Aodrulez

The Making of MalCon CTM-2011 Challenge.

2011-12-07T00:01:00.000-08:00

Well, it was declared last year itself after the first malcon that we'll be having our own version of an online challenge for the world to compete over.We called it the CTM. Which stood for 'Capture the Mal' challenge. Nothing much happened after that though. We all got busy with the rest of our work until about 3 months before the event, when we realized that we promised a CTM & had completely forgotten about it. As usual, when it comes to technical stuff @MalCon, am the SPOC.

So, I was left with a mammoth task.Its not that I've never designed a CTF contest before.. infact I do that for all my workshops & training sessions. But this one was different. We do malcon every year not because it earns us something.. or because we get perks for doing it. Infact, we make no money out of it at all. We do it because it was our dream. We've learnt about 90% of what we know by reading 'tuts' n textfiles on the internet, created by generous & highly talented people. We wanted to do our bit too. Malcon is not about spreading malwares. Its about generating proactive research by good people to build secure systems.

Well, so here I was, with no idea at all about how am gonna design this CTM thingy. And then it happened. :) I have this weird 'moment' once in a while where I get bombarded with loads of crazy ideas. Thats how the idea of creating a Virtual-Machine based challenge came to my mind. But there were 2 major problems.

1. I had no experience in creating a VM manually.
2. I wanted it to be simple enough so that even a common man can attempt it.

At first, I had to create a VM myself to prove that its possible. I know that there are thousands of articles on that available but this one had to be simple. The idea was to create a VM architecture that was as simple as possible so that the ones attempting it do not end up getting demoralized. While, the VM-Code or the 'Bootrom' as I call it, can be complex enough to deliver the quality & standards that we at malcon are fanatic about.

The good part was, I have considerable understanding & experience with programming as well as reverse-engineering. I've got past experience with creating some really complex & effective anti-reversing routines too. So, I figured out that this one wont be as tough as I thought it would be, initially. How wrong was I. :D

To begin with, I named my Abstract Processor as 'Aod8'. Then, I tried to design it similar to the intel-processors am comfortable with. Although, I figured out that I dont need more than 15 Instructions in my instruction-set to create a complex CTM, I thought that maybe someone, someday might wanna write some cool program for it & thats the only reason why I endedup having about 40 instructions in all. Once the design part of it was over & I was almost sure that I had the required instructions in there, it was time to code the processor.My first choice was 'PERL'. Its easy to program in, robust with REGEX & more importantly I didnot have to mess with variable types.Ah, I think I forgot to mention that in order to keep the CTM easy to attempt, I designed the processor to work with 'Byte' sized instructions & data. Most people are not comfortable with handling data at 'bit' level.So, that was the reason behind this super simplistic Aod8 Architecture design.

Well, the PERL idea was disastrous. Initially I struggled a little with type conversion. Then again...I never write the entire code at one stretch, ever. :P I write some..then test it thoroughly & then go further. When am trying a new idea or a theory, I am totally impatient to see if it works or not. :) So obviously, the first instructions I implemented in my Aod8 processor were the ones that'll allow me to print a character on the screen.. so that if it works as expected, I can jump up & down & celebrate victory. But but but... the way I've designed it, I can only print one character at a time.That too, if I send the 'output' opcode, it'll fetch the byte at the current location of the stack-pointer on the stack & print it.Now, lets say I want to print 'A' on the screen. For that, I'll have to first push its ascii code onto the stack. :D As you can see, I cannot directly push data onto the stack either.For that, I'll have to move the ascii code to a GPR like 'A' or 'B', then push it onto the stack, then call the 'output' instruction. In essence, the set of instructions to print a char 'A' on the screen in Aod8 Assembly would be:

mov a,65
mov [sp],a
output
halt

[ Well, I've already uploaded all the Tools, source-codes & everything related to my Aod8 project on GitHub & you can find them here: https://github.com/Aodrulez/Aod8 ]

Below is the output on my terminal when I compile this code using my Aod8 Assembler written in PERL just to give you an idea of how the entire thing works.

So yea, that works perfectly! when the bootrom is executed by the Aod8 Emulator/Virtual Machine or Abstract Processor implementation..which ever way you like to call it, it does print 'A' on the screen. \m/ But let me remind you that at that time... I never had an assembler! :) So, to see that output, I had to manually construct a bootrom using a Hex-Editor by inserting opcodes & data in hex. The moment I saw it print 'A' on the screen, I was in trance :D That was it! It proved my theory of a crazy CTM to be practically possible & from that point onwards... it was a mad rush to complete the processor implementation as soon as possible. Well, I wrote it entirely in PERL first. But after constructing bootrom manually, I wasnt getting expected results. Thats when I found out that I made some major 'Type Conversion' errors here & there. This was awefully painful. Either I could spend another day fixing the perl implementation which was starting to get me frustrated or I can switch to c/c++ & wind it up asap. I opted for the second option for two reasons.

1. I know c/c++ very well.
2. It'll prove my theory that the ctm can be played by anyone who can implement the Processor, in any language he likes.

So that was it.I got the processor written top-to-bottom in less than 2hrs. Now, I knew that I've implemented the Design perfectly, it was time to test each & every instruction. Initially I enjoyed the geek-feeling it gave to construct bootroms out of hex-editors manually but pretty soon.. I was having severe head-aches. :D Thats when I decided its time to write an 'Assembler' for this Architecture. In the mean time, I had my PERL implementation too sorted out by comparing the output of my 'c' implementation.

I didnot even realize when this became an obsession. I was working on my office related work all day & working on this CTM all nite! In a few day's time, I had a very crude Assembler than can convert asm code to bootroms, 2 implementations of the Aod8 processor & a slightly tweaked version of the 'c' implementation acting like a debugger/tracer. It was time to learn the basics of programming something that I created. :D Yea, it sure sounds easy but it was not.Just when I started to try serious programming, I realised that in my obsession with keeping the design simple, I had seriously limited the programming possibilities of the architecture. The design was so simplistic that I couldnot even implement self-modifying code. Because, the ROM was as the name suggests, Read-Only. The Aod8 processor was designed to fetch instructions & execute them & the stack was provided solely to store temporary data.It was impossible to modify the code during execution. This meant that everything that was part of the CTM challenge had to be put up in a clearly-visible form inside the bootrom.Anyone with a code tracer would end up dumping all the important data off the bootrom.

