Change Text on XP Start Button
Step 1 - Modify Explorer.exe File
In order to make the changes, the file explorer.exe located at C:\Windows needs to be edited. Since explorer.exe is a binary file it requires a special editor. For purposes of this article I have used Resource Hacker. Resource HackerTM is a freeware utility to view, modify, rename, add, delete and extract resources in 32bit Windows executables and resource files (*.res). It incorporates an internal resource script compiler and decompiler and works on Microsoft Windows 95/98/ME, Windows NT, Windows 2000 and Windows XP operating systems.
get this from h**p://delphi.icm.edu.pl/ftp/tools/ResHack.zip
The first step is to make a backup copy of the file explorer.exe located at C:\Windows\explorer. Place it in a folder somewhere on your hard drive where it will be safe. Start Resource Hacker and open explorer.exe located at C:\Windows\explorer.exe.
The category we are going to be using is "String Table". Expand it by clicking the plus sign then navigate down to and expand string 37 followed by highlighting 1033. If you are using the Classic Layout rather than the XP Layout, use number 38. The right hand pane will display the stringtable. We’re going to modify item 578, currently showing the word “start” just as it displays on the current Start button.
There is no magic here. Just double click on the word “start” so that it’s highlighted, making sure the quotation marks are not part of the highlight. They need to remain in place, surrounding the new text that you’ll type. Go ahead and type your new entry. In my case I used Click Me!
You’ll notice that after the new text string has been entered the Compile Script button that was grayed out is now active. I won’t get into what’s involved in compiling a script, but suffice it to say it’s going to make this exercise worthwhile. Click Compile Script and then save the altered file using the Save As command on the File Menu. Do not use the Save command – Make sure to use the Save As command and choose a name for the file. Save the newly named file to C:\Windows.
Step 2 – Modify the Registry
!!!make a backup of your registry before making changes!!!
Now that the modified explorer.exe has been created it’s necessary to modify the registry so the file will be recognized when the user logs on to the system. If you don’t know how to access the registry I’m not sure this article is for you, but just in case it’s a temporary memory lapse, go to Start (soon to be something else) Run and type regedit in the Open field. Navigate to:
HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows NT\ CurrentVersion\ Winlogon
In the right pane, double click the "Shell" entry to open the Edit String dialog box. In Value data: line, enter the name that was used to save the modified explorer.exe file. Click OK.
Close Registry Editor and either log off the system and log back in, or reboot the entire system if that’s your preference. If all went as planned you should see your new Start button with the revised text.[/b]
2009-06-27
Computer Tips # 49 : Caught A Virus?
Caught A Virus?
If you've let your guard down--or even if you haven't--it can be hard to tell if your PC is infected. Here's what to do if you suspect the worst.
Heard this one before? You must run antivirus software and keep it up to date or else your PC will get infected, you'll lose all your data, and you'll incur the wrath of every e-mail buddy you unknowingly infect because of your carelessness.
You know they're right. Yet for one reason or another, you're not running antivirus software, or you are but it's not up to date. Maybe you turned off your virus scanner because it conflicted with another program. Maybe you got tired of upgrading after you bought Norton Antivirus 2001, 2002, and 2003. Or maybe your annual subscription of virus definitions recently expired, and you've put off renewing.
It happens. It's nothing to be ashamed of. But chances are, either you're infected right now, as we speak, or you will be very soon.
For a few days in late January, the Netsky.p worm was infecting about 2,500 PCs a day. Meanwhile the MySQL bot infected approximately 100 systems a minute (albeit not necessarily desktop PCs). As David Perry, global director of education for security software provider Trend Micro, puts it, "an unprotected [Windows] computer will become owned by a bot within 14 minutes."
Today's viruses, worms, and so-called bots--which turn your PC into a zombie that does the hacker's bidding (such as mass-mailing spam)--aren't going to announce their presence. Real viruses aren't like the ones in Hollywood movies that melt down whole networks in seconds and destroy alien spacecraft. They operate in the background, quietly altering data, stealing private operations, or using your PC for their own illegal ends. This makes them hard to spot if you're not well protected.
Is Your PC "Owned?"
I should start by saying that not every system oddity is due to a virus, worm, or bot. Is your system slowing down? Is your hard drive filling up rapidly? Are programs crashing without warning? These symptoms are more likely caused by Windows, or badly written legitimate programs, rather than malware. After all, people who write malware want to hide their program's presence. People who write commercial software put icons all over your desktop. Who's going to work harder to go unnoticed?
Other indicators that may, in fact, indicate that there's nothing that you need to worry about, include:
* An automated e-mail telling you that you're sending out infected mail. E-mail viruses and worms typically come from faked addresses.
* A frantic note from a friend saying they've been infected, and therefore so have you. This is likely a hoax. It's especially suspicious if the note tells you the virus can't be detected but you can get rid of it by deleting one simple file. Don't be fooled--and don't delete that file.
I'm not saying that you should ignore such warnings. Copy the subject line or a snippet from the body of the e-mail and plug it into your favorite search engine to see if other people have received the same note. A security site may have already pegged it as a hoax.
Sniffing Out an Infection
There are signs that indicate that your PC is actually infected. A lot of network activity coming from your system (when you're not actually using Internet) can be a good indicator that something is amiss. A good software firewall, such as ZoneAlarm, will ask your permission before letting anything leave your PC, and will give you enough information to help you judge if the outgoing data is legitimate. By the way, the firewall that comes with Windows, even the improved version in XP Service Pack 2, lacks this capability.
To put a network status light in your system tray, follow these steps: In Windows XP, choose Start, Control Panel, Network Connections, right-click the network connection you want to monitor, choose Properties, check "Show icon in notification area when connected," and click OK.
If you're interested in being a PC detective, you can sniff around further for malware. By hitting Ctrl-Alt-Delete in Windows, you'll bring up the Task Manager, which will show you the various processes your system is running. Most, if not all, are legit, but if you see a file name that looks suspicious, type it into a search engine and find out what it is.
