Saturday, April 21, 2018

Excel array formulas

Before explaining the concept of Excel array formulas, let's look at a real problem.

We want to sum the selected region above, but the result is 0, which is obviously wrong.
Investigation shows the reason: the selected cells are text. Converting them to a numeric format through the right-click menu still leaves the small arrow in the top-left corner of each cell, which means the conversion failed.
Some online tutorials say that text can be batch-converted to numbers in other ways, for example with the Text to Columns feature in the Data menu. I haven't tried that; here we solve the problem with an Excel array formula:
1. Select the cell that will hold the SUM result;
2. Generate a formula template as follows
3. In the formula bar, change the formula to (起始单元格 stands for the first cell of the range)
=SUM(VALUE(起始单元格:N138))
4. Finish with CTRL+SHIFT+ENTER; note that this tells Excel the formula takes an array as an argument (after the shortcut it is displayed in the following form):
=SUM(VALUE(N123:N138))

Thursday, April 19, 2018

config apache: allow PHP code in HTML files

Assuming the system is Ubuntu. Ubuntu doesn't use httpd.conf as standard; instead, the global configuration for apache is found in /etc/apache2/apache2.conf. Open the file in a text editor, go to the end of the file and add the following line:

AddType application/x-httpd-php .html

Then restart the service. Note that after this change every .html file Apache serves is executed as PHP, so the mapping must not cover any directory where untrusted users can place .html files.

Thursday, April 12, 2018

SublimeSSH

This tutorial will teach you how to set up Sublime Text to edit files on an ssh server.

Config Sublime

1. Open Sublime Text and hit “ctrl + `”. This will show the console. Copy and paste the Python code from packagecontrol.io, or the following,

import urllib.request,os,hashlib; h = '6f4c264a24d933ce70df5dedcf1dcaee' + 'ebe013ee18cced0ef93d5f746d80ef60'; pf = 'Package Control.sublime-package'; ipp = sublime.installed_packages_path(); urllib.request.install_opener( urllib.request.build_opener( urllib.request.ProxyHandler()) ); by = urllib.request.urlopen( 'http://packagecontrol.io/' + pf.replace(' ', '%20')).read(); dh = hashlib.sha256(by).hexdigest(); print('Error validating download (got %s instead of %s), please try manual install' % (dh, h)) if dh != h else open(os.path.join( ipp, pf), 'wb' ).write(by) 
into the console and hit enter.

2. Hit “ctrl + shift + p” to bring up the package manager. Search for "Install Package" and select it.

3. Make sure you are still in the Install Package context, then search for rsub (a client that connects to the proxy program on the ssh server) and hit enter. On success it prints:
[rsub] Server running on localhost:52698
If rsub is already installed, this message shows every time Sublime starts.

Installing ssh client

I suggest installing Xshell (select English when asked for the language).

Following is a saved login config:

Log in to and configure the ssh server

Install rsub:

sudo wget -O /usr/local/bin/rsub https://raw.github.com/aurora/rmate/master/rmate
sudo chmod a+x /usr/local/bin/rsub

Test

Suppose you are in /var/www/html on your ssh server and want to send the file jsdo.html to Sublime:

sudo rsub jsdo.html

Edit this file in Sublime and save; on the ssh server you will see the file change after it is saved from Sublime.

Enjoy!

SSH Tunnel

There are two ways to create an SSH tunnel, local and remote port forwarding (there's also dynamic forwarding, but we won't cover that here).

local port forwarding

forwarding to remote server

Imagine you’re on a private network which doesn’t allow connections to a specific server. Let’s say you’re at work and imgur.com is being blocked. To get around this we can create a tunnel through ssh server which isn’t on our network and thus can access Imgur.

$ ssh -L 9000:imgur.com:80 user@example.com

Here the local port 9000 targets imgur.com's port 80 with the help of the ssh server user@example.com.

Now open your browser and go to http://localhost:9000 . Nobody on your network is going to see what sites you’re visiting; they’ll only see an SSH connection to your server.

forwarding to ssh server

$ ssh -L 9000:localhost:5432 user@example.com

Here the tunnel runs from localhost:9000 to ssh_server:5432 (localhost in the command is resolved on the ssh server, so the target is a port on the ssh server itself). For easier maintenance the local port and the port on the ssh server can be the same. The ssh server can accept multiple connections on the same port.

Remote port forwarding

Say that you’re developing a Rails application on your local machine, and you’d like to show it to a friend. Unfortunately your ISP didn’t provide you with a public IP address, so it’s not possible to connect to your machine directly from the internet.

Sometimes this can be solved by configuring NAT (Network Address Translation) on your router, but this doesn’t always work, and it requires you to change the configuration on your router, which isn’t always desirable. This solution also doesn’t work when you don’t have admin access on your network.

To fix this problem you need to have another computer; it can be any server on the internet or at your company. We’ll tell SSH to make a tunnel that opens up a new port on the server and connects it to a port on your machine:

$ ssh -R 9000:localhost:3000 user@example.com

The syntax here is very similar to local port forwarding, with the single change of -L to -R. First you specify the port on which the remote server will listen, which in this case is 9000; next follows localhost for your local machine, and then the local port, which in this case is 3000.

There is one more thing you need to do to enable this. By default SSH doesn’t allow remote hosts to connect to forwarded ports (the forwarded port is bound to the server's loopback interface only). To enable it, open /etc/ssh/sshd_config and add the following line somewhere in that config file:
GatewayPorts yes
Make sure you add it only once!
$ sudo vim /etc/ssh/sshd_config
And restart SSH:
$ sudo service ssh restart
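
The "add it only once" warning above is easy to get wrong by hand: sshd honours the first active occurrence of a directive and silently ignores later duplicates. As an added example (not code from the linked blog or from OpenSSH), the helper below rewrites an sshd_config text so that a directive appears exactly once in the global section, leaving any Match block untouched; the sample config is constructed.

```python
import re

def set_sshd_directive(config_text, key, value):
    """Return config_text with exactly one active '<key> <value>' line in the global section.

    Every global line for key (active, or a '#'-commented default) is replaced by one line
    at the first such position; if none exists, the line is inserted before the first
    'Match' block (appending after a Match block would scope it to that block) or, when
    there is no Match block, appended at the end.  Match-block lines pass through as-is.
    """
    hit = re.compile(r"^\s*#?\s*" + re.escape(key) + r"\b", re.IGNORECASE)
    out, placed, in_match = [], False, False
    for line in config_text.splitlines():
        if re.match(r"^\s*Match\b", line, re.IGNORECASE):
            in_match = True
            if not placed:
                out.append(f"{key} {value}")
                placed = True
        elif not in_match and hit.match(line):
            if not placed:
                out.append(f"{key} {value}")
                placed = True
            continue                      # drop duplicates and the commented default
        out.append(line)
    if not placed:
        out.append(f"{key} {value}")
    return "\n".join(out) + "\n"

def active_values(config_text, key):
    """Active (uncommented) values given for key in the global section, in file order."""
    hit = re.compile(r"^\s*" + re.escape(key) + r"\s+(\S+)", re.IGNORECASE)
    vals = []
    for line in config_text.splitlines():
        if re.match(r"^\s*Match\b", line, re.IGNORECASE):
            break
        m = hit.match(line)
        if m:
            vals.append(m.group(1))
    return vals

# Constructed sample: a typical commented-out default, plus the stray duplicate that a
# second "just append it" edit leaves behind, plus a Match block that must stay untouched.
SAMPLE = """# sshd_config (constructed sample)
Port 22
#GatewayPorts no
X11Forwarding yes
GatewayPorts no
Match User deploy
    GatewayPorts yes
"""
```

`GatewayPorts yes` binds every remote-forwarded port on all of the server's interfaces; the narrower `clientspecified` setting lets each `-R` forward choose its bind address, which is preferable when only one forward needs to be reachable from outside.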

For more info, refer to https://blog.trackets.com/2014/05/17/ssh-tunnel-local-and-remote-port-forwarding-explained-with-examples.html

Sunday, April 8, 2018

schwab

ESPP

An ESPP investment period is often 6 months; each month an amount is invested.

When the company buys the shares for you, you do not owe any taxes. You are exercising your rights under the ESPP. You have bought some stock. So far so good.

When you sell the stock, the discount that you received when you bought the stock is generally considered additional compensation to you, so you have to pay taxes on it as regular income.

If you hold the stock for less than a year before you sell it, any gains will be considered compensation and taxed as such. If you hold the shares for more than one year, any profit will be taxed at the usually lower capital gains rate.

For me, ESPP shares are often sold in Feb or Aug after the 15th.

Stock options

http://eac.schwab.com -> Accounts -> History -> Equity Awards website -> My Equity Awards -> History and Statements -> Date Range = All:

sell 205 ESPP shares

  • Subscription: Date = 08/15/2017; FMV = $36.81
  • Purchase: Date = 02/14/2014; FMV = 48.38; Price = MIN(Subscription FMV,Purchase FMV) * 0.85 = 31.2885
  • Sale: Date = 02/20/2018; Price = $48.95
  • capital gain = (48.38 - 31.2885) * 205 = 3503.76 USD = 3503.76 * 1.2562 cad = 4401.42 cad
  • Taxes are deducted by two payrolls' ESP-ER (02/28/2018 and 03/15/2018), each time with a gain of 2200.71
  • My personal fed-tax rate is 26%, my personal prov-tax rate is 14.7%: 2200.71 * 0.407 = 895.69.
  • As the Sale Price, 48.95, is not equal to 48.38, a further gain should be reported when filing taxes.

sell 196 OPTIONs

  • Award Names : 00002066 00003118
  • Shares: 26 170
  • Award Price: $3.735 $8.43
  • Sale Price: $24.191
  • Sale Date: 07/23/2014
  • Award Date: 01/28/2009; 02/10/2010
  • Exercise Cost = 3.735 * 26 + 8.43 * 170 = 97.11 + 1433.1 = 1530.21
  • Taxes: 894.34
  • Gross Proceeds: 196 * 24.191 - possible commissions and fees = 4741.436 - 9.046 = 4,732.39
  • assume capital gain = 4,732.39 - 1530.21 = 3202.18; taxable gain = 3202.18 * 1/2 = 1601.09
  • // the taxable gain is 50% if it spans years.
  • then tax rate = 894.34 / 1601.09 = 55.9%
  • Net Proceeds = 2,307.84 = Gross Proceeds - Taxes - Exercise Cost = 4,732.39 - 1530.21 - 894.34

RSU

An example of an RSU grant is the easiest way to understand the concept. Let's say Sue works for ABC Corp and was awarded 300 RSUs on May 1, 2011.

50 awards vest every 6 months. Sue's first batch of 50 units of restricted stock vested on November 1, 2011. ABC was trading at $10, and Sue's employer sold 23 shares (46%) and remitted the withholding tax to the CRA. Sue's second batch of 50 units of restricted stock vested on May 1, 2012. ABC was trading at $12, and Sue's employer again sold 23 shares and remitted the withholding tax to the CRA. In both cases, her employer included $500 and $600 in employment income and $230 and $276 in income tax deducted on Sue's T4 for 2011 and 2012 respectively (so Sue pays income tax on $270 and $324 for 2011 and 2012).

On May 15, 2012, ABC hit $15 and Sue sold the 54 shares of ABC Corp that she held. Sue's adjusted cost base is $11 (27 shares acquired at $10 and 27 shares acquired at $12). Since she sold for $15, her capital gain is $216, which she would declare when filing her 2012 tax return on Schedule 3, if nothing was deducted from her paychecks/payrolls.

RSUs are too complex for tax purposes; I will never consider RSUs again.

Tuesday, March 27, 2018

An example of MBR

// sectors_per_track = 56

bytes [511-512] (offsets 0x1fe~0x1ff): 55 AA, the boot signature
bytes [447-510] (offsets 0x1be~0x1fd): partition table, four 16-byte entries

partition 1 (entry 0x0):
 .bt0 = 0x80 = Active
 .bt1 = disk_hdr_idx = 01
 .bt2 & 0x3f = sector_id = 01
 ((.bt2 & 0xc0) << 2) | .bt3 = cylinder_idx = 0   // top two bits of .bt2 are cylinder bits 8-9, .bt3 is bits 0-7
 .bt4 = file system id (NTFS = 0x07)
 .dw8 = sector_addr = 0x38   // byte_addr = 0x38 * 512 = 0x7000

partition 2 (entry 0x1):
 .bt0 = 0 = not Active
 disk_hdr_idx = 0
 sector_id = 1
 cylinder_idx = 1023
 file system id = 0x0f = extended partition
 .dw8 = 42911400   // byte_addr = 42911400 * 512 = 0x51D8D5000
 // an extended partition has its own partition table; here it is at 0x51D8D51BE
 // here there is only one logical partition inside, D:
 D.Active = false
 D.byte_addr = 0x7000
 // byte_addr is relative to the extended partition; the absolute byte_addr is 0x51D8DC000, and at this address we find the (logical) partition's boot record
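
The decoding walked through by hand above, as an added example (not part of the original notes): a Python parser for the MBR partition table that decodes the packed CHS bytes, computes byte addresses from the LBA field, and follows the EBR chain of an extended partition, where entry 0 is relative to its EBR and entry 1 (the next EBR) is relative to the extended partition start. The two-sector "disk" is constructed from the values in the notes; the partition sizes are made up.

```python
import struct

SECTOR = 512
TABLE_OFF, SIG_OFF = 0x1BE, 0x1FE   # partition table 0x1BE..0x1FD, "55 AA" signature 0x1FE..0x1FF

def chs(b1, b2, b3):
    """3-byte CHS tuple -> (cylinder, head, sector); b2 bits 0-5 sector, bits 6-7 cylinder bits 8-9, b3 cylinder bits 0-7."""
    return ((b2 & 0xC0) << 2) | b3, b1, b2 & 0x3F

def parse_table(sector):
    """Parse the four 16-byte entries of an MBR or EBR sector; empty entries (type 0) are skipped."""
    if len(sector) != SECTOR or sector[SIG_OFF:SIG_OFF + 2] != b"\x55\xAA":
        raise ValueError("missing 55 AA signature")
    entries = []
    for i in range(4):
        f = struct.unpack_from("<8B2I", sector, TABLE_OFF + 16 * i)   # status, CHS, type, CHS, LBA, count
        if f[4] != 0:
            entries.append({"index": i, "active": f[0] == 0x80, "type": f[4], "chs_start": chs(*f[1:4]),
                            "lba": f[8], "sectors": f[9], "byte_addr": f[8] * SECTOR})
    return entries

def logical_partitions(read_sector, ext_lba):
    """Walk the EBR chain of the extended partition at absolute LBA ext_lba (read_sector(lba) -> bytes)."""
    found, ebr, seen = [], ext_lba, set()
    while ebr not in seen:                       # a crafted image could loop the chain forever
        seen.add(ebr)
        e = {x["index"]: x for x in parse_table(read_sector(ebr))}
        if 0 in e:                               # entry 0: the logical partition, relative to this EBR
            found.append({"type": e[0]["type"], "abs_lba": ebr + e[0]["lba"],
                          "abs_byte_addr": (ebr + e[0]["lba"]) * SECTOR, "sectors": e[0]["sectors"]})
        if 1 not in e:                           # entry 1: next EBR, relative to the extended partition start
            break
        ebr = ext_lba + e[1]["lba"]
    return found

def entry(active, c, h, s, ptype, lba, count):
    """Encode one table entry (end-CHS bytes left zero: nothing above reads them)."""
    return struct.pack("<8B2I", 0x80 if active else 0, h, ((c >> 2) & 0xC0) | s, c & 0xFF,
                       ptype, 0, 0, 0, lba, count)

def sample_disk():
    """Constructed sparse 'disk' {lba: sector}: active NTFS at LBA 0x38, extended at 42911400 with one logical NTFS."""
    mbr, ebr = bytearray(SECTOR), bytearray(SECTOR)
    mbr[TABLE_OFF:TABLE_OFF + 32] = (entry(True, 0, 1, 1, 0x07, 0x38, 83886080)
                                     + entry(False, 1023, 0, 1, 0x0F, 42911400, 1048576))
    ebr[TABLE_OFF:TABLE_OFF + 16] = entry(False, 0, 1, 1, 0x07, 0x38, 1048576 - 0x38)
    mbr[SIG_OFF:], ebr[SIG_OFF:] = b"\x55\xAA", b"\x55\xAA"
    return {0: bytes(mbr), 42911400: bytes(ebr)}
```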

Tuesday, March 13, 2018

evaluation of VMAttack IDA plugin

My evaluation for this plugin is: it's too young but promising.

I firstly introduce the plugin, then evaluate it from two aspects: Automated and Manual Analysis.

Introduction

VMAttack is an IDA plugin which generates and analyses a trace log of a PE. If the trace is not produced correctly, the plugin is useless.

Trace generation is automatic and upon completion it will produce a success notification in IDAs output window.

Traversed paths will be colored in a shade of blue, where a darker shade represents a higher number of traversals. We can get a global distribution of traced code with a glance.

Initially it shows system and custom calls with their args; this is useful when the PE has explicit function boundaries and gives a gross view. VMAttack can step over system functions while extracting their args, which saves space in the trace.

As the best way to understand this plugin is to practice with it, I also collected ALL the tools and wrote an installer (install.bat) for practicing.

The demo samples include the obfuscated binary and the source binary of an add function:

addvm_3AE2BABAA4920BEF3E466F34B0075FFB.exe
addvm_B4E34E39CFDD13E65D070E9FB9717620.vmp.exe

They are available at https://github.com/anatolikalysch/VMAttack/tree/master/Example/addvmp . In the team discussion I sent an email titled 'decode vmprotect is possible?'; that email describes the construction of that vmp sample in detail. Debug it with my mimic program, then practice VMAttack after running install.bat. This way it's easy to understand the plugin, and so we can better evaluate it.

Automated Analysis

Automated Analysis extracts useful information from the trace log automatically or semi-automatically. It includes Input / Output Analysis, Clustering Analysis, Grading Analysis, Dynamic Trace Optimization and Static deobfuscate.

Input / Output Analysis

The input/output analysis could provide leads as to how the input arguments of the VM function are used and whether there is a connection between function input and function output.

evaluation: for real-world samples, the connection between function input and output can be exposed, but not obviously and not very clearly.

Clustering Analysis

If a group of instructions executes more than once, it may be taken as a cluster. For example, if the Cluster Heuristic Threshold is set to 3, then an address encountered more than twice is taken as the start of a cluster.

evaluation: Clustering is a good feature; it can fold and reduce the trace by a lot, especially when the Greedy Clustering option is set. VMAttack can quickly remove unnecessary clusters, and it can also roll back wrongly removed clusters. If basic block detection was not deactivated in the settings, the clusters themselves are additionally subdivided into basic blocks. The basic block description is a good summary; furthermore, instructions whose computations are simply overridden are not displayed, which is a good in-block deobfuscation feature.

Grading Analysis

Each instruction, block of instructions and cluster of instructions has a different importance. The grade of an instruction is affected by Memory Usage Importance, Clustering Importance, Input/Output Importance, and so on.

At the end of the grading analysis the now graded trace will be presented in the grading viewer. The trace can now be filtered either by double clicking a grade or via context menu where the user will be prompted to input the grade threshold to display.

evaluation: Clustering Analysis is useful. For example, if you decide Input/Output Analysis is very important, then the instruction with the largest grade should be the one doing the add on the two addends.

Dynamic Trace Optimization

Dynamic Trace Optimizations make the trace easier to read.

evaluation: Folding constants and folding unused operands are good deobfuscation features.

Static deobfuscate

The static deobfuscate function tries to statically determine the instructions that will be executed by the byte code in the provided virtual machine function. The semi-automatic version of this analysis tries to determine all necessary values (introduced later) automatically.

evaluation: refer to the Manual Analysis version of Static deobfuscate for the evaluation.

Manual Analysis

Most Manual Analysis features depend on the following VM Context model:

  • Code Start - the byte code start, vm_insts, precisely vm_insts_start
  • Code End - the byte code end, vm_insts_end
  • VM Addr - the start address of the virtual machine function (Protect Func, for short, pf);
  • Base Addr - the base address of the jump table (the dispatch table, or insts_engine); for vmp:
    .vmp0:00404339 8A 06                                         mov     al, [esi]
    .vmp0:0040433B 0F B6 C0                                      movzx   eax, al         ; op code
    .vmp0:0040433E 83 C6 01                                      add     esi, 1
    .vmp0:00404341 FF 24 85 9C 43 40 00                          jmp     dword ptr ds:inst_engines[eax*4]
    

There are three ways to decide the VM Context:

  • by the Settings menu entry
  • by Manual_Analysis->VM_Context's 'find statically' or 'find dynamically' entries.

The following are the so-called Manual Analysis features:

  • Find VM Function (Protect Func, pf) Input Parameter: the plugin prints "BABE5 , OFFSET WORD_40489A , AFFE1 "; BABE5 and AFFE1 are passed from the Protected Func (pdf), WORD_40489A is vm_insts.
    evaluation: useful
  • Find VM Function Output Parameter; for the demo sample addvmp:
    .text:0040102E                              ; .text:00401000
    .text:0040102E                              ; .text:00401000 55             push    ebp
    .text:0040102E                              ; .text:00401001 89 E5          mov     ebp, esp
    .text:0040102E                              ; .text:00401003 8B 55 08       mov     edx, [ebp+arg_0]
    .text:0040102E                              ; .text:00401006 8B 45 0C       mov     eax, [ebp+arg_4]
    .text:0040102E                              ; .text:00401009 01 D0          add     eax, edx
    .text:0040102E                              ; .text:0040100B 5D             pop     ebp
    .text:0040102E                              ; .text:0040100C C3             retn
    edi:0
    eax:16ABC6 //affected
    ebp:28FF88
    esp:28FF60
    edx:AFFE1 //affected
    ebx:7EFDE000
    esi:0
    ecx:76728E8A
    

    evaluation: very useful
  • Find Virtual Reg to Reg mapping; for the demo sample addvmp:
    .vmp0:0040432C 89 E5                                         mov     ebp, esp        ; vms_top
    .vmp0:0040432E 81 EC C0 00 00 00                             sub     esp, 0C0h       ; vmd , vm data, virtual registers
    
    edi:28FF3C
    eax:28FF58
    ebp:28FF4C
    edx:28FF50
    ebx:28FF44
    esi:28FF48
    ecx:28FF54
    

    evaluation: not checked, I will not trust this feature
  • Follow Virtual Register: this provides a manual interface to the register tracking functionality.
    evaluation: not useful, will not use this feature
  • The address count reads a trace and returns in IDA's output window the ratio (Address (disasm): frequency of occurrence)
    evaluation: not useful, except when used as the counter of a conditional breakpoint

Besides the previous features, the plugin provides a "Deobfuscate from..." menu; it seems to try to deobfuscate the VM byte code, but I believe this feature is not implemented.