Tuesday, August 2, 2016

OLD NEWS ...MAYBE HANDY

Dolch Computer sells a 400-MHz rugged notebook

Dolch Computer Systems Inc. has released one of the first ruggedized 400-MHz Pentium II
notebook PCs.


The MegaPAC-P2 has Intel Corp.’s new 440BX chip set and 100-MHz motherboard bus.
It can hold as many as nine full-size ISA/PCI expansion boards.


The notebook runs on 120- or 220-volt alternating current or on 160-watt Power Anywhere
power supplies or uninterruptible power systems. The 25-pound, shock-mounted unit has an
alloy chassis and composite case.


A black coating on the 10.4-inch active-matrix display reduces glare and reflection.

The MegaPAC-P2 has 32M of EDO RAM, expandable to 128M, and a hard drive as large as 9G.
It will run MS-DOS, any Microsoft Windows operating system, IBM OS/2 or Santa Cruz
Operation Unix.


Federal users of Dolch products include the Air Force, Army, Coast Guard, Environmental
Protection Agency, Federal Aviation Administration, Marine Corps and Navy.


The Fremont, Calif., company sells notebooks on its General Services Administration
Information Technology Schedule contract, as well as on Unisys Corp.’s Air Force
Unified LAN Architecture II buy and Electronic Data Systems Corp.’s NASA Scientific
and Engineering Workstation Procurement II contract.


GSA pricing for the Dolch MegaPAC-P2 starts at $8,746.

https://gcn.com/articles/1998/08/03/dolch-computer-sells-a-400mhz-rugged-notebook.aspx 

Whitepixel breaks 28.6 billion password/sec

Keywords: amd attack bruteforcing gpu hardware performance
I am glad to announce, firstly, the release of whitepixel, an open source GPU-accelerated password hash auditing software for AMD/ATI graphics cards that qualifies as the world's fastest single-hash MD5 brute forcer; and secondly, that a Linux computer built with four dual-GPU AMD Radeon HD 5970 graphics cards for the purpose of running whitepixel is the first demonstration of eight AMD GPUs concurrently running this type of cryptographic workload on a single system. This software and hardware combination achieves a rate of 28.6 billion MD5 password hashes tested per second, consumes 1230 W at full load, and costs 2700 USD as of December 2010. The capital and operating costs of such a system are only a small fraction of running the same workload on Amazon EC2 GPU instances, as I will detail in this post.
[Update 2010-12-14: whitepixel v2 achieves a higher rate of 33.1 billion password/sec on 4xHD 5970.]

Software: whitepixel

See the whitepixel project page for more information, source code, and documentation.
Currently, whitepixel supports attacking MD5 password hashes only, but more hash types will come soon. What prompted me to write it was that sometime in 2010, ATI Catalyst drivers started supporting up to 8 GPUs (on Linux at least) when previously they were limited to 4, which made it very exciting to be able to play with this amount of raw computing performance, especially given that AMD GPUs are roughly 2x-3x faster than Nvidia GPUs on ALU-bound workloads. Also, I had previously worked on MD5 chosen-prefix collisions on AMD/ATI GPUs. I had a decent MD5 implementation, wanted to optimize it further, and put it to other uses.

Overview of whitepixel

  • It is the fastest of all single-hash brute forcing tools: ighashgpu, BarsWF, oclHashcat, Cryptohaze Multiforcer, InsidePro Extreme GPU Bruteforcer, ElcomSoft Lightning Hash Cracker, ElcomSoft Distributed Password Recovery.
  • Targets AMD HD 5000 series and above GPUs, which are roughly 2x-3x faster than high-end Nvidia GPUs on ALU-bound workloads.
  • Best AMD multi-GPU support. Works on at least 8 GPUs. Whitepixel is built directly on top of CAL (Compute Abstraction Layer) on Linux. Other brute forcers support fewer AMD GPUs due to OpenCL libraries or Windows platform/driver limitations.
  • Hand-optimized AMD IL (Intermediate Language) MD5 implementation.
  • Leverages the bitalign instruction to implement rotate operations in 1 clock cycle.
  • MD5 step reversing. The last few of the 64 steps are pre-computed in reverse so that the brute forcing loop only needs to execute 46 of them to evaluate potential password matches, which speeds it up by 1.39x.
  • Linux support only.
  • Last but not least, it is the only performant open source brute forcer for AMD GPUs. The author of BarsWF recently open sourced his code but as shown in the graphs below it is about 4 times slower.
That said, speed is not everything. Whitepixel is currently very early-stage software and lacks features such as cracking multiple hashes concurrently, charset selection, and attacking hash algorithms other than MD5.
To compile and test whitepixel, install the ATI Catalyst Display drivers (I have heavily tested 10.11), install the latest ATI Stream SDK (2.2 as of December 2010), adjust the include path in the Makefile, build with "make", and start cracking with "./whitepixel $HASH". Performance-wise, whitepixel scales linearly with the number of GPUs and with the number of ALUs times the clock frequency (as documented in this handy reference from the author of ighashgpu).

http://blog.zorinaq.com/whitepixel-breaks-286-billion-passwordsec/ 

Sunday, July 31, 2016


Carnarvon fortune and Rothschild hidden vaults

HighClere Castle

GENERATE 70 COMBINATIONS IN 1 SECOND ....WHAT YOU SAY 500 MILLION..HALF A BILLION...

Knuth: Generating All Combinations

I ran into a tricky little problem today: efficiently generating all combinations of k elements from a set of size N. I came up with some ideas but they weren’t efficient enough. I turned to a Knuth Volume 4 preprint on his website, and found all sorts of crazy algorithms for it. Here is a C# implementation I just coded up and tested that people might find useful. It allows you to make a Combination object, and use foreach on it to get all the members.
Note that I had a chance to use the C# 2.0 yield statement; it let me do a fairly direct translation from the pseudocode, although I made a few tiny changes to simplify things. See the comments for a few ways to improve efficiency a tiny bit but it doesn’t affect time complexity. If I understood Knuth, this algorithm runs in O(N choose t) – it’s linear in the number of elements in the output.
Combination class code: Combination.cs
Test class: CombinationsTest.cs
See also: Combinadic on Wikipedia

https://seekwell.wordpress.com/2007/11/17/knuth-generating-all-combinations/ 
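The post's own Combination.cs is only linked, so here is an added example (not the post's code) of the same idea in C: Knuth's Algorithm L from TAOCP section 7.2.1.3, which visits every t-combination of {0, ..., n-1} in lexicographic order using two sentinel entries so the inner loop needs no bounds checks. The function names, the MAXT bound and the row buffer layout are this example's own choices.

```c
#include <stdio.h>
#include <stddef.h>

#define MAXT 64   /* upper bound on t for the fixed-size work array */

/* Knuth's Algorithm L (TAOCP 7.2.1.3): generate every t-combination of
 * {0, ..., n-1}. The current combination is held as c[0] < c[1] < ... < c[t-1];
 * two sentinels c[t] = n and c[t+1] = 0 let step L3 run without bounds checks.
 * Each combination visited is copied into out (t ints per row) while
 * cap_rows rows remain; the return value is the total number visited. */
long all_combinations(int n, int t, int *out, size_t cap_rows) {
    int c[MAXT + 2];
    long count = 0;
    if (n < 0 || t < 0 || t > n || t > MAXT) return 0;     /* nothing to generate */
    for (int j = 0; j < t; j++) c[j] = j;                   /* L1: smallest combination */
    c[t] = n;
    c[t + 1] = 0;
    for (;;) {
        if ((size_t)count < cap_rows)                       /* L2: visit */
            for (int j = 0; j < t; j++) out[count * t + j] = c[j];
        count++;
        int j = 0;                                          /* L3: find the j to increase, */
        while (c[j] + 1 == c[j + 1]) { c[j] = j; j++; }     /* resetting the run below it */
        if (j >= t) return count;                           /* L4: all done */
        c[j]++;                                             /* L5: next combination */
    }
}

/* Number of t-combinations of n elements, obtained by visiting them all
 * (so it costs O(n choose t), the same as the generator itself). */
long count_combinations(int n, int t) { return all_combinations(n, t, NULL, 0); }

int main(void) {
    int rows[10 * 3];
    long k = all_combinations(5, 3, rows, 10);
    for (long r = 0; r < k; r++)
        printf("{%d, %d, %d}\n", rows[r * 3], rows[r * 3 + 1], rows[r * 3 + 2]);
    printf("%ld combinations of 5 choose 3\n", k);
    return 0;
}
```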


C Program to Implement Fisher-Yates Algorithm for Array Shuffling

This C program implements the Fisher-Yates algorithm for array shuffling. The Fisher–Yates shuffle (named after Ronald Fisher and Frank Yates), also known as the Knuth shuffle (after Donald Knuth), is an algorithm for generating a random permutation of a finite set—in plain terms, for randomly shuffling the set. A variant of the Fisher–Yates shuffle, known as Sattolo’s algorithm, may be used to generate random cycles of length n instead. The Fisher–Yates shuffle is unbiased, so that every permutation is equally likely. The modern version of the algorithm is also rather efficient, requiring only time proportional to the number of items being shuffled and no additional storage space. The source code of the C program, which was compiled and run on a Linux system, and its output are on the linked page.

http://www.sanfoundry.com/c-program-implement-fisher-yates-algorithm-array-shuffling/ 
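The linked program is not reproduced above, so this added example (not the linked page's code) shows the modern in-place variant together with the detail that decides whether "every permutation is equally likely" actually holds: the index j must be drawn uniformly from [0, i], which `rand() % (i + 1)` does not do. The random source is injected through a function pointer; `xorshift32` is a deterministic stand-in chosen here so the example is reproducible, not a recommendation.

```c
#include <stdint.h>
#include <stddef.h>

/* Source of 32-bit random words. Injected so the shuffle can be driven by a
 * fixed sequence here and by a CSPRNG (e.g. getrandom(2)) in real use. */
typedef uint32_t (*rand32_fn)(void *state);

/* xorshift32 (Marsaglia): small deterministic generator for the demo only;
 * it is NOT cryptographic and must not be used where the shuffle has to be
 * unpredictable (card deals, token ordering, sampling for audits). */
uint32_t xorshift32(void *state) {
    uint32_t x = *(uint32_t *)state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *(uint32_t *)state = x;
}

/* Uniform integer in [0, bound) by rejection sampling. Only draws below
 * limit, the largest multiple of bound that fits in 32 bits, are kept, so
 * every residue is equally likely; a plain `next() % bound` would favour
 * small values whenever 2^32 is not a multiple of bound (modulo bias). */
uint32_t uniform_below(uint32_t bound, rand32_fn next, void *st) {
    if (bound < 2) return 0;
    uint32_t limit = UINT32_MAX - (UINT32_MAX % bound);
    uint32_t r;
    do { r = next(st); } while (r >= limit);
    return r % bound;
}

/* Modern (Durstenfeld) in-place Fisher-Yates: for i = n-1 down to 1 swap
 * a[i] with a[j] for a uniform j in [0, i]. Drawing j from [0, n) instead,
 * or using a biased j, breaks the "every permutation equally likely" property. */
void fisher_yates(int *a, size_t n, rand32_fn next, void *st) {
    if (n < 2) return;
    for (size_t i = n - 1; i > 0; i--) {
        uint32_t j = uniform_below((uint32_t)i + 1, next, st);
        int tmp = a[i]; a[i] = a[j]; a[j] = tmp;
    }
}

/* 1 if a holds each of 0..n-1 exactly once, else 0 (n <= 64). */
int is_permutation(const int *a, size_t n) {
    uint64_t seen = 0;
    if (n > 64) return 0;
    for (size_t i = 0; i < n; i++) {
        if (a[i] < 0 || (size_t)a[i] >= n || ((seen >> a[i]) & 1)) return 0;
        seen |= (uint64_t)1 << a[i];
    }
    return 1;
}

/* Fill out[0..n-1] with 0..n-1 shuffled from the given seed (demo driver). */
void shuffle_demo(uint32_t seed, int *out, size_t n) {
    for (size_t i = 0; i < n; i++) out[i] = (int)i;
    fisher_yates(out, n, xorshift32, &seed);
}
```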


Sunday, July 24, 2016

Loading custom DLLs instead of original DLLs (Let's talk about Stuxnet again and forget Kapsersky...)

The question below is for educational purposes only, and the discussed features are not meant to alter registered DLLs or develop malware, but are for learning and experimenting.


Recently I've been exploring a few methods to load my own custom DLLs instead of an application's original DLLs. One of the methods that came up was the .local method.
After experimenting with this method a little, and after I removed the KnownDlls entry from the registry, I managed to replace some system DLLs with my patched DLLs successfully.
These are the DLLs:
[screenshot]
However, the DLLs are IN the local folder:
[screenshot]
However, there are still some DLLs that insist on loading from the system32 directory, although they are present in the local folder.
Is there any way I can force the DLLs to load from the local folder instead of the system32 folder?





Any program that tries to substitute system DLLs is malware by definition – David Heffernan Jun 26 at 20:17
@WeatherVane there are many legitimate reasons to do so. 1. Use proxy DLLs to monitor API calls. 2. Replace functionality as I wish. 3. Because some people are enthusiastic to learn and experience. – Aviv Jun 26 at 20:20
To allow for patches to 3rd party libraries. Not to replace core system libraries. – IInspectable Jun 26 at 20:29
@Aviv You claim that .local redirection is possible here. What do you know that we don't? We say that's impossible because the system loader loads those DLLs. Why don't you use hooking? The reality is that you don't want to do that because you want to foist your bogus DLLs on somebody else's process. – David Heffernan Jun 26 at 21:44
@Aviv: David's right with his last two comments. The MSDN page msdn.microsoft.com/en-us/library/windows/desktop/… is pretty clear that the app.exe.local file changes the behavior of LoadLibrary and LoadLibraryEx. ntdll.dll and kernel32.dll are what provide LoadLibrary(Ex), so by chicken-and-egg analysis you can see that they aren't loaded by LoadLibrary(Ex), and therefore are not affected by DLL redirection. In fact, I think you'll find that ntdll and kernel32 aren't loaded into a new process at all, they are in the initial module table. – Ben Voigt Jun 26 at 21:59

This is not an answer so much as a rambling, unsourced, brain dump.
It does serve to explain why I am not surprised at your result. This boils down, for me, to the crucial difference between CreateProcess and LoadLibrary, and how Win32 processes work.
Normally, when using LoadLibrary, you are using it from within the process you want the dll to be loaded into. As such, it can take advantage of a whole bunch of in-process context information about activation contexts, dll search paths etc. including knowledge of things like the app.local flag. All these values are specific to the current process and it is not the job of any other process (or even the Kernel) to track stuff like this.
But, if we look at CreateProcess we can see some problems. When it is initially called, it is called in the context of the launching, not the destination, process, so it knows nothing of the destination process's activation context. In fact, the destination process does not exist yet.
The CreateProcess implementation needs to create an NT process and execute some code in it asap to perform the process load, as it doesn't make any sense to instantiate all that per-process context stuff in the current process.
But, to do that, there needs to be at least some code in the destination process: The kernel code responsible for parsing the EXE files header, extracting the headers and building the activation contexts that will be used to load the remaining dlls.
This means that, unfortunately for you, kernel32.dll and some dependencies need to be mapped into a process long before that process is capable of building a dll search context, noticing the app.local flag etc.


It's indeed a bit rambling. Perhaps most importantly, CreateProcess doesn't actually do that much work. It kicks off kernel code which then creates the new process, maps a few core DLLs, and then starts running the new process. But all that isn't CreateProcess. Have a peek at NtCreateProcess –

You should look at how the Windows loader works. This is OS version dependent, but some of those DLLs load before your program and the loader always looks for them on a path provided by the system. Look at the sequence by starting your program with WinDbg.

http://stackoverflow.com/questions/38042757/loading-custom-dlls-instead-of-original-dlls 

This is a very, very nice tool. What I mean by this is that, in the case of Bilock's casino and vault locks, there's a vulnerability called "pull plug forward and not turn", but as the description says: "The tool is also especially useful in car openings applying picking techniques (e.g. in the case of BMW, Daimler-Chrysler), because here the lock must be picked in the locking direction and then must be flipped into the unlocking direction very quickly..."

Wednesday, July 20, 2016

How to make a cheap transponder key bypass

Hack the diagnostics connector, steal yourself a BMW in 3 minutes

Your BMW comes with a $160 key with a computer chip and security code inside to make the car hard to steal. The common thief can’t steal your Bimmer, but in Europe, at least, hacker-thieves apparently have been able to subvert the car’s intrusion alarm in a separate step to break in, then access the car’s OBD (on-board diagnostics) connector, collect unsecured or easily decoded information on the key codes, program a new key, and drive away.




Hacking Automotive Ultrasonic Sensors


Step 1: Hardware

[Images: TxRx_Circuit.JPG, TxRx_Board.JPG, MBed_Setup.JPG]


Each sensor has three pins. The pins are +8.5 volt supply, single wire half duplex comm, and ground.  In a vehicle, the UPA module provides the 8.5 volt regulated supply to the sensors.  The UPA is able to switch this supply on, and off, at will.  As an example, while traveling down the highway the sensors are switched off.  When the vehicle slows below some magic speed threshold the sensors are switched back on.

The single-wire comm between the UPA module and the sensor seems a bit strange to me.  When inactive the bus idles at eight volts.  In open-collector fashion, the UPA module and sensor communicate by pulling the bus low for short pulses.  The strange part is that the UPA sends digital commands to the sensor and the sensor responds with either a digital waveform that looks like the actual echo, or normal digital bits, depending on the command.  For the echo response it's as if they took the analog signal right off the piezo element, ran it through an op-amp comparator, and sent the op-amp output out onto the comm wire.  It's strange and slick at the same time.  The downside is that the micro has to use a fast timer to measure all those echo pulses; there is no simple UART action to receive an echo response.

After power-up, the UPA sends a bunch of data to the sensor.  I'm guessing the first set of pulses initializes the sensor with a certain gain level, and that each type of vehicle has a different initialization string of data pulses.  The UPA then appears to send a couple of reset commands to the sensor, each acknowledged by the sensor.  Finally, a sensor scan sequence starts on the UPA, where one sensor is commanded to ping while one or two other sensors are simultaneously commanded to listen only.  Using one sensor to ping and one or two sensors to listen allows very close objects to be detected.  All the results from the sensors are collected by the micro in the UPA.  Note that the Star12 micro in the UPA can capture timer values as pulses come in; there are eight pins on the Star12 with this ability.  So a pulse triggers the Star12 to capture the timer automatically, and at the same time an interrupt flag is set for that pin.  In the interrupt routine the micro buffers the captured value, clears the interrupt flag, and returns.  The cool part is that the timer value is captured in hardware right when the trigger happens, so even if there is jitter in the interrupt response it doesn't matter, because the timer has already been captured.  Motorola really knew how to design automotive micros.  OK, I admit it, as an ex-Motorola employee I still have a soft spot for old Moto.  Note that Motorola sold the micro division to Freescale some 6 to 8 years ago, and has also sold my old automotive division.

Do you know how Motorola got its name?  Well, 100 years ago a Victrola played records.  Motorola got its name by putting a Victrola (not an actual Victrola, just the idea of playing a record) in a motor vehicle: Motor Car + Victrola = Motorola Car Radio.  Motorola got its start by manufacturing automotive radios.  Now Motorola is totally out of the automotive business, which makes me sad.  Anyway, a bit of trivia.

Back to the hardware setup.  The development board shown below, which I built, interfaces four sensors to an MBed development micro.  Each sensor must have a buffer circuit to convert the bus voltages down to the 3.3V TTL levels used by the MBed micro.  You can think of the sensor bus as a half-duplex communications bus.  It appears the communication on the bus is 9600 baud serial; at least my LSA (logic state analyzer) can decode the pulses when set to 9600 baud.

I simply used pins P21 through P28 on the MBed to interface to the four sensors on my development board.  The MBed looks to be even better at processing pulse trains than the Star12.  It has all the bells and whistles that the Star12 does, plus a lot more.
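The two observations above, that the bus looks like 9600 baud serial and that the micro sees it as input-capture timestamps rather than UART bytes, can be combined in software. This added example (not part of the Instructable) decodes 8N1 frames directly from an edge-timestamp list of the kind a capture timer produces; the 8N1 framing, LSB-first bit order and one idle bit between frames are assumptions, since the text only establishes the baud rate, and the sample capture is constructed by the encoder in the same file.

```c
#include <stdint.h>
#include <stddef.h>
#define BIT_US 104.1667   /* one bit period at 9600 baud, in microseconds */
/* One input-capture record: timestamp and the bus level after the edge. */
typedef struct { uint32_t t_us; int level; } edge_t;

/* Bus level at time t rebuilt from the edge list; idle high (the 8 V idle
 * state described above) before the first edge. */
static int level_at(const edge_t *e, size_t n, double t) {
    int lvl = 1;
    for (size_t i = 0; i < n && (double)e[i].t_us <= t; i++) lvl = e[i].level;
    return lvl;
}

/* Decode 8N1 bytes (LSB first) from captured edges. Every falling edge is a
 * candidate start bit; data bits are sampled at their centres and a frame
 * whose stop bit is not high is discarded as a framing error. */
size_t decode_8n1(const edge_t *e, size_t n, uint8_t *out, size_t cap) {
    size_t count = 0;
    for (size_t i = 0; i < n && count < cap; i++) {
        if (e[i].level != 0) continue;                        /* not a falling edge */
        double t0 = e[i].t_us;
        uint8_t b = 0;
        for (int k = 0; k < 8; k++)
            if (level_at(e, n, t0 + (1.5 + k) * BIT_US)) b |= (uint8_t)(1u << k);
        if (level_at(e, n, t0 + 9.5 * BIT_US) != 1) continue; /* framing error */
        out[count++] = b;
        while (i + 1 < n && e[i + 1].t_us < t0 + 9.5 * BIT_US) i++; /* consume frame */
    }
    return count;
}

/* Edge list a transmitter on this bus would produce for bytes (8N1, one idle
 * bit between frames). Used here only to construct a sample capture. */
size_t encode_8n1(const uint8_t *bytes, size_t nb, edge_t *edges, size_t cap) {
    size_t ne = 0; int lvl = 1; double t = 0.0;
    for (size_t i = 0; i < nb; i++) {
        for (int k = 0; k < 10; k++) {      /* start, 8 data bits LSB first, stop */
            int bit = k == 0 ? 0 : k == 9 ? 1 : (bytes[i] >> (k - 1)) & 1;
            if (bit != lvl) {
                if (ne == cap) return ne;
                edges[ne++] = (edge_t){ (uint32_t)(t + 0.5), bit }; lvl = bit;
            }
            t += BIT_US;
        }
        t += BIT_US;                        /* idle bit between frames */
    }
    return ne;
}

/* Constructed self-check: encode a sample message, decode the capture, and
 * return the byte count if every byte came back intact, otherwise -1. */
int roundtrip_8n1(void) {
    static const uint8_t msg[] = { 0xA5, 0x3C, 0x00, 0xFF, 0x55 };
    edge_t edges[64]; uint8_t got[8];
    size_t ne = encode_8n1(msg, sizeof msg, edges, 64);
    size_t nd = decode_8n1(edges, ne, got, 8);
    for (size_t i = 0; i < nd; i++) if (got[i] != msg[i]) return -1;
    return nd == sizeof msg ? (int)nd : -1;
}
```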


STEP 2 AND STEP 3 :
http://www.instructables.com/id/Hacking-Automotive-Ultrasonic-Sensors/ 


How to read BMW fault codes with c110 code reader


The Creator c110 BMW code reader v4.0 supports BMW models from 2000 to 2013. It can read trouble codes, clear trouble codes, display the live data stream, perform component testing, clear adaptations and show vehicle information.
The C110 BMW code reader is readily available at most automotive retailers.
How do you use the BMW c110 OBD2 scanner to read BMW fault codes?
First: Slide the key into the ignition. Don’t start your car or switch on the electrical system, just leave the key there.
Second: Connect the c110 OBD2 scan tool to the OBD port beneath the dashboard and steering column. You may have to feel around for it, but it’s a large outlet and you will not need tools to find it.
Third: Turn the BMW c110 OBD2 scanner on.
Fifth: Wait for the code to appear on the c110 OBD2 scanner, then jot the alpha-numeric code onto a scrap of paper before unplugging the c110 scanner and turning off the vehicle ignition.
Finally: Copy the alpha-numeric trouble code into a Google search. You will likely get a page of results that offer definitions for that particular fault code.