Another limitation was the 'byte' implementation. :) The only Flow-control instructions that were used in the CTM were cmp,je,jne,jle,jmp & loop. As you can see, every other jmp instruction requires a parameter.This parameter specifies the location to jump/execute from now on. The catch here though is that, the Aod8 Architecture can only have data upto the size of a 'byte'.The biggest number in a single byte is 255 which meant that theoretically I would have been limited to a bootrom of size 255 bytes as I couldnot access a higher number because of the limitation in the design. Thats when I decided to tweak the design a little bit & partially bypass the limitation yet keeping the design simple. You'll understand what I did if you observe the way I've implemented the 'jmp/loop' instructions. :)

So far, so good.Now that I had some crude tools & thorough understanding of the programming details, it was time to begin creating the CTM. Somewhere near that time a huge tragedy struck. Steve Jobs passed away & we were all in shock. That was when I decided that am going to do my bit for him. Thats the reason you'll see a brief text right in the beginning of the CTM challenge when you boot it. It was my way of thanking him for all that he has done. :) Well, at first, I wanted to have challenges appearing back to back as the Aod8 Architecture was seriously limited but once I had the first level done, it looked so very boring! It was time to push it up a few notches & be artistic! That was when I realised that my Assembler was seriously crude. :D Spent another day adding support for 'Labels' in my Assembler so that I can write code like "jmp label_beginning" instead of "jmp 134".That was one helluva experience in itself.At the end of the day, I had a sophisticated Assembler which made it much much easier to code things.

I needed to start designing the CTM again from scratch. phew! But now am so glad that I did. This time around wanted to create a Linux-like feeling to it. Getting the initial UI until you hit 'run' took about 2 days to code. It was amazing yet I felt something was just not right. I thought that if I put-up an Easter-Egg in the section where the general UI resides, chances are people wont find it out that easily. Thats when I thought, why not create a 'Brainfuck Interpreter' for this architecture? :D It'll be piece of A.R.T. And guess what? it took more time than creating the rest of the CTM itself.

If you want to see the first Easter-Egg, boot the CTM challenge & when it says "Press ENTER to boot AoDOS-Trial from this Bootrom.", type '^' & hit enter. :)

Well, its a full-fledged Brainfuck interpreter written entirely in Aod8 Assembler. You can try most of the brainfuck programs in it. This was when my boss asked me to report the progress I made with the CTM. :D It took me some time to explain what I've done & although he understood the beauty of it, he was worried that maybe not many will be able to solve it. Thats when we decided that we keep it as simple as possible so that most of the people who attempt it, can crack it. I was already done with 3 levels by this time. I had some major plans for level-4 & level-5 when we had this discussion & thats when I decided to completely drop the idea of Level-5.

I also re-wrote level-3 to have a very simple algorithm that can be easily reversed. Level-4 is basically a crackme that I wrote in Brainfuck, being emulated on my Aod8 Brainfuck Interpreter. Again, I re-wrote a simpler version of the Brainfuck crackme so that its do-able. It was not designed for the Uber-Reversers at all. :) It was for noobs & for people who are majorly into programming. Just by looking at the design I can think of funny ways to defeat all the levels. The weakest point of the design being the "Stack". An emulator that dumps stack contents would have ended the game right away! And frankly, we wanted winners. Its amazing that I spent 1 whole month re-writing the CTM to make it simpler!

We had officially 2 winners this time. Aseem & Dhanesh. They did a wonderful job. :) But trust me, I've received more mails with compliments & evident eagerness from people who were just attempting it. For most, the part when they got the Emulator done & when the bootrom displayed the initial message was an achievement in itself! And for each mail that I received, I won once. :)

Now, let me give a brief idea of what the CTM contained. It was about 130kb in size. I managed to squeeze in 4 levels, 2 Easter-Eggs, Entire asm code of the CTM except Level-4, Aod8 Processor implementation in C as well as PERL, a real-virus code, complete 3-pass Assembler for Aod8 & a sample asm file to explain the usage. Now, thats pure Art. :)

But, it took me close to 2 months ( yea, I have a very hectic day-job where I work on ten thousand things at a time. :P ) to complete it, out of which I spent one whole month re-designing it to be simple. I wrote the CTM almost 3 times from scratch. Tested it on windows, linux & even on my iPod to be sure that it works. The Brainfuck Interpreter was a test of my patience & persistence. :D I wrote that right from scratch almost 34 times until I got it right! Infact, I wrote the Aod8 Asm code for it on paper manually about 4 times. I designed each level separately & finally when it was time to combine all of them into one single bootrom, it just wont work! Spent another whole week going through about 1,29,918 lines of code & debugging every single jump & loop instruction until I got it fixed. I guess its not patience after all, am just plain adamant :)

Overall, for me it was a huge learning curve. More than that, it has been a personal milestone in many ways. I've always wanted to give back to the community & this one gave me a platform to reach a wide range of people. I hope that everyone who attempted the MalCon CTM this year had a good time. Special Thanks to Shantanu Gawade for being my Beta-Tester. :)

#Nirvana-Achieved.

Creating your own Abstract Processor

2011-10-18T07:11:00.000-07:00

Creating your own Abstract Processor

View more documents from Aodrulez.

Detailed Analysis of My Brainfuck Crackme

2011-09-01T09:08:00.000-07:00

The Code :

Aodrulez's Brainfuck Crackme V1
# -------------------------------------------------
# (Its very Easy)
>++++++++++[>++++++++>++++++++++>+++++++++++>++++++
+++++>++++++++++>+++++++++++>+++>++++++>+++><<<<<<<
<<<-]>+++>+>++++>----->--->-->++>-->++><<<<<<<<<<>.
>.>.>.>.>.>.>.>.>,>,>,>,>,>,<[>-<-]#>[>+++>++++++>+
+++>+++>+++++++>+++++++++++>+++++++++++>++++++++++>
+++++++++++>++++++++++>++++++++++++>++++++++++++>++
+++++++++>++++++++++>++++++++++++>+++++++++++>+++++
++++++>+++++++++++>++++++++++++>+++++>+++><<<<<<<<<
<<<<<<<<<<<<<-]>++>-->+>++>--->+>>+++>++++>--->----
>--->-->--->---->----->+>>----->---->++><<<<<<<<<<<
<<<<<<<<<<<>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.

Lets split it into interesting parts.

As we know, in brainfuck input is taken by the ','
character & output is given by the '.' character.
If you've compiled & tried the crackme..it simply
asks for a "Serial : ". Based on what you enter...it'll
decide if it is correct or not. Great...so lets locate
the part where it accepts our serial. :)

Analysis

In the 4th line of the code, we can see that its takin
6 bytes of input.

