Repairing A Flat Iron ( Thermal Fuse Fun! )
My fiancee mentioned this morning that her imitation "Chi" was borked after less than a year of use.
For those of you who aren't in the know (aka male), the Chi is a highly regarded flat iron that many women consider reliable.
Where's that scientific data when you need it eh?
When I bought the generic flat iron for my fiancee, I did so because I couldn't justify the expense of a CHI. (It just figures that I drive a Honda S2000.) Anyway, I was able to repair the flat iron, and I have detailed how to perform the repair below.
WARNING / DISCLAIMER: If you don't know what a soldering gun is, or better yet don't have one, steer clear of performing this repair. Bottom line is I am not responsible whatsoever for your actions. By continuing beyond this point you agree to the above terms.
Great, so I see you agree. Let's get to it.
The problem with most flat irons "breaking" is that once the thermal fuse goes (i.e. excessive heat from being left on all day, overnight, etc.), the circuit is open, the ceramic plates will not heat, and you have a broken flat iron.
Tools:
Wire Crimps or a Soldering Iron & Electrical Solder
Phillips screwdriver
Thermal Cutoff Fuse (depends on Iron. See details below)
Volt Meter
Troubleshooting
To begin, we need to confirm that the issue is the thermal cutoff fuse. The thermal cutoff fuse is a small, one-shot component that permanently opens the circuit once a set temperature is exceeded.
This is what it looks like:
Taking apart the imitation CHI is fairly simple and straightforward. As you get it apart you'll find that the ceramic plate has a plastic backing that slips on, and the thermal fuse is housed in the space between them. In the picture below, I have taken off the plastic backing and exposed the thermal fuse, which sits inside a protective (plastic?) housing with thermal paste pressed against the back plate.
To test the fuse, I set my volt meter for continuity and tested the thermal fuse. As you can see below, no continuity.
From here you need to identify the flat iron's thermal fuse specifications by reading the part number and googling it. In my case, the thermal fuse was available at the local Radio Shack. Match all three ratings (trip temperature, current and voltage); a replacement with a lower trip temperature will blow in normal use, and one with a higher trip temperature defeats the safety it is there to provide.
I soldered it in and was good to go. My thermal fuse was a SEFUSE SF226E rated for 227°C, 10A and 250V~.
IMPORTANT!!!
My soldering gun is battery powered and runs just below the fuse's rated temperature, but I would recommend using crimps instead: an extremely hot soldering iron will trip the fuse before your wife / girlfriend / mother gets a chance to use it. If you do solder, keep the leads long and clamp a heat sink (pliers will do) between the joint and the fuse body.
UPDATE: Over at JoeDotCom.Com there is a great write up on fixing a switch of a flat iron.
Tell me what you think?
AutoIT – Automate Your Workplace!
I am a HUGE fan of AutoIt.
I have used AutoIt to automate joining a computer to wireless networks, as well as data entry from Excel into third-party programs, because of how rapidly you can write a script and how little you need to know beforehand.
Recently, I discovered a hex editor ("Hex Editor Neo") that supports a "patterning" feature: you enter a hex sequence with a description of what it is and a color scheme, and the editor applies that color to every occurrence in the currently open executable. In my case, I wanted a color scheme for every IL opcode so they would be easier to spot. I found a list of opcodes and moved that data into Excel.
Then, I recorded a macro with AutoIT and imported those opcodes into Hex Editor Neo.
Tell me what you think?
.HACK, .NET, .NET Reflector

As someone developing an application on the .NET framework, I hadn't put much thought into code obfuscation. My priority was to accomplish a specific task: a functional product.
Now, I am not going to lie: I never looked much into the inner workings of .NET, since it never intrigued me. For the most part, I had a general idea.
Today, I researched a bit on how it worked and in this post focused more on how it broke down.
Downloading the .NET SDK provided some rather valuable tools for exploring the technology. I don't have much time, so I will speak specifically of IL DASM (the MSIL Disassembler), which, when opened on an unpacked .NET executable, takes apart the assemblies of that application. Before I get ahead of myself, let me clarify something first. MSIL stands for Microsoft Intermediate Language (according to Wikipedia it is now referred to as CIL, Common Intermediate Language), a set of CPU-independent instructions that the runtime converts to native code when the program runs. If you are a developer you probably know this; I am a novice and did not.
What this means to me or you is that recovering readable source code from an executable is a simple task. A .NET assembly ships its CIL together with metadata (type names, method names, signatures), and unless an obfuscator has stripped those names the decompiler gets them for free, which is why the output looks like the original project rather than a disassembly listing.
( Pictured above is a commercial application written in .NET that couldn't even put up a fight. Trademarks and name specific's have been blocked for intellectual property reasons. )
I'd expand on IL DASM more but there is a tool much better suited for the job and it's called .NET Reflector.
.NET Reflector is more user friendly, and it does something a little extra special: it converts CIL into Visual Basic, C#, Delphi, MC++ or Chrome live, on the fly.
You can see this behavior exhibited in the video below:
As you can see, we have great flexibility to take apart a .NET application and view source code with far less effort than reverse engineering a native application with a debugger and translating machine code. Additionally, with the Reflexil add-in we can even change aspects of the application and save the modified assembly.
It really opened my eyes that source code is so easy to recover from a .NET application. The problem hinges on the format it is compiled to: CIL plus metadata is designed to be read by the runtime, and anything the runtime can read, Reflector can read too. The only defence short of shipping native code is obfuscation, which raises the bar but does not remove it.
Tell me what you think?
A False Sense of Security: An Explanation Of Terms
When posting the conclusion of my antivirus study, I glazed over some core concepts and definitions of terms I was using because I wanted to complete the post.
This post is for those of you who's heads were spinning in that post.
Executable
An executable is a program. A program is a collection of functions that accomplish specific tasks as designed. For instance, Internet Explorer is a program that allows you to browse the web.
Executable Compression (UPX for example)
Executable compression is similar to a self-extracting WinZip archive, except that the archive is the application itself: the original code is stored compressed and a small stub decompresses it into memory every time the program starts. Its primary use is to shrink file size.
EXE Packing
Packing is the process of taking an executable and making its code indecipherable on disk while still leaving it executable by the operating system. This can be done a few ways and is generally accomplished with a third-party program such as ASPack, Armadillo or another industry standard. These commercial packing programs are used by game developers, software engineers and other industry professionals to thwart crackers from breaking their applications and releasing them on P2P networks. Unfortunately, anything done to an executable can be undone: the original code has to be restored in memory before it can run, so there is always a point at which it can be dumped, and there are people who are exceptionally good at reverse engineering.
Manually Packing Executable
Manually packing an executable is something more advanced. This is the process of writing a custom encryption routine and a matching loader stub and applying them to an executable (like we did in my previous post, following instructions found on Google).
Morphine
Morphine is an aptly named packer developed to cloak nefarious applications from AV. In its heyday Morphine would trounce antivirus solutions with no problem. Its use, coupled with UPX, would leave the most common virus or trojan executable undetected by antivirus, and to this date it still serves to mask packed malware from some antivirus solutions.
Batch Script
Batch scripting is built right into Windows. It allows for automation of operations a user would normally have to perform manually. In my previous post, I used a batch script to run NetCat through the UPX packer and then through Morphine. I specified the input and output paths in variables at the top of the script, then prompted for the ImageBase address read from LordPE and stored that input in a variable so Morphine could do its work on the executable.
LordPE
LordPE is something else I glazed over. LordPE is a PE editor: it lets you view and change the headers of an executable (which is where I read the ImageBase that Morphine needs), dump running processes to disk and rebuild the result into a loadable file. The sum of what it can do is too complex and convoluted to describe in a single post. Perhaps some other day?
Tell me what you think?
A False Sense of Security : AntiVirus Part III
Previously, we touched on the idea that AV is not as infallible as advertisers would have you believe. This post is the continuation of that study.
PART III
continued from here
To begin, I decided to compress NetCat with UPX. The syntax and flags used were as follows:

upx C:\NetCat\nc.exe --best --ultra-brute --compress-icons=3 --strip-relocs=1
Before looking at the compressed file, let's take a look at the original, unpacked executable's VirusTotal scan to find out which AVs detected it.
From the results, we see that these 21 antivirus solutions were the only ones to detect our UNPACKED executable. Technically, NetCat is not a virus or malware, but it can be used as one (it is a popular backdoor once an attacker is on a box), so in my view it should be flagged by all of them, as an optional detection in their configurations.
Now that it's been packed, I decided to see if a single pass of UPX would be enough to hide it from any of our antivirus solutions, so I uploaded it to VirusTotal expecting to have 21 detections once more.
Out of our list of AVs, only 15 identified NetCat as before, and 1 merely flagged that the file was packed without detecting the real threat.
But we're not done yet, are we? Dig in, it's only going to get messier from here.
I decided to write a batch file that would process the executable sequentially through UPX compression and something I haven't touched on until right now called "Morphine".

The actual code for the batch was:
@ECHO OFF
REM ************************
REM Variables
REM ************************
SET INPUT=C:\HackTools\NetCat\nc.exe
SET OUTPUT=C:\Users\Admin\Desktop\nc.exe
@echo.
@echo ******************************************
@echo *    Compressing Executable with UPX     *
@echo ******************************************
C:\HackTools\Packers\upx\upx --best --ultra-brute --compress-icons=3 --strip-relocs=1 %INPUT% -o %OUTPUT%
@echo.
@echo ******************************************
@echo *** Opening LordPE to Obtain Imagebase ***
@echo ******************************************
REM The first quoted argument to START is the window title, the second is the program to run
start "LordPE" "C:\HackTools\exetools\LordPE\LordPE.exe"
@ECHO Path of executable is %OUTPUT%
@echo.
:imagebase
set IMAGEBASE=
set /P IMAGEBASE=Type the ImageBase shown by LordPE: 
REM Re-prompt until something was entered, then confirm it before Morphine runs
if "%IMAGEBASE%"=="" goto imagebase
echo Your input was: %IMAGEBASE%
PAUSE
@echo.
@echo ******************************************
@echo *  Morphine is crypting the executable   *
@echo ******************************************
@echo.
C:\HackTools\Packers\Morphine\morphine.exe -b:%IMAGEBASE% -o:%OUTPUT% %OUTPUT%
PAUSE
Morphine, which has been around for quite some time in underground blackhat circles, is used to make executables "KAV undetectable". I deliberately downloaded a dated version of Morphine, in the hope that a 2004 release would long since have been reverse engineered by AV companies and could be unpacked easily to reveal the executable being masked. KAV (short for Kaspersky Antivirus) is apparently used as the benchmark of detection by the underground of virus and remote access trojan writers. Floating through IRC (Internet Relay Chat) chatrooms and googling for this post, I found numerous posts referencing Kaspersky as the antivirus to beat, so my expectations of its performance are naturally higher than for the others.
It was time to process our executable.
As you can see from the video above, I run our batch script, which compresses the executable and then packs it with Morphine. Then I upload it to VirusTotal and take a look at the results.

As you can see, the majority of antivirus solutions only detect that the file has been packed, and some identify the packer. Few detect the true identity of our executable, which is NetCat.
This is a double-edged sword.
On one hand we are being flagged, which is good; on the other hand, if a product cannot see through the packing to the real identity of an executable, we may be subjected to its true intentions. Additionally, some AVs flag the file as a different, unrelated virus, which is a false positive as far as the named threat goes. Bear in mind, too, that VirusTotal scans the file at rest; on a live host the stub has to unpack NetCat in memory before it can run, which gives behavior-based detection a second chance that these results don't measure.
We have seen that Morphine itself is for the most part detected now, but unfortunately only a handful of antivirus solutions identify the masked executable as NetCat. And keep in mind that we did not get a 100% detection ratio even though we used a dated tool. To me it is unacceptable for any antivirus not to detect Morphine after this much elapsed time. Just think to yourself: what happens when we use the most current releases?
Since I am not part of the underground group of people who specialize in these activities, I frankly don't know where to go to get the latest release. I am sure with some crafty googling I could find it, but I don't need to at this point. If a tool that is 5-6 years old can still mask an executable, it's not a stretch to assume the most current release slips under the radar as well, which brings me to the last and final stage of this demonstration.
From the research I had done, I found that many virus and trojan writers write their OWN packing/encrypting routines to mask their malware, leaving Morphine out of the equation altogether. This is a HUGE problem for AV and for you: a home-grown packer has no signature anywhere. If your AV matches only on signatures of the file as it sits on disk, and does not unpack or emulate the sample to look at what actually executes, there will be no detection.
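Two steps in this study are easy to automate, and doing so shows what the "packed" and "UPX" verdicts above are actually keyed on. The script below is an added example of mine, not the post's batch script and not part of LordPE, UPX, Morphine or .NET Reflector. It reads the same ImageBase that LordPE shows (the value the batch script prompts for), checks the CLR data directory whose presence marks a .NET assembly (the property that makes the Reflector decompilation in the earlier post possible), and computes the two cheap static tells that a scanner uses to say "this is packed": UPX section names and near-8-bits-per-byte section entropy. The PE images it analyses are synthetic, header-only samples built by the script itself (they are not runnable programs, and the CLR header RVA and size in the .NET sample are placeholder values); no real NetCat binary or VirusTotal result is involved.

```python
import math
import random
import struct

FILE_ALIGN = 0x200    # FileAlignment used by the synthetic samples
SECT_ALIGN = 0x1000   # SectionAlignment used by the synthetic samples
OPT_SIZE = 0xE0       # size of a PE32 optional header with all 16 data directories


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0; compressed or encrypted data sits close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Pull ImageBase, the CLR data directory and the section table out of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptHdr, Chars
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: 32-bit ImageBase at +28, data directories start at +96
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        dd_off = opt + 96
    elif magic == 0x20B:    # PE32+: 64-bit ImageBase at +24, data directories start at +112
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        dd_off = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", data, dd_off - 4)[0]   # NumberOfRvaAndSizes
    clr_rva = clr_size = 0
    if n_dirs > 14:         # directory 14 is the CLR runtime header; non-zero means managed code
        clr_rva, clr_size = struct.unpack_from("<II", data, dd_off + 14 * 8)
    sections = []
    for i in range(nsec):   # 40-byte section headers follow the optional header
        name, _vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + i * 40)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "raw_size": raw_size, "entropy": shannon_entropy(raw)})
    return {"image_base": image_base, "is_dotnet": bool(clr_rva and clr_size), "sections": sections}


def packer_indicators(info: dict) -> list:
    """The static tells behind a 'packed' / 'UPX' verdict: section names and raw-data entropy."""
    reasons = []
    if {s["name"] for s in info["sections"]} & {"UPX0", "UPX1", "UPX2"}:
        reasons.append("UPX section names")
    high = [s["name"] for s in info["sections"] if s["raw_size"] and s["entropy"] > 7.0]
    if high:
        reasons.append("high-entropy section(s): " + ", ".join(high))
    return reasons


def build_pe(image_base: int, sections: list, dotnet: bool = False) -> bytes:
    """Emit a minimal, header-only PE32 image (constructed test data, not a runnable program)."""
    nsec = len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, OPT_SIZE, 0x0102)
    opt = bytearray(OPT_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<II", opt, 32, SECT_ALIGN, FILE_ALIGN)
    struct.pack_into("<I", opt, 92, 16)                                      # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)              # placeholder CLR header RVA/size
    first_raw = -(-(len(dos) + len(coff) + OPT_SIZE + 40 * nsec) // FILE_ALIGN) * FILE_ALIGN
    hdrs, body, raw_ptr, va = bytearray(), bytearray(), first_raw, SECT_ALIGN
    for name, raw in sections:
        raw_size = -(-len(raw) // FILE_ALIGN) * FILE_ALIGN
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), max(len(raw), SECT_ALIGN), va,
                            raw_size, raw_ptr if raw_size else 0, 0, 0, 0, 0, 0x60000020)
        body += raw.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += -(-max(len(raw), 1) // SECT_ALIGN) * SECT_ALIGN
    image = bytearray(dos + coff + bytes(opt) + bytes(hdrs))
    return bytes(image + b"\0" * (first_raw - len(image)) + body)


# Constructed samples: a plain image with repetitive code bytes, a UPX-style image whose UPX0
# section is empty on disk and whose UPX1 section holds pseudo-random (compressed-looking) bytes,
# and a managed image that only differs from the plain one by its CLR data directory.
_rng = random.Random(1)
SAMPLE_PLAIN = build_pe(0x400000, [(".text", b"\x90" * 2048 + b"\xC3" * 2048)])
SAMPLE_PACKED = build_pe(0x400000, [("UPX0", b""), ("UPX1", bytes(_rng.getrandbits(8) for _ in range(4096)))])
SAMPLE_DOTNET = build_pe(0x400000, [(".text", b"\0" * 512)], dotnet=True)

if __name__ == "__main__":
    for label, img in (("plain", SAMPLE_PLAIN), ("packed", SAMPLE_PACKED), ("dotnet", SAMPLE_DOTNET)):
        info = parse_pe(img)
        print("%-7s ImageBase=%08X .NET=%-5s %s" % (label, info["image_base"], info["is_dotnet"],
              "; ".join(packer_indicators(info)) or "no packer indicators"))
        for s in info["sections"]:
            print("        %-8s raw=%5d  entropy=%.2f" % (s["name"], s["raw_size"], s["entropy"]))
```

Run it as-is to see the three verdicts, or replace a sample with `open(path, "rb").read()` to point it at a real file. The entropy threshold of 7.0 is a heuristic, which is exactly the point of the post: it tells you the bytes are dense, not what they will decompress into, so a scanner that stops here can report "packed" and nothing more.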
Packing It Myself
I decided to finish this post by attempting to pack an executable myself, based on information gleaned from Google, and google I did. I searched Google for "exe packing" and clicked the first result with skepticism.
In 30 seconds or less, I had enough information from Google to not only write my own encrypting routine but to mask NetCat from 31 out of 39 antivirus solutions!
Following the instructions from the Google result http://davidiorg.blogspot.com/2008/06/exe-packing-hard-way.html, I was able to evade 31 out of 39 antivirus solutions.
NOTE: For personal reasons, I decided not to post a step-by-step guide on how to do this, out of fear of retribution, being labeled by either blackhat hackers or industry professionals, or having my site defaced. Besides that, David has a pretty clear explanation on his site that someone with intermediate knowledge of the topic could easily understand and execute.
The results of packing netcat are chilling.

As you can see, with little effort and Google, I was able to bypass all but 8 antivirus solutions. Few of the mainstream, heavily advertised products had any detection at all, let alone identified NetCat.
Conclusion and Q & A
When I started this post, I set out to demonstrate something I already knew to be true. I didn't expect, however, that a single Google search would give me enough information to pack NetCat and evade that many AV solutions with so little know-how or effort, especially since the information was posted in 2008. Antivirus solutions need to reinvent the wheel and get with the times if they are to survive in the wild west ages of the internet.
What antivirus is the best for me to use?
In my opinion there are a couple of different solutions I would recommend. I personally use AntiVir, which is free for non-commercial use. Kaspersky, from what I have seen researching hacking forums, shows the highest level of visibility in that it is very good at thwarting coders, which is why it appears to be the standard to beat. However, the results of manually packing the executable did not look favorable for Kaspersky, so I really don't know what to think about KAV. Then again, KAV may intentionally not detect NetCat, since NetCat can be used for good or bad. Sophos also appears to have high visibility, and NOD32 is allegedly the best heuristic scanner available; however, NOD32 failed to catch NetCat... Intentional?
My company uses XXX Anti Virus and we've never had any issues. How is your study relevant?
One word: rootkits. The idea that if you're not showing symptoms you can't be infected is a fallacy that many believe. Blackhat hackers aren't your average novice banging away at a keyboard at 2:30 in the morning; rather, they silently continue to monitor and steal information without you ever knowing any different. This is more dangerous than a conventional threat, because a virus or trojan will rear its ugly head eventually and you will take the necessary precautions to protect your credit/identity/credentials/etc. A rootkit is similar to a trojan except that it is a completely silent killer: it modifies the host operating system (or the view the system gives of itself) so that its files, processes and network connections are hidden from the tools you would use to find them. Because of this it is exceptionally hard to detect, and often the best policy is to completely wipe the system.
What else can I do to protect myself?
Read. Read as much as you can about how viruses and malware work. Become familiar with common methods and common viruses. Monitor or subscribe to hacker publications.
A Glossary of Terms!
Tell me what you think of my results.