Re: Dustin fess up or you're fired. I asked for you to post tighter source than mine, and ... - Page 2



Re: Dustin fess up or you're fired. I asked for you to post tighter source than mine, and for it to be on my desk this morning. You have one hour.

Ant wrote:
> [quoted text not loaded]

That's good!

Life is short ..... and not to be wasted!  :-)

Re: Dustin fess up or you're fired. I asked for you to post tighter source than mine, and for it to be on my desk this morning. You have one hour.


> [quoted text not loaded]

Not really. He's under the mistaken impression that we don't semi know each  
other.  

--  
Take it easy... Don't let the sound of your own wheels drive you crazy.  
Lighten up while you still can. Don't even try to understand.  
Just find a place to make your stand and take it easy!


Re: Dustin fess up or you're fired. I asked for you to post tighter source than mine, and for it to be on my desk this morning. You have one hour.

Ant wrote:
> [quoted text not loaded]

I do so LIKE you. "Ant"!  ;-)

An HONEST poster, for sure!

D.


Re: Dustin fess up or you're fired. I asked for you to post tighter source than mine, and for it to be on my desk this morning. You have one hour.


Ant wrote:
> [quoted text not loaded]

I do so LIKE you. "Ant"!  ;-)

An HONEST poster, for sure!

D.
--  
Only for now. The time will come when you will go after ant,
just like all the others.  


Re: Dustin fess up or you're fired. I asked for you to post tighter source than mine, and for it to be on my desk this morning. You have one hour.

BurfordTJustice wrote:
> [quoted text not loaded]

Seems like you've been stalking me, Burford.

That's illegal nowadays!

https://www.gov.uk/report-stalker

Perhaps it's time for a request to be made to Ray Banana for your IP  
address. I do hope you are well hidden - like Jax!

--  
The only people who make a difference are the people who believe they can.

Re: Dustin fess up or you're fired. I asked for you to post tighter source than mine, and for it to be on my desk this morning. You have one hour.


> [quoted text not loaded]

Didn't say otherwise with respect to your knowledge level.
  
> [quoted text not loaded]

I don't know how many samples you've personally seen, but I doubt you and I  
have seen anywhere near the same amount. And like I said, the program isn't  
perfect, wasn't intended to be perfect, was simply designed to separate  
executables from junk files often included from users who submit .zip files  
containing god knows what to sites like virustotal and uploadmalware.com.

That was all. The entire point in posting the source code was simply to  
prove a point concerning a specific poster. I asked him a simple question  
and he couldn't answer it. Everything else really, just doesn't matter.


--  
Take it easy... Don't let the sound of your own wheels drive you crazy.  
Lighten up while you still can. Don't even try to understand.  
Just find a place to make your stand and take it easy!


Re: Dustin fess up or you're fired. I asked for you to post tighter source than mine, and for it to be on my desk this morning. You have one hour.


> [quoted text not loaded]

No.
  
> [quoted text not loaded]

I expected more deflection, not semi honesty from you here. You shouldn't  
give a rat's arse, because you aren't a coder. You didn't play along because  
you lack the technical knowledgebase to get in the game. There's no other  
explanation, sorry.

--  
Take it easy... Don't let the sound of your own wheels drive you crazy.  
Lighten up while you still can. Don't even try to understand.  
Just find a place to make your stand and take it easy!


Re: Dustin fess up or you're fired. I asked for you to post tighter source than mine, and for it to be on my desk this morning. You have one hour.

"Dustin" wrote:

> [quoted text not loaded]

Yes.

I've found 3 Windows PE packers which put invalid values into words 2
and 3 of the MZ header. They are:

 Dwing's Upack
 SLV Code Protector
 BeRo Exe Packer

For example, the 1st 14 bytes of a Upack exe are: MZKERNEL32.DLL which
means words 1 & 2 have values of 17739 and 20050 respectively. That's
a size 10 megabytes.

Your program uses the variable 'totalsize' for the size reported by
the header and 'file_length' for the size reported by the file system.
Then the comparison of totalsize being greater than file_length is
used to determine if the file is likely corrupt. Since most Upacked
files are less than 10 megs they would be reported as corrupt and
deleted if the delete option had been chosen.

Upack has been used a lot to pack malware, the others not so much. All
samples fail the validity test by your program.
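An added example, not code from the thread or from EXEVALID, that works through the MZ size-word arithmetic Ant describes and the totalsize-versus-file-length comparison Dustin's tool is said to make. The sample bytes are constructed here: a stub whose first bytes read "MZKERNEL32.DLL" (so words 2 and 3 become 17739 and 20050), and a conventional stub; the e_lfanew offset and "PE\0\0" placement are constructed too. It also shows the sturdier check a validator should make for Windows executables: follow e_lfanew to the PE signature instead of trusting the DOS size fields.

```python
import struct
from typing import Optional

PAGE = 512  # DOS loader page size that the MZ size words count in


def mz_reported_size(data: bytes) -> Optional[int]:
    """Image size claimed by MZ header words 2 and 3 (e_cblp, e_cp).
    Returns None when the data does not even start with 'MZ'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_cblp, e_cp = struct.unpack_from("<HH", data, 2)
    # e_cp pages of 512 bytes; the last page holds e_cblp bytes (0 = full page)
    return (e_cp - 1) * PAGE + (e_cblp or PAGE)


def mz_size_check(data: bytes) -> bool:
    """The heuristic described in the thread: the header-reported size
    (totalsize) must not exceed the real file length (file_length)."""
    claimed = mz_reported_size(data)
    return claimed is not None and claimed <= len(data)


def has_pe_signature(data: bytes) -> bool:
    """Sturdier Win32 check: e_lfanew (dword at 0x3C) must point inside the
    file at the 'PE\\0\\0' signature. Packers that overlay the DOS size
    words still have to keep this intact for Windows to load the file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def build_sample(stub_prefix: bytes, total_len: int) -> bytes:
    """Constructed sample: given header prefix, e_lfanew -> 0x80, PE sig there,
    zero padding to total_len bytes."""
    hdr = bytearray(stub_prefix.ljust(0x40, b"\0"))
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    body = bytes(hdr).ljust(0x80, b"\0") + b"PE\0\0"
    return body.ljust(total_len, b"\0")


# Constructed: Upack-style stub, size words overwritten by "KERNEL32.DLL".
# Claims (20050-1)*512 + 17739 = 10,282,827 bytes, i.e. about 10 MB.
UPACK_LIKE = build_sample(b"MZKERNEL32.DLL", 4096)
# Constructed: conventional stub, e_cblp=0x90, e_cp=3 -> claims 1,168 bytes.
NORMAL = build_sample(b"MZ" + struct.pack("<HH", 0x90, 3), 4096)
```

On the 4 KB Upack-style sample the size heuristic reports "corrupt" while the PE signature check still recognises a loadable executable, which is the failure mode the thread argues about.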



Re: Dustin fess up or you're fired. I asked for you to post tighter source than mine, and for it to be on my desk this morning. You have one hour.


> [quoted text not loaded]

A 10 megabyte file? Yep, I believe I've answered this question previously.  
I'll do it again as I'm sure Pooh will jump on the trolling opportunity.  

Neither version of EXEVALID was designed to process possible malware  
samples several megabytes in size. I usually put the cut off around 8 megs  
or so, myself. Files that large were sent to another folder; they were huge  
for malware, even if it was HLL. When I wrote EXEVALID, I had much smaller  
malware sample filesizes in mind. Now, if it started getting funky on 1-3  
meg or so files, I'd consider it to have been a problem and rework the  
code.

This program was shared in original format years ago and served the needed  
purpose for the other researchers well. Nobody that I know of, would  
consider using it to cull any files reaching megabytes in size.  

I don't disagree it could pose a problem if you used it irresponsibly, but  
I don't think researchers would.

--  
Take it easy... Don't let the sound of your own wheels drive you crazy.  
Lighten up while you still can. Don't even try to understand.  
Just find a place to make your stand and take it easy!


Re: Dustin fess up or you're fired. I asked for you to post tighter source than mine, and for it to be on my desk this morning. You have one hour.

"Dustin" wrote:

> [quoted text not loaded]

Correction: That should read words 2 & 3.

> [quoted text not loaded]

Are you deliberately misunderstanding my words? The header SAYS it's
10 megs but of course the actual file size is not. It's only a few K.

> [quoted text not loaded]

It's a bad idea to use it on PE files where that MZ header value only
reflects the size of the MSDOS stub or is invalid as I've repeatedly
said and now shown. It should not be relied upon to validate Windows
executables.

I see in a later post you've acknowledged it will fail on some valid
exes.



Re: Dustin fess up or you're fired. I asked for you to post tighter source than mine, and for it to be on my desk this morning. You have one hour.


> [quoted text not loaded]

Ant...... it's not good that Exevalid will fail on some exes and needs an
additional check to make sure all exes are found. Makes one wonder why
bother with Exevalid at all if it doesn't do its job properly.  

--  
Jax    :)

Re: Dustin fess up or you're fired. I asked for you to post tighter source than mine, and for it to be on my desk this morning. You have one hour.


> [quoted text not loaded]

Umm, EXEVALID is one tool that was/still is? used by Malwarebytes and  
several other researchers/organizations. Along with other culling tools.

> [quoted text not loaded]

Umm, no. It doesn't work that way, script kiddie.

Malware samples of multi megabyte sizes are separated for further analysis;  
they could be anything really. At this point, nobody even knows if it's  
malware. An executable, an archive of some sort, some dumpfile someone  
accidentally zipped and sent. EXEVALID wasn't, afaik, used on files  
10 megabytes or more in size.  
  
> [quoted text not loaded]

A back end process? You think this is something unique to Malwarebytes?  
Sample culling? Did you notice the date of the exevalid application? It's  
something I used well before I began working for them. They don't own it,  
it's not proprietary technology, it's not something unique to them.

What flaws? It wouldn't be used on a 10+ mega executable, stupid. You  
wouldn't be able to "trick" it, Pooh.

I find it funny that despite you having seen the exe file layout, you  
didn't know about any of this. And your demos would do the same thing, even  
the "corrected" ones you whined so much about. Didn't fix anything at the  
end of the day. did *nothing* abs wasn't already doing; because EXEVALID  
was *never* designed to be used against LARGE files.  

I hope you've had fun trolling Ant into this discussion, but at the end of  
the day, he didn't know what the app was actually for either. You both  
assume way too much. no offense.
  
--  
Take it easy... Don't let the sound of your own wheels drive you crazy.  
Lighten up while you still can. Don't even try to understand.  
Just find a place to make your stand and take it easy!


Re: Dustin fess up or you're fired. I asked for you to post tighter source than mine, and for it to be on my desk this morning. You have one hour.

> [quoted text not loaded]

Dustin isn't that the same as saying Exevalid should not be used in  
situations where its bug will make it fail?  

Well that's true of every buggy program. Think about it!

--  
Jax    :)

Re: Dustin fess up or you're fired. I asked for you to post tighter source than mine, and for it to be on my desk this morning. You have one hour.


> [quoted text not loaded]

I don't mind if you believe me or not. You don't have access to the forums  
where other researchers do and have used the tool. The same forums where  
things like, unpublished exploits, various source code, stolen user  
identities, etc, can all be had. You're a loser without the needed access.  
What you believe doesn't matter.
  
--  
Take it easy... Don't let the sound of your own wheels drive you crazy.  
Lighten up while you still can. Don't even try to understand.  
Just find a place to make your stand and take it easy!


Re: Dustin fess up or you're fired. I asked for you to post tighter source than mine, and for it to be on my desk this morning. You have one hour.


> [quoted text not loaded]

Dustin that sounds like you're a script kiddie who hangs out on forums
with real techs and copies their work.  

--  
Jax    :)

Re: Dustin fess up or you're fired. I asked for you to post tighter source than mine, and for it to be on my desk this morning. You have one hour.

On 5/8/2014 9:53 AM, Jax wrote:
> [quoted text not loaded]
Isn't that what you're doing here jackie?  You've admitted you don't  
understand what's being discussed.  Haven't you actually claimed "techs"  
that were, in reality, posters in other groups?



Re: Dustin fess up or you're fired. I asked for you to post tighter source than mine, and for it to be on my desk this morning. You have one hour.


> [quoted text not loaded]

Nope. Script kiddies like pooh have no access to these places. Nobody wants  
to have to sit around and explain how the stuff in the posts works or is to  
be used. No hand holding. Sorry.
  
--  
Take it easy... Don't let the sound of your own wheels drive you crazy.  
Lighten up while you still can. Don't even try to understand.  
Just find a place to make your stand and take it easy!


Re: Dustin fess up or you're fired. I asked for you to post tighter source than mine, and for it to be on my desk this morning. You have one hour.


> [quoted text not loaded]

Dustin nobody, except you, has dumped their garbage code into A.C.F.  

So don't be surprised if it got thrown back at you. We run a tight ship
here and don't have much room for flaky code. Just saying!

--  
Jax    :)

Re: Dustin fess up or you're fired. I asked for you to post tighter source than mine, and for it to be on my desk this morning. You have one hour.

On 5/8/2014 1:44 PM, Jax wrote:
> [quoted text not loaded]

Really?  And who is responsible for the idiotic cross posting?

> [quoted text not loaded]
You don't run anything.  You don't even understand much of what's  
discussed, by your own admission.  You're not a coder, a programmer or a  
developer.  You're a hack claiming things you don't even understand.  
You're not the appointed netkop, you're a troll.  Stop crossposting and  
all of this would end immediately.  Truth is, you enjoy the hate,  
discontent and chaos you start.


Re: Dustin fess up or you're fired. I asked for you to post tighter source than mine, and for it to be on my desk this morning. You have one hour.


> [quoted text not loaded]

Linda the reason I can see the tech stuff so well is that I stand on the  
shoulders of technical giants. Think about it!

--  
Jax    :)
