
Saturday, May 17, 2008

PDU Format Extraction

Peace be upon you,

How are you guys? I hope all of you are OK. Today I am going to show you a piece of code that I really like. It does a very nice thing: extracting the characters from an SMS. If you have any knowledge about SMS you will know that the text is sent in a 7-bit format called "PDU" (Protocol Data Unit). Extracting this data is not tough, but I just want to demonstrate the beauty of bitwise operations and how they minimize the code size. Here is the first piece of code; it is supposed to extract the PDU data and turn it into readable ASCII characters.

#include <string.h>   // memset, memcpy and strcat_s (the Visual C++ CRT function used below)

/*
Function Name : PDUChunk
Author : Ahmed Essam
Date : 17 - 05 - 2008
Purpose : Convert 7 bytes of PDU data to 8 bytes of Char data

History Revision
17-05-2008 Created AEssam
*/
char* PDUChunk(const char* Source)
{
    // it is just a constant for the block size
    const int nBase = 8;
    // Allocate 9 bytes because of the nature of null terminated strings
    char *cpResult = new char[nBase + 1];
    // Clean the allocated memory
    memset(cpResult, 0, nBase + 1);

    // in each loop we keep part of the byte for the next byte; this is the variable
    // which will hold the rest of the operation for the next character
    unsigned char cRest = 0;
    // in each loop the mask grows by one bit, because every byte lends one more of its
    // high bits to the next character (0x80, 0xC0, 0xE0, ... 0xFE); it is unsigned so the
    // shift below does not depend on the compiler's signed char behaviour
    unsigned char cMask = 0x80;
    for (int nLoop = 0; nLoop < nBase; nLoop++)
    {
        // the 8th character is built entirely from the bits carried over from the 7th byte,
        // so never read an 8th source byte (that would be the next chunk, or past the buffer)
        unsigned char cByte = (nLoop < nBase - 1) ? (unsigned char)Source[nLoop] : 0;
        // shift the current set of bits to the appropriate location,
        // and put the rest that we kept from the last byte at the start of the current bit set
        cpResult[nLoop] = (char)(((cByte & ~cMask) << (nLoop % nBase)) | (cRest >> (nBase - (nLoop % nBase))));
        // keep the unused set of bits for the next operation
        cRest = cByte & cMask;
        // update the mask for the next usage
        cMask = (unsigned char)((cMask >> 1) | 0x80);
    }
    return cpResult;
}


/*
Function Name : FromPDU2Char
Author : Ahmed Essam
Date : 17 - 05 - 2008
Purpose : Convert PDU data to Char data
History Revision
17-05-2008 Created AEssam
*/
char* FromPDU2Char(const char* Source, int len)
{
    // Loop counter to end the loop by the end of the data retrieval
    int nLoops = 0;
    // This is to calculate the CHAR length after extracting it from the PDU:
    // every 7 PDU bytes give 8 characters (rounded up for a trailing partial chunk),
    // plus one byte for the null terminator; integer math only, no floating point
    int nTotalLen = ((len + 6) / 7) * 8 + 1;
    // Allocate memory for the end char array
    char *cpResult = new char[nTotalLen];
    // Clean the memory up
    memset(cpResult, 0, nTotalLen);
    // Examine the loop count against the length of the PDU data
    while (nLoops < len)
    {
        // Copy the next 7 bytes into a zero padded block so a trailing partial chunk
        // never makes PDUChunk read past the end of Source
        char cBlock[7] = {0};
        int nRemain = (len - nLoops < 7) ? (len - nLoops) : 7;
        memcpy(cBlock, Source + nLoops, nRemain);
        // Extract the chars from the PDU
        char *cpChunk = PDUChunk(cBlock);
        // Safe concatenation for the end result
        strcat_s(cpResult, nTotalLen, cpChunk);
        // Delete the returned char array
        delete [] cpChunk;
        // Add the chunk size to the loop counter
        nLoops += 7;
    }
    // Return the result string (the caller releases it with delete [])
    return cpResult;
}


Here is the code that consumes that function:


char cpSourceMSG[] = "\xc1\x60\x30\x18\x0c\x06\x83\xc1\x60\x30\x18\x0c\x06\x83\xc1\x60\x30\x18\x0c\x06\x83\xc1\x60\x30\x18\x0c\x06\x83\xc1\x60\x30\x18\x0c\x06\x83\xc1\x60\x30\x18\x0c\x06\x83\xc1\x60\x30\x18\x0c\x06\x83\xc1\x60\x30\x18\x0c\x06\x83\xc1\x60\x30\x18\x0c\x06\x83\xc1\x60\x30\x18\x0c\x06\x83\xc1\x60\x30\x18\x0c\x06\x83\xc1\x60\x30\x18\x0c\x06\x83\xc1\x60\x30\x18\x0c\x06\x83\xc1\x60\x30\x18\x0c\x06\x83\xc1\x60\x30\x18\x0c\x06\x83\xc1\x60\x30\x18\x0c\x06\x83\xc1\x60\x30\x18\x0c\x06\x83\xc1\x60\x30\x18\x0c\x06\x83\xc1\x60\x30\x18\x0c\x06\x83\xc1\x60\x30\x18\x0c\x06\x83";

// Extract the characters from cpSourceMSG.
// sizeof includes the string literal's null terminator, which is not part of the PDU,
// so pass one byte less or the decoder would chew on an extra, non-existent chunk
char * cpExtractedMSG = FromPDU2Char(cpSourceMSG, sizeof(cpSourceMSG) - 1);
// ... use cpExtractedMSG ...
// FromPDU2Char allocates the result with new [], so release it when done
delete [] cpExtractedMSG;


This message is supposed to be an SMS full of "A", which means 160 characters of A. The function up there is not 100% safe, but it is working OK for now.

In the function "PDUChunk" you will notice there is a line full of bitwise operations; that is the line I am talking about:

cpResult[nLoop] = ((Source[nLoop] & ~cMask)<< (nLoop%nBase)) | (cRest>>(nBase-(nLoop%nBase)));

This line does all the targeted work: it takes the shift value for the current position and applies it to the current PDU byte, then ORs the result with the bits that remained from the last operation. I know you may not follow what I am talking about, so here is a link that explains the issue in detail:
http://www.dreamfabric.com/sms/hello.html
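As an added example that is not part of the original post (nor the author's code), here is the same unpacking written the way you would want it when the PDU comes from an untrusted source: the septet count (the TP-UDL field of the SMS PDU) drives the loop rather than the octet count, so a trailing partial chunk can never read past the buffer, and the matching packer shows where the fill bits behind the "not 100% safe" remark come from (7 characters fill exactly 7 octets, and an unpacker that trusts the octet count reads the 7 zero fill bits back as a phantom character). The names unpack_gsm7, pack_gsm7 and sample_payload are mine; the sample payload is the post's 7-byte pattern repeated 20 times, constructed inline. One more caveat the post's char* return hides: GSM 7-bit code 0x00 is '@', not a terminator, so a NUL-terminated buffer silently loses it, which is why this version returns a std::string.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Added example (not the blog post's code): GSM 03.38 7-bit packing and unpacking.
// Septet i occupies bits [7*i, 7*i+7) of the packed stream, least significant bit first,
// so a septet is taken from one octet, or stitched from the top of one and the bottom of the next.

// Unpack septet_count characters from packed octets. septet_count comes from the PDU's
// TP-UDL field; it is clamped to what the octets can hold so bad framing cannot over-read.
// Returned bytes are raw GSM 7-bit codes (0x00..0x7F); letters and digits coincide with ASCII,
// but 0x00 is '@' in GSM, not a string terminator, which is why a std::string is returned.
std::string unpack_gsm7(const std::vector<uint8_t>& octets, size_t septet_count) {
    size_t max_septets = (octets.size() * 8) / 7;
    if (septet_count > max_septets) septet_count = max_septets;
    std::string out;
    out.reserve(septet_count);
    for (size_t i = 0; i < septet_count; ++i) {
        size_t bit = i * 7;            // absolute bit offset of septet i
        size_t byte = bit / 8;
        unsigned shift = bit % 8;
        unsigned v = octets[byte] >> shift;
        // With shift 0 or 1 the whole septet sits in this octet; otherwise its high bits
        // are the low bits of the next octet (the bounds guard is redundant after clamping,
        // kept as defense in depth).
        if (shift > 1 && byte + 1 < octets.size()) {
            v |= static_cast<unsigned>(octets[byte + 1]) << (8 - shift);
        }
        out.push_back(static_cast<char>(v & 0x7F));
    }
    return out;
}

// Pack text (assumed to be GSM 7-bit codes already) into octets; the unused high bits of
// the last octet are zero fill bits. Seven characters fill exactly 7 octets with 7 fill bits,
// which an unpacker that trusts the octet count instead of TP-UDL reads back as a phantom '@'.
std::vector<uint8_t> pack_gsm7(const std::string& text) {
    std::vector<uint8_t> out((text.size() * 7 + 7) / 8, 0);
    for (size_t i = 0; i < text.size(); ++i) {
        size_t bit = i * 7;
        size_t byte = bit / 8;
        unsigned shift = bit % 8;
        unsigned v = static_cast<unsigned char>(text[i]) & 0x7F;
        out[byte] |= static_cast<uint8_t>(v << shift);
        if (shift > 1) out[byte + 1] |= static_cast<uint8_t>(v >> (8 - shift));
    }
    return out;
}

// Constructed sample: the post's 7-octet pattern for "AAAAAAAA", repeated 20 times (160 septets).
std::vector<uint8_t> sample_payload() {
    const uint8_t chunk[7] = {0xC1, 0x60, 0x30, 0x18, 0x0C, 0x06, 0x83};
    std::vector<uint8_t> v;
    for (int i = 0; i < 20; ++i) v.insert(v.end(), chunk, chunk + 7);
    return v;
}

int main() {
    std::string text = unpack_gsm7(sample_payload(), 160);
    std::printf("%zu chars, first 8: %.8s\n", text.size(), text.c_str());
    // Seven 'A's pack into 7 octets; asking for 8 septets yields a trailing 0x00 ('@').
    std::string seven = unpack_gsm7(pack_gsm7("AAAAAAA"), 8);
    std::printf("last code when over-reading the fill bits: 0x%02x\n",
                static_cast<unsigned char>(seven.back()));
    return 0;
}
```

The bit-offset form (bit = 7*i, byte = bit/8, shift = bit%8) is the general algorithm of which the post's 7-byte loop with a growing mask is one unrolled instance; it needs no per-chunk allocation and no carried "rest" byte, and its only input-dependent index is bounds-checked up front.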

Anyway, the coming part is nice: we are going to extract a Unicode SMS. It actually doesn't need any effort; it is just a matter of byte order, so we flip each pair of bytes and the result reads as a wide-character string.


char cpUnicodeMSG[] = "\x06\x33\x06\x2a\x06\x2a\x06\x35\x06\x44\x00\x20\x06\x28\x06\x43\x06\x45\x00\x20\x06\x45\x06\x48\x06\x28\x06\x4a\x06\x46\x06\x4a\x06\x44\x00\x20\x06\x44\x06\x25\x06\x33\x06\x2a\x06\x43\x06\x45\x06\x27\x06\x44\x00\x20\x06\x28\x06\x4a\x06\x27\x06\x46\x06\x27\x06\x2a\x06\x43\x06\x45\x00\x20\x06\x48\x06\x41\x06\x42\x06\x27\x06\x4b\x00\x20\x06\x44\x06\x2a\x06\x39\x06\x44\x06\x4a\x06\x45\x06\x27\x06\x2a\x00\x20\x06\x2c\x06\x47\x06\x27\x06\x32\x00\x20\x06\x27\x06\x44\x06\x25\x06\x2a\x06\x35\x06\x27\x06\x44\x06\x27\x06\x2a";
// sizeof includes the string literal's null terminator; the payload itself is one byte shorter
const int nPayload = sizeof(cpUnicodeMSG) - 1;
// two extra zero bytes so the result is a properly terminated wide string
char *cpFlippedArray = new char[nPayload + 2];
memset(cpFlippedArray, 0, nPayload + 2);
// swap the two bytes of every character so they come out in the byte order the wide string API expects
for (int n = 0; n < nPayload / 2; n++)
{
    cpFlippedArray[n * 2] = cpUnicodeMSG[(n * 2) + 1];
    cpFlippedArray[(n * 2) + 1] = cpUnicodeMSG[n * 2];
}
// reinterpret the swapped bytes as a wide string (TCHAR is wchar_t in a UNICODE build)
TCHAR *wsUnicodeString = (TCHAR*)cpFlippedArray;



After that you should have the result string in wsUnicodeString, and you are free to do whatever you want with it.
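An added example, not from the post: the same UCS-2 extraction done without depending on the host's byte order. Swapping bytes in place and casting to TCHAR* only gives the right text on a little-endian machine and leaves the wide string unterminated; assembling each code unit from its two octets with shifts works on any host, handles an odd trailing octet (a truncated payload) instead of reading past the buffer, and a std::u16string needs no manual terminator. The names decode_ucs2_be, ucs2_to_utf8 and sample_ucs2 are mine; the constructed sample is the first twelve octets of the post's Arabic message.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Added example (not the blog post's code): decode a UCS-2 SMS payload.
// The PDU carries each 16-bit character as two octets; building the value with shifts
// yields host order on any machine, unlike an in-place byte swap plus a pointer cast.
std::u16string decode_ucs2_be(const std::vector<uint8_t>& octets) {
    std::u16string out;
    out.reserve(octets.size() / 2);
    // An odd trailing octet is half a character (truncated payload): drop it rather
    // than read a byte that is not there.
    for (size_t i = 0; i + 1 < octets.size(); i += 2) {
        out.push_back(static_cast<char16_t>((octets[i] << 8) | octets[i + 1]));
    }
    return out;
}

// UCS-2 covers the BMP only (no surrogate pairs), so each code unit is at most 3 UTF-8 bytes.
// Handy for logging the decoded text on a console that speaks UTF-8.
std::string ucs2_to_utf8(const std::u16string& s) {
    std::string out;
    for (char16_t cu : s) {
        uint32_t c = cu;
        if (c < 0x80) {
            out.push_back(static_cast<char>(c));
        } else if (c < 0x800) {
            out.push_back(static_cast<char>(0xC0 | (c >> 6)));
            out.push_back(static_cast<char>(0x80 | (c & 0x3F)));
        } else {
            out.push_back(static_cast<char>(0xE0 | (c >> 12)));
            out.push_back(static_cast<char>(0x80 | ((c >> 6) & 0x3F)));
            out.push_back(static_cast<char>(0x80 | (c & 0x3F)));
        }
    }
    return out;
}

// Constructed sample: the first twelve octets of the post's message ("\x06\x33\x06\x2a..."),
// i.e. the six characters U+0633 U+062A U+062A U+0635 U+0644 U+0020.
std::vector<uint8_t> sample_ucs2() {
    return {0x06, 0x33, 0x06, 0x2A, 0x06, 0x2A, 0x06, 0x35, 0x06, 0x44, 0x00, 0x20};
}

int main() {
    std::u16string text = decode_ucs2_be(sample_ucs2());
    std::printf("%zu code units, UTF-8: %s\n", text.size(), ucs2_to_utf8(text).c_str());
    return 0;
}
```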

Most of you will say that you see the string as a normal wide-character string if you are developing something for MAPI, like a MAPI rule. The idea here is a little more low level: I got this data from the RIL (Radio Interface Layer). I wrote a small application that sniffs GSM traffic and keeps everything; that is how I got this raw data. Here it is all about the memory and the data format in memory, and it is really nice to play with the bitwise stuff :D. I hope that you like the post.

At the end I hope that this post was useful and helpful.

Thanks for your time.

BR
Ahmed Essam




Tuesday, May 13, 2008

MIT, Waiting for all of us

Peace be upon you
I hope that you are all OK. Today I am going to recommend something (as usual :D). Let us begin with a summary to save your time: MIT has opened its course materials (video, audio and text) to everyone, so you can follow the courses taught at the institute for free. Just visit their web site
http://ocw.mit.edu
So let us begin the cool part; it is something like a conversation between me and someone :D.
Shortcuts: Me -> M, the someone I am talking to -> S

M: Do u know that MIT has opened their course materials for free?
S: Wait a second, what is MIT?
M: It is the "Massachusetts Institute of Technology"; it is in Cambridge, Massachusetts, USA, and it has a strong emphasis on scientific and technological
S: So what are you telling me?
M: Simply, this HUGE, decent educational place has done a very nice thing: opening their course materials to people for free, in many formats: audio, video and text.
S: It is good, but what does it mean anyway?
M: For a guy like me, I tried so hard to start a master's in Egypt and I couldn't do that because of many "educational laws" problems, so I started looking for something to study and learn online. I found many places that provide an online master's degree, but I thought that it was useless. I remember when "Mohamed Hegazy - my colleague in Imaginet (MobiDiv)" told me once that MIT had opened their materials for all people, so I started checking it out, and I found it more than amazing.
S: You know, it seems cool, but I still don't feel that it is that important.
M: Look, the issue here is that our career always wants more and more from us in the area of keeping up with technology. I think if we could follow what these courses provide we would make very good progress in our careers.
S: I think you are right, but not all people will like to go on with that.
M: I agree with you, but sometimes we need to do some stuff in teams; that's what I am thinking about. Imagine that we arrange some kind of group to provide "free knowledge" based on MIT courses. It could be amazing to provide such a thing in the Arab community, especially when the educational standards in Egypt are very low; the community would make a DEEP impact, and students may join us to get a better understanding of things.
S: You know, it is a great idea, but I am not going to join; I am already loaded.
M: Look, you can just listen when we have sessions about what we have studied. What do u think?
S: OK, that seems to be fine. I will start with listening, then maybe I become one of the team :)
M: I hope the whole Egyptian community joins us :)
S: OK, can I go to my work? :) I am sorry I was a little tough about it.
M: Of course, I have work too. It was a very nice time that I have spent with you :), bye
S: Me too, pleased talking to you, bye, keep me up to date ;)

At the end, I hope that you got something useful to help you manage your life. Thanks for your time :)

BR
Ahmed Essam

Monday, April 28, 2008

Smart Sniffing on Windows Mobile

Peace be upon you

How are you guys? Sorry for the long absence. Today I am getting into a very "evil" thing; actually I will not use it for evil, I will just demonstrate how this thing works and how it can be harmful. What I am talking about is something I named "Smart Sniffing".

What does "Smart Sniffing" mean?
It means that when the "hacker" or "intruder" sniffs, s/he will not sniff everything. Why would s/he do that? For many reasons; in our case, the intruder needs just a few pieces of information, not all of it. Let us have more details; our sample will be on Windows Mobile.

First of all you will need to have some tools to start in this operation,
  1. WinPCap for Windows CE.
  2. Windows mobile device to start your development and tests.
  3. Hotmail account.
Let us see what we have now. WinPcap is a free library that is used to capture network packets, so now you have everything that is going in and out. For the Windows CE version it is a little tough, but it is not impossible. Then you will start watching what is going on, packets going out and packets coming in. Now that you have accomplished your first step, let us move to the next step.

You will start looking in the packets for anything related to the password and user name in the requests that go out from the device to a certain server; there are POST requests, and that is what you are going to rip. If this trick doesn't work, for one of many reasons, such as the site using some kind of SSL (Secure Socket Layer), you can do something better than ripping the user name and password: you can rip the session ID. There are too many ways to get what you want. After you are done with this step, the intruder notification step comes.

After you have extracted the data you want from the packets and it is ready to be used by the intruder, it will be sent simply and smoothly in one of many ways; it can be sent through SMS. Why do I say that? Because maybe the user uses some kind of "firewall", and it would be easy to detect what the application is trying to send. Of course the user will know from the bill that the mobile sent an SMS, but the issue here is that the intruder gets the piece of information as fast as possible. You can try to dig more and send what you want in a sneaky way, like forcing Internet Explorer to send it as an encoded query string.

What I have just said may seem evil, but it is just a proof of concept. Whatever the "smart guys" say about mobiles and their security, you have to be careful about the applications you install on your device. You also have to be careful and try to notice everything on your screen, because there is always an eye on you; maybe you can't see it, but be sure that this eye exists. All you have to do is be careful and try to protect your data as much as you can.

I have seen before that some kind of Trojan was installed on X company's PCs. The Trojan was working like a virus and wasn't detected by the anti-virus; it was so simple, it was just grabbing file names and sending them to some e-mail address. Of course the administrator was useless; he didn't do anything to protect his company. Anyway, don't rely on someone else to protect you from any kind of attack; also remember that you may ask the wrong person for help, so you have to do "security" related things yourself.

Message to developers: as you can see, nothing is protected by default; you have to protect your client as much as you can. It is your client, it is the reason for your earnings, so try to keep your client safe; even after your death your work should be protected as much as possible. So you have to read about encryption and secure systems, get a certificate, learn the penetration-test requirements and do it yourself, read about secure code, etc.
This topic is endless; all you have to do is seek and be honest, because such a thing really needs very deep honesty. I am saying that because somehow I am a client too, and I hope to be protected.

I forgot to put some links :)
writing secure code
Secure Socket Layer
MSDN Writing Secure Code
WinPcap for Windows CE


I am sorry for the long post; maybe I am overreacting, but as a matter of fact, and as I can see it, everything around us is threatened and we should be careful. That's all I meant by this post. I put the idea out; it is very simple but it can be used. Similar ideas have been used against PCs before, and for sure there are people working on it now. As long as there is evil we should take care of ourselves.

Thanks for your time.

BR
Ahmed Essam