You are browsing the archive for Hexacorn.

Update

April 15, 2012 in Hexacorn

It’s been a while since I wrote anything here. This is due to me being on holidays and moving to a new place right after coming back. I finally settled down in a new apartment and looking forward to play with some new ideas.

So, here is a short update:

  • I fixed a silly bug in HAPI – I mixed up CR & LF characters in the output and it looked awkward to say the least, not to mention potential parsing issues; Thx to Pedro L. for spotting this and notifying me
  • HAPI may occasionally print some strings that look like non-API, e.g. ‘version’; this is not a bug, but a feature ;) it turns out that there is such an API exported by one of the Microsoft DLLs ; since I don’t want to miss any API, I made a trade off and include all of them; still… I use some little heuristics to prevent printing many of them, but some of them will sometimes go through; so, please always verify the output manually; and for the curious – some Microsoft programmers decided to name certain APIs using one, or two characters; I dunno why do you do stuff like this, but there are legitimate system DLLs exporting functions named ‘u’, ‘vo’, etc.
  • Discovered recently that Symantec’s VBN files can be encrypted not only with 0x5A, but also 0xA5; these files are still handled by DeXRAY since it relies on a XRAYS technique that searches and extracts encrypted executables without needing to know a specific key; but if you parse VBN files yourself, knowing that 0xA5 is being used may help you to save some time

Проверено. у нас мин нет!

March 3, 2012 in Hexacorn

Two days ago Yandex.ru listed hexacorn.com as malicious.

It was the only URL checker that highlighted it as malicious, but being on such list is always a serious concern:

 

I checked the web site, compared with the older backups and I didn’t see anything wrong. I then dropped Yandex.ru guys an email, and looks like they fixed their listing  – testing with VirusTotal shows it is all good now:

Not sure what caused this, but well… it’s all about heuristics and they are sometimes wrong.

Good to see Yandex.ru guys reacted so quickly.

Thanks!

And just in case you are wondering what the title means, this should provide you a context:

 


And no, I am not suggesting there were any mines on Hexacorn. Like everything, context has its scope and err… context :)

Image sources:

http://www.gazeta.lv/photos/5/Mina_4.jpg

http://www.gazeta.lv/photos/5/Mina_3.jpg

http://www.gazeta.lv/photos/5/Mina_8.jpg