Friday, December 23, 2011

REMnux 3.0 is Ready

REMnux is a lightweight Linux distribution for assisting malware analysts in reverse-engineering malicious software. This is version 3.0 of the REMnux distribution.

To learn about REMnux and for tips on getting started, please visit

There are 2 versions available for download at

  • Live CD ISO (830MB)
  • VMware virtual appliance (717MB)
You can refer to for the list of malware analysis tools included in REMnux.

Wednesday, December 21, 2011

Petals Around the Rose

Today I just became a Potentate of the Rose. You should give the game a try at Lloyd Borrett - Computing - Play the Petals Around the Rose game (JavaScript).

P/s: Bill Gates was introduced to this game in 1977.

Thursday, December 15, 2011

An Engineer Vs A Manager

A man is flying in a hot air balloon and realizes he is lost.

He reduces height and spots a man down below. He lowers the balloon further and shouts, "Excuse me, can you help me? I promised my friend I would meet him half an hour ago, but I don't know where I am."

The man below says, "Yes. You are in a hot air balloon, hovering approximately 30 feet above this field. You are between 40 and 42 degrees North latitude, and between 58 and 60 degrees West longitude."

"You must be an engineer," says the balloonist.

"I am," replies the man. "How did you know?"

"Well," says the balloonist, "everything you have told me is technically correct, but I have no idea what to make of your information, and the fact is I am still lost."

The man below says, "You must be a manager?"

"I am," replies the balloonist, "but how did you know?"

"Well," says the man, "You don't know where you are, or where you are going. You have made a promise which you have no idea how to keep, and you expect me to solve your problem. The fact is you are in the exact same position you were in before we met, but now it is somehow my fault."

Thursday, November 24, 2011

Geek Jokes

Just found a page of one-liner geek jokes at

Those with underline are what I like most!
  • There are 10 types of people in the world: those who understand binary, and those who don't
  • If at first you don't succeed; call it version 1.0
  • I'm not anti-social; I'm just not user friendly
  • My software never has bugs. It just develops random features
  • Roses are #FF0000 , Violets are #0000FF , All my base belongs to you
  • In a world without fences and walls, who needs Gates and Windows?
  • Hand over the calculator, friends don't let friends derive drunk
  • I would love to change the world, but they won't give me the source code
  • Enter any 11-digit prime number to continue...
  • The box said 'Requires Windows 95 or better'. So I installed LINUX
  • A penny saved is 1.39 cents earned, if you consider income tax
  • Unix, DOS and Windows...the good, the bad and the ugly
  • A computer lets you make more mistakes faster than any invention in human history - with the possible exceptions of handguns and tequila
  • The code that is the hardest to debug is the code that you know cannot possibly be wrong
  • UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity
  • Ethernet (n): something used to catch the etherbunny
  • C://dos
  • You know it's love when you memorize her IP number to skip DNS overhead
  • 1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
  • Alcohol & calculus don't mix. Never drink & derive
  • How do I set a laser printer to stun?
  • There is only one satisfying way to boot a computer
  • Concept: On the keyboard of life, always keep one finger on the escape button
  • It's not bogus, it's an IBM standard
  • Be nice to the nerds, for all you know they might be the next Bill Gates!
  • The farther south you go, the more dollar stores there are
  • Beware of programmers that carry screwdrivers
  • The difference between e-mail and regular mail is that computers handle e-mail, and computers never decide to come to work one day and shoot all the other computers
  • If you want a language that tries to lock up all the sharp objects and fire-making implements, use Pascal or Ada: the Nerf languages, harmless fun for children of all ages, and they won't mar the furniture
  • COFFEE.EXE Missing - Insert Cup and Press Any Key
  • Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning
  • LISP = Lots of Irritating Silly Parentheses
  • The beginning of the programmer's wisdom is understanding the difference between getting program to run and having a runnable program
  • Squash one bug, you'll see ten new bugs popping
  • Every time I touch my code, I give birth to ten new bugs
  • boast = blogging is open & amiable sharing of thoughts
  • We are sorry, but the number you have dialed is imaginary. Please rotate your phone 90 degrees and try again
  • Cannot find REALITY.SYS. Universe halted
  • If it weren't for C, we'd all be programming in BASI and OBO
  • Bad command or file name! Go stand in the corner
  • Bad or corrupt header, go get a haircut
  • Unrecognized input, get out of the class
  • Warning! Buffer overflow, close the tumbler !
  • WinErr 547: LPT1 not found... Use backup... PENCIL & PAPER
  • Bad or missing mouse driver. Spank the cat? (Y/N)
  • Computers make very fast, very accurate mistakes
  • Best file compression around: "rm *.*" = 100% compression
  • Hackers in hollywood movies are phenomenal. All they need to do is "c:\> hack into fbi"
  • BREAKFAST.COM Halted...Cereal Port Not Responding
  • I survived an NT installation
  • The name is Baud......James Baud
  • My new car runs at 56Kbps
  • Why doesn't DOS ever say "EXCELLENT command or filename!"
  • File not found. Should I fake it? (Y/N)
  • Cannot read data, leech the next boy's paper? (Y/N)
  • CONGRESS.SYS Corrupted: Re-boot Washington D.C (Y/n)?
  • Does fuzzy logic tickle?
  • Helpdesk : Sir, you need to add 10GB space to your HD , Customer : Could you please tell where I can download that?
  • Windows: Just another pane in the glass
  • Who's General Failure & why's he reading my disk?
  • RAM disk is not an installation procedure
  • Shell to DOS...Come in DOS, do you copy? Shell to DOS...
  • The truth is out there...anybody got the URL?
  • Smash forehead on keyboard to continue.....
  • E-mail returned to sender -- insufficient voltage
  • Help! I'm modeming... and I can't hang up!!!
  • All wiyht. Rho sritched mg kegtops awound?
  • Once I got this error on my Linux box: Error. Keyboard not attached. Press F1 to continue
  • Once I got this error on my Linux box: Error. Mouse not attached. Please left click the 'OK' button to continue
  • Press any key to continue or any other key to quit...
  • Press every key to continue
  • Helpdesk: Sir if you see the blue screen, press any key to continue. Customer : hm.. just a min.. where's that 'any key'..
  • Idiot, Go ahead, make my data!
  • Old programmers never die; they just give up their resources
  • To err is human - and to blame it on a computer is even more so
  • (001) Logical Error CLINTON.SYS: Truth table missing
  • Clinton:/> READ | PARSE | WRITE | DUMP >> MONKIA.SYS
  • (D)inner not ready: (A)bort (R)etry (P)izza
  • Computers can never replace human stupidity
  • A typical Yahoo! inbox : Inbox(0), Junk(9855210)
  • (A)bort, (R)etry, (P)anic?
  • Bugs come in through open Windows
  • Penguins love cold, they wont survive the sun
  • Unix is user friendly...its just selective about who its friends are
  • Artificial intelligence usually beats real stupidity
  • Bell Labs Unix -- Reach out and grep someone.
  • To err is really foul up requires the root password.
  • Invalid password : Please enter the correct password to (Abort / Retry / Ignore )
  • FUBAR - where Geeks go for a drink
  • I degaussed my girlfriend and I'm just not attracted to her anymore
  • Scandisk : Found 2 bad sectors. Please enter a new HD to continue scanning
  • Black holes are where God divided by zero
  • Hey! It compiles! Ship it!
  • Thank god, my baby just compiled
  • Yes! My code compiled, and my wife just produced the output
  • Windows 98 supports real multitasking - it can boot and crash simultaneously
  • Zap! And there was the blue screen !
  • Please send all spam to my main address, root@localhost :-)
  • MailerD(a)emon: You just received 9133547 spam. (O)pen all, (R)ead one by one, (C)heck for more spam
  • A: Can you teach me how to use a computer? B: No. I just fix the machines, I don't use them
  • PayPal: Your funds have been frozen for 668974 days
  • 1-800-404 : The subscriber you are trying to call does not exist
  • 1-800-403 : Access to that subscriber was denied
  • Error message: "Out of paper on drive D:"
  • If I wanted a warm fuzzy feeling, I'd antialias my graphics!
  • A printer consists of three main parts: the case, the jammed paper tray and the blinking red light
  • "Mr. Worf, scan that ship." "Aye Captain. 300 dpi?"
  • Smith & Wesson: The Original Point And Click Interface
  • Shout onto a newsgroup : It echoes back flames and spam
  • Firewall : Intruder detected. (A)llow in (D)eactivate the firewall
  • Real programmers can write assembly code in any language
  • Warning! Perl script detected! (K)ill it , (D)eactivate it
  • Firewall : Do you want to place a motion detector on port 80 ?
  • Helpdesk: Sir, please refill your ink cartridges. Customer: Where can I download that?
  • All computers run at the same speed... with the power off
  • You have successfully logged in, Now press any key to log out
  • Sorry, the password you tried is already being used by Dorthy, please try something else.
  • Sorry, that username already exists. (O)verwrite it (C)ancel
  • Please send all flames, trolls, and complaints to /dev/toilet
  • Shut up, or i'll flush you out
  • Cron : Enter cron command \ Now enter the number of minutes in an hour
  • We are experiencing system trouble -- do not adjust your terminal
  • You have successfully hacked in, Welcome to the FBI mainframes.
  • I'm sorry, our software is perfect. The problem must be you
  • Never underestimate the bandwidth of a station wagon full of tapes hurling down the highway
  • Webhost livehelp: Sir you ran out of bandwidth, User: Where can I download that?
  • If Ruby is not and Perl is the answer, you don't understand the question
  • Having soundcards is nice... having embedded sound in web pages is not
  • My computer was full, so I deleted everything on the right half
  • You have received a new mail which is 195537 hours old
  • Yahoo! Mail: Your email was sent successfully. The email will delivered in 4 days and 8 hours
  • I'm sorry for the double slash (Tim Berners-Lee in a Panel Discussion, WWW7, Brisbane, 1998)
  • Ah, young webmaster... java leads to shockwave. Shockwave leads to realaudio. And realaudio leads to suffering
  • What color do you want that database?
  • C++ is a write-only language. I can write programs in C++, but I can't read any of them
  • As of next week, passwords will be entered in Morse code
  • earth is 98% full ... please delete anyone you can
  • A typical yahoo chat room: "A has signed in, A has signed out, B has signed in, B has signed out, C has signed in, C has signed out.."
  • When someone says "I want a programming language in which I need only say what I wish done," give him a lollipop
  • Warning! No processor found! Press any key to continue
  • Failure is not an option. It comes bundled with your Microsoft product
  • NT is the only OS that has caused me to beat a piece of hardware to death with my bare hands
  • Warning! Kernel crashed, Run for your lives !
  • NASA uses Windows? Oh great. If Apollo 13 went off course today the manual would just tell them to open the airlock, flush the astronauts out, and re-install new one
  • JavaScript: An authorizing language designed to make Netscape crash
  • How's my programming? Call 1-800-DEV-NULL
  • Yes, friends and neighbors, boys and girls - my PC speaker crashed NT
  • root:> Sorry, you entered the wrong password, the correct password is 'a_49qwXk'
  • New linux package released. Please install on /dev/null
  • Quake and uptime do not like each other
  • if used before: Tue Jan 19 03:14:08 GMT 2038
  • As you well know, magic and weapons are prohibited inside the cafeteria -- Final Fantasy VIII
  • Man is the best computer we can put aboard a spacecraft...and the only one that can be mass produced with unskilled labo
  • Unix is the only virus with a command line interface
  • Windows 95 makes Unix look like an operating system
  • How are we supposed to hack your system if it's always down!
  • God is real, unless declared integer
  • I'm tempted to buy the slashdot staff a grammar checker. What do they do for 40 hours a week?
  • Paypal : Please enter your credit card number to continue
  • It takes a million monkeys at typewriters to write Shakespeare, but only a dozen monkeys at computers to run Network Solutions
  • Please help - firewall burnt down - lost packet - reward $$
  • If Linux were a beer, it would be shipped in open barrels so that anybody could piss in it before delivery
  • Thank you Mario! But our princess is in another castle
  • Perl, the only language that looks the same before and after RSA encryption
  • Norton: Incoming virus - (D)ownload and save (R)un after download
  • I had a dream... and there were 1's and 0's everywhere, and I think I saw a 2!
  • You sir, are an unknown USB device driver
  • C isn't that hard: void (*(*f[])())() defines f as an array of unspecified size, of pointers to functions that return pointers to functions that return void

Tuesday, November 15, 2011

THC-SSL-DoS on BackTrack5

On Oct 24, 2011, The Hacker's Choice (THC) released a DoS tool targeting vulnerable SSL/HTTPS servers. Here's how I compiled it on BT5, together with a modified version.

First, I downloaded the modified version of thc-ssl-dos.c from . Instead of conducting a real DoS attack, the modified version merely checks whether the target server is vulnerable or not.

Secondly, I had to install libssl-dev. I downloaded the latest copy of OpenSSL and pointed the configure script at its headers and libraries.

# tar zxvf openssl-1.0.0e.tar.gz
# cd openssl-1.0.0e
# make
# cd ../thc-ssl-dos-1.4
# ./configure --prefix=/opt/thc-ssl-dos --with-includes=/opt/openssl-1.0.0e/include/ --with-libs=/opt/openssl-1.0.0e/
# make
# cd /opt/thc-ssl-dos/src

# ./thc-ssl-dos 
     ______________ ___  _________
     \__    ___/   |   \ \_   ___ \
       |    | /    ~    \/    \  \/
       |    | \    Y    /\     \____
       |____|  \___|_  /  \______  /
                     \/          \/

          Twitter @hackerschoice

Greetingz: the french underground

./thc-ssl-dos [options] 
  -h      help
  -l   Limit parallel connections [default: 400] 

# mv /opt/thc-ssl-dos /opt/thc-ssl-dos-attack
# cd ..

# tar zxvf thc-ssl-dos-1.4.tar.gz

# cd ../thc-ssl-dos-1.4/src
# cp /opt/SSL_Renegotiation_Check_-_thc-ssl-dos.c_modification.txt thc-ssl-dos.c
# ..
# ./configure --prefix=/opt/thc-ssl-dos --with-includes=/opt/openssl-1.0.0e/include/ --with-libs=/opt/openssl-1.0.0e/
# make
# cd ..
# mv /opt/thc-ssl-dos /opt/thc-ssl-dos-check

Install Chromium in Backtrack 5

I installed BackTrack 5 recently. I followed the instructions from

Here's how I installed the Chromium browser on my BackTrack:
  1. apt-get install chromium-browser
  2. cd /usr/lib/chromium-browser
  3. hexedit chromium-browser

  • [Tab] to switch to string (ASCII) mode
  • [Ctrl-S], then type geteuid to search for it
  • Replace geteuid with getppid
  • [Ctrl-X] to save and exit.

The reason for patching geteuid with hexedit is to bypass the restriction on running the Google Chrome browser as root.

Bossa Vino on Google+ Page

Tuesday, November 01, 2011

New Google Reader is like SHIT

With the new Google Reader interface becoming like shit, all my notes in Reader are gone.

After some googling, I managed to find my notes in Reader again.

To access the notes:

To access the RSS feed of the notes:

To limit to 100 notes to display:

P/s: the new Google Reader is damn slow in performance.

Thursday, October 27, 2011

Installation/Uninstallation of VMware Player Hangs

If you are like me, and the installation or uninstallation of VMware Player keeps hanging or failing, then you are in luck.

I installed VMware Player and then upgraded to VMware Workstation 7.1 (trial). After the trial expired, I planned to uninstall VMware Workstation and keep only VMware Player (which is free).

I tried multiple times, but the uninstallation process kept hanging (forever). Then I tried to download the latest copy of VMware Player, hoping I could install it over the existing one. It didn't work.

Then I tried to be a "good boy" and follow the manual installation instructions provided by VMware at the following URL:

The same thing happened. I even tried installing the new copy from the command line as below:
VMware-player-4.0.0-471780.exe /z "action"="install"
Still fails. :-(

Then I also tried extracting the installation EXE to a temporary folder:
VMware-player-4.0.0-471780.exe /e tempdir
and then double-clicking the MSI to install it. The same shit happened.

Finally, when I was about to give up on VMware, I found one last thing to try before switching to VirtualBox.

  1. start regedit.exe
  2. Browse to the following sub-key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
  3. You should see keys named 0, 1, 2, 3 and 4. In my case I had a key named "L" before the 0.
  4. Remove the "L" key (actually it is "└", Unicode U+2514).

It works like a charm now.

P/s: This is due to Microsoft screwing up the Internet Zone settings in the registry. With the "└" key present, JavaScript cannot be called from an application.
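Before deleting anything, it is worth confirming that the odd subkey really is the one described above. This added Python check (not from the post) enumerates the Zones subkeys and reports any name other than 0 to 4 together with its Unicode code points, so a key that renders as "L" but is really U+2514 is identified before it is removed; the registry read uses the standard winreg module and therefore runs only on Windows, while the classification logic is plain Python.

```python
"""Report stray subkeys under Internet Settings\\Zones (added example, not from the post).

The Zones key should contain exactly the subkeys 0 (My Computer), 1 (Local Intranet),
2 (Trusted Sites), 3 (Internet) and 4 (Restricted Sites). Anything else is listed with
its code points, so a look-alike name such as U+2514 is not mistaken for the letter L.
"""
import sys

ZONES_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
EXPECTED_ZONES = {"0", "1", "2", "3", "4"}


def code_points(name):
    """Render every character of a key name as U+XXXX so look-alikes are distinguishable."""
    return " ".join(f"U+{ord(ch):04X}" for ch in name)


def stray_zone_keys(subkey_names):
    """Return (name, code points) for each subkey that is not one of the five standard zones."""
    return [(name, code_points(name)) for name in subkey_names if name not in EXPECTED_ZONES]


def read_zone_subkeys(hive_name="HKEY_CURRENT_USER"):
    """Enumerate the Zones subkeys read-only with winreg (Windows only)."""
    import winreg  # standard library, available only on Windows
    hive = getattr(winreg, hive_name)
    names = []
    with winreg.OpenKey(hive, ZONES_SUBKEY, 0, winreg.KEY_READ) as key:
        subkey_count = winreg.QueryInfoKey(key)[0]
        for index in range(subkey_count):
            names.append(winreg.EnumKey(key, index))
    return names


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("This check reads the Windows registry; run it on the affected machine.")
    # The post fixes HKCU; HKLM carries the machine-wide copy of the same key.
    for hive in ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"):
        stray = stray_zone_keys(read_zone_subkeys(hive))
        for name, cps in stray:
            print(f"{hive}\\{ZONES_SUBKEY}\\{name!r}: unexpected zone subkey ({cps})")
        if not stray:
            print(f"{hive}: only the standard zone subkeys 0-4 are present")
```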

Monday, October 24, 2011

iPhone still sucks

There are 2 groups of iPhone users: those who love it and those who hate it. This is the post for those who hate it.

OK, we all know the iPhone sucks, partly due to iTunes (another piece of crap). And the number 1 reason I say "iPhone sucks" is that there is no easy way to connect your iPhone to a new laptop: it will wipe everything on your phone if you try. Having a new laptop, or re-installing your laptop, is common nowadays, whether due to a virus or the loss of your laptop. (Don't tell me to use a MacBook; your MacBook can be stolen or infected by a virus too.)

Today, I found a way to overcome this issue, for when you run into a similar situation next time.

Here are the steps:

  1. Authorize your new laptop with the same iTunes account.
  2. Plug your iPhone into the new laptop and select File > Transfer Purchases. [This causes iTunes to transfer apps from the iPhone to the new laptop.]
  3. Sync your iPhone with iTunes by clicking the Apps tab, ticking the sync apps option, and applying.
  4. Now, right-click your device in the iTunes sidebar and select Back Up.
  5. Now, just apply any update, such as iOS 5, as you normally would by clicking the Update button.
All your apps and settings should remain intact. Now should I say the iPhone doesn't suck anymore?

No, the iPhone still sucks because this method only transfers apps you've grabbed through the iTunes Store, which means, for example, the MP3s you'd synced to your device that you didn't buy from Apple are probably gone (forever).

Wednesday, October 19, 2011

WhatIsMyIPAddress by Google

You can now ask Google what your public IP address is by searching for any of the following:

  • my ip
  • my ip address
  • show my ip
  • what is my ip

Very cool ;-)

Automated Telnet Commands with VB script

Here's a VB script that can automate simple Telnet commands. Below is what happens during a manual telnet session:

  • Connect to an IP address on specific TCP port.
  • Press [ Enter ] to login.
  • Input the numeric key "5" followed by an [ Enter ] key.
Below is the VB script that automates the steps above:

' Save as a .vbs file and run it with wscript.exe or cscript.exe (Windows Script Host).
Option Explicit
On Error Resume Next
Dim WshShell, TargetIP
' Placeholder address: the original post elided the IP; replace it with the device's address.
TargetIP = "192.0.2.1"
Set WshShell = CreateObject("WScript.Shell")
' Open a command window; SendKeys types into whichever window currently has focus.
WshShell.Run "cmd.exe"
WScript.Sleep 1000
' Send commands to the window as needed - IP and commands need to be customized
' Step 1 - Telnet to remote IP and port 99
WshShell.SendKeys "telnet " & TargetIP & " 99"
WshShell.SendKeys "{Enter}"
WScript.Sleep 1000
' Step 2 - Issue commands with pauses
WshShell.SendKeys "{Enter}"
WScript.Sleep 1000
WshShell.SendKeys "5"
WshShell.SendKeys "{Enter}"
WScript.Sleep 1000
' Step 3 - Exit command window
WshShell.SendKeys "exit"
WshShell.SendKeys "{Enter}"

>>>> Original article at MakeUseOf

Saturday, October 15, 2011

Update My Nexus S to CM 7.1

Below are the steps I took to upgrade my Nexus S to CM 7.1 recently.
  1. Download the CyanogenMod 7.1 zip file for my phone.
  2. Transfer the .zip file to the root folder of the SD card.
  3. Turn off my phone once the transfer is complete.
  4. Boot into ClockworkMod Recovery mode by holding the volume up and power buttons.
  5. Using volume up/down (to navigate) and the power key (to select), navigate to backup and storage > backup.
  6. From the main menu: install zip from sdcard > choose zip from sdcard >
  7. Once flashing is complete, reboot and it is done.

CyanogenMod 7.1

Monday, September 19, 2011

Activate ActiveX Filtering in IE9

ActiveX Filtering is a new feature available in IE9, and it is disabled by default.

It provides a whitelist-style protection scheme. When it is enabled, NO ActiveX controls are allowed to run; when you go to a site that requires ActiveX controls and you trust the site, you can add it to the whitelist. Only websites on the list will be able to run ActiveX controls.

To enable ActiveX Filtering, go to the Tools menu > Safety and then select the ActiveX Filtering option.

Enable ActiveX Filtering

Thursday, August 25, 2011

Penetration Testing Execution Standard

There is a new homepage created for "Penetration Testing Execution Standard" at

Although it is still an alpha release, you can already see its coverage of many tools. The web site is built as a wiki and a mind map. Here's the brief summary:
  1. Pre-engagement Interactions
  2. Intelligence Gathering
  3. Threat Modeling
  4. Vulnerability Analysis
  5. Exploitation
  6. Post Exploitation
  7. Reporting

Tuesday, August 23, 2011

Hacking Resistance (Time-to-Hack)

After reading the article "ModSecurity SQLi Challenge: Lesson Learned", I learned a lot more about SQLi.

I can see a lot of creative ways to bypass security rules in order to inject SQL statements. The rule of thumb is that blacklist filtering is not adequate to fully prevent SQLi.

The last section of the article is what caught my eye: "Hacking Resistance (Time-to-Hack)". In the article,

The real goal of using a web application firewall should be to gain visibility and to make your web applications more difficult to hack meaning that it should take attackers significantly more time to hack a vulnerable web site with a WAF in front in blocking mode vs. if the WAF was not present at all.  
The idea is to substantially increase the "Time-to-Hack" metric associated with compromising a site in order to allow for operational security to identify the threat and take appropriate actions.
Think of a WAF as a tool to identify and block the initial probes and to alert incident response personnel.  It is up to the IR teams to match wits with an attacker and protect the application as necessary.

The article also includes an analysis of how long it took each Level II winner to develop a working evasion for CRS v2.2.0. Here are the results:

  • Avg. # of Requests to find an evasion: 433
  • Avg. Duration (Time to find an evasion): 72 hrs
  • Shortest # of Requests to find an evasion: 118
  • Shortest Duration (Time to find an evasion): 10 hrs

The conclusion: the data shows that having active monitoring and response capabilities for ongoing web attacks is paramount, as it may be only a matter of hours before a determined attacker finds a way through your defenses.
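The quoted argument is that blocking by itself only buys time, and that the time is wasted unless someone watches the blocked probes. As an added example (not from the article or this post), the Python below parses constructed ModSecurity 2.x-style error-log lines, groups the denials by client and raises an alert when one client trips a request threshold inside a sliding time window, well below the 118 to 433 requests the winners needed. The log lines, IP addresses and rule ids are constructed sample data, not real traffic.

```python
"""Probe-rate alerting over ModSecurity-style denial lines (added example).

A WAF in blocking mode only buys time, and the time is worth something only if
somebody is watching the blocked probes. This script parses constructed
ModSecurity 2.x error-log lines, groups the denials per client and alerts when
one client crosses a request threshold inside a sliding time window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One Apache error-log line per blocked request; the detector needs the timestamp,
# client IP, rule id, tag and URI. Field order follows ModSecurity 2.x.
LINE_RE = re.compile(
    r'^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4})\] \[error\] '
    r'\[client (?P<ip>[^\]]+)\] ModSecurity: Access denied with code (?P<code>\d+)'
    r'.*?\[id "(?P<rule>\d+)"\].*?\[tag "(?P<tag>[^"]+)"\].*?\[uri "(?P<uri>[^"]+)"\]'
)
TS_FMT = "%a %b %d %H:%M:%S %Y"


def constructed_line(ts, ip, rule, uri):
    """Build one constructed sample line in the format above (not real traffic)."""
    return (f'[{ts.strftime(TS_FMT)}] [error] [client {ip}] ModSecurity: Access denied '
            f'with code 403 (phase 2). Pattern match "(?i:...)" at ARGS:id. '
            f'[file "/etc/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"] '
            f'[id "{rule}"] [msg "Detects classic SQL injection probings"] '
            f'[severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] '
            f'[hostname "www.example.com"] [uri "{uri}"] [unique_id "CONSTRUCTED"]')


def build_sample_log():
    """Constructed sample: one fast-probing client, one sporadic client, one unrelated line."""
    t0 = datetime(2011, 8, 23, 10, 0, 0)
    lines = []
    for i in range(25):        # 25 denials in under 30 minutes from 198.51.100.7
        lines.append(constructed_line(t0 + timedelta(seconds=72 * i), "198.51.100.7",
                                      981243 if i % 2 else 981245, "/index.php"))
    for d in range(3):         # 3 denials spread over 32 hours from 203.0.113.5
        lines.append(constructed_line(t0 + timedelta(hours=16 * d), "203.0.113.5",
                                      981243, "/login.php"))
    lines.append("[Tue Aug 23 10:05:00 2011] [notice] Apache/2.2.14 configured "
                 "-- resuming normal operations")
    return "\n".join(lines)


def parse_events(text):
    """Return every ModSecurity denial as a dict; lines that are not denials are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], TS_FMT), "ip": m["ip"],
                           "rule": m["rule"], "tag": m["tag"], "uri": m["uri"]})
    return events


def find_probing_clients(events, threshold=20, window_hours=1.0):
    """Clients with at least `threshold` denials inside any span of `window_hours`.

    Two-pointer sweep over each client's sorted timestamps (O(n) per client).
    Returns {ip: {"hits", "burst", "span_hours", "rules"}} for clients that trip it.
    """
    window = timedelta(hours=window_hours)
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        times = sorted(e["ts"] for e in evs)
        start, burst = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            burst = max(burst, end - start + 1)
        if burst >= threshold:
            alerts[ip] = {"hits": len(times), "burst": burst,
                          "span_hours": (times[-1] - times[0]).total_seconds() / 3600,
                          "rules": sorted({e["rule"] for e in evs})}
    return alerts


if __name__ == "__main__":
    events = parse_events(build_sample_log())
    for ip, a in find_probing_clients(events).items():
        print(f"ALERT {ip}: {a['burst']} blocked SQLi requests within 1 h "
              f"({a['hits']} total over {a['span_hours']:.2f} h, rules {', '.join(a['rules'])})")
```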

Friday, August 12, 2011

Google+ Games

I just had Google+ Games enabled today.

Google+ Games

And this is the first game I played.

Angry Bird in Google+ Games

Thursday, July 21, 2011

Backup Your Data from The Cloud

Cloud computing is hot. It is the backend that supports many information systems such as email, social networks, photos, etc. However, have you ever planned to back up your data from the cloud one day?

There are 2 options: Google Takeout and Cloud Export.

Google Takeout (from Google) allows you to download all your data from their services. This includes +1, Buzz, Contacts and Circles, Picasa web albums, profile and streams.

Cloud Export is a Windows application that will back up everything for you. Once logged in, it will download your contacts, Gmail, Reader subscriptions, Blogger entries, and more, and store them all locally. The service supports Google accounts, Google Apps accounts, and even Twitter, and more.

Wednesday, July 13, 2011

Gmail Shortcuts

I didn't know there were keyboard shortcuts in Gmail until today. I found them by accident when I pressed "?" (Shift + /).


Saturday, July 09, 2011

Tuesday, July 05, 2011

FaceNiff and Activator

Heard about FaceNiff? How about Firesheep?

Firesheep has been so hot since last year. It is an add-on for the Firefox browser which can hijack any non-SSL Facebook session (and others like Gmail, etc.). It is still cool today!

FaceNiff takes it to the next level by doing the same thing as Firesheep, but running on a rooted Android phone.
FaceNiff is an Android app that allows you to sniff and intercept web session profiles over the WiFi that your mobile is connected to.
It is possible to hijack sessions only when WiFi is not using EAP, but it should work over any private networks (Open/WEP/WPA-PSK/WPA2-PSK)
It's kind of like Firesheep for android. Maybe a bit easier to use (and it works on WPA2!).
Now, the apk you download from FaceNiff is limited to 3 hijacked profiles. But there is a way to unlock the application: you need a FaceNiff Activator. Just follow the instructions from the article on and download SOneActivator.apk.

As far as I understand, the reason FaceNiff works on WPA2 networks is that it does ARP poisoning on the WiFi network.

Now, I have my FaceNiff running with me everywhere I go!

Monday, July 04, 2011

Root Nexus S Android 2.3.3 Gingerbread using SuperBoot

Just found another article on how to root the Nexus S on Android 2.3.3 Gingerbread using SuperBoot.

This is a much simpler way to root your Nexus S. Just wanted to share it here.

Sunday, July 03, 2011

Rooting Nexus S on Android 2.3.3 Gingerbread

After unlocking my Nexus S, I need to root it in order to get full permission on the filesystem.

Here are the steps I followed:
  • Reboot Nexus S into bootloader mode. To do so, use the following command at terminal or press the Volume Up + Power key simultaneously.
adb reboot bootloader
  • Unlock the bootloader using the following command:
fastboot oem unlock
  • Download recovery-clockwork-herring.img from here.
  • Now install Clockwork recovery image on Nexus S by using the following command:
fastboot flash recovery recovery-clockwork-herring.img
  • Reboot into recovery mode by using the following command at terminal or choose recovery from fastboot menu
adb reboot recovery
  • Download Koush's unsecure boot image (rootboot.img) from here and put it in your /sdk/tools/ folder
  • Now boot into fastboot and use the following command to install the rooted boot image:
fastboot flash boot rootboot.img
  • Download CHainsDD's Superuser zip ( from here.
  • Open the zip file, place the su binary and Superuser.apk in your sdk/tools/ folder.
  • Now use the following set of commands at terminal to install Superuser app
adb remount
adb push su /system/bin/
adb push Superuser.apk /system/app/
adb shell
chmod 6755 /system/bin/su
adb reboot

Saturday, July 02, 2011

Unlocking Google Nexus S Bootloader

I need full permission control on my Google phone in order to start researching on it. I need to do 2 things before I start any development: unlocking & rooting the Nexus S.

Unlocking the bootloader will allow me to install custom ROM. And by rooting it, I can gain full access to the filesystem.

My phone comes with Android 2.3.3 Gingerbread. Here are the steps to unlock it:
  • Download and install Android 2.3 SDK along with fastboot from here.
  • Turn off your Nexus S completely.
  • Now hold down the Volume Up + Power key simultaneously.
  • Now you should be in standard recovery mode.
  • Open Command Prompt on Windows and type the following command to confirm if your device is connected via USB cable or not.
fastboot devices
  • If fastboot is showing your device as connected, use the following command to unlock the bootloader of your Nexus S.
fastboot oem unlock
  • That's it! Now your Nexus S' bootloader is unlocked and you can easily install custom ROMs on your device.

Friday, July 01, 2011

My Google Nexus S

Recently I got my first Android phone (Nexus S). Thus I can start my research on Android phones from now on.

Bye Bye, my iPhone 3G!

Wednesday, June 29, 2011

Dark Bar from Google

See the dark bar on the top?

Microsoft Office 365

Microsoft Office 365 drops its BETA tag today.

Microsoft published release notes and unveiled tiered pricing plans that start at $6/month per user for small businesses and range between $10 and $27/month per user for large enterprises, depending on the features needed.

Office 365 combines Office Web Apps with additional collaboration services for businesses, including Outlook through Exchange Online, document sharing with Sharepoint Online, and corporate instant messaging and presence with Lync Server.

Tuesday, June 28, 2011

Enhancing your vlookup function

Here's another tip to help enhance the way you use your vlookup function, by removing the "#N/A" when the unique key isn't available.

We can remedy this by judicious use of Excel's IF() and ISBLANK() functions. We change our formula from this...
=VLOOKUP(A11,'Product Database'!A2:D7,2,FALSE)
...to this...
=IF(ISBLANK(A11),"",VLOOKUP(A11,'Product Database'!A2:D7,2,FALSE))

Lock the Table_array in vlookup function

A lot of the time, we use the vlookup function to retrieve information from another table, and we would like to lock the Table_array range. By default, Excel doesn't fix the range and keeps shifting it when you copy and paste the vlookup function.

Here's the quick fix.

After you create the 1st vlookup function, it will look like this:
VLOOKUP(A11,'Product Database'!A2:D7,2,FALSE)
To lock the table range before you copy and paste the function, add the $ to fix the cell reference, as below:
VLOOKUP(A11,'Product Database'!A$2:D$7,2,FALSE)
This fixes row 2 to row 7. Of course, you can also fix column A to column D at the same time:
VLOOKUP(A11,'Product Database'!$A$2:$D$7,2,FALSE)

Using VLOOKUP in Excel

This is a short description on how to use "vlookup" function in Excel.

The vlookup function is one of the most powerful Excel tips that I have learned. It works like database tables, where it can retrieve information from another table by supplying it a unique identifier. For instance, you can use the vlookup function to retrieve the product description (from another sheet) by supplying it the product code.

From the Formulas menu, choose Insert Function and search for the function called vlookup. You need to supply 3 mandatory parameters and 1 optional parameter:

  • Lookup_value: [ the unique key]
  • Table_array: [ the table range ]
  • Col_index_num: [ the column of the retrieved information in the table range]
  • Range_lookup (optional): [ sorted or unsorted 1st column in the table range ]

Monday, June 27, 2011

Quickly Remove Blank Row in Excel

Here's a handy way to remove all the blank rows in a long list.

  1. Remove any blank columns manually.
  2. Select the 1st blank cell in the 1st column.
  3. Hit F5 (Edit, Go To).
  4. Click Special.
  5. Select the Blanks option and click OK. This selects all the blank rows for you.
  6. Now, choose Edit, Delete, select the Entire Row option and click OK.

Thursday, June 23, 2011

Friday, June 03, 2011

Sony Pictures is Hacked via sqli

The Sony Pictures web site was hacked via SQL injection. All the user IDs, emails and passwords are shown in plaintext (and are available for download).

RSA (March), PSN (April~May), Sony Pictures (June), what's next?

A good write up on Sony PSN attack at Deciphering the Sony PSN Attack.

Wednesday, June 01, 2011

Incident Response Methodologies (IRM)

Go download a copy of all the IRM cheat sheets published by CERT Societe Generale. They provide easy-to-use operational incident best practices. These cheat sheets are dedicated to incident handling and cover multiple fields in which a CERT team can be involved.

They are all in PDF format:

  • IRM-1: Worm infection
  • IRM-2: Windows Intrusion
  • IRM-3: UNIX Intrusion
  • IRM-4: Distributed Denial of Services
  • IRM-5: Malicious Network Behavior
  • IRM-6: Website Defacement

Friday, May 27, 2011

Error in Static HTML on Facebook

It reveals the directory path, table name and field names in the database.

Fighting Mail Spam Takes A Month

User: "Hi (mail) administrator, I keep receiving spam mails from a user. Can you advise me what I should be doing? Here are the samples of the spam I received."

(after 1 week)

Mail Admin: "We received your request. After an in-depth study, we found that we can't do much about it. Because the source of the spam is coming from our business partner. We'll pass this case to Security Forensic team for further investigation."

(after 3 days)

Forensic team lead: "Hi Mail Admin, we confirm that this is real spam from our business partner. However, we cannot simply block them at the mail gateway, or else it may cause some legal issues with our business partner. We'll have a discussion with the legal team for further action."

(after 1 week)

Legal team: "Hi, forensic team! Unfortunately the answer is No. We can't block [ ALL ] their emails. This will cause a loss of business, and if we can't receive email from the business partner, we may have legal issues with them. No, please don't do anything stupid."

(after 3 days)

Forensic team: "Hi Mail Admin, there is nothing much I can do. The advice from the legal team is [ no ]. Please advise the user that we can't afford to lose the business. And make sure our mail gateway never ever [ blocks ] any email from the business partner."

(after 1 week)

Mail Admin: "Hi user, after some discussions with the forensic and legal teams, we will never block the spam mail (from the business partner) for you. It may involve complicated legal issues and the loss of business."

"However, we'll offer you another solution. You may configure a filter in your Outlook to filter all the emails for you. With this, you will not see any more spam mails. Please follow the instructions at our SharePoint site. There are detailed step-by-step instructions there."

User: "Thank you very much, Mail Admin. It really solved my problem after I followed the instructions from the SharePoint site."

Saturday, May 21, 2011

Google Vs Facebook

We all know that Facebook is hot now. But how much better is it than Google?

We can "google" the answer to this using Google Trends. As always, a picture is worth a thousand words.

Google Vs. Facebook

Wednesday, May 18, 2011

Angry Birds

The Google Chrome team released an online HTML5/JavaScript game, Angry Birds. You can install it as an app via the Web Store if you are using Chrome.

There are 2 quick hacks for this game. One lets you access all levels, including the special Chrome level. The other lets you set all levels to locked.

In the talk Rovio gave at Google I/O, they mentioned they were using HTML5's LocalStorage. If you open up the Web Inspector in Chrome, you'll see they keep track of your score and stars in localStorage. Lucky for us, that means we can use setItem() to set all 70 levels to 3 stars and get access to them all.

To unlock all levels:
javascript: var i = 0; while (i<=69) { localStorage.setItem('level_star_'+i,'3'); i++; } window.location.reload();

To lock all the levels:
javascript: var i = 1; while (i<=69) { localStorage.setItem('level_star_'+i,'-1'); i++; } window.location.reload();

Tuesday, May 17, 2011

Social Networks Security

Social Networks are a security game changer. Don't you see everyone is playing games on the FB apps nowadays?

Monday, May 09, 2011

Robots and Humans

Besides robots.txt, the Google site shows some humor: they have a humans.txt alongside the robots. Here's the list of URLs and the snippets:

Google Robots:


Youtube Robots:

# robots.txt file for YouTube
# Created in the distant future (the year 2000) after
# the robotic uprising of the mid 90's which wiped out all humans.

Google humans:

Google is built by a large team of engineers, designers, researchers, robots, and others in many different sites across the globe. It is updated continuously, and built with more tools and technologies than we can shake a stick at. If you'd like to help us out, see

Sunday, May 08, 2011

Monthly Report [ infosec ]

"This is the monthly incident report," said the Security Administrator.

"Put it together with last month's report, and I'll review it next month," said the IT director.

Saturday, May 07, 2011

"The Worst Information Security Advice Ever"

Inspired by Lenny's post "The Worst Information Security Advice Ever", I put a few here:

  • "We can save the money on firewall, because we will have an excellent IPS deployed next week.", said CIO.
  • "We hire the consultants to create the policy for us, and we will pay them to audit our PCI compliance status later on. So I know we are safe.", said CISO.
  • Disable the "change password" capability. This keeps users from forgetting their password and saves us from having to reset it for them.
  • Limit the event log size to 3MB in order to avoid filling the hard disk.
  • We're just too big to FAIL.

p/s: All the "advice" above is what I collected (in real life) over many years of working experience. These are not my own recommendations.

Friday, May 06, 2011

Malware Analyser

A malware analysis tool, Malware Analyser, now has a new home at

It is written in Python, and it is a freeware tool to perform static and dynamic analysis on malware.

Here's a few of the features:

  • String based analysis: API, DLL, registry, etc.
  • Showing PE header, symbols.
  • Code analysis by disassembling
  • Check for packer.
  • etc.

It can be downloaded from:

Thursday, May 05, 2011

Windows Update Error 80240030

When you get Windows Update error code 80240030, you are most likely seeing these symptoms:

  • Can't update your Windows: Windows Update fails.
  • Can't access your proxy settings in MSIE: IE crashes once you click "LAN settings".
  • IE can't access the Internet (through the proxy).

I have been having all these issues since I upgraded to IE9. And here is the solution that fixed the 80240030 error for me:

  1. Open a command prompt (as Administrator).
  2. Type "netsh winhttp reset proxy"
  3. Type "net stop wuauserv"
  4. Type "net start wuauserv"

It works in Windows 7 (32-bit & 64-bit) too. Enjoy!

Wednesday, May 04, 2011

MD5 in 64-Bit OS?

We are all familiar with MD5 hashing. But let's look at the screenshot below.

MD5 Hashing and File Size
You see, two files with different file sizes have the same MD5 hash value (8ae6dd9a6d246004da047f704f0cc487). Is it an MD5 hash collision? No. Once we use the right tool, md5deep64, we get the right result: the 32-bit md5deep runs under WOW64, where file system redirection can make a 32-bit tool open a different file from the one you named.

For an explanation of WOW64, see Microsoft documentation on Wow64 and some implementation details.

So, let's make sure you have the right tools for your new 64-bit OS today.


Tuesday, May 03, 2011


Every one of us has heard about Ophcrack, the awesome time/memory trade-off password cracker. If not, see Ophcrack and Rainbow Table.

Wophcrack is the web interface for Ophcrack password cracking tools.

Wophcrack - Web Interface for Ophcrack
Wophcrack Search Page

Wophcrack was designed to work on Backtrack 4 R2. It is a quick and dirty PHP based web frontend for Ophcrack.

Read more info and download Wophcrack here:

Updating Malware Cookbook DVD Tools

If you haven't got yourself a copy of Malware Analyst's Cookbook, do it now; then you can download the DVD tools, which are available online. This is a must-have if you are serious about REM.

I just did it by:
$ cd ~/rem 
$ svn checkout malwarecookbook-read-only

Sunday, May 01, 2011

Unity Shortcuts Wallpaper

Everyone probably knows that Unity-powered Ubuntu 11.04 is out. Of course, it comes with a new interface, which includes a slew of new keyboard shortcuts.

The Unity interface is a pretty big overhaul. So, here's a wallpaper from AskUbuntu that keeps a list of the keyboard shortcuts for you.

English version


Saturday, April 30, 2011

A New Life with Cloud Computing

Most people know what Cloud Computing is. But do you know how someone can begin a new life with Cloud Computing?

Take Amazon S3 as an example of a cloud computing service. S3 stands for Simple Storage Service.

First, we can back up and/or archive all our local files (documents, media, etc.) to S3, where they are available online from anywhere afterwards. Most of us currently back up/archive our files to a portable hard disk. Let's see what it costs to choose S3 instead of a portable hard disk.

S3 operates on a basis of paying only for what you use, with separate fees for storage, data transfer and data requests. Ignoring data request fees because the cost is minimal, the fees break down as follows:

Storage: 5GB free, then $0.15/GB per month (100GB = $15)
Data Transfer (Upload): $0.10/GB
Data Transfer (Download): $0.15/GB

As an example then – if you used it to store 100GB of data – it would cost you $10 to upload it all, $15 per month to store it, and a further $15 when you decided to download it all again.

So do you need to buy a 250GB portable hard disk and carry it everywhere you go?

Secondly, we may want to backup/archive all the online information we had, such as social feeds and online personas.

Again, by using Amazon S3 together with Backupify, the backup/archive of all the services below is simplified and automated.
Automatic Backup by Backupify

Most importantly, it allows you to search the backups easily!

And finally, your life will be uncluttered with cloud computing.

Friday, April 29, 2011

Remote Command Executor

RemCom is a RAT [Remote Administration Tool] that lets you execute processes on remote Windows systems, copy files, process their output and stream it back. It allows execution of remote shell commands directly with a full interactive console.

It is similar to psexec except it is open source.

Download RCE at
For more info, refer to

Thursday, April 28, 2011

Two Visualization Tools for Twitter

Two visualization tools for Twitter are introduced here: mentionmapp and twiangulate.

Mention Map is a Twitter visualization tool that displays the connections to a Twitter account. The tool is being upgraded but the original version is still available (click on the "classic link" at the bottom of the page.)

Twiangulate is another Twitter visualization tool that enables you to compare two or more Twitter accounts. The end result is a Venn diagram of commonalities as well as a table of the top followers.

Thursday, April 21, 2011

MyEmail 404

Front-end powered by UNIX Apache; back-end powered by Microsoft.

Go to the default web page and all I get is an instruction page for cPanel. :-)

MyEmail Default Web Page

Wednesday, April 20, 2011

RawCap - Network Sniffer for Windows

RawCap (only 17kB) is a free raw-sockets network sniffer for Windows. It requires no external libraries or DLLs, just a standalone exe.

It can sniff any interface, including loopback, WiFi and PPP interfaces.

Personally, I use it for 2 purposes, penetration testing and incident response:
  • Sniff additional credentials after breaking into a remote machine (as admin), without WinPcap or an NDIS driver.
  • Sniff the loopback interface to detect data leakage via an SSL tunnelling proxy.
  • Sniff WiFi (WPA2) for any suspicious TCP connections.

RawCap is provided for free and can be downloaded from here:

Monday, April 18, 2011


FindDomains is a multithreaded search engine discovery tool.

It retrieves domain names/web sites which are located on a specified IP address/hostname. It can be very useful for penetration testers during reconnaissance of domain names/web sites/virtual hosts/virtual IPs.

Main highlights:
  • Uses the Bing search engine. Works with the first 1000 records.
  • Multithreaded crawling and DNS resolution.
  • Performs DNS resolution for extracted domains to eliminate cached/old records.
  • Has a console interface.
  • Works with Mono (under Linux), but running under Windows is more efficient.
  • Requires .NET Framework 3.5
Find it at

Monday, April 11, 2011

Open Computing Project

Under an initiative dubbed the Open Compute Project, Facebook released designs for the technology powering its new data center in Prineville, Ore., which Facebook says is 38 percent more efficient and 24 percent cheaper to run thanks to its custom engineering.

Tuesday, April 05, 2011

Network Forensic Analysis of SSL MITM Attacks

SSL is not a panacea. If someone performs a man-in-the-middle (MITM) attack on HTTPS traffic (i.e. HTTP over SSL), he would be able to see all the encrypted content in clear text.

There are parties with legitimate reasons to eavesdrop on HTTPS traffic, such as your employer or your government.

If you suspect your network traffic is being monitored, how would you go about doing forensic analysis of captured network traffic from a suspected MITM attack?

Here's a summary of the article that shows you how:

  • Extract the X.509 certificates (as *.cer files) from the captured SSL traffic with NetworkMiner.
  • Inspect the extracted files.
  • Verify the IP and DNS.
  • Look for any self-signed cert, revoked cert or cert signed by a non-trusted CA.
  • Verify the MD5 fingerprint of an SSL cert with OpenSSL:

$ openssl x509 -inform DER -in -noout -fingerprint -md5
MD5 Fingerprint=52:12:A2:B1:27:E3:BB:CC:E5:F5:AA:BD:A1:A1:E6:F8

More references:

Tuesday, March 22, 2011

Windows PE Header

Understanding Windows PE Header is essential to perform Reverse Engineering Malware.

Each executable file has a COFF (Common Object File Format) header, which is used by the OS loader to run the program. Windows Portable Executable (PE) is the COFF-based format used on Windows, while the Executable and Linkable Format (ELF) is the main Linux counterpart.

Microsoft migrated to the PE format with the introduction of the Windows NT 3.1 operating system. PE/COFF headers still include an MS-DOS executable program, which is by default a stub that displays the simple message "This program cannot be run in DOS mode" (or similar). PE also continues to serve the changing Windows platform. Some extensions include the .NET PE format (see below), a 64-bit version called PE32+ (sometimes PE+), and a specification for Windows CE.

MZ are the first 2 bytes you will see in any PE file opened in a hex editor. The DOS header occupies the first 64 bytes of the file, i.e. the first 4 rows seen in the hex editor in the picture below. The last DWORD of the DOS header (e_lfanew, at offset 3Ch) contains 00h 01h 00h 00h in this example; read as a little-endian value that is 100h, the file offset where the PE header begins. The DOS stub is the piece of code that runs if the executable is started from a DOS environment (for example a DOS shell). For backward compatibility it usually does little more than print "This program must be run under Win32" (or a similar message).

The PE header begins with its signature 50h, 45h, 00h, 00h (the letters "PE" followed by two terminating zeroes). If you find an NE signature in this field rather than PE, you're working with a 16-bit Windows New Executable file. Likewise, an LE in the signature field indicates a Windows 3.x virtual device driver (VxD), and an LX marks a file for OS/2 2.0. FileHeader is the next 20 bytes of the PE file and contains info about the physical layout and properties of the file, e.g. the number of sections. OptionalHeader is always present and, for a PE32 file, forms the next 224 bytes. It contains info about the logical layout inside the PE file, e.g. AddressOfEntryPoint. Its size is given by a member of FileHeader (SizeOfOptionalHeader). The structures of these members are also defined in

Not all of these sections must be present, but you need to update NumberOfSections when you add or delete sections in a PE file. The best way to analyze the sections is with PE Explorer or PEiD.

AddressOfEntryPoint is the relative virtual address (RVA) of the first instruction that will be executed when the PE loader is ready to run the PE file. If you want to divert the flow of execution right from the start, change the value in this field to a new RVA, and the instruction at the new RVA will be executed first. Executable packers usually redirect this value to their decompression stub, after which execution jumps back to the original entry point (OEP) of the application. Of further note is the StarForce protection, in which the CODE section is not present in the file on disk but is written into virtual memory on execution.

ImageBase is the preferred load address for the PE file. For example, if the value in this field is 400000h, the PE loader will try to load the file into the virtual address space starting at 400000h. The word "preferred" means that the PE loader may not load the file at that address if some other module already occupied that address range. In 99% of cases it is 400000h.

SectionAlignment is the granularity of the alignment of the sections in memory. For example, if the value in this field is 4096 (1000h), each section must start at multiples of 4096 bytes. If the first section is at 401000h and its size is 10 bytes, the next section must be at 402000h even if the address space between 401000h and 402000h will be mostly unused.

FileAlignment is the granularity of the alignment of the sections in the file. For example, if the value in this field is 512 (200h), each section must start at multiples of 512 bytes. If the first section is at file offset 200h and the size is 10 bytes, the next section must be located at file offset 400h: the space between file offsets 522 and 1024 is unused/undefined.

SizeOfImage is the overall size of the PE image in memory. It's the sum of all headers and sections aligned to SectionAlignment.

SizeOfHeaders is the size of all headers + section table. In short, this value is equal to the file size minus the combined size of all sections in the file. You can also use this value as the file offset of the first section in the PE file.

DataDirectory is the final 128 bytes of OptionalHeader, which in turn is the final member of the PE header IMAGE_NT_HEADERS. DataDirectory is an array of 16 IMAGE_DATA_DIRECTORY structures, 8 bytes apiece, each relating to an important data structure in the PE file. Each entry refers to a predefined item, such as the import table. The structure has 2 members which contain the location and size of the data structure in question: VirtualAddress is the relative virtual address (RVA) of the data structure, and Size contains its size in bytes.

Windows PE Header
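To make the header layout above concrete, here is an added example (not code from the original post) that walks the DOS header, PE signature, FileHeader, PE32 OptionalHeader and section table with Python's struct module, and reports which section holds AddressOfEntryPoint. The bytes it parses are a constructed header image built by build_sample(), not a real binary, and the field offsets come from the PE/COFF specification.

```python
import struct

# Layouts follow IMAGE_DOS_HEADER, IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER32 and
# IMAGE_SECTION_HEADER from the PE/COFF specification; all fields are little-endian.
E_LFANEW_OFFSET = 0x3C                                 # last DWORD of the 64-byte DOS header
FILE_HEADER = struct.Struct("<HHIIIHH")                # 20 bytes
OPT_HEADER32 = struct.Struct("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "H" * 2 + "I" * 6)  # 96 bytes
DATA_DIR = struct.Struct("<II")                        # VirtualAddress, Size; 16 entries = 128 bytes
SECTION = struct.Struct("<8sIIIIIIHHI")                # 40 bytes
OTHER_SIGNATURES = {b"NE": "16-bit Windows New Executable", b"LE": "Windows 3.x VxD", b"LX": "OS/2 2.0"}


def parse_pe(data):
    """Parse the headers of a PE32 image and return the fields discussed in the post."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ magic: not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    sig = data[e_lfanew:e_lfanew + 4]
    if sig != b"PE\0\0":
        kind = OTHER_SIGNATURES.get(sig[:2], "unknown")
        raise ValueError("signature %r at e_lfanew is not PE: %s" % (sig[:2], kind))
    fh = FILE_HEADER.unpack_from(data, e_lfanew + 4)
    opt_off = e_lfanew + 4 + FILE_HEADER.size
    oh = OPT_HEADER32.unpack_from(data, opt_off)
    if oh[0] != 0x10B:
        raise ValueError("OptionalHeader magic %#x: only PE32 is handled here" % oh[0])
    dir_off = opt_off + OPT_HEADER32.size
    dirs = [DATA_DIR.unpack_from(data, dir_off + DATA_DIR.size * i) for i in range(min(oh[29], 16))]
    sect_off = opt_off + fh[5]                         # SizeOfOptionalHeader locates the section table
    sections = []
    for i in range(fh[1]):                             # NumberOfSections
        s = SECTION.unpack_from(data, sect_off + SECTION.size * i)
        sections.append({"name": s[0].rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": s[1], "virtual_address": s[2],
                         "raw_size": s[3], "raw_offset": s[4], "characteristics": s[9]})
    return {"machine": fh[0], "number_of_sections": fh[1],
            "entry_point": oh[6], "image_base": oh[9],
            "section_alignment": oh[10], "file_alignment": oh[11],
            "size_of_image": oh[19], "size_of_headers": oh[20],
            "data_directory": dirs, "sections": sections}


def entry_section(pe):
    """Name of the section containing AddressOfEntryPoint, or None if no section covers it."""
    rva = pe["entry_point"]
    for s in pe["sections"]:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            return s["name"]
    return None                                        # entry point outside every section: look closer


def build_sample(entry_point=0x1010):
    """Constructed PE32 header image (two sections, no real code) used to exercise the parser."""
    dos = b"MZ" + b"\0" * (E_LFANEW_OFFSET - 2) + struct.pack("<I", 0x80)
    dos += b"\0" * (0x80 - len(dos))                   # a DOS stub would live here; left empty
    file_header = FILE_HEADER.pack(0x14C, 2, 0, 0, 0, OPT_HEADER32.size + 16 * DATA_DIR.size, 0x102)
    opt = [0x10B, 14, 0, 0x200, 0x200, 0, entry_point, 0x1000, 0x2000, 0x400000, 0x1000, 0x200,
           6, 0, 0, 0, 6, 0, 0, 0x3000, 0x400, 0, 3, 0x8140, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16]
    dirs = b"".join(DATA_DIR.pack(0x2000, 0x50) if i == 1 else DATA_DIR.pack(0, 0) for i in range(16))
    sections = SECTION.pack(b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    sections += SECTION.pack(b".data", 0x200, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040)
    return dos + b"PE\0\0" + file_header + OPT_HEADER32.pack(*opt) + dirs + sections


if __name__ == "__main__":
    pe = parse_pe(build_sample())
    print("EntryPoint %#x in %s, ImageBase %#x, SizeOfImage %#x"
          % (pe["entry_point"], entry_section(pe), pe["image_base"], pe["size_of_image"]))
```

Replace build_sample() with open("sample.exe", "rb").read() to run it on a real 32-bit binary; an entry point that entry_section() cannot place is the kind of anomaly a packer or a corrupt header produces.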


Friday, March 18, 2011

Download YouTube video

Here's my favorite way to download any YouTube video that I like, such as music videos.
  1. Use the Google Chrome browser (or Firefox).
  2. Install the userscript "YouTube Video Download" at
Now, dig out your favorite YouTube video from your bookmarks, and you should see a "Download" button below it. Enjoy!

Tuesday, March 15, 2011

Internet Explorer 9 is coming to town

Internet Explorer 9 is available for download now. Just wondering why installing IE9 required me to restart my computer?

This is what I get after I restart my PC.


Monday, March 07, 2011

Free Computer Forensic Tools

This is a handy list for forensic and IR work. Any update of the list will be announced on

Currently the list is divided into the following categories:

  • Disk Tools
  • Email Analysis
  • General
  • File & Data Analysis
  • Data Analysis Suite
  • File Viewers
  • Internet History Analysis
  • Registry Analysis
  • Web Application Analysis
The full list can be obtained at

Introduction to Java Examination

There is an article posted by Corey Harrell, (Almost) Cooked Up Some Java. It walks through the steps he took to examine Java artifacts. The article includes:

  • Understand the Java cache folder.
  • Examine the IDX file.
  • Examine the JAR file.
  • Extract Java source from the JAR file.
  • Examine the Java source code.

Friday, March 04, 2011

Arduino Tutorial

OK, I admit it. I only managed to complete up to "Lesson 2". But there are altogether 7 lessons in this great tutorial at

And there is much more there for any beginner who wishes to learn Arduino or electronics.

Wednesday, February 23, 2011

Secure Erase

This summarizes an article by Craig Wright. He is a Director with Information Defense in Australia.

In the article, Erasing drives should be quick and easy, he shows us a way to perform a secure erase. He also lists some FUD about data recovery, like:

  • X-Ray machines and scanners will erase a drive;
  • SEM or AFM (electron microscopy will do) could be used to recover data;
  • Government or NSA can read your wiped drives;
The simplest way to wipe a hard disk is to use the firmware Secure Erase (SE) command on ATA drives (SATA, PATA, etc.). A full erase using SE takes 30 minutes to 1 hour to complete. Basically it is quick, it is non-recoverable, it saves all the BS, and it removes the need for the FUD that still surrounds us.

Here are the steps to wipe a drive using the hdparm utility:

  1. Login as root.
  2. Ensure the drive isn't security frozen (the output shows "not frozen"): hdparm -I /dev/sda
  3. Set a user password, with Security = Maximum (Master Password = blank): hdparm --user-master u --security-set-pass Eins /dev/sda
  4. Confirm the previous step with the word "enabled" in the output: hdparm -I /dev/sda
  5. Issue the ATA SE command: hdparm --user-master u --security-erase Eins /dev/sda
  6. Verify that the output now shows "not enabled" again: hdparm -I /dev/sda
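As an added example (not from the article or the post), here is a small Python pre-flight check that parses the "Security:" block of hdparm -I output and tells you whether the drive is in the right state for each step above: not frozen and not yet enabled before setting the password, enabled before issuing the erase, and not enabled again afterwards. The step names are the example's own, and the hdparm output it uses is constructed in the shape of real output; feed it the actual output of hdparm -I /dev/sda instead.

```python
import re

# What each step of the procedure needs to see in the Security block before it is run.
# Step names belong to this example, not to hdparm.
STEP_REQUIREMENTS = {
    "set-pass": {"supported": True, "frozen": False, "enabled": False, "locked": False},
    "erase":    {"supported": True, "frozen": False, "enabled": True},
    "verify":   {"enabled": False},                    # expected after a successful erase
}


def security_state(hdparm_output):
    """Parse the Security block of `hdparm -I` output into {flag: bool} plus erase_minutes."""
    state, in_block = {}, False
    for line in hdparm_output.splitlines():
        if line.startswith("Security:"):
            in_block = True
            continue
        if not in_block or not line.strip():
            continue
        if not line[0].isspace():                     # next top-level heading ends the block
            break
        text = line.strip()
        m = re.search(r"(\d+)min for SECURITY ERASE UNIT", text)
        if m:
            state["erase_minutes"] = int(m.group(1))
            continue
        if "=" in text:                                # e.g. "Master password revision code = 65534"
            continue
        negated = text.startswith("not")               # hdparm prints "not<TAB>frozen" when unset
        if negated:
            text = text[3:].strip()
        key = "enhanced_erase" if text.startswith("supported: enhanced erase") else text.split(":")[0].strip()
        state[key] = not negated
    return state


def preflight(hdparm_output, step):
    """Return (ok, problems): whether the drive state allows the given step of the procedure."""
    state = security_state(hdparm_output)
    problems = []
    for flag, wanted in STEP_REQUIREMENTS[step].items():
        actual = state.get(flag)
        if actual is None:
            problems.append("%s: not reported by hdparm -I" % flag)
        elif actual != wanted:
            problems.append("%s is %s, expected %s" % (flag, actual, wanted))
    return (not problems, problems)


def sample_output(enabled=False, frozen=False, locked=False):
    """Constructed excerpt in the shape of `hdparm -I` output (not captured from a real drive)."""
    def flag(name, on):
        return ("\t\t%s" if on else "\tnot\t%s") % name
    return "\n".join([
        "/dev/sda:", "", "ATA device, with non-removable media",
        "Security: ",
        "\tMaster password revision code = 65534",
        "\t\tsupported",
        flag("enabled", enabled), flag("locked", locked), flag("frozen", frozen),
        "\tnot\texpired: security count",
        "\t\tsupported: enhanced erase",
        "\t40min for SECURITY ERASE UNIT. 40min for ENHANCED SECURITY ERASE UNIT.",
        "Checksum: correct",
    ])


if __name__ == "__main__":
    for step in ("set-pass", "erase", "verify"):
        print(step, preflight(sample_output(frozen=True), step))
```

A frozen drive is the usual reason step 3 fails; the check reports it before any password is set, rather than leaving the drive half-configured.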