>,>,>,>,>,>,

Prior to that.. the code is :

>.>.>.>.>.>.>.>.>.

Which obviously is printing "Serial : " 9 bytes exactly.

Lets see what happens after the input.

<[>-<-]

Remember that the memory pointer is still pointing to the
last character of input.So, a "<" will make it point to the
second last character.Now, after that "[]" represents a while
loop where the varible's memory address to be monitored
is pointed to by the PC register..in this case... the ASCII
value of the second last char.

Lets analyse the while loop.

[>-<-]

> == point to the next memory location. (last char)
- == decrement the value at that location
< == point to the previous mem location (second last char)
- == decrement the value at that location.

The last part inside while loop is important..
which is "<-" because the the while loop will continue as long
as the value at that memory location is not 0.

Phew! so in short.. the crackme takes input & substracts
the ascii code of the last character by the ascii code of the
second last character.

Then what?
Now..lets see...do u like patterns? :) When was the last time
you found matching ones? ;) Lets analyze the first part of
the code..the part where it prints "Serial : "

This here is the code that does that..

>++++++++++[>++++++++>++++++++++>+++++++++++>++++++
+++++>++++++++++>+++++++++++>+++>++++++>+++><<<<<<<
<<<-]>+++>+>++++>----->--->-->++>-->++><<<<<<<<<<>.
>.>.>.>.>.>.>.>.

DOnt believe me? No worries..try running it in a Brainfuck
interpreter online..right here :

http://www.iamcal.com/misc/bf_debug/

Am sure the above code prints "Serial : ". Now lets analyse the
above code..

> = increment the memory pointer.
++++++++++ = put 10 at that location.
[] = run this loop ten times.
What the loop does is that it'll put the ascii codes of the
characters you want to print in consecutive memory locations.

>+++>+>++++>----->--->-->++>-->++><<<<<<<<<<

Fine-tuning the values there & pointing to start of the
buffer.

>.>.>.>.>.>.>.>.>.

Print the string.

Now lets look at the last part of the crackme's code... where
it obviously has to print a good-boy string.

Starting from the end of its code...

>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.

Print the good boy string.

>++>-->+>++>--->+>>+++>++++>--->----
>--->-->--->---->----->+>>----->---->++><<<<<<<<<<<
<<<<<<<<<<<

Fine tuning the strings & pointing to its beginning.

[>+++>++++++>+
+++>+++>+++++++>+++++++++++>+++++++++++>++++++++++>
+++++++++++>++++++++++>++++++++++++>++++++++++++>++
+++++++++>++++++++++>++++++++++++>+++++++++++>+++++
++++++>+++++++++++>++++++++++++>+++++>+++><<<<<<<<<
<<<<<<<<<<<<<-]

While loop that puts the ascii code numbers into the
right memory locations.

But wait... something is missing aint it? The memory
location of the variable for the while-loop.

Because prior to this... the only code that exists is
this "#>" & then the part where it substracts the
ascii code values between the last 2 characters..So
what exactly is happening?

">" instruction will again make it point to the last
character.Thus..the number of iterations for the
While loop that prints the good-boy message depends
upon the ascii value of the last character.

If you remember.. usually the correct value for the
while-loop to print is 10.Lets check if our assumption
is right or not.

[>+++>++++++>+
+++>+++>+++++++>+++++++++++>+++++++++++>++++++++++>
+++++++++++>++++++++++>++++++++++++>++++++++++++>++
+++++++++>++++++++++>++++++++++++>+++++++++++>+++++
++++++>+++++++++++>++++++++++++>+++++>+++><<<<<<<<<
<<<<<<<<<<<<<-]>++>-->+>++>--->+>>+++>++++>--->----
>--->-->--->---->----->+>>----->---->++><<<<<<<<<<<
<<<<<<<<<<<>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.

This was the original code.. lets run it in the online
interpreter & see the output.you do get an output but
its gibberish. Now add this to the begining & see what
happens. >++++++++++ (move to the next mem location &
put a value of 10 there.The first part of the crackme's
code itself when it tries to print "Serial : ")

When you try to run that..you get this string :-

" :) Congratulations. " So thats perfect! The algo
is pretty simple & a valid serial should be :

1. 6 chars long
2. The last character's ascii code should be 10 units more
than the second-last character.

For Ex.
aaaaak
bbbbbl
cccccm
abcdeo
ABCDEO

Thats all. :)

(c) Aodrulez.

Zen & The Art of Cracking. (Part 1)

2011-09-01T01:12:00.000-07:00

Hola Amigos!
This is a tutorial explaining some old school
+orc inspired reversing/cracking techniques.
Today, our target application is a crackme that
i wrote a few days ago in an esoteric language
named 'Brainfuck'.The code of the crackme can
be found here :

http://aodrulez.110mb.com/crackme.txt

But before we begin our reversing tutorial, let
me show you how to compile this code & make
our crackme application.In my previous post, i've
provided the source code of my 'Brainfuck Pseudo
Compiler'.You can compile this crackme using this
compiler.First of all, compile the 'Brainfuck
Pseudo Compiler' as follows :

aodrulez@pwn4g3:~/muse$ gcc bfc.c -o bfc

Here am assuming you've copied the code of my
compiler into a file named 'bfc.c'.Once this is
done, you should have an executable named 'bfc'
which is our brainfuck compiler.Now lets compile
the crackme.Copy the contents of the above link
to a file named 'crackme.txt'.Then issue this
command :

aodrulez@pwn4g3:~/muse$ ./bfc crackme.txt crackme

That should compile our 'crackme' for you.

Cracking the Code

Before we do any reversing & fire any of our tools,
lets study the crackme first.Lets try running it
& see what happens.

aodrulez@pwn4g3:~/muse$ ./crackme
Serial : aaaaaa
� � �� aodrulez@pwn4g3:~/muse$

Now that doesnt look like a valid serial :D .But one
important thing i observed was that it takes exactly
'6' bytes/characters for the serial. Not a byte less,
not a byte more.How did i know that? Try entering
one character & then hit enter & see what happens..
& keep on doin this until you get an output. :)
(remember that even 'enter' or Line-Feed is a char!)

Now, lets think about it... is there a way to find
out the valid serial without even looking at the
algorithm?? ofcourse there is... the magic word for
you is...'bruteforce'.There are times when the algo
involved is so complicated that its very tough to
reverse it & find a valid serial.In such cases..when
you have no other choice left.. you can always try
bruteforce.

The truth though is that its an ugly way of doing
things.Why? Lemme explain. Lets say we have a serial
the length of which is 1 character.How many possible
values can it have?

