29 Apr

I bought a software today…

I never buy software. Not sure why is that, probably I just don’t see a point in doing that. To me, most of the software seems ridiculously overpriced.

  • Paying 30 euros for a copy of WinRar? Are you kidding me?
  • Paying 70 euros for latest Need for Speed racing simulator I’m not even sure I’ll like? I’m not a hardcore gamer, I’m just looking for a good fun for a rainy evening.

And subscription-based software is even worse:

Do I look like a f*ing Rockefeller to you?

Hello Adguard!

Imagine my surprise when yesterday I noticed that my beloved Adguard actually has very reasonable prices. And they are offering 40% discount for all licences until May 4th, 2016. Lifetime license for less than a cup of Chai Latte in Starbucks? I’ll take that, thank you very much!

license purchased

Well, it’s actually half-true. If you just open their main page in the browser and go to “Purchase”, you’ll probably see that a lifetime license costs $14.97. Not exactly a cup of Chai Latte.

Hacking Adguard pricing

To get those extra nice prices, you’ll need to perform a little trick. Open the mobile version of the same page in your browser: m.adguard.com. Now go to purchase. And now switch to prices in Russian roubles. 179RUB for a lifetime license! :D

According to Paypal, I just got my lifetime license for:

Payment: 179.40 RUB
Payment sent to: pr@adguard.com
From amount: $2.94 USD

Cheers!

Summary

If you’re interested in a decent adblocker for Android device, I recommend that you give Adguard a chance. No root required! They also have adblockers for Windows and Mac but I haven’t tested those.

Full disclosure: the link above is my affiliate link with Adguard. If 4 people will follow this link, install and use Adguard for 30 minutes, I will get a free 1-year license. In that case, I will donate this license to LCF-AT to help with ad-filtering issues.

If you hate affiliate links of any kind, please feel free to visit using a direct link: adguard.com – it’s well worth it.

Have fun blocking the ads! :)

21 Apr

JS-boobytrapped ZIP files, or why morons shouldn’t be writing about security

This morning I noticed Softpedia article titled “How to Prevent ZIP Files from Executing Malicious JavaScript Behind Your Back“.

Here’s the beginning of the story in all it’s glory:
softpedia

Let me repeat that:

When unzipping the file, the JavaScript file would execute, automating various operations.

Naturally, I was curious about the cause of this issue and why I haven’t heard about it before.

Little bit of reading, little bit of Googling and here’s the original post from F-Secure: “How-To Disable Windows Script Host“. They write:

And such .zip files typically contain a JScript (.js/.jse) file that, if clicked, will be run via Windows Script Host.

Somehow Softpedia authors managed to convert “user clicking on a JS file” into “JS file being launched automatically when unzipped”.

Dear Mr. Catalin Cimpanu, please stop writing about security. Open a hotdog stand or something, that’s much more suitable for your skill level.

19 Apr

One month with Avast

I’ve written about my troubles with Bitdefender AV solution before.. XXXX So, when my Bitdefender license expired, I was happy to switch to a different solution. I picked AVAST. In this post I’ll try to summarize my my impressions after using it for one month.

Setup

Bitdefender 2016 insisted on me creating user account for their cloud management crapshoot before I was actually able to get installer and install the software.

On the contrary, Avast’s setup was a snap. One, two, pick components, done.
01-setup
One minor issue I noticed – I’m quite sure Avast setup did not respect my choices and installed more components than I selected in the setup dialog. Or maybe I mis-clicked one checkbox. I’ll give them a benefit of doubt.

Avast – 1 : Bitdefender – 0.

User Interface

After all-dark-and-depressing Bitdefender UI, Avast feels much more brighter, colourful and cheerful. It feels much snappier and faster as well. Everything seems to be intuitive and easy to find.

Avast – 1 : Bitdefender – 0.

Configuration

Avast has all its settings in one place. Bitdefender requires you to open each component separately to access its settings. Avast would be a clear winner here, but..

But good luck trying to find which apps are allowed or blocked by Avast firewall!

Firewall configuration is under “Settings”, just like you would expect. From there you can configure “System rules” and “Packet rules”. However, you won’t find allowed/blocked applications there. Instead, you need to go to Tools->Firewall and locate teeny tiny “Application rules” hidden between “Firewall logs” and “Settings”. WTF?
02-firewall-apps

Taking that into account: Avast – 1/2 : Bitdefender – 1/2

Updates

Both antiviruses handle normal updates very well. No ads, no popups, no annoyances of any kind. Avast seems to have sort of ad hoc streaming updates 24/7 – or at least, that’s what the Statistics tabs shows:
03-stats

However… Today my Avast received a different kind of update that required restart. From what I can tell, this update replaced most of EXE/DLL files in the %PROGRAMFILES%\AVAST Software\Avast\ folder. After restart, my PC got stuck in semi-working state, services.exe and svchost.exe eating most of the CPU resources and Avast showing “try our new-and-cool-whatever-thing-I-don’t-give-a-crap-about” advertisement. In addition to that, Avast claimed that it’s firewall module cannot be started.

