:wq - blog » ida (http://writequit.org/blog), "Tu fui, ego eris". Feed generated Mon, 22 Dec 2014 14:54:59 +0000.

GTD and desktop workflow/setup, revisited
http://writequit.org/blog/2008/05/23/gtd-and-desktop-workflow-revisited/
Fri, 23 May 2008 22:30:05 +0000

UPDATE: Sorry about the RSS confusion with this post, it’s being very strange. I hate WordPress binding “publish” to Ctrl+P.

Anyone who has read my blog for a long time might remember this post about how I do GTD (Getting To Done) on my machine(s). Well, it’s been quite a while since I’ve talked about that, so I’ll go through some of my workflow, tools and quirks.

If you read my blog solely for security content, you can skip this post :) Personally I like to read other people’s workflows/setups to see if there is an interesting way I can fit useful tools into my own setup. Anyhow, on with the details.

I have 3 machines that I primarily use. My main machine is a MacBook Pro with an attached Dell LCD monitor running OSX (what else?), the second machine is a Dell Optiplex tower running Ubuntu 8.04. The third machine is a Dell 610 laptop that dual-boots Hex and Windows. Here’s a picture of my default setup on the machines:

[Screenshot: OSX]

[Screenshot: Ubuntu]

[Screenshot: Hex]

Most of my work is done on the MacBook (my personal machine, not supplied by work). I use the Ubuntu machine for tasks that span multiple days, so I can leave a screen session logged in and attach/detach whenever I need to take my laptop home. The Hex machine is mainly used for security purposes: packet analysis, nsm-console development testing, etc.

I like to keep a pretty clean desktop; clutter really tends to irritate me. I try as hard as I can to sort everything that would otherwise sit on the desktop into a “papers”, “media”, “code” or “misc” folder. In the previous post about GTD, I mentioned that we use the Mantis ticketing system to keep track of administration tickets. We still use Mantis, just recently upgraded; you can check out a shot here:

If my Firefox looks a little strange, it’s because I use the vimperator extension to give Firefox Vim-like keybindings and layout. It helps someone who spends a large amount of time in a Vim editor to transition quickly between text editing and web browsing. Speaking of text editing, I absolutely love MacVim and really recommend it to anyone using OSX who likes Vim:

I’ve also transitioned from Mutt to Thunderbird, mostly because Mutt’s two-way IMAP settings are not so great if you have to check mail from multiple computers. I use the pre-release muttator extension to give Thunderbird Mutt-like keybindings:

I use the standard GTD folder naming, which mostly consists of “Inbox”, “Archive” and “Do” folders. (I hope the idea behind each folder is obvious). I still use Gmail for personal email, but can’t access it from inside the work network over POP3 or IMAP due to firewall restrictions, so I use the web client.

Instead of using iCal for meetings, like I was doing, I moved to Google Calendar, which has an event notifier, so I don’t have to set up reminders for meetings. It also lets me share my wife’s calendar and see what she’s up to :) As well as Google Calendar, I also use gReader to browse my 222 RSS subscriptions; nothing else comes close as far as I’m concerned (yay, more Vim-like keybindings).

I do still use a Moleskine, but lately I’ve transitioned to the next larger notebook (5′ x 7′), so that I can write out larger notes and more information (writing assembly notation in a tiny notebook gets annoying). I make use of the same sort of TODO list as in my last post ( – for an incomplete task, + for a completed task ). I take it to all the meetings I go to and doodle in it sometimes ;) I still use the smaller book for lists and small notes.

One of the things I’ve found is that despite having a widescreen second monitor, the ‘wide’ part doesn’t really help for what I do, so I flipped the monitor up to make it vertical. That is really helpful when using IDA, since I can see more instructions at once. Here’s the malware I’ve been working on at the moment:

Since I normally have at least one VM running, as well as mail, one or two browsers, X11, Adium, MacVim and any number of other things, I cut down on RAM usage by using cmus (hurray, more Vim keybindings) for music playback instead of iTunes (which is such a memory hog for simple things). I also use irssi instead of a graphical client for IRC, since it’s a little lighter weight:

I rigged Quicksilver up to the cmus-remote command-line utility so I can have system-wide keybindings for player control; pretty much the only thing I still use iTunes for is heavy music folder management (I do like that feature). I spend a great deal of time at the command line. If you’re interested in configuration files, you can find my zshrc, screenrc, vimrc, gvimrc and nsmcrc at dotfiles.org.

Finally, here’s an overview of my basic whole-desktop setup:

My GTD process has kind of evolved into a stripped-down version of the multiple-step instructions from some of the more famous practitioners (receive email, process until the inbox has 0 messages, perform actions). I save a large amount of time by unifying my tools around a certain look and feel (Vim keybindings for everything), so my brain doesn’t have to shift gears between tasks. By keeping a strict set of rules on which application goes where (as in, which virtual space), I always know where I can find what I am looking for (application-wise). In my opinion, this adds to my efficiency more than any particular tool could have.

Well, that’s about it; hopefully you found something interesting in this post. If you have a neat tool or helpful suggestion, leave a comment below (especially if it has Vim keybindings ;) ).

Tutorial: Finding the OEP of an Upacked binary file
http://writequit.org/blog/2008/02/25/tutorial-finding-the-oep-of-an-upacked-binary-file/
Mon, 25 Feb 2008 19:57:26 +0000

…because all the other tutorials I’ve been able to find on this subject are not so easy to read.

This is going to be a long post, but hey, at least it’ll have lots of pictures!

Alright, in this tutorial I’m going to attempt to explain how to find the OEP (Original Entry Point) of a binary executable that has been packed with the Upack/WinUpack packer. I just recently learned this myself, so please excuse any errors this tutorial might have. In this tutorial, the following tools are used:

Sadly, I haven’t figured out how to get this working the same way in OllyDbg yet, but perhaps for a later tutorial. Alright, let’s dive right in. In this example, I’ll be using the “calc.exe” application (Windows calculator), which I packed with WinUpack. The first thing to do is load the file into PEiD to try to determine what kind of packer was used on it:

[Screenshot: 0peid.png]

You can see in the red square above that this file was packed with WinUpack 0.39 final, which is good because that’s what this tutorial is about ;)

The next thing to do is load the executable into IDA Pro. IDA will complain about the file, but for the most part these complaints can be ignored; just click “OK” and “Yes” until you see something similar to the screenshot below:

[Screenshot: 1idastart.png]

Here you can see the start of the file. The line we’re most interested in (in this file) is the one at 0100101F, a “push dword ptr [esi+34h]” instruction. Select this line and hit F2 to toggle a breakpoint on it. The line should highlight red, just like the picture below:

[Screenshot: 2pushbp.png]

Now press F9 to run the file until it encounters the breakpoint. When IDA hits it, the display will change to the following layout; take note of the ESP box in the IDA view, highlighted in red below, because that is what matters in the next step:

[Screenshot: 3running.png]

Right-click on the ESP address (in this case 0007FFC0) and set a breakpoint on it; we want a hardware breakpoint of size 4 on this address. See the picture below for what I mean:

[Screenshot: 4hwbp.png]

After setting it, the line will highlight red like this:

[Screenshot: 5hwbp2.png]

When the breakpoint has been set, continue running the file by hitting F9 again. When IDA hits the breakpoint, you’ll see the following two windows:

[Screenshot: 6afterhwbp.png]

Notice the red box: this is our new OEP, 01012475. Write this number down somewhere (or remember it). Now that we know our OEP, we need to dump the file and fix the imports. The first step is to dump the file: open up LordPE and select the running calc.exe process, as seen below:

[Screenshot: 7lordpe.png]

Right-click on the file and click on “dump full”, as you see here (I saved my file as calc-dump.exe):

[Screenshot: 8lordpedump.png]

Here you can see a comparison of the sizes of the packed and unpacked files:

[Screenshot: 9sizecmp.png]

Let’s run the file and see what we get. Oops, looks like we get the error below:

[Screenshot: 10iatmissing.png]

This means the import table is all messed up, and we’ll have to fix it. To do that, fire up ImpRec and point it at the active calc.exe process; in the OEP box, enter the OEP we found earlier (just the offset from the image base, which in this case is 12475):

[Screenshot: 11imprecnewoep.png]

Then click on “IAT Autosearch”; you should see a message like this:

[Screenshot: 12autosearch.png]

Click on “Get Imports” and the window should fill with the list of imports found in the file, like this:

[Screenshot: 13importsfound.png]

To fix the dump, click on “Fix Dump” and select the file you dumped earlier (in my case it was calc-dump.exe). ImpRec will fix the dump and save a new file; if it works correctly, you should see these messages in the log:

[Screenshot: 14fixdump.png]

Let’s compare the sizes of all 3 of these files:

[Screenshot: 15sizecmp2.png]

And now, try to run the file:

[Screenshot: 16running.png]

Hurray! It worked! From here you can do everything you need with the file, since it is no longer packed. I hope this helps someone, it certainly helped me understand unpacking a little bit better. Now I can get to unpacking that malware I captured earlier…
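Two details of the procedure above are easy to get wrong by hand: turning the OEP that IDA shows as a virtual address (01012475) into the RVA that ImpRec wants (12475), and making sure the dumped file's PE header no longer points its entry point at the packer stub. The following is an added example, not code from the post, that parses a PE32 header to do both; the file it works on is a constructed, header-only PE whose image base matches the calc.exe addresses on this page, and the packer-stub entry RVA in it is a hypothetical value.

```python
# Added example: VA -> RVA conversion and AddressOfEntryPoint patching for a
# PE32 image, as needed after dumping an Upack-packed process with LordPE.
import struct

IMAGE_BASE = 0x01000000        # matches the 0100xxxx addresses in the post
PACKER_ENTRY_RVA = 0x1000      # hypothetical: entry of the packer stub in the dump
TRUE_OEP_VA = 0x01012475       # the OEP found with the ESP hardware breakpoint

def build_sample_pe(image_base, entry_rva):
    """Constructed minimal PE32 header (DOS stub, COFF header, optional header, no sections)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew: PE signature at offset 64
    # Machine=i386, 0 sections, no timestamp/symbols, SizeOfOptionalHeader=224, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)            # ImageBase
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

def optional_header_offset(data):
    """Locate the optional header via e_lfanew; refuse anything that is not MZ/PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20                               # skip signature + COFF header

def pe_info(data):
    """Return (ImageBase, AddressOfEntryPoint) for a PE32 image."""
    off = optional_header_offset(data)
    if struct.unpack_from("<H", data, off)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images handled here")
    entry = struct.unpack_from("<I", data, off + 16)[0]
    base = struct.unpack_from("<I", data, off + 28)[0]
    return base, entry

def va_to_rva(va, image_base):
    """The 'just the offset' step: ImpRec's OEP box takes an RVA, not the debugger's VA."""
    if va < image_base:
        raise ValueError("address lies below the image base")
    return va - image_base

def patch_entry_point(data, new_rva):
    """Return a copy of the image whose AddressOfEntryPoint is new_rva."""
    buf = bytearray(data)
    off = optional_header_offset(buf)
    struct.pack_into("<I", buf, off + 16, new_rva)
    return bytes(buf)
```

Run on a real LordPE dump, `pe_info` shows the stub entry before fixing and the OEP afterwards, which is a quick check that the rebuilt file will start at the real program rather than the packer.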