If its only alphabets : 26
AlphaNumeric : 36
CaseSensitive Alphanumeric : 26+26+10=62

What do these numbers mean? if the password is just
alphabets... case insensitive... the maximum number of
possible right answers is 26.So, i hope its understood
that if i try all of these 26 possible values, am sure
to get the right password.But, if the password is 2
characters in size, the max possible combination becomes
26*26...or 26^2==676!. Pure Permutation.Now thats pure
bruteforce attempt. Alrighty... now how to implement a
custom bruteforce tool for our particular crackme?

As we know already.. the crackme needs an input..
So lets try this command in a linux terminal:

aodrulez@pwn4g3:~/muse$ echo "aaaaaa" | ./crackme

what this'll do is... it'll first echo "aaaaaa" to the
screen but the redirection symbol "|" tells it to
pipe the output to the command specified...in this
case.. to "crackme" executable.This trick..combined
with some programming skills can be turned into a sort
of bruteforce attack.

So here am providing a very ugly bruteforce-algorithm
that i just wrote...its ugly..not optimized....but sure
as hell works.Here we go :-

Bruteforce COde version 1.0

Try compiling this code & put the executable in the
same directory as 'crackme'.Then execute it & observe
the crude output you get. What this code does is..
it'll craft a 6-character long string with all possible
combinations.Now if you lookup an ASCII table, the
ascii codes from 97-122 is the range for 'a'-'z'.
So, this script is a lower-case-6-character-pattern
generator..whose output is piped to our crackme as
input.Simple & sweet. Try running the above code & observe
the output.. somewhere down the line...you'll see
":) Congratulations" & the corresponding string is
a valid serial. :)

This is a lil better version of the same bruteforce
script as far as output is concerned.

Bruteforce C0de version 1.1

That'll generate you some valid serials. Now remember
that i still hav'nt looked at the code of the crackme
& have no idea how the actual algorithm works.I just
got lucky because a valid serial can be formed by just
entering 6 lowercase alphabets.. if this would'nt have
worked...i would have tried uppercase..alphanumeric..
special characters etc as combination.No matter what..
am sure to get atleast one valid serial because thats
the fundamental idea behind bruteforce.

Hope you learnt something new out of this really long
n boring tutorial.Happy hacking!

Just in case the above Crackme code's link is not
working, here it is :

# Aodrulez's Brainfuck Crackme V1
# -------------------------------------------------
# (Its very Easy)
>++++++++++[>++++++++>++++++++++>+++++++++++>++++++
+++++>++++++++++>+++++++++++>+++>++++++>+++><<<<<<<
<<<-]>+++>+>++++>----->--->-->++>-->++><<<<<<<<<<>.
>.>.>.>.>.>.>.>.>,>,>,>,>,>,<[>-<-]#>[>+++>++++++>+
+++>+++>+++++++>+++++++++++>+++++++++++>++++++++++>
+++++++++++>++++++++++>++++++++++++>++++++++++++>++
+++++++++>++++++++++>++++++++++++>+++++++++++>+++++
++++++>+++++++++++>++++++++++++>+++++>+++><<<<<<<<<
<<<<<<<<<<<<<-]>++>-->+>++>--->+>>+++>++++>--->----
>--->-->--->---->----->+>>----->---->++><<<<<<<<<<<
<<<<<<<<<<<>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.

Brainfuck Pseudo Compiler

2011-08-28T12:53:00.000-07:00

Hola!

Being down with fever has its own fun. Was bored wid my mundane stuff

& there was no way i could go out.Thats when i heard about 'Brainfuck'.

Found it interesting & hence ended up writing a Pseudo compiler for it.

Am calling it a pseudo compiler because this will only parse pure

Brainfuck code to equivalent fully working 'c' code & then it uses gcc to

compile it into an executable.It does no syntax checking as of now & expects

the Brainfuck code to be perfect. Tried & tested..the code is fully functional.

It might be vulnerable to buffer overflow attacks here n there..but right

now am too lazy to fix it. :)

Installing PDP11 SIMH Simulator on IOS device

2011-07-02T03:03:00.000-07:00

Hi there!

Its been a long time since I've made a blog post &

well its about time i guess ;)

Installing PDP11 SIMH Simulator on IOS device

----------------------------------------------------------------------

This should work on iPhone,iPod as well as iPad.

I've got it working on iPod Touch 4G running

IOS 4.3.3 (Latest as of now).

Btw, there are 2 ways of doing this. If you own

a Mac & have the IOS SDK you can do it right on

your computer. Since am a Linux guy & find it

completely weird to own a Mac just to program

for a teeny-weeny iDevice, i installed the entire

toolchain on my iPod Touch itself. Bwahaha!

Install Toolchain on your Jailbroken iDevice

---------------------------------------------------------------

(Credits : 'MichaelHaseth' from iFans.com .

Tnx a ton Michael!)

Install 'fake-libgcc' from Cydia.
Install 'GNU C Compiler' from Cydia.
Copy the attached libraries to '/usr/lib/' of your iDevice.
Install 'iPhone 2.0 Toolchain' from Cydia.

Thats all!

Just ssh to your iDevice & type 'gcc' & you are

good to go. You can use the Mobile-Terminal too.

Note: I've gotten normal c programs to compile

& run just fine. use

#gcc source.c -o app

#./app

Installing SIMH PDP11 Simulator

-----------------------------------------------

Unpack & copy the attached header files to '/usr/lib' of your iDevice.
Unpack the attached simh.zip on your computer & transfer it to a folder on your iDevice. For ex. /tmp
'cd' to that folder & type 'make' at the prompt.
It'll take a few seconds to build & once its done, inside the 'BIN' folder, you'll find the pdp11 executable.
Just copy the required unix OS images to the folder & you've got a working pdp11 unix computer on your iDevice.

Note :

I've modified the SIMH makefile & tweaked a few things here & there.
Am not uploading the unix images cuz of the copyright biaches.
Just lookup on any SIMH tutorial & you are good to go.

Attachments :

-------------------

1. gcc_headers.zip

2. headers

3. SIMH-Modified

Linux x86 /bin/sh Null-Free Polymorphic Shellcode - 46 bytes

2011-03-05T10:23:00.000-08:00

Windows XP Pro Sp2 English "Message-Box" Shellcode.

2009-11-12T03:32:00.000-08:00

Size : 16 Bytes, Null-Free.

Author : Aodrulez.

