Internet Explorer can only “Run as administrator”

Last days when I worked with Silverlight and made some example. I destroyed myself my Internet Explorer. It suddenly does not work anymore. When I click on the icon on task bar, IE starts and hangs. After 30 seconds, an error comes to say that IE does not work anymore and turn itself off.

I tried to restore the settings in Internet Option because I though that I made something with it. But it still does not work. It makes really angry because of this silly error. So I decide to install Internet Explorer 8. I think everything will work again. But that is what I think. The truth is more cruel: it does not run. And yesterday with the last hope I installed the final version of IE 8. And my IE still can not run.

So I made a decision to play around with the IE Options. It must be the problem. When playing around with IE Options, I opened IE under “Run as administrator” (I am using Vista 32 bit). And it runs. Wonderful. But I realized that when I start IE normally. It still hangs and crashes.  Which option in IE causes a conflict with priviledge? Why does IE can “Run as administrator”. After playing in Security Tab for a while, I finally found out that the Protected Mode is ON. When I turn it off, IE will run happily.

This is information about Protected Mode from Microsoft

Protected Mode is an important step forward in security for Internet Explorer (IE); it helps protect users from attack by running an IE process with greatly restricted privileges on Windows Vista. While Protected Mode does not protect against all forms of attack, it significantly reduces the ability of an attack to write, alter, or destroy data on the user’s machine or to install malicious code.

It is an interesting mode. But it does not work now at my computer. Anyway I mostly use Firefox. It is ok when I do not have this mode in my IE.

Auto Pet TLBB Tool

As I said in my blog, I played an online game of China which is published in Vietnam. The game is Thien Long Bat Bo. In this game a character can own a lot of pets which will help him to attack mod and therefore reduce time to kill a mod. Each pet has its own skills which can be applied or replaced through a list of pet’s skill. From this set, there is a combination of interesting skills called “Cao Phan Kich”,”Cao Phan Chan” and “Cao Linh Dong”.When a character builds this set to his pet, that pet has abilty to auto-attack a mod when a mod attacked him. Man calls that pet “Pet train solo”. So if a character want to train solo, he’ll use this pet to attack mod. The mods will cause an amount of damage to this pet and he will reponse to this attack automatically. This routine leads to a curtain problem that the pet will lost his blood rapidly when a character attacks so many mods at one time. It always make man crazy with feeding pet, taking resources from mod and pulling mod to pet. And sometimes the pet will die immediately when we lose concerntration. It happens always to me. Because when I train solo, I would like to watch TV as well. :D.

So I decide to write this tool. This tool will help us to feed our pets when the level of pet’s blood remains under 50%. This tool bases on analyzing graphic therefore when this tool runs the windows of game will be always active. For more help please read the instruction of this tool.

Now it’s on BETA version. Use it on your risk.

  • Version: 1.0.0.0
  • Supported Version of TLBB
    • all version
  • Want more functions. Post a comment directly under.

NOTE:

  • If this tool doesn’t work, send error to me. DO NOT blame me if this one doesn’t work. I’m just a newbie.

LINK DOWN: When you want to post this tool to somewhere. Please post url to my site, that keeps update for this tool when you do that. Download Auto Pet TLBB

HISTORY:

  • [1.0.0.0] : BETA Version.

SCREENSHOT
Auto Pet TLBB

Hub and Switch – What are the diffrences?

Last week I read a thread on HVA posting a question what are the differences between a hub and a switch. Although I could answer this question but day after day I found that my answer is not complete so I decide to research deeply to answer this question.

Transfer rate:

  • Hub: all channels share the maximum flow rate.
  • Switch: provides the full throughput to each port in both directions.

Physical equipment:

  • Hub: works as an electrical signal amplifier. A signal which is one of the ports is received, will be amplified at all output ports. That means a hub will simply broadcast a message which he received.
  • Switch: acts as an intelligent package distribution. That means a switch will evaluate the MAC-Address in each packet and send it to the machine registered with tat MAC-Address.

Protocol:

  • Hub: because of using CSMA/CD for Ethernet only one computer can write/access simultaneously the network.
  • Switch: due to its backplane a switch can transmit both packets  at the same times assume that all computers do not want to access same computer.  For examples we have a network with 4 computers connected by switch. Then computer A can send a packet to computer B and at the same time computer C can send a packet to computer D.

