#1
You may want to remove the StrongOD plugin from Olly
Recent paper released by Forcepoint uses StrongOD as an example of the risks around relying on an unsupported plugin (that specifically calls home).
TLDR; They identify a vulnerability in the update file StrongOD looks for on startup and sinkhole the domain that StrongOD used to call home in order to capture the IP addresses of Olly users. hxxps://blogs.forcepoint.com/security-labs/freeman-perils-abandonware
__________________
-=RETIRED=--=http://cracking.accessroot.com=--=RETIRED=-
#2
This is a common problem with automatic updating; if the Sod update site still existed, it may not have this problem.
Last edited by Sound; 10-06-2016 at 23:01.
#3
Wouldn't it be easier to just modify the plugin or block it with hosts if this is the case? I guess you could exploit this in many ways though, i.e. malware page, IP logger, trojan...
Last edited by cybercoder; 10-07-2016 at 13:47.
#4
Various versions are floating around, but yes, you can patch the DLL to not attempt to update. One of the versions checks:
Code:
.rdata:100436C0 00000028 C http://www.cracklife.com/sod/update.txt
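A defender-side way to act on the last two posts is to audit the plugin directory rather than trust any one DLL: pull every embedded http(s) string out of each plugin (ASCII and UTF-16LE, since Windows binaries store either) and turn the hosts into hosts-file sinkhole lines, which is the "block it with hosts" approach from the post above. This is an added example written for this thread, not code from the thread, from StrongOD, or from Forcepoint; the sample DLL bytes are constructed inline so it runs offline, and the `example.invalid` URL is a placeholder.

```python
"""Audit OllyDbg plugin DLLs for hard-coded update URLs.

Added example (not from the thread): scans plugin DLLs for ASCII and
UTF-16LE strings that look like http(s) URLs, such as the
"http://www.cracklife.com/sod/update.txt" string posters found in
StrongOD.dll, and emits hosts-file lines that redirect those hosts
to 0.0.0.0. The sample DLL bytes below are constructed.
"""
import re
from pathlib import Path
from urllib.parse import urlsplit

# http:// or https:// followed by printable, non-space bytes (ASCII strings).
ASCII_URL_RE = re.compile(rb'https?://[\x21-\x7e]+')
# Same thing for UTF-16LE strings: every ASCII byte is followed by a NUL.
UTF16_URL_RE = re.compile(
    rb'(?:h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00)(?:[\x21-\x7e]\x00)+'
)
# Characters that commonly trail a URL literal inside a format string.
TRAILING_JUNK = '\'",;)>]'


def find_urls(data: bytes) -> list:
    """Return the distinct URLs embedded in a byte blob, in file order."""
    found = []
    for m in ASCII_URL_RE.finditer(data):
        found.append((m.start(), m.group().decode('ascii')))
    for m in UTF16_URL_RE.finditer(data):
        found.append((m.start(), m.group().decode('utf-16-le')))
    seen, urls = set(), []
    for _, url in sorted(found):
        url = url.rstrip(TRAILING_JUNK)
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


def hosts_lines(urls) -> list:
    """Build hosts-file lines that sinkhole each URL's host to 0.0.0.0."""
    hosts = []
    for url in urls:
        host = urlsplit(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return [f"0.0.0.0 {h}" for h in hosts]


def audit_plugin_dir(plugin_dir) -> dict:
    """Map each *.dll under plugin_dir that embeds a URL to its URL list."""
    results = {}
    for dll in sorted(Path(plugin_dir).glob('*.dll')):
        urls = find_urls(dll.read_bytes())
        if urls:
            results[dll.name] = urls
    return results


# Constructed stand-in for a plugin binary: filler bytes around one ASCII
# URL (as in StrongOD's .rdata) and one UTF-16LE URL (placeholder host).
SAMPLE_DLL = (
    b'MZ\x90\x00' + b'\xcc' * 16
    + b'http://www.cracklife.com/sod/update.txt\x00'
    + b'\x8b\xec\x83\xec\x20'
    + 'https://example.invalid/plugins/news.xml'.encode('utf-16-le') + b'\x00\x00'
)

if __name__ == '__main__':
    urls = find_urls(SAMPLE_DLL)
    for u in urls:
        print('embedded URL:', u)
    print('\n'.join(hosts_lines(urls)))
    # For a real install: print(audit_plugin_dir(r'C:\OllyDbg\plugins'))
```

Run `audit_plugin_dir()` against the real plugin folder to get a per-DLL report; a hosts entry only stops lookups of that exact host, so pair it with the per-application firewall rule the next posts describe if the plugin might fall back to an IP literal.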
#5
Firewall it and problem solved. Usually I block the connection of every program in loopback mode if it doesn't require internet to work.
#6
Same here, I always use the firewall in learning mode and choose for every application.
Thanks for the info Gabri3l
#8
I personally don't use this DLL, but...
Quote:
(IOW, TY!!!) Of course, I had a copy - just in case and checked it: StrongOD v0.4.8.892.rar
Code:
.text:1000F874 push offset aHttpWww_crackl ; "http://www.cracklife.com/sod/update.txt"...
.text:1000F88F mov ecx, offset aHttpWww_crackl ; "http://www.cracklife.com/sod/update.txt"...
.text:1000F8AB mov esi, offset aHttpWww_crackl ; "http://www.cracklife.com/sod/update.txt"...
.rdata:100436C0 aHttpWww_crackl db 'http://www.cracklife.com/sod/update.txt',0 ; DATA XREF: sub_1000F7B0+C4o
Last edited by Stingered; 12-30-2017 at 08:04. Reason: spelling