Archive for the ‘Uncategorized’ Category

Moved to Blogspot

September 7, 2011

I finally decided to move on blogspot. So for Tutorials, News, Analysis and much more go to: http://antelox.blogspot.com

Bye bye WordPress!

Just another MSN’s fake address

May 30, 2010

Hi all

another fake address I have discovered these days. It’s of the same family of my first previous post regard this field.

The address today is: NikiaPortisienrh@hotmail.com

The behaviour is the same of the previous contacts analyzed other times. Let’s go to see a chat form:

As you can see after a couple of messages, the contact invites the victim to go to an address to see the pseudo-girlfriend in cam, after that the victim has accepted one invite. The link sended by the fake account is: http://shortlinks.co.uk/1mc3
This link redirects the victim at a main URL where the fraud acts: http://www.webcamcrush.com/StephiesAss20. This URL is presents also in Personal Message form.

As you can understand the page is the same of the other fake accounts of the previous analysis, as it had announced. Here a screenshot:

To the right there is a form to chat with the girl. So, typing ” Hi! “, you recive immediately an error which says: Error: You must complete age verification process to communicate with this member. Click here to verify your age!


The link “Click here to verify your age!” acts as a fake age verify, because it serves to accept the invite

infact clicking it we’ll redirect to this page:

Scroll down and you can see a classic registation form, which asks you Name, Surname, E-Mail, etc…

Here the screenshot regards the credit fraud:

So friends, this is all! Block and delete this address and similar!

See you in the next post. Bye. =)

Other fake MSN’s address

April 9, 2010

Hi,
I discovered other fake MSN’s address. There isn’t much to say because they are similar to the previous fake address. I will only tell you the address and their malicious site respectively.

margaretekuter24@hotmail.com –>
http://www.freecamlink.net/a2vhj –> redirect to
http://webcammunitylive.com/?i=fec3e5eea65247c then –>
http://webcammunity.com/cam/danielahot1/?AFNO=1-490

romabjorkman64@hotmail.com –>
http://www.freecamlink.net/a2vqg –> redirect to
http://webcammunitylive.com/?i=fec3e5eea65247c then –>
http://webcammunity.com/cam/Karlla/?AFNO=1-490

lavetakettinger70@hotmail.com –>
http://www.freecamlink.net/a2vpj –> redirect to
http://webcammunitylive.com/?i=fec3e5eea65247c then –>
http://webcammunity.com/cam/StrikingEyes/?AFNO=1-490

grazynaamistadi97@hotmail.com –>
http://www.freecamlink.net/a8n6r redirect to –>
http://webcammunitylive.com/?i=c97edfdd517d54a then –>
http://webcammunity.com/cam/Margie/?AFNO=1-497

Only one thing, the third url is always changing each time that you visit the first link. It redirect always to different girls. 😉

Bye, see you to the next post. =)

ARM Opcode

March 21, 2010

Strong ARM (SA1110) Opcodes

Command Hex Example
——————————————————————————————————–
B xxxxxxEA branch
BEQ xxxxxx0A b if zero (Z)
BNE xxxxxx1A b if not equal (-Z)
BGE xxxxxxAA b if greater or equal (N*V/-N*-V)
BHI xxxxxx8A b if higher (-C*-Z)
BLT xxxxxxBA b if less than (N*-V/-N*V)
BCC xxxxxx3A b if carry clear
BCS xxxxxx2A b if carry set
BVC .
BVS .
BPL xxxxxx5A
BMI xxxxxx4A b if negative, set N
BHS .
BLO .
BLS xxxxxx9A b if lower or same (C/Z)
BGT xxxxxxCA b if greater than (N*V*-Z/-N*-V*-Z)
BLE xxxxxxDA b if less or equal (Z/N*-V/-N*V)

00022714 B loc_22734 06 00 00 EA
000226B8 BLE loc_226E4 09 00 00 DA

——————————————————————————————————–

BL xxxx00EB
BLEQ xxxx000B

——————————————————————————————————–

MOV (reg,value) xxxxA0E3 Mov R1,#0 0010A0E3
Mov R0,#1 0100A0E3
MOVEQ (reg,value) xxxxA003 Moveq R5, #0 0050A003
MOVNE (reg,value) xxxxA013
MOVGE (reg,value) xxxxA0A3
MOVHI (reg,value) xxxxA083

7F 0C A0 E3 MOV R0, #0x7F00
27 3B A0 E3 MOV R3, #0x9C00

value = erste 2 bytes * mX (x = Byte 4)

m1 := $40000000;
m2 := $10000000;
m3 := $4000000;
m4 := $1000000;
m5 := $400000;
m6 := $100000;
m7 := $40000;
m8 := $10000;
m9 := $4000;
mA := $1000;
mB := $400;
mC := $100;
mD := $40;
mE := $10;
mF := $4;