Few “repair installation” and Windows restarts later the problem disappeared. As a side effect – all my carefully set privacy settings were reset to defaults, “show offers for other Avast products” was enabled again and all File System Shield exceptions are gone.

Even though I really enjoy invisible 24/7 updates of Avast, I have to reduce Avast’s score due to this major f*ckup.

Avast – 0 : Bitdefender – 1

Bugs and issues

As I described earlier, Bitdefender was far from being perfect. On the contrary, my first impressions of Avast were extremely positive. Great setup, aesthetically pleasing UI, plenty of user-configurable settings. Everything I could ask for!

However, first few weeks of using Avast has been nothing but a source of frustration.

Issue #1 – I’ve configured File System Shield to scan files only on execute. All scans on write or access are disabled for executable files using Avast’s UI.
04-avast-no-write-scan
05-avast-no-access-scan
However, any time I copy-paste suspicious executable files from one PC to another using Remote Desktop Client, Avast File System shield pops up and blocks the copy operation. WTF?!

06-detect-on-copy-paste

Issue #2 – There is no “Beggar off, I know what I’m doing” option in the detection dialog, even for heuristic detections. The previous issue wouldn’t be a big one, if I had a possibility to dismiss detections dialog and continue copying files. But I can’t.
07-no-ignore
So, the only option for me is to disable File System Shield completely. That kinda defeats the purpose of having the antivirus, doesn’t it?

Issue #3 – Myriad of “Win32:Malware-gen” and “Win32:Evo-gen [susp]” detections.
In effort to reduce number of false positives, I’ve set the heuristics and HIPS sensitivity to “Low”. But even then Avast keeps producing plenty of detections on clean files like Goliath obfuscator, ScyllaHide and other reversing tools.

Issue #4 – Leaving statistics tab open for a long time will cause the CPU usage to go high. No idea what causes it, probably the braindead decision to use embedded Chromium and Flash to show the pretty graphs and stuff.

Taking all that into account: Avast – 1/2 : Bitdefender – 1/2

Summary

Avast is a great product – for your grandma’s or neighbour’s PC. But if you ever work with malware, cracked files or anything remotely suspicious, Avast’s super-sensitive File System Shield will drive you mad.

I’ll give it one more shot and try to tweak configuration files manually. But if I can’t make it play nice, I’ll be looking for a different solution for my PC.

24 Mar

MoleBox goes out of business

Molebox as it used to be

A bit of history

MoleBox 2 was released in year 2003 and it was one of the first file virtualization solutions in the market. It bundled executable with the DLL and data files into a single EXE file. At that time that was something new and innovative.

They had quite a success and released another product (MoleBox Ultra, later renamed to MoleBox Virtualization Solution) in year 2009. Apparently it was very hard to fight in the increasingly more competitive market of application virtualization solutions and the last version of MoleBox Virtualization Solution was released in 2013.

Game over

In February 2016 domain molebox.com was sold for $1526. Yesterday their web server started serving generic WordPress page with dating-related spam. And that is just sad. :(
MoleBox dating advice

Release of static unpacker

However, both editions of MoleBox are still very popular with private game server owners, as they allow to bundle patched EXE files together with their custom data files. It’s not a bullet-proof security but stops newbies from stealing their valuable data.

Since the MoleBox company is officially out of business now, I have no more reasons to keep my static Molebox unpacker private. It supports most versions of MoleBox 2.x including the external box files.

Have fun guys! Download link: https://www.mediafire.com/?4mbxycgd8qisq03

P.S. This post was made just because I noticed changes in MoleBox web, I wasn’t planning to release the unpacker today. So, please keep in mind this code was written in year 2009 and has had only one small fix applied in 2015. It’s likely that you’ll encounter some bugs and quirks – please send me the problematic file and I’ll fix the bug. :)

P.P.S. I have static unpacker for MoleBox Virtualization Solution as well. But it doesn’t have a nice UI yet, so it will be released on a later day.

11 Mar

About .NET, googling and lazy programmers.

Delphi fail. .NET win.

Recently, several people sent me bug reports where my EnigmaVB unpacker failed to extract files. In all cases, the problem was caused by really large files, like 3.5GB in size. So, what’s causing the problem?

EnigmaVB unpacker is a 32bit application written in Delphi. And Delphi streams are retarded. They look like they’ve been written in 1990s and were never updated. TMemoryStream uses a continuous memory range, so it can never support anything larger than 2GB. TFileStream internally uses longint, so it doesn’t properly support files larger than 2GB. WTF?

So, I have two choices. I can either make a custom stream class in Delphi, or I can pick another framework and rewrite my tool to use that.

I’m not a programmer, I’m a reverser. I don’t want to spend my time developing custom stream classes. I’d very much rather use this time breaking some code. So, say hello to .NET framework – my next version of EnigmaVB unpacker will be made in C#.. :)

Am I a programmer or a googler?