Want another place to look? In Windows XP, click Start, Run, type "services.msc" in the box, and press Enter. You'll see detailed descriptions of the services Windows is running. Something look weird? Check with your search engine.
Finally, you can do more detective work by selecting Start, Run, and typing "msconfig" in the box. With this tool you not only see the services running, but also the programs that your system is launching at startup. Again, check for anything weird.
If any of these tools won't run--or if your security software won't run--that in itself is a good sign your computer is infected. Some viruses intentionally disable such programs as a way to protect themselves.
What to Do Next
Once you're fairly sure your system is infected, don't panic. There are steps you can take to assess the damage, depending on your current level of protection.
* If you don't have any antivirus software on your system (shame on you), or if the software has stopped working, stay online and go for a free scan at one of several Web sites. There's McAfee FreeScan, Symantec Security Check, and Trend Micro's HouseCall. If one doesn't find anything, try two. In fact, running a free online virus scan is a good way to double-check the work of your own local antivirus program. When you're done, buy or download a real antivirus program.
* If you have antivirus software, but it isn't active, get offline, unplug wires-- whatever it takes to stop your computer from communicating via the Internet. Then, promptly perform a scan with the installed software.
* If nothing seems to be working, do more research on the Web. There are several online virus libraries where you can find out about known viruses. These sites often provide instructions for removing viruses--if manual removal is possible--or a free removal tool if it isn't. Check out GriSOFT's Virus Encyclopedia, Eset's Virus Descriptions, McAffee's Virus Glossary, Symantec's Virus Encyclopedia, or Trend Micro's Virus Encyclopedia.
A Microgram of Prevention
Assuming your system is now clean, you need to make sure it stays that way. Preventing a breach of your computer's security is far more effective than cleaning up the mess afterwards. Start with a good security program, such Trend Micro's PC-Cillin, which you can buy for $50.
Don't want to shell out any money? You can cobble together security through free downloads, such as AVG Anti-Virus Free Edition, ZoneAlarm (a personal firewall), and Ad-Aware SE (an antispyware tool).
Just make sure you keep all security software up to date. The bad guys constantly try out new ways to fool security programs. Any security tool without regular, easy (if not automatic) updates isn't worth your money or your time.
Speaking of updating, the same goes for Windows. Use Windows Update (it's right there on your Start Menu) to make sure you're getting all of the high priority updates. If you run Windows XP, make sure to get the Service Pack 2 update. To find out if you already have it, right-click My Computer, and select Properties. Under the General tab, under System, it should say "Service Pack 2."
Here are a few more pointers for a virus-free life:
* Be careful with e-mail. Set your e-mail software security settings to high. Don't open messages with generic-sounding subjects that don't apply specifically to you from people you don't know. Don't open an attachment unless you're expecting it.
* If you have broadband Internet access, such as DSL or cable, get a router, even if you only have one PC. A router adds an extra layer of protection because your PC is not connecting directly with the Internet.
* Check your Internet ports. These doorways between your computer and the Internet can be open, in which case your PC is very vulnerable; closed, but still somewhat vulnerable; or stealthed (or hidden), which is safest. Visit Gibson Research's Web site and run the free ShieldsUP test to see your ports' status. If some ports show up as closed--or worse yet, open--check your router's documentation to find out how to hide them.
If you've let your guard down--or even if you haven't--it can be hard to tell if your PC is infected. Here's what to do if you suspect the worst.
Heard this one before? You must run antivirus software and keep it up to date or else your PC will get infected, you'll lose all your data, and you'll incur the wrath of every e-mail buddy you unknowingly infect because of your carelessness.
You know they're right. Yet for one reason or another, you're not running antivirus software, or you are but it's not up to date. Maybe you turned off your virus scanner because it conflicted with another program. Maybe you got tired of upgrading after you bought Norton Antivirus 2001, 2002, and 2003. Or maybe your annual subscription of virus definitions recently expired, and you've put off renewing.
It happens. It's nothing to be ashamed of. But chances are, either you're infected right now, as we speak, or you will be very soon.
For a few days in late January, the Netsky.p worm was infecting about 2,500 PCs a day. Meanwhile the MySQL bot infected approximately 100 systems a minute (albeit not necessarily desktop PCs). As David Perry, global director of education for security software provider Trend Micro, puts it, "an unprotected [Windows] computer will become owned by a bot within 14 minutes."
Today's viruses, worms, and so-called bots--which turn your PC into a zombie that does the hacker's bidding (such as mass-mailing spam)--aren't going to announce their presence. Real viruses aren't like the ones in Hollywood movies that melt down whole networks in seconds and destroy alien spacecraft. They operate in the background, quietly altering data, stealing private operations, or using your PC for their own illegal ends. This makes them hard to spot if you're not well protected.
Is Your PC "Owned?"
I should start by saying that not every system oddity is due to a virus, worm, or bot. Is your system slowing down? Is your hard drive filling up rapidly? Are programs crashing without warning? These symptoms are more likely caused by Windows, or badly written legitimate programs, rather than malware. After all, people who write malware want to hide their program's presence. People who write commercial software put icons all over your desktop. Who's going to work harder to go unnoticed?
Other indicators that may, in fact, indicate that there's nothing that you need to worry about, include:
* An automated e-mail telling you that you're sending out infected mail. E-mail viruses and worms typically come from faked addresses.
* A frantic note from a friend saying they've been infected, and therefore so have you. This is likely a hoax. It's especially suspicious if the note tells you the virus can't be detected but you can get rid of it by deleting one simple file. Don't be fooled--and don't delete that file.
I'm not saying that you should ignore such warnings. Copy the subject line or a snippet from the body of the e-mail and plug it into your favorite search engine to see if other people have received the same note. A security site may have already pegged it as a hoax.
