Reverse Engineering Articles
Share an interesting blog, news page or other RE related site...
350 topics in this forum
-
- 0 replies
- 5.3k views
This presentation will cover the Black Arts of making Cracks, KeyGens, Malware, and more. The information in this presentation will allow a .NET programmer to do unspeakable things to .NET applications. I will cover the life cycle of developing such attacks and overcoming common countermeasures to stop such attacks. New tools to assist in the attacks will be supplied. This presentation will focus on C# but applies to any application based on the .NET framework.
http://www.youtube.com/watch?v=HKIR3yLGfHY
-
IDA Pro CodeView Parsing Bug
by waliedassar - 0 replies
- 5.7k views
In this post I will share with you another bug that I have found in IDA. This one is different from the previous one in that: 1) It is in code responsible for parsing CodeView debug info. 2) It crashes the current IDA instance with a minidump. While trying to figure out how IDA reads various debug info, I found that old CodeView formats are also supported by IDA (also the demo version). So, I decided to give it a shot and try to find anything useful inside. Understanding the CodeView format was also kept in mind. Code responsible for reading various debug info lies within dbg.ldw, a dynamic link library that resides in the "loaders" directory. Since the CodeView for…
-
IDA Pro COFF Debug Info Parsing Bug
by waliedassar - 2 replies
- 5.8k views
In this post I will share something that may be considered as a bug in IDA. The bug is as follows: If we manipulate the value of the "NumberOfSymbols" field in the "IMAGE_COFF_SYMBOLS_HEADER" structure, we can force IDA to abort processing the whole PE and quickly terminate. When manipulating this field, just make sure to set a compatible value for the "SizeOfData" field in the "IMAGE_DEBUG_DIRECTORY" structure and also have a compatible file size by appending null bytes to the file end. When calculating the required memory size for symbol entries using the spoofed value, IDA detects an overflow. After clicking the OK button in the image above, IDA quickly termin…
-
- 0 replies
- 4.3k views
Hello all, slides and tools (binaries + source code) of the talk we gave at RECon with @fdfalcon are available. Enjoy!
-
- 0 replies
- 6.7k views
"With the development of the mobile devices and particularly the iPhones with all the applications that are available for this platform, it is interesting to have ways of knowing what they are really doing. For example some people might be afraid that the e-banking application they are using could leak sensitive information. This presentation will introduce the iPhone architecture and the methods to reverse engineer iOS applications."
Video: www.youtube.com/watch?v=DEviJnsLfg0
Slides: https://www.hacking-lab.com/nina/show/77
-
FAR CALL Anti-Debug (Inline Intel)
by JMC31337 - 7 replies
- 7.2k views
Anyone care to add insight and help me perfect far call return in a protected memory model OS? Placed as many anti-debug and red pill anti-VMware tricks I've come across: rogue bytes, impossible disassembly (that's what the books call some opcodes).

#include <windows.h> // link with -masm=intel
asm(".intel_syntax noprefix");
static long csx;
asm("_farcall:");
asm("rdtsc");        // (says how long has it been since LAST BOOT; store value in eax)
asm("xor ecx,ecx");  // (clear that register to 0)
asm("add ecx,eax");  // (place the value of eax into ecx [eax is the time])
asm("rdtsc");        // (run it again)
asm("sub eax,ecx");  // (since the new timer value is in eax we subtract the …
-
OllyDbg NumberOfSections Crash
by waliedassar - 1 reply
- 6k views
In this post I will be discussing another bug that I found in OllyDbg. The idea came to my mind while debugging link.exe shipped with Microsoft Visual Studio 2008. Debugging link.exe, I was amazed to see that the maximum number of sections that a PE file can hold is 0xFEFF sections (as assumed by link.exe), not 96 (0x60, hex). In the beginning, I thought that I had an old PE/COFF documentation or that it was a mistake, since the documentation says "the Windows loader limits the number of sections to 96". By creating a PE file with 97 sections, I found out that the 96-section limit applies to Windows XP but not to Windows 7, 64-bit. I quickly asked myself "How will…
-
OllyDbg Resource Table Parsing Integer Overflow
by waliedassar - 2 replies
- 5.4k views
In this post I will quickly show you an integer overflow found in OllyDbg v1.10. This leads to a buffer overflow, which can be exploited to execute code arbitrarily. In brief, all you have to do is set the size of the Resource table to 0xFFFFFFF7. Olly adds 0x9 to 0xFFFFFFF7, which sums up to zero due to an integer overflow. Zero bytes are then allocated by calling the "GlobalAlloc" function. Finally the "_Readmemory" function is called to copy 0xFFFFFFF7 bytes to the newly allocated memory, causing a buffer overflow. See the image below. But wait, there is a minor issue that I need to shed some light on. The "_Readmemory" function, as its name implies, is a wrapper of th…
-
Anti-Dumping
by waliedassar - 1 reply
- 5.4k views
Part 1: http://waleedassar.blogspot.com/2012/01/anti-dumping.html
Part 2: http://waleedassar.blogspot.com/2012/03/anti-dumping-part-2.html
Waliedassar
-
“Secure Password Managers” and “Military-Grade Encryption”
by Teddy Rogers - 0 replies
- 6.8k views
“Secure Password Managers” and “Military-Grade Encryption” on Smartphones: Oh, Really?
