266 posts in 'Hacking'

  1. 2009.10.02 AVA Hacks by CEOinIRVINE 1
  2. 2009.10.02 Regarding Online Game Security by CEOinIRVINE
  3. 2009.09.04 Flaw In Sears Website Left Database Open To Attack by CEOinIRVINE
  4. 2009.09.04 SQL Vulnerability Leaves Passwords In The Clear, Researchers Say by CEOinIRVINE
  5. 2009.09.04 Penetration Testing Service by CEOinIRVINE
  6. 2009.06.10 URL Encoding by CEOinIRVINE
  7. 2009.06.09 Hacking with Javascript 2005.FEB. by CEOinIRVINE
  8. 2009.06.09 How to find Addresses in Gunz by CEOinIRVINE
  9. 2009.06.09 Lolhackerstic.dll (godmode) by CEOinIRVINE
  10. 2009.05.26 How to Hack a Yahoo Mail Password by CEOinIRVINE

AVA Hacks

Hacking 2009. 10. 2. 04:24

Ava Hacks (FPS)

September 16th, 2009

Not all AVA hacks are created equal in the world of gaming. Some give you weak AVA hacks or no support, while others just focus on letting you download some silly ESP or AVA wallhack. We believe that our AVA hacks are the absolute best in the game and will enable you to get better at the game. As always, we are and were the first site to come out with AVA cheats. After all, our AVA hacks are the best for a reason.

AVA Features
These are the current features of the AVA hack (features will get updated randomly)

- Aimbot
o AimThru
o AimAt
o AimKey
o Visibility Check
o AutoSwitch
o Adjustable Field of View
o Aim Speed
o Human Aim

- Esp
o Name
o Distance
o Pose
o Weapon
o Health
o Line
o Bounding Box
o Enemy Warning
o 2D Radar
o Ignore friends

- Removals
o No Spread

- Misc
o Chat Spam
o Draw Fps
o Draw Time
o Draw Resolution
o Custom crosshair

- Settings
o Menu Pos X
o Menu Pos Y
o Menu Width
o Radar Pos X
o Radar Pos Y
o Radar Size
o Crosshair Red
o Crosshair Green
o Crosshair Blue
o Save settings( 4 slots )
o Load settings( 4 slots )

Posted by CEOinIRVINE

This is Justin Choi, who works for one of the well-known online game companies in the US.
For security reasons, I can't say where I work. However, I would like to talk more about real environments in the gaming industry.

I am in charge of securing our system/applications.

We have so far two popular games, A and B.


Maybe I would rather focus more on hacking stuff than talk about general things.


There are a bunch of hacking groups that are currently aiming at our games.

Speed Hack
Lawn mower
God Mode
HP/SP control
Wall Hack

and ETC.

Mostly they just use DLL injection with injection tools: they inject their own DLL into the PE file (e.g. blahblah.exe).


I will cover more details sooner or later.

Enjoy! :)


Posted by CEOinIRVINE
Business-logic flaw in Sears.com Web application could have let hackers brute-force attack the retailer's gift card database

Sep 01, 2009 | 03:49 PM

By Kelly Jackson Higgins
DarkReading

A newly discovered vulnerability on Sears.com could have allowed attackers to raid the retail giant's gift card database.

Alex Firmani, owner of Merge Design and a researcher, this week revealed a major security hole on Sears.com that could allow an attacker to easily steal valid gift cards -- a heist he estimates could be worth millions of dollars. Firmani says he alerted Sears about the flaw, and that Sears has since "plugged" the hole by removing the feature that let customers verify and check their gift-card balances.

The vulnerability was a business logic flaw in a Web application that handles gift card account inquiries; Firmani was able to stage a brute-force attack that could grab all valid, active Sears and Kmart gift cards from the company's database.

Firmani says the site wasn't auditing verification requests, which allowed him to verify gift card and PIN combinations using a homegrown PHP script that automatically submitted the requests. "I wrote a PHP script to hammer their verification server. It happily replied with thousands of verification responses per minute," he says.

The Sears application relied on client-side cookies to halt brute-force verification attempts, which Firmani says wasn't effective. "They should know where the verification requests come from, log them all, and be able to disable the verifications when they have a malicious attack," he says. "It doesn't appear to me that they had any server-side control over how many verifications were done."

Jeremiah Grossman, CTO of WhiteHat Security, says this type of flaw is probably fairly common on retailer Websites. And unlike a cross-site scripting or SQL injection bug, this business logic flaw is different: "It basically lets an attacker defraud Sears.com directly," Grossman says.

Firmani's discovery came on the heels of reports of multiple cross-site scripting (XSS) vulnerabilities on Sears' Web pages that were abused by an attacker to deface the Website.

"I thought this was notable with Sears being a Fortune 50 company," he says. "I have not tested many other large retailers, but I would hope most of them take better care than this. For smaller sites that write their own gift-card verification code, I'd expect just as many are vulnerable."

Firmani, who says he discloses Website flaws to site owners in order to highlight common Web application security issues, suggests that Sears require a valid user account login before allowing a verification request to be sent. "You could then record the number of verification requests and lock out any offending accounts automatically and without relying on client-side cookie," he wrote in his disclosure paper. "Recording requests server-side would be a more reliable way of handling repeat request offenders."

Other options, he said, are recording in a server-side database the IP addresses of users verifying their gift cards, using a "number-used once" scheme in the verification form, or logging all verification requests and using a script to shut down the response server if more than a specifically designated number of requests arrive per minute.
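As an added example (not code from the article, from Firmani, or from Sears), here is the server-side control he describes, in JavaScript: every verification request is recorded on the server, an account or address that exceeds a per-minute limit is locked out automatically, and a global per-minute threshold disables the endpoint, with nothing depending on a client-side cookie. The limit values, identity labels and timings are assumptions.

```javascript
// Added example, not from the article: server-side throttling for a gift-card
// balance check. Every request is logged on the server, an identity that
// exceeds the per-minute limit is locked out automatically, and a global
// per-minute threshold shuts the endpoint down. Limits are assumed policy
// values; the clock is injected so the behaviour is deterministic in tests.

const DEFAULT_LIMITS = {
  perIdentityPerMinute: 5,    // checks one account or address may make per minute
  lockoutMs: 15 * 60 * 1000,  // how long an offender (or the endpoint) stays disabled
  globalPerMinute: 1000,      // total checks per minute before the endpoint is shut off
};

class VerificationGuard {
  constructor(now = () => Date.now(), limits = DEFAULT_LIMITS) {
    this.now = now;
    this.limits = limits;
    this.log = [];                 // server-side record of every request seen
    this.lockedUntil = new Map();  // identity -> time its lockout ends
    this.disabledUntil = 0;        // whole endpoint disabled until this time
  }

  // Requests in the trailing minute for one identity, or for everyone (null).
  recentCount(identity, t) {
    return this.log.filter((e) => e.t > t - 60000 &&
      (identity === null || e.identity === identity)).length;
  }

  // `identity` is the logged-in account, or the client address as a fallback:
  // something the server assigns, never a counter the client can reset.
  // Returns { allowed, reason }.
  check(identity) {
    const t = this.now();
    if (t < this.disabledUntil) return { allowed: false, reason: 'endpoint-disabled' };
    const lock = this.lockedUntil.get(identity);
    if (lock !== undefined && t < lock) return { allowed: false, reason: 'locked-out' };

    this.log.push({ identity, t });  // record first, so the abuse itself is counted

    if (this.recentCount(null, t) > this.limits.globalPerMinute) {
      this.disabledUntil = t + this.limits.lockoutMs;
      return { allowed: false, reason: 'endpoint-disabled' };
    }
    if (this.recentCount(identity, t) > this.limits.perIdentityPerMinute) {
      this.lockedUntil.set(identity, t + this.limits.lockoutMs);
      return { allowed: false, reason: 'locked-out' };
    }
    return { allowed: true, reason: 'ok' };
  }
}

// Replay the "hammer the verification server" pattern against the guard:
// one identity sends `n` checks 10 ms apart (constructed timing).
function simulateBurst(n, identity = 'acct-1234') {
  let clock = 0;
  const guard = new VerificationGuard(() => clock);
  const reasons = [];
  for (let i = 0; i < n; i++) {
    clock += 10;
    reasons.push(guard.check(identity).reason);
  }
  return { reasons, guard, advance: (ms) => { clock += ms; } };
}
```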

"Security these days is less about what version of Apache you're running and more about custom-written Web applications. With Web apps given unfettered database access, it becomes a simple matter of exploiting less-than-solid Web application programming," Firmani says. "Finding holes in home-brewed Web app code is much easier than exploiting a root-escalation bug on a Linux server, but both often have similar database access."

Posted by CEOinIRVINE

SQL Vulnerability Leaves Passwords In The Clear, Researchers Say

With no patch forthcoming from Microsoft, Sentrigo launches workaround for flaw

Sep 02, 2009 | 05:02 PM

By Tim Wilson
DarkReading

A vulnerability in Microsoft SQL Server could enable any user with administrative privileges to openly see the unencrypted passwords of all other users, researchers said today.

Researchers at database security vendor Sentrigo say that in SQL Server 2000 or 2005, administrators can view all of the passwords used since the server went online by reviewing its process memory. Under SQL Server 2008, the problem has been partially fixed, but an administrator with local access and a simple debugger could still view the passwords, Sentrigo says.

The vulnerability is most likely an insider threat because it requires administrative privileges, says Slavik Markovich, CTO of Sentrigo. However, it is also possible for a hacker to take advantage of the flaw by exploiting SQL injection, he says.

The flaw may not directly affect the data in the database, since an administrator would have access to that data already, Slavik says. But many people reuse their passwords for other applications, and it is possible that the vulnerability might lead to the compromise of other users' work or personal accounts.

"Worst case, it might lead to one administrator stealing bank account data from another administrator," Slavik says. "People are not supposed to reuse their passwords, but it's a reality that they do."

The Sentrigo researchers found the vulnerability last September and informed Microsoft, Slavik says. However, after nearly a year of discussion, Microsoft has indicated that it considers the issue to be "minor" and has no plans to issue a specific patch, he says.

"We did not agree with Microsoft's classification of this vulnerability as a minor issue, and felt that it was in the best interest of SQL Server users to make the vulnerability public and provide a utility to remove the passwords from memory," Sentrigo says. "If we discovered this information, there is a high likelihood others [who may not be as ethical] could find it as well and abuse it."

Sentrigo feels that the vulnerability is a danger because so many users employ the same passwords for multiple applications, and because so many breaches are engineered by privileged users and administrators.

"Many applications are deployed with administrative privileges," Sentrigo observes. "Hackers using a simple SQL injection vulnerability can now access administrative passwords, which may be used to penetrate other systems on the network, escalating the breach. This is even worse in the case of SQL Server 2000 and 2005, where this can be done remotely.

"Since Microsoft doesn't have immediate plans to fix this vulnerability, we felt that the knowledge regarding its existence -- together with a free utility to repair it -- should be available to the public sooner than later," Sentrigo says.

One well-known security researcher, who requested anonymity, disagrees. "This seems like a nonissue," the researcher says. "Anyone with the ability to read process memory would also have the ability to just hook the authentication code and capture passwords that way. For once, Microsoft is right to ignore it."

Sentrigo acknowledges that administrators have the authority to reset passwords, but "there is a big difference between being able to reset a password to either a system-generated password which the administrator would not see (or to a password the administrator chooses) and actually seeing a user's personal password," the researchers say. "The latter involves much greater risk, including access to additional systems the password may be used on, potentially enabling access to user's private data, such as bank or brokerage accounts."

The Sentrigo fix, which the company has dubbed Passwordizer, replaces the password data with asterisks, making it impossible for administrators to read the passwords in memory. The utility is available now for free and works on any version of SQL Server.


Posted by CEOinIRVINE

Let me know if you need security consulting services, including penetration testing, system security checks, etc.

:)

counterhacker@gmail.com
Posted by CEOinIRVINE

URL Encoding

Hacking 2009. 6. 10. 14:47

HTML URL Encoding Reference


URL encoding converts characters into a format that can be safely transmitted over the Internet.


URL - Uniform Resource Locator

Web browsers request pages from web servers by using a URL.

The URL is the address of a web page like: http://www.w3schools.com.


URL Encoding

URLs can only be sent over the Internet using the ASCII character-set.

Since URLs often contain characters outside the ASCII set, the URL has to be converted. URL encoding converts the URL into a valid ASCII format.

URL encoding replaces unsafe ASCII characters with "%" followed by two hexadecimal digits corresponding to the character values in the ISO-8859-1 character-set.

URLs cannot contain spaces. URL encoding normally replaces a space with a + sign.




URL Encoding Functions

In JavaScript, PHP, and ASP there are functions that can be used to URL encode a string.

In JavaScript you can use the encodeURI() function. PHP has the rawurlencode() function and ASP has the Server.URLEncode() function.


Note: The JavaScript function encodes space as %20.
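An added example, not part of the w3schools reference: an encoder that follows this page's rules (ISO-8859-1 byte values as in the table below, space as "+" in form data) beside the UTF-8 form that encodeURIComponent() actually produces, and a strict decoder that rejects malformed escapes and decodes exactly once, since a second decoding pass turns %2527 into a quote character. The function names are my own.

```javascript
// Added example, not from the reference page: percent-encoding per this page's
// rules, with a strict single-pass decoder. Function names are assumptions.

const UNRESERVED = /^[A-Za-z0-9\-_.~]$/;   // characters that pass through unencoded

// Bytes for one string: ISO-8859-1 as in the reference table (code points above
// 0xFF have no Latin-1 byte and are rejected), or UTF-8, which is what browsers
// and encodeURIComponent() emit today.
function toBytes(str, charset) {
  if (charset === 'utf8') return Array.from(new TextEncoder().encode(str));
  return Array.from(str, (ch) => {
    const cp = ch.codePointAt(0);
    if (cp > 0xff) throw new RangeError(`U+${cp.toString(16).toUpperCase()} has no ISO-8859-1 byte`);
    return cp;
  });
}

// application/x-www-form-urlencoded style: unreserved characters pass through,
// space becomes "+", every other byte becomes "%" plus two uppercase hex digits.
function formUrlEncode(str, charset = 'latin1') {
  let out = '';
  for (const ch of str) {
    if (ch === ' ') { out += '+'; continue; }
    if (UNRESERVED.test(ch)) { out += ch; continue; }
    for (const b of toBytes(ch, charset)) {
      out += '%' + b.toString(16).toUpperCase().padStart(2, '0');
    }
  }
  return out;
}

// Strict decoder. Every "%" must be followed by exactly two hex digits and the
// input must be ASCII; anything else is rejected rather than passed through,
// which is the lenient behaviour that lets broken escapes reach the application.
// Decode once: the caller must never feed the result back in.
function formUrlDecode(str, charset = 'latin1') {
  const bytes = [];
  for (let i = 0; i < str.length; i++) {
    const ch = str[i];
    if (ch === '+') { bytes.push(0x20); continue; }
    if (ch === '%') {
      const hex = str.slice(i + 1, i + 3);
      if (!/^[0-9A-Fa-f]{2}$/.test(hex)) throw new SyntaxError(`malformed %-escape at offset ${i}`);
      bytes.push(parseInt(hex, 16));
      i += 2;
      continue;
    }
    const code = ch.charCodeAt(0);
    if (code > 0x7f) throw new SyntaxError(`non-ASCII character at offset ${i}; URLs are ASCII only`);
    bytes.push(code);
  }
  if (charset === 'utf8') return new TextDecoder('utf-8', { fatal: true }).decode(Uint8Array.from(bytes));
  return String.fromCharCode(...bytes);
}
```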


URL Encoding Reference

ASCII Character   URL-encoding
space %20
! %21
" %22
# %23
$ %24
% %25
& %26
' %27
( %28
) %29
* %2A
+ %2B
, %2C
- %2D
. %2E
/ %2F
0 %30
1 %31
2 %32
3 %33
4 %34
5 %35
6 %36
7 %37
8 %38
9 %39
: %3A
; %3B
< %3C
= %3D
> %3E
? %3F
@ %40
A %41
B %42
C %43
D %44
E %45
F %46
G %47
H %48
I %49
J %4A
K %4B
L %4C
M %4D
N %4E
O %4F
P %50
Q %51
R %52
S %53
T %54
U %55
V %56
W %57
X %58
Y %59
Z %5A
[ %5B
\ %5C
] %5D
^ %5E
_ %5F
` %60
a %61
b %62
c %63
d %64
e %65
f %66
g %67
h %68
i %69
j %6A
k %6B
l %6C
m %6D
n %6E
o %6F
p %70
q %71
r %72
s %73
t %74
u %75
v %76
w %77
x %78
y %79
z %7A
{ %7B
| %7C
} %7D
~ %7E
  %7F
%80
  %81
%82
ƒ %83
%84
%85
%86
%87
ˆ %88
%89
Š %8A
%8B
Œ %8C
  %8D
Ž %8E
  %8F
  %90
%91
%92
%93
%94
%95
%96
%97
˜ %98
%99
š %9A
%9B
œ %9C
  %9D
ž %9E
Ÿ %9F
  %A0
¡ %A1
¢ %A2
£ %A3
¤ %A4
¥ %A5
¦ %A6
§ %A7
¨ %A8
© %A9
ª %AA
« %AB
¬ %AC
¯ %AD
® %AE
¯ %AF
° %B0
± %B1
² %B2
³ %B3
´ %B4
µ %B5
¶ %B6
· %B7
¸ %B8
¹ %B9
º %BA
» %BB
¼ %BC
½ %BD
¾ %BE
¿ %BF
À %C0
Á %C1
Â %C2
Ã %C3
Ä %C4
Å %C5
Æ %C6
Ç %C7
È %C8
É %C9
Ê %CA
Ë %CB
Ì %CC
Í %CD
Î %CE
Ï %CF
Ð %D0
Ñ %D1
Ò %D2
Ó %D3
Ô %D4
Õ %D5
Ö %D6
× %D7
Ø %D8
Ù %D9
Ú %DA
Û %DB
Ü %DC
Ý %DD
Þ %DE
ß %DF
à %E0
á %E1
â %E2
ã %E3
ä %E4
å %E5
æ %E6
ç %E7
è %E8
é %E9
ê %EA
ë %EB
ì %EC
í %ED
î %EE
ï %EF
ð %F0
ñ %F1
ò %F2
ó %F3
ô %F4
õ %F5
ö %F6
÷ %F7
ø %F8
ù %F9
ú %FA
û %FB
ü %FC
ý %FD
þ %FE
ÿ %FF


URL Encoding Reference

The ASCII device control characters %00-%1F were originally designed to control hardware devices. Control characters have no place inside a URL.

ASCII Character   Description   URL-encoding
NUL null character %00
SOH start of header %01
STX start of text %02
ETX end of text %03
EOT end of transmission %04
ENQ enquiry %05
ACK acknowledge %06
BEL bell (ring) %07
BS backspace %08
HT horizontal tab %09
LF line feed %0A
VT vertical tab %0B
FF form feed %0C
CR carriage return %0D
SO shift out %0E
SI shift in %0F
DLE data link escape %10
DC1 device control 1 %11
DC2 device control 2 %12
DC3 device control 3 %13
DC4 device control 4 %14
NAK negative acknowledge %15
SYN synchronize %16
ETB end transmission block %17
CAN cancel %18
EM end of medium %19
SUB substitute %1A
ESC escape %1B
FS file separator %1C
GS group separator %1D
RS record separator %1E
US unit separator %1F

Posted by CEOinIRVINE
To: bugtraq@securityfocus.com
Date: Wed, 09 Feb 2005 13:43:23 +0000

HACKING WITH JAVASCRIPT
hictor

This tutorial is an overview of how javascript can be used to bypass
simple/advanced html forms and how it can be used to override cookie/session
authentication.

SIMPLE HTML FORMS

1. Bypassing Required Fields

        Surely you have met a webpage that requires you to fill all fields in a
form in order to submit it. It is possible to bypass these types of
restrictions on any webpage. If you take a look at the webpage's source and
follow it down to the form's code, you will notice the onsubmit form
attribute. Hopefully by this time you have experienced the power of
javascript and you know that javascript has control over every single
element in a webpage, including forms. We can use javascript to our advantage
in every page we view for we can modify, delete, or add any element to the
webpage. In this case we wish to clear the form's onsubmit attribute in
order for the form to be submitted successfully.

        The onsubmit attribute generally points to a function that checks the form
to have the correct format. A function that does this may look something
like this:

                function formSubmit(x)
                {
                        if(x.email.value=="") return false;
                        return true;
                }

                ...

                <form name="spamform" method=post action="process.php" onsubmit="return formSubmit(this);">
                ...
                </form>

        I will not go into great detail about how the formSubmit function works.
You should know that if the (textfield/optionfield/option/..) field is left
blank, the form will not be submitted to process.php. Now comes the moment
of truth: how do we modify the form so that onsubmit returns true every time?
The way we can access the form with javascript and do this is:

                document.forms[x].onsubmit="return true;";

                or

                document.spamform.onsubmit="return true;";

        Both of these 'queries' will allow you to submit the form free of
restrictions. The secret is how to execute this. I do this using my
browser's Location bar. All you have to do is enter this text into the
location bar and press enter:

                javascript:document.spamform.onsubmit="return true;";

        The above statement will not work because the 'query' will return a value
that javascript doesn't know what to do with, so it dumps the returned value on
the screen. We need a way to use this value and stop it from being passed on to
javascript. I know the exact way to do this: with alert()!

                javascript:alert(document.spamform.onsubmit="return true;");

        You will see an alert box with "return true;" instead of this value being dumped
out to the web browser. Once you have executed this query you will be able to
enter whatever value into whatever field in spamform.

2. Changing Fields' Values

        If you have managed to change a form's onsubmit attribute to let you do
whatever the *** you want, what are the limits? Of course now you know that
you can modify the onsubmit attribute of a form from the location bar, same
goes for any attributes of any object in the page. This is how you can do
it:

                javascript:alert(document.spamform.fieldname.value="Dr_aMado was here!");

                or

                javascript:alert(document.forms[x].fieldname.value="Dr_aMado was here!");

        But of course, you already knew that. Didn't you? You can change the
values of pretty much anything inside a form, including radios, checkboxes,
selects, hidden values, buttons, anything!

SQL INJECTIONS

1. Using Forms to Your Advantage

        You probably already know about sql injection, my goal is to explain how
vulnerable forms can be if not handled correctly. When targeting a system,
most times you will start off with 0 code to exploit. The only thing you
have is a constructed webpage to break to pieces and successfully find
vulnerabilities to use to your advantage.

                ACQUIRING DATABASE INFORMATION

        A very logical way of acquiring system information from a website's database
is by causing errors in the sql queries. These errors can be created
through search forms, dynamic links, or session cookies. Most sql injection
papers explain how dynamic links and text boxes can be used to execute sql
queries but in my opinion, this vulnerability is more common in other input
types (select boxes, hidden fields, checkboxes and radio buttons, and
cookies!).

        Mixing data types generally crashes a webpage if it's not well coded. Take
for example a link to "memberinfo.php?o_id=1". If your goal is to crash that
page it would be a good idea to stick in a " or a ' in the o_id variable.
If you're lucky you will get a debug message containing the crippled sql
query. After you have all the information you need and you know what you're
going after you're ready to hack the hell out of every page that you have
access to.

                CHANGING FIELDS' VALUES

        The first form you think of is the profile page. Most profile pages ignore
a user's intellect and don't mask out, for example, select boxes. A way
of exploiting this vulnerability is by injecting a sql query in the value
property of the field.

                javascript:alert(document.profileform.user_sex.value="gay\',user_pasword=\'HACKED\' WHERE user_id=1#");

        If we assume that the server side sql query looks something like this:

                "UPDATE user_data SET user_password='$user_password',user_email='$user_email',user_sex='$user_sex' WHERE user_id=$user_id";

        Then the final query will look somewhat like this:

                "UPDATE user_data SET user_password='mypassword',user_email='myemail',user_sex='gay',user_password='HACKED' WHERE user_id=1 #' WHERE user_id=7382";

                # Is a sql comment operator.

2. Bypassing Session Cookies

                OVERRIDING BASIC SESSION COOKIE AUTHENTICATION

        Most of the time session handling is done with the use of cookies. The
cookies tell the webpage who you are and what you have access to and what
you don't have access to. If the page does not handle session cookies
correctly a hacker might be able to change their identity to that of
another user's. Cookies are stored in "window.document.cookie". With
javascript we are able to erase, edit, or create cookies for any website. This
task is more complicated than regular types of attacks. I will not go into
great detail about how it's done.

                To View the Cookie:
                        javascript:alert(unescape(document.cookie));

                To Change Cookie Data:

                        javascript:alert(window.c = function a(n, v, nv) {
                                c = document.cookie;
                                c = c.substring(c.indexOf(n) + n.length, c.length);
                                c = c.substring(1, ((c.indexOf(";") > -1) ? c.indexOf(";") : c.length));
                                nc = unescape(c).replace(v, nv);
                                document.cookie = n + "=" + escape(nc);
                                return unescape(document.cookie);
                        });
                        alert(c(prompt("cookie name:", ""), prompt("replace this value:", ""), prompt("with::", "")));

                So If You are logged in as "John Doe" in www.ima13370h4x0r.net and your
session cookie reads:

                        SessionData=a:3:{s:11:"SessionUser";s:5:"75959";s:9:"SessionID";i:70202768;s:9:"LastVisit";i:1078367189;}

        The cookie is actually serialized but you should be able to recognize
"75959" as your user_id. Some of the time you will find a website that
stores data (like user_id) in cookies but does not typecast the data. This
is a serious hole in the site's code because any user is able to change
their user_id to any other user or administrator user_id.

        Changing the cookie value is easy once you have declared the window.c
function. First change s:5:"75959" to s:x:"ADMINID" where x is the length of
the new value. So if you want to change 75959 to 1. You must change
s:5:"75959" to s:1:"1" :-) Sometimes you will need to change 75959 to "13 or
1=1" in order to bypass any WHERE statements any sql session queries used to
keep you logged in the website.

----------------------------------------------------------------------------------------
Notes:
        In-line javascript statements can be added to your browser's favorites for
easier access to your own functions.
        It is possible to declare your own functions for use in extended hacks.
Declare the function as a method of window. "alert(window.newfunction =
function (){...})"
----------------------------------------------------------------------------------------

am hictor
lezr.com
thnk you rodhedor
hict0r@hotmail.com
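An added example, not code from hictor's post: the profile-update statement from the tutorial built the vulnerable way the post quotes, beside a hardened version that repeats the form's checks on the server, restricts the select-box value to the options the form offers (an assumed list), takes the user id from the server-side session rather than the request, and binds values as driver placeholders. The payload is the one in the post, reproduced here as constructed input; the function names are my own.

```javascript
// Added example, not from hictor's post. The payload below is the tutorial's
// own, used as constructed input; SEX_OPTIONS and the function names are
// assumptions. Password hashing is out of scope for this example.

const TUTORIAL_PAYLOAD = "gay',user_password='HACKED' WHERE user_id=1#";

// Mirrors "UPDATE user_data SET user_password='$user_password',... WHERE user_id=$user_id":
// request values spliced straight into the statement text.
function buildUpdateUnsafe(form, session) {
  return 'UPDATE user_data SET ' +
    `user_password='${form.user_password}',` +
    `user_email='${form.user_email}',` +
    `user_sex='${form.user_sex}' ` +
    `WHERE user_id=${session.user_id}`;
}

// What MySQL actually executes: "#" starts a comment that runs to end of line,
// so the genuine WHERE clause after the injected one is discarded.
function effectiveStatement(sql) {
  const i = sql.indexOf('#');
  return i === -1 ? sql : sql.slice(0, i).trim();
}

// The choices the profile form's <select> offers (assumed). Anything else is a
// value someone typed into the field with javascript, not a choice.
const SEX_OPTIONS = new Set(['male', 'female', 'unspecified']);

// Server-side twin of the client's formSubmit(): the onsubmit check is a
// convenience for honest users, so every rule is re-checked here.
function validateProfileForm(form) {
  const errors = [];
  if (typeof form.user_email !== 'string' || form.user_email.trim() === '') {
    errors.push('email is required');
  }
  if (!SEX_OPTIONS.has(form.user_sex)) {
    errors.push('user_sex is not one of the offered options');
  }
  return errors;
}

function buildUpdateSafe(form, session) {
  const errors = validateProfileForm(form);
  if (errors.length > 0) throw new RangeError(errors.join('; '));
  if (!Number.isInteger(session.user_id)) throw new TypeError('session user_id must be an integer');
  // Placeholders: the driver sends values separately from the statement text,
  // so a quote or "#" inside a value can never change the statement's shape.
  return {
    sql: 'UPDATE user_data SET user_password=?, user_email=?, user_sex=? WHERE user_id=?',
    params: [form.user_password, form.user_email, form.user_sex, session.user_id],
  };
}
```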

Posted by CEOinIRVINE

This is my second gunz tutorial =3
Today I will teach you all how to find
all your favorite hacking functions in an
unpacked gunz.

Remember, you can't call someone if you don't
know what their number is, correct?
So to call the function that, let's say, makes a slash,
we need to know where it is, to call it over and over
again to make a lawnmower hack,
and this is exactly what I will be teaching :)

You will need:

Ollydebugger

CurrentUnpackedGunz
OldGunzclient+OldGunzaddresses
JGunzclient+JGunzaddresses
FullGunz.pdbDump

OK, let's start simple. Let's say we want to make a lawnmower hack.
How do we find where the function that makes a slash is located
in Gunz.exe? Open up your unpacked Gunz in
Olly and take a look.

METHOD 1 "PacketIDs"
The functions that make a slash are ZPostShot and ZPostShotMelee.
To find these in your current (or any) unpacked Gunz client,
go to Olly and right click in the CPU window -> go down to where
it says "Search for" -> find and click on "All Referenced Text Strings".
This will search the whole gunz.exe for referenced text,
and most functions can be found by this method.
To find ZPostShot, first click on View on the main top bar
and find "References".
(Notice that after you search for referenced
text this window should open automatically and you don't have to do this
step.)
Right click in the "References" window -> click on "Search for text".
A popup will appear with checkboxes; make sure you uncheck
"Case Sensitive" and check "Entire Scope".
Now, since you don't know what specific text string ZPostShot is,
you should use text that is in the name, i.e. "Shot", and press
Ctrl+L to search for the next one until you find the one you think it is.
But I know what ZPostShot is: it's "Peer.Shot".
So find it in the referenced text and, to jump to it in the CPU window,
just press Enter or double click,
and you should see something like this:
Code:
  PUSH Unpacked.0065D0B8
  PUSH 2732
  MOV ECX,DWORD PTR SS:[EBP-1B44]
  CALL Unpacked.0050C920
You see the PUSH 2732?
The four digits ->"2732"<- are the "PacketID".
With this you can find your function.
Just right click on the line where the packet ID is located
and select "Binary" -> "Binary Copy".
Now that you have copied it to the clipboard,
right click -> "Search for" -> "Binary String" (Ctrl+B),
paste the binary (Ctrl+V) into the "HEX +05" space
and hit OK.
That should jump you to the function; if it does not,
just press Ctrl+L to keep searching.
If you do find it, just scroll up to the start of the function.
It should look like this (the full ZPostShot function):
Code:
  PUSH EBP
  MOV EBP,ESP
  PUSH -1
  PUSH Unpacked.006367DB
  MOV EAX,DWORD PTR FS:[0]
  PUSH EAX
  MOV DWORD PTR FS:[0],ESP
  SUB ESP,14
  MOV EAX,DWORD PTR DS:[6D3AD8]
  MOV ECX,DWORD PTR DS:[EAX+30]
  MOV EAX,DWORD PTR DS:[ECX]
  MOV EDX,DWORD PTR DS:[EAX]
  PUSH EBX
  PUSH ESI
  MOV ESI,DWORD PTR SS:[EBP+8]
  FLD DWORD PTR DS:[ESI]
  PUSH EDI
  MOV DWORD PTR SS:[EBP-20],EDX
  CALL Unpacked.005925D0
  FLD DWORD PTR DS:[ESI+4]
  MOV WORD PTR SS:[EBP-1C],AX
  CALL Unpacked.005925D0
  FLD DWORD PTR DS:[ESI+8]
  MOV WORD PTR SS:[EBP-1A],AX
  CALL Unpacked.005925D0
  MOV ESI,DWORD PTR SS:[EBP+C]
  FLD DWORD PTR DS:[ESI]
  MOV WORD PTR SS:[EBP-18],AX
  CALL Unpacked.005925D0
  FLD DWORD PTR DS:[ESI+4]
  MOV WORD PTR SS:[EBP-16],AX
  CALL Unpacked.005925D0
  FLD DWORD PTR DS:[ESI+8]
  MOV WORD PTR SS:[EBP-14],AX
  CALL Unpacked.005925D0
  MOV WORD PTR SS:[EBP-12],AX
  MOV AL,BYTE PTR SS:[EBP+10]
  PUSH 2732
  MOV BYTE PTR SS:[EBP-10],AL
  CALL Unpacked.004C6340
  PUSH 10
  MOV ESI,EAX
  CALL Unpacked.0062C25E
  ADD ESP,8
  MOV DWORD PTR SS:[EBP+8],EAX
  XOR EDI,EDI
  CMP EAX,EDI
  MOV DWORD PTR SS:[EBP-4],EDI
  JE L055
  PUSH 11
  LEA ECX,DWORD PTR SS:[EBP-20]
  PUSH ECX
  MOV ECX,EAX
  CALL Unpacked.0050AC40
  JMP L056
  XOR EAX,EAX
  PUSH EAX
  MOV ECX,ESI
  MOV DWORD PTR SS:[EBP-4],-1
  CALL Unpacked.0050D020
  PUSH ESI
  CALL Unpacked.004C6400
  ADD ESP,4
  MOV DWORD PTR SS:[EBP+8],EDI
  PUSHAD
  MOV EAX,EBP
  ADD EAX,4
  MOV EAX,DWORD PTR DS:[EAX]
  MOV DWORD PTR SS:[EBP+8],EAX
  MOV EAX,Unpacked.00481D90
  MOV DWORD PTR SS:[EBP+C],EAX
  POPAD
  MOV EAX,DWORD PTR SS:[EBP+8]
  CMP EAX,Unpacked.00401000
  JBE L077
  CMP EAX,3000000
  JB L082
  PUSH 238D
  CALL Unpacked.004C6340
  PUSH EAX
  CALL Unpacked.004C6400
  ADD ESP,8
  MOV ECX,DWORD PTR SS:[EBP-C]
  POP EDI
  POP ESI
  MOV DWORD PTR FS:[0],ECX
  POP EBX
  MOV ESP,EBP
  POP EBP
  RETN
There you just found your function.
All ZPost functions have packet IDs, so they are easy
to find, but what about other functions, like the one used
to make a godmode hack? Well, this is where our JGunz.exe
comes in.

METHOD 2 (WildCards)
Open JGunz (or OldGunz) in Ollydbg,
open the JGunz GunzFunction.txt in notepad,
press Ctrl+F in notepad,
type "ZModule_HPAP::SetHP" or "ZModule_HPAP::SetAP"
and press Enter. You will find that
in JGunz ZModule_HPAP::SetHP is located at 0047DDD0,
so copy that address, go to JGunz in Olly,
click on this button -> and paste the address there,
then click OK or press Enter.
In JGunz the full ZModule_HPAP::SetHP looks like this:
Code:
  MOV EAX,DWORD PTR SS:[ESP+4]
  PUSH ESI
  PUSH EDI
  MOV EDI,ECX
  XOR ECX,ECX
  TEST EAX,EAX
  SETL CL
  DEC ECX
  AND ECX,EAX
  MOV DWORD PTR SS:[ESP+C],ECX
  FILD DWORD PTR SS:[ESP+C]
  FCOM DWORD PTR DS:[EDI+8]
  FSTSW AX
  TEST AH,5
  JPO L017
  FSTP ST
  FLD DWORD PTR DS:[EDI+8]
  CALL JGunz.005533F8
  MOV DWORD PTR SS:[ESP+C],EAX
  MOV AL,BYTE PTR DS:[EDI+18]
  XOR ESI,ESI
  TEST AL,AL
  JE L038
  CALL JGunz.0048E030
  MOV ESI,EAX
  LEA EDX,DWORD PTR DS:[EDI+10]
  ADD ESI,8
  PUSH EDX
  MOV ECX,ESI
  CALL JGunz.00526370
  TEST EAX,EAX
  JE L038
  MOV ECX,EAX
  CALL JGunz.00526210
  TEST AL,AL
  JNZ L038
  MOV ECX,ESI
  CALL JGunz.00526B00
  FILD DWORD PTR SS:[ESP+C]
  MOV CL,BYTE PTR DS:[EDI+18]
  TEST CL,CL
  LEA EAX,DWORD PTR DS:[EDI+10]
  FADD DWORD PTR DS:[5D0444]
  FSTP DWORD PTR DS:[EAX]
  JE L049
  PUSH 4
  PUSH EAX
  MOV ECX,ESI
  CALL JGunz.005263A0
  POP EDI
  POP ESI
  RETN 4
As you can see there is no packet ID, so we are going to do a Binary
Copy :)

So highlight a little bit of the function, i.e.:
Code:
  PUSH ESI
  PUSH EDI
  MOV EDI,ECX
  XOR ECX,ECX
  TEST EAX,EAX
  SETL CL
  DEC ECX
  AND ECX,EAX
  MOV DWORD PTR SS:[ESP+C],ECX
  FILD DWORD PTR SS:[ESP+C]
  FCOM DWORD PTR DS:[EDI+8]
  FSTSW AX
  TEST AH,5
Right click, do a Binary Copy and paste it into notepad. It should
look like this:
Code:
56 57 8B F9 33 C9 85 C0 0F 9C C1 49 23 C8 89 4C 24 0C DB 44 24 0C D8 57 08 DF E0 F6 C4 05
Now, to organize it, let's space it the way it is in Olly, like so:
Code:
56 
57 
8B F9 
33 C9 
85 C0 0F 9C C1 
49 
23 C8 
89 4C 24 0C 
DB 44 24 0C 
D8 57 08 
DF E0 
F6 C4 05
That, in binary, is the equivalent of the ASM above it :)
OK, so fill everything between the first 3 lines and the last 2 lines with "??".
Yep, question marks.
So like this:
Code:
56 
57 
8B F9 
?? ?? 
?? ?? ?? ?? ?? 
?? 
?? ?? 
?? ?? ?? ?? 
?? ?? ?? ?? 
?? ?? ?? 
DF E0 
F6 C4 05
I am doing it this way since I know it will work,
but the general rule is that whatever you copy goes through this process:
FF FF    (If your binary string looks like this, the right side after the space should be filled with "??" so it looks like FF ??)
FF       (If there is only 1 pair then nothing needs to be done)
FFFF FF  (Any pair after the space should be replaced with "??", like so: FFFF ??)

OK, so that's in notepad.
Open up your current unpacked Gunz in Olly,
press Ctrl+B and paste the opcode pattern you just made in notepad :)
into the HEX +05 space, and click OK.

The first one you see should be the new function, and at the top is the address
where it's located.
It should look like this in the current Gunz:
Code:
  PUSH EBP
  MOV EBP,ESP
  PUSH ECX
  FLD DWORD PTR DS:[66571C]
  PUSH EBX
  FCOMP DWORD PTR SS:[EBP+8]
  PUSH ESI
  PUSH EDI
  MOV EDI,ECX
  FSTSW AX
  TEST AH,41
  JNZ L014
  FLD DWORD PTR DS:[66571C]
  JMP L015
  FLD DWORD PTR SS:[EBP+8]
  FCOMP DWORD PTR DS:[EDI+8]
  FSTSW AX
  TEST AH,5
  JPE L026
  FLD DWORD PTR DS:[66571C]
  FCOMP DWORD PTR SS:[EBP+8]
  FSTSW AX
  TEST AH,41
  JNZ L028
  MOV DWORD PTR SS:[EBP+8],0
  JMP L028
  MOV EAX,DWORD PTR DS:[EDI+8]
  MOV DWORD PTR SS:[EBP+8],EAX
  MOV ESI,DWORD PTR DS:[EDI+24]
  TEST ESI,ESI
  JE L051
  FLD DWORD PTR SS:[EBP+8]
  MOV EAX,DWORD PTR DS:[ESI]
  FADD DWORD PTR DS:[6506FC]
  XOR EDI,EDI
  TEST EAX,EAX
  FSTP DWORD PTR SS:[EBP+8]
  JE L039
  MOV EDI,EAX
  PUSH 4
  CALL Unpacked.0062C25E
  MOV ECX,DWORD PTR SS:[EBP+8]
  ADD ESP,4
  TEST EDI,EDI
  MOV DWORD PTR DS:[ESI],EAX
  MOV DWORD PTR DS:[EAX],ECX
  JE L081
  PUSH EDI
  CALL Unpacked.0062C28E
  ADD ESP,4
  JMP L081
  MOV AL,BYTE PTR DS:[EDI+18]
  XOR ESI,ESI
  TEST AL,AL
  JE L070
  CALL Unpacked.0049A4D0
  MOV ESI,EAX
  LEA EDX,DWORD PTR DS:[EDI+10]
  ADD ESI,8
  PUSH EDX
  MOV ECX,ESI
  CALL Unpacked.0055EAA0
  TEST EAX,EAX
  JE L070
  MOV ECX,EAX
  CALL Unpacked.0055E8B0
  TEST AL,AL
  JNZ L070
  MOV ECX,ESI
  CALL Unpacked.0055F230
  FLD DWORD PTR SS:[EBP+8]
  MOV CL,BYTE PTR DS:[EDI+18]
  TEST CL,CL
  FADD DWORD PTR DS:[6506FC]
  LEA EAX,DWORD PTR DS:[EDI+10]
  FSTP DWORD PTR DS:[EAX]
  JE L081
  PUSH 4
  PUSH EAX
  MOV ECX,ESI
  CALL Unpacked.0055EAD0
  MOV DWORD PTR SS:[EBP+8],0
  PUSHAD
  MOV EAX,EBP
  ADD EAX,4
  MOV EAX,DWORD PTR DS:[EAX]
  MOV DWORD PTR SS:[EBP+8],EAX
  MOV EAX,Unpacked.00489480
  MOV DWORD PTR SS:[EBP-4],EAX
  POPAD
  MOV EAX,DWORD PTR SS:[EBP+8]
  CMP EAX,Unpacked.00401000
  JBE L095
  CMP EAX,3000000
  JB L100
  PUSH 238D
  CALL Unpacked.004C6340
  PUSH EAX
  CALL Unpacked.004C6400
  ADD ESP,8
  POP EDI
  POP ESI
  POP EBX
  MOV ESP,EBP
  POP EBP
  RETN 4
Congrats, you just found ZModule_HPAP::SetHP =3
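The Notepad-and-Ctrl+B steps above are a wildcard byte search: literal bytes for the parts of the function that survive a recompile, "??" for the bytes that move. Here is the same operation as an added Python script (example code, not part of the original tutorial or of any Gunz tool), so you can test a signature against a dumped section before trusting a single Olly hit. The two "images" are constructed byte strings: the old one embeds the 30 bytes quoted above, the new one embeds my own encoding of the instructions the later build's listing shows in the same position (FSTSW AX / TEST AH,41 / JNZ / FLD / JMP / FLD / FCOMP) with the two rel8 jump displacements assumed; the image base 0x400000, the filler bytes and the decoy are also assumptions.

```python
"""Wildcard ("??") byte-signature search: what OllyDbg does when you paste
the masked bytes into Ctrl+B.  Added example, not code from the tutorial;
the two images below are constructed, see the lead-in."""
import re

IMAGE_BASE = 0x400000  # assumed load address; only used to turn an offset into an address


def compile_signature(sig: str) -> re.Pattern:
    """'56 57 8B F9 ?? DF E0' -> compiled bytes regex; '??' matches any one byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in sig.split()]
    # Zero-width lookahead so overlapping candidates are all reported.
    return re.compile(b"(?=" + b"".join(parts) + b")", re.DOTALL)


def scan(image: bytes, sig: str) -> list:
    """Every file offset at which the signature matches."""
    return [m.start() for m in compile_signature(sig).finditer(image)]


def resolve(image: bytes, sig: str, base: int = IMAGE_BASE) -> int:
    """Offset -> address, insisting on exactly one hit.  Zero hits: a kept
    byte changed between builds, wildcard more.  Two or more hits: the
    signature is too short, keep more of the function's bytes."""
    hits = scan(image, sig)
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} hits for signature, need exactly 1")
    return base + hits[0]


def mask(byte_str: str, keep) -> str:
    """The Notepad step: keep the byte ranges [start, stop) listed in `keep`
    and replace every other byte with '??'."""
    toks = byte_str.split()
    out = ["??"] * len(toks)
    for start, stop in keep:
        out[start:stop] = toks[start:stop]
    return " ".join(out)


# The 30 bytes copied from the old build (PUSH ESI ... TEST AH,5).
OLD_BYTES = ("56 57 8B F9 33 C9 85 C0 0F 9C C1 49 23 C8 89 4C 24 0C "
             "DB 44 24 0C D8 57 08 DF E0 F6 C4 05")
# First three instructions (4 bytes) and last two (5 bytes) kept, 21 wildcarded.
SIGNATURE = mask(OLD_BYTES, keep=[(0, 4), (25, 30)])

# My encoding of the same stretch in the later build's listing: PUSH ESI,
# PUSH EDI, MOV EDI,ECX, FSTSW AX, TEST AH,41, JNZ, FLD [66571C], JMP,
# FLD [EBP+8], FCOMP [EDI+8], FSTSW AX, TEST AH,5.  The two rel8
# displacements (08, 03) are assumed.
NEW_BYTES = ("56 57 8B F9 DF E0 F6 C4 41 75 08 D9 05 1C 57 66 00 EB 03 "
             "D9 45 08 D8 5F 08 DF E0 F6 C4 05")

FILLER = bytes(range(256)) * 4                             # constructed "other code"
DECOY = bytes.fromhex("D8 5F 08 DF E0 F6 C4 05 7A 10")     # another FCOMP/FSTSW/TEST elsewhere
OLD_IMAGE = FILLER + bytes.fromhex(OLD_BYTES) + FILLER
NEW_IMAGE = FILLER + DECOY + FILLER + bytes.fromhex(NEW_BYTES) + FILLER

if __name__ == "__main__":
    print(SIGNATURE)
    print("old build:", hex(resolve(OLD_IMAGE, SIGNATURE)))
    print("new build:", hex(resolve(NEW_IMAGE, SIGNATURE)))
    print("literal old bytes in new build:", scan(NEW_IMAGE, OLD_BYTES))
    print("tail only, new build:", scan(NEW_IMAGE, "DF E0 F6 C4 05"))
```

The literal 30 old bytes do not occur in the new image at all, while the masked signature resolves in both, because the 21 wildcards absorb a completely different instruction sequence. The five-byte tail `DF E0 F6 C4 05` on its own hits twice in the new image and resolve() refuses it; that is exactly the Ctrl+L check to do in Olly before trusting the first hit.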

Here is a list of some I have already found; these were working for ijji as of April 2, 2009.
Addresses
In the next Gunz tutorial I will teach you how to make a simple
DLL hack!

http://www.lethalgaming.net/forum/showthread.php?t=57725

Other posts in the 'Hacking' category

URL Encoding  (0) 2009.06.10
Hacking with Javascript 2005.FEB.  (0) 2009.06.09
Lolhackerstic.dll (godmode)  (0) 2009.06.09
How to Hack a Yahoo Mail Password  (0) 2009.05.26
Debugging  (0) 2009.05.23
Posted by CEOinIRVINE
008788F8  74 17            je short lol!.00878911                        ; ZF set by the preceding compare: skip the CreateThread below
008788FA  6A 00            push 0                                        ; lpThreadId = NULL
008788FC  6A 00            push 0                                        ; dwCreationFlags = 0 (start the thread immediately)
008788FE  6A 00            push 0                                        ; lpParameter = NULL
00878900  B8 7D588700      mov eax, lol!.0087587D                        ; EAX = the address 0087587D itself (an immediate, not the data stored there): the thread's start routine
00878905  50               push eax                                      ; lpStartAddress = 0087587D
00878906  6A 00            push 0                                        ; dwStackSize = 0 (default size)
00878908  6A 00            push 0                                        ; lpThreadAttributes = NULL
0087890A  2E:FF15 BC518>   call dword ptr cs:[<&KERNEL32.CreateThread>]  ; CreateThread(NULL, 0, 0087587D, NULL, 0, NULL) via the import table; stdcall, so the arguments were pushed right to left
00878911  E8 2CAAFFFF      call lol!.00873342                            ; call the function at 00873342
00878916  6A 32            push 32                                       ; dwMilliseconds = 0x32 = 50
00878918  2E:FF15 64528>   call dword ptr cs:[<&KERNEL32.Sleep>]         ; Sleep(50)
0087891F  BA 11748900      mov edx, lol!.00897411                        ; EDX = address of the ASCII string "@charge"
00878924  E8 569FFFFF      call lol!.0087287F                            ; call 0087287F with the string pointer passed in EDX
00878929  E8 92070100      call lol!.008890C0                            ; call 008890C0; its return value in EAX is tested next
0087892E  85C0             test eax, eax                                 ; EAX AND EAX: sets ZF if the return value is zero
00878930  75 49            jnz short lol!.0087897B                       ; non-zero return: skip this block and go straight to the "@godmode" block
00878932  803D 61C48900>   cmp byte ptr ds:[89C461], 0                   ; compare the byte stored at address 89C461 (a global on/off flag) with 0
00878939  75 06            jnz short lol!.00878941                       ; flag is currently set: jump to the code that clears it
0087893B  C645 80 01       mov byte ptr ss:[ebp-80], 1                   ; flag was 0: write 1 to the local at EBP-0x80 (128 bytes below the frame pointer)
0087893F  EB 04            jmp short lol!.00878945                       ; skip the else branch
00878941  C645 80 00       mov byte ptr ss:[ebp-80], 0                   ; flag was 1: write 0 to the local at EBP-0x80
00878945  8A45 80          mov al, byte ptr ss:[ebp-80]                  ; AL = the new flag value from the local
00878948  A2 61C48900      mov byte ptr ds:[89C461], al                  ; store it back to 89C461: the flag has now been toggled
0087894D  803D 61C48900>   cmp byte ptr ds:[89C461], 0                   ; re-read the toggled flag and compare it with 0
00878954  74 17            je short lol!.0087896D                        ; flag is now 0 (feature switched off): skip the CreateThread below
00878956  6A 00            push 0                                        ; lpThreadId = NULL
00878958  6A 00            push 0                                        ; dwCreationFlags = 0
0087895A  6A 00            push 0                                        ; lpParameter = NULL
0087895C  B8 FE578700      mov eax, lol!.008757FE                        ; EAX = the address 008757FE (immediate): this feature's thread routine
00878961  50               push eax                                      ; lpStartAddress = 008757FE
00878962  6A 00            push 0                                        ; dwStackSize = 0
00878964  6A 00            push 0                                        ; lpThreadAttributes = NULL
00878966  2E:FF15 BC518>   call dword ptr cs:[<&KERNEL32.CreateThread>]  ; CreateThread(NULL, 0, 008757FE, NULL, 0, NULL)
0087896D  E8 D0A9FFFF      call lol!.00873342                            ; call the function at 00873342
00878972  6A 32            push 32                                       ; dwMilliseconds = 50
00878974  2E:FF15 64528>   call dword ptr cs:[<&KERNEL32.Sleep>]         ; Sleep(50)
0087897B  BA 19748900      mov edx, lol!.00897419                        ; EDX = address of the ASCII string "@godmode": the next feature block starts the same way

Posted by CEOinIRVINE

Someone you know has a Yahoo account and you want the password. Whether you don't trust your spouse or are just looking to do some justice, I'm sure you have your reasons. Yahoo Mail is estimated to be the world's largest email provider; in February 2008 a Yahoo executive claimed the company served 260 million email users, very close to Hotmail's numbers. With that many accounts there is clearly a demand for breaking into them. I don't condone anything illegal, but I do believe that information should be freely available on the internet, no matter the subject, and that there are many situations and good reasons for doing so. I leave that up to you to decide.

When it comes to getting hold of email passwords like Yahoo's, there are two methods that work: spying and phishing. Both rely on the target, not Yahoo, handing over the password without realising it, either by typing it on a machine you monitor or by typing it into a page you control. The only parties that know the password are Yahoo and the target, so which do you think is easier to get it from? There are other ways to attack a Yahoo password, but the odds are so low it isn't even funny. If you want to know more about the other, unrealistic ways and why they don't work, read The Truth about Password Hacking/Cracking.

So, here is how you hack yahoo:

Spying (costs money)

Almost everyone logs into their Yahoo account from a computer, usually their own. That means one of the parties that DOES see the password is the computer it is typed on, but the computer does not keep it unless monitoring software has been planted there. Getting such software onto the computer is easy, especially if you have physical access to it. Count how many times your own computer has picked up a virus or a suspicious email: it is the same thing.

So what’s the best spy software to use?

If you have physical access to the computer, you are practically guaranteed the password. A good program is completely stealthy and has a host of features; the one I recommend is AceSpy, an advanced monitoring program sold mainly for watching your kids or employees silently and discreetly. There are also some free keyloggers out there, but I was unable to find one that was stealthy, and they are very limited in features. AceSpy records websites visited, instant-messenger chat logs and email, stores screenshots, and has a surveillance mode that records a movie of the user's actions. This can be better than having only the Yahoo Mail password, because deleted emails and other information can be recovered from the screenshots when you otherwise couldn't get at them.

If you need to get at someone remotely over the internet, the same company sells SniperSpy. The difference, and this is the really useful part, is that SniperSpy is remotely deployable: you send its module by email or file transfer and it begins monitoring their computer. All the data it gathers is stored online and accessed through the vendor's website, so you don't depend on software installing on your own computer; all you need is a web browser and an internet connection to reach the Spy Control Panel. This is the program I used on my girlfriend, and I was able to get proof of what I suspected. It has the same features as AceSpy plus a lot more, and it is marketed as stealthy. Being a commercial product does not by itself put it past firewalls and antivirus, though: many antivirus engines classify commercial monitoring tools as riskware, so check before relying on it.

Phishing (Fake Login Pages)

Phishing is mostly used at a wider scale, against a large number of Yahoo accounts at once. The most common form is email: the target receives a message that appears to come from Yahoo itself (the sender address of an email is very easy to forge). The message always tells a story about a problem with your account and asks you to verify it at the link below; this is where the theft happens. The person thinks the link leads to the official Yahoo website, but most people don't notice that the URL is slightly, or even completely, different. They land on a login page that looks authentic, and as soon as they enter their details and hit Submit, the attacker has the password. Phishing is illegal in every case, because you are impersonating Yahoo and copying its page to build the fake login, but enforcement is rare and I know of no one being arrested or getting in trouble for it (if you do, feel free to comment). It is also limited to giving you the password (unlike spying), and setting it up is meant for those with above-average computer skills. If you are interested in doing it this way, access the instructions page here (a cell-phone offer gates the instructions page from prying eyes; enter a valid phone number and the instructions page should appear immediately afterwards).
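The weak point the paragraph relies on, that people don't notice the URL being "slightly or even completely different", is also the check that catches the page. The script below is an added example, not from the article: it extracts the host a browser would actually connect to and decides whether it really belongs to yahoo.com, flagging the common imitation tricks (brand name placed in the user:pass@ part, brand as a subdomain of someone else's domain, internationalized xn-- labels hiding Unicode lookalikes, and digit-for-letter swaps). The URLs in SAMPLES are constructed for the example, and registrable() is a deliberate simplification that takes the last two labels instead of consulting the Public Suffix List.

```python
"""Decide whether a login URL really belongs to the site it imitates.
Added example, not from the article; the URLs in SAMPLES are constructed."""
from urllib.parse import urlsplit

BRAND_DOMAIN = "yahoo.com"
# Digits that are routinely swapped in for the letters they resemble.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def split_url(url: str):
    """urlsplit with a default scheme, so 'yahoo.com/x' is not read as a path."""
    return urlsplit(url if "://" in url else "http://" + url)


def effective_host(url: str):
    """Host the browser connects to: after any user:pass@, before the port,
    lowercased, IDNA-encoded so Unicode lookalikes surface as xn-- labels."""
    host = split_url(url).hostname
    if not host:
        return None
    try:
        return host.encode("idna").decode("ascii").rstrip(".")
    except UnicodeError:
        return host


def under_domain(host: str, domain: str = BRAND_DOMAIN) -> bool:
    """True only for the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)


def registrable(host: str) -> str:
    """Naive 'last two labels'.  Real code should use the Public Suffix List
    (co.uk and friends); good enough for the constructed samples."""
    return ".".join(host.split(".")[-2:])


def classify(url: str):
    """Return (verdict, reason); verdict is 'legit', 'phish' or 'unknown'."""
    parts = split_url(url)
    host = effective_host(url)
    if host is None:
        return "unknown", "no hostname"
    if under_domain(host):
        return "legit", f"{host} is under {BRAND_DOMAIN}"
    # 1. http://yahoo.com@evil.example/ : the brand sits in the userinfo.
    if parts.username and BRAND_DOMAIN.split(".")[0] in parts.username.lower():
        return "phish", f"brand in userinfo, real host is {host}"
    # 2. login.yahoo.com.evil.example : brand is a subdomain of someone else.
    if BRAND_DOMAIN in host:
        return "phish", f"brand embedded in host, real domain is {registrable(host)}"
    # 3. www.xn--... : internationalized label, the Unicode homoglyph trick.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "phish", f"internationalized label in {host}"
    # 4. yah00.com : digit-for-letter substitution.
    if BRAND_DOMAIN in host.translate(HOMOGLYPHS):
        return "phish", f"digit substitution in {host}"
    return "unknown", f"{host} is neither {BRAND_DOMAIN} nor an obvious imitation"


SAMPLES = {  # constructed for this example; expected verdict on the right
    "https://login.yahoo.com/config/login": "legit",
    "https://login.yahoo.com.account-verify.example/": "phish",
    "http://yahoo.com@203.0.113.5/login": "phish",
    "https://www.y\u0430hoo.com/": "phish",   # Cyrillic 'а' in place of Latin 'a'
    "http://login-yah00.com/": "phish",
    "https://mail.example.org/login": "unknown",
}


def run_samples() -> dict:
    """Verdict for every sample URL, keyed by URL."""
    return {url: classify(url)[0] for url in SAMPLES}


if __name__ == "__main__":
    for url in SAMPLES:
        verdict, reason = classify(url)
        print(f"{verdict:8} {url}  ({reason})")
```

The order of the checks matters: the userinfo test runs before the embedded-brand test because `parts.hostname` already throws the `yahoo.com@` part away, so a host-only check would see an innocuous IP address and miss the trick.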

Posted by CEOinIRVINE