'Hacking'에 해당되는 글 266건

  1. 2009.05.23 Debugging by CEOinIRVINE
  2. 2009.05.23 Basic 80x86 Architecture by CEOinIRVINE
  3. 2009.05.09 Game Cheat 101 by CEOinIRVINE
  4. 2009.04.24 fantasy baseball by CEOinIRVINE
  5. 2009.04.16 How To Bypass Linux Magazine Membership Check by CEOinIRVINE
  6. 2009.04.16 How to use Linux awk programming and regular expression to read a big log file? by CEOinIRVINE
  7. 2009.04.08 download musics mp3 at shared libary iTunes by CEOinIRVINE
  8. 2009.04.07 US iPod repairman guilty of fraud by CEOinIRVINE
  9. 2009.04.01 Visa, MasterCard In Security Hot Seat by CEOinIRVINE
  10. 2009.03.30 Incident Reponse by CEOinIRVINE 1

Debugging

Hacking 2009. 5. 23. 10:59

Debugging

Title Description Chapter
Gflags Allows you to enable system-wide heap and object checks for an application.

http://technet2.microsoft.com/WindowsServer/en/Library/6a183942-57b1-45e0-8b4c-c546aa1b8c471033.mspx
8
IDA Pro A disassembler and debugger, plus several additional features useful for figuring out how an application works when you don't have the source code.

http://www.datarescue.com/idabase
17
Microsoft Debugging Tools for Windows Several debugging tools for the Windows operating system.

http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx
17
Microsoft Visual Studio Microsoft's premium application debugger and provides a rich set of UI and automatable debugging features. 8, 9
NTSD System and application debugger.

Comes installed in the Windows operating system: ntsd.exe.
8
OllyDbg A 32-bit debugger for the Windows operating system.

http://www.ollydbg.de

'Hacking' 카테고리의 다른 글

Lolhackerstic.dll (godmode)  (0) 2009.06.09
How to Hack a Yahoo Mail Password  (0) 2009.05.26
Basic 80x86 Architecture  (0) 2009.05.23
Game Cheat 101  (0) 2009.05.09
fantasy baseball  (0) 2009.04.24
Posted by CEOinIRVINE
l

Basic 80x86 Architecture

Hacking 2009. 5. 23. 10:55

Basic 80x86 Architecture

The Intel CPU is generally classified as a Von Neumann machine. Von Neumann computer systems contain three main building blocks: the central processing unit (CPU), memory, and input/output (I/O) devices. These three components are connected together using the system bus (consisting of the address, data, and control buses). The block diagram in Figure 3-1 shows this relationship.

Figure 3-1. Block diagram of a Von Neumann system


The CPU communicates with memory and I/O devices by placing a numeric value on the address bus to select one of the memory locations or I/O device port locations, each of which has a unique binary numeric address. Then the CPU, I/O, and memory devices pass data among themselves by placing the data on the data bus. The control bus contains signals that determine the direction of the data transfer (to or from memory, and to or from an I/O device).

3.3.1. Registers

The register set is the most prominent feature within the CPU. Almost all calculations on the 80x86 CPU involve at least one register. For example, to add the value of two variables and store their sum into a third variable, you must load one of the variables into a register, add the second operand to the register, and then store the register's value into the destination variable. Registers are middlemen in almost every calculation. Therefore, registers are very important in 80x86 assembly language programs.

The 80x86 CPU registers can be broken down into four categories: general-purpose registers, special-purpose application-accessible registers, segment registers, and special-purpose kernel-mode registers. We will not consider the last two sets of registers, because the segment registers are not used very much in modern 32-bit operating systems (e.g., Windows, BSD, BeOS, and Linux), and the special-purpose kernel-mode registers are intended for writing operating systems, debuggers, and other system-level tools. Such software construction is well beyond the scope of this text.

3.3.2. 80x86 General-Purpose Registers

The 80x86 (Intel family) CPUs provide several general-purpose registers for application use. These include eight 32-bit registers that have the following names:

EAX, EBX, ECX, EDX, ESI, EDI, EBP, and ESP

The E prefix on each name stands for extended. This prefix differentiates the 32-bit registers from the eight 16-bit registers that have the following names:

AX, BX, CX, DX, SI, DI, BP, and SP

Finally, the 80x86 CPUs provide eight 8-bit registers that have the following names:

AL, AH, BL, BH, CL, CH, DL, and DH

The most important thing to note about the general-purpose registers is that they are not independent. That is, the 80x86 does not provide 24 separate registers. Instead, it overlaps the 32-bit registers with the 16-bit registers, and it overlaps the 16-bit registers with the 8-bit registers. Figure 3-2 shows this relationship.

Figure 3-2. Intel 80x86 CPU general-purpose registers


The fact that modifying one register may modify as many as three other registers cannot be overemphasized. For example, modifying the EAX register may also modify the AL, AH, and AX registers. You will often see compiler-generated code using this feature of the 80x86. For example, a compiler may clear (set to zero) all the bits in the EAX register and then load AL with a one or zero in order to produce a 32-bit True (1) or False (0) value. Some machine instructions manipulate only the AL register, yet the program may need to return those instructions' results in EAX. By taking advantage of the register overlap, the compiler-generated code can use an instruction that manipulates AL to return that value in all of EAX.

Although Intel calls these registers general purpose, you should not infer that you can use any register for any purpose. The SP/ESP register pair for example, has a very special purpose that effectively prevents you from using it for any other purpose (it's the stack pointer). Likewise, the BP/EBP register has a special purpose that limits its usefulness as a general-purpose register. All the 80x86 registers have their own special purposes that limit their use in certain contexts; we will consider these special uses as we discuss the machine instructions that use them (see the online resources).

3.3.3. The 80x86 EFLAGS Register

The 32-bit EFLAGS register encapsulates numerous single-bit Boolean (True/False) values (or flags). Most of these bits are either reserved for kernel mode (operating system) functions or are of little interest to application programmers. Eight of these bits are of interest to application programmers reading (or writing) assembly language code: the overflow, direction, interrupt disable,[*] sign, zero, auxiliary carry, parity, and carry flags. Figure 3-3 shows their layout within the low-order (LO) 16 bits of the EFLAGS register.

[*] Applications programs cannot modify the interrupt flag, but we'll look at this flag later in this text, hence the discussion of this flag here.

Figure 3-3. Layout of the 80x86 flags register (LO 16 bits)


Of the eight flags that application programmers can use, four flags in particular are extremely valuable: the overflow, carry, sign, and zero flags. We call these four flags the condition codes. Each flag has a state—set or cleared—that you can use to test the result of previous computations. For example, after comparing two values, the condition-code flags will tell you if one value is less than, equal to, or greater than a second value.

