stas'den - assembler

inPEct .EXE binder

Tue, 02 Jan 2007 00:00:00 -0200

inPEct means "infect", applicable to PE ("Portable Executable") format. It is an executable binder, thus, it's able to join two .exe files in one. Now, why should anyone want to do that, is a question apart (screenshot is self-explanatory
At the time I've wrote inPEct, most executable binders were similar to SFX ("Self-Extract") stubs: they simply extracted their content to somewhere (commonly %TEMP% directory). inPEct is a bit different, as it expands the host executable and encrypts & inserts the hosted executable inside it. When someone executes the bound application, the host executable runs normally, and the hosted executable is extracted and then executed. inPEct also has a feature to execute the hosted executable only once ('smart feature'): if the bound program is executed by user again, hosted file won't be extracted anymore. And inPEct is very fast and small, as it's written entirely in pure assembler (in fact, inPEct's loader has only 800 bytes!). It's encryption algorithm is very cheap, but still uses a random seed. Thus, I expect that inPEct is more stealthy than similar binders.
Please note that almost every AntiVirus program detects and quarantines inPEct (and files produced by it)! This shows it's popularity in the past, I guess

But today it's useful mostly as a pure assembler programming example... And for AntiVirus research, as this paper actually shows.

GRP packer plugin

Sat, 06 May 2006 00:19:20 -0300

The .grp (group) file format, used by the game Duke Nukem 3D, is just a collection of a lot of files stored into 1 big one. The Build engine, upon which Duke Nukem 3D was constructed, went on to become one of the most successful engine in terms of number of games released. Other notable games developed using the Build engine include Witchaven, TekWar, Shadow Warrior, Blood, PowerSlave and Redneck Rampage (check for a more complete list and more stuff about the Build engine at http://www.icculus.org/BUILD/). Thus, all of them use the GRP file format
So, here is the plugin I wrote for the Total Commander (TC for short) to access .grp files directly. It is able to list, unpack & pack GRP files (file deletion is unsupported by the format itself...). By the way, this TC plugin is the first one (and probably the only one ever ) to be written in the pure assembler language. I suppose that it's also the smallest TC plugin, with it's 5.5 KB size! And here's a screenshot showing it in action (opening the DUKE3D.GRP).

Installation:

The same as for most TC packer plugins:

Unzip the grp.wcx to the TC directory (usually C:\totalcmd)
Choose 'Configuration - Options'
Open the 'Packer' page
Click 'Configure packer extension DLLs'
type grp as the extension
Click 'new type', and select the "grp.wcx"
Click OK

Micro$oft Messenger Hack

Fri, 05 May 2006 01:53:01 -0300

"Micro$oft Messenger Hack" (MSMH for short is a GUI alternative to the command line "net send", with some nice additional features. Please remember that "Messenger" referred here is a Windows NT/2k/XP system service, that "Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger.". Messages transferred using this service looks just like this one:

MSMH is able to send the same message as above example. It lists machines on the local network, so you won't mistype host names anymore. It can send messages multiple times, also (just imagine yourself flooding "*" . And, using "WinPopup" method, both "From" and "To" fields can be spoofed. By the other side, "net send" method can send messages beyond your LAN, given the IP address of the remote host.
MSMH executable is very small, as I programmed it in assembler language. But beware: Service Packs make the Messenger service disabled by default, and firewalls won't allow remote host to receive your messages. Well, MSMH was much funnier when I wrote it a long time ago