While researching all the Delphi limitations and possible workarounds, I ran into this great article by Scott Hanselman. Reading both the post and the comments made me think a lot.

Does using Google to solve your programming tasks makes you less of a programmer? I don’t think so.

In fact, I’m just lazy. Most people are. Why should I spend 30 minutes remembering basic algorithms for converting string to hex, if Google query can solve it in 10 seconds? Why reinvent the wheel and write CRC calculation from scratch? I’ll just open StackOverflow and have a solution that’s already tried and tested. It doesn’t mean I can’t do those boring tasks – I just don’t want to.

How about you? Would you be able to write some tools without using Google and StackOverflow?

16 Feb

Updated Meltdown and EnigmaVB Unpacker

About Error Messages

Users can’t read.

Or maybe they don’t want to read. I don’t know.

But one thing I know for sure – you must make your tools foolproof. If your tool is showing an error message, make sure even your grandma could understand it. Otherwise you’ll be getting lots and lots of invalid bug reports.

For example, this is the error message my EnigmaVB unpacker used to show (as reported by ho3ein at Tuts4You):
enigmavb_error_message

It seemed to be very clear to me. First, tool tells user all the versions of Enigma Virtual Box it supports. Then tool explains that it expects to see a PE section with a name “.enigma2” but it found section with a name “.rsrc” instead. To me it’s absolutely clear what happened: this file is not protected with Enigma Virtual Box (or it’s hacked).

But you won’t believe how many times this gets reported as a bug.

There was a similar problem with Meltdown. It clearly stated which versions of DeepFreeze it supports. Then it printed the detected DeepFreeze version. However, the error message didn’t explicitly say “This version of DeepFreeze is not supported”, it said “DeviceIoControl failed.” It makes perfect sense from developer’s point of view, but apparently is very confusing for users.

So, here are improved versions of my tools, fixing the error messages and some other stuff..

Improved EnigmaVB Unpacker

First of all, I fixed the error message. I also added detection and tested compatibility with the latest EnigmaVB v7.40. Hopefully, this will make users happier and less confused. :)
EnigmaVBUnpacker_v034

Improved Meltdown

Meltdown 1.7 fixes confusing error message with DeepFreeze Standard v8.x. Thanks to Alexander for reporting it.

I also took a closer look at DeepFreeze Enterprise versions and found a way to make Meltdown more user friendly. If DeepFreeze Enterprise v7.20+ is detected, Meltdown will get OTP Token automatically and immediately generate correct password.

meltdown17

Download links

Enigma Virtual Box Unpacker: Please get latest version from this post
Meltdown v1.7: https://www.mediafire.com/?b0bamd3t2d6bbkq

10 Feb

How to lose 20% of your readers in one day

I was reading “How WIRED Is Going to Handle Ad Blocking” article and didn’t know if I should laugh or cry. Here are some excerpts:

On an average day, more than 20 percent of the traffic to WIRED.com comes from a reader who is blocking our ads. We know that you come to our site primarily to read our content

Translation: we know that more than 20% of our users hate our irrelevant ads covering half the page. Fucking freeloaders, we can’t make a penny out of them!

We know that there are many reasons for running an ad blocker, from simply wanting a faster, cleaner browsing experience to concerns about security and tracking software.

Translation: we know that ads can be obnoxious and sometimes distribute malware. Hell, big companies like Forbes distributed malware twice last year. We don’t care, as long as we get paid.

So, in the coming weeks, we will restrict access to articles on WIRED.com if you are using an ad blocker. There will be two easy options to access that content.

Translation: WIRED just gave a middle finger to 20% of its users. What a great idea!


EDIT: lots of companies seem to be reacting to WIRED’s move in one way or another. For comparison, here’s the comment by Stack Overflow advertising managers. Now, that’s an attitude that actually makes sense!

20 Jan

Is your password ‘123456’? Mine too!

Last few days everyone is writing about passwords. How the most popular password last year was ‘123456’, how it’s all bad and that we all are idiots.

Let me tell you something – that’s bullshit.

There are 2 types of resources: few important ones (my internet bank, company login, some RE forums, my blog, etc.) and the ones I don’t really care about (2shared, codeproject and everyone else with mandatory registration).

For the important resources I have strong passwords. Unique ones with 8+ characters, mixed case letters, numbers and special symbols. You know the drill.

For everything else I’m using a throwaway email like Mailinator and password ‘123456’. Why? Because I don’t give a crap. You want to crack my Codeproject login to download few files? Please do so. Hijack my Kickass Torrent account and post childish comment or two? Please. Use my account to download something from 2shared? Yeah, why not! I don’t care! :)

So, next time someone runs around screaming about use of insecure passwords, ask yourself – where does this password list come from and who is this person making these statements? Maybe he just wants to sell you something?

Use a password manager such as {software_name} to organize and protect passwords, generate random passwords, and automatically log into websites

Right, let’s make more FUD in effort to sell your software. Genius!

Stay cool, stay safe!