Email : f3arm3d3ar@gmail.com

Shellcode = "\xB9\x38\xDD\x82\x7C\x33\xC0\xBB"

"\xD8\x0A\x86\x7C\x51\x50\xFF\xd3";

+----------------+

| Description: |

+----------------+

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I've used a Function called "FatalAppExit" from

kernel32.dll.The Benefits are Three-Fold!

1] Displays a MessageBox.

2] Terminates the Process.

3] Its there in Kernel32.dll itself.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+--------------+

| Asm Code: |

+--------------+

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

shellcode:

mov ecx,7c82dd38h ;"Admin" string in mem

xor eax,eax

mov ebx,7c860ad8h ;Addr of "FatalAppExit()"

push ecx ;function from Kernel32

push eax

call ebx ;App does a Clean Exit.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+-------------------+

| Shellcodetest.c |

+-------------------+

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

char code[] = "\xB9\x38\xDD\x82\x7C\x33\xC0\xBB"

"\xD8\x0A\x86\x7C\x51\x50\xFF\xd3";

int main(int argc, char **argv)

{

int (*func)();

func = (int (*)()) code;

(int)(*func)();

}

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+----------------------+

| Greetz Fly Out To |

+----------------------+

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1] Amforked() : My Mentor.

2] The Blue Genius : My Boss.

3] www.orchidseven.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Windows XP Pro Sp2 English "Wordpad" Shellcode.

2009-11-06T07:41:00.000-08:00

Size : 12 Bytes.

Author : Aodrulez.

Email : f3arm3d3ar@gmail.com

Milw0rm : www.milw0rm.com/author/1620

Shellcode = "\x68\x97\x4C\x80\x7C\xB8"

"\x4D\x11\x86\x7C\xFF\xD0";

+-------------------+

| Shellcodetest.c |

+-------------------+

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

char code[] = "\x68\x97\x4C\x80\x7C\xB8"

"\x4D\x11\x86\x7C\xFF\xD0";

int main(int argc, char **argv)

{

int (*func)();

func = (int (*)()) code;

(int)(*func)();

}

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+----------------------+

| Greetz Fly Out To |

+----------------------+

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1] Amforked() : My Mentor.

2] The Blue Genius : My Boss.

3] Todd & Packetstormsecurity.org Staff :Tnx a Ton fellas!

3] www.orchidseven.com

4] www.isacm.org.in

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+---------------+

| References : |

+---------------+

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1] http://packetstormsecurity.org/filedesc/wordpad-shellcode.txt.html

2] http://www.shell-storm.org/shellcode/files/shellcode-513.php

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Winget 3.0 Download Manager(Build 112) Local DOS Exploit PoC.

2008-11-12T11:04:00.000-08:00

Developer: www.Indentix.com

Tested On: Windows Xp Pro Sp2.

By: Aodrulez.

This download manager crashes completely when the attached

specially crafted files' contents are copied to System clipboard.

To do this task,I've coded a simple app in Pure Masm32.

Usage:Start Winget, minimize its window & then run the

application.Make sure that Wingetpoc.txt lies in the same folder as

my exploit PoC app.You can also open the file & do a ctrl-A & then

ctrl-c n see Winget crash!

PoC:

http://www.snapdrive.net/files/571814/wingetkiller.rar

Greetz fly out to:

1]LiquidWorm : For being so nice.....n guiding me.. :)

2]str0ke : For goin thru all my silly e-mails.

3]Amforked() : My mentor.

4]OSRT :- This is dedicated to all the members!

------------------------------------------------------------------

By: Aodrulez,

www.OrchidSeven.com,

aodrulez.blogspot.com.

Email: f3arm3d3ar@gmail.com

Google Chrome Text-Input based Tab freezing Exploit.

2008-11-12T10:40:00.001-08:00

By: Aodrulez.

Google Chrome Version:0.2.149.30

Tested on: Windows Xp Pro Sp2

Google Chrome's tab starts to act totally weird &

freezes when you try to open an html file as shown below.

Here, the actual problem is triggered by an Input box..

to which a large String is fed.Try feeding a still larger

string & the tab will be totally useless.Tested & working almost

similarly on Opera 9.51,Win32 Platform.

Try removing this line:

"document.form1.the_box.value = x;"

And all the above stated browsers run fine.

PoC:

-----------------------------------------------------------------------------------------------

Aodrulez's Google Chrome Text-Input based Tab freezing Exploit.

Winget 3.0 Download Manager(Build 112) Remote DOS Exploit PoC.

2008-11-12T10:32:00.000-08:00

Developer: www.Indentix.com

Tested On: Windows Xp Pro Sp2 & Google Chrome browser 0.2.149.30.

By: Aodrulez.

This download manager crashes completely when the attached

specially crafted files' contents are copied to System clipboard.

So, if you craft a special HTML file as shown below, the link that

it generates completely kills Winget 3.0 remotely.

Usage:Start Winget, minimize its window & then open the html

file in a browser(fully tested on Google chrome) & then follow

onscreen intructions.This html file downloads a specially crafted

text file & renders its contents as a link.

Greetz fly out to:

1]LiquidWorm : For being so nice.....n guiding me.. :)

2]str0ke : For goin thru all my silly e-mails.

3]Amforked() : My mentor.

4]OSRT :- This is dedicated to all the members!

------------------------------------------------------------------

By: Aodrulez,

www.OrchidSeven.com,

aodrulez.blogspot.com.

Email: f3arm3d3ar@gmail.com

The Exploit:

-----------------------------------------------------------------------------

Aodrulez's Winget 3.0 Download Manager(Build 112) Remote DOS Exploit PoC.

Greetz Fly Out to: LiquidWorm,str0ke & Amforked().

Google Chrome "input type=file" Based Memory Corruption PoC.

2008-11-12T10:30:00.000-08:00

Tested on Version : 0.3.154.9

By :Aodrulez.

Google Chrome completely crashes due

to "Access Violation" exception if the user

right-clicks any file in the "Open File"

dialog that pops-up, twice within same tab

or other tabs.If you select any

file once, right-click it, & select any option...

then either click "Open" or "Cancel"...& try to

do the same again, Memory corruption occurs

causing all the tabs & the entire Browser to Crash.

How to test this PoC:

1] Click the first "Choose File", select

any folder or file, right-click n select

"properties".Then cancel the "Open" dialog

box.

2] Click the second "Choose File", select

any folder or file,& simply right-click

to see Google Chrome Crash due to

"Access Violation".

------------------------------------------------------------------

Greetz fly out to:

1]LiquidWorm : For being so nice.....n guiding me.. :-)

2]str0ke : For goin thru all my silly e-mails.

