season.

Anonymous takes down Visa in WikiLeaks protest

A loosely organized group of Internet hacktivists called Anonymous took down Visa's website on Dec. 7, 2010, after organizing similar attacks on Mastercard and PayPal. Anonymous had been encouraging volunteers to download software called LOIC (Low Orbit Ion Cannon), which let organizers centrally control these volunteers' systems and direct them into a DDoS. The point of the attacks was to put pressure on financial companies that had recently cut ties with the WikiLeaks website over its publication of more than a quarter million U.S. Department of State classified cables.
