WTF *Nix

Just another *nix Blog

Archive for the ‘Microsoft’ Category

Calculating Offsets

Dec-30-2009 By WTF *Nix

OK, back from a tiny little break… :)

This quickie tutorial is more of a tip than a tutorial. It just explains how to calculate the offsets for jumps and calls within the program you are patching. (I didn't say cracking.)

Types of Jumps/Calls

Here I will just describe the different types of jumps and calls you will come across:

Short Jumps

Short jumps, conditional or unconditional, are 2 bytes long (or 1 nibble if you're Californian ;-) though a nibble is really 4 bits): one opcode byte followed by a signed 8-bit displacement. The displacement is relative to the first byte after the two bytes of the jump. Using a short jump you can reach a maximum of 127 bytes forward or 128 bytes backwards from that address.

Long Jumps

Long (near) jumps, if they are relative, are 6 bytes long for conditional jumps and 5 bytes long for unconditional jumps. For conditional jumps 2 bytes (0F followed by the condition byte) identify it as a long jump and which condition it tests (je, jg, jns etc). The other 4 bytes are a signed 32-bit displacement giving how far away the target location is relative to the first byte after the jump. In an unconditional jump only 1 byte (E9) identifies it as a long unconditional jump and the other 4 are the displacement to its target, as with the conditional jumps.

Calls

There are two different types of calls which we will use. The normal type of call (E8) works the same as the long jumps in that its operand is relative to its current position. The other type (FF /2) gives a reference to a memory location, register or stack position which holds the address it will call. The address held by the latter is direct (absolute), e.g. the memory location referenced may contain 401036h, which would be the exact address you would call, not relative to the position of the call. The size of these indirect calls depends on the addressing mode used in the operand, e.g. 'call dword ptr [eax + edx*4 + 2]' needs a ModRM byte, a SIB byte and a displacement byte on top of the opcode. (Note that x86 cannot multiply two registers in an address; the index register may only be scaled by 1, 2, 4 or 8.) Long jumps can also be made using this method (FF /4), but I didn't say that earlier to avoid repetition.

Tables

Here is a brief list of all the different types of jumps/calls and their op-codes. Where different mnemonics have the same op-codes I have grouped them. In the table, xx stands for the displacement bytes: one signed byte (rel8) for the short form, four bytes (rel32, written least significant byte first) for the long form, both relative to the first byte after the instruction. The relative call only exists in the 5-byte E8 form, so it sits in the long column.

(I'm making this as pretty as possible for you below, because wordpress tables suck in this theme)

Jump          Description                    Short Op-Code   Long Op-Code
call          procedure call                 N/A             E8 xx xx xx xx
jmp           unconditional jump             EB xx           E9 xx xx xx xx
ja/jnbe       jump if above                  77 xx           0F 87 xx xx xx xx
jae/jnb/jnc   jump if above or equal         73 xx           0F 83 xx xx xx xx
jb/jc/jnae    jump if below                  72 xx           0F 82 xx xx xx xx
jbe/jna       jump if below or equal         76 xx           0F 86 xx xx xx xx
jcxz/jecxz    jump if cx/ecx equals zero     E3 xx           N/A
je/jz         jump if equal/zero             74 xx           0F 84 xx xx xx xx
jne/jnz       jump if not equal/zero         75 xx           0F 85 xx xx xx xx
jg/jnle       jump if greater                7F xx           0F 8F xx xx xx xx
jge/jnl       jump if greater or equal       7D xx           0F 8D xx xx xx xx
jl/jnge       jump if less                   7C xx           0F 8C xx xx xx xx
jle/jng       jump if less or equal          7E xx           0F 8E xx xx xx xx
jno           jump if not overflow           71 xx           0F 81 xx xx xx xx
jnp/jpo       jump if no parity/parity odd   7B xx           0F 8B xx xx xx xx
jns           jump if not sign               79 xx           0F 89 xx xx xx xx
jo            jump if overflow               70 xx           0F 80 xx xx xx xx
jp/jpe        jump if parity/parity even     7A xx           0F 8A xx xx xx xx
js            jump if sign                   78 xx           0F 88 xx xx xx xx

Calculating Offsets (finding the xx's in the table)

You will need to be able to calculate offsets when you add jumps and make calls within, and to, the code you have added. If you choose to do this by hand instead of using a tool, here are the basics:

For jumps and calls to locations further on in memory than your current position, take the address you want to jump/call to and subtract from it the address of the next instruction after your call/jump, i.e.:

(target mem address) - (mem address of next instruction after call/jump)

Example

If we wanted to jump to 4020d0 and the next instruction *after* the jump is at 401093 then we would use the following calculation:

4020d0 - 401093 = 103d

We then write the jump instruction in hex as e93d100000, where e9 is the op-code for a long relative jump and 3d100000 is the result of our calculation expanded to dword size and written least significant byte first (little-endian), i.e. 0000103d reversed byte by byte.

For jumps and calls to locations *before* the current location in memory the subtraction above comes out negative, and you need it as a 32-bit two's complement value. One way to get that without juggling negative numbers on a calculator is to subtract the target address from the address of the next instruction after your call/jump, subtract 1, and finally perform a logical NOT on the result, i.e.

NOT(mem address of next instruction - target mem address - 1)

This gives exactly the same dword as (target - next instruction) would in 32-bit arithmetic, because NOT x is -x - 1 in two's complement. So the rule is really the same in both directions; the NOT form is just the convenient way to do it by hand.

Example

If we wanted to call location 401184 and the address of the next instruction after the call is 402190 then we do the following calculation:

NOT(402190 - 401184 - 1) = NOT(100b) = ffffeff4

We can then write our call instruction in hex as e8f4efffff, where e8 is the op-code for a relative call and f4efffff is the result of the calculation written least significant byte first.

If you want to practice with different examples then the best way is to use a disassembler like W32Dasm or OllyDbg, which shows you the op-codes next to each instruction, and try to work out the results yourself. Also, as an end note, you don't have to perform these calculations at all if you have enough room to turn your jump or call into an absolute one, as represented in assembler below. The pair costs 7 bytes (B8 imm32 for the mov, then FF D0 for call eax or FF E0 for jmp eax) and clobbers eax, so only use it where eax is dead at that point:

mov eax, 4020d0

call eax (or jmp eax)
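As an added example (this is not code from the original post), here is the calculation from this section as a small Python helper. It encodes the two examples above, shows that the NOT recipe for backward targets is the same subtraction done in 32-bit two's complement, checks the rel8 range for short jumps, and patches a conditional long jump into an unconditional one inside a constructed byte buffer. The instruction addresses 0x40108e and 0x40218b are chosen so that the "next instruction" falls on the post's values; the buffer contents are made up.

```python
# Added example, not code from the original post: compute x86 relative
# displacements and emit the encoded jump/call bytes.  Sample addresses are
# the post's own; the instruction addresses (0x40108e, 0x40218b) are chosen
# so that "next instruction" lands on the post's values.
import struct

# Long (near) relative forms from the post's table.
NEAR_OPCODE = {"call": b"\xe8", "jmp": b"\xe9"}
# Short conditional opcode byte; the long form is 0F followed by (byte + 0x10).
SHORT_COND = {
    "jo": 0x70, "jno": 0x71, "jb": 0x72, "jae": 0x73, "je": 0x74, "jne": 0x75,
    "jbe": 0x76, "ja": 0x77, "js": 0x78, "jns": 0x79, "jp": 0x7a, "jnp": 0x7b,
    "jl": 0x7c, "jge": 0x7d, "jle": 0x7e, "jg": 0x7f,
}

def rel32(target, next_insn):
    """Displacement relative to the first byte after the instruction, as an unsigned dword."""
    return (target - next_insn) & 0xffffffff

def rel32_via_not(target, next_insn):
    """The post's recipe for backward targets: NOT(next - target - 1), masked to 32 bits.
    It equals rel32(): in two's complement ~x == -x - 1, so ~(n - t - 1) == t - n."""
    return ~(next_insn - target - 1) & 0xffffffff

def encode_near(mnemonic, insn_addr, target):
    """E8/E9 rel32 (5 bytes) or 0F 8x rel32 (6 bytes) placed at insn_addr."""
    opcode = NEAR_OPCODE.get(mnemonic) or bytes([0x0f, SHORT_COND[mnemonic] + 0x10])
    next_insn = insn_addr + len(opcode) + 4          # displacement is relative to this
    return opcode + struct.pack("<I", rel32(target, next_insn))   # little-endian dword

def short_reach(insn_addr, target):
    """Signed rel8 displacement for a 2-byte jump at insn_addr, or None if out of range."""
    disp = target - (insn_addr + 2)
    return disp if -128 <= disp <= 127 else None

def encode_short(mnemonic, insn_addr, target):
    """EB xx / 7x xx (2 bytes); raises if the target is more than 127 forward / 128 back."""
    disp = short_reach(insn_addr, target)
    if disp is None:
        raise ValueError(f"{mnemonic} at {insn_addr:#x} cannot reach {target:#x} with rel8")
    opcode = 0xeb if mnemonic == "jmp" else SHORT_COND[mnemonic]
    return bytes([opcode]) + struct.pack("<b", disp)

def patch(image, image_base, insn_addr, new_bytes, old_len):
    """Overwrite the old_len-byte instruction at insn_addr inside image (a bytearray
    loaded at image_base).  A shorter replacement is padded with NOPs (0x90) so the
    following instruction keeps its address.  Returns the image for chaining."""
    if len(new_bytes) > old_len:
        raise ValueError("replacement is longer than the instruction it overwrites")
    off = insn_addr - image_base
    image[off:off + old_len] = new_bytes + b"\x90" * (old_len - len(new_bytes))
    return image

if __name__ == "__main__":
    # jmp at 0x40108e -> next instruction 0x401093, target 0x4020d0 (the post's first example)
    print(encode_near("jmp", 0x40108e, 0x4020d0).hex())   # e93d100000
    # call at 0x40218b -> next instruction 0x402190, target 0x401184 (the post's second example)
    print(encode_near("call", 0x40218b, 0x401184).hex())  # e8f4efffff
    # Constructed 6-byte "je 0x401100" at 0x401000, patched to an unconditional jmp:
    # the jmp is one byte shorter, so its displacement is one larger and a NOP pads the tail.
    code = bytearray.fromhex("0f84fa000000")
    print(patch(code, 0x401000, 0x401000, encode_near("jmp", 0x401000, 0x401100), 6).hex())  # e9fb00000090
```

The patch case is the one people get wrong by hand: the displacement is measured from the end of the instruction you are writing, not the one you are replacing, so a 6-byte je turned into a 5-byte jmp at the same address needs a displacement one larger plus a NOP to keep the following instruction where the disassembler showed it.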

Final Note

WTF Get'r Done, and make life easier and use a program to do this, hence OllyDbg ;-)


I'm starting to see a trend here; it seems their MW on MyCrackedSpace (MySpace) is running way smoother than it is on Crackbook (Facebook)...

The trend I'm talking about can be seen in the times for a Scheduled Maintenance on both:

30 minutes for MySpace

3 hours for Facebook

This goes to show you this is a bit out of whack on FB, for FB has been having some serious @#$ked up issues with the Developer API; I just fixed an app for a client of mine last week to counter Facebook's developer HAVOC. (freaking nightmare)

Long story short, it seems FB is putting pressure on all the larger apps out there over security and privacy issues. Let's just hope and pray that Zynga can pull out of this one, because they are facing lots of obstacles here which seem to be broken on the FB side of things...

Also, we all know that Zynga's server responses are slow, which is one thing on Zynga's end, and which I can understand when you grow so fast and have no more room to grow... You scurry and make mistakes as you are scurrying... WITHOUT QA and a proper testing team in place, you will encounter bugs galore!!!

All the power to Zynga for trying to fix their issues; my hat's off to them once they do! So I take back my remarks against Zynga on this issue they are facing. It's more than you can even write in "layman's terms."

So WTF get’r done!!!!


Microsoft Certification 101

Oct-21-2009 By WTF *Nix

In the current job market, Microsoft certifications cover one of the richest and most varied spectrums of job roles and responsibilities. They are embraced by industry professionals worldwide because earning a specific credential provides objective validation of the holder's ability to perform critical IT functions in a wide range of companies and industries.

Microsoft certification is an effective way to reach long-term IT career goals, and at the same time a useful tool for companies to develop and retain valuable IT professionals.

The following certifications are aimed at network administrators, network engineers, systems administrators, IT engineers, information systems administrators, network technicians, technical support specialists and other IT professionals currently working in the complex computing environments of medium-to-large organizations.

- MCSE (Microsoft Certified Systems Engineer) certification

A Microsoft Certified Systems Engineer credential qualifies an IT professional to plan, implement, maintain, and support information systems in diverse computing environments using both Windows Server 2003 and the Microsoft .NET integrated family of server products.

The prerequisite is completion of Network+ or documentation of equivalent experience: at least one year on Windows Server 2003 implementing and administering a network operating system.

- MCAD (Microsoft Certified Application Developer) certification

The Microsoft Certified Application Developer (MCAD) credential provides industry recognition to professional developers who build applications using Microsoft Visual Studio. An MCAD candidate should have experience equivalent to one or two years of building, deploying, and maintaining applications.

This certification is designed for individuals who intend to develop Windows-based applications using Microsoft Visual Basic .NET and Microsoft ASP.NET, and for those interested in developing XML Web services-based solutions.

- MCSD (Microsoft Certified Solution Developer) certification

The Microsoft Certified Solution Developer (MCSD) for Microsoft .NET credential is the top-level certification for advanced developers. It builds on the MCAD for Microsoft .NET exams and expects two years of experience developing and maintaining solutions and applications.

It is aimed at the professional who designs and develops leading-edge enterprise solutions using Microsoft development tools and technologies, including .NET, and validates the knowledge and skills needed to be recognized as an expert with Microsoft products and technologies.

- MCSA (Microsoft Certified Systems Administrator) certification

The Microsoft Certified Systems Administrator (MCSA) credential validates the skills to manage, implement, and troubleshoot Windows Server 2003-based operating environments.

This certification requires completion of Network+ or documentation of equivalent experience as a prerequisite.

- MCT (Microsoft Certified Trainer)

Microsoft Certified Trainers (MCTs) are technical and instructional experts in Microsoft technologies, products, and solutions. Microsoft Learning Solutions partners are required to use an MCT when delivering training using Microsoft Business Solutions courses or official Microsoft Learning products.



Why zdnet readers are such asses

May-5-2009 By WTF *Nix

I for one don't condone going on and bashing an Author, but I would love to point out: hey, why not post the remedy instead of just posting "this is not a secure app, it's vulnerable"? Well, take this for instance:

Five ‘must-secure’ Web app vulnerabilities

http://blogs.zdnet.com/security/?p=3268

Security holes in the Apache Geronimo Application Server and SAP cFolders headline a list of five serious Web app vulnerabilities that demand immediate attention.

According to Mark Painter from the HP Security Laboratory, the Geronimo flaws expose users to a variety of attack vectors that could lead to the theft of sensitive information and cookie-based authentication credentials. Here’s the top-five list from this past week:

1. Apache Geronimo Application Server

The free, open-source Apache Geronimo Application Server 2.1 through 2.1.3 is prone to multiple remote vulnerabilities.

  • Multiple directory traversal vulnerabilities (see advisory)
  • A cross-site scripting vulnerability (see advisory)
  • Multiple HTML-injection vulnerabilities
  • A cross-site request-forgery vulnerability (see advisory)

It’s important to note that attackers can exploit these issues to obtain sensitive information, upload arbitrary files, execute arbitrary script code, steal cookie-based authentication credentials, and perform certain administrative actions.

2. SAP cFolders

SAP cFolders is vulnerable to several cross-site scripting and HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data. Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.

3. CS Whois Lookup

CS Whois Lookup is prone to a remote command-execution vulnerability because the software fails to adequately sanitize user-supplied input. Successful attacks can compromise the affected software and possibly the computer.

An attacker can exploit this issue using a browser. The following example URI is available.

There are no patches available yet. Contact CS Whois Lookup for information.

4. phpMyAdmin

There is a remote PHP code-injection vulnerability (PMASA-2009-4) affecting phpMyAdmin.

An attacker can exploit this issue to inject and execute arbitrary malicious PHP code in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.

This issue affects phpMyAdmin 3.x (prior to 3.1.3.2). Attackers can exploit this issue via a browser. Patches are available.

5. Novell Teaming

A user-enumeration weakness and multiple cross-site scripting vulnerabilities expose users of Novell Teaming to a range of attack scenarios.

  • A remote attacker can exploit the user-enumeration weakness to enumerate valid usernames and then perform brute-force attacks; other attacks are also possible.
  • The attacker may leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

To exploit the cross-site scripting issue, the attacker must entice an unsuspecting victim to follow a malicious URI. The following example URI is available.

Novell Teaming 1.0.3 is vulnerable; other versions may also be affected.

As you see above, this guy works for Kaspersky Lab, great Author and all, but still it kind of makes you wonder who you have behind the scenes at these sorts of joints such as Norton and etc...

Well, if you read here, this was my answer:

RE: Five ‘must-secure’ Web app vulnerabilities
The number one golden rule of keeping your whole box secure for this is??? Don't run it as a privileged user... that's what useradd is good for.

To note, why post just on five 'must-secure' without posting how to secure them? It's pointless for an end-reader who is new to the world of securing their apps. So here, for example, is how to secure your phpMyAdmin, simply and effectively, by adding a couple of lines to its Apache module conf file (Apache 2.2 syntax, inside the <Directory> block for the phpMyAdmin install):

<Directory /usr/share/phpMyAdmin>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Allow from 192.168.0.90
</Directory>

192.168.0.90 is the workstation here that I'm at writing this reply; that and localhost on the server are the ONLY ones allowed to use phpMyAdmin, everyone else will be denied.

Alias /phpMyAdmin /usr/share/phpMyAdmin
Alias /phpmyadmin /usr/share/phpMyAdmin

Normally, by default when installing phpMyAdmin, you create an Alias for how it should be called; well, I would make it more secure by changing the name, like so:

Alias /fuhaX0rz /usr/share/phpMyAdmin

However, it's totally up to you what you want, but the first one, allowing access to the phpMyAdmin area by IP address, is ample enough. Simple 1 minute fix, and any haX0r out there can run his bot day and night trying to get to this directory.

The rest is simple; a guy only has to go and use google.com to fix the rest. I'm not the author of the blog, but if you post something about security and how to secure the apps, I would highly recommend that the end-user (reader) have a how-to to fix them...

Moral of it all is this: don't post something with bottom lines saying "no patches are available", "patches are available" and etc... I for one don't care to see this kind of stuff; you just gave 50% away, now give the other 50% to the end-reader and they'll keep coming back to you. Well, all the Authors at zdnet are great people, and one person, namely Paula, is very extraordinary and a well-rounded creature, but you know it's about the reader base.

I for one would love to see Authors elaborate more, especially to the end-reader, on what to do to beef up your security. Yes, we know this is not a PERFECT world and we will always have haX0rz, crackerz, keygenners and etc... I believe this is why you (as an Author) get such foul-mooded readers and hatemail. I don't receive it unless it's from the IRS or something.

t3h l337 |-|4×02 473 m4h 54|\||)vv1[|-|

So WTF Get ‘r done!
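As an added example (not part of the original post or of the zdnet reply), here is the phpMyAdmin allow-list from the reply written out in full for both Apache 2.2 and Apache 2.4, selected with <IfModule> so one file works on either version. The path and addresses are the ones from the reply; nothing else is assumed.

```apache
# Added example, not from the post: restrict the phpMyAdmin alias to
# localhost and one workstation (the reply's 192.168.0.90).
Alias /phpMyAdmin /usr/share/phpMyAdmin

<Directory /usr/share/phpMyAdmin>
    # Apache 2.4 (mod_authz_core): Order/Allow/Deny only work if the
    # mod_access_compat module is loaded; the native form is Require.
    # Several Require lines are OR-ed together by default.
    <IfModule mod_authz_core.c>
        Require ip 127.0.0.1
        Require ip 192.168.0.90
    </IfModule>

    # Apache 2.2 (mod_authz_host), the syntax used in the reply.  With
    # "Order deny,allow" the Deny line is evaluated first and a matching
    # Allow overrides it, so everything except the two hosts is denied.
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
        Allow from 192.168.0.90
    </IfModule>
</Directory>
```

Run `apachectl configtest` before reloading; a typo in `Order` or `Require` is a hard error, which is better than a silently open directory. Two caveats a practitioner wants here: the allow-list keys on the TCP peer address, so behind a reverse proxy or load balancer every request appears to come from the proxy and you must configure mod_remoteip (2.4) with the proxy's address before `Require ip` means anything; and renaming the Alias, as the reply suggests, is only obscurity, not a substitute for phpMyAdmin's own login and TLS.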


Windows Shares :: Maxtor Network Drives

Apr-23-2009 By WTF *Nix

Doing what I do on a daily basis, and having so many freaking issues between network shares, well, I had this issue today with my Maxtor telling me "Warning: Error creating share!", and that's a first! Out of 3.5 years non-stop these (7 Maxtors) things have been online and never been down, as the fact is they are backed up with a nice UPS to keep them alive...

Well, you know, scouring around, ssh to the damn thing, and figuring out what to do, I saw the problem in the logs on it, and bam, time to refresh the .bin file (which is the shareware crap). Long story short, just update your firmware whether or not you have a current version; it'll fix this issue. Seems that after 3.5 years of hard work they do give out at some point. =)