Sniffing Out an Infection
There are signs that indicate that your PC is actually infected. A lot of network activity coming from your system (when you're not actually using Internet) can be a good indicator that something is amiss. A good software firewall, such as ZoneAlarm, will ask your permission before letting anything leave your PC, and will give you enough information to help you judge if the outgoing data is legitimate. By the way, the firewall that comes with Windows, even the improved version in XP Service Pack 2, lacks this capability.
To put a network status light in your system tray, follow these steps: In Windows XP, choose Start, Control Panel, Network Connections, right-click the network connection you want to monitor, choose Properties, check "Show icon in notification area when connected," and click OK.
If you're interested in being a PC detective, you can sniff around further for malware. By hitting Ctrl-Alt-Delete in Windows, you'll bring up the Task Manager, which will show you the various processes your system is running. Most, if not all, are legit, but if you see a file name that looks suspicious, type it into a search engine and find out what it is.
Want another place to look? In Windows XP, click Start, Run, type "services.msc" in the box, and press Enter. You'll see detailed descriptions of the services Windows is running. Something look weird? Check with your search engine.
Finally, you can do more detective work by selecting Start, Run, and typing "msconfig" in the box. With this tool you not only see the services running, but also the programs that your system is launching at startup. Again, check for anything weird.
If any of these tools won't run--or if your security software won't run--that in itself is a good sign your computer is infected. Some viruses intentionally disable such programs as a way to protect themselves.
What to Do Next
Once you're fairly sure your system is infected, don't panic. There are steps you can take to assess the damage, depending on your current level of protection.
* If you don't have any antivirus software on your system (shame on you), or if the software has stopped working, stay online and go for a free scan at one of several Web sites. There's McAfee FreeScan, Symantec Security Check, and Trend Micro's HouseCall. If one doesn't find anything, try two. In fact, running a free online virus scan is a good way to double-check the work of your own local antivirus program. When you're done, buy or download a real antivirus program.
* If you have antivirus software, but it isn't active, get offline, unplug wires-- whatever it takes to stop your computer from communicating via the Internet. Then, promptly perform a scan with the installed software.
* If nothing seems to be working, do more research on the Web. There are several online virus libraries where you can find out about known viruses. These sites often provide instructions for removing viruses--if manual removal is possible--or a free removal tool if it isn't. Check out GriSOFT's Virus Encyclopedia, Eset's Virus Descriptions, McAffee's Virus Glossary, Symantec's Virus Encyclopedia, or Trend Micro's Virus Encyclopedia.
A Microgram of Prevention
Assuming your system is now clean, you need to make sure it stays that way. Preventing a breach of your computer's security is far more effective than cleaning up the mess afterwards. Start with a good security program, such Trend Micro's PC-Cillin, which you can buy for $50.
Don't want to shell out any money? You can cobble together security through free downloads, such as AVG Anti-Virus Free Edition, ZoneAlarm (a personal firewall), and Ad-Aware SE (an antispyware tool).
Just make sure you keep all security software up to date. The bad guys constantly try out new ways to fool security programs. Any security tool without regular, easy (if not automatic) updates isn't worth your money or your time.
Speaking of updating, the same goes for Windows. Use Windows Update (it's right there on your Start Menu) to make sure you're getting all of the high priority updates. If you run Windows XP, make sure to get the Service Pack 2 update. To find out if you already have it, right-click My Computer, and select Properties. Under the General tab, under System, it should say "Service Pack 2."
Here are a few more pointers for a virus-free life:
* Be careful with e-mail. Set your e-mail software security settings to high. Don't open messages with generic-sounding subjects that don't apply specifically to you from people you don't know. Don't open an attachment unless you're expecting it.
* If you have broadband Internet access, such as DSL or cable, get a router, even if you only have one PC. A router adds an extra layer of protection because your PC is not connecting directly with the Internet.
* Check your Internet ports. These doorways between your computer and the Internet can be open, in which case your PC is very vulnerable; closed, but still somewhat vulnerable; or stealthed (or hidden), which is safest. Visit Gibson Research's Web site and run the free ShieldsUP test to see your ports' status. If some ports show up as closed--or worse yet, open--check your router's documentation to find out how to hide them.
Computer Tips # 48 : Can't See Secure Sites
Can't See Secure Sites
Fix the problem with seeing them secrue sites (banks or online stores) i found this very usefull to me at my work (isp backbone support lol, at the time i was regular support )
Any way... what u need to do is make a new notepad file and write in it the followng DLL's.. just copy-paste these
regsvr32 SOFTPUB.DLL
regsvr32 WINTRUST.DLL
regsvr32 INITPKI.DLL
regsvr32 dssenh.dll
regsvr32 Rsaenh.dll
regsvr32 gpkcsp.dll
regsvr32 sccbase.dll
regsvr32 slbcsp.dll
regsvr32 Cryptdlg.dll
and save it as > all file types, and make it something like securefix.bat.
then just run the file and ur problem should be gone.
Fix the problem with seeing them secrue sites (banks or online stores) i found this very usefull to me at my work (isp backbone support lol, at the time i was regular support )
Any way... what u need to do is make a new notepad file and write in it the followng DLL's.. just copy-paste these
regsvr32 SOFTPUB.DLL
regsvr32 WINTRUST.DLL
regsvr32 INITPKI.DLL
regsvr32 dssenh.dll
regsvr32 Rsaenh.dll
regsvr32 gpkcsp.dll
regsvr32 sccbase.dll
regsvr32 slbcsp.dll
regsvr32 Cryptdlg.dll
and save it as > all file types, and make it something like securefix.bat.
then just run the file and ur problem should be gone.
Computer Tips # 47 : cannot use my password to get back into Windows XP
Cannot use my password to get back into Windows XP
Because of the security features built into Windows XP, it is virtually impossible to get back into the system without the password.
