In a Web browser, right-click this link and save the putty.exe file:
https://samsclass.info/127/proj/putty.exe
PuTTY opens, as shown below.
In the "Host Name (or IP address)" box, type
ad.samsclass.info
At the bottom, click the Open button.
In the "PuTTY Security Alert" box, click Yes.
A black box opens, and shows a "login as:" prompt, as shown below.
You could log in to a server at this point, but that's not the point of this project. We will alter this program to do other things instead of printing "login as".
Close the PuTTY window. In the "PuTTY Exit Confirmation" box, click OK.
In the User Account Control box, click Yes.
From the Immunity menu bar, click File, Open. Navigate to putty.exe and open it.
Immunity opens, as shown below. If your screen doesn't look like this, click View, CPU and maximize the CPU window.
Immunity shows you a lot of data, but for now just notice the Assembly Code in the top left pane, and the yellow Paused message in the lower right corner.
When you load a program into Immunity, it starts in a "Paused" state, with the Assembly Code window showing the first instruction.
Click Debug, Run again.
PuTTY opens, and its icon appears on the taskbar at the bottom of the Windows desktop, as outlined in red in the image below.
Click the PuTTY icon to see the PuTTY window, as shown below.
Click in the PuTTY window. In the "Host Name (or IP address)" box, type
ad.samsclass.info
At the bottom, click the Open button.
The "login as" message appears, as shown below.
PuTTY is running, but it's under the control of Immunity, so we can modify its execution.
In Immunity, from the menu bar, click Debug, Restart.
Click Debug, Run.
The top left pane of Immunity shows assembly instructions, starting with PUSH 60, as shown below.
Move the mouse pointer into the top left pane. Right-click. Point to "Search for". Click "All referenced text strings", as shown below.
A "Text strings referenced in putty:.text" window opens, showing all the strings in the program.
Scroll to the top of the window and click on the first line, so it is highlighted.
Right-click in the window, and click "Search for text", as shown below.
In the "Enter text to search for" box, type
login as
as shown below.
Click OK.
Immunity finds the ASCII string "login as", and the instruction that uses it, as shown below. This instruction is at address 00417053.
Right-click again, and click "Search next".
Immunity finds another line of code that uses this string, as shown below. This instruction is at address 0041CB6E.
On your keyboard, press the F2 key. Mac users, press fn+F2. The address turns red, as shown below, to indicate that there's a breakpoint here.
In Immunity, from the menu bar, click Debug, Restart.
A box pops up warning you that "Process 'putty' is active". Click Yes.
In Immunity, from the menu bar, click Debug, Run.
Click Debug, Run again.
PuTTY opens, as shown below.
Click in the PuTTY window. In the "Host Name (or IP address)" box, type
ad.samsclass.info
At the bottom, click the Open button.
A black window opens, but before the "login as" message appears, the program stops, as shown below.
Notice the "Paused" message in the lower right, and the "Breakpoint at putty.0041CB6E" message in the lower left, as shown below.
The program stopped at instruction 0041CB6E, as shown in the image above.
We'll use this instruction to hijack the program's execution.
Enter that text into the form below to record your success!
In Immunity, from the menu bar, click View, Breakpoints.
A "Breakpoints" window opens, showing the breakpoint.
Right-click the breakpoint and click Remove, as shown below.
Close the "Breakpoints" window.
Maximize the CPU window.
The lower left pane shows the stored "login as" message, in hexadecimal and ASCII text, as shown below.
An "Assemble at 0041CB6E" box appears, as shown below.
This shows the command at this location. It's a PUSH instruction, placing the address 467C7C onto the stack. That address points to the letter "l" in the ASCII string "login as: ", as shown on the right side of the instruction line, outlined in green in the image below.
In the "Assemble at 0041CB6E" box, change the last character to D, as shown below. This will move the pointer from the "l" to the "o" in the string "login as: ".
Click the Assemble button.
Click the Cancel button.
The message on the right now says "ogin as: ", as shown below.
In the "Copy selection to executable file" box, click the "Copy all" button, as shown below.
A window appears containing only the assembly code.
Right-click in this window and click "Save File", as shown below.
Save the file in your Downloads folder as putty2.exe.
Close Immunity.
PuTTY opens, as shown below.
In the "Host Name (or IP address)" box, type
ad.samsclass.info
A black box opens, and shows a "ogin as:" prompt, as shown below.
In Internet Explorer, go to
https://www.slavasoft.com/hashcalc/
On the left side, click Download, as shown below.
Save the file in your Downloads folder. Open the downloaded file and install the software with the default options.
When HashCalc is installed, it opens. In the Data field, on the right side, click the ... button.
In the Find box, navigate to your Downloads folder and double-click putty2.exe.
In the HashCalc window, at the bottom, click the Calculate button.
The MD5 hash of your file should match the value shown in the image below.
Enter that value into the form below to record your success!
Launch Immunity. In Immunity, open putty2.exe.
Move your mouse into the lower left pane of the CPU window, which is the "hex dump" pane.
Right click, point to "Go to", and click Expression, as shown below.
Enter 41CB6E into the box, as shown below. Click OK.
Immunity shows the PUSH instruction you modified previously, which references a pointer to the ASCII string "ogin as:", as shown below.
Right-click the PUSH instruction and click "Follow in Dump", "Immediate constant", as shown below.
The lower left pane of Immunity shows the text "ogin as: ", as shown below.
In the top left of the Hex Dump pane, point to 6F, hold down the left mouse button, and highlight the entire row of 8 bytes, as shown below.
Right-click the highlighted bytes. Then point to Binary, and click Edit, as shown below.
An "Edit data at 00467C7D" box opens, as shown below.
Click in the ASCII box, press Backspace to move back to the start, and overwrite the message with DARKNESS as shown below.
Click OK.
A new window pops up, with a title beginning with "File", as shown below.
Right-click in the new window and click "Save file".
Save the file in your Downloads folder as putty3.exe.
Double-click putty3.exe.
In the "Host Name (or IP address)" box, type
ad.samsclass.info
At the bottom, click the Open button.
A black box opens, and shows a prompt of DARKNESS, as shown below.
Enter that value into the form below to record your success!
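The two edits above (bumping the PUSH immediate from 467C7C to 467C7D, then overwriting the bytes at 467C7D with DARKNESS) and the HashCalc check can be seen together in the added example below. It is not part of the project or of PuTTY: it builds a constructed flat image in which file offset equals RVA at image base 0x400000 (an assumption; a real PE maps sections with different alignment), then does what an integrity check on the saved putty3.exe would do: compare hashes, list the offsets that changed, decode the PUSH imm32 at 0041CB6E and read the prompt it now points to.

```python
import hashlib
import struct

IMAGE_BASE = 0x400000                   # assumed; offsets below = VA - base
PUSH_OFFSET = 0x41CB6E - IMAGE_BASE     # the PUSH instruction from the lab
STRING_OFFSET = 0x467C7C - IMAGE_BASE   # where "login as: " lives
PUSH_IMM32 = 0x68                       # x86 opcode for PUSH imm32

def build_image(string_ptr: int, prompt: bytes) -> bytes:
    """Constructed stand-in for the binary: NOP filler, one PUSH, one string."""
    img = bytearray(b"\x90" * 0x70000)
    # PUSH imm32 is opcode 0x68 followed by the 32-bit immediate, little-endian,
    # so the "last character" edited in Immunity (7C -> 7D) is the byte at +1.
    img[PUSH_OFFSET:PUSH_OFFSET + 5] = bytes([PUSH_IMM32]) + struct.pack("<I", string_ptr)
    img[STRING_OFFSET:STRING_OFFSET + len(prompt)] = prompt
    return bytes(img)

# Constructed originals: the untouched image and the putty3-style patch
# (pointer moved one byte, eight bytes from 467C7D replaced with DARKNESS).
ORIGINAL = build_image(0x467C7C, b"login as: \x00")
PATCHED = build_image(0x467C7D, b"lDARKNESS \x00")

def diff_offsets(a: bytes, b: bytes) -> list:
    """Every offset at which the two images differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

def decode_push_imm32(img: bytes, offset: int) -> int:
    """Return the immediate of the PUSH imm32 at offset, or fail loudly."""
    if img[offset] != PUSH_IMM32:
        raise ValueError(f"no PUSH imm32 at {offset:#x}")
    return struct.unpack_from("<I", img, offset + 1)[0]

def prompt_at(img: bytes, ptr: int) -> str:
    """Read the NUL-terminated ASCII string the pointer refers to."""
    off = ptr - IMAGE_BASE
    return img[off:img.index(b"\x00", off)].decode("ascii")

def tamper_report(orig: bytes, patched: bytes) -> dict:
    """Hash comparison plus what changed and where the PUSH now points."""
    before = decode_push_imm32(orig, PUSH_OFFSET)
    after = decode_push_imm32(patched, PUSH_OFFSET)
    return {
        "hash_match": hashlib.md5(orig).digest() == hashlib.md5(patched).digest(),
        "changed_offsets": diff_offsets(orig, patched),
        "push_pointer": (before, after),
        "prompt": (prompt_at(orig, before), prompt_at(patched, after)),
    }

if __name__ == "__main__":
    print(tamper_report(ORIGINAL, PATCHED))
```

The report shows nine changed bytes: one inside the instruction (the low byte of the immediate) and eight inside the string, which is why a single-byte pointer edit and a data edit both break the MD5 that HashCalc computes.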