'Hacking' 카테고리의 다른 글

How to Hack a Yahoo Mail Password  (0) 2009.05.26
Debugging  (0) 2009.05.23
Game Cheat 101  (0) 2009.05.09
fantasy baseball  (0) 2009.04.24
How To Bypass Linux Magazine Membership Check  (0) 2009.04.16
Posted by CEOinIRVINE
l

Game Cheat 101

Hacking 2009. 5. 9. 10:57

This guide will explain exactly what is necessary to begin cheat creation for generally any online computer game, including both fields to study, and tools to use.

Before this tutorial begins, it should be noted:

1) I'll make great use of footnotes to fill in anything the reader may not understand.
2) I'm going to assume the general audience is very technologically inept, especially pertaining to the forementioned fields.
3) This tutorial concerns mostly Windows games - there's not much of a market for cheating on other platforms.[23]

Fields of Study


When it comes to cheating in games, it will be heard that you must know either assembly, C++, or both, while in fact, neither are necessarily true. However, if you're going to work alone every step of the way, in almost every scenario, knowledge of Intel-syntax assembly will be necessary.

Assembly


Assembly is considered the bottom of the barrel of programming languages - it's considered as low-level[24] as you can go with a programming language. But, as all executables must utilize assembly one way or other, this is also why it is considered very powerful when attempting to learn what is done in a specific executable. For example, if one program encrypts certain types of files, and you need to learn how the encryption algorithm[25] is done, then you would disassemble[26] the program. From there, assuming you know assembly, you may be capable of understanding what the program does (More importantly, what that algorithm is, which would allow you to write a decryption algorithm).

Assembly uses hexadecimal numbers, so it should be understood the number system is organized as follows:

0 = 0, 1 = 1, 2 = 2, 3 = 3, 4 = 4, 5 = 5, 6 = 6, 7 = 7, 8 = 8, 9 = 9
A = 10
B = 11
C = 12
D = 13
E = 14
F = 15

(The above shows numbers from base 16, the hexadecimal system, to base 10, the standard decimal system)

Firstly, assembly is entirely about data manipulation (In general, that's all programming is - manipulating data, effecting hardware to do what you want). To be put simply, usually three things are being modified:
1) The stack
2) Registers/Flags
3) The memory of a program

Now, to explain what the above:
1) The stack is a large stack of numbers, manipulated for handing off parameters[9] to functions[9], storing the registers, and storing other miscellaneous data.

2) Registers are used for completing varying operations (Comparing data, arithmetic functions[27], logical operations[18], etc). Usually, they'll store certain types of numbers/addresses[19], from as low as 4-bits, all the way up to 32-bits (It's possible to go higher than 32-bits, but, most users won't encounter situations where that will be necessary to know). Flags are used for marking registers for different purposes (e.g.: The overflow flag, or OF, will set itself to the number 1, from 0, if an operation[4] using that register is larger than the space that the register can handle; so if you're using a 4-bit register to handle 32-bit data, the OF flag would be set to 1).

3) Varying data in the program is constantly being modified, as the stack and registers can handle only so much data at once, in many cases, it's more efficient to leave some data modification in the program itself (Though it should be noted, this is only done in memory; meaning, if you were to modify the program to display a random popup every 15 minutes while it was running, the moment the program were exited, when you re-open it later, the popup would no longer appear).


Modifying the stack is done through a number of ways, the most common being using PUSH and POP instructions.

In assembly, each line is an instruction[4], limited to at most two parameters, and as little as none.

The PUSH instruction accepts one parameter, which is added to the top of the stack. For example:

Code:
PUSH 5
The above would push the value 5 onto the stack, so that it would look like this:

Code:
00000005
Now, it should be mentioned, usually a stack base pointer (Another type of register, which will be explained further later on) is pushed onto the stack, to act as a reference point for modifying the stack. Therefore, in the beginning of most functions/programs, you'll find the following line:

Code:
PUSH EBP

Which simply causes the stack to start looking like this:

Code:
00000000
From there, if I can push my data onto the stack:

Code:
00000005
00000000
Or, I can save one of my registers by using POP:

Code:
POP EAX
(NOTE: EAX is an example of a 32-bit register - a full list of available registers and what each one is used for will be covered later).


Assuming the value of EAX was 7C90FFDD, the stack will look like:

Code:
00000005
00000000
7C90FFDD


That covers standard modification of the stack - we'll cover more later, such as how functions access certain portions of the stack for parameters being handed off, etc.

There are many varying types of registers, but to explain the bare basics, we'll start with the general purpose registers. It's necessary to note, the following are all prefixed with the same letter to represent that they are extended registers (32-bit). Therefore, the 16-bit register for EAX is AX:

EAX - Accumulator Register
EBX - Base Register
ECX - Counter Register (Used for looping[20])
EDX - Data Register (Used in multiplication and division)
ESI - Source (Used in memory operations)
EDI - Destination (Used in memory operations)

The above registers each have a sub 4-bit register; for EAX, as the 16-bit is AX, the 4-bit registers are AH and AL - therefore, for (E)BX the 4-bit registers are BH and BL, etc. When referencing pointers, it may be important to keep in mind the different registers.


Modifying registers is essential for loading data from/to the stack or from/to data in the program memory. The most used instruction for loading data into a register is the MOV instruction.

To load what's stored at the address[19] 01009000 into register EAX:

Code:
MOV EAX, DWORD PTR DS:[01009000]
One new thing was introduced on top of the MOV instruction and the EAX register: DWORD PTR DS:[Address]

DWORD is a 32-bit value (e.g.: A number). PTR stands for "pointer", meaning that the data at address 01009000 is being loaded, not the number 01009000. DS stands for "data segment", meaning the loaded value is from the .data section.

To expand, there are four "segment registers", pointing to the segments in the executable:

CS - Code Segment (References anything in the .code section)
DS - Data Segment (References anything in the .data section)
SS - Stack Segment (References the stack)
ES - Extra Segment (Rarely used)

There are also three pointer registers (One of them earlier was already referenced, EBP):

EBP - Base Pointer
ESP - Stack Pointer (Offset to the EBP - "points" to the EBP)
EIP - Instruction Pointer (Points to the address of the next instruction)



Now, apart from the MOV instruction, there is also the LEA instruction. The LEA instruction (Load Effective Address) is slightly slower, and ends with slightly larger code. It's used in preparing the loading of pointers[29] into registers, allowing even math operations to be used (NOTE: Where as MOV can load data into memory, LEA is limited to only modifying registers).

The use is identical to MOV:

Code:
LEA EAX, DWORD PTR SS:[EBP-4]

Note the use of the stack being referenced - [EBP-4] means to go to the stack pointer and access the line directly above it.

A better example of LEA would be:

Code:
LEA EAX, [EAX+EBX*4+256]
Note the use of multiplication via the asterisk, and even addition between registers.