You have several options to try and get around this problem.
If you have access to another user account with administrator rights, you can use that account to change the password
of the account that is locked out. You can also use the default Administrator account that is built into Windows XP.
First you need to boot the system into Safe Mode.
1.Restart your system.
2.When you see the blue Dell globe or screen, press the ( F8 ) key about 3 times a second.
3.You should get the Windows startup menu. Use the (Up or Down) arrow keys to highlight (SafeMode)
4.Press (Enter) on (Safe Mode), then press (Enter) on (Windows XP).
5.The system should boot to Safe Mode.
Once you are at the Account Log on Screen, click on the icon
for the user account with administrator rights, or click on the icon
for the administrators account.
Note: For Home the Administrator account isn't normally shown & in Safe Mode you have to press Ctrl+Alt+Delete keys twice to show.
For PRO you can do this in normal mode
When the system has booted to the desktop, use the following steps to change the accounts password.
1.Click Start, Control Panel, Administrative Tools.
2.Click Computer Management.
3.Double click Local Users and Groups, double click the folder Users.
4.Right click on the account name that is locked out, and click on Set Password.
5.You may get a warning message about changing the password, simply click proceed.
6.Leave the New Password box blank, also leave the Confirm Password box blank.
7.Click OK, and OK again.
8.Then close all Windows, reboot the system and try to log in.
There are also applications that can recover the password for you.
The following companies provide these applications at a cost.
iOpusฎ Password Recovery XP here.
LostPassword.com, here.
Asterisk Password Recovery XP v1.89 here.
Windows XP / 2000 / NT Key here.
If the above information does not help in recovering the password, the only option left is to
format the hard drive then reinstall Windows and the system software.
Because of the security features built into Windows XP, it is virtually impossible to get back into the system without the password.
You have several options to try and get around this problem.
If you have access to another user account with administrator rights, you can use that account to change the password
of the account that is locked out. You can also use the default Administrator account that is built into Windows XP.
First you need to boot the system into Safe Mode.
1.Restart your system.
2.When you see the blue Dell globe or screen, press the ( F8 ) key about 3 times a second.
3.You should get the Windows startup menu. Use the (Up or Down) arrow keys to highlight (SafeMode)
4.Press (Enter) on (Safe Mode), then press (Enter) on (Windows XP).
5.The system should boot to Safe Mode.
Once you are at the Account Log on Screen, click on the icon
for the user account with administrator rights, or click on the icon
for the administrators account.
Note: For Home the Administrator account isn't normally shown & in Safe Mode you have to press Ctrl+Alt+Delete keys twice to show.
For PRO you can do this in normal mode
When the system has booted to the desktop, use the following steps to change the accounts password.
1.Click Start, Control Panel, Administrative Tools.
2.Click Computer Management.
3.Double click Local Users and Groups, double click the folder Users.
4.Right click on the account name that is locked out, and click on Set Password.
5.You may get a warning message about changing the password, simply click proceed.
6.Leave the New Password box blank, also leave the Confirm Password box blank.
7.Click OK, and OK again.
8.Then close all Windows, reboot the system and try to log in.
There are also applications that can recover the password for you.
The following companies provide these applications at a cost.
iOpusฎ Password Recovery XP here.
LostPassword.com, here.
Asterisk Password Recovery XP v1.89 here.
Windows XP / 2000 / NT Key here.
If the above information does not help in recovering the password, the only option left is to
format the hard drive then reinstall Windows and the system software.
Computer Tips # 46 : Calculating Offsets
Calculating Offsets
This tutorial is more of a tip than a tutorial. It just explains how to calculate offsets for jumps and calls within the program you are patching.
Types of Jumps/Calls
Here I will just describe the different types of jumps and calls which you will come across:
Short Jumps
Short jumps be they conditional or unconditional jumps are 2 bytes long (or 1 nibble if your Californian ;-). These are relative jumps taken from the first byte after the two bytes of the jump. Using short jumps you can jump a maximum of 127 bytes forward and 128 bytes backwards.
Long Jumps
Long jumps if they are relative are 6 bytes long for conditional jumps and are 5 bytes long for unconditional jumps. For conditional jumps 2 bytes are used to identify that it is a long jump and what type of jump (je, jg, jns etc) it is. The other 4 bytes are used to show how far away the target location is relative to the first byte after the jump. In an unconditional jump only 1 byte is used to identify it as a long unconditional jump and the other 4 are used to show it's target's relative position, as with the conditional jumps.
Calls
There are two different types of calls which we will use. The normal type of call works the same as the long jumps in that it is relative to it's current position. The other type gives a reference to a memory location, register or stack position which holds the memory location it will call. The position held by the later is direct e.g. the memory location referenced may contain 401036h which would be the exact position that you would call, not relative to the position of the call. The size of these types of calls depends on any calculations involved in the call i.e. you could do: 'call dword ptr [eax * edx + 2]'. Long jumps can also be made using this method, but I didn't say that earlier as to avoid repetition.