3]Amforked() : My Mentor.

------------------------------------------------------------------

By: Aodrulez,

www.OrchidSeven.com,

aodrulez.blogspot.com.

Email: f3arm3d3ar@gmail.com

PoC :

------------------------------------------------------------------

Anti-Software_Cracking Techniques.

2008-11-11T13:54:00.000-08:00

Author:Aodrulez.

Email: f3arm3d3ar@gmail.com

Well..we all know there are thousands of such text

files floating on the Internet.Am not adding sumthin to

the already present chaos.This paper focuses primarily

on approaches that you might find novel or useful in

implementing "Anti-Cracking Protection" in your apps.

Techniques:

1]A Registration-Routine Technique:

Simply bored of seeing the same tricks being used &

abused, I thought of trying a novel approach.What if we tried

this:

Usual Registration Routines:

1]Accept Username/Serial from user/file.

2]Use some math-operators & either....

a] Calculate the serial directly from Username

& then compare with user-input serial.(Dumb)

b] Calculate a Hash from the username as well as serial

using different algo ofcourse & then compare them.

3]Either carry on with the registered status.

4]or Display...a message saying.."Not Registered!"

My way:

1] Accept the username/serial from user/file.

2] Use some algo on both the Username & serial

and based on that, generate "opcodes".

3] Inject these opcodes into the registration routine.

4] If the "opcodes" generated match, then & only then

will the app get registered..else it will crash!!

5] Use SEH so that in case of a crash, the app can be

terminated elegantly.

So Algorithm-Wise this looks like this:

-----------------------------------------------------------------

@app_startup:

1]Implement SEH.

@registration_routine:

1]Accept username/password from the user/file.

2]Use some algo that generates "opcodes" from

the user input data.

3]Inject these opcodes into the successful_registration

routine.

@successful_registration:

(most of the instrucions here are like this:)

push 0

push offset good-boy-text

push offset good-boy-caption

push 0

lea eax,MessageBoxA

db 090h }-------this should be "FF" to make the MessageBoxA

db 0d0h } function work

"call eax" instruction--> FFD0 "byte-sequence"

Depending upon the user input & the algo used,

the 0x90 byte should be changedto/injected-with

0xFF for the app to get registered.

Else, if the user/input is not correct, the further

routine will look malformed & the app will crash.

@SEH_routine:

1] Just when the app crashes, the SEH will be called &

you can make a graceful exit or maybe handle it &

resume execution :) .

----------------------------------------------------------------------

Benefits of this approach:

1] You can simply make the whole Registration routine look

Bogus & generate it on the fly from user-input.

2] Unless the user enters the right Serial/sequence, the registration

routine will always look bogus.So not much can be made from

Disassembly of the routine.

3] The only way to crack this kind of a protection would be to

know the "opcodes" fairly well & know how code execution takes place.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

2]Anti-patching.

Well, most (almost all) of the debuggers

of today rely on "0xcc" or rather "int3" for setting up

normal breakpoints.How this thing works is like this:

The moment you place a BreakPoint sumwhere, that

particular OpCode gets replaced by a "0xcc" byte.Now lets

simplify this method's idea.Its like..the actual opcode is

replaced by 0xcc, then the debugger monitors the app's

execution to spot int3 being executed.. if its hit, then

the debugger halts execution at that point & replaces the

0xcc byte with the actual Previous Byte (opcode).

How to defeat it? One way would be to implement a

CRC check.Or you might go on the same idea,develop a small

algo that simply calculates a magic value by going through

your code during runtime & checks it with the actual value

it should have if your app is intact.This approach of writing

your own algorithm is recommended because the standard CRC

library functions if implemented in your app, can be easily

detected by the current tools available.

Second way? Yep another good way would be to write the

important parts of your apps' code dynamically to the required

locations like used in many Virii.Example?...here we go:

A simple app with Username/Serial type registration routine:

-----------------------------------------------------------------

app_startup:

Immediately when your app starts,

1]Do a simple crc-type check on the registration

routine.

2]If intact, copy the actual registration routine

byte-wise-encrypted into the encrypted_code section

of the apps' memory.

3]Simultaneously Nullify or 'NOP' the actual

registration routine.

registration_routine:

1]Decrypte code from encrypted_code into the actual_code

section of your app.

2]Call this newly written routine for the

validation of registration details.

actual_code:

1]Actual registration routine goes here.

encrypted_code:

1]Its more like a buffer to store the encrypted

registration routine.

------------------------------------------------------------------

Benefits of using this technique:

1] The actual registraion routine is always re-written

before being executed.This kills the 0xcc byte placed

by the debugger to cause a break in execution(breakpoint).

2] You can always use a CRC-type of check to verify the

integrity of your registration-routine, so if patched

by "newbie-crackers",you could tackle this by maybe

over-writing from a bakup-copy of your registration

routine from the app's memory or a Dll.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

3]Applying Modified Shell-Code Trick.

ShellCodes are nothing but executable machine code to which

if EIP points to..will do something worthwhile :-)..like maybe

spawn a Windows Calc.Shellcodes are many a times crafted for a

particular version of an OS..because of the Library function calls

that have to be made.But with much less pain, similar technique

can be used to cause some more Code-Reversing trouble.Okies... that

was a pathetic introduction to Shellcodes..but its another huge topic

in itself..& this paper only mentions certain aspects of it which

we can use as Anti-Cracking techniques.So what can we use from them?

Lets see another algo:

-----------------------------------------------------------------

@startup:

1]Find the exact version of the OS currently your app is

running on.Lets assume your registration routine uses

MessageBoxA function in it.so in that case,recover the

address of that function from a table already present in

your app...which looks sumwhat like this:

Windows 2000 : MessageBoxA ==0x7AAAAAA;

Windows Xp Sp1: MessageBoxA ==0x7BBBBBB;

Windows Xp Sp2: MessageBoxA ==0x7CCCCCC;

Or else....do sumthin like this:

lea eax,MessageBoxA

mov [api_Addr],eax ----> "api_Addr" is a variable to

hold its address.This eliminates

the need for maintaining a table.

2] Call @Registration_routine(part 1)

@Registration_routine(part 1):

1]Actual registration routine lies in the

"@encrypted_registration_routine(part 2)"

section of your apps' memory.

2]So first you decrypt it right there.

3]Now the Win32 API function calls will

look obsolete..because the addresses differ.

4]Inject the API's Correct memory address from the api_Addr

variable so that its fixed.