Now, onto the easy math operations:

ADD destination, source - Adds the "destination" and "source", leaving the result on the "destination"
SUB destination, source - Subtracts the "destination" and "source", leaving the result on the "destination"

SAL destination, source - Shifts the destination to the left source times (e.g.: 15 shifted once to the left would turn into 5, but shifting once to the right, and the number would still be 5).

SAR destination, source - Shifts the destination to the right source times (e.g.: 15 shifted once to the left would turn into 1, but shifting once to the left, and the number would be 10).

INC destination - Increment the destination (Add one to the given value)
DEC destination - Decrement the destination (Subtract one to the given value)


The final important factor in the basics of assembly are conditional statements (If condition then statement, if not condition then statement, etc) and looping[20].

For comparing data, the CMP instruction is used:

Code:
CMP EAX, 1
Now, the comparison has to end up somewhere, and the possible outcomes are different types of jumps. If EAX is greater than (Or equal to), less than (Or equal to), and equal to (Or not) the number 1, then a jump to a specific address is made. If not, nothing is done.

e.g.:

Code:
CMP EAX, 1
JE 00401000
jge -Jump if they're greater or equal ; This will not work on negative registers
jg - Jump if they're greater than ; Neither will this
jle -Jump if they're less or equal ; ..this..
jl - Jump if they're less ; ...Or this
jne - Jump if they're not equal ; This conditional jump and all the following will work with both negative and positive numbers alike
je - Jump if they're equal
jne - Jump if they're not equal
jae - Jump if they're above/greater than or equal
ja - Jump if they're above/greater than
jbe - Jump if they're below/less than or equal
jb - Jump if they're below/less than

The other operation for comparing two numbers is the TEST instruction, which is identical to an AND[18], but rather than storing the result, the next instructions will check if the result of the AND was zero or one.

JZ - Jump if the result was zero
JNZ - Jump if the result was not zero (Meaning it was one)

e.g.:

Assume EAX is 00000001

Code:
TEST EAX, 1
JNZ 00401000
Since the value of EAX is 1 and the comparison value is 1, the jump will not occur.

Now, these tactics can also be used to repeat steps, for example:

Code:
0100739D   MOV EAX,0
010073A2   CMP EAX,5
010073A5   JE 010073B1
010073AB   INC EAX
010073AC   JMP 00401000
010073B1   RETN
The EAX register is set to zero, then EAX is compared to 5 - if EAX has the value 5, it jumps to the RETN instruction[21], to exit the function. Otherwise, the executing continues, and INC EAX is called, to add 1 to EAX repeatedly, until eventually, EAX is 5, and will jump to the RETN.



And that's the basics of assembly.


Debugging Applications


At this point, your skills of assembly can be put to the test. I recommend the following be downloaded:

Quote:
Originally Posted by CFF Explorer
Homepage: http://www.ntcore.com/exsuite.php
Download: http://www.ntcore.com/Files/ExplorerSuite.exe
Instructions: Execute installer as administrator
Miscellaneous: Thanks to NTCore for releasing tools as great as CFF Explorer!
Quote:
Originally Posted by IDA Free
Homepage: http://www.hex-rays.com/idapro/idadownfreeware.htm
Download: http://85.17.92.154/files/idafree49.exe
Instructions: Execute installer as administrator.
Miscellaneous: Thanks to Hex-Rays for the free release!
Quote:
Originally Posted by OllyDBG
Homepage: http://www.ollydbg.de/
Download: http://www.ollydbg.de/odbg110.zip
Instructions: Extract the ZIP archive to a new folder
Miscellaneous: Thanks to the original author! Also, be sure to register if you plan on using OllyDBG on a regular basis http://www.ollydbg.de/download.htm to honor the author for his/her hard work.
Quote:
Originally Posted by OllyDump
Homepage: Author not available; http://www.openrce.org/downloads/details/108/OllyDump
Download: http://www.openrce.org/downloads/download_file/108
- Extract ZIP archive to the same folder
Miscellaneous: Thanks to Gigapede for the awesome tool!
Quote:
Originally Posted by OllyAdvanced
Homepage: Author not available; http://www.woodmann.com/collaborativ.../Olly_Advanced
Download: http://www.woodmann.com/collaborativ....26-beta12.zip
Instructions: Extract ZIP archive to the same folder
Miscellaneous: Thanks to the original author!
Quote:
Originally Posted by PhantOm
Homepage: N/A
Download: http://securityblog.ws/work/phantom.plugin.1.54.zip
Instructions: Extract ZIP archive to the same folder
Miscellaneous: Thanks to the original author!
From here, you'll be dealing with WinAPI and DirectX functions. WinAPI is the Windows interface for dealing with applications (Starting/exiting of applications and most manipulation of applications is done by the WinAPI). DirectX is a standard collection of multimedia API's (DirectDraw/Direct3D for handling graphics, DirectMusic/DirectSound for sound, etc), which almost all Windows games utilize. But, for a beginner, only WinAPI will matter, so it's adjusted to keep http://msdn.microsoft.com/en-us/libr...49(VS.85).aspx as a bookmark for explaining what WinAPI functions do what.



Understanding how to use debuggers is key to the creation of game cheats. Once you have mastered the basics of understanding what is being done in an executable, through a debugger, you'll be ready to start understanding how cheats can be made on poorly protected games (Protected meaning games with no anti-cheat, no anti-debugger techniques, etc). After the segment on using a debugger, the next step is working around the protection mechanisms put in place to prevent debugging, and at the core of it all, cheating.



The above is a picture of OllyDBG loaded with Notepad. If you notice the "C" button with the cyan background, between the "H" and "/" buttons, that's the "CPU" section. And to explain what is in the CPU section:

1) This is the disassembled output - anything look familar? ;)
2) This is the registers window - what is loaded into each register will be updated with this window
3) This is the current stack of the program
4) This is the assembled input of the program, or the "dump" of the program. You'll notice the ASCII column resembles what the program may look like if you were to open the program in a word editor.

A debugger allows you to manipulate how the executable is ran - you can modify the registers by double clicking on the value to the right of each register. You can modify the stack by right clicking in the stack window and PUSH/POP'ing values, or right clicking on a specific value and selecting "Edit" or "Modify". At this point, you can watch as Notepad is initialized by stepping (Executing instructions one at a time) through it (Select the "Debug" menu --> "Step into" or "Step over").

There are many other features of this particular debugger - you can view the sections of the program by clicking on the cyan "M" (Memory) button, which will bring up a list of all the varying sections (Some that haven't been explained yet, such as the .text and .rsrc sections). The status of each window can be viewed by clicking on the cyan "W" button. Open file handles[29] can be seen by clicking on the cyan "H" button. Threads[32] window, seen by clicking the "T" cyan button. The last window of importance would be the software breakpoints[33] window.