Tables
Here is a brief list of all the different types of jumps/calls and their appropriate op-codes. Where different jumps have the same Op-Codes I have grouped them:
Jump Description Short Op-Code Long Op-Code
call procedure call E8xxxxxxxx N/A
jmp u nconditional jump EBxx E9xxxxxxxx
ja/jnbe jump if above 77xx 0F87xxxxxxxx
jae/jnb/jnc jump if above or equal 73xx 0F83xxxxxxxx
jb/jc/jnae jump if below 72xx 0F82xxxxxxxx
jbe/jna jump if below or equal 76xx 0F86xxxxxxxx
jcxz/jecxz jump if cx/ecx equals zero E3xx N/A
je/jz jump if equal/zero 74xx 0F84xxxxxxxx
jne/jnz jump if not equal/zero 75xx 0F85xxxxxxxx
jg/jnle jump if greater 7Fxx 0F8Fxxxxxxxx
jge/jnl jump if greater or equal 7Dxx 0F8Dxxxxxxxx
jl/jnge jump if less 7Cxx 0F8Cxxxxxxxx
jle/jng jump if less or equal 7Exx 0F8Exxxxxxxx
jno jump if not overflow 71xx 0F81xxxxxxxx
jnp/jpo jump if no parity/parity odd 7Bxx 0F8Bxxxxxxxx
jns jump if not signed 79xx 0F89xxxxxxxx
jo jump if overflow 70xx 0F80xxxxxxxx
jp/jpe jump if parity/parity even 7Axx 0F8Axxxxxxxx
js jump if sign 78xx 0F88xxxxxxxx
Calculating Offsets (finding in the xx's in table)
You will need to be able to calculate offsets when you add jumps and make calls within and to the code you have added. If you choose to do this by hand instead of using a tool then here are the basics:
For jumps and calls further on in memory from your current position you take the address where you want to jump/call and subtract from it the memory location of the next instruction after your call/jump i.e.:
(target mem address) - (mem location of next instruction after call/jump)
Example
If we wanted to jump to 4020d0 and the next instruction *after* the jump is at location 401093 then we would use the following calculation:
4020d0 - 401093 = 103d
We then write the jump instruction in hex as e93d100000 where e9 is the hex op-code for a long relative jump and 3d100000 is the result of our calculation expanded to dword size and reversed.
For jumps and calls to locations *before* the current location in memory you take the address you want to call/jump to and subtract it from the memory location of the next instruction after your call/jump, then subtract 1 and finally perform a logical NOT on the result i.e.
NOT(mem address of next instruction - target mem address - 1)
Example
If we wanted to call location 401184 and the address of the next instruction after the call is 402190 then we do the following calculation:
NOT(402190 - 401184 - 1 ) = ffffeff4
We can then write our call instruction in hex as e8f4efffff where e8 is the hex op-code for relative call and f4efffff is the result of the calculation in reverse order.
If you want to practice with different examples then the best way to do this is to use a disassembler like WDASM which shows you the op-codes and try and work out the results yourself. Also as an end note you don't have to perform these calculations if you have enough room to make your jump or call instruction into an absolute jump call by doing the following as represented in assembler:
mov eax, 4020d0
call eax (or jmp eax)
Final Notes
Make life easier and use a program to do this ;-)
This tutorial is more of a tip than a tutorial. It just explains how to calculate offsets for jumps and calls within the program you are patching.
Types of Jumps/Calls
Here I will just describe the different types of jumps and calls which you will come across:
Short Jumps
Short jumps be they conditional or unconditional jumps are 2 bytes long (or 1 nibble if your Californian ;-). These are relative jumps taken from the first byte after the two bytes of the jump. Using short jumps you can jump a maximum of 127 bytes forward and 128 bytes backwards.
Long Jumps
Long jumps if they are relative are 6 bytes long for conditional jumps and are 5 bytes long for unconditional jumps. For conditional jumps 2 bytes are used to identify that it is a long jump and what type of jump (je, jg, jns etc) it is. The other 4 bytes are used to show how far away the target location is relative to the first byte after the jump. In an unconditional jump only 1 byte is used to identify it as a long unconditional jump and the other 4 are used to show it's target's relative position, as with the conditional jumps.
Calls
There are two different types of calls which we will use. The normal type of call works the same as the long jumps in that it is relative to it's current position. The other type gives a reference to a memory location, register or stack position which holds the memory location it will call. The position held by the later is direct e.g. the memory location referenced may contain 401036h which would be the exact position that you would call, not relative to the position of the call. The size of these types of calls depends on any calculations involved in the call i.e. you could do: 'call dword ptr [eax * edx + 2]'. Long jumps can also be made using this method, but I didn't say that earlier as to avoid repetition.
Tables
Here is a brief list of all the different types of jumps/calls and their appropriate op-codes. Where different jumps have the same Op-Codes I have grouped them:
Jump Description Short Op-Code Long Op-Code
call procedure call E8xxxxxxxx N/A
jmp u nconditional jump EBxx E9xxxxxxxx
ja/jnbe jump if above 77xx 0F87xxxxxxxx
jae/jnb/jnc jump if above or equal 73xx 0F83xxxxxxxx
jb/jc/jnae jump if below 72xx 0F82xxxxxxxx
jbe/jna jump if below or equal 76xx 0F86xxxxxxxx
jcxz/jecxz jump if cx/ecx equals zero E3xx N/A
je/jz jump if equal/zero 74xx 0F84xxxxxxxx
jne/jnz jump if not equal/zero 75xx 0F85xxxxxxxx
jg/jnle jump if greater 7Fxx 0F8Fxxxxxxxx
jge/jnl jump if greater or equal 7Dxx 0F8Dxxxxxxxx
jl/jnge jump if less 7Cxx 0F8Cxxxxxxxx
jle/jng jump if less or equal 7Exx 0F8Exxxxxxxx
jno jump if not overflow 71xx 0F81xxxxxxxx
jnp/jpo jump if no parity/parity odd 7Bxx 0F8Bxxxxxxxx
jns jump if not signed 79xx 0F89xxxxxxxx
jo jump if overflow 70xx 0F80xxxxxxxx
jp/jpe jump if parity/parity even 7Axx 0F8Axxxxxxxx
js jump if sign 78xx 0F88xxxxxxxx
Calculating Offsets (finding in the xx's in table)
You will need to be able to calculate offsets when you add jumps and make calls within and to the code you have added. If you choose to do this by hand instead of using a tool then here are the basics:
For jumps and calls further on in memory from your current position you take the address where you want to jump/call and subtract from it the memory location of the next instruction after your call/jump i.e.:
(target mem address) - (mem location of next instruction after call/jump)
Example
If we wanted to jump to 4020d0 and the next instruction *after* the jump is at location 401093 then we would use the following calculation:
4020d0 - 401093 = 103d
We then write the jump instruction in hex as e93d100000 where e9 is the hex op-code for a long relative jump and 3d100000 is the result of our calculation expanded to dword size and reversed.
