A fake MSN address

March 20, 2010

Hi all,
today, while I was chatting through MSN with my friends, I received an invitation to add a contact to my contact list. The contact is: rosaliareeves38@hotmail.com

Being curious, I accepted the invitation to try to understand whether it was a real contact or a classic fake account.

So I started a conversation with it by saying “Hi”, and I received a very, very fast reply which said: “I know a way we can chat and have a better time.. do you cam?”. It is easy to understand that the answer to the question is the second option ;).

I also noticed that its personal message contains a web address: http://shortlinks.co.uk/wuz

Going to this address, we are redirected to another: http://www.mywebcamcrush.com/JessiesHotCam10

We can see that the site is a web chat site which asks you to register to see a girl named Jessica via webcam. There is also a fake interactive chat with the girl on the right.
Well, there is nothing to say except: stay away from this contact and this site, which is obviously a classic scam site. =)

Bye, see you in the next post.

A way to work with SoftIce on XP SP3 through VMware

December 28, 2009

Hi to all,
after a couple of months I return to write on my blog…

This time I want to provide you with a very useful pack containing everything needed to work with SoftIce on XP SP3 through VMware.

Follow these steps:

1. Copy compuware.dat to your C:\windows\system32\drivers folder;

2. Start Autorun.exe and, while installing, use the serial: 7888-5842DD-DD (you can also use the keygen provided with this pack);

3. When you must choose between the 14-day trial option and selecting the license file, choose the license file, don’t choose the 14-day trial!
Set the path to: C:\windows\system32\drivers\compuware.dat
Finish the installation;

4. Restart;

5. Copy OSINFO.DAT to your C:\windows\system32\drivers folder and overwrite if it exists;

6. Disable DEP by modifying c:\boot.ini:

/noexecute=alwaysoff

7. Modify *.vmx:

svga.maxFullscreenRefreshTick = 5
vmmouse.present = "FALSE"

8. Copy dbghelp.dll and symsrv.dll to the C:\Programmi\Compuware\DriverStudio [or DriverSuite]\Softice\SymbolRetriever directory and overwrite if they exist;

Now run SIce and it’ll work [hopefully 😉] fine on NT and XP on VMware.

Here is the link to download the pack: SIce Pack

Thanks to all ExeTools members, but a special thanks to WhoCares!!!

Sorry for my bad English. 😛

Bye, see you in the next post =)

Win32Hlp for Windows 7 x86 and x64

October 1, 2009

As many people have noticed, Windows 7 can’t read .hlp files natively!!! A couple of days ago I found WinHlp for Windows 7 x86 and x64, so I decided to share it with you ;P

This is the link where you can download it: WinHlp

See you in the next post. =)

P-Code Opcodes List

September 28, 2009

I have backed up a database of P-Code opcodes so that it can help you and me to reverse VB programs compiled to P-Code.

Original URL: Database

HTML file backup: OpCode

See you in the next post!!!

Bye. =)

DLL Export Comparer

September 6, 2009

My friend Evilcry has released a new useful tool: DLL Export Comparer!!!

DLL Export Comparer can be used to diff DLLs and log the differences to a file.

It’s developed in Qt.

Here is a screenshot:

ExpComparer

Qt DLLs NOT INCLUDED!!!

You must have these 3 Qt libraries:
– QtCore4.dll;
– QtGui4.dll;
– mingwm10.dll.

DLL Export Comparer

Bye, see you in the next post. =)

Patch Diff 2: A useful plugin for IDA Pro

September 2, 2009

PatchDiff2 is a plugin for the Windows version of the IDA disassembler that can analyze two IDB files and find the differences between them. PatchDiff2 is free and fully integrates with the latest version of IDA (5.2).
The plugin can perform the following tasks:

  • Display the list of identical functions;
  • Display the list of matched functions;
  • Display the list of unmatched functions (with the CRC);
  • Display a flow graph for identical and matched functions.

The main purpose of this plugin is to be fast and give accurate results when working on a security patch or a hotfix. Therefore this tool is not made to find similar functions between two different programs.
PatchDiff2 supports all processors that IDA can handle and is available in two versions: 32-bit and 64-bit.

Patch Diff 2

See you in the next post!!!

Bye. 🙂

Virus Win32:Induc

August 20, 2009

Hi all,

this morning, while I was programming in Delphi with my Delphi 7 IDE, I noticed that the exe I had just compiled was detected by my AV as a virus.

My AV is Avast!, and the compiled exe was detected specifically as Win32:Induc.

Win32:Induc is a newly emerging threat, dated exactly 18/08/09.

I have googled and looked on my PC, and I can say this:

The virus first searches the registry for the RootDir key under HKLM\Software\Borland\Delphi\X.0\, which specifies the folder location of your Delphi IDE.

[X indicates the version of the Delphi IDE installed on your PC]

Once this is done, the virus infects the file SysConst.pas, a Delphi library source file located in Source\Rtl\Sys\.
It then searches for the \lib directory in Delphi’s root directory, copies SysConst.pas to the \bin directory and injects malicious code into it.

Then the virus renames the original Delphi library file \lib\SysConst.dcu to \lib\SysConst.bak.

In place of the original .dcu file, the virus invokes the Delphi compiler [bin\dcc32.exe] and compiles a new, infected SysConst.dcu library file.

Soon after, it erases the .pas file it had infected with malicious code, i.e. SysConst.pas, and sets the date and time of the new SysConst.dcu to the same date/time as the original file.

After all these things have been done, any project compiled with the Delphi IDE will be infected automatically.
Indeed, this is what happened to me 😛

I resolved this problem, or at least it seems so, in this way:

– I deleted both SysConst files, i.e. the .bak and the .dcu, from \lib;

– I copied the original SysConst.pas from the setup file folder back to the path \Source\Rtl\Sys, and it was compiled when I went to compile my project.

These two simple steps appear to have solved the problem; in fact, the compiled exe file was no longer detected as infected.
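The infection steps above leave traces a defender can check for: the original .dcu renamed to \lib\SysConst.bak, a recompiled .dcu that has been given the original’s timestamp, and a compiled unit whose hash no longer matches a clean install. The script below is an added example (not from the original post) that checks a Delphi root directory for these indicators; the directory tree and the “known-good” hash it runs against are constructed stand-ins, not real Delphi files.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import List, Optional

# Relative paths named in the post, under the Delphi RootDir from the registry.
PAS_REL = Path("Source/Rtl/Sys/SysConst.pas")   # library source
DCU_REL = Path("lib/SysConst.dcu")              # compiled unit every project links
BAK_REL = Path("lib/SysConst.bak")              # where Induc parks the original .dcu

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def check_delphi_root(root: Path, known_good_dcu_sha256: Optional[str] = None) -> List[str]:
    """Return the Induc-style indicators found under one Delphi root directory."""
    findings = []
    bak, dcu = root / BAK_REL, root / DCU_REL
    if bak.exists():
        # Indicator 1: the renamed original left behind by the virus.
        findings.append("lib/SysConst.bak present (original .dcu renamed)")
        if dcu.exists() and int(dcu.stat().st_mtime) == int(bak.stat().st_mtime):
            # Indicator 2: freshly compiled unit carries the original's timestamp.
            findings.append("SysConst.dcu mtime equals SysConst.bak mtime (timestamp copied)")
    if known_good_dcu_sha256 and dcu.exists() and sha256_of(dcu) != known_good_dcu_sha256:
        # Indicator 3: compiled unit no longer matches the copy from a clean install.
        findings.append("lib/SysConst.dcu hash differs from known-good unit")
    return findings

def build_constructed_root(infected: bool) -> Path:
    """Constructed sample tree (not real Delphi files) so the check runs stand-alone."""
    root = Path(tempfile.mkdtemp(prefix="delphi_"))
    (root / PAS_REL).parent.mkdir(parents=True)
    (root / DCU_REL).parent.mkdir(parents=True)
    (root / PAS_REL).write_bytes(b"unit SysConst; ... end.")
    (root / DCU_REL).write_bytes(b"CLEAN-DCU")
    if infected:
        (root / DCU_REL).rename(root / BAK_REL)            # original renamed to .bak
        (root / DCU_REL).write_bytes(b"INFECTED-DCU")      # recompiled replacement
        st = (root / BAK_REL).stat()
        os.utime(root / DCU_REL, (st.st_atime, st.st_mtime))  # timestamp copied over
    return root

# Stand-in for the hash of SysConst.dcu taken from a clean install (constructed value).
KNOWN_GOOD_DCU = hashlib.sha256(b"CLEAN-DCU").hexdigest()

if __name__ == "__main__":
    for flag in (False, True):
        label = "infected" if flag else "clean"
        print(label, check_delphi_root(build_constructed_root(flag), KNOWN_GOOD_DCU))
```

On a real machine, point `check_delphi_root` at the RootDir value read from the registry and supply the hash of SysConst.dcu from the installation media.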

That’s all for this time, see you in the next post 🙂

Bye.

Hello World!!!

August 19, 2009

Hi all,
this is the first post in my blog.

I hope that you’ll find many interesting posts here: Reverse Engineering, solutions for malware and other malicious programs, technical news and much more 😉

See you in the next post!!!

bye.