dEEpEst (Staff)

"Dream Formula" Second Generation | Analysis of the First Office 0day Vulnerability (CVE-2018-0802) Fixed by Microsoft's January 2018 Patch (exploit data 2018-01-10)

      Introduction

The Microsoft security patch of January 2018 fixes the Office 0day vulnerability (CVE-2018-0802) captured by the 360 Core Security Advanced Threat Response Team. This vulnerability affects almost all versions of Office that Microsoft currently supports. It is the second outbreak of high-level threats using a 0day since 360's first global interception of the Office 0day vulnerability CVE-2017-11826. The 360 Core Security team has been communicating actively with Microsoft and working with them to get the 0day fixed, so that the vulnerability was properly resolved before the vulnerability information was disclosed. The technical principle of the vulnerability is similar to the 2017 "Dream Formula" vulnerability (CVE-2017-11882): it is another attack by the hackers on EQNEDT32.EXE, the Equation Editor embedded in Office. We call it "Dream Formula II" (Nightmare Formula II, CVE-2018-0802).

      Attack process analysis

We captured several in-the-wild attacks using "Dream Formula II". The samples embed two Equation objects, one exploiting the Nday vulnerability and one exploiting the 0day: the Nday exploit attacks unpatched systems, while the 0day exploit attacks fully patched systems by bypassing the ASLR (address randomisation) protection added by the CVE-2017-11882 patch. Either way, the attack ends by implanting a malicious remote-control program on the user's computer.

Figure: "Dream Formula II" in-the-wild sample attack process

      Vulnerability analysis

"Dream Formula II" is a patch-bypass vulnerability for CVE-2017-11882; the type is a stack overflow. The root cause is that Microsoft's patch for the first-generation "Dream Formula" did not fix a second stack overflow, in the copy of the font FaceName. On an unpatched version this vulnerability only causes a crash, but on the patched version it can be exploited perfectly. Below we analyse CVE-2018-0802 using PoC samples.

      Static analysis

As with CVE-2017-11882, the trigger data for this vulnerability is in the "Equation Native" stream of the extracted OLE object. The red-circled portion of Figure 1 is the core data, a total of 0x99 = 153 bytes. 0x08 is the font tag, the following 00 01 are the typeface and style of the font, and the area from 33 to 25 00 is the font name, which is the data copied when the stack overflows. This part of the data contains the shellcode, the ASLR bypass trick, the process command line and related padding data; we analyse them later.

       

Figure 1

      Equation Native data structure

According to information published online, the overall "Equation Native" data structure is:

      EquationNative Stream Data = EQNOLEFILEHDR + MTEFData

      MTEFData = MTEF header + MTEF Byte Stream.

The structure of EQNOLEFILEHDR is shown in Figure 2:

Figure 2

The structure of the MTEF header is shown in Table 1. For this structure there are differences between the actual data and the format specification; the table shows what we actually observed:

Offset  Meaning                               Observed value
0       MTEF version number                   0x03
1       Platform that generated the data      0x00 = generated on Macintosh, 0x01 = generated on Windows
2       Product that generated the data       0x00 = generated by MathType, 0x01 = generated by Equation Editor
3       Product major version number          0x03
4       Product minor version number          0x0A

Table 1

      In the attack sample, the MTEF ByteStream structure is shown in Table 2:

      Initial SIZE record
      FONT records
      FONT content
      Remaining data

      Table 2

The FONT record and FONT content structure are shown in Table 3:

Member  Meaning           Note
Tag     0x08              1 byte
Tface   Typeface number   1 byte
Style   Font style        1 byte
Name    Font name         NULL-terminated ASCII string

Table 3

      Patch bypass analysis

The trigger point of CVE-2018-0802 is in sub_21E39 (module base set to 0 in IDA). As Figure 3 shows, the function initialises a LOGFONT structure from the font data in the formula:

Figure 3

Let's look at Microsoft's description of the LOGFONT structure (Figure 4). The last member of this structure is lfFaceName.

       

Figure 4: LOGFONT structure

Now look at Microsoft's description of the lfFaceName member (Figure 5). lfFaceName is the typeface name of the font; in the version being analysed it is a null-terminated char string with a maximum length of 32, including the terminating NULL.

       

Figure 5

The problem is obvious: the code in the red box in Figure 3 does not limit the copy length when copying the font FaceName. The source of the copy is the user-supplied font name, and the destination is the address of a LOGFONT structure passed in from the parent function. Looking back at the parent function of sub_21E39 (Figure 6), this address lies in the stack frame opened by the parent function; it is a local variable of the parent. The attacker constructs malicious data that overwrites the last two bytes of the parent function's (sub_21774) return address, and thereby redirects the control flow to the shellcode on the stack.
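As an added illustration (not 360's analysis code and not the PoC), here is a Python scanner that walks an Equation Native stream using the layout of Tables 1 to 3 and flags any FONT record whose name, terminator included, would not fit the 32-byte lfFaceName buffer that the copy in sub_21E39 never checks. The 28-byte EQNOLEFILEHDR layout (cbHdr, version, cf, cbObject, four reserved DWORDs) and the two-byte SIZE record are assumptions taken from public MTEF documentation rather than from this post, and the two sample streams are constructed.

```python
"""Heuristic scanner for the "Equation Native" stream of an embedded
Equation Editor object.  Constructed example: it only models the records
needed to reach the FONT record and measure its name; it is not a full
MTEF parser."""
import struct

LF_FACESIZE = 32           # LOGFONT.lfFaceName: 31 chars + NUL (Figure 5)
MTEF_HEADER_LEN = 5        # Table 1: version, platform, product, major, minor
TAG_FONT = 0x08            # Table 3: tag, tface, style, NUL-terminated name
TAG_SIZE = 0x0A            # "Initial SIZE record" of Table 2
# Assumption (public documentation, not the post): EQNOLEFILEHDR is 28 bytes:
#   WORD cbHdr, DWORD version, WORD cf, DWORD cbObject, 4 reserved DWORDs
EQNOLEFILEHDR_FMT = "<HIHI16s"
EQNOLEFILEHDR_LEN = struct.calcsize(EQNOLEFILEHDR_FMT)   # 28 = 0x1C


def parse_mtef_header(data, off):
    """Table 1: five single-byte fields starting at `off`."""
    ver, platform, product, major, minor = struct.unpack_from("<5B", data, off)
    return {"version": ver, "platform": platform, "product": product,
            "major": major, "minor": minor}


def parse_font_record(data, off):
    """Parse a FONT record at `off`; returns (record, offset after it).
    An unterminated name runs to the end of the stream, as the copy would."""
    tface, style = data[off + 1], data[off + 2]
    end = data.find(b"\x00", off + 3)
    if end < 0:
        end = len(data)
    return {"tface": tface, "style": style, "name": data[off + 3:end]}, end + 1


def scan_equation_native(stream):
    """Return (mtef_header, findings).  One finding is produced for each FONT
    name that, together with its NUL, would not fit lfFaceName: exactly the
    condition the unbounded copy in sub_21E39 fails to check."""
    if len(stream) < EQNOLEFILEHDR_LEN + MTEF_HEADER_LEN:
        raise ValueError("stream too short for EQNOLEFILEHDR + MTEF header")
    cb_hdr, version, _cf, _cb_object, _res = struct.unpack_from(EQNOLEFILEHDR_FMT, stream, 0)
    if cb_hdr != EQNOLEFILEHDR_LEN or version != 0x00020000:
        raise ValueError("unexpected EQNOLEFILEHDR (cbHdr=%#x, version=%#x)" % (cb_hdr, version))
    off = cb_hdr
    header = parse_mtef_header(stream, off)
    off += MTEF_HEADER_LEN
    findings = []
    while off < len(stream):
        tag = stream[off]
        if tag == TAG_FONT:
            if off + 3 > len(stream):
                break                      # truncated record, nothing to copy
            rec, nxt = parse_font_record(stream, off)
            needed = len(rec["name"]) + 1  # bytes the copy writes, NUL included
            if needed > LF_FACESIZE:
                findings.append({"offset": off, "name_len": len(rec["name"]),
                                 "excess": needed - LF_FACESIZE})
            off = nxt
        elif tag == TAG_SIZE:
            off += 2                       # assumption: SIZE = tag + one size byte
        else:
            break                          # record type this scanner does not model
    return header, findings


def build_stream(font_name):
    """Constructed test input in the layout above: EQNOLEFILEHDR, MTEF header
    03 01 01 03 0A (Table 1 values), a SIZE record, then one FONT record."""
    mtef = bytes([0x03, 0x01, 0x01, 0x03, 0x0A, TAG_SIZE, 0x01,
                  TAG_FONT, 0x00, 0x01]) + font_name + b"\x00"
    hdr = struct.pack(EQNOLEFILEHDR_FMT, EQNOLEFILEHDR_LEN, 0x00020000, 0,
                      len(mtef), b"\x00" * 16)
    return hdr + mtef


BENIGN = build_stream(b"Times New Roman")
# 0x94 bytes up to the return address plus 2 more, the shape Figure 12 describes;
# plain filler here, no shellcode or addresses
OVERLONG = build_stream(b"A" * (0x94 + 2))

if __name__ == "__main__":
    for label, s in (("benign", BENIGN), ("overlong", OVERLONG)):
        hdr, found = scan_equation_native(s)
        print(label, hdr, found)
```

The scanner stops at the first record type it does not model, so a benign document that places its FONT record later in the stream is reported as clean; treat a finding as a reason to quarantine, not its absence as proof of safety.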

       

Figure 6

During the analysis we found what looked like recursion. Figure 7 shows the disassembly of sub_21774. sub_21774 first calls the vulnerable function sub_21E39 to initialise a LOGFONT structure, then passes that structure to the relevant API, from which the system returns a font name that is saved to Name. It then compares the obtained Name with the user-supplied lpLogFont; if they differ (and sub_115A7 returns False), it decides whether or not to call itself again according to the condition specified by a3, the third parameter of sub_21774.

       

Figure 7

Let's look at that third parameter, since otherwise there may be multiple levels of recursion and the overflow cannot be used effectively. From the earlier CVE-2017-11882 debugging results (Figure 8), when the user-supplied font data is parsed, the function that calls sub_21774 is sub_214C6. Looking back at sub_214C6 (Figure 9), sub_214C6 calls sub_21774 with the value 1 as the third parameter, so the if(a3) in Figure 7 is true. Looking at Figure 7 again, when sub_21774 calls itself recursively it passes 0 as the third parameter, which means sub_21774 will not call itself again; the recursion is only one level deep. With that, the recursion question is resolved.

Figure 8: CVE-2017-11882 triggered execution flow

Figure 9

One question remains: if _strcmpi(lpLogfont, &Name) does not hold (and with a user-forged font name it certainly does not), sub_115A7 is called, which means execution reaches the CVE-2017-11882 overflow point. On a version without the November patch, an exploit that successfully uses CVE-2017-11882 will not overflow at the CVE-2018-0802 point, because the former needs a much smaller overflow than the latter and the copy ends with a NULL truncation (we know that reaching a controllable EIP via CVE-2017-11882 needs only 0x2C bytes, while, as the analysis below (Figure 11) shows, reaching a controllable EIP via CVE-2018-0802 needs 0x94 bytes). Conversely, trying to trigger CVE-2018-0802 on a version without the November patch triggers CVE-2017-11882 first. In short, CVE-2018-0802 is not usable before the November patch.

However, as Figure 10 shows, in the November patch Microsoft limited the copy length at the CVE-2017-11882 overflow point to 0x20, and after the copy completes a NULL is manually appended, which invalidates CVE-2017-11882. This is exactly what makes CVE-2018-0802 unusable before the patch and usable after it! Now, as long as sub_115A7 returns False, the vulnerability can be exploited perfectly, and actual debugging finds that sub_115A7 does return False.

       

Figure 10

      Dynamic Analysis

Overflow data copy

With the static analysis above, dynamic analysis becomes very simple. Since this overflow point copies data, we monitor the source string and the corresponding stack backtrace for each copy. We first enter the OLE data Load function (sub_6881), then set a breakpoint before the data copy and print the output on each hit; the result is shown in the debugger log.


The log shows two copies, and from the stack backtrace we know these are the two calls to sub_21174 from the static analysis: the first is the call from sub_214c6 to sub_21174, the second is sub_21174 calling itself. The stack overflow obviously happens on the first copy. A small note: cb ce cc e5 is the GBK encoding of 宋体 (SimSun).

Let us calculate in detail how long the overflow needs to be to control the return address of the parent function (sub_21174). (The conclusion was already mentioned in the "Patch bypass analysis" section.) From Figure 11, overflowing from lfFaceName (-0x90) to ret_addr (+0x4) needs a total of 0x94 bytes. Bytes beyond the first 0x94 overwrite the return address byte by byte, starting from its low address.

Figure 11

Now look at the data in the PoC. As shown in Figure 12, the blue part is the first 0x94 bytes of the overflow, 25 00 are the last two bytes of the overflow, and 00 is the terminator at which the copy stops. Given the little-endian layout, when the PoC runs only the low 2 bytes of EIP are overwritten. Why do it this way? The answer is to bypass ASLR.

Figure 12

      Bypass ASLR

Let's see why overwriting only two bytes can bypass ASLR.

First, the patched file has ASLR enabled, as shown in Figure 13. As a result, the base address at which EQNEDT32.EXE is loaded is random each time, so the first problem when overflowing is how to bypass ASLR. (As for DEP, Figure 14 shows that DEP is not enabled for EQNEDT32.EXE in the patched file, so DEP normally does not need to be considered.)

Unfortunately, the attackers clearly understand the Windows mechanisms and defences. On the Windows platform, ASLR for a 32-bit process randomises only the upper 2 bytes of an address each time, while the lower 2 bytes stay unchanged. If a ret instruction can be found within the same low 0xFFFF range as the overwritten address, at an address of the form 0xABCD00XY (where ABCD and XY are arbitrary hex digits and the second-to-last byte must be 0x00, because the copy has to be truncated precisely there), that ret can be used directly to jump to the stack. Since there is no need to bypass DEP, the shellcode can then execute directly on the stack.

Figure 13: ASLR status of EQNEDT32.EXE is Enabled, and DEP is non-permanent DEP

Figure 14: DEP status of EQNEDT32.EXE is Disabled

Even more unfortunately, within the EQNEDT32.EXE module Microsoft provided exactly one such address (Figure 15). Only one address satisfies the condition, namely offset 20025; the two bytes written into EIP, 25 00, are unique, and there is no second ret that satisfies the condition.

Figure 15

Now consider what the original return address of sub_21174 is. Naturally, it is the address of the instruction following the call to sub_21174 in sub_214C6. Figure 16 shows that this address is at offset 214E2. With the overwrite of Figure 12, the offset becomes 20025, which, by the analysis above and Figure 17, is a ret instruction. This ret pops the first parameter that sub_214C6 passed to sub_21174 and transfers control flow to that value. Worse, this first parameter happens to be lpLogFont, the FontName supplied by the user. So after the ret executes, control flow transfers to the stack and starts executing the first byte of the user-supplied FontName.

Figure 16

Figure 17

      Sample A Shellcode Analysis

In the PoC modified from sample A, the control-flow hijack and the execution of the shellcode are shown in Figure 18:

Figure 18: Because of the recursion, we need to return twice from sub_21774, which explains the first two rets

Immediately after the jmp eax instruction, WinExec is called, and the command-line parameter happens to be calc.exe, as shown in Figure 19:

Figure 19

      Sample B Shellcode Analysis

Sample B bypasses ASLR in the same way as sample A, but its shellcode differs. Sample B's shellcode locates the export table of kernel32.dll through the PEB (Figures 20 and 21), then searches the export table for each desired function using a specific hash algorithm (Figure 21); the hash values are given in the shellcode. The shellcode then saves the found function address in the place where the hash value was previously stored (Figure 22).

Figure 20: Hash values and copy path name given in sample B's shellcode

Figure 21: Finding the required function in the export table of kernel32.dll by hash value

Figure 22: Comparison of data on the stack before and after finding the function address

After finding the functions and saving their addresses on the stack, the shellcode first calls ExpandEnvironmentStringsA to expand the short path stored in the shellcode, then calls CopyFileA to copy the payload into the Word plugin directory, so that the payload is loaded into memory automatically the next time Word starts. Finally it calls ExitProcess to exit the Equation Editor process (Figure 23). The whole process does not affect the normal opening of the document.

Figure 23: Expand the short path, copy the file, and exit the process

Summary

The 0day vulnerability used by "Dream Formula II", CVE-2018-0802, can be called the twin of CVE-2017-11882. Of the two vulnerabilities in the attack sample, one targets unpatched systems and the other targets patched systems; the sample uses two OLE objects to attack both at the same time. The hackers' well-constructed attack is perfectly compatible with the different patch states of the vulnerable system. The exploitation of this vulnerability and its ASLR bypass rely on a degree of coincidence: if there were no usable ret instruction in the EQNEDT32.EXE module to bypass ASLR, if lpLogFont were not the first parameter of sub_21774, or if the CVE-2017-11882 patch had forced DEP protection, "Dream Formula II" would not have had its chance.

      The latest 360 security products have been able to detect and prevent this zero-day vulnerability, and we recommend that users update the Microsoft Security Patch for January 2018.



Hello, the subject looks great, let's see if it really works.

      Share this post


      Link to post
      Share on other sites
      Guest
      This topic is now closed to further replies.
      Sign in to follow this  

      • Similar Content

        • By itsMe

          Hidden Content
          Give reaction to this post to see the hidden content. Name-That-Hash
          What is this?
          Have you ever come across a hash such as 5f4dcc3b5aa765d61d8327deb882cf99 and wondered what type of hash that is? 🤔
          Name-that-hash will name that hash type!
          🔥 Features
              📺 Popularity Ratings – Name that hash will show you the most popular hashes first. In older systems, it would prioritise Skype Hash the same as Active Directory’s NTLM! Which makes as much sense as saying that my GitHub is as popular as VSCode 📈
              ✍ Hash Summaries – no more wondering whether it’s MD5 or NTLM. It will summarise the main usage of each hash, allowing you to make an informed & decisive choice ⚡
              🌈 Colour Output – Don’t worry, the colours were hand-selected with a designer to be 100% accessible and gnarly 😎
              🤖 JSON output && API – Want to use it in your project? We are API first, CLI second. Use JSON output or import us as a Python module! 💾
              👵 Updated! – HashID was last updated in 2015. Hash-Identifier in 2011! It is a 2021 project 🦧
              ♿ Accessible – We are 100% committed to making this an accessible hacking tool 🙏
              🎫 Extensible – Add new hashes as quickly as you can edit this README. No, seriously — it’s that easy! 🎱
          Changelog
          v1.10
          This test matrix goes through all of our hash database and:
              Updates the Hashcat mode
              Updates the John mode (if it can find it, not all of John the Ripper modes are easy to find)
              Checks the regex against that hash, ensuring all regex are correct

          Hidden Content
          Give reaction to this post to see the hidden content.
        • By itsMe

          Hidden Content
          Give reaction to this post to see the hidden content. Master Modern Android API's: ROOM Database, ML Kit Face Recognition, Firestore, Firebase, Maps and Android Studio IDE
          What you'll learn
              Master Java Programming Language
              Build Dynamic Android Apps From Scratch
              Master Android Development and MVC Pattern when Building Android Apps
              Master Modern Android Development with DataBinding
              Build Several Android Apps with the latest Android API's: ROOM, Firebase, Firestore and ML Kit Face Recognition
              Learn Android Development Best Practices
              Learn Android User Interface Design
              Master the Android Studio IDE and Become More Productive
              Learn How to Publish Android Apps to Google Play
          Course content
          51 sections • 388 lectures • 49h 33m total length
          Requirements
              Basic programming experience in general is helpful but not required. The course covers everything you'll need to build Android Apps
              Be Willing to Work and Learn
          Description
          [Feb 26 Update]: Added a new Section (3+ hrs) - Build a Todois Clone App
          [Feb 24 Update]: Added a new Section (3 hrs) - Build a National Parks App
          [January 18 Update]: Updated one section - Trivia App Challenge & Solution
          [January 2nd Update]: Updated two new sections!!
          [December 30th Update]: Updated 12 Sections!! And more to come.
          [November 2020 Update]: Added 11 Coding Exercises; Added two new lectures; added 19 quizzes!
          --------------------------
          Android App Development will open many doors for you since Android is the most popular operating system in the World.
          You may have many reasons why you want to learn Android development - maybe you have lots of app ideas but don't know where to start?  Or maybe it's time for a career change, and Android Development picked your interest?  Or perhaps you want to be more valuable at your company... whatever the reason, you're are on the right path by being here!
          Build a strong foundation in Android Development, Android Studio, and object-oriented Java Programming with this Complete, Up-to-date course.  This is the Android Development Bootcamp you'll ever need to learn Android Development from scratch!
          In this Android App Development Bootcamp course, you will be:
              Building Android apps from scratch using Android Studio and Java Programming Language
              Fully learn the Java Programming Language, which is used to build Android Apps.
              Android Building Blocks
              Building several full-fledged apps from scratch
              Learning how to leverage Android Internal Persistence API's (SharedPreference and SQLite)
              Master Android App Design, from start to finish (Android Material Design)
              Android DataBinding
              Master new Android APIs such as ROOM Persistence, Firestore Realtime Database, and ML Kit - Face Recognition.
              Uploading your apps to Google Play Store and reach Millions of Android users worldwide!
              And so much more...
          This is a hands-on course, which means you will be actually building several android apps as you learn!
          The course is structured in such a way to improve your knowledge retention - by having a lot of hands-on projects. In each section of the course, you will be practicing and building something meaningful, which will further your understanding of Android App Development. There are quizzes and challenges as well.
          No Prior Programming Experience is Required!
          If you are not an experienced developer, don't worry. This course was designed with beginners in mind - you don't have to have any prior experience!
          All you need is an open mind and be willing to work (and some patience, too).
          You'll start by learning the Java programming language fundaments such as creating Java variables, variable types, relational and logical operators, loops, and methods.  Once the language basics are covered, you'll then move on to learning Java Object-Oriented Programming concepts - classes, Java Inheritance, and how to create objects from Java classes.
          Next, you'll learn the most fundamental Java Data Structures, which help programmers store and manipulate programs' data efficiently and easily (Arrays and ArrayLists).
          If you are familiar with the Java programming language, you can always fast-forward to the Android Development part of the course, which introduces the fool Bootcamp for Android App Development.  In the Android App Development part of the course, you'll focus on building an Android app from the get-go.  You'll be learning Android concepts such as Android Activities, Android Basic Project Structure, Android Layouts, and XML by actually doing the work, building android apps from scratch!
          The goal is to take you through the whole process of learning Android development, from zero to hero, meaning from building simple Android apps to building apps that connect to Firebase (remote realtime-database), apps that recognize faces on a photo (MLKit Face Recognition), to learning how to build Android map-driven applications!  Along the way, you'll learn how to store data in android (SQLite and Sharedpreferences).  You'll learn how to use the fundamental design pattern called MVC - Model-View-Controller to structure your Android projects. You'll learn how to use the most modern Android libraries and APIs like Android ROOM - an alternative way to save Android data!  You'll master how to use Android Fragments to make your apps more versatile and run on different device sizes (phone, tablet).
          Additionally, you'll learn how to play sound (Android SoundPool, Android ExoPlayer) and use Android native classes to draw shapes on the screen - by using the Android Canvas class and so much more!
          As you can see, this is the course you'll need to get started in Android Development with Java - this is your Android Development Bootcamp course that will take you from zero to hero!
          Why Should You Take This Course?
          My name is Paulo Dichone, creator of the most best-selling online programming courses (with over 100,000 happy and satisfied students). This time, I have designed this Android Masterclass course - especially for YOU.
          I know how hard it can be to learn programming and Android development - there's a lot of information out there, but the problem is that none is complete, nor is it updated.  I understand how frustrating it's to try to learn something on your own and spend months without seeing progress!
          That's why I do what I do - teach.
          My sole goal is to show you that you can get started right away with Android development and start building your app ideas!
          Don't just take our word for it; see what my past students had to say about the course:
          "I liked the course and the professor. I'm taking another course with him because he's excellent in my opinion, starts from beginner to advanced, very organized classes. A lot of examples in the course, and he was updating the course often too. Money well spent." - Kevin ★★★★ (4.5 stars rating)
          "Great course. Very easy in understanding and friendly learning. Good Job, Sir. Thanks for this." - Muhammad - ★★★★ (5 stars rating)
          "Well, in my opinion, this is a great course since I knew nothing about java and by now I'm able to write my own apps pretty easily." - Michael - ★★★★ (5 stars rating)
          "Great course! I learned a lot from the numerous examples. I now have the confidence to build my own apps and to explore different areas of Android programming. - ★★★★ (4.5 stars rating)
          Great Course!!!! Thanks, Paulo!!!!!" - Ian - ★★★★ (5 stars rating)
          "I am delighted with this course. I have only attended the Android part because I had a basic knowledge of Java. I really like how Paulo teaches. He goes step by step, and you can understand everything. My first language is not English, but he speaks very; clearly, I can understand every word. Also, he is a happy guy, and you can hear that through the courses that he really loves what he is doing." - Antal - ★★★★ (5 stars rating)
          "Very well thought-out course. Flows smoothly with great delivery. I have been developing Android Apps for several years, and I still found this course informative, relevant, and helpful. I would recommend everyone take this course if you are new to Android or returning for a refresher course." - Douglas - ★★★★ (5 stars rating)
          Sign up today, and look forward to:
              Over 45 hours of HD 1080p video content (and growing)
              Build several fully-fledged apps, including ones that use ML Kit Face Recognition, Android ROOM Database, Firebase, Maps and JSON API's, etc.
              Challenges and Solutions
              Fast and helpful support if you need anything or have questions
              My great sense of humor :)
          So what are you waiting for?  Start learning in this ultimate Android Development tutorial, where you'll go deep into android development tools, such as Android Studio and Android App Development.
          Enroll today and start learning.
          See you inside.
          Paulo
          Who this course is for:
              Beginner Android Developers
              Web Developers who want to Learn Android and Java
              Curious students who Want to Build their own Android Apps
              Project Managers who Want to Learn How Android Apps are Built
              Anyone who wants to Learn Java and Android Development
          Hidden Content
          Give reaction to this post to see the hidden content.
          Torrent File

          Hidden Content
          Give reaction to this post to see the hidden content.
        • By itsMe

          Introduction to Arm exploitation Part one
          What you'll learn
              Arm exploitation
              Binary exploitation
              Reverse engineering
              Basic arm instructions
              Gdb primer
              Patching binaries
              Ghidra, Binary Ninja, Hopper, etc.
              Exploit development
              Format string vulnerabilities
              Ret2zp Attack
              Nx Bypass
              Buffer overflow
          Requirements
              A PC
              Basic programming concepts (not necessary)
              Some interest
          Description
          Hello,
          Welcome to the cheapest and first course on ARM exploitation on Udemy. This course is purely for beginners. As you all know, ARM-based devices are becoming more and more prominent these days, so it's important to learn about securing them. I made this course highly practical so that it doesn't bore you as you go. This course only requires a PC; we shouldn't need a Raspberry Pi or anything else, as we will be using emulated labs. This course is very basic, and if you are already familiar with buffer overflows and format string exploitation it wouldn't be much help to you, but it can still serve as a primer and an introduction to ARM exploitation.
          This course is focused on ARM v6 (32-bit) vulnerabilities and exploitation. We will start off with some basic ARM instructions and then move on to practical exploitation. The core sections of this course are reverse engineering and binary exploitation. We will reverse and modify the behaviour of simple crackme programs using Ghidra, Binary Ninja, Hopper, etc. Then we will move on to exploiting various binaries using format string vulnerabilities and buffer overflows. After that we will look at the protections used by the binaries and how to bypass them. We will be using CTF-style examples mostly. As this is part one of the course, we will cover everything from scratch. This course has a 30-day refund policy, so even if you don't like this course you can surely get 100% of your money back.
          (NB: It's an ongoing course; new content will be added.)
          I suggest you watch the sample videos before deciding to buy this.
          Who this course is for:
              Anyone Interested in learning binary exploitation
              Hackers
              CTF players
              Reverse engineers
        • By itsMe

          Invest and trade cryptocurrencies on Binance. Bitcoin margin trading in 2021. Trade Bitcoin and other cryptocurrencies.
          What you'll learn
              How to buy Bitcoin/other cryptocurrencies
              How to use Tradingview
              How to use Binance cryptocurrency exchange
              Complete trading strategy
              The types of orders on Binance and how to use them
              Candlesticks explained
              How to sell short
              How to set stop losses
              How to Margin trade cryptocurrencies on Binance platform
              What is Margin trading
              When to use margin trading
              How professionals use margin trading
              The 3 cycles in the Cryptocurrency market
              3 strategies to identify the current cycle
              How to make the best trading decisions based on what cycle we are currently in
              Strategies and tricks to know when people are getting too greedy/fearful
              How to spot where the losers are
              Trading screeners for finding setups
          Requirements
              You don't need any previous experience in trading cryptocurrencies
          Description
          Bitcoin Is Outperforming Every Mainstream Asset Class In 2021
          Bitcoin Is World’s Best Performing Asset Class Over Past 10 Years (Since It Was Created)?
          Bitcoin was released in 2009 as a new digital currency known as a cryptocurrency and has proven to be a very large investing opportunity. You're here because you've completed some research and are starting to understand the opportunity and potential that cryptocurrency has! 99.9% of people do not invest in cryptocurrency because they've never heard of it or don't understand it! When the general public starts to invest, the price of Bitcoin and other cryptocurrencies will skyrocket, meaning potentially really high returns for early investors.
          2017 was a huge year for Cryptocurrency! Bitcoin quadrupled in price, many countries around the world recognized it as a form of currency, it received a ton of news coverage and online interest because of the value increase of Bitcoin and the implementation of the blockchain technology in the medical, banking and tech industries to securely store and track information.
          In this cryptocurrency beginners course, your Instructor will teach you how to buy, sell and start trading Bitcoin and other cryptocurrencies.
          Bitcoin's price since released:
              July 2009 1 BTC = 0.0001 USD
              July 2011 1 BTC = 15 USD
              July 2013 1 BTC = 100 USD
              July 2015 1 BTC = 220 USD
              July 2017 1 BTC = 2420 USD
              July 2020 1 BTC = 9000 USD
          It posted gains of more than 9,000,000% since July 2010, according to data compiled by Bloomberg.
          Bitcoin and other Cryptocurrencies like Ethereum, Monero, Ripple, and others are growing exponentially in value.
          However, we are still in the early phases of an emerging market. Which means there is tremendous upside and great opportunities for investors in Cryptocurrency but also more risk for those who do not understand this rapidly evolving market.
          Want to learn how to trade Bitcoin and other cryptocurrencies?
          Then this course is for You!
          And the best part, you do not need any prior experience to get started!
          This course will not remain this price forever! It's time to take action!
          Click the "Enroll now" button ...every hour you delay is costing you money...
          What is more?
              You will be able to ask me as many questions as you like
              You will get a lifetime access to this course, without any limits!
              The course will keep updating frequently with more up-to-date learning resources.
              You also have a 30-Day Money-Back Guarantee
              If you are not satisfied, you can get 100% of your money back.
          So don't hesitate; Enroll Now.
          See you in the course!
          Sincerely,
          Bobby B
          Who this course is for:
              Everyone who wants to learn how to make money trading and investing in Bitcoin
              Everyone who wants to trade this market
              Everyone who wants to learn Margin trading on Binance


        • By itsMe

          FileInsight-plugins is a large set of plugins for the McAfee FileInsight hex editor. It adds many capabilities such as decryption, decompression, searching XOR-ed text strings, scanning with a YARA rule, code emulation, disassembly, and more! It is useful for various kinds of decoding tasks in malware analysis (e.g. extracting malware executables and decoy documents from malicious document files).
          List of plugins (113 plugins)
          Basic operations
              Copy to new file
              Copy selected region (the whole file if not selected) to a new file
              Bookmark
              Bookmark selected region with specified comment and color
              Cut binary to clipboard
              Cut binary data of selected region to clipboard as hex-encoded text
              Copy binary to clipboard
              Copy binary data of selected region to clipboard as hex-encoded text
              Paste binary from clipboard
              Paste binary data (converted from hex-encoded text) from clipboard
              Delete before
              Delete all region before the current cursor position
              Delete after
              Delete all region after the current cursor position
              Fill
              Fill selected region with specified hex pattern
              Invert
              Invert bits of selected region
              Reverse order
              Reverse order of selected region
              Swap nibbles
              Swap each pair of nibbles of selected region
              Swap two bytes
              Swap each pair of bytes of selected region
              To upper case
              Convert text to upper case of selected region
              To lower case
              Convert text to lower case of selected region
              Swap case
              Swap case of selected region
          Compression operations
          Compress
              aPLib
              Compress selected region with aPLib compression library
              Bzip2
              Compress selected region with bzip2 algorithm
              Gzip
              Compress selected region with gzip format
              LZ4
              Compress selected region with LZ4 algorithm
              LZMA
              Compress selected region with LZMA algorithm
              LZNT1
              Compress selected region with LZNT1 algorithm
              LZO
              Compress selected region with LZO algorithm
              PPMd
              Compress selected region with PPMd algorithm
              QuickLZ
              Compress selected region with QuickLZ compression library
              Raw deflate
              Compress selected region with Deflate algorithm without header and checksum (equivalent to gzdeflate() in PHP)
              XZ
              Compress selected region with XZ format
              zlib (deflate)
              Compress selected region with zlib (Deflate algorithm)
              Zstandard
              Compress selected region with Zstandard algorithm
          Decompress
              aPLib
              Decompress selected region with aPLib compression library
              Bzip2
              Decompress selected region with bzip2 algorithm
              Gzip
              Decompress selected gzip-compressed region
              LZ4
              Decompress selected region with LZ4 algorithm
              LZMA
              Decompress selected region with LZMA algorithm
              LZNT1
              Decompress selected region with LZNT1 algorithm
              LZO
              Decompress selected region with LZO algorithm
              PPMd
              Decompress selected region with PPMd algorithm
              QuickLZ
              Decompress selected region with QuickLZ compression library
              Raw inflate
              Decompress selected Deflate-compressed region that does not have header and checksum (equivalent to gzinflate() in PHP)
              XZ
              Decompress selected XZ compressed region
              zlib (inflate)
              Decompress selected region with zlib (Deflate algorithm)
              Zstandard
              Decompress selected region with Zstandard algorithm
          Crypto operations
          Decrypt
              AES
              Decrypt selected region with AES
              ARC2
              Decrypt selected region with ARC2 (Alleged RC2)
              ARC4
              Decrypt selected region with ARC4 (Alleged RC4)
              Blowfish
              Decrypt selected region with Blowfish
              ChaCha20
              Decrypt selected region with ChaCha20
              DES
              Decrypt selected region with DES
              Salsa20
              Decrypt selected region with Salsa20
              TEA
              Decrypt selected region with TEA (Tiny Encryption Algorithm)
              Triple DES
              Decrypt selected region with Triple DES
              XTEA
              Decrypt selected region with XTEA (eXtended Tiny Encryption Algorithm)
          Encrypt
              AES
              Encrypt selected region with AES
              ARC2
              Encrypt selected region with ARC2 (Alleged RC2)
              ARC4
              Encrypt selected region with ARC4 (Alleged RC4)
              Blowfish
              Encrypt selected region with Blowfish
              ChaCha20
              Encrypt selected region with ChaCha20
              DES
              Encrypt selected region with DES
              Salsa20
              Encrypt selected region with Salsa20
              TEA
              Encrypt selected region with TEA (Tiny Encryption Algorithm)
              Triple DES
              Encrypt selected region with Triple DES
              XTEA
              Encrypt selected region with XTEA (eXtended Tiny Encryption Algorithm)
          Encoding operations
          Decode
              Hex text to binary data
              Convert hex text of selected region into binary
              Decimal text to binary data
              Convert decimal text of selected region into binary data
              Octal text to binary data
              Convert octal text of selected region into binary data
              Binary text to binary data
              Convert binary text of selected region into binary data
              Custom base16 decode
              Decode selected region with custom base16 table
              Custom base32 decode
              Decode selected region with custom base32 table
              Custom base58 decode
              Decode selected region with custom base58 table
              Custom base64 decode
              Decode selected region with custom base64 table
              Custom base85 decode
              Decode selected region with custom base85 table
              Protobuf decode
              Decode selected region as Protocol Buffers serialized data without .proto files
              From quoted printable
              Decode selected region as quoted printable text
              Unicode unescape
              Unescape Unicode escape sequence of selected region
              URL decode
              Decode selected region as percent-encoded text that is used by URL
          Encode
              Binary data to hex text
              Convert binary of selected region into hex text
              Binary data to decimal text
              Convert binary of selected region into decimal text
              Binary data to octal text
              Convert binary of selected region into octal text
              Binary data to binary text
              Convert binary of selected region into binary text
              Custom base16 encode
              Encode selected region with custom base16 table
              Custom base32 encode
              Encode selected region with custom base32 table
              Custom base58 encode
              Encode selected region with custom base58 table
              Custom base64 encode
              Encode selected region with custom base64 table
              Custom base85 encode
              Encode selected region with custom base85 table
              ROT13
              Rotate alphabet characters in selected region by the specified amount (default: 13)
              To quoted printable
              Encode selected region into quoted printable text
              Unicode escape
              Escape Unicode characters of selected region
              URL encode
              Encode selected region into percent-encoded text that is used by URL
          Misc operations
              Emulate code
              Emulate selected region as an executable or shellcode with Qiling Framework (the whole file if not selected)
              File comparison
              Compare contents of two files
              Hash values
              Calculate MD5, SHA1, SHA256, ssdeep, imphash, impfuzzy hash values of selected region (the whole file if not selected)
              Send to
              Send selected region (the whole file if not selected) to other programs
          Parsing operations
              Binwalk scan
              Scan selected region (the whole file if not selected) to find embedded files
              Disassemble
              Disassemble selected region (the whole file if not selected)
              File type
              Identify file type of selected region (the whole file if not selected)
              Find PE file
              Find PE file from selected region (the whole file if not selected)
              Parse file structure
              Parse file structure of selected region (the whole file if not selected) with Kaitai Struct
              Supported file formats: Gzip, RAR, ZIP, ELF, Mach-O, PE, MBR partition table, BMP, GIF, JPEG, PNG, Windows shortcut
              Show metadata
              Show metadata of selected region (the whole file if not selected) with ExifTool
              Strings
              Extract text strings from selected region (the whole file if not selected)
          Search operations
              Regex search
              Search with regular expression in selected region (the whole file if not selected)
              Replace
              Replace matched data in selected region (the whole file if not selected) with specified data
              XOR hex search
              Search XORed / bit-rotated data in selected region (the whole file if not selected)
              XOR text search
              Search XORed / bit-rotated string in selected region (the whole file if not selected)
              YARA scan
              Scan selected region (the whole file if not selected) with YARA
          Visualization operations
              Bitmap view
              Visualize the whole file as a bitmap representation
              Byte histogram
              Show byte histogram of selected region (the whole file if not selected)
              Entropy graph
              Show entropy graph of selected region (the whole file if not selected)
          XOR operations
              Decremental XOR
              XOR selected region while decrementing XOR key
              Incremental XOR
              XOR selected region while incrementing XOR key
              Null-preserving XOR
              XOR selected region while skipping null bytes and XOR key itself
              XOR with next byte
              XOR selected region while using next byte as XOR key
              Guess multibyte XOR keys
              Guess multibyte XOR keys from the selected region (the whole file if not selected) based on revealed keys that are XORed with 0x00
              Visual encrypt
              Encode selected region with visual encrypt algorithm that is used by Zeus trojan
              Visual decrypt
              Decode selected region with visual decrypt algorithm that is used by Zeus trojan

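The XOR operations in the plugin list above are the ones an analyst reaches for most often when unpacking a malware payload, so here is a stand-alone Python example of them. This is an added example, not code from FileInsight-plugins or from the FileInsight project: it implements null-preserving, incremental/decremental and XOR-with-next-byte transforms, the chained XOR that the leaked Zeus source calls visualEncrypt/visualDecrypt (reproduced from memory, so treat the exact form as an assumption), and the "null-revealed key" guess for a repeating multibyte XOR key described under "Guess multibyte XOR keys". The reading of "XOR with next byte" as out[i] = data[i] ^ data[i+1] is this example's interpretation, and the PE-like sample plaintext and key are constructed here.

```python
"""Added example (not FileInsight-plugins code): XOR decoding helpers used in
malware analysis, plus key recovery from the null runs a packed PE carries."""


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Plain repeating-key XOR; it is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_null_preserving(data: bytes, key: int) -> bytes:
    """Single-byte XOR that leaves 0x00 and bytes equal to the key untouched.
    Malware uses this so padding stays null and the key is not leaked by the
    null runs; the transform is still its own inverse."""
    return bytes(b if b in (0, key) else b ^ key for b in data)


def xor_incremental(data: bytes, key: int, step: int = 1) -> bytes:
    """XOR byte i with (key + i*step) mod 256."""
    return bytes(b ^ ((key + i * step) & 0xFF) for i, b in enumerate(data))


def xor_decremental(data: bytes, key: int, step: int = 1) -> bytes:
    """XOR byte i with (key - i*step) mod 256."""
    return xor_incremental(data, key, -step)


def xor_with_next_byte(data: bytes) -> bytes:
    """Assumed reading: out[i] = data[i] ^ data[i+1]; last byte kept as-is."""
    return bytes(data[i] ^ data[i + 1] for i in range(len(data) - 1)) + data[-1:]


def visual_encrypt(data: bytes) -> bytes:
    """Zeus-style chained XOR: each byte XORed with the already-encrypted
    previous byte (assumed form of visualEncrypt in the leaked source)."""
    out = bytearray(data)
    for i in range(1, len(out)):
        out[i] ^= out[i - 1]
    return bytes(out)


def visual_decrypt(data: bytes) -> bytes:
    """Inverse of visual_encrypt: walk backwards so out[i-1] is still ciphertext."""
    out = bytearray(data)
    for i in range(len(out) - 1, 0, -1):
        out[i] ^= out[i - 1]
    return bytes(out)


def _min_period(p: bytes) -> int:
    """Smallest d such that p is d-byte pattern repeated (filters 'ABAB' for key 'AB')."""
    for d in range(1, len(p)):
        if len(p) % d == 0 and p == p[:d] * (len(p) // d):
            return d
    return len(p)


def guess_xor_keys(data: bytes, max_key_len: int = 8, min_repeats: int = 4) -> list:
    """Guess repeating multibyte XOR keys. A run of 0x00 in the plaintext passes
    the key through unchanged, so the key shows up as a contiguously repeated
    pattern in the ciphertext. For each length, find such runs, rotate the
    pattern back to key phase 0 using its offset, and rank by bytes covered.
    Returns [(key, contiguous_repeats), ...], best first."""
    best = {}
    for n in range(1, max_key_len + 1):
        i = 0
        while i + n <= len(data):
            pat = data[i:i + n]
            run = 1
            while data[i + run * n:i + (run + 1) * n] == pat:
                run += 1
            if run >= min_repeats and _min_period(pat) == n:
                shift = i % n                      # pat[j] == key[(i + j) % n]
                key = pat[-shift:] + pat[:-shift] if shift else pat
                best[key] = max(best.get(key, 0), run)
            i += run * n if run > 1 else 1
    return sorted(best.items(), key=lambda kv: (-kv[1] * len(kv[0]), len(kv[0])))


SAMPLE_KEY = b"\x5a\xc3\x19"
# Constructed plaintext: a PE-like blob with the null padding a real
# executable carries, which is exactly what leaks the key.
SAMPLE_PLAINTEXT = (b"MZ" + b"\x00" * 64
                    + b"This program cannot be run in DOS mode." + b"\x00" * 40)


def recover_sample() -> tuple:
    """Encrypt the sample, guess the key back, decrypt with the top guess."""
    ct = xor_repeating(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    key, _run = guess_xor_keys(ct)[0]
    return key, xor_repeating(ct, key)


if __name__ == "__main__":
    key, pt = recover_sample()
    print("guessed key:", key.hex(), "| plaintext recovered:", pt == SAMPLE_PLAINTEXT)
```

The key guesser deliberately rejects candidates whose minimal period is shorter than the length being tested, otherwise a 2-byte key is reported again as a 4-, 6- and 8-byte key; on a real sample you would run it over the whole file, then confirm the top guess by checking that the decoded output starts with "MZ" or another expected magic.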