For jumps and calls to locations *before* the current location in memory you take the address you want to call/jump to and subtract it from the memory location of the next instruction after your call/jump, then subtract 1 and finally perform a logical NOT on the result i.e.
NOT(mem address of next instruction - target mem address - 1)
Example
If we wanted to call location 401184 and the address of the next instruction after the call is 402190 then we do the following calculation:
NOT(402190 - 401184 - 1 ) = ffffeff4
We can then write our call instruction in hex as e8f4efffff where e8 is the hex op-code for relative call and f4efffff is the result of the calculation in reverse order.
If you want to practice with different examples then the best way to do this is to use a disassembler like WDASM which shows you the op-codes and try and work out the results yourself. Also as an end note you don't have to perform these calculations if you have enough room to make your jump or call instruction into an absolute jump call by doing the following as represented in assembler:
mov eax, 4020d0
call eax (or jmp eax)
Final Notes
Make life easier and use a program to do this ;-)
Computer Tips # 44 : Bypass Internet Censorship
Bypass Internet Censorship
I remember not so long ago someone was asking about ways to get around and view sites that were blocked by the administrators, or some web filtering device, either at work or at school, hope this helps.
www.zensur.freerk.com
I remember not so long ago someone was asking about ways to get around and view sites that were blocked by the administrators, or some web filtering device, either at work or at school, hope this helps.
www.zensur.freerk.com
Computer Tips # 43 : Burning BIN/CUE Images with Nero Burning Rom
Burning BIN/CUE Images with Nero Burning Rom
BIN/CUE image format is quite common on the Internet. It might seem that finding an appropriate software for burning these images is quite hard. Luckily, it's not. In addition to Golden Hawk CDRWin, the original software for BIN/CUE format, you can also use Nero Burning Rom to burn the images.
Please make sure that you have the latest version of Nero, which now is 5.5.10.0
Verify the CUE-sheet and open it with Nero
Before doing anything else you have to verify that the path in the CUE-sheet is correct. A CUE-sheet is a plaintext file describing the structure and the location of the BIN-file. You can open up the .CUE -file using, for example, Notepad.
The file should look something like this:
FILE "IMAGE.BIN" BINARY
TRACK 01 MODE1/2352
INDEX 01 00:00:00
Usually the CUE-filename and the BIN-filename have the same body -- e.g. IMAGE. All you need to do is verify that there is no path information on the
FILE "IMAGE.BIN" BINARY
-line. Ie. it should NOT read e.g.
FILE "C:\TEMP\IMAGE.BIN" BINARY
If there is any path information on the line, just remove it so that you have just the name of the .BIN-file as in the example above. Also make sure that the name of the .BIN in the CUE-sheet is the same as the actual .BIN file you have on hard-disk.
Next load Nero Burning Rom and choose File, Burn Image....
Load the CUE-sheet in Nero
Choose the Files of Type: dropdown menu and select All Files *.*. Next just locate the .CUE file, select it and click Open. Make sure you select the .CUE -file, not the .BIN -file.
Burn the image
All you have to do then is choose the writing speed, select the Disc-At-Once Write Method, and click Write.
That's it! After a couple of minutes you'll have a CD with the BIN/CUE Image written on it.
NOTES:
--> Do not worry if the BIN file seems larger than the capacity of your CD-R or CD-RW. Bin files are raw data and once burned, the file size is smaller.
--> If you have a DVD burner, just burn the cue/bin directly onto the DVD. Then use Daemon Tools to mount the cue/bin image when you use the files. This way you maintain a true exact image. And Daemon Tools (also Alcohol CDR burning software, which has the same feature) mounts the image, and you see the files instead of the bin/cue.
BIN/CUE image format is quite common on the Internet. It might seem that finding an appropriate software for burning these images is quite hard. Luckily, it's not. In addition to Golden Hawk CDRWin, the original software for BIN/CUE format, you can also use Nero Burning Rom to burn the images.
Please make sure that you have the latest version of Nero, which now is 5.5.10.0
Verify the CUE-sheet and open it with Nero
Before doing anything else you have to verify that the path in the CUE-sheet is correct. A CUE-sheet is a plaintext file describing the structure and the location of the BIN-file. You can open up the .CUE -file using, for example, Notepad.
The file should look something like this:
FILE "IMAGE.BIN" BINARY
TRACK 01 MODE1/2352
INDEX 01 00:00:00
Usually the CUE-filename and the BIN-filename have the same body -- e.g. IMAGE. All you need to do is verify that there is no path information on the
FILE "IMAGE.BIN" BINARY
-line. Ie. it should NOT read e.g.
FILE "C:\TEMP\IMAGE.BIN" BINARY
If there is any path information on the line, just remove it so that you have just the name of the .BIN-file as in the example above. Also make sure that the name of the .BIN in the CUE-sheet is the same as the actual .BIN file you have on hard-disk.
Next load Nero Burning Rom and choose File, Burn Image....
Load the CUE-sheet in Nero
Choose the Files of Type: dropdown menu and select All Files *.*. Next just locate the .CUE file, select it and click Open. Make sure you select the .CUE -file, not the .BIN -file.
Burn the image
All you have to do then is choose the writing speed, select the Disc-At-Once Write Method, and click Write.
That's it! After a couple of minutes you'll have a CD with the BIN/CUE Image written on it.
NOTES:
--> Do not worry if the BIN file seems larger than the capacity of your CD-R or CD-RW. Bin files are raw data and once burned, the file size is smaller.
--> If you have a DVD burner, just burn the cue/bin directly onto the DVD. Then use Daemon Tools to mount the cue/bin image when you use the files. This way you maintain a true exact image. And Daemon Tools (also Alcohol CDR burning software, which has the same feature) mounts the image, and you see the files instead of the bin/cue.