Duplex:

  • Hub: Half-Duplex
  • Switch: Full-Duplex

Working Layer:

  • Hub: Layer 1 in OSI Model, that is Physical layer. The Physical Layer comprises the basic hardware transmission technologies of a network. The Physical Layer defines the means of transmitting raw bits rather than logical data packets over a physical link connecting network nodes. The bit stream may be grouped into code words or symbols and converted to a physical signal that is transmitted over a hardware transmission medium. The Physical Layer provides an electrical, mechanical, and procedural interface to the transmission medium.
  • Switch: Layer 2 in OSI Model, that is Data Link Layer. The Data Link Layer provides the functional and procedural means to transfer data between network entities and might provide the means to detect and possibly correct errors that may occur in the Physical Layer. Examples of data link protocols are Ethernet for local area networks (multi-node), the Point-to-Point Protocol (PPP), HDLC and ADCCP for point-to-point (dual-node) connections.

CodeVeil 3.x breaks my brain – Part II

As I said in my previous blog about unpacking CodeVeil 3.x , I am stuck with finding out which functions of Framework are hook by CodeVeil to encrypt IL. So this morning I waked up early (at 7:30 on Saturday , it may be not early for you but I waked up always late at weekend ) and started the next section on finding a way to unpack CodeVeil 3.x

So first I went to website of Daniel Pistelli and downloaded a script for CFF to compare two sections of two files. This script is for CFF Explorer so man needs CFF Explorer to run it. It receives 2 files as inputs and an argument staying for the position of section which we want to compare. Why do I need this script?  The idea to find out where CodeVeil hooks the functions is pretty simple. Man just needs to compare the code of DLLs file on the memory and on disk. The differences in .text section is the position where CodeVeil hooks. Formerly I usually use WinHex or BinDiff to locate the differences between 2 files. However using these tools is pretty “complicated”. I must manually set which range I would like to compare. That means I must first define the range of .text section before using these tools. The work is more simple with this script. I just enter the position of section and everything goes.

The second tool which I need is LordPE. I would like to use it to dump file from memory to disk. This tool was made by y0da. Because I just reinstalled my virtual machine, I must download this tool again and I find out his website http://y0da.cjb.net/ was dead. Y0da did not reverse for a long time ago. I don’t know what he is doing now. But what he left for us, is really great.

In next step I started my Sample Crackme in .Net packed by CodeVeil 3.x and used LordPE to dump 2 files mscorwks.dll and mscorjit.dll. After dumping these 2 files I run CFF Explorer and loaded this script above and made comparasion twice. One is for mscorwks and one is for mscorjt. For each comparision it will ask for 2 files as input. Let’s choose one is our dumped file and the other is the original file which can be found under this folder C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727 . The value for section is 0.

After comparing I had this result

Comparision between section 0 of
C:\Dokumente und Einstellungen\Administrator\Desktop\mscorjit.dll
and
C:\Dokumente und Einstellungen\Administrator\Desktop\mscorjit_dumpe d.dll

Differences found at:

RVA1            RVA2

0001EA98 0001EA98
0001EA99 0001EA99
0001EA9A 0001EA9A
0001EA9B 0001EA9B

Number of differences found: 4

and

Comparision between section 0 of
C:\Dokumente und Einstellungen\Administrator\Desktop\mscorwks.dll
and
Comparision between section 0 of
C:\Dokumente und Einstellungen\Administrator\Desktop\mscorwks.dll
and
C:\Dokumente und Einstellungen\Administrator\Desktop\mscorwks_dumped.dll

Differences found at:

RVA1              RVA2

00003920  00003920
00003921  00003921
00003922  00003922

00003B43  00003B43
00003B44  00003B44

Number of differences found: 360

As you can see, the mscorjit was hooked at 4 positions. But what makes me suprised is the result of mscorwks. It can not be so much differences. I think I must compare it again. But what I intend to do now is downloading IDA, apply symbol of mscorjt and find out which functions of this dll are hook by CodeVeil.