This next part of debugging is done using the version of Notepad released with Windows XP (Home/Professional). If you're using a new version of Windows, such as Windows 7, or even a newer release, where Notepad was either removed or dramatically changed, then you may just have to read through, following without physically using OllyDBG.

Now that you understand the importance of the varying explained windows, you can start debugging. Launch OLLYDBG.EXE, and if you receive a popup relating to "PSAPI.DLL" being outdated, I recommend selecting the "No" option. Click on the "File" menu, then "Open", and enter "%systemroot%\notepad.exe" in the "File name:" text area. Click the "Open" button.

To test out using the debugger, I recommend you do a "Step Into" or "Step Over" by navigating to the "Debug" menu (Or simply press F7 for "Step Into" and F8 for "Step Over"). If you notice, the stack window changed - now the value "70" is on top of the stack. If you step into/over again, a new value is on the stack now.

Now, you can test out setting a breakpoint. You can manually jump to the address that is about to be called by the "CALL 01007568" instruction, by pressing the box directly to the left of the "L" cyan button, and entering the address. Or, if the grey background is highlighted over the CALL instruction (As it should be, if you've stepped into/over twice), you can simply press enter.

If you did either of the two suggested, you should end up at something that looks similar to this:

Code:
PUSH <JMP.&msvcrt._except_handler3>
If so, then you've followed this guidance correctly (If not, you can reload the instance of Notepad but clicking the gray box with two arrows pointing to the left, which is the box to the right of the "Open" box). Now, you can set a breakpoint by right clicking on the prementioned instruction, navigating to "Breakpoint" and selecting "Toggle" (Or click your F2 key while the gray line is over the prementioned opcode). You can step into/over again, or attempt to execute the program by clicking the blue play button, fourth to the right of the first "Open" button (The F9 key can also be clicked to accomplish the same). Execution will pause at the this instruction due to the breakpoint - if you attempt to execute again, Notepad will be running, and the CPU window will no longer be up-to-date, due to the startup being completely done.

From here, you can try pause the execution by clicking on the "pause" button, directly to the right of the play button, which will land you at a "RETN" line, below a "SYSENTER" instruction. Setting a breakpoint on a call expected to be used can cause the program to pause in the CPU section again, giving you direct control over the flow of the program. For example, if you go to the "ExitProcess" function (Click the button directly left of the cyan "L" button and type in "ExitProcess") and set a breakpoint here, then when you run the program and attempt to exit, the window will disappear, but execution will pause at this function. This is an example of one way you can gain control over a program.

Another commonly checked area is the strings in an executable. Right click on the disassembled area, select "Search For" then select "All Referenced Text Strings". If you scroll down toward the end of the newly opened list, in the References window (Which can be opened by the "R" cyan button, for future reference), you may see something such as:

Code:
Text strings referenced in notepad:.text, item 248
 Address=01007D26
 Disassembly=ASCII "GetLocaleInfoW",0
In Notepad, this is a list of functions that are being imported. Some executable will list other strings of interest. For example, if you're attempting to modify the attributes of a weapon in a loaded game, the weapon name may be listed in the strings window. You can check where that string is referenced (If it's referenced in a MOV/LEA or a PUSH, odds are, it's being used as a parameter for a function), set a breakpoint, then run the game again. Then the first time where the name of that weapon is used as a parameter is where the executable will be paused, which may lead you to functions you will be interested in.

One more instruction not mentioned in the assembly portion is "NOP" or "no-operation". While that isn't an actual Intel instruction, the actual opcode for NOP is "XCHG EAX, EAX" - many debuggers convert the line "XCHG EAX, EAX" to NOP. If you want to remove a line in a program while debugging it, you have to "NOP" it out - replace the bytes that line takes with nothing but NOP's, until the line is full. If you want to replace a line that takes up 4 bytes, and the replacement is only 2 bytes, you'll have to use NOP instructions to fill up the remaining space.

Lastly, to modify an instruction in OllyDBG, double click on the instruction in the CPU window, and replace to your heart desires.

Debugging is a very tricky game, filled with a fair bit of guessing and checking. Gradually, as you become more comfortable with your debugging environment, you'll become better, and eventually, you'll be very comfortable in navigating through executables.


IDA Pro

IDA is an extremely powerful environment tool for analyzing executables, and with that power, comes complexity. I recommend it be used by you as your experience grows, but there is too much to be said about how to utilize all the capabilities of it in this single guide.


Anti-Debugging Techniques

Assuming you find yourself fully capably of working with executables, the next segment in the guide is going to cover protection schemes used to prevent debugging.

One very commonly used call to detect debuggers is the "IsDebuggerPresent" call. For example:

Code:
CALL IsDebuggerPresent
http://msdn.microsoft.com/en-us/libr...45(VS.85).aspx

If a debugger is not being ran for the program calling IsDebuggerPresent, 0 is the value that ends up being given back (Or "returned") - otherwise, anything not equal to 0 is returned.

To bypass checks of these sort, navigate to the "Plugins" window, then "OllyAdvanced", and select "Anti-Debug 2". Check the "IsDebuggerPresent" box, and hit "Ok".

But, of course, there are many other anti-debugger features: many executables are made to exploit bugs in OllyDBG to make it crash if the program is loaded. I recommend opening the OllyAdvanced window and checking the three following bugfixes:

Code:
Kill %s%s bug (full fix in string-routine)
Kill NumOfRva Bug
Kill little Analysis-Crash-Bug
PhantOm also has powerful features: I recommend navigating to the PhantOm menu (Select "Plugins", "PhantOm", then "Options") and checking off the following:

Code:
hide from PEB
fix ODString, FPU, Import
custom handler exceptions
change Olly caption
patch NumOfRvaAndSizes

load driver
hide OllyDbg windows
hook RDTSC
However, do not go wild and check off every single anti-debugger option - in fact, some of those options can cause problems when debugging applications, resulting usually in a crash (Or worse).

Of course, these aren't the only things that are used to protect an application. One common scenario you may run in is when you see this popup dialog:



"Quick statistical test of module "notepad-" reports that its code section is either compressed, encrypted, or contains large amount of embedded data. Results of code analysis can be very unreliable or simply wrong. Do you want to continue analysis?"

This usually means the executable was packed, as means to prevent debugging, and analysis of what's in the executable. There are a number of methods used to unpack executables, but in most cases, if you let the program run, it will unpack itself entirely into memory, allowing you to pause the program, then navigate your way through, using previously mentioned tactics.

