
Reverse Engineering Win32 Trojans on Linux

michael posted more than 11 years ago | from the clean-room dept.

Programming 86

slackrootcyc writes "A post (and previous article) give a detailed examination of the reversing process, using a trojan found in the wild. Later on in the story it discusses some techniques for reversing Windows-native code entirely under Linux."


86 comments


Another reason why linux sucks! (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4686904)

w00t (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4686905)

Strange is our situation here on earth. Each of us comes for a short visit, not knowing why, yet sometimes seeming to divine a purpose. From the standpoint of daily life, however, there is one thing we do know: that man is here for the sake of other men -- above all for those upon whose smiles and well-being our own happiness depends.
-- Albert Einstein

I wish I had (non-computer) viruses (-1, Troll)

PhysicsScholar (617526) | more than 11 years ago | (#4686908)

I don't use Win32 platforms or do virus work, but I use GNU/Linux and can't get a girlfriend, no
matter what I do. From what I can tell, not too many of you have girlfriends
either; I must make it clear right now that I do not want advice from you. I am
seeking the advice of those who have consensual, regular, heterosexual
intercourse with a well adjusted woman.

You may be wondering why I placed so many restrictions on the type of sexual
intercourse. Being a GNU/Linux user, I can get all the men I want, but my ass
hurts from years of anal sex. I am tired of pillow-biting. I have met women at
Linux User Groups (LUGs) but they didn't want sex the way I wanted it - they
brought their strap on and rode my chute like the men did. The date would end
with her taking me to a gay bar and selling my ass to a drunk and bearded
kernel hacker.

I am convinced, therefore, that I need to meet women that do not use GNU/Linux.

I have tried dating regular women, but find it hard to make conversation. I was
surprised that regular women do not give a shit about Free Software or the
Microsoft monopoly which leaves me with nothing to discuss. Some women tried to
talk about the weather, but I don't keep up with the weather from my mum's
basement.

I have had some success, I dated one girl several times. She picked me up from
home, mum liked her. I am sure dad would have too, but he left us soon after I
installed Slackware on the family computer. I can still hear him crying and see
him moping around the house, saying "I knew he was different; I could handle a
gay son, but this .... a fucking GNU/Linux hippy". He sounded so defeated. She
wanted to go to the beach, but my skin is not adjusted to the sun and my skin
peels while at the beach. This was not a turn on for her and when she came back
to my mum's basement that night we were going to have sex but the raw skin was
too much for her.

Going out at night for a meal can be difficult too; all restaurants refuse to
serve smelly GNU/Linux hippies. The only place we can go for food is the
McDonald's drive through, but she doesn't like waiting in her car in the heat of
the day when I tend to smell the most. She doesn't like the stares she gets
from the drive through staff.

I could go on, but I won't. I now seek your advice.

Re:I wish I had (non-computer) viruses (-1, Offtopic)

Luke-Jr (574047) | more than 11 years ago | (#4686936)

Stop your pervertedness and become a true nerd, not a geek (half-human, half-nerd)! Nerds don't WANT girlfriends. On the other hand, does anyone know a safe way to move into the Wired/internet and leave the so-called "real world"?

Re:I wish I had (non-computer) viruses (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4687229)

Stop your pervertedness and become a true nerd, not a geek (half-human, half-nerd)! Nerds don't WANT girlfriends. On the other hand, does anyone know a safe way to move into the Wired/internet and leave the so-called "real world"?

I believe this is accomplished by hooking live electrical lines into your arms and neck, and then sitting in a puddle of water. If your sister comes in the room, just look blankly at the monitors and mumble.

fp (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4686910)

fp suck it clay

i love you

Hi (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4686917)

Hi

Win32 Trojans... (4, Funny)

JessLeah (625838) | more than 11 years ago | (#4686922)

...the condoms that bluescreen.

Where do you want to Put It Today?(TM)

on a related note (0, Flamebait)

Anonymous Coward | more than 11 years ago | (#4686926)

on a related note:

http://news.com.com/2100-1001-965916.html [com.com] CNET reports hackers infest tcpdump distribution with trojan.

This just goes to show that Windows is just as vulnerable as Linux.

Re:on a related note (2, Interesting)

Luke-Jr (574047) | more than 11 years ago | (#4686954)

Maybe, except that these things are rare on Linux and when they happen, they're nearly always a trojan. They happen a lot more often on Windoze and most of them there are chaotic viruses.

Re:on a related note (0)

Anonymous Coward | more than 11 years ago | (#4687152)

Linux comes with a lot of applications that aren't generally considered a "part" of the OS. If you count vulnerabilities in those applications as being vulnerabilities in Linux then you must count vulnerabilities in third-party applications for Windows as being vulnerabilities in Windows.

The great thing about Security Focus... (5, Informative)

Anonymous Coward | more than 11 years ago | (#4686942)

They're completely unbiased. New IIS hole? Here's the story. New Apache hole? Here's the story. All objective, no "M$ suX0rs!!!1".

Re:The great thing about Security Focus... (5, Informative)

PhysicsScholar (617526) | more than 11 years ago | (#4686951)

The not-so-great thing about Security Focus is that their Web servers can't handle 10,000 hits in 10 minutes.

So, here's the text of the article just in case:


Reverse Engineering Hostile Code
by Jon Stewart
last updated October 23, 2002

Computer criminals are always ready and waiting to compromise a weakness in a system. When they do, they usually leave programs on the system to maintain their control. We refer to these programs as "Trojans" after the story of the ancient Greek Trojan horse. Often these programs are custom compiled and not widely distributed. Because of this, anti-virus software will not often detect their presence. It also means information about what any particular custom Trojan does is also not generally available, so a custom analysis of the code is necessary to determine the extent of the threat and to pinpoint the origin of the attack if possible.

This article outlines the process of reverse engineering hostile code. By "hostile code", we mean any process running on a system that is not authorized by the system administrator, such as Trojans, viruses, or spyware. This article is not intended to be an in-depth tutorial, but rather a description of the tools and steps involved. Armed with this knowledge, even someone who is not an expert at assembly language programming should be able to look at the internals of a hostile program and determine what it is doing, at least on a surface level.

Tools Required

As with most types of engineering, you'll need some tools. We'll cover tools native to both Unix and Windows. While Unix is the ideal platform to perform the initial reverse engineering process, you can still make do on Windows, especially if you install tools such as Cygwin, a Unix environment that runs on Win32 platforms. Most of these commands are also available for Windows when running Cygwin. However, when you get to the decompile/disassemble/debug steps ahead, going the Windows route will cost a lot of money, whereas the Unix solutions are all free. Be sure to weigh the costs of working on Windows versus the benefits before making it your reverse-engineering platform of choice.

Some useful commands are:

dd - byte-for-byte copying of raw devices. Useful to perform analysis on a compromised system's hard drive without affecting the integrity of evidence of the intrusion.
file - tries to identify the type of a file based on content
strings - outputs the readable strings from an executable program.
hexedit - allows you to read and edit binary files
md5sum - creates a unique checksum for a file for comparison
diff - outputs differences between files
lsof - shows all open files and sockets by process
tcpdump - network packet sniffer
grep - search for strings within a file

Compressed Executables

Trojans are often compressed with an executable packer. This not only makes the code more compact, it also prevents much of the internal string data from being viewed by the strings or hexedit commands. The most commonly used executable packer is UPX, which can compress Linux or Windows binaries. There are several other packers available, but they are typically Windows-only. Fortunately, UPX is one of the few that also provide a manual decompression to restore the original file. This prevents us from having to use advanced techniques to decompress the file into its original format.

In an ordinary executable, running the "strings" command or examining the Trojan with hexedit should show many readable and complete strings in the file. If you only see random binary characters or mostly truncated and scattered pieces of text, the executable has likely been packed. Using grep or hexedit, you should be able to find the string "UPX" somewhere in the file if it was packed by UPX. Otherwise you may be dealing with one of the many other executable packers. Dealing with these other formats is beyond the scope of this article, but you can find resources to help work with these files.

Decompiling

Occasionally you will get lucky and find that the Trojan was written in an interpreted or semi-interpreted language such as Visual Basic, Java or even compiled Perl. There are tools available to decompile these languages to varying degrees.

Visual Basic - There is a decompiler floating around the Net for VB version 3. For newer versions, there are no decompilers known, but you can use a tool such as Compuware's SmartCheck to trace calls in the program. While its output is not a source code listing, you can see just about everything the program is doing internally.
Java - There is the excellent decompiler jad, which decompiles to a complete source code listing which can be recompiled again. Several other java decompilers are also known to exist.
Perl - Perl programs compiled into Windows executables can be reduced to their bare script using exe2perl.

Disassembly

If the Trojan was written in a true compiled language, you'll have to bite the bullet and disassemble the code into assembly language. For Unix executables, objdump is the way to go. For Windows executables, you'll want IDA Pro or W32dasm. There is a free version of IDA that is just as powerful as IDA Pro but has a console-based interface. These programs will disassemble your code, then match up strings in the data segment to where they are used in the program, as well as show you separation between subroutines. They will attempt to show you Windows API calls by name instead of by offset. This kind of output is known as a deadlisting, and can give you a good idea of what the program is doing internally. The GNU objdump program does not provide such useful features, but there is a perl-based wrapper for objdump called dasm, which will give you much of the same functionality as the Windows disassemblers.

Debuggers

While a deadlisting can be quite valuable, you will still want to use a debugger to step through the program code, especially if the Trojan is communicating via network sockets. This gives you access to the memory and temporary variables stored in the program, as well as all data it is sending and receiving from socket communications. On Unix, gdb is the debugger of choice. It has a long history on Unix, is well documented, and best of all, is available free of charge. Under Windows, the choices are far more varied, but most tutorials on reverse engineering under Win32 assume you are using SoftICE. It does cost a fair amount of money, but is worth getting if you can afford it.

Preparing to Debug

You must take precautions when running hostile code, even under a debugger. You should never debug a Trojan on a production network. Ideally, you should set up a lab network, as shown in figure 1.

Figure 1: A typical debugging network

The debug system should have a clean install of whatever OS the Trojan is intended for, with a second box acting as a firewall. A third system on the network allows you to emulate services and capture the network traffic generated by the Trojan. Capturing this traffic can be invaluable in tracing the source of the infection. Ensure that you firewall all outbound connections, allowing only the Trojan's control connection through. If you don't want the master controller to know your lab network is running the Trojan, you can set up services to mimic the resources the Trojan needs, such as an IRC or FTP/TFTP server.

Stepping Through the Code

Now that we have constructed a proper quarantined lab environment, we can begin debugging the code. Using the deadlisting, we look for key functions in the program, such as Winsock and file I/O calls. The debugger allows us to set breakpoints in the program based on offset values, so we can interrupt the flow of the program and examine the program memory and CPU registers at that point. The remainder of this article will look at an example of how such a debugging session might look on an x86 Linux platform.

Running the Debugger

We want to know how the Trojan communicates with its controller. Often, sniffing the network traffic will be sufficient. However, many newer Trojans are incorporating encryption into their network traffic, making network sniffing a lost cause. However, with some cleverness we can grab the messages from memory before they are encrypted. By setting a breakpoint on the "send" socket library call, we can interrupt the code just prior to the packet being sent. Then, by getting a stack trace, we can see where we are in the program. For example, the Trojan source code might look something like:

/* encrypt output to master */
elen = encrypt(crypted, buf, len);
/* write crypted output to socket */
send(s, crypted, elen, 0);

Examining the compiled Trojan in gdb might give us the following output [note that the bracketed statements represent the author's comments on the output]:

[test@debugger test]$ gdb ./Trojan
GNU gdb 5.2.1-2mdk (Mandrake Linux)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License,
and you are welcome to change it and/or distribute copies of
it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty"
for details.
This GDB was configured as "i586-mandrake-linux-gnu"...
(no debugging symbols found)...
(gdb) set disassembly-flavor intel [Switch syntax output from AT&T]
(gdb) b send [Set a breakpoint on the "send" library call]
Breakpoint 1 at 0x400f5c10
(gdb) run
Starting program: /home/test/Trojan

Breakpoint 1, 0x400f5c10 in send () [We hit a breakpoint]
(gdb) where [Do a stack trace to see where we are at in the program]
#0 0x400f5c10 in send () from /lib/i686/libc.so.6
#1 0x080487fa in socket ()
#2 0x40040082 in __libc_start_main () from /lib/i686/libc.so.6

The above output from the "where" command in gdb shows us the offset each subroutine will return to after execution. Since we know that the "send" call was right after our encrypt call, we need only to examine the previous subroutine, which encompasses the return offset 0x080487fa. We are interested in the assembly language code just prior to this offset. Using gdb, we can disassemble the code at this point.

(gdb) disas 0x080487d2 0x080487fa
Dump of assembler code from 0x80487d2 to 0x80487fa:
0x80487d2 : call 0x8048804
0x80487d7 : add esp,0x10
0x80487da : mov DWORD PTR [ebp-836],eax
0x80487e0 : push 0x0
0x80487e2 : push DWORD PTR [ebp-836]
0x80487e8 : lea eax,[ebp-824]
0x80487ee : push eax
0x80487ef : push DWORD PTR [ebp-828]
0x80487f5 : call 0x8048534
End of assembler dump.

We see that just prior to the call to "send", there was a call to 0x8048804. In reality, this is our "encrypt" subroutine. When programs are stripped of their symbols, gdb is often confused about where subroutines begin and end, so it continues the name of the last one it recognizes for all following subroutines, often the previous dynamic library call. In this case, it is mislabeled as being part of the "socket" function.

To examine the contents of the unencrypted packet, we need only know how the "call" instruction works. The arguments to our subroutine were pushed onto the "stack", a place where temporary data and return offsets are stored. We can access the contents of the variables by setting a breakpoint on the call and then using an offset from an internal CPU register known as the stack pointer, ESP. ESP+4 will be a pointer to the first argument, ESP+8 will be a pointer to the second argument, ESP+12 will be a pointer to the third argument, and so forth. Just keep poking at the stack until something useful comes up. In this case, the useful information (the plaintext data) is in the second argument to "encrypt". Let's set a breakpoint at the encrypt call, and examine the stack [again, the bracketed statements represent the author's comments on the output]:

(gdb) b * 0x80487d2 [Set a breakpoint on the "encrypt" call]
Breakpoint 2 at 0x80487d2
(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/test/Trojan
(no debugging symbols found)...
Breakpoint 2, 0x080487d2 in socket ()
(gdb) x/x $esp+8 [Get the offset of the second argument ESP+8]
0xbffff5e4: 0x0806fe20
(gdb) x/fs 0x0806fe20 [Examine the contents of the memory at 0x0806fe20]
0x806fe20: "root pts/0 Oct 11 14:22\n"

From this output we can see that the Trojan is reporting back on who is currently logged on to the system. Of course, it could send any kind of data; network packet captures, keystroke logs, etc. Fortunately, we have our network set up so this traffic will be redirected to the sniffer host instead.

Conclusion

The Trojan above is not real. Had it been an actual Trojan, we might have followed additional courses of action. Oftentimes a Trojan will use established channels such as IRC to reach its master. We can take advantage of this fact, and use it to track down the source of the attack, even gaining control of the entire network of Trojaned hosts if the Trojan writer has been careless. If the Trojan uses FTP to update itself, you might find additional code on the FTP server and possibly clues to the identity of the Trojan writer.

Although we've only scratched the surface of reverse engineering, you should be able to take the basic information above and put it to work. Read the documentation for your debugger; you'll be surprised at how powerful it can be, and how much it can tell you, even if you're not the best at reading assembly code. If it seems overwhelming at first, don't give up hope. The payoff can be quite gratifying. During one reverse-engineering session the author of this article found the real name of the Trojan author unintentionally embedded in the program's source code (hint: don't write Trojans in VB when logged in to your NT workstation at work). With a quick trip to Google the author's email address and picture were available, posted to a VB discussion site. One "whois" later and his home address and phone number were found. Somewhere in Brazil, a Trojan writer slaps his forehead and says (in Portuguese), Doh!
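The strings and grep "UPX" checks the article describes for spotting a packed binary, as an added Python example that is not the article's code or anything from Security Focus: it extracts readable strings the way strings(1) does, measures how much of the file they cover, looks for the literal "UPX" marker, and adds one heuristic beyond the article, the Shannon entropy of the bytes, which still flags a compressed section when the marker has been edited out, the evasion a later comment in this thread describes. The sample inputs are constructed here, not taken from any real Trojan, and the thresholds are assumptions.

```python
"""Packer triage for a suspect executable: automates the strings / grep "UPX"
checks from the article, plus a byte-entropy heuristic added here.
Constructed example; not the article's code. Thresholds are assumptions."""
import math
import re


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII at least min_len long, as strings(1) prints them."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def string_density(data: bytes, min_len: int = 4) -> float:
    """Fraction of the file covered by readable strings; a packed file scores low,
    which is the 'mostly truncated and scattered pieces of text' symptom."""
    if not data:
        return 0.0
    return sum(len(s) for s in extract_strings(data, min_len)) / len(data)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for a constant file up to 8.0 for a flat histogram;
    compressed or encrypted regions sit near the top."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_upx_marker(data: bytes) -> list:
    """Offsets of the literal 'UPX' string, the grep/hexedit check in the article.
    An empty list is not proof of anything: the marker is trivial to edit out."""
    return [m.start() for m in re.finditer(rb"UPX", data)]


def triage(data: bytes, entropy_threshold: float = 7.0,
           density_threshold: float = 0.05) -> dict:
    """Combine the checks into one verdict to record before attempting an unpack."""
    ent = shannon_entropy(data)
    dens = string_density(data)
    upx = find_upx_marker(data)
    likely_packed = ent >= entropy_threshold or dens < density_threshold
    return {
        "entropy": round(ent, 2),
        "string_density": round(dens, 3),
        "upx_offsets": upx,
        "likely_packed": likely_packed,
        # 'unknown' covers a packed file whose marker is gone or never existed
        "packer_hint": "UPX" if upx else ("unknown" if likely_packed else "none"),
    }


# ---- constructed samples (no real malware bytes) --------------------------
ELF_HEADER = b"\x7fELF\x01\x01\x01" + b"\x00" * 9   # first 16 bytes of an ELF file

# Unpacked look-alike: intact strings of the kind a Trojan's deadlisting shows.
PLAIN_SAMPLE = (ELF_HEADER
                + b"connect\x00send\x00recv\x00"
                + b"USER %s PASS %s\x00irc.example.invalid\x00" * 8
                + b"\x00" * 64)

# Stand-in for a compressed section: a byte permutation repeated 16 times gives
# the flat histogram and absence of readable strings that packed data shows.
COMPRESSED_LOOKALIKE = bytes((i * 167 + 13) % 256 for i in range(4096))

# Packed look-alike with the UPX marker intact right after the ELF header.
PACKED_SAMPLE = ELF_HEADER + b"UPX!" + COMPRESSED_LOOKALIKE

# Same file with the signature edited to "DLL", the evasion a later comment describes.
PACKED_NO_MARKER = PACKED_SAMPLE.replace(b"UPX!", b"DLL!", 1)

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE),
                       ("packed, marker edited", PACKED_NO_MARKER)):
        print(f"{name:22s} {triage(blob)}")
```

On a real sample, an "unknown" verdict with high entropy is the cue to look for a packer other than UPX, which the article leaves out of scope.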

Re:The great thing about Security Focus... (2)

Istealmymusic (573079) | more than 11 years ago | (#4687085)

Using grep or hexedit, you should be able to find the string "UPX" somewhere in the file if it was packed by UPX.
This is unreliable. The "UPX" signature can be changed to anything; perhaps "DLL", and UPX will refuse to unpack it. Furthermore, it may be difficult to identify that the executable was packed with UPX, therefore hindering decompression once more. Security through obscurity does not work!

Re:The great thing about Security Focus... (0)

Anonymous Coward | more than 11 years ago | (#4687727)

wow, what a pointless comment.

Re:The great thing about Security Focus... (0)

Anonymous Coward | more than 11 years ago | (#4688341)

I don't mean to be rude here, but anyone who knows enough to be able to be attempting to manually unpack an EXE in the first place is going to be able to tell what it's compressed with, "signature" changed or not. And where, exactly, did you hear that changing the "signature" would still allow the program to run? You know, being that it has to decompress itself when you run it, and thus would be looking for said string to identify where it's supposed to start? Do a little research, please.

Re:The great thing about Security Focus... (2)

Istealmymusic (573079) | more than 11 years ago | (#4688535)

I've done my research. The signature-verification-check routine in the main UPX unpacker can be altered to allow the check to pass if the signature-verification-check routine does in fact exist, but it does not. Thank you for your time.

Violation of the DMCA!! (5, Funny)

SuperDuG (134989) | more than 11 years ago | (#4686949)

hehehehe wonder if Symantec and Network Associates will sue for having their code reverse engineered ...


wait a minute anti-virus software makers don't make virii, what was I thinking

Re:Violation of the DMCA!! (1, Interesting)

Anonymous Coward | more than 11 years ago | (#4686972)

They actually do make some of the viruses. (Which is plural of virus.) But they don't make the trojans. The trojans are made so that people can gain remote access to your computer for a few reasons. Either they want your hdd space or they want personal information about you. Even something as benign as VNC or Radmin can be turned to the "dark side."

Re:Violation of the DMCA!! (2, Funny)

Istealmymusic (573079) | more than 11 years ago | (#4687114)

Even something as benign as VNC or Radmin can be turned to the "dark side."
As well as a benign utility such as SubSeven or NetBus.

Re:Violation of the DMCA!! (1, Funny)

Anonymous Coward | more than 11 years ago | (#4689641)

and several cows (that is plural of cow) roamed the farms.

Re:Violation of the DMCA!! (0)

Anonymous Coward | more than 11 years ago | (#4706058)

Correction: Several cowii roamed the farms.

Re:Violation of the DMCA!! (1, Insightful)

Anonymous Coward | more than 11 years ago | (#4689930)

"virii" is perfectly acceptable hacker speak [tuxedo.org]

Uh Oh... (3, Funny)

nothing safe (626252) | more than 11 years ago | (#4686952)

*GASP* Does this mean that the cat is out of the bag with that top secret trojan known as 'Sub7'?

On Mac OS-X (3, Interesting)

Anonymous Coward | more than 11 years ago | (#4686958)

I know a Windows underground group which is converting M$ Windows trojans to Mac OS-X. They just think it's cool - that's their motivation. I don't see what's so cool in it..

Re:On Mac OS-X (0)

Anonymous Coward | more than 11 years ago | (#4688870)

Thank god you were AC for that, otherwise I'd have a name to put along side the picture of "stupid" in the dictionary. Oooooh, a Windows "underground group." Let me guess, they hang out in, say, #l33th4X0rzzzzzz on EFNet, and though they all claim to be "hackers" they're really just hosting a few warez FTP's?

I know these types (0)

Anonymous Coward | more than 11 years ago | (#4689152)

I've met them in real life. Usually they're boys in their mid teens, totally psychopathic, obsessed with being 'cool', and take joy in the whole badness of the cr4ck0r groupy thing. These boys do a lot of damage, so as much as you may demean them for being the idiots they are, they're still going to do their vandalism.

Make Win32 Trojans Open Source (4, Funny)

Slashdotess (605550) | more than 11 years ago | (#4686960)

This is why we should be coding everything in Open Source. The fact is, in this highly dynamic internet society today Trojans can hide their code to prevent security professionals from doing their job. When we finally open source these trojans, our software will become more secure because programmers from around the world can work on making the trojans and the programs they affect faster, better, and more secure.

Currently, trojans are badly written because of their inherent proprietary nature. Using something like sourceforge a multitude of coders can be simultaneously working on different parts of a trojan while the open source community can review, debug and test the code for infectioness effectiveness.

Only when we make Trojans open source will we realize that our computer controlled Oil tankers across the world will be safe from Da Vinci.

Re:Make Win32 Trojans Open Source (1)

Istealmymusic (573079) | more than 11 years ago | (#4687063)

When we finally open source these trojans, our software will become more secure because programmers from around the world can work on making the trojans and the programs they affect faster, better, and more secure.
ADM is way [cert.org] ahead [ciac.org] of [slashdot.org] you [slashdot.org] man.

Re:Make Win32 Trojans Open Source (1)

sirshannon (616247) | more than 11 years ago | (#4687148)

but what about those of us who make our livings writing proprietary trojans for anti-virus companies?

Re:Make Win32 Trojans Open Source (1)

sco08y (615665) | more than 11 years ago | (#4689029)

but what about those of us who make our livings writing proprietary trojans for anti-virus companies?

Are you a US citizen? If so, you can get lucrative defense contracts protecting Homeland Security against cyber-terrorism.

Re:Make Win32 Trojans Open Source (2)

Rasta Prefect (250915) | more than 11 years ago | (#4687160)

Err....You mean something like this [sourceforge.net] ?

Re:Make Win32 Trojans Open Source (2)

Ryan Amos (16972) | more than 11 years ago | (#4687511)

Yeah but BO2k has a legit use. Not that many people really use it for that...

Too bad no one here cares about ASM... (5, Troll)

SexyKellyOsbourne (606860) | more than 11 years ago | (#4686962)

This is some pretty neat stuff: the author details how to find a needle in a haystack for a virus establishing a TCP connection from nothing more than raw disassembly, and then how to use breakpoints in the WINE program to get gdb to work with it.

Though you can do that with a simple netstat, it opens up ways to find everything else about the trojan, too, without the risk of raping your native environment Windows system.

Too bad most nu-geek slashdotters would rather hear about someone putting a neon rope light inside their computer case.

Re:Too bad no one here cares about ASM... (0, Offtopic)

Brightest Light (552357) | more than 11 years ago | (#4686985)


Too bad most nu-geek slashdotters would rather hear about someone putting a neon rope light inside their computer case.

word.

SEE YOU IN METAMOD, ASSFUCK!!! (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#4687421)

dont forget to mod this shit down, too

Re:Too bad no one here cares about ASM... (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4686989)

Your opinions always tear into other people and normally aren't based in fact. And that picture you link makes me wanna lose my breakfast. Try to stay on topic.

Re:Too bad no one here cares about ASM... (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4687165)

The problem with this guy is he posts something intelligent, then trolls. Do I mod him up for the intelligent part, or down for the troll?

Actually, I'll post to prevent myself from being able to moderate! Problem solved.

Re:Too bad no one here cares about ASM... (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4687123)

whoa, neon lights inside the computer? that's fuckin' cool... where can I find out more? Does microsoft sell it?

ps. Kelly Osbourne is goddamn FUGLY.

Re:Too bad no one here cares about ASM... (2, Interesting)

OneEyedApe (610059) | more than 11 years ago | (#4687173)

I've been here a little over a month and this is far more interesting than any case modding story that I've seen. This is the sort of article that I read slashdot for.

You have to admit that this is hard stuff... (0)

Anonymous Coward | more than 11 years ago | (#4687241)

Not everyone can hack the kernel, and not everyone can disassemble win32 code and make sense out of it.

One thing that Windows has over Linux is that no one ever implies that you shouldn't be running Windows just because you don't know C++.

Re:You have to admit that this is hard stuff... (1)

runderwo (609077) | more than 11 years ago | (#4688295)

One thing that Windows has over Linux is that no one ever implies that you shouldn't be running Windows just because you don't know C++.
Who the hell ever implied that? If they did, they are a complete moron and do not represent anyone else's views.

B.G.A.T. ****TROLL ALERT**** (0)

Anonymous Coward | more than 11 years ago | (#4687534)

B.G.A.T. (Billy Goats Against Trolls) is proud to announce that SexyKellyOsbourne has made our most wanted list. Normally it is pretty hard for us to prove our case against such people. But Ms. Osbourne has taken special care to ensure that the world knows she is a troll. Example #1 Right from her own journal [slashdot.org]. As much as B.G.A.T. would like to take credit for this, it does all come right from the troll's mouth! That one wasn't enough to convince you? How about This one? [slashdot.org] And then there is this one [slashdot.org]. She has also taken a moment to tell her something about herself [slashdot.org]. A quick glance at her posting History tells it all. Here is one of my favorites [slashdot.org]. Just have a look at the people on her FOE LIST [slashdot.org]. She has to go! So please take this time to spend just one mod point to keep this genital wart on society out of sight. MOD HER DOWN AS A TROLL!!!! Not because I said so, but remember she is a self confessed troll.

Mod parent up! (1)

ThePeeWeeMan (77957) | more than 11 years ago | (#4690499)

I have no idea why this was modded as a troll, cause it definitely does give you some insight into:
(a) writing your own trojans =P
(b) doing analysis and stuff inhouse without any consultants being needed.

Magic Patch (5, Informative)

taviso (566920) | more than 11 years ago | (#4686966)

I made this little patch a few days ago to /etc/magic, it can detect when an executable has been packed with upx (works against latest 1.90 release)

--- magic.orig 2002-11-16 20:43:02.000000000 +0000
+++ magic 2002-11-13 12:54:09.000000000 +0000
@@ -1793,6 +1793,7 @@
>>16 leshort 1 relocatable,
>>16 leshort 2 executable,
>>16 leshort 3 shared object,
+>>0x79 string UPX UPX compressed,
# Core handling from Peter Tobias <tobias@server.et-inf.fho-emden.de>
# corrections by Christian 'Dr. Disk' Hechelmann <drdisk@ds9.au.s.shuttle.de>
>>16 leshort 4 core file
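Review bot: the new `>>0x79 string UPX UPX compressed,` rule keys on a fixed offset that the post only claims to work for the UPX 1.90 Linux stub, so it should carry a comment saying so, in the style of the attribution comments right below it, since a different release may place the signature elsewhere and the rule would then silently stop matching. It also only fires when the "UPX" string is intact, and a comment earlier in this thread already points out that the string can be edited to something like "DLL", so a file reported without "UPX compressed," is not thereby shown to be unpacked. A style point: placing the line after `>>16 leshort 4 core file` would keep the four ELF type entries contiguous.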

example output:
$ file ./counter
./counter: ELF 32-bit LSB executable, UPX compressed, Intel 80386, version 1 (Linux), statically linked, stripped
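The same rule, reimplemented as a stand-alone check so the mapping from magic offsets to bytes is visible. This is an added example, not taviso's patch and not part of file(1): it decodes the ELF ident bytes and e_type (offset 16, little-endian short, exactly as the `>>16 leshort` lines do) and then applies the fixed-offset compare at 0x79 from the patch. The ELF-like header is constructed in `build_sample()` to exercise the rule; it is not a real binary.

```python
import struct

# Offset and encodings taken from the magic patch above.
UPX_MARKER_OFFSET = 0x79
ELF_MAGIC = b"\x7fELF"
E_TYPE_NAMES = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core file"}
EI_CLASS = {1: "32-bit", 2: "64-bit"}
EI_DATA = {1: "LSB", 2: "MSB"}


def describe(data: bytes) -> str:
    """Return a file(1)-style one-line description for the given bytes.

    Only the fields the magic rule cares about are decoded: the ELF ident
    bytes, e_type, and the fixed-offset "UPX" marker.
    """
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return "data"
    cls = EI_CLASS.get(data[4], "unknown-class")
    order = EI_DATA.get(data[5], "unknown-order")
    fmt = ">H" if data[5] == 2 else "<H"        # e_type is in the file's own byte order
    (e_type,) = struct.unpack_from(fmt, data, 16)
    desc = f"ELF {cls} {order} {E_TYPE_NAMES.get(e_type, 'unknown type')}"
    # The rule is a plain fixed-offset string compare: a binary that happens
    # to carry these three bytes at 0x79 is reported as packed as well, and a
    # packer release with a different stub layout is missed.
    if data[UPX_MARKER_OFFSET:UPX_MARKER_OFFSET + 3] == b"UPX":
        desc += ", UPX compressed"
    return desc


def build_sample(e_type: int, packed: bool) -> bytes:
    """Constructed ELF-like header for exercising the rule (not a real binary)."""
    buf = bytearray(0x100)
    buf[0:4] = ELF_MAGIC
    buf[4] = 1                                  # EI_CLASS = ELFCLASS32
    buf[5] = 1                                  # EI_DATA  = ELFDATA2LSB
    struct.pack_into("<H", buf, 16, e_type)     # e_type, little-endian short
    if packed:
        buf[UPX_MARKER_OFFSET:UPX_MARKER_OFFSET + 3] = b"UPX"
    return bytes(buf)


if __name__ == "__main__":
    print(describe(build_sample(2, True)))      # ELF 32-bit LSB executable, UPX compressed
    print(describe(build_sample(3, False)))     # ELF 32-bit LSB shared object
    print(describe(b"MZ\x90\x00"))              # data
```

Run it against a real file with `describe(open(path, "rb").read())`; the point of the example is that the whole "detection" is three bytes at one offset, which is why the reviewer's caveats about layout shifts and accidental matches matter.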

Re:Magic Patch (0)

Anonymous Coward | more than 11 years ago | (#4689919)

finger me for my gpg key

EWWW!!

No!

Well, OK

Trojan Writers (5, Funny)

Dakisha (526733) | more than 11 years ago | (#4686970)

And in further news, trojan writers worldwide file a DMCA suit against linux users for circumventing their security and reverse compiling their intellectual property ;)

haiku (0, Redundant)

bobtheprophet (587843) | more than 11 years ago | (#4686983)

We are 1337 h4x0rs.
Reverse engineering
trojans like crazy.

Re:haiku (0)

thinkninja (606538) | more than 11 years ago | (#4687023)

Beautiful :)

Reverse engineering with WINE (5, Informative)

jeroenb (125404) | more than 11 years ago | (#4686994)

I've used WINE quite extensively and I would say if you want to reverse engineer a piece of Win32 code WINE might be the best way to do it on Linux. On the other hand, so much is either not implemented or only implemented halfway, I wouldn't really consider my WINE-based findings to be an objective assessment of what a piece of code would do once actually run on a system based on an original version of Windows.

I don't really see why you'd go through all the trouble of using Linux to reverse a Win32-trojan. The only argument the author of the two linked articles gives is that all related development tools on Linux/Unix are free. However, if you just want to poke around some code without producing optimized binaries, you can get cheap versions of MS Developer Studio (so-called "Learning Editions") as well.

I mean, this kind of stuff is complicated enough without the possible hassle of having your environment messed up because of some incomplete emulator.

Re:Reverse engineering with WINE (2, Informative)

Anonymous Coward | more than 11 years ago | (#4687091)

Or you could use WinDBG, which MS provides for free. The gdb commands used in the article are almost exactly the same as used for WinDBG.

Re:Reverse engineering with WINE (1)

Istealmymusic (573079) | more than 11 years ago | (#4687124)

Typo? The above posting should say "WinGDB".

Re:Reverse engineering with WINE (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#4689050)

Shut up, dumbass, WinDBG is MS's system level debugger, much like WinICE (aka SoftIce) but
with an uglier, more clumsy interface.

Re:Reverse engineering with WINE (5, Interesting)

IamTheRealMike (537420) | more than 11 years ago | (#4687412)

Actually the missing parts of Wine are now mostly common controls or desktop components. For debugging low level stuff, Wine is invaluable as it can show you exactly what API calls a program is making, with parameters, filtered according to type.
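Wine's relay channel (`WINEDEBUG=+relay`) prints every API call a program makes with its arguments and, on return, its return value; the per-DLL filtering the parent describes is easiest done by post-processing that trace. The following is an added example, not Wine's own tooling: a small parser over relay-style lines that pairs each Ret with its Call, pulls out string arguments, and tallies calls per DLL. The trace lines, thread id, addresses and the traced program are all constructed for this example and only approximate Wine's real output format.

```python
import re
from collections import Counter

# Constructed relay-style trace, modelled on WINEDEBUG=+relay output. Thread
# ids, addresses and the program being traced are made up for this example.
SAMPLE_TRACE = r"""
0009:Call KERNEL32.GetModuleHandleA(00000000) ret=00401012
0009:Ret  KERNEL32.GetModuleHandleA() retval=00400000 ret=00401012
0009:Call KERNEL32.CreateFileA(0040a010 "C:\\windows\\temp\\x.dat",40000000,00000000,00000000,00000002,00000080,00000000) ret=00401055
0009:Ret  KERNEL32.CreateFileA() retval=00000044 ret=00401055
0009:Call ADVAPI32.RegCreateKeyExA(80000002,0040a040 "Software\\Microsoft\\Windows\\CurrentVersion\\Run",00000000,00000000,00000000,000f003f,00000000,0012ff50,00000000) ret=004010a3
0009:Ret  ADVAPI32.RegCreateKeyExA() retval=00000000 ret=004010a3
0009:Call WS2_32.socket(00000002,00000001,00000006) ret=004010f0
0009:Ret  WS2_32.socket() retval=00000048 ret=004010f0
0009:Call WS2_32.connect(00000048,0040a0c0,00000010) ret=00401110
0009:Ret  WS2_32.connect() retval=ffffffff ret=00401110
"""

CALL_RE = re.compile(
    r"^(?P<tid>[0-9a-f]+):Call (?P<module>\w+)\.(?P<func>\w+)\((?P<args>.*)\) ret=(?P<ret>[0-9a-f]+)$")
RET_RE = re.compile(
    r"^(?P<tid>[0-9a-f]+):Ret\s+(?P<module>\w+)\.(?P<func>\w+)\(\) retval=(?P<retval>[0-9a-f]+) ret=(?P<ret>[0-9a-f]+)$")
# Quoted string arguments as the relay prints them (backslashes kept escaped).
STR_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_relay(text: str) -> list:
    """Turn relay lines into call records, pairing each Ret with its Call.

    Calls are matched to returns per (thread, module, function) with a stack,
    so nested or recursive calls to the same API resolve correctly.
    """
    records, pending = [], {}
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            rec = {"tid": m["tid"], "module": m["module"].upper(), "func": m["func"],
                   "args": m["args"], "strings": STR_RE.findall(m["args"]), "retval": None}
            records.append(rec)
            pending.setdefault((rec["tid"], rec["module"], rec["func"]), []).append(rec)
            continue
        m = RET_RE.match(line)
        if m:
            stack = pending.get((m["tid"], m["module"].upper(), m["func"]))
            if stack:
                stack.pop()["retval"] = m["retval"]
    return records


def calls_by_module(records: list, modules=None) -> Counter:
    """Count calls per MODULE.function, optionally restricted to a set of DLLs."""
    wanted = None if modules is None else {mod.upper() for mod in modules}
    return Counter(f'{r["module"]}.{r["func"]}' for r in records
                   if wanted is None or r["module"] in wanted)


def failed_calls(records: list) -> list:
    """Heuristic: calls that returned all-ones (INVALID_HANDLE_VALUE / SOCKET_ERROR)."""
    return [r for r in records if r["retval"] == "ffffffff"]


if __name__ == "__main__":
    recs = parse_relay(SAMPLE_TRACE)
    for rec in recs:
        print(f'{rec["module"]}.{rec["func"]} -> {rec["retval"]} {rec["strings"]}')
    print(calls_by_module(recs, {"ws2_32", "advapi32"}))
    print([r["func"] for r in failed_calls(recs)])
```

Filtering by module is the cheap first pass when triaging a sample: file, registry and socket DLLs tell you what the program touches before you read a single instruction, and the string arguments give you paths and key names to look for on a real infected host.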

Coming soon! (1, Funny)

Anonymous Coward | more than 11 years ago | (#4687031)

With any luck, the anti-virus companies will soon start to figure out how to write linux viri...

They've done a darn good job on win32! Just imagine the amount of work they've put in... Especially when all you need is the following options:

o Remove .Exe attachments
o Remove .Com attachments
o Remove embedded (inline) e-mail files.

But wait, that'd be too easy!

Re:Coming soon! (1)

Istealmymusic (573079) | more than 11 years ago | (#4687228)

You forgot PIF, BAT, SHS, VBS, and JS attachments.

Re:Coming soon! (0)

Anonymous Coward | more than 11 years ago | (#4687767)

You talk too much.

http://developers.slashdot.org/comments.pl?sid=45244&cid=4687228
http://developers.slashdot.org/comments.pl?sid=45244&cid=4687124
http://developers.slashdot.org/comments.pl?sid=45244&cid=4687114
http://developers.slashdot.org/comments.pl?sid=45244&cid=4687085
http://developers.slashdot.org/comments.pl?sid=45244&cid=4687063

Re:Coming soon! (2)

Istealmymusic (573079) | more than 11 years ago | (#4687926)

Point taken.

Re:Coming soon! (0)

Anonymous Coward | more than 11 years ago | (#4688287)


o ???????
o Profit!

Not a big deal. But could get expensive. (2, Troll)

FreeLinux (555387) | more than 11 years ago | (#4687035)

Doing assembly dumps on object code isn't terribly exciting. Doing this on trojans is perhaps even less so, even on Linux.

But, referring to doing this on native Windows code is not a good idea at all. Remember the EULA, simply having the Windows code on your disk constitutes acceptance of the EULA and reverse engineering by assembly dumps is explicitly defined as a violation of the EULA. In other words you are setting yourself in a position for major legal problems.

The only legitimate way to reverse engineer software is the method used by the Samba team. You must look at the input and look at the output and then determine your OWN method of achieving the same result.

This is the only legal way to do it. If you even glance at an assembly dump of the actual software, you are no longer virgin. Thus ANYTHING that you produce afterwards that even vaguely resembles the operation of the original software will place you in a losing position, legally.

Avoid assembly dumps of MS code!

Re:Not a big deal. But could get expensive. (1)

chrisseaton (573490) | more than 11 years ago | (#4687127)

And how many trojans come with EULAS? I don't think your argument applies here...

Re:Not a big deal. But could get expensive. (0)

Anonymous Coward | more than 11 years ago | (#4687244)

He's probably referring to various MS DLLs that the viruses may use. Those most likely fall under those crazy MS EULAs.

Re:Not a big deal. But could get expensive. (0)

Anonymous Coward | more than 11 years ago | (#4687664)

no need to reverse-engineer those, they're fully documented and said docs are there for the reading on msdn.microsoft.com

Re:Not a big deal. But could get expensive. (3, Interesting)

Ninja Master Gara (602359) | more than 11 years ago | (#4687330)

Reverse engineering is protected indirectly by laws in other countries that override the EULAs, since those clauses are not valid under the state laws.

Russian crackers would happily tell you all about this, just like they happily tell the owners of the software they've cracked when they're slapped with Cease and Desists.

no hysteria, please (5, Insightful)

g4dget (579145) | more than 11 years ago | (#4687400)

But, referring to doing this on native Windows code is not a good idea at all. Remember the EULA, simply having the Windows code on your disk constitutes acceptance of the EULA and reverse engineering by assembly dumps is explicitly defined as a violation of the EULA. In other words you are setting yourself in a position for major legal problems.

Don't believe everything you read. Just because Bill Gates writes into the EULA that you'll work as his towel boy if you open the box doesn't mean you are actually legally obligated to.

The only legitimate way to reverse engineer software is the method used by the Samba team. You must look at the input and look at the output and then determine your OWN method of achieving the same result.

Sorry, but you don't know what you are talking about. That is not "the only legitimate way".

Thus ANYTHING that you produce afterwards that even vaguely resembles the operation of the original software will place you in a losing position, legally

Oh, please, stop the hysteria. These things need to judged on a case-by-case basis. I frankly doubt that reverse engineering a trojan/virus will get you into hot water with Microsoft's EULA.

Re:no hysteria, please (0)

Lisias (447563) | more than 11 years ago | (#4690990)

Well...

United States is well known for allowing a rich entity to sue common people to bankruptcy. Not that this doesn't happen around here, anyway... 8-(

If you give M$ a good excuse to sue you, it doesn't matter who is right in the end: you will end up with your life ruined. The rule of thumb is: do what you want, but don't tell other people about it. Or at least don't tell who you are.

Re:no hysteria, please (2)

xanadu-xtroot.com (450073) | more than 11 years ago | (#4691586)

Just because Bill Gates writes into the EULA that you'll work as his towel boy if you open the box doesn't mean you are actually legally obligated to.

"Piss Boy, wait for the shake... [splash]... [ploink] Your tip is in the bucket."

Misinterpreting "Windows Native" (0)

Anonymous Coward | more than 11 years ago | (#4687460)

I believe what the submitter meant by "Windows native code" was code compiled to run on a Windows platform, not specifically code written by (or owned by) Microsoft. Most Linux tools I know of primarily operate on ELFs/cores/etc. compiled for Linux. Being able to debug/examine binaries compiled to run on Windows without having a Windows box handy (or without wanting to risk it, or without wanting to use it for whatever reason) is useful.

5, Insightful ?!? (0)

Anonymous Coward | more than 11 years ago | (#4687610)

Moderators PLEASE come to your senses !!! This is such an *obvious* troll.

OT and way over rated (0)

Anonymous Coward | more than 11 years ago | (#4688898)

This is about vir... forget it, not even wasting my time, the subject says it all... karma whore

New Trolltalk Address REVEALED! (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4687042)


Plea for forgiveness... (Score:0)
by Anonymous Coward on Saturday November 16, @02:46PM (#4686623)
I have a problem.

I used to be a regular at geekizoid. I make no excuses -- at the time it was a fun place. People posted random thoughts... nonsense articles... flamed each other with wanton abandon. It wasn't full of stuck up dickless wonders like certain other sites. Amazing as it may sound now, this haven of juvenile fun was hosted by Vladinator, aka Scott Lockwood, aka Fat Fucking Loser.

Things changed, of course, because nothing involving a brain-dead obesity like Lockwood can remain fun for long. Sure enough, the drooling fat fool tried to make geekizoid into a more "serious" site, and offer commercial hosting to other piss-poor attempts at slash/scoop sites -- amusing to anyone familiar with the long history of hilarious incompetence shown by the band of half-wits administering his systems. It is at this point that anyone bar a few determined Lockwood mockers and his pet cock-suckers left *.geekizoid for good.

This is my problem. I was once a geekizoidian. I now hate and despise Lardinator and all those associating with him. How do I remove this taint from my soul and rejoin the troll brotherhood? Am I doomed to wander, anonymously, the wastelands of 20721, forever excluded from decent troll society?

Please help. [ezboard.com]
[ Reply to This | Parent ]
!!Troll Gespräch Auswahlsterndatum JETZT (Score:0)
by Anonymous Coward on Saturday November 16, @02:19PM (#4686455)

Collection Stardate di Trolltalk TODAY (Score:-1, Troll) from Anonymous Coward the 16 saturday November, @12:02PM (# 4685796) That is pathetic (Score:0) from gnillort (myslashdotemailaccount@yahoo.com) the 16 saturday November, @10:5ÂM (# 4685513) (customer #617577 Info | last newspaper: Wednesdays October 23, @07:53PM) rather than it eliminates the infuence of Vlad that crapflooding and the cabal/AVT/CUNT/CLIT/Klerck that crapflooding, yo [ the fatasses of slashdot.org]u are based here. I have an alternative perfectly good [ ezboard.com ] all the putting to point. Why not diagli a test? [ answer to this | parent ] YOOOOU Is TEH GAY! (Score:0) from Anonymous Coward the 16 saturday November, @10:4ÀM (# 4685454) in A.D. Faggotry 2002 was beginning. AV3: Which thing happens? Boy 1 Of The Telephone: Someone them pump on boy 2 of the extremity telephone: We do not obtain lubricating AV3: That what! Boy 2 Of The Telephone: Hard main turn AV3 of the tap: He is You!! Vlad: As you are fagmasters!! Vlad: All your females are belong to we Vlad: You are on the sense to the dead women from AIDS AV3: That what you say!! Vlad: You do not have probability to survive smoke your Vlad pole: IT HAS HAS HAS HAS.... AV3: It removes every AV3 ' cockring ': You know that what you that fairies AV3: It moves ' jizcatcher ' the AV3: For justice great [ answer this | parent ] to 1 January 2003: daily count down. (Score:0) from Anonymous Coward the 16 saturday November, @07:01AM (# 4684935) the count down: 45 days [ answer to the srings of this trolltalk | of the parent ] to life! (Score:0) from Anonymous Coward the 16 saturday November, @06:49AM (# 4684907) who on earth could carry therefore unexpected of tide-fluctuates of the vitalità of new to this justification cruddy for a sid secret? why, momochrome naturally! 
only its brightness could possibly king-corroborate therefore condition sad of the degeneration and to newly breathe the new life within this justification weak person for a troll collective. All hail the momochrome! [ answer to srings of this | the parent ] Re:trolltalk to life! (Score:0) from Anonymous Coward the 16 saturday November, @06:59AM (# 4684931) moreover, "of tide-fluctuates of the vitalità" had been continuous for a enough sure time before that the sig. Momochrome has been sormontato with the jealousy that popolano was speaking about someone except he and decided therefore to throw its hat in the ring. It is nothing. Washed - in on-state. To the day today, who even remembers itself of who Momochrome was? The sure one not sweeping in order to remember itself of and has been in the hardcore of troll-scene of Slashdor from when before the scene has existed. Momochrome was a famous one to piè of page of the a-line to page 4,275 of the history of trolling and the greater part of people has not been taken care to read that page, and many less notes to piè of page. Momochrome who? Not squilla one flange [ answer to srings of this | the parent ] Re:trolltalk to life! (Score:0) from Anonymous Coward the 16 saturday the November, @07:0ÃM excuses (# 4684944) Excuses \A*pol"o*gy \, n.; pl. Excuses. [ apology of the L., gr.; from +: cfr. apologies of the F.. See Apologetic. ] 1. Something said or written in the defense or the justification of that what appears badly to others, or of that what can be responsible to the disapprobation; justification; axis, excuses of the Tertullian for christianity. It is not my intention to excuse for mine poem; some will think it do not have need of justification and others will not receive any. -- Dryden. 2. An acknowledgment planned like atonement for one sure observation or improper or injurious action; an admission to an other of a wrong one or a discourtesy made he, accompanied from an expression of the sorrow. 3. 
Qualche.cosa supplied like substitute; a espediente. It goes to work inventing the excuses for stretches them of the window. -- Dickens. Syn [slashdot.org]

Read the rest of this comment... by
[ Reply to This | Parent ]
Warning to Crapflooders (Score:1)
by gbwd on Saturday November 16, @02:33PM (#4686546)
(User #626693 Info)
Hi everybody (Dubya here),

i am logging the IP addresses of everybody who posts to this here trolltalk forum. if you are a crapflooder i WILL turn you in to the authorities.
[ Reply to This | Parent ]
You only popped up yesterday (Score:0)
by Anonymous Coward on Saturday November 16, @02:39PM (#4686594)
You fuck the dick mister.
If you really want to avoid crapflooding, go join chainrust.
[ Reply to This | Parent ]
A note to the Vladequacy/AVT CRAPFLOODERS (Score:0)
by Anonymous Coward on Saturday November 16, @01:49PM (#4686311)
Fucking stop it already.

plz die k thx
[ Reply to This | Parent ]
This is pathetic (Score:0)
by gnillort (myslashdotemailaccount@yahoo.com) on Saturday November 16, @10:54AM (#4685513)
(User #617577 Info | Last Journal: Wednesday October 23, @07:53PM)
Rather than get rid of the influence of Vlad crapflooding and the cabal/AVT/CUNT/CLIT/Klerck crapflooding, you fatasses sit here. I have a perfectly good alternative [ezboard.com] all set up. Why not give it a try?
[ Reply to This | Parent ]
GOD DAMMIT CHAINRUST (Score:1)
by gbwd on Saturday November 16, @02:25PM (#4686490)
(User #626693 Info)
Hi everybody (Dubya here),

dear Mr. Chainrust, please stop trying to attract attention to yourself. it is painfully obvious you are not welcome under any name you choose for yourself. instead of wasting your time here trying to be "cool" with us trolls, someone your age should be spending his time with real other people at his age and developmental level. why don't you go partake in some time-honored American extracurricular activities? you could go and join the Boy Scouts, sign up for ROTC (the War on Terror needs you), or if you're one of them new-age sensitive guys [www.dobi.nu], you can learn some Home Ec or something. just stop gallavanting around here like a damn fool.
[ Reply to This | Parent ]
Re:This is pathetic (Score:0)
by Anonymous Coward on Saturday November 16, @12:39PM (#4685992)
I just LOVE Klerck's site [klerck.org]! Especially the "fash" section [klerck.org], where I learned to cut the bottom off of an old pair of testicles to use as a hair enhancement! Oh, and the "fetish party" photos [klerck.org]!

Of course, don't forget to read Klerck's emails [rotten.com]! Here you will discover how truly difficult it is to decide what to do on the weekends... have an orgy? A mass rape party? Go to the mall and sodomize yourself with splintery broomsticks? Autofellate or autoeroticasphixyate yourself?

In short, if you haven't checked out Klerck's site [goatse.cx], you don't know what you're missing!
[ Reply to This | Parent ]
YOOOOU ARE TEH GAY! (Score:0)
by Anonymous Coward on Saturday November 16, @10:42AM (#4685454)
In A.D. 2002
Faggotry was beginning.
AV3: What happen?
Phone Boy 1: Somebody pump us up the butt
Phone Boy 2: We get no lubricant
AV3: What!
Phone Boy 2: Main cock turn hard
AV3: It's You!!
Vlad: How are you fagmasters!!
Vlad: All your females are belong to us
Vlad: You are on the way to death by aids
AV3: What you say!!
Vlad: You have no chance to survive smoke your pole
Vlad: HA HA HA HA....
AV3: Take off every 'cockring'
AV3: You know what you doing
AV3: Move 'jizcatcher'
AV3: For great justice
[ Reply to This | Parent ]
January 1st, 2003: daily countdown. (Score:0)
by Anonymous Coward on Saturday November 16, @07:01AM (#4684935)
The countdown: 45 days

Re:New Trolltalk Address REVEALED! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4687068)

[ezboard.com]


Some useful RE links... (5, Informative)

Anonymous Coward | more than 11 years ago | (#4687073)

Those wishing to learn more about Reverse Engineering software may find the following pages useful:

Fravia's pages [cjb.net] - A huge, sprawling resource of RE information. Chances are, any info you need is in here somewhere. It's just a matter of finding it...

The Art of Assembly [ucr.edu] and other essential ASM programming links. If you want to learn RE, sooner or later you're going to have to learn assembly. Get to it.

Mammon's Tales to his Grandson [eccentrix.com] and other useful RE classics by a G.O.M. of the genre. Oh, and an older mirror [angelfire.com] , possibly with extra/different stuff on it.

Google's directory listing for Disassemblers [google.com] , which you'll be wanting at least one of...
...and the listing for Testing tools [google.com] , which may come in handy.

Finally, Compuware's SoftIce page [compuware.com] - SoftIce being the single most popular RE tool for Win32 software... Not that you're likely to be paying for it, you warez monkey, you.

Have fun, kids, and release Open Source.

(Posting Anon because I don't need the Karma or the implication of knowledge =)...

Re:Some useful RE links... (2)

PhotoGuy (189467) | more than 11 years ago | (#4687342)

SoftIce is (or at least was, and I presume still is) truly amazing. The version I used, a while back, loaded *before* windows, allowing it to breakpoint on anything, about as low-level as you can get.

Too bad VMWare doesn't support debugging in its PC emulation, it would be even better than the Wine approach (a real copy of windows running). Still there are some good tools out there to trace programs. Very cool stuff.

Debugging in vmware using softice (3, Informative)

seudafed (575243) | more than 11 years ago | (#4687524)

A coworker was able to successfully debug in vmware by looping a serial cable out one port and back in the other, giving one port to vmware and using softice's remote serial debugging to debug from the vmware host computer.

Re:Some useful RE links... (0)

Anonymous Coward | more than 11 years ago | (#4687403)

great links !!.... i thought fravia+ froze his site long ago ...... but someone else must be running the show now ...... anyways it should be noted that the techniques that were used to reengg the s/ws in the main fravia's academy database are quite outdated now .... s/ws now use softice detection routines prior to initialising itself ( though there is frogice ;) ) ... then there are anti disassembly techniques , PEs , packers , encryptors etc ..... well if the worm/trojan writers become that smart then i think the forensics people are going to get a tough time ;) ( though i doubt how many so called security experts in bugtraq really study the trojan .. most of them simply do an effect analysis and maybe some basic attempts to find the signature in order to feed the snort/prelude rules ) .

Re:Some useful RE links... (1)

runderwo (609077) | more than 11 years ago | (#4688285)

Go here. [woodmann.com]

It's +fravia's page, but it's constantly being updated with new stuff.

Reverse Engineering (1)

tomkit (521930) | more than 11 years ago | (#4687361)

I've seen this phrase a couple of times on /., but I'm not sure entirely what it means. Can someone provide a link or a concise explanation if no link?

--tomkiit

Re:Reverse Engineering (3, Insightful)

jericho4.0 (565125) | more than 11 years ago | (#4687525)

RE is the process of looking at how software or hardware works, and trying to replicate it, without looking at the source code. i.e., trying to build a car by looking at a car, rather than blueprints.

Re:Reverse Engineering (0)

Anonymous Coward | more than 11 years ago | (#4687682)

Happy thirteenth birthday from all of us here at Slashdot!!

Re:Reverse Engineering (2)

jaoswald (63789) | more than 11 years ago | (#4690333)

"Engineering" refers to starting with a goal (desired functionality) and arranging materials in a way (determined by a possibly involved design process) that reaches that goal (by delivering a finished product that works).

"Reverse Engineering" is the exact opposite: one has a finished product that does something, or at least would if it were in proper working order. (Did you break it?) There might be some documentation. One might have some idea of the goal, perhaps only a vague one. (E.g., an automaker might reverse engineer a competitor's automobile, which has an obvious goal. For a Windows virus, you have a vague idea that the program is supposed to cause damage and/or replicate itself.) The missing part is insight into the design process that happened. Figuring out that design process (by whatever means) is the goal of "reverse engineering."

Why do you want to know about the design? You might discover the secret behind some unique functionality. You might expose some flaw or weakness. You might be able to reconstruct enough of the internal protocols to be able to develop compatible products. (E.g. understand enough about IBM's PC BIOS to document its behavior well enough for a programming team to construct a compatible BIOS without simply duplicating the ROM contents, to break into the market for making PC clones in the 1980s.) You might just enjoy tearing things apart.

Hope this helps!

Isn't Reverse Engineering Prohibited By DMCA? (0)

Anonymous Coward | more than 11 years ago | (#4687744)

Is Linux a tool of the unlawful?

Hamlet's Soliloquy (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4688695)

To be, or not to be: that is the question:
Whether 'tis nobler in the mind to suffer
The slings and arrows of outrageous fortune,
Or to take arms against a sea of troubles,
And by opposing end them? To die: to sleep;
No more; and by a sleep to say we end
The heart-ache and the thousand natural shocks
That flesh is heir to, 'tis a consummation
Devoutly to be wish'd. To die, to sleep;
To sleep: perchance to dream: ay, there's the rub;
For in that sleep of death what dreams may come
When we have shuffled off this mortal coil,
Must give us pause: there's the respect
That makes calamity of so long life;
For who would bear the whips and scorns of time,
The oppressor's wrong, the proud man's contumely,
The pangs of despised love, the law's delay,
The insolence of office and the spurns
That patient merit of the unworthy takes,
When he himself might his quietus make
With a bare bodkin? who would fardels bear,
To grunt and sweat under a weary life,
But that the dread of something after death,
The undiscover'd country from whose bourn
No traveller returns, puzzles the will
And makes us rather bear those ills we have
Than fly to others that we know not of?
Thus conscience does make cowards of us all;
And thus the native hue of resolution
Is sicklied o'er with the pale cast of thought,
And enterprises of great pith and moment
With this regard their currents turn awry,
And lose the name of action.

William Shakespeare

UPX (0)

Anonymous Coward | more than 11 years ago | (#4688871)

Well since I still don't know ASM, I guess I learned "Always pack your trojans"... That would probably be useful information, if I start writing trojans, or get laid

Not what I expected... (0)

Anonymous Coward | more than 11 years ago | (#4692979)

I can sum up the whole article with:

c:\> type Trojan.exe | find "WSAStartup"
c:\> netstat -a -n | find "LISTENING" >before.txt
c:\> Trojan.exe
c:\> netstat -a -n | find "LISTENING" >after.txt
c:\> fc before.txt after.txt
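The string search in the comment above only finds "WSAStartup" if the import name survives in plain text; the structured way to ask the same question is to walk the PE import directory. The following is an added example, not code from the article or from anyone in this thread: a minimal import-table walker for PE32/PE32+ files, plus a builder that assembles a constructed, non-executable sample PE in memory so the walker can be exercised offline. The `resolves_at_runtime` heuristic is the example's own: a packer stub or a loader that calls `GetProcAddress` by hand typically leaves only `kernel32.dll` in the table, which is exactly the situation where the `type | find` trick tells you nothing.

```python
"""Walk a PE import table to see whether a binary statically links Winsock.
Added example; the sample PE below is constructed in memory, not a real trojan."""
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
WINSOCK_DLLS = {"ws2_32.dll", "wsock32.dll"}


def list_imports(data):
    """Return {dll_name: [function names or '#ordinal']} for the PE image in `data`."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    nsec, = struct.unpack_from("<H", data, coff + 2)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, coff + 16)   # SizeOfOptionalHeader
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    is64 = magic == PE32PLUS_MAGIC
    # Data directories begin at +96 (PE32) or +112 (PE32+); entry 1 is the import directory.
    import_rva, _size = struct.unpack_from("<II", data, opt + (112 if is64 else 96) + 8)
    if import_rva == 0:
        return {}
    # Section table: (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section.
    shdr = opt + opt_size
    sections = [struct.unpack_from("<IIII", data, shdr + 40 * i + 8) for i in range(nsec)]

    def rva2off(rva):
        for vsize, vaddr, rawsize, rawptr in sections:
            if vaddr <= rva < vaddr + max(vsize, rawsize):
                return rawptr + (rva - vaddr)
        raise ValueError("RVA 0x%x not inside any section" % rva)

    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    thunk_fmt, thunk_size = ("<Q", 8) if is64 else ("<I", 4)
    ordinal_flag = 1 << (thunk_size * 8 - 1)
    imports = {}
    desc = rva2off(import_rva)
    while True:
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:  # all-zero descriptor ends the table
            break
        names, thunk = [], rva2off(oft or ft)  # bound imports may zero OriginalFirstThunk
        while True:
            entry, = struct.unpack_from(thunk_fmt, data, thunk)
            if entry == 0:
                break
            if entry & ordinal_flag:
                names.append("#%d" % (entry & 0xFFFF))
            else:  # IMAGE_IMPORT_BY_NAME: WORD hint followed by the ASCII name
                names.append(cstr(rva2off(entry) + 2))
            thunk += thunk_size
        imports[cstr(rva2off(name_rva)).lower()] = names
        desc += 20
    return imports


def uses_winsock(imports):
    """True if the binary statically imports a Winsock DLL."""
    return bool(WINSOCK_DLLS & set(imports))


def resolves_at_runtime(imports):
    """Heuristic (this example's own): only kernel32 loader APIs imported, as a packer stub would."""
    loader = {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"}
    return set(imports) == {"kernel32.dll"} and set(imports["kernel32.dll"]) <= loader


def build_sample_pe(imports):
    """Assemble a minimal PE32 with one .rdata section holding `imports`. Constructed test input only."""
    sec_rva, raw_off = 0x1000, 0x200
    blob = bytearray(20 * (len(imports) + 1))  # descriptor table plus null terminator
    descs = []
    for dll, names in imports.items():
        thunk_pos = len(blob)
        blob += bytes(4 * (len(names) + 1))  # thunk array plus null
        for i, fn in enumerate(names):
            if len(blob) % 2:
                blob += b"\0"  # IMAGE_IMPORT_BY_NAME entries are WORD aligned
            struct.pack_into("<I", blob, thunk_pos + 4 * i, sec_rva + len(blob))
            blob += struct.pack("<H", 0) + fn.encode() + b"\0"
        name_rva = sec_rva + len(blob)
        blob += dll.encode() + b"\0"
        descs.append((sec_rva + thunk_pos, name_rva))
    for i, (thunk_rva, name_rva) in enumerate(descs):
        struct.pack_into("<IIIII", blob, 20 * i, thunk_rva, 0, 0, name_rva, thunk_rva)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)  # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, sec_rva, 20 * (len(imports) + 1))  # import directory
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sect = struct.pack("<8sIIIIIIHHI", b".rdata", len(blob), sec_rva, len(blob), raw_off, 0, 0, 0, 0, 0x40000040)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(raw_off, b"\0") + bytes(blob)


if __name__ == "__main__":
    sample = build_sample_pe({
        "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "CreateThread"],
        "ws2_32.dll": ["WSAStartup", "socket", "bind", "listen", "accept"],
    })
    found = list_imports(sample)
    for dll, fns in found.items():
        print(dll, ", ".join(fns))
    print("winsock:", uses_winsock(found), " runtime-resolved:", resolves_at_runtime(found))
```

Against a real sample, replace `build_sample_pe(...)` with `open(path, "rb").read()`. If `resolves_at_runtime` comes back true, the import table has been stripped by a packer or the author resolves APIs by hand, and the question of whether it opens a socket has to be answered dynamically, which is what the `netstat` before/after snapshot in the comment above does.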