5]Call @encrypted_registration_routine(part 2) routine.

@encrypted_registration_routine(part 2):

1]This section contains already encrypted machine code.

2]For example....the actual (un-encrypted) code could look

sumthing like this:

push 0

push offset Text

push offset Caption

push MB_OK

call 0xAAAAAAAA <---- This is the address we have to fix

when called from the previous function

after decryption.

---------------------------------------------------------------------

Benefits of this technique:

1] You don't need to have the actual code...then encrypt it...& then

decrypt it...as in the 2nd technique described in this Paper.

2] If disassembled this code will look fairly weird.

3] Even here, the Breakpoints can be killed as described previously.

Ofcourse these techniques are not Fool-Proof but if

implemented correctly & efficiently can prevent your app

from being cracked by the "Newbie & maybe even Intermediate"

type of a software cracker.One very important thing you must know is:

"Every Piece of code ever written to this day, can be either Reversed or

Patched."

You can only try to make it harder or simply Boring to do so... :P

Hope this Paper was useful..... :)

A very Simple PoC of these techniques might be obtained from here:

http://www.crackmes.de/users/aodrulez/aodrulez_crackme_v1.0/

---------------------------------------------------------------------

Greetz fly out to:

1]Amforked() :My Mentor.

2]LiquidWorm & Jeremy Brown :For being so nice to a noob like me.

3]www.OrchidSeven.com :For givin me this beautiful opportunity.

A Nice Protection Scheme.

2008-05-16T22:19:00.000-07:00

Detailed Analysis of a recent Commercial Keylogger App are as follows:
1] Uses a Driver (*.sys) for all its keylogging activity.
2] Driver is setup as a Service.
3] Setup.exe of the keylogger generates random names for its core components which are
installed.
4] Setup as well as the installed components verify if the application has been registered
by accepting a “key” and using a very tedious Key validation routine.
5] The only limitation of the trial version are some nags and limited Time-period for
the usage of the app after which u need to register it, to use it.

The actual protection scheme used:
1] Setup.exe actually generates a random name for the temporary file created.
2] Then it extracts a DLL, which contains the actual installation routine.
3] The main function of this DLL is to:
a] Generate a random name.
b] Use this random name as the prefix of the components which are to be
installed.
c] Then install the Driver which is also assigned the random name as a Service
on the host system.
4] But the important thing to note is that the driver which is installed has no
“function” to check if the application’s trial period is over or not.
5] If you have not registered the app, you have a trial period of 15 Days in which
the application is fully functional except for the nags that show-up.

Now, onto the ways to crack this protection scheme:
1] One way of doing it could be to find out the registration routine and reverse it.
2] Another way is to patch it.

Well, the serial Validation routine looked really tedious so I decided to “Patch my way to Glory.”

Points to remember while attempting this technique:
1] Either patch the setup.exe to always spit out files with the same names so
that we could make a “Patch” for the app after we successfully crack it.
2] Or else crack the components which have been installed on the system.

Now the problem with the first Point is that the actual routine which generates random
names and installs components is in the DLL that is itself extracted from the Setup.exe.
So, it won’t be a great idea to try to patch the Setup and make it spit a patched version of
the DLL that works according to our wishes.

So I quickly moved onto cracking the components that were installed on my system.
Well…the best thing about this Keylogger as far as cracking it is concerned is, it shows
all its core components’s names if you select a Menu Option. So a huge task of hunting down those files is reduced. Now, as previously mentioned, the only limitations of the
Unregistered version are Nags and 15 Days of trial period.
Well, a little snooping around helped me to pin-point the component which was responsible for determining if the trial period was over or not and also to generate the nags if it was still unregistered.
(Note: One weakness of this scheme is that only this component was responsible to determine if the application was registered or not and to show the Nags. Even others could have been assigned the same task.)

Not only that, the application and all its components are written in C++ and the programmers didn’t even bother to pack or protect them. Maybe it has to do something with the fact that during each installation the components probably even had different CRC … can’t say for sure though.

Well…the executable probably uses Global Variables to determine its Registered
Status .But still, modifying them wasn’t needed either .Here is the disassembly of the section which determines if the application is Registered or not:

004016E6 . 8D45 E4 LEA EAX,[LOCAL.7]
004016E9 . 50 PUSH EAX ; /Arg2 = 00000000
004016EA . 8B4D F4 MOV ECX,[LOCAL.3] ; kernel32.7C8399F3
004016ED . 51 PUSH ECX ; Arg1 = 0012FFB0
004016EE . E8 CD110000 CALL savezl_e.004028C0 ; ß-Actual routine!!
004016F3 . 83C4 08 ADD ESP,8
004016F6 . 8945 E0 MOV [LOCAL.8],EAX ; EAX==Result !!
004016F9 . 837D E0 00 CMP [LOCAL.8],0
004016FD . 0F84 80000000 JE savezl_e.00401783
00401703 . 837D E4 00 CMP [LOCAL.7],0
00401707 . 74 7A JE SHORT savezl_e.00401783
00401709 . 837D E8 00 CMP [LOCAL.6],0
0040170D . 75 06 JNZ SHORT savezl_e.00401715
0040170F . 837D EC 00 CMP [LOCAL.5],0
00401713 . 7E 6E JLE SHORT savezl_e.00401783
00401715 > 837D E8 00 CMP [LOCAL.6],0
00401719 . 74 21 JE SHORT savezl_e.0040173C
0040171B . 8D55 E4 LEA EDX,[LOCAL.7]
0040171E . 52 PUSH EDX ; /lParam = ntdll.KiFastSystemCallRet
0040171F . 68 ED174000 PUSH savezl_e.004017ED ; DlgProc = savezl_e.004017ED
00401724 . 6A 00 PUSH 0 ; hOwner = NULL
00401726 . 6A 6A PUSH 6A ; pTemplate = 6A
00401728 . 6A 00 PUSH 0 ; /pModule = NULL
0040172A . FF15 ECB04100 CALL NEAR DWORD PTR DS:[<&KERNEL32>; \GetModuleHandleA
00401730 . 50 PUSH EAX ; hInst = NULL
00401731 . FF15 F4B14100 CALL NEAR DWORD PTR DS:[<&USER32.D>; \DialogBoxParamA
00401737 . 8945 FC MOV [LOCAL.1],EAX
0040173A . EB 1F JMP SHORT savezl_e.0040175B
0040173C > 8D45 E4 LEA EAX,[LOCAL.7]
0040173F . 50 PUSH EAX ; /lParam = NULL
00401740 . 68 121A4000 PUSH savezl_e.00401A12 ; DlgProc = savezl_e.00401A12
00401745 . 6A 00 PUSH 0 ; hOwner = NULL
00401747 . 6A 65 PUSH 65 ; pTemplate = 65
00401749 . 6A 00 PUSH 0 ; /pModule = NULL
0040174B . FF15 ECB04100 CALL NEAR DWORD PTR DS:[<&KERNEL32>; \GetModuleHandleA
00401751 . 50 PUSH EAX ; hInst = NULL
00401752 . FF15 F4B14100 CALL NEAR DWORD PTR DS:[<&USER32.D>; \DialogBoxParamA
00401758 . 8945 FC MOV [LOCAL.1],EAX
0040175B > 837D FC FF CMP [LOCAL.1],-1