——————————————————————————————————–

MOV (reg,reg) xxxxA0E1 Mov R4,R0 0040A0E1
Mov R7,R1 0170A0E1
MOVEQ (reg,reg) xxxxA001
MOVNE (reg,reg) xxxxA011

00 38 A0 E1 MOV R3, R0,LSL#16
23 38 A0 E1 MOV R3, R3,LSR#16

——————————————————————————————————–

MOVS R10, R11,ASR#31 CB AF B0 E1
MOVS R11, R1,ASR#31 C1 BF B0 E1

——————————————————————————————————–

CMP (reg,val) 00 00 53 E3
CMP R0,#0 00 00 50 E3
CMP R5,#0 00 00 55 E3
CMPEQ R3,#1 01 00 53 03

——————————————————————————————————–

CMP (reg,reg) xx xx 5X E1
CMP R0,R3 03 00 50 E1

——————————————————————————————————–

LDR R0,[R1,#0x38] 38 00 91 E5
LDR R0,[R5] 00 00 95 E5
LDR R2, [R3] 00 20 93 E5
LDR R1, [R6] 00 10 96 E5

LDRB R2,[R0,#2] 02 20 D0 E5

LDRSH R1, [R6,#0x54] F4 15 D6 E1
LDRSH R1, [R6,#0x56] F6 15 D6 E1

LDRSB R3, [SP,#2] D2 30 DD E1

——————————————————————————————————–

STR R0,[R7] 00 00 87 E5

STRB R1,[R0,R3] 03 10 C0 E7
STRB R11,[LR] 00 B0 CE E5
STRB R11,[LR,#1] 01 B0 CE E5

STRH R3, [R4,#0xC] BC 30 C4 E1
STRH R3, [R4,#0xE] BE 30 C4 E1
STRH R3, [R1] B0 30 C1 E1

——————————————————————————————————–

ORR R3,R3,#0xC 0C 30 83 E3
ORR R3,R3,#0x3C 3C 30 83 E3
ORRS R1, R1, #0x80 80 10 91 E3
ORRS R3, R2, R3,LSL#8 03 34 92 E1
ORRS R5, R2, R3,LSL#8 03 54 92 E1

——————————————————————————————————–

ADD R3, R2, R3 03 30 82 E0
ADD R2, R2, #1 01 20 82 E2
ADD R1, R1, #4 04 10 81 E2
ADD SP, SP, #4 04 D0 8D E2

——————————————————————————————————–

SUB SP, SP, #0x38 38 D0 4D E2
SUB R3, R11, R0 00 30 4B E0

——————————————————————————————————–

ANDS R3, R10, #0xFF FF 30 1A E2
ANDS R3, R0, #0xFF FF 30 10 E2

AND R10, R9, R10 0A A0 09 E0
AND R10, R4, R10 0A A0 04 E0
AND R11, R11, #0xF8 F8 B0 0B E2

——————————————————————————————————–

MUL R11, R2, R4 92 04 0B E0
MUL R9, R11, R3 9B 03 09 E0
MUL R0, R2, R0 92 00 00 E0

——————————————————————————————————–

RSBMI R10, R1, #0 00 A0 61 42
RSBGT R6, R1, R4 04 60 61 C0
RSBMI R4, R2, #0 00 40 62 42

——————————————————————————————————–

RET 0EF0A0E1

——————————————————————————————————–
Virtual NOP MOV R0, R0 00 00 A0 E1

LDREQ R3, [R7,#0x10] = 10 30 97 05
LDREQ R0, [R3,#0x8] = 08 00 93 05

From Fravia‘s site.

A fake MSN’s address

March 20, 2010

Hi all,
today, while I’m chatting through MSN with my friends, I received a invite to add in my contact list one contact. The contact is: rosaliareeves38@hotmail.com

Being curious, I accepted the invitation to try to understand if it were a real contact or a classic fake account.

So I’m starting a conversation with it saying: ” Hi “, and I received a very very fast reply which said: ” I know a way we can chat and have a better time.. do you cam? “. Is simple to understand that the answer to the question is the second ;).

I also noticed that as a personal message has a web address; http://shortlinks.co.uk/wuz

Going to this address we are redirected to another; http://www.mywebcamcrush.com/JessiesHotCam10

We can see that the site is about web chat which it calls to register to see through cam one girl named Jessica. There is also a false interactive chat with girl to the right.
Well, there is not to say anything but only stay away from this contact and this site which is obviously a classic scam site. =)

Bye, see you in the next post.

Hello World!!!

August 19, 2009

Hi all
this is first post in my blog.

I hope that you’ll found here many interesting posts; Reverse Engineering, Solutions for Malware and other malicious programs, Technical News and much more   😉

See you in the next post!!!

bye.