Underc0de / Re:Reto Oficial #3 - Codea tu IRC Bot y gana un Mini Arduino!
« en: Noviembre 27, 2013, 05:56:39 am »
Muy buena iniciativa
Suerte a los participantes


#ifndef __RA_ARRAY__
#define __RA_ARRAY__
#ifdef _MSC_VER
#include <intrin.h>
#endif
#include <cassert>
#include <chrono>
#include <cstddef>
#include <limits>
#define ULONG unsigned long
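template <typename T>
class random_access_array{
    // Number of usable slots in `buffer`; logical indices are permuted within [0, elements).
    const unsigned long elements;
    // LCG modulus: the smallest power of two >= elements (never 0). With a power-of-two
    // modulus the full-period conditions are simple (see hasFullPeriod) and the unsigned
    // wrap-around in `a*X + c` is harmless, because 2^width is a multiple of R.
    const unsigned long R;
    unsigned long a;      // multiplier: odd, and ≡ 1 (mod 4) once R >= 4
    unsigned long c;      // increment: odd
    T* buffer;            // borrowed, not owned; must outlive this object
    unsigned long mix;    // state of the small generator used to draw a and c

    // Smallest power of two >= n; 0 maps to 1 so the modulus is never 0.
    // Works for any width of unsigned long (the original's fixed shifts covered 32 bits only).
    static unsigned long nextPowerOf2(unsigned long n){
        if (n == 0)
            return 1;
        if ((n & (n - 1)) == 0)
            return n;
        for (int shift = 1; shift < std::numeric_limits<unsigned long>::digits; shift <<= 1)
            n |= (n >> shift);
        return n + 1;   // wraps to 0 only for n > 2^(digits-1); such sizes are not supported
    }

    // One step of the linear congruential generator X -> (a*X + c) mod R. R must be non-zero.
    static unsigned long LCG(unsigned long X, unsigned long a, unsigned long c, unsigned long R){
        return (a*X + c) % R;
    }

    // Pseudo-random value in [0, max), or 0 when max == 0 (the original divided by zero there,
    // which happened for elements <= 2). Quality only matters for obfuscation: not a CSPRNG.
    unsigned long randmax(unsigned long max){
        if (max == 0)
            return 0;
        mix = mix * 0x43FD43FDUL + 0xC39EC3UL;   // same constants as the original generator
        return mix % max;
    }

    // True when (a, c) give the LCG a full period over [0, R) (Hull-Dobell for a power-of-two
    // modulus): c odd, a odd, and a ≡ 1 (mod 4) once R is divisible by 4. Without a full
    // period two logical indices can land on the same slot and operator[] silently aliases.
    bool hasFullPeriod()const{
        if (R < 2)
            return true;
        if ((a & 1) == 0 || (c & 1) == 0)
            return false;
        return R < 4 || (a % 4) == 1;
    }

    // Physical slot for logical `index`: the (index+1)-th value below `elements` produced by
    // the LCG started at 0. With a full period this is a bijection on [0, elements).
    // Cost is O(index * R / elements) per call, so filling the whole array is quadratic.
    size_t getRealIdx(size_t index)const{
        assert(elements > 0 && index < elements);
        unsigned long X = 0;
        for (size_t step = 0; step <= index; ++step){
            do{
                X = LCG(X, a, c, R);
            } while (X >= elements);
        }
        return X;
    }
public:
    // Wraps `buffer` (at least `elements` slots, not owned) with freshly drawn LCG parameters.
    // The draw is time-seeded, so two instances built at different moments scramble
    // differently; an instance is only useful for reading back what it wrote itself.
    random_access_array(T* buffer, size_t elements) : elements(elements), R(nextPowerOf2(elements)), a(1), c(1), buffer(buffer),
        mix(static_cast<unsigned long>(std::chrono::high_resolution_clock::now().time_since_epoch().count())){
        // The original drew `a` odd and `c` ≡ 1 (mod 4), i.e. the two conditions swapped, so
        // half of the generated multipliers (a ≡ 3 mod 4) had a short period and aliased slots.
        a = 4 * randmax(R / 4) + 1;
        c = 2 * randmax(R / 2) + 1;
        assert(hasFullPeriod());
    }
    // Wraps `buffer` with caller-supplied parameters; the same (a, c) always yields the same
    // permutation, so data written through one instance can be read through another built
    // with the same constants. The constants are not a secret in any meaningful sense:
    // anyone with this class and (a, c) undoes the scramble - obfuscation, not encryption.
    random_access_array(T* buffer, size_t elements, unsigned long a, unsigned long c) : elements(elements), R(nextPowerOf2(elements)), a(a), c(c), buffer(buffer), mix(0){
        assert(hasFullPeriod());   // debug-time check that the supplied constants do not alias slots
    }
    // Element at logical index i (0 <= i < elements), stored at a scrambled physical slot.
    T& operator [](size_t i){
        return buffer[getRealIdx(i)];
    }
    // Read-only access; returns by value, as the original did.
    T operator [](size_t i)const{
        return buffer[getRealIdx(i)];
    }
};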
#endif//__RA_ARRAY__
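#define SIZE 573
// `ra` only borrows the storage; a plain array is released with the scope, whereas the
// original's `new int[SIZE]` was never deleted.
int storage[SIZE];
random_access_array<int> ra(storage, SIZE);
for (int i = 0; i < SIZE; i++)
    ra[i] = i;                          // logical index i lands in a scrambled physical slot
for (int i = 0; i < SIZE; i++)
    std::cout << ra[i] << '\n';         // reads back 0..572 in order; `storage` itself is shuffled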
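#define SIZE (sizeof(s) - 1)            // parenthesised: the original expanded unbracketed into expressions
// Fixed parameters (a = 5, c = 25) give a fixed permutation, so the literal below is just the
// message stored in scrambled slot order; the class plus the two constants undo it. That makes
// this obfuscation, not encryption - nothing here is secret.
char s[] = "!eru!akklccr !rza";
random_access_array<char> ra(s, SIZE, 5, 25);
for (size_t i = 0; i < SIZE; i++)
    std::cout << ra[i];                 // prints the characters in logical order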
; stdcall send(s, buf, len, flags): arguments are pushed right to left.
push 0h                 ; flags = 0
push SIZEOF sbuff       ; len = the whole sbuff, not only the bytes actually filled - confirm that is intended
push offset sbuff       ; buf = address of the data to send
push Socket             ; s = the connected socket handle
call send               ; bytes sent (or SOCKET_ERROR) come back in EAX; this fragment does not check it
'USER32
' Declares CallWindowProcW with a deliberately mismatched prototype: the first argument is
' passed ByRef, so the API receives the address of asm(0) where it expects a window-procedure
' pointer, and the remaining three arguments are presumably consumed by the stub as its own
' inputs (the stub source is only linked, not shown). This mismatched Declare is the
' load-bearing trick; see NanoInvoke.
Private Declare Function CallWindowProcW Lib "USER32" (ByRef first_asm As Currency, ByRef params() As Variant, ByVal lib As String, ByVal fnc As String, Optional ByVal null0 As Long = 0) As Long
'---------------------------------------------------------------------------------------
' Author : Karcrack
' Date : 12092013
' Credits: sonykuccio (http://hackhound.org/forums/topic/2790-vb6asm-%C2%B5callapi/)
'---------------------------------------------------------------------------------------
' NanoInvoke: calls the exported function sFnc from library sLib with the given params by
' running a small machine-code stub kept in the asm() Currency array (8 bytes per element).
' CallWindowProcW is only the vehicle that transfers control to that buffer: asm(0) is passed
' ByRef, so the API gets the array's address where it expects a window procedure. The stub
' source is only linked below (pastebin), not shown here.
' NOTE(review): the twelve Currency literals on the asm(k) lines were mangled by the forum's
' e-mail obfuscation ("[email protected]"), so the code bytes cannot be recovered from this page.
' Security note: this is a data-as-code execution primitive. It presumably only works while
' the process runs without DEP (the array lives in writable heap data) - verify - and any
' variant that fills asm() from untrusted input is an arbitrary-code-execution sink.
' Returns: whatever the target function leaves in EAX, as a Long.
Public Function NanoInvoke(ByRef sLib As String, ByRef sFnc As String, ParamArray params() As Variant) As Long
Dim asm(11) As Currency ' 12 elements x 8 bytes = 96 bytes of code
Dim p() As Variant
' An empty ParamArray has UBound -1; p then stays unallocated, presumably handled by the stub
If UBound(params) >= 0 Then p = params
asm(0) = [email protected]: asm(1) = [email protected]: asm(2) = [email protected]: asm(3) = [email protected]
asm(4) = [email protected]: asm(5) = [email protected]: asm(6) = [email protected]: asm(7) = [email protected]
asm(8) = [email protected]: asm(9) = [email protected]: asm(10) = [email protected]: asm(11) = [email protected]
' Transfer control to the stub; p, sLib and sFnc travel as the three remaining arguments
NanoInvoke = CallWindowProcW(asm(0), p, sLib, sFnc)
End Function
' ASM Code: pastebin.com/5gnLv7xn
' Example calls: a MessageBoxW (hWnd 0, text "test", caption "karcrack", type 0),
' then ExitProcess(0). StrPtr passes the address of the UTF-16 buffer the W API expects.
Call NanoInvoke("user32", "MessageBoxW", 0, StrPtr("test"), StrPtr("karcrack"), 0)
Call NanoInvoke("kernel32", "ExitProcess", 0)
;use32
; Karcrack - 190713
; NotEmulated: returns EAX = 1 when the far-call mode switch below is honoured (32-bit code
; running under a real x64 kernel, where selector 0x33 is presumably the 64-bit code segment)
; and EAX = 0 when the same bytes are decoded straight through as x86. The explanation that
; follows this listing shows both decodings.
proc NotEmulated
; Build the far-return frame [EIP = ret, CS = 0x23] that the final `retf` uses to come back.
push cs ;//put 0x23 in stack
call to64
ret
to64:
; 0x00CB0033: low word 0x0033 is the selector; the 0xCB byte at offset 3 of this 5-byte
; push imm32 encoding is a `retf` opcode.
push $CB0033 ;//put 0x33 in stack
; Calls into the middle of the push above, i.e. onto that 0xCB byte: the retf pops the
; return address and selector 0x33 and lands on the next instruction in 64-bit mode.
call to64 + 3 ;//call to retf
use64
; Read as x86 (no mode switch), the same bytes are the instructions in the comments.
xor rax, rax ;//DEC EAX; XOR EAX, EAX
inc rax ;//DEC EAX; INC EAX
retf ;//Back to x86
endp
; The two 64-bit instructions from NotEmulated shown alone: EAX ends as 1.
xor rax, rax
inc rax
Y luego, si las desensamblamos como si fuese x86, veremos que se transforman en:
dec eax
; The same bytes decoded as x86, preceded by the `dec eax` shown just above (which is how the
; REX.W prefix byte 0x48 disassembles in 32-bit mode): EAX ends as 0.
xor eax, eax
dec eax
inc eax
El prefijo que indica que se trata de un registro de 8 bytes, visto como x86, es "dec eax". Se observa que, si las instrucciones se ejecutan en x64, devuelven 1 en EAX, pero si se ejecutan en x86 devuelven 0.
xor eax, eax
; `lea` only computes an effective address; the FS: segment override takes no part in it, so
; with EAX = 0 this leaves EAX = 0x30 rather than the value stored at FS:[0x30]. The note that
; follows calls the prefix superfluous for that reason.
lea eax, [FS:eax+$30]
ret
El prefijo es superfluo...
; Reads the 32-bit value at FS:[0x30] by routing it through the x87 stack instead of a direct
; `mov eax, fs:[0x30]`. On 32-bit Windows that TEB slot holds the PEB pointer - presumably
; what this is after; the page does not say.
push $30
pop eax                 ; EAX = 0x30
push eax                ; reserve a 4-byte stack slot (its value is overwritten below)
fld dword[FS:eax]       ; ST(0) <- dword at FS:[0x30], interpreted as a single-precision float
fstp dword[esp]         ; store it back as 32 bits into the slot and pop ST(0)
pop eax                 ; EAX = the 32-bit value
ret
; NOTE(review): the x87 round-trip is not bit-exact for every pattern - a dword whose
; single-precision encoding is a signalling NaN (exponent all ones, bit 22 clear) is quietened
; on load, so bit 22 comes back set. Typical user-mode addresses do not hit this, but it is not
; a general-purpose copy.