2009-06-26
Computer Tips # 42 : Burn .bin file Without A .cue file
Burn .bin file Without A .cue file
You do exactly the same as for iso files, but when you click on “burn image,” you don’t browse to the bin itself, but instead to the cue file, and you open that one.
When the writer starts to burn, it will automatically search for the bin file and start burning it. In fact, the cue file tells the burning program where it can find the bin file that is attached to it. It is VERY IMPORTANT that you use the right cue file when you burn a bin. i.e both cue and bin files that are attached to each other must be located in the same folder, and every bin file has it’s own cue file.
Normally, when you download a bin file, you can download the appropriate cue file as well. If you do not have the cue file (or feel bold) you can make the cue file yourself, which is really easy to do:
a. Open notepad
b. Copy the folowing text into notepad:
FILE“nameofimage“BINARY
TRACK 01 MODE1/2352
INDEX 01 00:00:00
Where nameofimage.bin is the name of the bin file you want ot burn.
c. The rest is easy: just save the notepad text with the name of the bin, but with the cue extension.
d. The file should be saved in the same folder as its appropriate bin file and should be something like myfile.cue
Or you can use Alcohol 120% to burn directly from the bin file
You do exactly the same as for iso files, but when you click on “burn image,” you don’t browse to the bin itself, but instead to the cue file, and you open that one.
When the writer starts to burn, it will automatically search for the bin file and start burning it. In fact, the cue file tells the burning program where it can find the bin file that is attached to it. It is VERY IMPORTANT that you use the right cue file when you burn a bin. i.e both cue and bin files that are attached to each other must be located in the same folder, and every bin file has it’s own cue file.
Normally, when you download a bin file, you can download the appropriate cue file as well. If you do not have the cue file (or feel bold) you can make the cue file yourself, which is really easy to do:
a. Open notepad
b. Copy the folowing text into notepad:
FILE“nameofimage“BINARY
TRACK 01 MODE1/2352
INDEX 01 00:00:00
Where nameofimage.bin is the name of the bin file you want ot burn.
c. The rest is easy: just save the notepad text with the name of the bin, but with the cue extension.
d. The file should be saved in the same folder as its appropriate bin file and should be something like myfile.cue
Or you can use Alcohol 120% to burn directly from the bin file
Computer Tips # 41 : BulletProof FTP Server Tutorial
BulletProof FTP Server Tutorial
Configuring your Bulletproof FTP Server Tutorial
I am not sure where I found this tutorial, It’s been a while…It might even have been here... ..So if it is one of yours, my hat goes off to you once again....
After reading the excellent tutorial on "Creating an FTP" that Norway posted…
(I would suggest reading and following his tutorial first, then following up with this one)
I thought that perhaps this tutorial might be pretty helpful for those interested in knowing how to configure their Bulletproof FTP Server that don't already know how... Here's how to get started…
This is for the BulletProof FTP Server 2.10. However, It should work fine on most following versions as well.
I'm assuming you have it installed and cracked.
Basics
1. Start the program.
2. Click on Setup > Main > General from the pull-down menu.
3. Enter your server name into the 'Server Name' box. Under Connection set the “Max number of users" to any number. This is the limit as to how many users can be on your sever at any time.
4. Click on the 'options' tab of that same panel (on the side)
5. Look at the bottom, under IP Options. Put a check in the box “Refuse Multiple Connections from the same IP”. This will prevent one person from blocking your FTP to others.
6. Also put a check in the 'Blocked Banned IP (instead of notifying client). VERY IMPORTANT! If somebody decides to 'Hammer' (attempt to login numerous times VERY quickly) your server/computer may CRASH if you don't enable this.
7. Click on the 'advanced' tab
8. At the bottom again look at the 'hammering area'
9. Enable 'anti-hammer' and 'do not reply to people hammering' Set it for the following: Block IP 120 min if 5 connections in 60 sec. You can set this at whatever you want to but that is pretty much a standard Click 'OK'
Adding Users
11. Setup > User accounts form pull-down.
12. Right click in the empty 'User Accounts' area on the right: choose 'Add'
13. Enter account name. (ie: logon name)
14. In the 'Access rights' box right click: choose ‘Add’.
15. Browse until you find the directory (folder) you want to share. In the right column you will see a bunch of checkboxes. Put a check in the following ones: Read, Write, Append, Make, List, and +Subdirs. Press 'select'.
16. Enter a password for your new FTP account.
17. Click on 'Miscellaneous' in the left column. Make sure 'Enable Account' is selected. Enable 'Max Number of Users' set it at a number other than zero. 1 for a personal account and more that one for a group account. Enable 'Max. no. of connects per IP' set it at 1
18. Under 'Files' enable 'show relative path' this is a security issue. A FTP client will now not be able to see the ENTIRE path of the FTP. It will only see the path from the main directory. Hide hidden flies as well.
Put a tick in both of these.
Advanced:
You don't need to do any of this stuff, but It will help tweak your server and help you maintain order on it. All of the following will be broken down into small little areas that will tell you how to do one thing at a time.
Changing the Port
The default port is always 21, but you can change this. Many ISPs will routinely do a scan of its own users to find a ftp server, also when people scan for pubs they may scan your IP, thus finding your ftp server. If you do decide to change it many suggest that you make the port over 10,000.
1. Setup > Main > General
2. In the 'Connection' Area is a setting labeled 'Listen on Port Number:'
3. Make it any number you want. That will be your port number.
4. Click 'OK'
Making an 'Upload Only' or 'Download Only' ftp server.
This is for the entire SERVER, not just a user.
1. Setup > Main > Advanced
2. In the advanced window you will have the following options: uploads and downloads, downloads only, and uploads only. By default upload and download will be checked. Change it to whatever you want.
