Comments on 0entropy: meterpreter xor for further av bypass
Comment feed by Nicolas Krassas, last updated 2023-09-26 15:55 +03:00. 8 comments, oldest first.

aczire (2011-02-11 20:46 +02:00):
Can we mix it up with upx, like this http://seclists.org/metasploit/2009/q2/390 ? Seems we could go on a little further making it undetectable?

--aczire

Nicolas Krassas (2011-02-12 08:41 +02:00):
Yes, but upx is detected by many antivirus products and it's flagged. The best solution is to encrypt and encapsulate the code in another binary.

regex84 (2012-03-07 22:14 +02:00):
Hi, I understand every step of this wonderful tutorial except this line:
mov ecx, 521E
I don't know how to find the corresponding address in my own program.

Nicolas Krassas (2012-03-14 08:37 +02:00):
Hi regex84, the address in ecx is the "address of our code" - "original entry point".
ecx will act as a counter.

regex84 (2012-03-19 17:41 +02:00):
Ah ok, thanks.

Anonymous (2013-12-16 21:59 +02:00):
Nicolas Krassas, CISSP, my email is ericsia978@gmail.com. I still cannot understand where 521E comes from. Can you explain it to me?

Nicolas Krassas (2013-12-26 04:28 +02:00):
Hi Eric,

This is "address of our code" - "original entry point". I chose 0040BF60 for the address of my code, and the Original Entry Point (OEP) of the file is at 00406D42, so this gives us:

0040BF60 - 00406D42 = 521E

Anonymous (2015-11-23 20:13 +02:00):
I have a problem: when I put a breakpoint and press F9, it says "access violation when writing".