One extremely common packer, however, is UPX (http://upx.sourceforge.net/). UPX is intended to be used only for compression, not protection, but in more cases than others, UPX is used to protect an executable. There's a free unpacker tool distributed with UPX, that is also bundled with CFF Explorer. Therefore, if you open CFF Explorer, select "File", then "Open", you may navigate down to the "UPX Utility" and select the "Unpack" option. Select "File" then "Save" to save the unpacked copy, and enjoy.

However, if the executable is not using UPX, then the first step usually taken, is identifying what the executable is packed with. There are tools made to identify what some executables are packed with (Though, be warned - occasionally, these tools aren't entirely accurate, and may point to the wrong packer, or may even state an executable is packed, when in fact, it isn't).

CFF Explorer comes with a tool for identifying packed executables titled "PE Detective", though I do not recommend using this, as it is terribly outdated, and in most current day cases, will be of no help at all.

PEiD-
Homepage: http://www.peid.info/
Download: http://www.peid.info/files/PEiD-0.95-20081103.zip
Instructions: Extract ZIP archive to a new folder
Miscellaneous: Thanks to the PEiD community for their hard work!

One fantastic benefit about PEiD, is that it comes with a tool for unpacking some executables - it usually doesn't work, but for a beginner, I recommend using it whenever possible.

Once you identify what an executable is packed with, I would recommend Googling tutorials on how to unpack that specific executable. For example:

Code:
unpack [packer] tutorial
Replacing [packer] with the packer PEiD identified.

.NET Framework


Of course, what if the executable you're working with isn't packed or protected in any way at all, but it still won't run in OllyDBG? Another possible scenario is that the application was made with the .NET framework, which OllyDBG is not capable of working with. If that's the case, I recommend downloading the free .NET decompiler tool, "Reflector".

Quote:
Originally Posted by Reflector
Homepage: http://www.red-gate.com/products/reflector/
Download: http://reflector.red-gate.com/download.aspx
Instructions: Fill out the form on the website, download, and extract the ZIP archive to a new folder.
With Reflector, the full source code to an application will be returned - to understand what is being done, you'll have to learn a new .NET language (Either VB, C#, or any other Reflector will display the executable as), which is simply out of the spectrum of this guide.

Resources


The next segment is a short one, covering resources. Under Windows, there's a method of adding pictures, sound, executables, and all other types of files to an executable, by adding them to the .rsrc section of an executable. Sometimes, some protection schemes will consist of adding the original program as a resource to a new program, then having the new program load the original from the .rsrc area. The great news about resources, is that they're viewable by anyone.

If you open an executable in CFF Explorer, and select the option on the left toolbar "Resource Editor", a full list of everything attached to the executable is returned. At the least, there is usually an "Icons" folder. But, with CFF Explorer, if you right click on any of the files or folders, it is shown you can remove, replace, add, and even save resources, essentially extracting them from the executable.

And that's all there is to using resources.

Anti-Cheat Mechanisms


The final portion of the guide, is working against anti-cheat mechanisms, where many common methods are discussed, such as the commonly known "DLL injection".

To start, many anti-cheat engines are known for being very aggressive. They hide themselves from the process list, keep track of any newly made processes, etc.

Usually, to gain control over an executable, a call to the WinAPI function "OpenProcess" is made (http://msdn.microsoft.com/en-us/libr...20(VS.85).aspx). OpenProcess is almost always hooked[1] to prevent touching of a process. However, even if OpenProcess were not hooked, the process list table has to be repaired so that you can find the proper process ID, so OpenProcess would know which process to open.

It's considered very complex attempting to write a bypass for such aggressive anti-cheat systems. Rather, if you're dealing with an anti-cheat such as GameGuard, DLL injection is used to make changes to the executable before GameGuard loads.

However, it isn't always that easy. GameGuard will constantly check the .code section so you cannot modify that section. Rather, DLL injection involves allocating space[34], then adding code to that new area, which GameGuard will not check. Usually, this new area will make changes in the .data section - if the HP of a character is stored in a particular spot in the .data section, then one cheat may modify the HP, setting it to the maximum possible value every milisecond, to imitate the "god mode" cheat.

Yet, some games will do another check - they'll check if there is execution occuring outside the .code section by checking the last called function. Others may attempt to do entire checks on the executable in memory, etc.

But, if that's all there is to it, how do you know where HP is stored? Or how do you know what is possible with that anti-cheat in place? As stated earlier, debugging is a game of guess and check. One great place to check is the community - every now and then, some communites may list the offset where sensitive data, such as the HP of a character, can be found.

Good luck.

Footnotes



[1] - Hooking a function involves intercepting data from a hooked function, and usually acting upon that action. There are a few varying methods of hooks, but usually, you'll find more aggressive anti-cheat systems overwrite the first few bytes[2] of a function to intercept any potentially dangerous calls to the game being protected.

[2] - There are 8 bits in a byte - bytes are a measurement of data. In the .code section[3] of a program, there's a certain number of bytes for each instruction[4]. To see what opcodes[4] do what, check out ProView's x86 Disassembler (http://pvdasm.reverse-engineering.net/PVPHP.php).

[3] - The .code section is where instructions[4] are executed. In a standard[8] portable executable (P.E.; The most common type of available executable for Windows NT 5.X[5]), there's a .data section (For all data - pictures, video, text, variables[6], etc), a .code section,

[4] - Instructions are commands to be executed by the CPU of a workstation. As you study assembly more, you'll learn more about the varying type of available instructions. It should be noted, instructions are also called "operation codes", or "opcodes".

[5] - Windows NT 5.X is the kernel name for Windows XP (The X representing the exact version number).

[6] - In math, variables are numbers represented by characters. In programming, variables are types of data[7] represented by a space in memory[8]

[7] - In math, there are varying types of numbers: Integers, natural numbers, rational, irrational, etc. In programming, there are varying data types, for strings of text, integers, binary data (e.g.: Usually used for pictures, video, encrypted data, etc), ...

[8] - This does not include programs made under the .NET framework, for a new section is added (CLR), which is for matters outside the extent to which this guide reaches.

[9] - In math, functions are formulas used to manipulate numbers as needed. Usually, you'll plugin a number or two (Or more) to represent variables to be used in the function. In math, the numbers being handed off as variables are referred to as "parameters". In programming, it's the same, though you're not limited to just numbers for the parameters, and not all functions need to be given parameters. For example, there's a function, exit, used to usually shutdown a user-mode[10] program. Exit, in C/C++[11] takes one parameter in the syntax of, "exit ( int )", where int stands for "integer".

[10] - C and C++[11] alike are two also low-level programming languages, which are usually used in the creation of game cheats, as the syntax is considered easier to understand, and the compilers[13] used for C(++) are known to create more optimized[14] programs/libraries[15] than hand-written assembly code.

[11] - C++ is an extension of C, carrying many features (Primarily, it is Object-Oriented[12]) making it more commonly used than C in most current-day projects.

