After figuring out what vbaVarTstEq is doing, stumbling across the answer came a lot quicker. Set a breakpoint on vbaVarTstEq, then take a few steps into the application. Now the problem is not finding the answer, but finding the correct answer. There are several strings that will show up, but that should not stop you.
After poking around I have figured out that it is not lazy about holding the string we need in memory, even when it does not need it. So while stepping through the application will eventually lead me to the answer, it is going to take a lot of time unless I know exactly what I am looking for.
After much stepping around I did not find the answer as quickly as I wanted, so I went to locate the VB calls from inside app8win.exe.
00401180 .-FF25 44104000 JMP DWORD PTR DS:[401044] ; MSVBVM60.__vbaChkstk
00401186 $-FF25 60104000 JMP DWORD PTR DS:[401060] ; MSVBVM60.__vbaExceptHandler; Structured exception handler
0040118C .-FF25 70104000 JMP DWORD PTR DS:[401070] ; MSVBVM60.__vbaFPException
00401192 .-FF25 34104000 JMP DWORD PTR DS:[401034] ; MSVBVM60._adj_fdiv_m16i
00401198 .-FF25 28104000 JMP DWORD PTR DS:[401028] ; MSVBVM60._adj_fdiv_m32
0040119E .-FF25 7C104000 JMP DWORD PTR DS:[40107C] ; MSVBVM60._adj_fdiv_m32i
004011A4 .-FF25 14104000 JMP DWORD PTR DS:[401014] ; MSVBVM60._adj_fdiv_m64
004011AA .-FF25 90104000 JMP DWORD PTR DS:[401090] ; MSVBVM60._adj_fdiv_r
004011B0 .-FF25 38104000 JMP DWORD PTR DS:[401038] ; MSVBVM60._adj_fdivr_m16i
004011B6 .-FF25 8C104000 JMP DWORD PTR DS:[40108C] ; MSVBVM60._adj_fdivr_m32
004011BC .-FF25 80104000 JMP DWORD PTR DS:[401080] ; MSVBVM60._adj_fdivr_m32i
004011C2 .-FF25 6C104000 JMP DWORD PTR DS:[40106C] ; MSVBVM60._adj_fdivr_m64
004011C8 .-FF25 50104000 JMP DWORD PTR DS:[401050] ; MSVBVM60._adj_fpatan
004011CE .-FF25 68104000 JMP DWORD PTR DS:[401068] ; MSVBVM60._adj_fprem
004011D4 .-FF25 1C104000 JMP DWORD PTR DS:[40101C] ; MSVBVM60._adj_fprem1
004011DA .-FF25 04104000 JMP DWORD PTR DS:[401004] ; MSVBVM60._adj_fptan
004011E0 .-FF25 9C104000 JMP DWORD PTR DS:[40109C] ; MSVBVM60._CIatan
004011E6 .-FF25 00104000 JMP DWORD PTR DS:[401000] ; MSVBVM60._CIcos
004011EC .-FF25 AC104000 JMP DWORD PTR DS:[4010AC] ; MSVBVM60._CIexp
004011F2 .-FF25 78104000 JMP DWORD PTR DS:[401078] ; MSVBVM60._CIlog
004011F8 .-FF25 3C104000 JMP DWORD PTR DS:[40103C] ; MSVBVM60._CIsin
004011FE .-FF25 58104000 JMP DWORD PTR DS:[401058] ; MSVBVM60._CIsqrt
00401204 .-FF25 A8104000 JMP DWORD PTR DS:[4010A8] ; MSVBVM60._CItan
0040120A .-FF25 A4104000 JMP DWORD PTR DS:[4010A4] ; MSVBVM60._allmul
00401210 .-FF25 08104000 JMP DWORD PTR DS:[401008] ; MSVBVM60.__vbaLenBstr
00401216 .-FF25 98104000 JMP DWORD PTR DS:[401098] ; MSVBVM60.__vbaVarDup
0040121C .-FF25 30104000 JMP DWORD PTR DS:[401030] ; MSVBVM60.rtcMsgBox
00401222 .-FF25 10104000 JMP DWORD PTR DS:[401010] ; MSVBVM60.__vbaFreeVarList
00401228 .-FF25 B4104000 JMP DWORD PTR DS:[4010B4] ; MSVBVM60.__vbaFreeObj
0040122E .-FF25 40104000 JMP DWORD PTR DS:[401040] ; MSVBVM60.rtcMidCharVar
00401234 .-FF25 74104000 JMP DWORD PTR DS:[401074] ; MSVBVM60.__vbaVarCat
0040123A .-FF25 4C104000 JMP DWORD PTR DS:[40104C] ; MSVBVM60.__vbaVarTstEq
00401240 .-FF25 0C104000 JMP DWORD PTR DS:[40100C] ; MSVBVM60.__vbaEnd
00401246 .-FF25 18104000 JMP DWORD PTR DS:[401018] ; MSVBVM60.__vbaFreeObjList
0040124C .-FF25 88104000 JMP DWORD PTR DS:[401088] ; MSVBVM60.__vbaFreeStrList
00401252 .-FF25 24104000 JMP DWORD PTR DS:[401024] ; MSVBVM60.__vbaHresultCheckObj
00401258 .-FF25 20104000 JMP DWORD PTR DS:[401020] ; MSVBVM60.__vbaStrCat
0040125E .-FF25 2C104000 JMP DWORD PTR DS:[40102C] ; MSVBVM60.__vbaObjSet
00401264 .-FF25 B0104000 JMP DWORD PTR DS:[4010B0] ; MSVBVM60.__vbaFreeStr
0040126A >-FF25 64104000 JMP DWORD PTR DS:[401064] ; MSVBVM60.rtcStrReverse
00401270 .-FF25 A0104000 JMP DWORD PTR DS:[4010A0] ; MSVBVM60.__vbaStrMove
00401276 .-FF25 84104000 JMP DWORD PTR DS:[401084] ; MSVBVM60.__vbaStrCopy
0040127C .-FF25 5C104000 JMP DWORD PTR DS:[40105C] ; MSVBVM60.EVENT_SINK_QueryInterface
00401282 .-FF25 48104000 JMP DWORD PTR DS:[401048] ; MSVBVM60.EVENT_SINK_AddRef
00401288 .-FF25 54104000 JMP DWORD PTR DS:[401054] ; MSVBVM60.EVENT_SINK_Release
0040128E $-FF25 94104000 JMP DWORD PTR DS:[401094] ; MSVBVM60.ThunRTMain
I really don’t do this type of stuff to VB very often, so I started trying to figure out what the purpose of each of these is. A few of them were intuitive: vbaStrCopy, vbaStrMove and vbaVarCat. For one of them I was not able to find a clean explanation to link to for this example.
It was vbaVarTstEq; I found the explanation here. If you scroll down you will find “vbaVarTstEq is like StrCmp in native code- it checks two entities to see if they match.” Now that looks important.
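As an added example (it is not code from the original post and has nothing to do with the crackme itself), here is a small Python script that does the triage above mechanically: it parses OllyDbg thunk lines like the listing, decodes each FF25 operand into the IAT slot the JMP reads (FF /4 with a little-endian disp32), and ranks the MSVBVM60 imports by how likely they are to sit on the path that checks the typed code, so you know which thunks to breakpoint first. The weighting table is my own heuristic; __vbaStrCmp and __vbaStrComp are listed there as the other VB6 compare routines to look for, not because this binary imports them. The sample listing is a subset of the table above with the bracketed operand restored.

```python
"""Triage the MSVBVM60 import thunks OllyDbg shows for a VB6 binary.

Added example, not code from the original post. It parses OllyDbg-style
thunk lines like the ones listed above, decodes each 'FF25 xxxxxxxx'
(JMP DWORD PTR [abs32]) into the IAT slot it reads, and ranks the imports
by how likely they are to sit on the serial-check path, so you know which
thunks to breakpoint first. The ranking table is my own heuristic, not
anything taken from the crackme or from OllyDbg.
"""
import re
import struct

# One OllyDbg disassembly line: address, flag char, opcode bytes, the
# mnemonic (with or without the bracketed operand) and the ';' comment
# naming the import. Both "DS:[401044]" and the bare "DS:" form are accepted.
THUNK_RE = re.compile(
    r"^(?P<addr>[0-9A-Fa-f]{8})\s+[.$>]-FF25\s+(?P<imm>[0-9A-Fa-f]{8})\s+"
    r"JMP DWORD PTR DS:(?:\[[^\]]*\])?\s*;\s*(?P<sym>[^\s;]+)"
)

# Heuristic weights (mine): which runtime calls matter when hunting a serial check.
INTEREST = {
    "__vbaVarTstEq": (3, "variant equality test; the usual place the typed code is compared"),
    "__vbaStrCmp":   (3, "string compare"),
    "__vbaStrComp":  (3, "StrComp(): string compare with options"),
    "rtcStrReverse": (2, "StrReverse(): a transform applied to the input or the key"),
    "rtcMidCharVar": (2, "Mid$() on one character: a per-character loop over the code"),
    "__vbaLenBstr":  (1, "Len(): length check, e.g. exactly 6 digits"),
    "__vbaVarCat":   (1, "variant concatenation: the key being built piece by piece"),
    "__vbaStrCat":   (1, "string concatenation"),
    "rtcMsgBox":     (1, "MsgBox(): the pass/fail branch sits just before the call"),
    "__vbaEnd":      (1, "End statement: a likely failure exit"),
}


def decode_jmp_indirect(imm_hex: str) -> int:
    """The disp32 of FF /4 (JMP r/m32 through an absolute address) is little-endian."""
    return struct.unpack("<I", bytes.fromhex(imm_hex))[0]


def parse_thunks(listing: str):
    """Return one dict per thunk line: thunk address, IAT slot, module, name."""
    thunks = []
    for line in listing.splitlines():
        m = THUNK_RE.match(line.strip())
        if not m:
            continue
        module, _, name = m.group("sym").partition(".")
        thunks.append({
            "thunk": int(m.group("addr"), 16),
            "iat_slot": decode_jmp_indirect(m.group("imm")),
            "module": module,
            "name": name,
        })
    return thunks


def rank_imports(thunks):
    """(score, name, thunk address, reason), highest score first, then by name."""
    ranked = []
    for t in thunks:
        score, why = INTEREST.get(t["name"], (0, ""))
        if score:
            ranked.append((score, t["name"], t["thunk"], why))
    ranked.sort(key=lambda r: (-r[0], r[1]))
    return ranked


def breakpoint_plan(thunks):
    """'bp <addr>' lines for OllyDbg's command-line plugin, best candidates first."""
    return [f"bp {thunk:08X}  ; {name}: {why}" for _, name, thunk, why in rank_imports(thunks)]


# Constructed sample: a subset of the thunk table from the post, bracketed operand restored.
SAMPLE = """\
00401180 .-FF25 44104000 JMP DWORD PTR DS:[401044] ; MSVBVM60.__vbaChkstk
00401186 $-FF25 60104000 JMP DWORD PTR DS:[401060] ; MSVBVM60.__vbaExceptHandler; Structured exception handler
00401210 .-FF25 08104000 JMP DWORD PTR DS:[401008] ; MSVBVM60.__vbaLenBstr
0040122E .-FF25 40104000 JMP DWORD PTR DS:[401040] ; MSVBVM60.rtcMidCharVar
00401234 .-FF25 74104000 JMP DWORD PTR DS:[401074] ; MSVBVM60.__vbaVarCat
0040123A .-FF25 4C104000 JMP DWORD PTR DS:[40104C] ; MSVBVM60.__vbaVarTstEq
00401240 .-FF25 0C104000 JMP DWORD PTR DS:[40100C] ; MSVBVM60.__vbaEnd
0040126A >-FF25 64104000 JMP DWORD PTR DS:[401064] ; MSVBVM60.rtcStrReverse
"""

if __name__ == "__main__":
    for line in breakpoint_plan(parse_thunks(SAMPLE)):
        print(line)
```

Paste the whole thunk table into SAMPLE (or read it from a file) and the first `bp` line is the thunk for __vbaVarTstEq; a breakpoint on the thunk rather than inside MSVBVM60 keeps the return address one frame away from the form code that does the comparison, which is where the JMP to patch lives.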
I have been following this project for a while and I am hoping to get time to install it in the next couple of months. Check it out here; I don’t think it needs a description, the main page does a good job.
The Open Web Application Security Project (OWASP), if you have never heard of it, produces great material.
They have a posting regarding virtual patching, or I guess you could call it a stopgap. Basically, if you are in a situation where you have a vulnerability in your environment but you do not have the ability to remove it, it’s a handy cheat sheet to assist you with it. Also, if you need to sell this for your environment it should help a lot; it is very well worded and does an excellent job of explaining things.
You can read it here.
Lots of analysis, with sections breaking down vulnerabilities by vendor and severity. Some of the total counts for the vendors were unexpected to me; the counts made sense once you finally see them, it’s just that I did not expect some of the orderings.
The later charts, which only include the high-severity counts, were more what I expected.
You can read the report here, it’s not huge.
Lots of work has been done. The biggest item on my list: all of the packages are now Debian compliant.
Go check it out.
It seems that every few months I have the “I know it’s clean” conversation. Most of the time it is not easy to convince the stakeholders in the debate over taking the machine offline and rebuilding versus attempting to clean it.
Cleaning the machines can work, but it’s not 100% and it takes time. Rebuilding can take more time, and if done from known-good sources you won’t have any doubts about the status of the machine.
The Internet Storm Center has a two part blog posting with some great information on this subject.
After looking at this for some time, I have had to start going through the application step by step. I think I have finally found the section where it is comparing my input, so I just need to find the correct JMP to manipulate. I have already found the exit condition I want to reach.
I hope to have this figured out this week.
I have started working on App8win.exe. When you run the exe it brings up something like a calculator and wants you to enter the 6-digit code to pass. I have been digging around inside the file and it appears to have some XMP data in it. I think that there might be something there to follow, but I have not had time yet.
I also took a quick look around the binary for anything of note and could not find anything. I should have this figured out by the end of the week.
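Following up the XMP lead is mostly a byte scan, so here is an added example (my code, not the author's, and run against a constructed buffer rather than App8win.exe): XMP metadata is a UTF-8 XML packet bracketed by `<?xpacket begin=...?>` and `<?xpacket end="w"?>` markers, so it can be found inside any container, an image resource in a PE included, by searching for those markers and handing the `<x:xmpmeta>` element to an XML parser. The packet id in the sample is the fixed one the XMP specification uses; the field values are made up.

```python
"""Locate and decode XMP packets embedded in an arbitrary binary.

Added example, not from the original post. XMP metadata is a UTF-8 XML
packet wrapped in '<?xpacket begin=...?>' ... '<?xpacket end="w"?>'
markers, so it can be found with a plain byte scan whatever the container
(an image resource inside a PE, a PDF, a JPEG). SAMPLE_BINARY is a
constructed buffer: a few PE-looking bytes with one packet inserted, not
the contents of App8win.exe; the packet id string is the fixed one the XMP
specification uses.
"""
import re
import xml.etree.ElementTree as ET

XMP_BEGIN = b"<?xpacket begin="
# Trailer is end="w" (writable, padded) or end="r" (read-only).
XMP_END_RE = re.compile(rb'<\?xpacket end=["\'][wr]["\']\?>')
XMPMETA_RE = re.compile(rb"<x:xmpmeta\b.*?</x:xmpmeta>", re.S)
RDF_CONTAINERS = {"li", "Alt", "Bag", "Seq"}


def find_xmp_packets(data: bytes):
    """Return (offset, packet_bytes) for every complete packet in data."""
    packets = []
    pos = 0
    while True:
        start = data.find(XMP_BEGIN, pos)
        if start < 0:
            break
        end = XMP_END_RE.search(data, start)
        if not end:
            break  # begin marker without a trailer: truncated, ignore
        packets.append((start, data[start:end.end()]))
        pos = end.end()
    return packets


def _local(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def xmp_fields(packet: bytes):
    """Map each property's local name to the list of text values under it.

    Values inside rdf:Alt/Bag/Seq containers are attributed to the property
    that owns the container, so dc:description -> [...] rather than li -> [...].
    """
    m = XMPMETA_RE.search(packet)
    if not m:
        return {}
    root = ET.fromstring(m.group(0))
    parents = {child: parent for parent in root.iter() for child in parent}
    fields = {}
    for el in root.iter():
        text = (el.text or "").strip()
        if not text or len(el):
            continue  # only leaf elements carry values
        owner = el
        while _local(owner.tag) in RDF_CONTAINERS and owner in parents:
            owner = parents[owner]
        fields.setdefault(_local(owner.tag), []).append(text)
    return fields


def scan_file(path: str):
    """Convenience wrapper: (offset, decoded fields) for each packet in a file."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [(off, xmp_fields(pkt)) for off, pkt in find_xmp_packets(data)]


# Constructed packet; the id attribute is the constant from the XMP specification.
SAMPLE_PACKET = b"""<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/">
 <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description rdf:about=""
      xmlns:xmp="http://ns.adobe.com/xap/1.0/"
      xmlns:dc="http://purl.org/dc/elements/1.1/">
   <xmp:CreatorTool>constructed-sample</xmp:CreatorTool>
   <dc:description>
    <rdf:Alt><rdf:li xml:lang="x-default">constructed test packet</rdf:li></rdf:Alt>
   </dc:description>
  </rdf:Description>
 </rdf:RDF>
</x:xmpmeta>
<?xpacket end="w"?>"""

# Constructed stand-in for a PE: DOS magic, padding, PE signature, junk, the packet, junk.
SAMPLE_BINARY = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\xcc" * 100 + SAMPLE_PACKET + b"\x00" * 50

if __name__ == "__main__":
    for offset, packet in find_xmp_packets(SAMPLE_BINARY):
        print(f"XMP packet at offset 0x{offset:x}: {xmp_fields(packet)}")
```

`scan_file("App8win.exe")` gives the offset of each packet, which is the useful part: the offset tells you which section or resource carries it, and whether the packet is just the metadata of an embedded icon or image or something the program actually reads.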
Megaupload is still getting several million visitors a month, even with nothing on it, or it not even resolving anywhere. It is just surprising that it is still ranked in the top 2,500 sites on the internet and is just behind Kim Dotcom’s newest site.
I guess he really was getting 50 million visitors a month when it had content, if the site can get that much traffic with nothing to offer.