
Thread: Mamba Black Copy and the Chinese

  1. #41
    Join Date
    Apr 2007
    Location
    Toronto Canada
    Posts
    1,120


    Ok, ok guys, relax. If my apology is needed, here it is!

    What is puzzling me is this: why the hell would you crack a program which is for sale and put a trojan inside? It just doesn't make any sense.
    I hired an Italian guy to do my wires. Now they look like spaghetti!

  2. #42
    Infinitus Excellentia Ion Laser Dominatus
    Join Date
    May 2007
    Location
    A lab with some dripping water on the floor.
    Posts
    9,890


    Quote Originally Posted by drlava View Post
    Ouch! So how did you get such a poor opinion of programmers?

    Up until the end of DOS, I admired programmers.

    I think I can say I limit my anger to PC programmers.

    It started some time after Windows 95 SP II. It got worse when I was de facto sysadmin for about 30 Windows machines used mainly by foreign nationals. Spent more time maintaining than using, spent countless hours recovering, disinfecting, etc. At one time I advocated the death penalty for only two things: treason and writing viri. And normally I oppose the death penalty on the grounds of expense and morals and innocents who get falsely convicted.

    One kid nearly lost his entire thesis to a click-this-window-and-win scheme.
    That took me two days to pull off the trashed disk, mainly by hand, digging for bytes. (No backup; he was too busy to do it.)

    At UA it came down to blinkylights. Hit any key, see a flash of the hub blinkenlichten synced to the keystroke. Happened more than I care to remember. Come into the lab late at night to finish a task, and watch an idle hard drive spin up for no reason at all. I left the sides off many of the machines so we could get cables in and out of IO cards. I could hear the drives spin.

    Then there was TT&T aka Thai Telephone and Telegraph. One of the grad students brought people into the lab late at night and used something very much Skype-like to let his friends and others call home. Its packets were far, far larger than needed to send VoIP.

    Two or three other incidents I can't discuss here.

    My own team trying to datamine our campus computers on behalf of their nation, browser plugins doing datamining for God only knows who. The campus computer bunch trying to settle scores, and on and on and on.

    Not to mention some of Micro$oft's autoupdates that set things backwards or rendered files that were created with certain codecs useless.

    Finally we got an Information Services VP that was more interested in performance than the good ole days of VAXen and installed real firewalls.


    And please, when you have OSes that have 16 million or more lines of code, how do the script kiddies find some of the holes? Surely they don't go through compiled OS code line after line with a debugger. I have long suspected the anti-virus bunch leaks vulnerabilities. After all, 2000NT ran almost well enough to be the last OS needed.

    Dont get me started on RED STAR browser plugins and BOTNET ZOMBIES.

    Or the teenager that used our campus system to bust into NIST and DOD. Rather than charge him, let's just say he's now a highly paid consultant.

    Call me paranoid, but $49 a year or $19 a month for some of these antivirus schemes must rake in the money. If viri stopped, a lot of people would lose a lot of money.

    Then we can get into the applications side of things. Many apps are written very poorly, and before the dot-com blowup it was guys who got paid to write 12 to 15 lines a day and never really tested their products. Or code farmed out to least bidders in far away places. Funny how much "freeware" is better written than a lot of commercial code.

    A certain 16-million-dollar POS by a major accounting software multinational that ran paperless purchasing, accounts payable, payroll and benefits for the campus, and cost 1 million dollars a year to upgrade and support: for two years I needed to submit both hardcopy and software parts requisitions because of cruddy code. That thing lost records and accounts, etc. We would have been better off staying with paper.

    END RANT.

    Steve
    Last edited by mixedgas; 05-11-2009 at 13:52.
    Qui habet Christos, habet Vitam!
    I should have rented the space under my name for advertising.
    When I still could have...

  3. #43
    Join Date
    Apr 2007
    Location
    Toronto Canada
    Posts
    1,120


    Quote Originally Posted by gottaluvlasers View Post
    dr laser...
    I applaud some of your questioning, but ya did kinda get carried away with your accusations and degrees of "questioning intentions." ESPECIALLY toward Adam, who probably helps and supports more threads and people here than the rest of us combined. Maybe you're a sarcastic SOB like me, I don't know, but sometimes that is VERY hard to detect over typed words on a screen. I'm sure you didn't mean to personally attack him the way that it came across (well, I hope not anyway).
    English is my SECOND Language!
    I hired an Italian guy to do my wires. Now they look like spaghetti!

  4. #44
    Join Date
    Jul 2006
    Location
    Connecticut, USA
    Posts
    2,478


    Quote Originally Posted by Dr Laser View Post
    English is my SECOND Language!
    All good, doc. I didn't know that and, to be honest, not sure if Adam does either. You just came across wrong, that's all. If I know Adam (which I think I do, to a point) he isn't the type to hold a grudge. This forum has proven to let people bitch it out for a little bit and then buy each other a beer. So I don't think there are too many hard feelings.

    NOW---

    THE SOFTWARE IS FUBAR!!!!!! DONT USE IT!!!!!!!!!!!!!!

    Shouldn't really wanna support pirated software in this industry anyway. (I'm NOT accusing ANYONE here of supporting it! Just saying it as a generalization!!!)

    -Marc

    ILDA- U.S. Laser Regulatory Committee

    Authorized Dealer for:

    • Pangolin Laser Software and Hardware
    • KVANT Laser Modules & Laser Systems
    • X-Laser USA
    • CNI Lasers
    • Cambridge Technology & Eye Magic Professional Scanning Systems

    FDA/CDRH Certified Professional LuminanceRGB Laser Light Show Systems


  5. #45
    Infinitus Excellentia Ion Laser Dominatus
    Join Date
    May 2007
    Location
    A lab with some dripping water on the floor.
    Posts
    9,890


    Quote Originally Posted by Dr Laser View Post
    Ok ok guys relax. If my apology is needed here it is!

    What is puzzling me is this: why the hell would you crack a program which is for sale and put a trojan inside? It just doesn't make any sense.


    Does anything evil make sense any more?

    Only if the trojan gets you access to more laser technology sitting on somebody's hard drive, or if you are a Chinese national sitting behind their national firewall and want out; just insert either a criminal or James Bond illogical ploy here. Maybe they want .ILD frames or social security numbers, who knows.
    Heck, do Nigerian letters make sense?

    It has to be insidious.

    Old Grumpy posted the wrapper the crackers use, its interesting to say the least.

    Steve
    Qui habet Christos, habet Vitam!
    I should have rented the space under my name for advertising.
    When I still could have...

  6. #46
    Join Date
    Jan 2006
    Location
    Charleston, SC
    Posts
    2,147,489,446


    Quote Originally Posted by Dr Laser View Post
    What is puzzling me is this: why the hell would you crack a program which is for sale and put a trojan inside? It just doesn't make any sense.
    I actually have two theories about that. One benign, and one malicious. I do not know if either one is true, but these are my theories.

    The benign theory is that someone in China happened across one of the older versions of Mamba that had a bug in the copy protection. (Either via BitTorrent, or DC++, or some other warez-sharing site.) They made a few simple changes to it and started distributing that version as their own. And at some point, the machine that they were using to burn copies of the disc got infected with a virus, and thus so did the distribution. (Or, alternately, the version they originally obtained was already infected.) Yeah, I agree that this is a long shot, but it's one possible theory. The sellers may simply be unaware that their software is infected.

    The other, more malicious theory goes something like this: They installed the virus intentionally, with the hope that the people that buy the software won't detect it. Then, once the machines are infected, they can be used to assemble a bot-net, which can be sold to other groups for DDOS attacks or other nefarious crimes. This, I think, is a little more likely, simply because there is more and more of this sort of thing going on these days - particularly in Eastern European and Asian markets.

    The real story behind how the virus got there will probably never be known. However, several people have reported that the software is infected now, and that is the important thing to remember.

    Adam

  7. #47
    Join Date
    Jul 2008
    Location
    Maryland
    Posts
    1,691


    My theory goes like this..

    The DAC sellers were looking for software to include with their DAC; they requested a cracked version of the Mamba software from a "we can crack your software for you" group. As is standard practice, the cracker included the malicious code without the vendor knowing about it. The software was distributed and then the virus was found and defeated by up-to-date antivirus software.
    Quis custodiet ipsos custodes?
    Solid State Builders Group

  8. #48
    Join Date
    Feb 2007
    Posts
    1,725


    Pardon the lengthy multi-quote; this thread got so convoluted I had to use Notepad. Hopefully my post will be seen as informative and serve to end part of this drama.

    -bart- : What was the exact name of the threat/trojan etc, etc.
    This I would be interested in knowing also. The executable in question along with its exploit, wrapper and payload would go a long way to answering a number of the questions here.

    keeperx : agreed.. a Trojan does not eat processor cycles. It sits and waits for an event or trigger to activate it. Oftentimes the payload is downloaded and installed without the user even knowing it, but the trojan itself is never that complex.

    trojans work in a few ways
    <snip>
    A trojan is modeled after the trojan horse of legend. It is benign in nature and the payload is the scary part *however* with the complexity of operating systems these days one misplaced NOP can drop a boxen faster than a nail-gun to a race horse past its prime.

    Dr Laser : I totally agree. Besides, cracking can lead to severe memory leaks and CPU usage.
    Exactly, these holes and leaks are byproducts of a process that is performed in less than clean room environments with the equivalent of a blindfold on. One poorly placed JMP/NOP is all it takes.

    mixedgas: If you want to find out which little snippet of infectious code is there, set up a spare, isolated machine, download the code, and see what happens.
    This "forensic" approach to the problem is something I personally find entertaining and can make for a very interesting weekend with a friend of mine and a bottle of scotch.

    keeperx : If the virus was embedded in the autorun of the CD, or the installer file (triggered by the autorun), then it probably was/is a dropper.
    This is inconsequential even without the extra information as requested above.

    Dr Laser : It puts autorun.inf together with an executable file on every drive. You insert a flash drive... booomm, it's infected!
    Pentesters are very apt to talk about their "white-hat" exploits. There is one "report" I read where the group left a box of thumb drives in a bank parking lot and made it look like the box fell off a truck. This is white-hat as the sec audit was requested by the bank to see how secure they really were and this group went the extra mile. End result: Numerous employees were "curious" about these thumb drives and plugged them in to their work computers. I imagine, given US banking regulations, they couldn't pop the host remotely and needed something good for the high-dollar report.

    Things : Also keep in mind, it is *CRACKED* software, so it may even have the cracking program on the disk, to crack the program when it runs! In that case, your AV would be picking up the keygen/cracking proggy, and not the program itself.
    This is likely the case. Encapsulation techniques/exploits are easier to detect than actual payloads *most* of the time, due to the simple fact that you can encrypt the payload and then, after the exploit has proven efficacy, decrypt it using the target's resources. Quick ref: http://milw0rm.com/shellcode/win32 and there's always the trusty, however dated, Metasploit.

    Don't get me started on Core Impact though.

    http://insecure.org/

    liteglow : And it have losses of functions, and no updates whatsoever !
    I have no idea how the software handles updates or anything like that; however, a loss of function should be expected if they used the Rockey 4 thing to its full potential by adding verification checks all over the codebase. It's likely some of the verification steps would be missed, but I want to stress that my thoughts on this matter are based solely on conjecture and reading some of the provided docs here: http://www.rockey.nl/en/support/rockey-download.html

    Dr Laser : I have a very strange suspicion that our LED controlling software is calling home.
    A packet sniffer is your friend.

    buffo : But just because you don't know how to test your software (or are too lazy to do it) doesn't give you free reign to accuse others of lying about a legitimate problem with this pirated version of Mamba Black.
    Vitriol aside; buffo brings up a very good point... just about everything here is spoken from an outside perspective. No one here has any real idea what the whole picture is so it is *best* from my perspective to limit the conversation to "what is known" instead of generating theories.

    I apologize if there is more information available on this topic elsewhere like the assorted mailing lists referenced. I am not on these lists.

    mixedgas : remember many governments, including China, ordered microsoft to give them the source code to Windows, this means they know about any internal debugging tools or back doors, and you know that data had to leak.
    The last time I heard about any of these source leaks was back in 2004. http://www.kuro5hin.org/story/2004/2/15/71552/7795 From what I gathered "the leak" was a tiny fraction of the actual codebase. Still though, yea, if a group had enough time and expertise to dig through the code they would likely find unsigned ints which could lead to a "novel and new" exploit.

    Anywho; I digress.

    Dr Laser : I used to do Assembly programming HEX debugging and know how to call functions. You can call from anywhere actually if you know what you're doing.
    As referenced above; Yea *if* you know what you are doing and have bypassed the proverbial veil and get root/sys access privs. Play around in metasploit with a patch0 copy of windows xp to get an idea of the complexity behind this.

    drlava: To you and Dr Laser, you can run a bidirectional firewall like the free sygate personal firewall that will ask your permission before allowing programs to contact the internet.
    That's one way of going about it. It boils down to just how secure you want your boxen to be. Perfect security? Keep the machine isolated from everything including people... Really does defeat the purpose of having and using said machine if it's in a locked room under armed guard. Again; I digress.

    gottaluvlasers : why does it seem to always come down to "the man trying to bring the small hobbyist down!?!?"

    seems like whenever something like this comes up or some sort of a sotware issue arises its ALWAYS about pangolin and ILDA conspiring against everyone/everything else.
    I tire of these conspiracy theories and always do a mental Occam's razor check before taking any of it seriously. I loathe having to say "Ahh, so that's what my foot tastes like..."

    gottaluvlasers : this software is INFESTED. plain and simple. I don't think hundreds of people got together in some round room and decided to come up with a conspiracy theory about some pirated chinese software that moves laser beams around.
    EXACTLY.

    Dr Laser : What is puzzling me is this: why the hell would you crack a program which is for sale and put a trojan inside? It just doesn't make any sense.
    EXACTLY. Though your reasoning and line was accusatory, I believe this message rings true. It doesn't make sense from any perceivable angle. Combinatorial logic and game theory would allude to no parties having any perceivable gain by adding a payload to the crack. My guess? Same as around here somewhere: a machine that made copies of the cracked software was infected and, if you will pardon the terminology, bootstrapped itself to the executables before discs were burned.

    mixedgas : And please, when you have OSes that have 16 million or more lines of code, how do the script kiddies find some of the holes? Surely they don't go through compiled OS code line after line with a debugger. I have long suspected the anti-virus bunch leaks vunerabilities. After all 2000NT ran almost well enough to be the last OS needed.
    That's the thing with compiled code... there are no real lines to go through, and a debugger is effective if you already have the source to compare against, thus defeating the need for it in this specific instance. Think about it... If "They(Tm)" had access to the source code one could just go through it and find/replace all the rockey4 calls then compile it. (To any hardcore w32asm/assembly/programming jocks out there, I know I am simplifying this to the point of absurdity; I figure the majority of the audience here wouldn't understand why when I drink I sometimes run around the room yelling NOP! when I fail something simple like opening a door handle.)

    For compiled code reverse engineering *only* Fuzzers are ok if you have some time to kill, a great idea, a good starting point, and a lot of knowledge on the topic at hand.

    mixedgas : ...many apps are written very poorly...

    Old Grumpy posted the wrapper the crackers use, its interesting to say the least.
    Poorly isn't the word. I would choose abysmal. To take the "programmer/artist" analogy to a logical end point how many artists do you know care about the construction of their medium and the binders in the paint being used?

    That aside; I'd be interested in this wrapper.

    buffo :
    The other, more malicious theory goes something like this: They installed the virus intentionally, with the hope that the people that buy the software won't detect it. Then, once the machines are infected, they can be used to assemble a bot-net, which can be sold to other groups for DDOS attacks or other nefarious crimes. This, I think, is a little more likely, simply because there is more and more of this sort of thing going on these days - particularly in Eastern European and Asian markets.
    Unlikely though not improbable. The "Laserist market" is pretty small and why bother crafting something this complicated when a simple XSS exploit on a myspace page will bag and tag a far larger number of users who are less technically literate and subsequently more likely to let the infection pass unnoticed?

    keeperx : My theory goes like this..

    The DAC sellers were looking for software to include with their DAC; they requested a cracked version of the Mamba software from a "we can crack your software for you" group. As is standard practice, the cracker included the malicious code without the vendor knowing about it. The software was distributed and then the virus was found and defeated by up-to-date antivirus software.
    You are wrong to the point I will not even bother driving a mack truck through the holes you have left in your theory. Just... No.
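Dr Laser's observation above (autorun.inf plus an executable dropped on every drive) and the parking-lot thumb-drive story both come down to the same artefact, so here is an added example, not code from this thread or from any of the vendors named in it, of what to look for on a drive root before you trust it. It builds its own sample drive roots as constructed test data (one clean, one carrying a Conficker-style autorun.inf whose "action=" text mimics Explorer's own "Open folder to view files" entry); the executable extension list is a practical assumption, not an exhaustive one.

```python
"""Flag autorun.inf files that would launch an executable from a drive root.

Added example (not code from the thread). The sample drive roots built by
build_sample_roots() are constructed test data.
"""
import os
import re
import tempfile

# Extensions Windows will run from an autorun directive (assumption: a
# practical list, not an exhaustive one).
EXEC_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}
LAUNCH_KEYS = ("open", "shellexecute")
# "action" text that imitates the Explorer default so the user clicks it.
SPOOFED_ACTION = re.compile(r"open folder to view files", re.IGNORECASE)


def parse_autorun(text):
    """Return the key/value pairs under [autorun], keys lower-cased.

    autorun.inf is INI-like but frequently malformed, so it is parsed by
    hand rather than with configparser, which raises on odd lines.
    """
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        header = re.match(r"\[(.+?)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_directives(entries):
    """Yield (key, command) for every directive that runs a program."""
    for key, value in entries.items():
        verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or verb:
            yield key, value


def command_path(command):
    """First token of a command line, quotes stripped."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0] if command else ""


def scan_root(root):
    """Return one finding per launch directive in root/autorun.inf."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return []
    with open(inf, encoding="utf-8", errors="replace") as fh:
        entries = parse_autorun(fh.read())
    findings = []
    for key, command in launch_directives(entries):
        rel = command_path(command).replace("\\", os.sep)
        findings.append({
            "root": root,
            "directive": key,
            "command": command,
            "target_present": os.path.isfile(os.path.join(root, rel)),
            "executable": os.path.splitext(rel)[1].lower() in EXEC_EXTS,
            "spoofed_action": bool(SPOOFED_ACTION.search(entries.get("action", ""))),
        })
    return findings


def build_sample_roots():
    """Constructed test data: one clean and one infected drive root."""
    base = tempfile.mkdtemp(prefix="autorun_demo_")
    clean, infected = os.path.join(base, "E"), os.path.join(base, "F")
    os.makedirs(clean)
    os.makedirs(os.path.join(infected, "RECYCLER"))
    with open(os.path.join(clean, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nicon=drive.ico\nlabel=Backup\n")
    with open(os.path.join(infected, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\n"
                 "open=RECYCLER\\setup.exe\n"
                 "shell\\open\\command=RECYCLER\\setup.exe\n"
                 "shell\\open\\default=1\n"
                 "action=Open folder to view files\n"
                 "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n")
    with open(os.path.join(infected, "RECYCLER", "setup.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\0" * 62)  # placeholder header, not a real binary
    return clean, infected


if __name__ == "__main__":
    for root in build_sample_roots():
        for finding in scan_root(root):
            print(finding)
```

Point the scanner at real drive roots (for example `scan_root("F:\\")` on the machine you are triaging) and treat any finding where the target is present and executable as the thing to hand to the isolated test box mixedgas describes, not something to double-click.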
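On "I have a strange suspicion that our software is calling home" and the reply "a packet sniffer is your friend": before reaching for a sniffer, the quickest check on a Windows box is `netstat -ano` plus `tasklist`, both standard commands, which together tell you which process owns which outbound connection. The following is an added example, not code from this thread, that parses that output. The netstat text, the PID-to-image map, the process name `lasershow.exe` and the "noteworthy ports" table are all constructed sample data and assumptions; the remote addresses are RFC 5737 documentation ranges, which is why the internal-address check lists RFC 1918 ranges explicitly instead of using `ipaddress`'s `is_private` (that property treats the documentation ranges as private and would hide them).

```python
"""Triage `netstat -ano` output for processes holding outbound connections.

Added example (not from the thread). NETSTAT_SAMPLE and TASKLIST_SAMPLE are
constructed sample data standing in for the real command output.
"""
import ipaddress
from collections import defaultdict

# Constructed sample of `netstat -ano` output (documentation addresses).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    127.0.0.1:49152        127.0.0.1:49153        ESTABLISHED     1104
  TCP    192.168.1.20:49321     192.168.1.1:445        ESTABLISHED     4
  TCP    192.168.1.20:49402     203.0.113.77:6667      ESTABLISHED     2388
  TCP    192.168.1.20:49410     203.0.113.77:80        ESTABLISHED     2388
  TCP    192.168.1.20:49411     198.51.100.9:443       ESTABLISHED     3012
  UDP    0.0.0.0:500            *:*                                    1104
"""

# Constructed PID -> image name map, as `tasklist` would give it.
# "lasershow.exe" is a made-up name, not any vendor's real binary.
TASKLIST_SAMPLE = {4: "System", 812: "svchost.exe", 1104: "lsass.exe",
                   2388: "lasershow.exe", 3012: "firefox.exe"}

# Ports worth a second look when a laser-show program talks to them.
# Assumption: a starting heuristic, not an indicator on its own.
NOTEWORTHY_PORTS = {6667: "IRC (classic botnet C2 channel)", 6697: "IRC over TLS"}

# Addresses that are "inside" for this purpose. Listed explicitly rather than
# via ip.is_private, which also hides the RFC 5737 documentation ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7")]


def split_endpoint(text):
    """'203.0.113.77:6667' -> ('203.0.113.77', 6667); handles '[::1]:80'."""
    host, _, port = text.rpartition(":")
    return host.strip("[]"), int(port)


def is_external(host):
    """True for a routable address outside the internal ranges above."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def parse_netstat(text):
    """Yield (proto, local, remote, state, pid) for each connection row."""
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts and parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue  # headers, blank lines, anything else
        yield proto, local, remote, state, int(pid)


def outbound_by_process(netstat_text, tasklist):
    """Map (pid, image) -> [(host, port, note)] for external TCP sessions."""
    result = defaultdict(list)
    for proto, _local, remote, state, pid in parse_netstat(netstat_text):
        if proto != "TCP" or state != "ESTABLISHED":
            continue
        host, port = split_endpoint(remote)
        if not is_external(host):
            continue
        name = tasklist.get(pid, "<unknown>")
        result[(pid, name)].append((host, port, NOTEWORTHY_PORTS.get(port, "")))
    return dict(result)


if __name__ == "__main__":
    for (pid, name), conns in outbound_by_process(NETSTAT_SAMPLE, TASKLIST_SAMPLE).items():
        print(f"{name} (PID {pid})")
        for host, port, note in conns:
            print(f"    -> {host}:{port} {note}")
```

Run it against the real output (`netstat -ano > net.txt` and `tasklist`, feeding the text and a parsed PID map in place of the samples). A playback program that holds a session to a foreign host on an IRC port while a show is not running is exactly the case where the sniffer comes out next, because only the captured traffic tells you what is being sent.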

  9. #49
    Join Date
    Nov 2007
    Location
    Cairns, Australia
    Posts
    1,896


    ^^ Well said

    I don't think they would PAY anyone to crack some software for them; chances are one of them had a little knowledge and found a "backdoor" into the program, so they don't have to bother making their own.

    Cheers,
    Dan

  10. #50
    mixedgas's Avatar
    mixedgas is offline Creaky Old Award Winning Bastard Technologist
    Infinitus Excellentia Ion Laser Dominatus
    Join Date
    May 2007
    Location
    A lab with some dripping water on the floor.
    Posts
    9,890


    From cracklab.ru

    Quote:

    Hi, would be very very happy if someone could crack this, searched everywhere, but nothing found.

    1. Mamba Black 1.90
    2. http://www.jmlaser.com/downloads/mamba_black_demo.zip
    3. 11.5 MB
    4. No output to laser projector
    5. Dongle (I think), Borland Delphi 6.0 - 7.0
    6. Program for lasershow playback
    7. ~400 €

    Thanks!! TheGhoS, 26.12.2008 03:45:21
    Qui habet Christos, habet Vitam!
    I should have rented the space under my name for advertising.
    When I still could have...