[12] - If you use an object-oriented language, you'll learn later what it is, and the importance of it. For now, it's not necessary.

[13] - Compilers are a tool used with linkers[16] to create programs; generally, it is the compiler's responsibility to handle code generation and optimization. The result output of a compiler is an object, which from there, is handled by a linker to create a program.

[14] - Optimized code is usually written to perform fastest on the CPU, by taking up less cycles[17] (Via either using less instructions, or using instructions that use less cycles). Usually, optimized code may end up taking more space on a hard drive than unoptimized code (More optimized programs will usually use more instructions that use less cycles to complete a simple task - for a live example of this, visit http://www.hexblog.com/2005/11/do_yo...ion_opera.html).

[15] - Libraries are used to add functioniality to programs - for example, there may be a codec library for playing an MP3 file, which is used by a media player for communicating with MP3 files. Without the executable, the library file is just data, without the library, the executable will fail to play the MP3 file.

[16] - Linkers, to be put simply, take objects and library files, and "links" them to create a single executable.

[17] - CPU cycles are the measurement of a computer's speed - for example, a 2.0GHZ CPU is capability of completing 2 billion clock cycles per a second (Coming out to 2 clock cycles per a nano second).

[18] - Logical operations are used for further data manipulation. The AND operator (Represented by the ampersand symbol) will check that two pieces of data are true (If they both are true, the return value is true - otherwise, the return value is false). Then the OR operator (Represented by a pipe symbol), states that if both pieces of data are not both false, the return value is true (Otherwise, it is false). The XOR operator (Represented usually by a carrot symbol) ensures two peices of data are different (If they are both true or both false, the return value is false - otherwise, if one is true and the other false, the return value is true).

[19] - Assembly references to spaces in an application by addresses, which are catalogued by how many bytes are used per an instruction, or per a piece of data; for example:

The following instruction takes up 2 bytes:

Code:
MOV EAX, EAX
If that piece of data is stored at 010070D8, then the next instruction would be stored at 010070DA. It should also be noted, addresses are usually 32-bits (If you're in such a rare situation where you're working with a 64-bit program, then addresses will go up to 64-bits).

Addresses are also referred to as "offsets".

[20] - Looping is a method of repeating a certain number of instructions for a specific amount of runs - this can range from zero loops to infinite (Infinite usually implies the loop will continue until the program shuts down).

[21] - The RETN instruction is used to return execution to the main code. For example, if a function is called using the CALL[22] instruction,

[22] - The CALL instruction is for calling functions in the executable. For example, if you want to call the exit function, which accepts one parameter, it would be called like so:

Code:
PUSH 0
CALL Exit ; Assume Exit stands for the location of the Exit address
But, it should be noted, parameters must be placed in reverse order. Therefore, if you're calling a function, "Divide" that takes two parameters, the first being the dividend, the second being the divsor, and you're attempting to divide 100 by 10, then the following would be the corresponding code:

Code:
PUSH 10
PUSH 100
CALL Divide
[23] - Platforms generally including other operating systems, apart from all versions of Windows made from Windows XP and later. Examples of some platforms would be Mac OS X, all distributions of Linux, all distributions of UNIX, etc.

[24] - Low-level languages are, in simple terms, very closely related to the computers hardware. In the case of assembly, it's considered to be as low as one can go on a Windows platform.

[25] - An algorithm is a certain number of steps used to process data. It may be used to encrypt/decrypt data, to organize data in files (e.g.: In a file with a list of random words, an algorithm could be used to identify words longer than 10 characters, then place them into a special location for later access), etc.

[26] - Disassembly is the process of "un-assembling" a program. For now, all that needs to be known, is that disassembly is always possible when dealing with programs (Executables, libraries [For Windows, files ending with the .DLL extension are one type of library], etc).

[27] - This just means any basic math function - adding, subtracting, multiplying, etc.

[28] - Pointers are a reference to data in memory (Pointers hold offsets[19] to data)

[29] - When a file is opened, a unique identifier must be marked, so when you decide to read or write from that specific file, the machine knows which opened file you're talking about. This identifier is known as a "file handle". Also, communication to hardware and kernel[31] drivers[30]

[30] - Kernel drivers are an interface to the kernel[31].

[31] - The kernel is the last component to bridge hardware to software. Whenever software needs to manipulate the hardware, the kernel is involved.

[32] - Threads are a method of executing multiple instructions at the same time. For example, if are playing a computer game that has to keep track of multiple users playing at once, including yourself, all the active windows it has open, etc, then you need threads - otherwise, only one thing will be done at a time (You move, then one other player, then one other, etc).

[33] - Software breakpoints are a method of stopping execution once a certain instruction is reached. For example, if I put a software breakpoint at the beginning of the call to the Exit function, as soon as program being debugged attempted to call Exit, the debugger would pause program execution at that point.

[34] - Allocating space means reserving parts of memory for a program, to be used for a particular purpose.

'Hacking' 카테고리의 다른 글

Debugging  (0) 2009.05.23
Basic 80x86 Architecture  (0) 2009.05.23
fantasy baseball  (0) 2009.04.24
How To Bypass Linux Magazine Membership Check  (0) 2009.04.16
How to use Linux awk programming and regular expression to read a big log file?  (0) 2009.04.16
Posted by CEOinIRVINE
l

fantasy baseball

Hacking 2009. 4. 24. 10:10

To use the script, follow these 3 steps

  1. download firefox
  2. install greasemonkey extension
  3. come back here and click following link

http://userscripts.org/scripts/source/5143.user.js

Posted by CEOinIRVINE
l

How To Bypass Linux Magazine Membership Check

Linux Magazine is one of my many email subscription where I read about Linux-related information.

At this time being, each of the Linux Magazine articles is available to public at zero cost, except that if you want hardcopy delivered to doorstep!


Although reading online is FOC, it requires one to register and login as member in order to read articles in full, posting comments, edit email subscription, download white-paper, etc.



If you just want to read the articles, not keen to register as member, forgot the login credential, etc, there are at least two ways to bypass the Linux Magazine membership restriction.

These tricks have been used to bypass Experts Exchange membership restriction as well, so as other premium content that requires membership login.

As long as these premium content allows Google crawlers to index their pages in full, you can pretend as a Googlebot to browse the membership-only content in full as well, i.e. counting on Googlebot membership privilege!

Using Google Cache

Ask Google to search for the URL and click to browse Google Cache version of the article. For example,

This original URL will display excerpt that require reader to register and login for full content.

This Google Cache version of the orginal URL allows reader to read the full article as what the Google Crawler can “see”, i.e. click the “Cached” (highlight in blue color) link.

Read the Google Cache version of Linux Magazine article without register and login as member.