http://www.elcomsoft.com/WP/BH-EU-2012-WP.pdf
Ted.
-
OllyDbg Section Name Crash
by waliedassar - 0 replies
- 10.3k views
Perhaps a bit old, but it is still interesting. Setting the section name to "%*s%*s%s" and the "SizeOfCode" field to zero crashes OllyDbg v1.10, even with OllyAdvanced 1.27. A demo can be found here. Have fun. Waliedassar
-
Collection Of OllyDbg Bugs And Exploits
by waliedassar - 6 replies
- 7.9k views
Here are some of the publicly disclosed OllyDbg bugs and exploits.
http://code.google.com/p/ollybugs/downloads/list
I will keep updating it as long as bugs and exploits are being disclosed. For further information:
http://waleedassar.blogspot.com/
-
OllyDbg v2.01 And TLS Callbacks
by waliedassar - 5 replies
- 8.3k views
One of the new interesting features introduced in version 2.0 of OllyDbg is the ability to pause on TLS callbacks. Actually, I discussed some flaws of this feature in a previous post, but in this post I will show you a minor bug (not so minor) that I found while playing with OllyDbg, like I sometimes do. OllyDbg v2.0 assumes that the "Size" field in the TLS data directory is mandatory, but it is actually not. To make things clearer, I will dump the ntdll.dll code responsible for parsing the TLS info. As you can see in the image above, the "RtlImageDirectoryEntryToData" function is called to get the absolute address of the "IMAGE_TLS_DIRECTORY32" structure. Its fourth …
-
Anti-Attaching Tricks
by waliedassar - 1 reply
- 4.5k views
Here are some of the anti-attaching tricks and their demos.
http://waleedassar.b...techniques.html
http://waleedassar.b...hniques_11.html
http://waleedassar.b...hniques_13.html
http://waleedassar.b...hniques_15.html
http://waleedassar.b...hniques_18.html
http://waleedassar.b...hniques_15.html
N.B. I tried to make those demos the smallest possible for the sake of simplicity. Any comments or ideas are very welcome.
-
Basics of Executable Code Obfuscation...
by Teddy Rogers - 0 replies
- 18.5k views
Basics of Executable Code Obfuscation
http://syprog.blogspot.com.au/2012/02/basics-of-executable-code-obfuscation.html
Ted.
-
Unpacking with Windbg...
by Teddy Rogers - 1 reply
- 5.8k views
Unpacking with Windbg
http://practicalmalwareanalysis.com/2012/02/27/unpacking-with-windbg/
Ted.
-
Cryptosystems Showing Signs of 'Wear and Tear'...
by Teddy Rogers - 0 replies
- 4.1k views
Cryptosystems Showing Signs of 'Wear and Tear'
https://threatpost.com/en_us/blogs/cryptosystems-showing-signs-wear-and-tear-022812
Ted.
