Request rate limiting on the fly, with ALD

A few days back Logontube crossed 1.3 billion websites, which aroused the curiosity of one of my friends, and he asked me how I was controlling the request rate limiting for different clients while at the same time keeping out crawlers and login page bruters, especially the bruters I had developed myself. I explained my methodology to him and shared the tool I made back in 2012.

This post is intended to share with the cyber community what I shared with him, for those who are interested.

Since the inception of logontube I had tried lots of ways to implement this, most of which were part of the Reverseip PHP class. The first implementations were the obvious, database-driven ones, where the request count per IP was auto-incremented, but most of the time it either exaggerated the request count or corrupted the DB. I even tried switching the table to the MyISAM engine for faster insert and update rates and changed the query to an "INSERT DELAYED" for each request, which did not work as well as expected either. So after a few more failed try-outs I developed ALD v1.0 (M.A.D Labs Api-Lite Deployment v1.0), which I use till now.

The whole idea was to develop a portable, easy, lazy, fast, all-in-one solution, and PHP was not the language for it, especially given PHP's terrible performance in maintaining its multi-dimensional arrays. So I moved on to Perl, which I was getting familiar with in those days and which was impressively fast with its hashes. Time had made me hate any database-driven program, so I was looking for other alternatives when I stumbled upon the idea of using the Apache access_log and .htaccess itself for this purpose. So, like all good old stories, I sat down and developed it.

Currently ALD has 4 main features, which are explained briefly below.

1. Path-based request limiting.

2. Redirect clients that have exhausted their quota to custom pages, or respond with custom HTTP codes.

3. Block crawlers and directory bruters (403) or redirect them to custom honeypot scripts, eg:

4. Report overall traffic statistics.


The tool takes at most 30 seconds to read and parse 30k lines of access_log and block if necessary. It has to be set up as a cron job with a time interval ranging from 5 min to 30 min based on your daily traffic. I get around 18k page requests daily (mostly from search engines), so I had to set $HOW_MANY_ROWS to 20000; adjust it according to your needs. You should also change the access_log path according to your OS. The tool also has provision to load the rule set from a locally stored config file.

Here is a basic example of a rule set.

    %config_hash = (
        0 => {
            'htaccess_server_trail_path' => '/var/www/html',
            'htaccess_folder'            => '/requestfolder',   # relative to the public_html part, with the trailing slash; on CentOS that is /var/www/html/
            'access_log_request_path'    => '/requestfolder',
            'htaccess_pre_def_content'   => "Options +FollowSymLinks\nRewriteEngine On\n\n",  # escape characters properly and convert line feeds if possible; any new rewrite rules should go in the post variable
            'htaccess_post_def_content'  => "",                 # escape characters properly and convert line feeds if possible
            'htaccess_monitored_file'    => "/index.php",       # just the file name
            'htaccess_redirected_file'   => 'blocked.html',
            'htaccess_redirected_code'   => '',                 # set if the request has to be answered with a redirect or another HTTP code; suppose you want to redirect to google: set 'htaccess_redirected_file' to google and this to '302'
            'block_interval'             => 24,                 # in hours (the internal format is yearmonthdayhour)
            'can_also_be_folder'         => 0,                  # if this is a folder the rule applies to the whole folder and htaccess_monitored_file is not monitored
            'is_fake_folder_path'        => 0,                  # if the path itself is an htaccess-rewritten, non-existent directory
            'default_max_requests'       => 200,                # default GET/POST rate
            'block_time_statuscode_match' => '429',
            'document_root_based_honey_pot_path' => '\.\./honey-and-milk/crawler_honeypot.php',  # if an anti-crawler script exists, its path relative to the document root
            'white_list' => {                                   # eg: '' => 600000; requests include both GET and POST
                '' => 500000000,                                # IP addresses elided in the original post
                '' => 500000000,
            },
        },
    );


To explain simple path-based request limiting we will consider a scenario where you have a "webpath", say /website/api/, with a default client quota of 200, and you want to add two or three exceptions with their permitted number of requests; clients exceeding the allotted amount will be answered with HTTP status code 429, "Too Many Requests". You will need to follow a few steps in the modification.

  1. Start a new hash with the next array index as its key (eg: 1 => { }) in %config_hash.
  2. Change 'htaccess_server_trail_path', 'htaccess_folder' and 'htaccess_monitored_file' (in our case the latter is empty) respectively.
  3. Change 'default_max_requests' to 200, and add the IPs you want with their corresponding maximum number of requests (as shown above).
  4. Leave 'document_root_based_honey_pot_path' blank (ie 'document_root_based_honey_pot_path' => '').
  5. Change 'block_time_statuscode_match' to 429 and 'htaccess_redirected_code' to 429.
    When the access_log is read, any request to this path between current_time - 24 hours and current_time that was answered with the 'block_time_statuscode_match' code is not taken into consideration, and when the htaccess is rewritten based on 'htaccess_redirected_code' the client will be redirected to the following local path or link (eg:
  6. Set 'is_fake_folder_path' to 0, as your "webpath" is an existing directory and not a URL-rewritten path.
  7. Set 'can_also_be_folder' to 1 unless your implementation is only meant for a file.
    Eg: in a case where your implementation is only for /website/api/test.php you should set 'can_also_be_folder' to 0, else to 1.
  8. Set 'htaccess_redirected_file' to '', as in this case you are not redirecting to any local file, just replying with a 429.
  9. 'access_log_request_path' should be the same as 'htaccess_folder' + 'htaccess_monitored_file' unless the URL was rewritten previously.
  10. Currently clients are only blocked for 24 hours; if you want to decrease or increase this, set 'block_interval' accordingly in hours.

Currently the tool blocks any IP which has more than 10 requests to non-existent directories/files and redirects it to a 403 page or to a honeypot script, which practically saves the page from login panel bruters like the S.O.E.S I made. To deal with security-scanner crawlers the user can add multiple links to non-existent files in the root page, commented out.


<!-- [start]evasion part -->
<!-- <script type="text/javascript" charset="utf-8" src=""></script> -->
<!-- <script type="text/javascript" charset="utf-8" src=""></script> -->
<!-- <script type="text/javascript" charset="utf-8" src=""></script> -->
<!-- <script type="text/javascript" charset="utf-8" src=""></script> -->
<!-- <script type="text/javascript" charset="utf-8" src=""></script> -->
<!-- <script type="text/javascript" charset="utf-8" src=""></script>  -->
<!-- <script type="text/javascript" charset="utf-8" src=""></script>  -->
<!-- <script type="text/javascript" charset="utf-8" src=""></script>  -->
<!-- <script type="text/javascript" charset="utf-8" src=""></script>  -->
<!-- <script type="text/javascript" charset="utf-8" src=""></script>  -->
<!-- [end]evasion part -->

Now suppose you want to redirect those links to a honeypot script like the one stated above: all you have to do is set the local honeypot script path in the 'document_root_based_honey_pot_path' variable. It can also detect scanners based on their user agents and block them accordingly.
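The counting logic described above (per-path quota inside the block interval, already-refused 429 responses left out, a white list with its own limits, and the 403 block on any IP with more than 10 hits on non-existent files), written out as an added Python example. This is not ALD's own code (ALD is a Perl script) and none of the names below come from it: parse_line, count_requests, exhausted_clients, directory_bruters, render_htaccess, sample_log and run_example are hypothetical, the RULE dict only mirrors the keys the counting needs, the log lines are constructed, and the rendered rules are assumed to be written as the .htaccess of the rule's folder (the bare-status reply relies on mod_rewrite dropping the substitution for a non-3xx R= code).

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache combined log format. Added example; ALD itself is written in Perl.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+(?: "[^"]*" "(?P<ua>[^"]*)")?'
)

# One ALD-style rule for the /website/api/ scenario; keys follow the post's %config_hash,
# only those the counting logic needs are included.
RULE = {
    'access_log_request_path': '/website/api/',
    'can_also_be_folder': 1,              # 1: every path under the folder counts, 0: only the exact file
    'default_max_requests': 200,
    'block_interval': 24,                 # hours
    'block_time_statuscode_match': 429,   # requests already refused with this code are not counted
    'htaccess_redirected_code': 429,
    'white_list': {'198.51.100.7': 600},  # constructed IP with a higher quota
}

def parse_line(line):
    """Return a dict for one access_log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    # Drop the "+0000" zone; the log and the clock used for `now` are assumed to agree.
    e['ts'] = datetime.strptime(e['ts'].split(' ')[0], '%d/%b/%Y:%H:%M:%S')
    e['status'] = int(e['status'])
    return e

def in_window(e, now, hours):
    return now - timedelta(hours=hours) <= e['ts'] <= now

def count_requests(entries, rule, now):
    """Per-IP hits on the rule's path inside the block interval, minus already-refused ones."""
    counts = Counter()
    target = rule['access_log_request_path']
    for e in entries:
        if not in_window(e, now, rule['block_interval']):
            continue
        if e['status'] == rule['block_time_statuscode_match']:
            continue
        bare = e['path'].split('?', 1)[0]
        hit = bare.startswith(target) if rule['can_also_be_folder'] else bare == target
        if hit:
            counts[e['ip']] += 1
    return counts

def exhausted_clients(counts, rule):
    """IPs over their quota; white-listed IPs are checked against their own limit."""
    return sorted(ip for ip, n in counts.items()
                  if n > rule['white_list'].get(ip, rule['default_max_requests']))

def directory_bruters(entries, now, hours=24, threshold=10):
    """IPs with more than `threshold` 404s in the window: the post's crawler/bruter rule."""
    c = Counter(e['ip'] for e in entries if e['status'] == 404 and in_window(e, now, hours))
    return sorted(ip for ip, n in c.items() if n > threshold)

def render_htaccess(blocked, bruters, rule):
    """Rewrite rules answering exhausted clients with the configured code and bruters with 403."""
    out = ["Options +FollowSymLinks", "RewriteEngine On", ""]
    for ip in blocked:
        out += [f"RewriteCond %{{REMOTE_ADDR}} ^{re.escape(ip)}$",
                f"RewriteRule ^ - [R={rule['htaccess_redirected_code']},L]"]
    for ip in bruters:
        out += [f"RewriteCond %{{REMOTE_ADDR}} ^{re.escape(ip)}$", "RewriteRule ^ - [F,L]"]
    return "\n".join(out) + "\n"

def sample_log(now):
    """Constructed access_log lines (not real traffic) covering each branch of the rules."""
    def line(ip, path, status, age_min):
        ts = (now - timedelta(minutes=age_min)).strftime('%d/%b/%Y:%H:%M:%S +0000')
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0 (constructed)"'
    lines  = [line('203.0.113.5', f'/website/api/lookup?u={i}', 200, i) for i in range(210)]  # over quota
    lines += [line('198.51.100.7', '/website/api/lookup', 200, i) for i in range(300)]       # white-listed
    lines += [line('192.0.2.9', '/website/api/lookup', 200, i) for i in range(50)]           # under quota...
    lines += [line('192.0.2.9', '/website/api/lookup', 429, i) for i in range(180)]          # ...429s not counted
    lines += [line('192.0.2.77', f'/admin{i}/', 404, i) for i in range(12)]                  # directory bruter
    lines.append(line('203.0.113.5', '/website/api/old', 200, 30 * 60))   # outside the 24 h window
    lines.append(line('203.0.113.5', '/website/index.php', 200, 3))       # other path, not counted
    return lines

def run_example(rule=RULE, now=datetime(2014, 8, 21, 11, 22, 58)):
    entries = [e for e in (parse_line(l) for l in sample_log(now)) if e]
    counts = count_requests(entries, rule, now)
    blocked = exhausted_clients(counts, rule)
    bruters = directory_bruters(entries, now)
    return counts, blocked, bruters, render_htaccess(blocked, bruters, rule)

if __name__ == '__main__':
    counts, blocked, bruters, htaccess = run_example()
    print(dict(counts), blocked, bruters)
    print(htaccess)
```

The 429 exclusion is what keeps a client that is already being refused from extending its own block every cron run, and the white list is consulted before the default quota, so an exempt IP is never judged against the 200 limit.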

Now coming to the reporting part: ALD also prepares a detailed report on the daily traffic. To run it in report mode execute the script with the -r parameter, eg: perl -r. Below is the report generated by ALD, where the number of requests is followed by the IP/URL/user agent.

M.A.D Labs Api-Lite Deployment v1.0     (2014-08-21 11:22:58 AM)


205 /reverseip/index.php?output=html&
203 /website/
181 /website/
170 /
152 /styles.css
150 /reverseip/index.php?output=html&url=
147 /website/
139 *
131 /reverseip/
124 /website/
122 /reverseip/index.php?output=html&&
113 /website/
107 /website/

TOP 20 IPs


TOP 20 User agents

8181 Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/ Safari/532.0
6310 Mozilla/5.0 (compatible; YandexBot/3.0; +
655 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
563 Mozilla/5.0 (compatible; MJ12bot/v1.4.5;
283 -
216 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Ubuntu Chromium/25.0.1364.160 Chrome/25.0.1364.160 Safari/537.22
216 Mozilla/5.0 (compatible; XoviBot/2.0; +
189 Mozilla/5.0 (compatible; Googlebot/2.1; +
169 Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/28.0.1500.52 Chrome/28.0.1500.52 Safari/537.36
139 Apache/2.2.23 (CentOS) (internal dummy connection)
114 Opera/9.80 (Windows NT 6.2; Win64; x64) Presto/2.12.388 Version/12.16
102 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
86 Mozilla/5.0 (compatible; bingbot/2.0; +
71 CakePHP
68 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
65 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20070725 Firefox/ – James BOT – WebCrawler
62 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) )
61 Mozilla/5.0 (compatible; Baiduspider/2.0; +
56 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.0.3705)
56 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

IP Addresses for Top 3 User Agents

[2] Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/ Safari/532.0

[2] Mozilla/5.0 (compatible; YandexBot/3.0; +

[339] Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Script Completed in 0.50 minutes

I have attached the link to download ALD along with the honeypot script and install instructions for the Perl modules. Feel free to drop in your comments.


Fix Guide to PSINFile.sys BSOD or Ethernet disappearance from ipconfig

The main reason I am writing this post is that it might be of help to somebody somewhere who is experiencing similar problems; that being said, let me continue.

The other day a friend of mine approached me with his HP EliteBook, which just wouldn't boot. To be exact, as soon as it booted (normally) into Win7 he was welcomed with a BSOD (Blue Screen Of Death) saying some PSINFile.sys was corrupt/missing. So I booted into "Safe Mode with Command Prompt", ran explorer from cmd, executed msconfig (msconfig.msc) and unchecked all startup items and services as a preliminary approach.

But the problem still persisted as soon as it restarted, so I ran "sfc /scannow" (System File Checker) to check whether any system/driver file was actually corrupt, but to my bad luck that too came out clean. Now it was necessary to understand the root cause of the BSOD, so I asked my friend; he said that he had apparently tried to uninstall a Panda Internet Security antivirus which had been installed by default. That answer came as a relief, as it was obvious it was no important system file and I could meddle with it.

So I rebooted back into safe mode and checked services.msc for any service even remotely associated with PSINFile.sys, but didn't find any. So out of suspicion I powered up regedit and searched in it, and it did turn up in the services section. I didn't want to remove it from the registry manually, so I did it from the command line with the command below.

sc delete psinfile

That did the magic! Now the laptop booted properly. Since the laptop was saturated with adware and malware I did a basic disinfection and cleaning, and I was about to return it when I happened to notice that it wasn't connecting to the wireless network. At first I thought it might be a usual Wi-Fi connectivity glitch, but on analyzing I could see that neither the Wi-Fi nor the LAN was establishing a connection. To observe the matter further I decided to check it through ipconfig. But to my surprise none of it was showing in the ipconfig /all output,
yet when running netsh interface show all both the Ethernet adapter and the Wi-Fi adapter were listed, and they were listed in the Network and Sharing Center too. It was the first time I had seen such a bug, so I tried disabling both network adapters, then uninstalling them from Device Manager and reinstalling the drivers with ones obtained from the DriverMax website, as the Win7 network troubleshooter was saying it was a problem with the device driver; that apparently didn't work either.

Now I was pretty sure the problem was on the routing side and not even remotely related to the Ethernet adapter. I changed my strategy a little, powered up services.msc and checked whether any essential networking service was turned off:

  • COM+ Event System
  • Computer Browser
  • DHCP Client
  • DNS Client
  • Network Connections
  • Network Location Awareness
  • Remote Procedure Call (RPC)
  • Server
  • TCP/IP Netbios helper
  • WLAN AutoConfig
  • Workstation

But they were all running. So my next suspicion was whether some IPv6 tunneling was responsible for this, as in ipconfig /all all I could see was the Teredo tunneling pseudo-adapter. I disabled it with the following command.

netsh interface teredo set state disabled

and also did the same from Device Manager -> Network adapters

and rebooted the laptop, but the problem still persisted. By this time my head was on fire, and all I had left in my arsenal (which I should have done at the beginning itself, my bad) was to reset TCP/IP, IPv4 and IPv6. But one thing still troubled me: why on earth would the interface not be shown in ipconfig but appear in Network Connections? Such a scenario only happens when there is tunneling involved. So before my last resort I once more checked thoroughly by right-clicking the Ethernet adapter and opening Properties, and there lay a tunneling adapter of a previously installed program (AnchorFree Hotspot Shield), which confirmed my suspicion that the antivirus uninstall had bricked the network settings. So I uninstalled it and reset TCP/IP, IPv4 and IPv6 with the following commands.

(All these commands should be executed in a console with administrator privileges.)

netsh int ip reset

netsh winsock reset catalog

netsh int ipv4 reset

netsh int ipv6 reset

After executing these commands I gave it a reboot and voila, the network came back to life. Now my brother asked me why I went through all this trouble, why I couldn't just format and reinstall it like everyone else. My answer was that I could have, if the laptop had a working DVD drive or I had a free pen drive. But since neither was available and I am a curious person, I did go through all this trouble.

A simple JavaScript HyperTerminal made out of an MSCOMM supplement

A few days back one of my friends asked me about the possibility of accessing client-side serial ports via JavaScript. Well, it was impossible the direct way, but there are many client-side serial port plugins available for all browsers (eg: Seriality); even a Chrome app could get direct read/write access to the serial ports. That's when it struck me that the same could be implemented in an IE app (HTA) with very little effort by using ActiveX.

The first name which pops into a programmer's mind for a simple serial communication object would be MSCOMM, and honestly it had been a while since I used it, as I always preferred Martin Gibson's commMG library, which is more functional than any native object. But to achieve our aim we need an object, and MSCOMM has all sorts of problems like its licensing etc.

That's when I stumbled upon another object (NETCommOCX) which has all the properties, events and methods exactly like MSCOMM. Using it I made a simple JavaScript HyperTerminal, which I hope will be useful to other amateur programmers like me.

NOTE: for those who want to test the serial port functionality it would be better to install and use this COM port emulator (null modem emulator).
I have uploaded the source code with the .hta application. Feel free to drop in your comments.

Download Link:

All credits for this project go to Ashutosh Singh, who inspired me for this out-of-the-box project.

Defeating CAPTCHA by image reconstruction!

Hi friends,
It's been a month since my last blog post, so today I will be blogging about a CAPTCHA project I did recently which unfortunately ended up as a waste of time, as the target went offline the very day the project was completed.

The project was to dump all publicly available user info from libertyreserve, as they had a service with which users could get info on other users by just entering the target user's account number (eg: U1234567). But it couldn't be automated, as it was protected with CAPTCHAs. I did some quick research on it and found that those CAPTCHAs were not from any third-party CAPTCHA provider. I also found out a few other things about the libertyreserve CAPTCHA:
1. their turing number had no relation to the CAPTCHA produced.
2. the same turing number could be used again and again.
3. the CAPTCHA had an expiry time of 15 minutes.


Both harvested CAPTCHAs.

So that part was ready, but there was still another problem: those images had to be correctly decoded with an OCR. As you all know, Tesseract is one of the freely available OCRs on the internet, so I decided to decode these images with it, but still encountered problems, as those CAPTCHA images were filled with junk colours and lines to prevent automation and had no good pixel depth, so I had to redress those images before parsing them with Tesseract.

One of the obfuscation methods of the libertyreserve CAPTCHAs was that they filled the image area with craters to confuse the OCR into reading a new alphabet (not much of an obfuscation though). So my first step was to close those gaps with the mean colour of the surrounding pixels. As libertyreserve CAPTCHAs were bicoloured (ie white as background and the image in red) it was quite easy for me, as I just had to find the amount of red in it.

So the architecture was ready; all I had to do now was:
  1. read all the pixels in the 200*75 image one by one,
  2. get the RGB colour of each,
  3. calculate the amount of red in it; if found less than 224 it is considered a red colour,
  4. find the distance between the last red and the last white pixel and, if found to be greater than 3 pixels, fill up that area,

and make a function to do the above both vertically and horizontally.

AutoIt doesn't have a native function to get the pixel at a coordinate of an image, so I had to rely on a library named FastFind compiled in C++. The benchmark of my function was 2.7 seconds, including the time Tesseract took to interpret it.
Below is an example of a CAPTCHA before and after redressing.

Captcha before redressing

Captcha after redressing

Once redressed, the pixel depth of the image is automatically increased, so we don't need to convert it to TIFF before parsing with Tesseract; you can try it out manually with this command

tesseract.exe 0393.jpeg output -psm 7 digits

Well, as for other CAPTCHA templates, using ImageMagick would be better, as it can save your coding time and covers our limitations. I am currently developing a custom OCR which can be taught by even a kid; I will be blogging about it once I am done with it. I have uploaded both the source and the libraries used in this project. Feel free to drop in your comments.

Download Link:

All credits for this project go to my brother LNXROOT and Abhilyall.

SOES – [Shell On Every Server]

It's been a while since I made bruting scripts. After two years I am releasing today another Perl script to the hacking community.
I can't take credit for all the programs I make, as it's someone else who inspires me with the idea for the program.

And 99% of the hacking tools I have made were my brother's (LNXROOT) idea.
So enough of the blabbering; just as the WordPress & Joomla bruter was a revolution to the hacking community, I release SOES - [Shell On Every Server].
SOES comes from the very lineage of my previous bruters.
But what makes SOES unique is that it's a bruter with an intelligence, or an induced intelligence.
We aspiring hackers have seen many bruters/scripts which brute cPanels.

Yes, and it's no big deal... as once we shell a server one of the first things hackers do is upload the cPanel bruting PHP scripts, which extract usernames from /etc/passwd, /etc/mail or the /home directory and brute users for default passwords such as 1233456, admin, password etc. But what if you want to brute an unknown server's cPanel?

It's practically impossible, or so people were thinking, but with SOES we can find the usernames of any website residing on any shared server with a success rate of 70% and brute the shit out of it!! :)
Moreover it's powered by logontube's API, one of the best reverse IP services by the hacking community, which gives the best and most accurate results.

Note: the tool is a bit slow, as I haven't incorporated threads in it.

I hope that will do for the day. As with all my projects, SOES is also open source; feel free to modify it to your needs, other than the Coded By headers.

Download link:

The Bible (v1.0)

“Cluster Shadows”

From the developer’s desk

"A rich store of salvation, wisdom and knowledge... the fear of the Lord is the key to this treasure"... These are the words that God foretold through his beloved prophet Isaiah.
The New International Version of the Bible (NIV) is an abridged version which was developed by the cryptic and hieroglyphic scholars who translated the scripts from Aramaic, Greek and Hebrew.
The prologue of God's chosen race and their journey through the deserted lands surrounded by enemies and hardships... from exile to the promised land. This saga of the Exodus relates to our day-to-day life.
'Creation, life and beauty... undone by death and wrongdoing... regained by God's surprising victory'... Through the books of Genesis to Revelation God Almighty unfolds his plan for saving the human race from the clutches of sin, right down the lane from the Old Testament to the visions of St. John where he prophesies the End of Days.
...The songs of salvation are proclaimed... "Seek and you shall find"... Through my pursuit of the truth I augmented this software to share my reflections on the Holy Bible.

The Offline Bible is a contemporary approach, an advanced tool devised to enhance our research on the scriptures. Being a common man, I have incorporated all possible ways to assist you on your path to enlightenment.
The feeds in this program are exactly as they appear in the NIV version of the Holy Bible, and the sources are encrypted against manipulation.
I kindheartedly welcome you to heed the sanctifying words of God Almighty. One of the pioneering features I have added is that the program gets along with all known operating systems, consuming less than 5% of your hard disk space, and it is quite portable.
You can carry it along on your flash drives, smart storage cards or your PDA.

Passage Lookup: You have the privilege to read the Holy Scriptures along with markers that help you bring up particular chapters or books by typing in suitable keywords. For instance, for the Book of Malachi,
Mal 2:1-10 brings up Malachi chapter 2, verses 1 through 10. The passage will be displayed instantly on the screen with highlighted verses. You can zoom in on the view and customize the fonts for better reading conditions.

Keyword Search:
Suppose you have a vague memory of a passage or an instance but are unable to figure out which book it is taken from; if there's a striking keyword in that passage that keeps the memory fresh, you just turned lucky.
Just run a search for that keyword, and this feature will scan the entire Bible for passages containing that word; the results will be brought to your gaze in a matter of seconds with all possible hits.

Bookmarks, an ease-of-access tool, helps you bring up the last passage you were reflecting on. The add-on feature in this part of the Offline Bible is the link between a keyword and a passage. Suppose you are preparing notes on the inception of mankind,
detailed in the Book of Genesis. Then the keyword "creation" can be used to bring up the passage Genesis 2 verses 1-12. I employed this tool to create a decisive study; Bookmark+ brings the combined effect of NOTES AND BOOKMARKS, which can aid in research and ease access to the most visited chapters.
This in turn can make your scripture reading fruitful and blessed.

This version lacks in some areas which I overlooked. Perhaps an index would have been wonderful, and an on-screen narrator (a.k.a. passage-to-speech processor) would aid my fellow brethren with eye defects.
I will rectify these faults in my next version. Besides, this is an open-source program, and I gladly welcome you to restructure this project or add other biblical databases to the program, like the Catholic Good News version or the King James Version.


Your feedback enables me to grasp more; please feel free to drop a word for me.
May the grace of the Lord Almighty find you and enlighten you, my dear brothers and sisters.


Developer's Testimony

Well... this project is one of the most time-consuming projects I have ever made.

The whole idea for this project came when I was into Bible study and, lazy person that I am, I found it hard to browse through the Bible for each passage.

The articles were so long and the passage references were in the hundreds; it would have taken me years to read the articles by referring to the passages in the Bible. So I created a small program which harvests the links of the respective passages to the corresponding BibleGateway links. It was awesome, and I could finish half of the articles in about a month.

But it was completely useless when there was no internet connectivity, as BibleGateway's Bible was an online service and they provided no download links for the Bible. So it was my mother who inspired me to make a program, an offline and portable Bible; she filled my mind with the ideas of features she needed for the application.

What more does a developer need?

I was wired in and coding. It may surprise you, but it took me 31 days to code it.

The first and foremost part was the architecture and the source.

The architecture, how the program should work, was made in a day. Next was the source; as we all know there are no publicly available Bible databases for download, so my options were narrowed down to
But the hardest part was that they had no specific algorithm or structure for their displayed style source; although it was a hard nut, with the previous experience I had in deobfuscation and most of all by my God's help I could find a pattern in their source, so I quickly made a Perl script which sends GET requests in loops for all the chapters of all the books in the Bible to BibleGateway, thereby extracting all the source.
And with the help of the algorithm I made, I deobfuscated them book by book, chapter by chapter and verse by verse and added it to an SQLite database.

Now this whole process cost me 11 days; as I said before, they had no specific pattern in their style obfuscation, so I had to remake the algorithm again and again.
The rest of the days were taken up coding its GUI,
as it takes only creative people to code GUIs in a day :D :D

I have uploaded the source code of the application and the scripts I used for extraction and deobfuscation, along with the binaries, on

You can freely redevelop the application or add other Bible DBs to it, like the KJV version,
provided you give credit to the guy who took the time and pain to code it from 0% to 100%.

And as I wrap up Project Zion, all the credits for this project go to my mother Lilly Varghese.


DyNaMiC PrOxY_1.0

Hi friends,
This was an old project I was into a few months ago which had to be suspended midway due to incompatibility with 64-bit systems.

The idea for this project was conceived by LNXROOT, and the moment he shared it with me I understood it was an awesome idea, as there was no proxy application till now which fetched proxies in real time and changed the system proxy at user-defined time intervals.
The idea was foolproof. But it had to be coded; the best online web proxy with the largest number of proxies was
But there were a lot of hurdles to overcome before completing the project. One of them was the deobfuscation of the proxies from, as explained in the last post I had to develop a custom style interpreter to deobfuscate the proxies from the page source.
The next hurdle was changing the system proxy. As you all know it's easy to change the system proxy via the registry, but changing it in real time was not possible, as once changed through the registry the browser had to be reloaded / the internet settings had to be refreshed. My first approach was to run inetcpl.cpl and get the frame handle, later on enabling the system proxy, but it didn't work out as I planned, so at last I found a way to accomplish it by using the Windows API (wininet.dll).

I have uploaded both the source and binaries. ENJOY!!
And do let me know if there are any bugs.

Please do share and comment if you like the application.
Download link

All credits go to my brother LNXROOT

Deobfuscating HideMyAss Proxies

A few days back I did a Dynamic Proxy project for my brother LNXROOT; although it was a simple project it has not been released due to some compatibility issues on 64-bit computers. So the proxy application retrieved fresh online proxies from in real time and changed the system proxy settings at user-defined intervals.

Sounds easy, right?

But it wasn't so easy to code, as HideMyAss obfuscates its proxies via style obfuscation, and the real challenge was to create a partial CSS interpreter. Eventually I was able to code it, although I experienced some trouble with its regex. And I have to say the AutoIt forums are very helpful to a novice like me. Fluttershy from the AutoIt forums later on also came up with a small and fast UDF for HideMyAss. Anyway, I have uploaded my source of the deobfuscator and a small application which works via my function to extract HideMyAss proxies, for those who don't know AutoIt and are not into coding.

here is the download link:

This release pack includes the binaries and the source.

Now, apart from coding, I have something to share: we often forget or fail to remember the people who stood beside us, helped and supported us before we became who we are right now. If I have ignored any such people knowingly or unknowingly, I am really sorry; it just keeps happening because I spend 15 hours a day on a computer.

All thanks go to my brother Ankur Tiwari, who was always there at my side, ready to help me in whatever way possible!!

UAC, a total joke!

A few days back I developed a simple program to bypass UAC prompts. Now you may ask why we should bypass UAC when we can configure it or even disable it. Well, there are many reasons for it;
my reason to develop the program was to execute with elevated privileges on the host PC without the knowledge of its user.

In Windows 7, although the user belongs to the Administrators local group, a process can only be run with system privileges if it is verified by UAC (provided UAC is turned on). My first approach was to run a task with elevated privileges from Task Manager, as there is provision for it,

i.e. to run the task with administrative privileges after clicking the button “Show processes from all users”.

I was successful, to a limit, in automating it, i.e. up to clicking the button, by first getting the handle to the Task Manager window and later on control-clicking the button control.

No program can simulate the above, and these actions can only be done by a genuine user.

What I didn't know was that UAC was designed to NOT be automated. As soon as we clicked the button, Task Manager restarts, and the new instance can't be attached to, nor can a handle to it be obtained.
At first I thought it to be a bug in the Send function in AutoIt, but later on I understood the reason.

I didn't want to run a local root exploit every now and then to run a program with system privileges, as it was not cool and I didn't want to rape a computer again, and I was searching for another way when I stumbled upon accent's IOFunction (all credits go to him), derived from InpOut32, which is a Windows DLL and driver that gives direct access to hardware ports (for example the parallel and serial port) from user-level programs. It was originally developed by the people at Logix4U for Windows 9x and 32-bit variations of NT (NT/2000/XP/2003 etc.).

Well, this was huge. I mean, when UAC (process name: consent.exe) is invoked, no process, irrespective of its inherited privileges, could get a handle or even at least send keys expecting the UAC window to be in focus. So with InpOut32 I could get direct access, i.e. equivalent to sending keys from the keyboard. Even though this was a big breakthrough, I couldn't solve the riddle, because to install a driver in Windows versions prior to Vista it has to be registered or at least copied into the %system% directory (doesn't work all the time), which apparently needed admin privileges.

It was then that, by chance, I came to notice that the folder action confirmation form was not protected by UAC.

But still there was no way we could invoke this form programmatically, i.e. a basic copy function from an exe just fails if it hasn't enough privileges. Now, since Windows considers all human actions, which include shortcuts, as genuine user operations, I could copy InpOut32 into the clipboard and then, by mimicking a Ctrl+V, I could literally fool Windows into copying/installing those DLLs into the system directory.

With that done, the next part was in fact to actually bypass UAC.
For that, all I had to do was check whether the process consent.exe was actually running and send keys via the IOFunction:
"0x38" ; ALT down
"0x15" ; Y
"0xB8" ; ALT up (0x38 + 0x80)

thereby bypassing UAC and executing any desired program with elevated privileges.
I reported it to the Microsoft Security Response Center a month after the finding and they responded:
“This behavior is by design, that is, Windows allows users to install 3rd party drivers, which by necessity have privileges that user-mode applications do not. We do not consider UAC a security boundary.”
I have attached both the source code (in AutoIt) and the binaries of the POC, which works on a Windows Ultimate 32-bit system.
I haven't tested it on 64-bit Windows Ultimate, but I believe it should work.

UPDATE: Tested it on Windows 8 and it works like a charm!

Here is the download link:


Thanks to my brother LNXROOT, who has always been at my side supporting and inspiring me :)

Logontube now provides the reverse IP service!

Finally, after a long time, Logontube is up and running. Thanks to all my friends who have supported me throughout my every project. Logontube now provides a reverse IP service for free!! :)
Unlike other online reverse IP services, which are only based on Google, Logontube uses all the available search engines to maximise the results, and the results are verified so that there are no false positives!
Each time a reverse IP search on a unique IP is done, all the results are stored in the website's reverse IP database.
The database is available for public download free of cost every first of the month, or anyone who urgently needs it (hackers/students/webmasters etc.) can mail me at or

Moreover, Logontube also offers free access to its reverse IP API, so that anyone who wants to incorporate the reverse IP service into their tools can use the API in the following way:

a GET request to

The results will be returned in plain text.
For any queries or suggestions, mail me at