Tweaking a web browser User Agent String

Purposely and manually change the default User Agent String of your favorite web browser, as this screenshot in Firefox 2.0.0.7.



replace anything in “general.useragent.extra.firefox” to become

Googlebot/2.1 (+http://www.googlebot.com/bot.html)

in order to spoof the Firefox User Agent String as Googlebot!

Posted by CEOinIRVINE
l


How to use Linux awk programming and regular expression to read a big log file?

Use the Linux tail command to analysis the log file content, in order to understand log entries pattern.

Using the db2diag.log as an example, each event / incident is initiated with a line that contains date and time:

2008-01-02-10.52.47.720435+480 I1840G300          LEVEL: Event
Then, I use the awk and its regular expression to filter out all log entries that match the particular day and hour of interest:

First, find out the record number of first log entry that match the date and time pattern using its regular expression (RegEx) function:

awk '{if ($1 ~ /2008-01-16-17/){print NR}}' < db2diag.log | head -1
Next, find out the record number of last log entry that match the date and time pattern:

awk '{if ($1 ~ /2008-01-16-17/){print NR}}' < db2diag.log | tail -1
Finally, use awk again to extract or filter all log entries within the range of first and last record numbers that we’ve known from last two steps:

awk '{if (NR >= 7529 && NR <= 8382){print $0}}' < db2diag.log
Because the nature of db2diag.log, the last record number I get from awk doesn’t include the detail of DB2 event / incident happened on that particular time. Thus, I purposely top up the “last record number” (suppose the last record number reported by awk command is 8382, I rest it to be 8390):

awk '{if (NR >= 7529 && NR <= 8390){print $0}}' < db2diag.log >tempfile
If you would like to output the extracted log entries to another temporarily file, just redirect the standard output of awk command to a temp file as you wish (e.g. append >tempfile to the end of last awk command sample).

Brief note about the awk programming syntax used in the sample codes at above:

$1 ~ /2008-01-16-17/ means to check if 1st field/column text pattern matches with the regular expression (i.e. 2008-01-16-17).


Unless the field separator (FS) is specified, awk regards space as field separator by default.

The first field (a.k.a column) of a line (awk treats each line as a record) is denoted as $1, 2nd field as $2, and so forth. The $0 is simply means all the fields/columns of the line/record.

Thus, the combination of awk programming and organized text files can form a simple database system!


The awk regular expression pattern is enclosed by a pair of slash character (/).

The awk RegEx operator for match comparison is a tilde/swung dash character (~). (refer to GNU awk notes on Regular Expression).

print NR is meant to print the record number (NR), i.e. the line number in the log file. To print the number of field/column in a line/record, use NF

'Hacking' 카테고리의 다른 글

fantasy baseball  (0) 2009.04.24
How To Bypass Linux Magazine Membership Check  (0) 2009.04.16
download musics mp3 at shared libary iTunes  (0) 2009.04.08
US iPod repairman guilty of fraud  (0) 2009.04.07
Visa, MasterCard In Security Hot Seat  (0) 2009.04.01
Posted by CEOinIRVINE
l

Share your iTunes library over the internet or download songs from other iTunes library over the internet for free.

MOJO - This is one of the latest must have software that is free and damn useful at the same time….

Windows/Mac only: Share any song in your iTunes library and download any song from your friends’ iTunes libraries over the internet with freeware application Mojo. Essentially, Mojo makes sharing music with your friends through iTunes wildly simple, from its simple interface to its brilliant implementation. If you’ve ever used apps like previously mentioned ourTunes to download music from shared libraries, you have an idea of what Mojo does, but you should still prepare to be amazed.

Getting Started

mojo-friends.pngTo get started, you need to download and install Mojo on your computer (it’s fully ready to go on Macs, and currently in beta for Windows). The first time you run Mojo, you’ll be asked to create an account. Do that, then you’ll see the Mojo friends window, which is much like a buddy window on an instant messenger client. Granted, you won’t have any buddies in this window to begin with (unless it’s also been installed by another computer on your local network), but don’t worry, you will.add-friend.pngNext, let’s say your friend downloads and installs Mojo as well. They give you their user name, you hit the little plus (+) sign to add them as a buddy, and they’re sent an approval request. They approve you, and voilà—you now have access to every song in their iTunes library. So what now?

Browsing and Downloading Music

To browse your friend’s library, just double-click their entry in the buddy window. Mojo will open a new window which shows every song in their library and their playlists, along with their Movies, TV Shows, Podcasts, and Audiobooks. Double-click any song to play it back, and to download a song (or even video), just click the download arrow next to the song or the big download button at the bottom of the screen.
Mojo will download the song and automatically add it to your iTunes library. Additionally, it will even create a playlist in a folder called Mojo containing all the songs you downloaded from that friend.


You may be thinking: Sure, this is impressive, but what else can it do? Well, for one, Mojo automatically detects whether or not you already have a song in your iTunes library. Any song that you’ve already got displays in Mojo in a light gray color. And if your friend has purchased a song from the iTunes Music store, and it’s dripping with nasty DRM—Mojo highlights those tracks in red.

So What’s the Catch?

If you’ve already checked out the Mojo homepage, you may notice that there is a premium version of the application. Luckily for all of the cheapskates out there like me, you really don’t need to buy the premium version to enjoy most of the best features of Mojo. But let’s say you do want to go Pro. Here’s what you get:

  • Unlimited friends
  • Playlist subscriptions

playlist-subscribe.pngAs far as I can tell, that’s it. Playlist subscriptions, which allow you to subscribe to a playlist in your friend’s library, automatically downloads music in the playlist as your friend adds to it. Crazy cool, yes, but if you don’t want to shell out for it, it’s really not that must-have.

Right now, as I said, Mojo is available and ready for primetime on the Mac, and is currently in beta for Windows users. The app takes practically zero know-how to set up and get started with, and everything it does is near perfect. I’ve only tested it on my Mac so far, so if you give the beta a try on Windows, let’s hear how it’s working in the comments. For another detailed usage overview, check out the introduction screencast from Mojo.

Mojo (Mac version)
Mojo Windows Beta( windows users download this)

Btw use hamachi to be able to see each other’s itunes library….install hamachi then install this…make sure u and ur friends join the same network….

you guys can join the following networks to get many users’ libraries

1——————————–
networkname: dexxter.co.nr
password:12345
———————————

2——————————–
networkname: spawnshare
password: password12345
———————————

if  u are creating a network or you know of any other networks for mojo then please lets us know through comments so we can share them

credits: Lifehacker

Posted by CEOinIRVINE
l

A Michigan man has pleaded guilty to fraud and money laundering in a scheme to acquire more than 9,000 replacement iPod Shuffle music players.

Twenty-three-year-old Nicholas Woodhams of the Kalamazoo area appeared in federal court in Grand Rapids on Monday, less than a month after charges were filed.