As you can clearly see…the code which is highlighted in Red, is the part that checks if the application is registered or not. Just modify the JE savezl_e.00401783 to
Jmp savezl_e.00401783 and you’ll see that the application runs Merrily for as long as you want and even all the Nags are eliminated!Just a small patch to kill such a beautiful registration routine. Okay, now the general method to crack it would be to install the Keylogger on your system. Now a normal Patch wont work in this case because we cannot predict the Random name generated by the SETUP. So, we’ll make a generic patcher that’ll patch the code JE savezl_e.00401783 to Jmp savezl_e.00401783 and wont check the CRC of the executable because it was observed to fail when it checks for that .Oh yes, the component which needs to be patched is very easy to identify too…just go to your “Root\windows\System32\” folder and search for “*l.exe” that is, all executable files with the last character as “l” and this particular executable has a Transparent Icon. You’ll also find that its running in your computer’s memory because its loaded during startup, so simply use the EndTask option of Task Manager, patch the executable and restart your computer. You’ll see that all nags are gone and also the time limit is gone. You can try changing the system time and still the Keylogger works perfectly fine.

(c) Aodrulez.

"V" For Vendetta!

2008-05-15T22:37:00.000-07:00

Did sumthin i never believed i could even in my wildest Dreams! Mask-man i was.... talkin in disguise....that strongly reminds me of a movie "V" for Vendetta. Yup...I felt wat it felt to be "V".
But there was a difference....."V" fought to change the Governments' Attitude...to do people good.... I was just being selfish I guess. Dunno...how many more times will i wear the same Mask...cuz its a temptation...wish i won't ever do that again.Felt her in a good mood fer the first time in 4-5 years....Talked like we never knew each-other.... Didnt have to explain my past mistakes... felt like i did the biggest mistake of my life....screwing-up our relationship 4 yrs back.
But Great Men say...."He who never made a mistake, never made a discovery." .I did...n i made a discovery or two....the problem is the contradicting nature of the discoveries.Dunno which one to follow....Helpless?....nope....Hopeless...haha...yeah...thats the truth....the relationship is a hopeless one now....n i ain't doing the same mistakes again.Told her....not to look out fer my identity....not worth it....cuz grass alwayz looks greener on the other side....don't walk across n spoil the view. ...So...fer now....."V" in me is goin fer hibernation...until...she wakes him up.
"V" did what Aodrulez could'nt do.... n Thanks a ton fer that!

"I" ...is it just an Alphabet?

2008-02-18T23:25:00.000-08:00

Millions of people livin on this planet we call earth... yet...how many do we
know by the name?..we r like frogs in a well ..but the question is...how big is
this well??....we earthlings r in a sort of well too...attached to earth...bound by
the laws of physics...cuz we know they r true...they are practical laws..they
do Work!...and unfortunately...we havent yet found a frame in which they fail...
So..we Believe and dont dare to question them anymore....sad... I feel like
am tied... cuz of the thoughts of some Great people... but... what are human thoughts
anyway??? who really cares about them apart from us earthlings??.. why do we
seem to like the idea of being important in this Big-Bang soup...??..why do we
even think??.. maybe cuz that is sumthin we were made to do..by years of evolution..
we think...... n so we are!
We often hear children wishin they could have wings & fly...how often do
we hear the grown-ups say the same??... dats cuz we know we cant do it..on earth..
due to the laws of nature...heck.. y?..... cant we even dream without being constrained
by these laws??... I wanna have a better view of myself...from some another frame...
were nobody is bound by any strings....where we dont feel like puppets who go back to
the same box from where they came... I wanna Break-Free.....like get out of my own
skin....and fly...at a speed which is a multiple of the speed of light...i wanna see my life..
in slow motion...i wanna Rewind to the past n make a lot of rectifications..i wanna
Fast-forward to future...and see whats in store fer me...i wanna be able to live
my life my way.... I wanna Feel Like GOD! ............. I do.

My Rules!

2008-02-15T23:50:00.000-08:00

1]Keep updating the Rules to suit situations and my mood.
2]Never under-estimate anyone....not even a fly.
3]Never change yourself to attract or impress anyone.
4]Opinions are just that..."OPINIONS"....in the end...do what you
feel is right.
5]Being Single is not sumthin to be ashamed of.
6]Self-Respect is more important than anything else...never lose it.
7]Be the Best in atleast one thing in Life.
8]Give Respect..Take Respect.
9]Never get into Fights...cuz it ruins your Image...but if
the Bad Guy insists..Break his Jaw.
10]Live My Life...."My Way!!!"

Aodrulez: I've Arrived!

2008-02-13T09:55:00.000-08:00

Sounds like a Hollywood Movie Script of the late 1980's....I endup doing all sorts of Blunders
in my life...all through my childhood n teenage days...when i look back now...all I see is a Mr.Nobody, you know..the kind of life where u exist in silence..Dead-Silence in my case, was trying to be the good guy all life..living in some kind of a wonderland, lacking contact with the real world..drifting away from the worldly ways of Life..Screwed up the few relationships that I've ever had, big time..and thats when i realised...my life sucks! I felt like a creature in a cocoon..
I desperately wanted to break free....n "Live My Life, My Way!"...
I knew that this was an Alien world to be in..with lots of un-tresspassed paths...n I wanted to get lost somewhere...and this seemed to be the perfect Time.I really needed to forget my past...forget my mistakes... forget my ex's... forget my back-stabbing friends..forget the very truth that I was alive till yet or that I merely existed...I wanted to start anew!
I tried to be occupied all the time....in something or the other..tryin to learn new things..new skills...n what can i say....I've come a long way.
Feels better now...as a human Being..as a Son...as a Friend...as a Brother...but still I have a long long way to go...and I aint givin-up..cuz I aint a quitter anymore!