Exetools  
#1 - gabri3l - 10-06-2016, 02:15
You may want to remove the StrongOD plugin from Olly

Recent paper released by Forcepoint uses StrongOD as an example of the risks around relying on an unsupported plugin (that specifically calls home).

TLDR; They identify a vulnerability in the update file StrongOD looks for on startup and sinkhole the domain that StrongOD used to call home in order to capture the IP addresses of Olly users.

hxxps://blogs.forcepoint.com/security-labs/freeman-perils-abandonware
#2 - Sound - 10-06-2016, 22:54
This is a common problem with automatic updating. If the Sod update site still existed, it might not have this problem.
#3 - cybercoder - 10-07-2016, 13:36
Wouldn't it be easier to just modify the plugin or block it with hosts if this is the case? I guess you could exploit this in many ways though, i.e. malware page, IP logger, trojan...
#4 - atom0s - 10-07-2016, 13:48
Various versions are floating around, but yes, you can patch the DLL to not attempt to update. One of the versions checks:
Code:
.rdata:100436C0 00000028 C http://www.cracklife.com/sod/update.txt
for the current update version. You could block the call entirely or change the URL.
#5 - SMH17 - 10-08-2016, 08:44
Firewall it and the problem is solved. Usually I block every program's connections in loopback mode if it doesn't require the internet to work.
#6 - tusk - 10-08-2016, 18:59
Same here, I always use the firewall in learning mode and choose for every application.
Thanks for the info, Gabri3l.
#7 - ZeNiX (Administrator) - 10-11-2016, 14:04
I remember that you can uncheck the autoupdate option.
[attachment: SODUP.jpg]
#8 - Stingered - 12-30-2017, 08:02
I personally don't use this DLL, but...

Quote (originally posted by gabri3l):
    Recent paper released by Forcepoint uses StrongOD as an example of the risks around relying on an unsupported plugin (that specifically calls home).

    TLDR; They identify a vulnerability in the update file StrongOD looks for on startup and sinkhole the domain that StrongOD used to call home in order to capture the IP addresses of Olly users.

    hxxps://blogs.forcepoint.com/security-labs/freeman-perils-abandonware

...now you have forced me to stop being lazy and check all my plugins!

(IOW, TY!!!)

Of course, I had a copy - just in case - and checked it: StrongOD v0.4.8.892.rar

Code:
.text:1000F874 push offset aHttpWww_crackl ; "http://www.cracklife.com/sod/update.txt"...
.text:1000F88F mov ecx, offset aHttpWww_crackl ; "http://www.cracklife.com/sod/update.txt"...
.text:1000F8AB mov esi, offset aHttpWww_crackl ; "http://www.cracklife.com/sod/update.txt"...
.rdata:100436C0 aHttpWww_crackl db 'http://www.cracklife.com/sod/update.txt',0 ; DATA XREF: sub_1000F7B0+C4o
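The "check all my plugins" step above, as an added example (not code from the thread or from StrongOD): a small auditor that pulls embedded ASCII and UTF-16LE URLs out of a plugin binary with their file offsets, so an abandoned call-home endpoint like the update.txt string shows up without opening a disassembler, and emits the hosts-file null-route lines cybercoder mentions. The sample bytes are a constructed stand-in for a DLL's .rdata section; the https://example.invalid URL is made up for the UTF-16 case.

```python
import re
import sys
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed stand-in for a plugin DLL's .rdata section (not a real binary):
# one ASCII URL (the StrongOD update string from the thread) and one UTF-16LE URL.
SAMPLE_DLL = (
    b"\x00" * 16
    + b"http://www.cracklife.com/sod/update.txt\x00"
    + b"\x00" * 8
    + "https://example.invalid/telemetry".encode("utf-16-le") + b"\x00\x00"
    + b"random\x01\x02 bytes"
)

ASCII_URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?:/[^\s\x00\"'<>]*)?")
TEXT_URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s\"'<>]*)?")
# A run of at least 8 printable-ASCII/NUL pairs is treated as a UTF-16LE string.
UTF16_RUN_RE = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")

def find_callhome_urls(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, url, encoding) for every embedded http(s) URL, sorted by offset."""
    found = [(m.start(), m.group().decode("ascii", "replace"), "ascii")
             for m in ASCII_URL_RE.finditer(data)]
    for run in UTF16_RUN_RE.finditer(data):
        text = run.group().decode("utf-16-le")
        for u in TEXT_URL_RE.finditer(text):
            # Each decoded character occupies two bytes, so map back to a byte offset.
            found.append((run.start() + 2 * u.start(), u.group(), "utf-16le"))
    return sorted(found)

def hosts_entries(urls: List[str]) -> List[str]:
    """Hosts-file lines that null-route each distinct host (a crude block, not a fix)."""
    hosts = sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})
    return [f"0.0.0.0 {h}" for h in hosts]

def scan_file(path: str) -> List[Tuple[int, str, str]]:
    with open(path, "rb") as f:
        return find_callhome_urls(f.read())

if __name__ == "__main__":
    # Usage: python audit_plugins.py plugin1.dll plugin2.dll ...  (no args: scan the sample)
    targets = sys.argv[1:]
    for name, hits in ((p, scan_file(p)) for p in targets) if targets else [("sample", find_callhome_urls(SAMPLE_DLL))]:
        for off, url, enc in hits:
            print(f"{name}: 0x{off:08X} [{enc}] {url}")
        for line in hosts_entries([u for _, u, _ in hits]):
            print(f"{name}: hosts -> {line}")
```

A hit only shows that the string is embedded; whether the code at the cross-reference actually fetches it (as the disassembly above confirms for StrongOD) still needs a look at the callers or a firewall log.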