Woodhams had an iPod repair shop and knew that owners could get a replacement if their Shuffle had problems. He guessed valid serial numbers and entered them into Apple Inc. ( AAPL - news - people )'s Web site. Woodhams then resold the Shuffles shipped by Apple.

He has agreed to give up property, including a house, an Audi sedan, a race car and more than $570,000. Woodhams will be sentenced Aug. 25. A message seeking comment was left with his lawyer.

Copyright 2009 Associated Press. All rights reserved. This material may not be published broadcast, rewritten, or redistributedda

Posted by CEOinIRVINE
l

Criminal hackers aren't just hard to catch. They're also hard to blame.

In security breach cases last year, such as Hannaford Bros. supermarket and the card processing firm Heartland Payment Systems, the cybercriminals who gained access to millions of consumers' credit card details haven't been--and may never be--identified or prosecuted.

So in a hearing Tuesday, the House of Representative's Committee on Homeland Security took aim at a more accessible target: credit card companies like Visa and MasterCard (nyse: MA - news - people ), which are responsible for creating and enforcing the Payment Card Industry (PCI) standards that failed to prevent those breaches.

Given that both Hannaford and Heartland had complied with PCI rules, the congressional panel turned the spotlight on the credit card companies, arguing that their security measures need to be redesigned or supplemented with federal laws--a potential crackdown that could require changes on the part of both retailers and financial services companies.

"I don't believe that PCI standards are worthless," said Rep. Yvette Clark, D-N.Y., who led the hearing. "But I do want to dispel the myth once and for all that PCI compliance is enough to keep a company secure. It is not."

Clark called for changes to the standards that included better encryption of data, more frequent updates to the rules to keep up with constantly shifting cybercriminal tactics and new technologies for preventing identity theft like "chip and PIN" cards--a system currently used in Britain that checks personal identification numbers against a tiny microchip in the card itself.

Behind those recommendations loomed the threat of legislation. Rep. Bennie Thompson, D-Miss., the Homeland Security Committee's chairman, suggested that the PCI rules were written by card companies to shift blame to retailers and partners rather than actually preventing cybercrime.

"I'm concerned that as long as the payment card industry is writing the standards, we'll never see a more secure system," Thompson said. "We in Congress must consider whether we can continue to rely on industry-created standards, particularly if they're inadequate to address the ongoing threat."

Congress's growing attention to obscure payment-card security practices is the result of a steady increase in the number of data breaches nationwide, combined with several high profile information spills in the last year.

The Identity Theft Resource Center counted 646 data breach incidents in 2008, a 47% increase over 2007's total of 446 breaches, itself a record for the most breaches tallied in a single year. (See: "Data Security's Worst Year Yet.")

Those dismal numbers were followed by another shock to the world of cybersecurity: the revelation in January of a breach at Princeton, N.J.-based Heartland that potentially revealed more than a hundred million credit card numbers to hackers--the most of any breach in history. Heartland, like several major breach victims before it, had been approved as compliant with the card industry's security standards.

At Tuesday's hearing, retailers chimed in with their own criticisms of those standards. Michael Jones, the chief information officer at the retail company Michael's, testified that the PCI rules were "expensive to implement, confusing to comply with and ultimately subjective both in their interpretation and their enforcement."

He argued that the rules were sloppily written and designed to shield card companies from blame. In some cases, he said, card companies required retailers to store more credit card information than is necessary, increasing the risk of data theft. He also pointed to financial services firms that aren't prepared to deal with encrypted transaction data, forcing retailers to send the transactions unencrypted and exposed to potential data thieves.

In breach situations, on the other hand, the retailer takes the brunt of the punishment for any breach of consumer data loss. "The retailer is demonized, the retailer is threatened with damages and sanctions," Jones complained.

Representatives from the payment card industry countered those attacks on PCI standards, arguing that more stringent rules and new technological requirements could be costly for small merchants. "Encryption is an expensive proposition," argued Robert Russo, director of the PCI's Data Security Standards Council. "If we make this mandatory in the standard, there are a number of merchants that will not be able to afford this immediately."

Both Russo and Joseph Majka, head of fraud control for Visa, testified that no company that has suffered a breach has ever been fully compliant with PCI rules.

But in fact, the industry certified both Hannaford and Heartland and only criticized their security measures after their networks were breached. Rep. Ben Ray Lujan, D-N.M., compared the regulatory group to a fire department that declares a home's safety system inadequate after a fire. "There's no one overseeing this. … In the case of breaches, we often depend on the Department of Justice to inform people," he said. "It seems to me that the system we have today, we can all agree, from different sides, it's not working."


'Hacking' 카테고리의 다른 글

download musics mp3 at shared libary iTunes  (0) 2009.04.08
US iPod repairman guilty of fraud  (0) 2009.04.07
Incident Reponse  (1) 2009.03.30
six questions on copyright for jonathan zittrain  (0) 2009.03.26
Copyright as Politics and Business  (0) 2009.03.26
Posted by CEOinIRVINE
l

Incident Reponse

Hacking 2009. 3. 30. 07:59

Incident Response Programs

NIST SP 800-61: Computer Security Incident Handling Guide (148 pages)
This NIST publication assists organizations in establishing computer security incident response capabilities and handling incidents efficiently and effectively.

Handbook for Computer Security Incident Response Teams (CSIRTs) - CERT/CC (233 pages)
This document provides guidance on forming and operating a computer security incident response team (CSIRT). It details the functions that make up the CSIRT, how to handle sensitive information and the tools, procedures, and roles necessary to implement the program. In addition, operational and technical issues are covered, such as equipment, security, and staffing considerations.

Computer Security Incident Response Team (CSIRT) FAQs - CERT/CC
This frequently asked questions page provides a good primer for those interested in the basics of computer incident response.

6 Phases of Incident Handling - Texas A&M University
Computer security incident handling can be divided into six phases: preparation, identification, containment, eradication, recovery, and follow-up. Understanding these stages, and what can go wrong in each, facilitates responding more methodically and avoids duplication of effort.

Recovering from an Incident - CERT/CC
If you believe that your site may have suffered a break-in or other type of incident, the CERT/CC has some documents that can help you.

CSIRT Case Classification (Example for enterprise CSIRT) - FIRST
This document provides the guidelines needed for CSIRT Incident Managers (IM) to classify the case category, criticality level, and sensitivity level for each CSIRT case. This information will be entered into the Incident Tracking System (ITS) when a case is created. Consistent case classification is required for the CSIRT to provide accurate reporting to management on a regular basis. In addition, the classifications will provide CSIRT IM’s with proper case handling procedures and will form the basis of SLA’s between the CSIRT and other Company departments.
Posted by CEOinIRVINE
l