Re: Dustin fess up or you're fired. I asked for you to post tighter source than mine, and ... - Page 7



Re: Asic & exe stuff [was: Dustin fess up or you're fired...]


[quoted text omitted]

Dustin..... just wondering why you left out my link to your old thread.
I've put it back in above because it's very interesting to read!  

--  
Jax    :)

Re: Asic & exe stuff [was: Dustin fess up or you're fired...]

127.0.0.1:

[quoted text omitted]

Okay. I'll leave them in. Feel free to read them. [g]

And while you're doing that, check out this:

rem Since I couldn't make this smaller as is
rem  I decided to see what could be done
rem about the exe file itself.
rem Compile as a .com, put this header in front of it to make it an .EXE
rem again; but smaller :)
rem header included:
rem DATA &HEX4D,&HEX5A,&HEX95,&HEX1,&HEX3,&HEX0,&HEX0,&HEX0,&HEX2,&HEX0
rem DATA &HEX0,&HEX0,&HEXFF,&HEXFF,&HEXF0,&HEXFF,&HEXFE,&HEXFF,&HEX0,&HEX0
rem DATA &HEX0,&HEX1,&HEXF0,&HEXFF,&HEX1C,&HEX0,&HEX0,&HEX0,&HEX0,&HEX0
rem DATA &HEX0,&HEX0

rem This results in a much smaller .exe. compile asicc dustn.asi e b/com
rem copy/b mz1.exe+dustn.com dustn.exe (walla!) 1429 bytes.

print"Dusty Buster. Version 3"
print"Written by Pooh the cat April 25th, 2014"
print""
print"Enter filename: ";
input filename$;
rem load the first 6 bytes of the file (start of the MZ header) at offset 0
bload filename$ 0 6
rem skip the 2-byte signature: offset 2 = bytes in last page, offset 4 = page count
y=2
gosub humptydumpty:
rem c& = bytes used in the last 512-byte page; 0 means the last page is full
if c& = 0 then
partialblock=0
else
partialblock=512-c&
endif
gosub humptydumpty:
rem c& = number of 512-byte pages; size = pages*512 minus the unused tail
c&=c&*512
c&=c&-partialblock
print""
print"Totalsize ";
print c&;
print" bytes"
end

rem combine the low byte already in a with the high byte at y (little-endian word)
math_run:
b=a
gosub next_value:
c&=256*a
c&=c&+b
return

rem fetch the byte at offset y and advance
next_value:
a=peek(y)
y=y+1
return

rem read the 16-bit word at offset y into c&
humptydumpty:
gosub next_value:
gosub math_run:
return

  
1429 bytes, using my own header. [g] *spank that ass!*



--  
Take it easy... Don't let the sound of your own wheels drive you crazy.  
Lighten up while you still can. Don't even try to understand.  
Just find a place to make your stand and take it easy!


Resite Post stuff [result treat no differently] lo!

| > Dustin explained :
| >> It's one of several oddities about the language that don't quite match
| >> what the manual says. Another is the dim command. In the examples and
| >> in the manual, nothing is ever said about the array element actually
| >> starting at (0), not (1). So for a ten element array, it needs to be
| >> dim apples(9), not dim apples(10), unless you want to waste an element
| >> or you can't deal with start at 0 instead of 1 situations.
| > From ASIC.DOC
| > "ARRAYS - Each element in an array requires two bytes.  (Don't forget
| > arrays have an element zero (i.e.  DIM A(2) is comprised of A(0), A(1),
| > and A(2))."
|
| Other than my obvious incorrect memory recall on what the manual says, what
| did you think about the rest of my post? I have no problem if you want to
| play trolling games as well as Pooh, but I'll treat you no differently as a
| result.

     Correct Memory Recall
  That the Dustin we all know
Who Treat no One differently

        Pooh-Who-Bear  


Re: Asic & exe stuff [was: Dustin fess up or you're fired...]

"Dustin" wrote:

[quoted text omitted]

Now that's something I either didn't know or have forgotten about -
the fact that DOS will recognise 'ZM' as an exe signature. I don't
recall seeing any like that. Do you know why it's used?

[quoted text omitted]

I wonder if that's another ASIC bug or the fault of NTVDM? NTVDM is
pretty crap at running a lot of MSDOS programs.



Re: Asic & exe stuff [was: Dustin fess up or you're fired...]


[quoted text omitted]

I think it's a relic from older DOS days. Otherwise, I'm not sure.
  
[quoted text omitted]

This one isn't duplicated if an app written using ASIC is running under real  
DOS. So I'd say it's probably an issue with the NTVDM.


--  
Take it easy... Don't let the sound of your own wheels drive you crazy.  
Lighten up while you still can. Don't even try to understand.  
Just find a place to make your stand and take it easy!


Re: Asic & exe stuff [was: Dustin fess up or you're fired...]


[quoted text omitted]

Ant... I have a hunch that it may be yet another ASIC bug.

--  
Jax    :)

Re: Dustin fess up or you're fired. I asked for you to post tighter source than mine, and for it to be on my desk this morning. You have one hour.

p-0''0-h the cat (ES) formulated on Thursday :
[quoted text omitted]

...and there you have it, LOL. Funny, in your sigfile you seemed so  
proud of your trolling accomplishments - you almost wear it like a  
badge of hono(u)r.



Re: Dustin fess up or you're fired. I asked for you to post tighter source than mine, and for it to be on my desk this morning. You have one hour.

p-0''0-h the cat (ES) presented the following explanation :
[quoted text omitted]

LOL



Re: Dustin fess up or you're fired. I asked for you to post tighter source than mine, and for it to be on my desk this morning. You have one hour.

"p-0''0-h the cat (ES)" wrote:

[quoted text omitted]

Keep your hair on.

[quoted text omitted]

Probably, in some posts. I don't know you but from your sig and style
of posting it seems that way to me. I mean no offence. Heck, I've done
it myself in the past. Nothing wrong with a good troll now and again.

Dustin is accusing me of helping you troll him. That's nonsense as
I'm sure you can see from my posts. I try to stick with technical info
I have knowledge of and not get into slanging matches about people's
personalities. Both you and Dustin are poking sticks at each other,
name-calling, ad hominems, trolling each other, perhaps, or whatever
you want to call it.

[quoted text omitted]

I don't care either. My criticism was not aimed at you but Dustin for
effectively admitting to being trolled and yet continuing to respond.



Re: Dustin fess up or you're fired. I asked for you to post tighter source than mine, and for it to be on my desk this morning. You have one hour.

"Dustin" wrote:

[quoted text omitted]

You said I'm not a professional researcher, as if that mattered to the
subject under discussion.

[quoted text omitted]

Perhaps I've seen more. I've been studying malware samples for several
years.

[quoted text omitted]

I've already commented that it's fine for MSDOS-style exes.

[quoted text omitted]

Unfortunately, it will also remove some valid Windows malware. See my
other post.

[quoted text omitted]

It matters to me when you make statements about my experience as facts
when you don't know about it. In that case, I'm going to respond.



Re: Dustin fess up or you're fired. I asked for you to post tighter source than mine, and for it to be on my desk this morning. You have one hour.



[quoted text omitted]

As I said, it's possible, but I doubt it. The schedule we maintained at  
Malwarebytes wasn't an easy time...Lots of samples on a daily basis..  
seemed like it never ended.

I've been studying malware both professionally and as a hobbyist for years  
as well.

[quoted text omitted]

Okay... I'll have a looksee.
  
[quoted text omitted]

I'm sorry, I was simply going by the fact that I've been doing this  
professionally for years. I assumed, perhaps mistakenly so, that my  
processing hundreds of samples per day/week in some cases might put the  
amount I've seen a bit higher than yours. Maybe I'm wrong? If so, I  
apologize.



--  
Take it easy... Don't let the sound of your own wheels drive you crazy.  
Lighten up while you still can. Don't even try to understand.  
Just find a place to make your stand and take it easy!


Re: Dustin fess up or you're fired. I asked for you to post tighter source than mine, and for it to be on my desk this morning. You have one hour.

"Dustin" wrote:
[quoted text omitted]

Don't worry about it. Probably more have passed through your hands but
I've inspected many in some depth. I've seen enough to know the many
forms that Windows malware takes.



Re: Dustin fess up or you're fired. I asked for you to post tighter source than mine, and for it to be on my desk this morning. You have one hour.

dnZ2d@brightview.co.uk:

[quoted text omitted]

That's the advantage of doing it as a hobbyist vs professionally that you  
sometimes can afford. I don't always have the luxury of spending an  
afternoon on a single executable. I've also seen many samples and never  
considered it enough of an issue to worry about. As I never distributed  
exevalid to joe public and left it in the hands of other knowledgeable  
people.

If I'd released this as some freeware app meant for everyone, I would have  
taken the due diligence and made it very stupid user/bad input forgiving.

I didn't post the source to exevalid so much as to discuss it, vs make a  
very simple point with a simple question. Essentially, here's some easy  
human readable source code, can you tell me what it's doing? He couldn't do  
so.  

I got tired of calling him out for the poseur he is, so I thought I'd  
demonstrate (or rather, let him demonstrate) that he actually is a poseur.  
EXEVALID seemed good for this task. Comit would have sufficed too, but  
there's really not much going on in that one. It's just dropping another  
program, basically.  

Although I did write the program it's dropping from scratch, it's still  
nothing fancy and anybody who knows asm can do the same thing. If you took  
a look at it, you can see it's about as simple as it gets for doing this  
and it's been done thousands of times. Drops a .com for size advantage on  
this, obviously. Back then, .coms were still popular enough.

In any event, that was my goal with posting exevalid. Had no idea it would  
stretch on this long.



--  
Take it easy... Don't let the sound of your own wheels drive you crazy.  
Lighten up while you still can. Don't even try to understand.  
Just find a place to make your stand and take it easy!


Re: Dustin fess up or you're fired. I asked for you to post tighter source than mine, and for it to be on my desk this morning. You have one hour.


[quoted text omitted]

Dustin, when you wrote "I never distributed exevalid to joe public"....did
you remember you posted the code for Exevalid to the Usenet? The Usenet is  
public.  

Think about it!

--  
Jax    :)

Re: Dustin fess up or you're fired. I asked for you to post tighter source than mine, and for it to be on my desk this morning. You have one hour.

"Dustin" wrote:

[quoted text omitted]

I must have missed some of the discussion that led up to you posting
it. I'm reading only in ACAV. I saw a subject of "OT: EXEVALID" where
you posted the source without saying why. In other words, I didn't
know why you posted it.

[quoted text omitted]

Perhaps next time you can avoid the cross-posting. WTF does scorched
earth politics have to do with anything anyway?



Re: Dustin fess up or you're fired. I asked for you to post tighter source than mine, and for it to be on my desk this morning. You have one hour.


[quoted text omitted]

Yep, you missed a lot of the conversation. Pooh's been using what you've  
provided to critique my work as ammo. [g]
  


--  
Take it easy... Don't let the sound of your own wheels drive you crazy.  
Lighten up while you still can. Don't even try to understand.  
Just find a place to make your stand and take it easy!


Re: Dustin fess up or you're fired. I asked for you to post tighter source than mine, and for it to be on my desk this morning. You have one hour.


[quoted text omitted]

And because I kept my mouth shut about an issue (the only real issue)  
concerning exevalid, you wrongly assumed I knew nothing about it. I didn't  
know upack was going to return a 10meg file size, but I did know that the  
MZ stub wasn't going to be "reliable" for normal windows files.  

I was working my way up to disclosing that little ditty, AFTER I figured  
for sure, Pooh couldn't possibly excuse his demo's having the same "flaw".

After all, he thought he fixed my program by improving its accuracy for  
the MZ header; and he wasn't able to do that until I showed him how ASIC  
treated integers.

Like I said, the source was just to make a point concerning Pooh.  



--  
Take it easy... Don't let the sound of your own wheels drive you crazy.  
Lighten up while you still can. Don't even try to understand.  
Just find a place to make your stand and take it easy!


Re: Dustin fess up or you're fired. I asked for you to post tighter source than mine, and for it to be on my desk this morning. You have one hour.


[quoted text omitted]

Dustin, I told you my tech David said that your test for MZ was inadequate.
You said it was perfectly okay and made some insulting comments about
David.  

Now you're pretending you knew about the bug all the time......

    "And because I kept my mouth shut about an issue concerning  
    exevalid, you wrongly assumed I knew nothing about it".  

What amazing chutzpah!

--  
Jax    :)

Re: Dustin fess up or you're fired. I asked for you to post tighter source than mine, and for it to be on my desk this morning. You have one hour.

"Dustin" wrote:

[quoted text omitted]

Your reply to my first post on this subject in another thread said:

"You're forgetting? that the MZ stub does contain the correct amount of
 blocks that the entire EXE file *should* be. Which does include PE code at
 that point, obviously. The MZ stubs block size isn't setup just for the
 STUB."

So my comments about what you thought were based on what you wrote;
they were not assumptions. You clearly thought that the PE size is
indicated in the MZ header.
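
The two technical points in this thread, the size arithmetic in Pooh's ASIC program earlier on the page and the claim quoted above that the MZ header's block count covers the PE part of a Windows executable, in Python as an added example. This is not code from the thread or from EXEVALID. The 32-byte header is the one posted in the DATA statements; the .com payload and the PE-like file are constructed here for the demonstration, and the e_lfarlc >= 0x40 rule of thumb for spotting a new-style header is an assumption of mine, not something the thread states.

```python
import struct

# The 32-byte "mz1.exe" header from the DATA statements in the ASIC post,
# transcribed for this example (e_cblp=0x195, e_cp=3, e_cparhdr=2,
# e_ss=0xFFF0, e_sp=0xFFFE, e_ip=0x100, e_cs=0xFFF0, e_lfarlc=0x1C).
MZ1_HEADER = bytes([
    0x4D, 0x5A, 0x95, 0x01, 0x03, 0x00, 0x00, 0x00, 0x02, 0x00,
    0x00, 0x00, 0xFF, 0xFF, 0xF0, 0xFF, 0xFE, 0xFF, 0x00, 0x00,
    0x00, 0x01, 0xF0, 0xFF, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00,
])


def dos_image_size(data: bytes) -> int:
    """Bytes the DOS loader reads, from e_cblp (offset 2) and e_cp (offset 4).

    Same arithmetic as the ASIC program (pages*512 minus the unused tail of
    the last page), plus the case it misses: e_cblp == 0 means the last page
    is full.  DOS accepts 'ZM' as well as 'MZ' for the signature.
    """
    if len(data) < 6 or data[:2] not in (b"MZ", b"ZM"):
        raise ValueError("no MZ/ZM signature")
    cblp, cp = struct.unpack_from("<HH", data, 2)
    if cblp == 0:
        return cp * 512
    return cp * 512 - (512 - cblp)


def pe_offset(data: bytes):
    """Offset of the 'PE\\0\\0' signature, or None for a plain DOS exe.

    e_lfanew sits at 0x3C, which only exists in a 64-byte new-style header;
    e_lfarlc (offset 0x18) >= 0x40 is the usual (assumed) sign of one.  The
    posted stub has e_lfarlc = 0x1C, so its offset 0x3C is payload, not header.
    """
    if len(data) < 0x40:
        return None
    lfarlc = struct.unpack_from("<H", data, 0x18)[0]
    if lfarlc < 0x40:
        return None
    lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if lfanew + 4 <= len(data) and data[lfanew:lfanew + 4] == b"PE\0\0":
        return lfanew
    return None


def check_exe(data: bytes) -> dict:
    """EXEVALID-style check: does the size declared in the MZ header match the file?"""
    dos_size = dos_image_size(data)
    return {
        "dos_size": dos_size,
        "file_size": len(data),
        "pe_offset": pe_offset(data),
        "dos_size_matches": dos_size == len(data),
    }


def wrap_com_as_exe(com_code: bytes) -> bytes:
    """The 'copy /b mz1.exe+dustn.com' trick, generalised to any .com payload.

    Only e_cblp/e_cp are recomputed; every other field is the posted one.
    With a 2-paragraph header, CS = load segment + 0xFFF0 = the PSP segment,
    so CS:IP = PSP:0x100 and SS:SP = PSP:0xFFFE, exactly the .com layout.
    """
    total = len(MZ1_HEADER) + len(com_code)
    header = bytearray(MZ1_HEADER)
    struct.pack_into("<HH", header, 2, total % 512, (total + 511) // 512)
    return bytes(header) + com_code


# Constructed inputs, not files from the thread.  The .com is a 1397-byte
# "mov ah,4Ch / int 21h" (DOS exit) padded with zeros, so the wrapped exe is
# 1429 bytes like the one in the post.  The PE-like file is a 64-byte DOS
# header with the common linker stub values (e_cblp=0x90, e_cp=3), a tiny
# stub, a 'PE\0\0' signature at 0x80 and zero padding out to 4096 bytes.
SAMPLE_COM = b"\xB4\x4C\xCD\x21" + b"\x00" * (1397 - 4)
SAMPLE_EXE = wrap_com_as_exe(SAMPLE_COM)


def _constructed_pe_like(total_len: int = 4096, lfanew: int = 0x80) -> bytes:
    header = bytearray(64)
    header[:2] = b"MZ"
    struct.pack_into("<HH", header, 2, 0x90, 3)      # declares 1168 bytes
    struct.pack_into("<H", header, 8, 4)             # e_cparhdr: 64-byte header
    struct.pack_into("<H", header, 0x18, 0x40)       # e_lfarlc: new-style header
    struct.pack_into("<I", header, 0x3C, lfanew)     # e_lfanew
    stub = b"\xB4\x4C\xCD\x21".ljust(lfanew - 64, b"\x00")
    return bytes(header) + stub + b"PE\0\0" + b"\x00" * (total_len - lfanew - 4)


SAMPLE_PE = _constructed_pe_like()

if __name__ == "__main__":
    for name, blob in (("com-in-exe", SAMPLE_EXE), ("pe-like", SAMPLE_PE)):
        print(name, check_exe(blob))
```

For the com-in-exe file the declared size and the file size agree (1429), because the header describes the whole thing. For the PE-like file e_cblp/e_cp describe only the 1168-byte DOS stub the linker wrote, while the file is 4096 bytes, so a check that only compares the MZ arithmetic against the file size rejects a perfectly ordinary Windows executable; the thread's remark about a packer producing a wildly wrong size is the same failure from the other side, since nothing obliges those two fields to be honest.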



Re: Dustin fess up or you're fired. I asked for you to post tighter source than mine, and for it to be on my desk this morning. You have one hour.


[quoted text omitted]
  
The gig's pretty well up, I've been baited into who can make the smallest  
program at this point anyhow; so I'll come clean. I may even lose that one,  
Pooh's willing to get very down and dirty... lol. I'm sixteen bytes below  
his in size now, so I guess we'll see.

I posted exevalid with a simple question for Pooh. Can you tell me what the  
program is doing? Yes or no. He could not do so.

His fix was never going to work and I didn't plan to tell him why for quite  
some time. Until you came along and started commenting about the program,  
midway thru a discussion that was badly enough deflected from my original  
point. I've tried several times to winky winky at you to please stop  
explaining things so that he can try and fake his way around further and I  
can continue what I was originally doing. I've even resorted to becoming  
semi hostile and "defensive", and you still kept telling him things I was  
planning to ask him later, that at the time, he would have known nothing  
about.

I have no way to contact you outside of usenet. I didn't know you were  
going to come along and explain anything to anyone concerning exevalid. I  
did my best to try and get you to stop, but you wouldn't. I'd try to keep  
something on the down low, you'd bring it right up in the spotlight.  
EXEVALID wasn't for normal joe public, I only posted it to show that  
someone was faking an understanding of some things from another discussion.

I even tried evading and then lying about the PE header information being  
retained in the header. You *still* kept going with it. Not only  
"correcting" me, or so you thought, but telling Pooh what he needed to know  
to fake an actual understanding of something he had no clue about; which  
was the entire point of my having posted the original program to begin with.

OTOH, I did *not* know upack was going to do something like that to my  
program, any version. I do not have a complete list of other packers which  
will cause the validity check to fail either. So I'm not claiming I knew  
everything you've shared here, but I did lie a little bit concerning the PE  
header information. You weren't part of the plan, no offense.

I'm glad you joined in the discussion and critiqued my work as you did  
(whether you knew I knew what I did doesn't matter, your point concerning  
how it can fail is completely valid). I've told several individuals that  
various peers of mine had me under a microscope and if I published  
malicious code, or tried to trick them into doing something harmful; I'd  
get called out on it.  

Although I did neither in this case, you did call me out on the problem  
both versions of EXEVALID have. So I have no doubt you'd call me out if I  
did try something shady/malicious.

The calling out wasn't happening much, so I think I was beginning to lose  
credibility with the claim. I believe you've reinforced my credibility  
concerning peer review.

It would be nice to have some other way of contacting you though in the event  
I was posting relatively harmless code that couldn't be compiled as is (it  
couldn't, either version) so I could tell you what I was up to and this  
wouldn't happen so soon in the future. I'd have no problem if you went back  
after I'd made my point and disclosed issues with what I'd done, but this  
was way too soon. Although I personally think I made my point, I'm not  
convinced many others are.

And of course, I'd expect you on my ass the second I posted something  
malicious, prior contact or not.

Later.

--  
Take it easy... Don't let the sound of your own wheels drive you crazy.  
Lighten up while you still can. Don't even try to understand.  
Just find a place to make your stand and take it easy!

