Here's why people have been getting inconsistent results when setting the system date forward and looking for the DoS attack to start:
Beginning of DDoS date check subroutine:

4A3DB0 PUSH EBP                                    ; callCreateSCOddos
4A3DB1 MOV EBP,ESP
4A3DB3 SUB ESP,10

Get the current system time as a FILETIME struct:

4A3DB6 LEA EAX,DWORD PTR SS:[EBP-8]
4A3DB9 PUSH EAX
4A3DBA CALL DWORD PTR DS:[<&KERNEL32.GetSystemTimeAsFileTime>]

Convert the stored DoS start date from SystemTime to FileTime:

4A3DC0 LEA EAX,DWORD PTR SS:[EBP-10]
4A3DC3 PUSH EAX
4A3DC4 MOV EAX,DWORD PTR SS:[EBP+8]
4A3DC7 ADD EAX,214
4A3DCC PUSH EAX                                    ; Feb 1, 2004
4A3DCD CALL DWORD PTR DS:[<&KERNEL32.SystemTimeToFileTime>]

Compare high-order dword dwHighDateTime:

4A3DD3 MOV EAX,DWORD PTR SS:[EBP-4]
4A3DD6 CMP EAX,DWORD PTR SS:[EBP-C]
4A3DD9 JB SHORT <message.skipDoS>

Compare low-order dword dwLowDateTime:

4A3DDB MOV EAX,DWORD PTR SS:[EBP-8]
4A3DDE CMP EAX,DWORD PTR SS:[EBP-10]
4A3DE1 JB SHORT <message.skipDoS>

Start the DoS:

4A3DE3 CALL <message.createSCOddos>                ; DoS_Loop
4A3DE8 PUSH 400
4A3DED CALL DWORD PTR DS:[<&KERNEL32.Sleep>]
4A3DF3 JMP SHORT <message.DoS_Loop>
4A3DF5 LEAVE                                       ; skipDoS
4A3DF6 RETN

From MSDN:

The FILETIME structure is a 64-bit value representing the number of
100-nanosecond intervals since January 1, 1601 (UTC).

typedef struct _FILETIME {
  DWORD dwLowDateTime;
  DWORD dwHighDateTime;
} FILETIME, *PFILETIME;

The stored start time as a FILETIME is:

0xbe9ecb00 0x01c3e8dd

Because the dwords are compared independently, the DoS will not start any time the current dwLowDateTime is less than 0xbe9ecb00, no matter what the dwHighDateTime is. Obviously, this is close to three-quarters of the time.

-Joe

--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ
http://www.lurhq.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
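The comparison bug described in the post, reproduced as an added C example (not code from the post or from the worm). It declares a FILETIME struct locally so it builds without <windows.h> (assumption: same two-DWORD layout as the MSDN definition quoted above), transcribes the two JB branches as `worm_date_check`, puts a proper 64-bit compare beside it as `correct_date_check`, and then samples the clock for a day after the 0x01c3e8dd:0xbe9ecb00 start time to measure how often the two disagree. `filetime_from_unix` and the 116444736000000000 epoch offset are included for convenience when trying other dates; they are not part of the listing.

```c
#include <stdint.h>
#include <stdio.h>

/* Layout of the Win32 FILETIME struct, declared here (assumption: mirrors the
 * MSDN definition quoted in the post) so the example builds without
 * <windows.h>. The value counts 100-ns intervals since 1601-01-01 00:00 UTC. */
typedef struct {
    uint32_t dwLowDateTime;
    uint32_t dwHighDateTime;
} FILETIME;

/* The DoS start time as the post gives it: low 0xbe9ecb00, high 0x01c3e8dd. */
static const FILETIME DOS_START = { 0xbe9ecb00u, 0x01c3e8ddu };

/* 100-ns intervals between 1601-01-01 and the Unix epoch (1970-01-01 UTC). */
#define UNIX_EPOCH_AS_FILETIME 116444736000000000ULL

static uint64_t ft_to_u64(FILETIME ft) {
    return ((uint64_t)ft.dwHighDateTime << 32) | ft.dwLowDateTime;
}

static FILETIME ft_from_u64(uint64_t v) {
    FILETIME ft = { (uint32_t)(v & 0xffffffffu), (uint32_t)(v >> 32) };
    return ft;
}

/* Helper for experimenting with other dates (not in the listing). */
FILETIME filetime_from_unix(int64_t unix_seconds) {
    return ft_from_u64((uint64_t)unix_seconds * 10000000ULL + UNIX_EPOCH_AS_FILETIME);
}

/* Transcription of the two JB branches: each dword is compared on its own,
 * and either "current < start" result skips the DoS. Returns 1 to fire. */
int worm_date_check(FILETIME now, FILETIME start) {
    if (now.dwHighDateTime < start.dwHighDateTime) return 0; /* JB skipDoS */
    if (now.dwLowDateTime  < start.dwLowDateTime)  return 0; /* JB skipDoS */
    return 1;                                               /* CALL createSCOddos */
}

/* What a correct check looks like: one unsigned 64-bit "now >= start". */
int correct_date_check(FILETIME now, FILETIME start) {
    return ft_to_u64(now) >= ft_to_u64(start);
}

/* Fraction of each 2^32-interval (~429.5 s) wrap of the low dword during which
 * the buggy check stays silent even though the start time has passed. */
double expected_skip_fraction(FILETIME start) {
    return (double)start.dwLowDateTime / 4294967296.0;
}

/* Sample the clock every step_s seconds for span_s seconds after start and
 * report how often the buggy check disagrees with the correct one. */
double measured_skip_fraction(FILETIME start, int64_t span_s, int64_t step_s) {
    uint64_t base = ft_to_u64(start);
    int64_t samples = 0, missed = 0;
    for (int64_t t = 0; t < span_s; t += step_s, samples++) {
        FILETIME now = ft_from_u64(base + (uint64_t)t * 10000000ULL);
        if (correct_date_check(now, start) && !worm_date_check(now, start)) missed++;
    }
    return samples ? (double)missed / (double)samples : 0.0;
}

int main(void) {
    printf("start as 64-bit FILETIME: 0x%016llx\n",
           (unsigned long long)ft_to_u64(DOS_START));
    printf("expected fraction of time the check misses: %.3f\n",
           expected_skip_fraction(DOS_START));
    printf("measured over the first 24 h at 1 s steps:  %.3f\n",
           measured_skip_fraction(DOS_START, 86400, 1));
    /* One concrete miss: the first wrap of the low dword after the start. */
    FILETIME wrap = ft_from_u64(((uint64_t)DOS_START.dwHighDateTime + 1) << 32);
    printf("high+1, low 0: worm=%d correct=%d\n",
           worm_date_check(wrap, DOS_START), correct_date_check(wrap, DOS_START));
    return 0;
}
```

Because the low dword wraps every 2^32 intervals (about 7 minutes 9 seconds), a machine whose clock was set forward past the trigger date only fires if its clock happens to sit in the top quarter of that cycle at the moment the check runs, which is why jumping the date and watching for traffic gave inconsistent results.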