JAI

yes i see that , i think your solution is a little better than mine ........thank you High five clearly ......maybe i should have multi posted but im new let me off 1 time

i dont even work for woodgate anymore ...........and u know whats worse ladies n gents ? thats a Mysql memory dump most GOOD web designers like me (jai ashwell ) would know this tut tut tut

// #include <stdio.h> #include <stdint.h> #include <malloc.h> #include <stdlib.h> #include <errno.h> #include <string.h> #include <time.h> #include <sys/types.h> #include <sys/mman.h> #include <sys/utsname.h> static char part1[] = { 0xeb, 0x04, 0xaf, 0xc2, 0xbf, 0xa3, 0x81, 0xec, 0x00, 0x01, 0x00, 0x00, 0x31, 0xc9, 0x88, 0x0c, 0x0c, 0xfe, 0xc1, 0x75, 0xf9, 0x31, 0xc0, 0xba, 0xef, 0xbe, 0xad, 0xde, 0x02, 0x04, 0x0c, 0x00, 0xd0, 0xc1, 0xca, 0x08, 0x8a, 0x1c, 0x0c, 0x8a, 0x3c, 0x04, 0x88, 0x1c, 0x04, 0x88, 0x3c, 0x0c, 0xfe, 0xc1, 0x75, 0xe8, 0xe9, 0x5c, 0x00, 0x00, 0x00, 0x89, 0xe3, 0x81, 0xc3, 0x04, 0x00, 0x00, 0x00, 0x5c, 0x58, 0x3d, 0x41, 0x41, 0x41, 0x41, 0x75, 0x43, 0x58, 0x3d, 0x42, 0x42, 0x42, 0x42, 0x75, 0x3b, 0x5a, 0x89, 0xd1, 0x89, 0xe6, 0x89, 0xdf, 0x29, 0xcf, 0xf3, 0xa4, 0x89, 0xde, 0x89, 0xd1, 0x89, 0xdf, 0x29, 0xcf, 0x31, 0xc0, 0x31, 0xdb, 0x31, 0xd2, 0xfe, 0xc0, 0x02, 0x1c, 0x06, 0x8a, 0x14, 0x06, 0x8a, 0x34, 0x1e, 0x88, 0x34, 0x06, 0x88, 0x14, 0x1e, 0x00, 0xf2, 0x30, 0xf6, 0x8a, 0x1c, 0x16, 0x8a, 0x17, 0x30, 0xda, 0x88, 0x17, 0x47, 0x49, 0x75, 0xde, 0x31, 0xdb, 0x89, 0xd8, 0xfe, 0xc0, 0xcd, 0x80, 0x90, 0x90, 0xe8, 0x9d, 0xff, 0xff, 0xff, 0x41, 0x41, 0x41, 0x41, }; // code to dump the decrypted memory: static const char dump_mem[] = { 0xba, 0x31, 0x00, 0x00, 0x00, // mov edx, 0x40 0x8d, 0x4f, 0xce, // lea ecx, [edi-0x32] 0x31, 0xdb, // xor ebx, ebx 0x43, // inc ebx (stdout) 0x31, 0xc0, // xor eax, eax 0xb0, 0x04, // add al, 0x4 - sys_write 0xcd, 0x80, // int 0x80 0x31, 0xdb, // xor ebx,ebx 0x43, // inc ebx 0x31, 0xd2, // xor edx,edx 0x42, // inc edx 0x68, 0x0a, 0x00,0x00, 0x00, // push 0xa 0x8d, 0x0c, 0x24, // lea ecx,[esp] 0xb8, 0x04, 0x00,0x00, 0x00, // mov eax, 0x4 0xcd, 0x80, // int 0x80 - sys_write 0x31, 0xdb, // xor ebx,ebx 0x31, 0xc0, // xor eax,eax 0x40, // inc eax 0xcd, 0x80, // int 0x80 - sys_exit }; uint32_t patch_mem(char *ptr, size_t size) { uint32_t i; for (i = 0; i < size; i++) { if (*(uint16_t *)&ptr == 0x80cd) { *(uint16_t *)&ptr = 0x45eb; return 0; } } return 1; } uint32_t check_arch(void) { struct utsname kernel_info; uname(&kernel_info); return strcmp(kernel_info.machine, "i686") ? 1 : 0; } int main(int argc, char **argv) { void *mem; if (check_arch()) { printf("[-] this program must run on a 32-bit architecture\n"); return 1; } printf("[*] allocating page aligned memory\n"); mem = memalign(4096, 4096); if (!mem) { printf("[-] error: %s\n", strerror(errno)); return 1; } memset(mem, 0, 4096); printf("[*] setting page permissions\n"); if (mprotect(mem, 4096, PROT_READ | PROT_WRITE | PROT_EXEC)) { printf("[-] error: %s\n", strerror(errno)); return 1; } printf("[*] copying payload\n"); memcpy(mem, part1, sizeof(part1)); memcpy(mem + sizeof(part1), part2, sizeof(part2)); memcpy(mem + sizeof(part1) + sizeof(part2), dump_mem, sizeof(dump_mem)); printf("[*] adding dump_mem payload\n"); if (patch_mem(mem, sizeof(part1))) { printf("[-] failed to patch memory\n"); return 0; } printf("[*] executing payload..\n\n"); ((int(*)(void))mem)(); return 0; } giving you the answer Pr0t3ct!on#cyber_security@12*12.2011+ Jai Ashwell Resident coder at w...