3. Click 'OK’
While you are running your server, usually you will end up spending more time at your computer than you normally do. Don't be afraid to ban IP's. Remember, on your FTP you do as you want.
When you are online you must also select the open server button next to the on-line button which is the on-line Button
You also have to use the actual Numbered ip Address ie: 66.250.216.67
Or even Better yet, get a no-ip.com address
Configuring your Bulletproof FTP Server Tutorial
I am not sure where I found this tutorial, It’s been a while…It might even have been here... ..So if it is one of yours, my hat goes off to you once again....
After reading the excellent tutorial on "Creating an FTP" that Norway posted…
(I would suggest reading and following his tutorial first, then following up with this one)
I thought that perhaps this tutorial might be pretty helpful for those interested in knowing how to configure their Bulletproof FTP Server that don't already know how... Here's how to get started…
This is for the BulletProof FTP Server 2.10. However, It should work fine on most following versions as well.
I'm assuming you have it installed and cracked.
Basics
1. Start the program.
2. Click on Setup > Main > General from the pull-down menu.
3. Enter your server name into the 'Server Name' box. Under Connection set the “Max number of users" to any number. This is the limit as to how many users can be on your sever at any time.
4. Click on the 'options' tab of that same panel (on the side)
5. Look at the bottom, under IP Options. Put a check in the box “Refuse Multiple Connections from the same IP”. This will prevent one person from blocking your FTP to others.
6. Also put a check in the 'Blocked Banned IP (instead of notifying client). VERY IMPORTANT! If somebody decides to 'Hammer' (attempt to login numerous times VERY quickly) your server/computer may CRASH if you don't enable this.
7. Click on the 'advanced' tab
8. At the bottom again look at the 'hammering area'
9. Enable 'anti-hammer' and 'do not reply to people hammering' Set it for the following: Block IP 120 min if 5 connections in 60 sec. You can set this at whatever you want to but that is pretty much a standard Click 'OK'
Adding Users
11. Setup > User accounts form pull-down.
12. Right click in the empty 'User Accounts' area on the right: choose 'Add'
13. Enter account name. (ie: logon name)
14. In the 'Access rights' box right click: choose ‘Add’.
15. Browse until you find the directory (folder) you want to share. In the right column you will see a bunch of checkboxes. Put a check in the following ones: Read, Write, Append, Make, List, and +Subdirs. Press 'select'.
16. Enter a password for your new FTP account.
17. Click on 'Miscellaneous' in the left column. Make sure 'Enable Account' is selected. Enable 'Max Number of Users' set it at a number other than zero. 1 for a personal account and more that one for a group account. Enable 'Max. no. of connects per IP' set it at 1
18. Under 'Files' enable 'show relative path' this is a security issue. A FTP client will now not be able to see the ENTIRE path of the FTP. It will only see the path from the main directory. Hide hidden flies as well.
Put a tick in both of these.
Advanced:
You don't need to do any of this stuff, but It will help tweak your server and help you maintain order on it. All of the following will be broken down into small little areas that will tell you how to do one thing at a time.
Changing the Port
The default port is always 21, but you can change this. Many ISPs will routinely do a scan of its own users to find a ftp server, also when people scan for pubs they may scan your IP, thus finding your ftp server. If you do decide to change it many suggest that you make the port over 10,000.
1. Setup > Main > General
2. In the 'Connection' Area is a setting labeled 'Listen on Port Number:'
3. Make it any number you want. That will be your port number.
4. Click 'OK'
Making an 'Upload Only' or 'Download Only' ftp server.
This is for the entire SERVER, not just a user.
1. Setup > Main > Advanced
2. In the advanced window you will have the following options: uploads and downloads, downloads only, and uploads only. By default upload and download will be checked. Change it to whatever you want.
3. Click 'OK’
While you are running your server, usually you will end up spending more time at your computer than you normally do. Don't be afraid to ban IP's. Remember, on your FTP you do as you want.
When you are online you must also select the open server button next to the on-line button which is the on-line Button
You also have to use the actual Numbered ip Address ie: 66.250.216.67
Or even Better yet, get a no-ip.com address
Computer Tips # 40 : Bulk Editing Of .xxx to .zip or .mp3
Bulk Editing Of .xxx to .zip or .mp3
ets us say you have just download a new album or game
but all the files are .xxx and you need them to be
zip's, rar's, mp3's etc.....
then do the following
-create a new folder
-put all the files needing editing in the new folder
-then goto "run" in the start menu
-type in CMD and click ok
-the next thing needsa few bits of old dos commands
-you need to navagate CMD to the folder whree the files are
-you can do this by 1st getting the total adress of the folder
-and then typing it in cmd with a "cd" in frount
QUOTE
cd c:\xxx\yyy\ccc\
once you in the folder where the files are you can move on
nb u can cheek you in the right folder by typing dir to get a list of files
-now type in....
QUOTE
rename *.* *.zip
Nb change the zip to what ever the extention needs to be (.rar, .mp3 ect)
all done
you should hv now changed the .* to what ever you needed
ets us say you have just download a new album or game
but all the files are .xxx and you need them to be
zip's, rar's, mp3's etc.....
then do the following
-create a new folder
-put all the files needing editing in the new folder
-then goto "run" in the start menu
-type in CMD and click ok
-the next thing needsa few bits of old dos commands
-you need to navagate CMD to the folder whree the files are
-you can do this by 1st getting the total adress of the folder
-and then typing it in cmd with a "cd" in frount
QUOTE
cd c:\xxx\yyy\ccc\
once you in the folder where the files are you can move on
nb u can cheek you in the right folder by typing dir to get a list of files
-now type in....
QUOTE
rename *.* *.zip
Nb change the zip to what ever the extention needs to be (.rar, .mp3 ect)
all done
you should hv now changed the .* to what ever you needed
สมัครสมาชิก:
บทความ (Atom)