-
OllyDbg v1.10 And Hardware Breakpoints
by waliedassar - 2 replies
- 12k views
While playing with OllyDbg v1.10, I came across a weird behavior of OllyDbg v1.10, which was fixed in the latest version. The problem lies in the way OllyDbg sets hardware breakpoints. At 0x4D8D70, there is an array of four structures of type t_hardbpoint. Each structure in this array holds information about each hardware breakpoint. Information includes hardware breakpoint address, type, and size. When you manually set a hardware breakpoint, this structure is filled, but the breakpoint is not immediately activated. On the other hand, when an EXCEPTION_SINGLE_STEP or EXCEPTION_BREAKPOINT is received, information in the structures at 0x4D8D70 is copied to DR0 throug…
-
Reverse Engineering Firmware: Linksys WAG120N
by CodeExplorer - 3 replies
- 6.1k views
Reverse Engineering Firmware: Linksys WAG120N
http://www.devttys0.com/2011/05/reverse-engineering-firmware-linksys-wag120n/
-
(RE) Mozilla FireFox
by JMC31337 - 10 replies
- 7.4k views
Tested on FireFox v. 8. First thing is grab OllyDbg and do a search for intermodular calls; in my case I see

00401D6B CALL DWORD PTR DS:[<&KERNEL32.IsDebugger>   7C813133 kernel32.IsDebuggerPresent

Upon heading to that address I see

CPU Disasm
00401CAF     CC              INT3
00401CB0 />  \55             PUSH EBP
00401CB1 |.  8BEC            MOV EBP,ESP
00401CB3 |.  81EC 28030000   SUB ESP,328
00401CB9 |.  A3 38424000     MOV DWORD PTR DS:[404238],EAX
00401CBE |.  890D 34424000   MOV DWORD PTR DS:[404234],ECX
00401CC4 |.  8915 30424000   MOV DWORD PTR DS:[404230],EDX
00401CCA |.  891D 2C424000   MOV DWORD PTR DS:[40422C],EBX
00401CD0 |.  8935 28424000   MOV DWORD PTR DS:[404228],ESI
00401CD6 |.  …
-
OllyDbg Fake ImageName Bug
by waliedassar - 1 reply
- 4.5k views
I have recently found a weird behavior in OllyDbg, which can further be used as an anti-debugging / anti-attaching trick. The problem occurs when enumerating the running processes if the "Select a process to attach" dialog box is opened. The psapi "EnumProcesses" function is called to get the list of process identifiers (PIDs). For each PID, the psapi "EnumProcessModules" and "GetModuleFileNameExA" functions are called to extract the image base and full name of the main executable. As I have shown in previous posts, the values in PEB.LoaderData can easily be manipulated. In this case I will manipulate only the full name of the main executable to be of an existing but m…
-
- 0 replies
- 5.4k views
0.4% of Public Keys Used for SSL Web Site Security Compromised
https://freedom-to-tinker.com/blog/nadiah/new-research-theres-no-need-panic-over-factorable-keys-just-mind-your-ps-and-qs/
http://eprint.iacr.org/2012/064.pdf
Ted.
-
An OllyDbg Bug Disables Software Breakpoints
by waliedassar - 2 replies
- 5.7k views
I have found a new bug in OllyDbg v1.10. The bug is triggered when the BaseAddress value is changed in the LDR_MODULE structure for the main executable. Any subsequent DLL loading forces Olly to call the psapi "EnumProcessModules" function in order to update the module list, and since the psapi "EnumProcessModules" function traverses and reads from the LDR_MODULE linked list, the new (fake) base address will definitely be returned. A simple application was written to test this bug. See the image below. Here is how the source code above looks in olly. If some breakpoints are set after the troublesome code and OllyDbg is left to run, an error message shows up once we…
-
.net Memory Security By Coderipper
by CodeExplorer - 1 reply
- 6.6k views
.NET memory security
Looking under some encryption/decryption tutorials I've noticed that they use MemoryStream.ToArray(); MemoryStream.ToArray() is bad since it will create a new byte array in memory – instead just use an UnmanagedMemoryStream and UnmanagedMemoryStream.GetBuffer()! But the contents of the UnmanagedMemoryStream buffer (you get it using GetBuffer()) will still be there even if I close the memory stream, set it to 0 and call System.GC.Collect(). What is going on?
1. The memory is released: According to Microsoft the object is destroyed when all its references are explicitly set to null or it goes out of scope.
2. The contents are still there and probably wo…
-
SSD Forensics...
by Teddy Rogers - 0 replies
- 6.3k views
An interesting read up on SSD forensics...
http://resources.infosecinstitute.com/ssd-forensics/
Ted.