RCE Messageboard's Regroupment

Setting symbol names

ptr0x — Tue, 15 May 2012 14:10:25 GMT

Hi there, and thanks for reading my topic.

I'm having some troubles when analyzing some big function.

I just can not find nothing about set the name of some symbols, like local variables, arguments and so on.

It would be very much helpful if I could name local variables.

I found that the OllyDbg read the .PDB file to set and name the symbols, but if I'm analyzing some PE without his PDB, what could I do? I thought that perhaps there was some PDB generator or something like this.

Is there some plugin or some other way to solve this issue?

Thanks very much.

A virtual function is called directly. What's that about?

tlgspk — Thu, 10 May 2012 11:51:24 GMT

Hi. My head is a little thick right now. I can't get my head around that.

It's a win32 executable, unprotected, compiled in MSVC++.

So is it normal that a virtual function is being called directly(probably is then :D)? If so, then why?
Right now, I just can't figure out why.

By "being called" I mean, could be called according to the disassembly.

--------------
OK. So a virtual method was just calling the base class' method it was overriding :p

Hack in the Box Magazine #8 available now

j00ru vx tech blog — Thu, 10 May 2012 03:41:02 GMT

Every one or two quarters, there’s the one day we all wait for – and that’s when the latest issue of the Hack in the Box Magazine is released Thanks to the hard and awesome work of Zarul Shahrin and the entire editorial crew, we are very excited to announce that the eight edition is [...]

http://j00ru.vexillium.org/?p=1076

JOB: Software Security Engineer Wanted

CHC — Wed, 09 May 2012 14:57:23 GMT

Job Description: We're looking for a smart, creative, motivated software engineer to join our company. Our ideal candidate has an interest in computer security, low level software development, and enjoys working on �cutting edge� problems in an R&D focused environment.

Required skills include:
Strong C / C++ programming background
Experience with Windows kernel development
Familiarity with 32 and 64 bit x86 Assembly Language
Good understanding of fundamental Operating Systems & Computer Architecture concepts (processes, threads, virtual memory, interrupts, SMP ect.)
Proficient with kernel debugging and disassembly tools (WinDbg, IDA Pro)
Excellent debugging and problem solving skills
Excellent organizational and technical writing skills
Excellent communication skills
Must be a US citizen to apply

Some prior background in software security, malware analysis, and reverse engineering is also preferred.

Location: Orlando, FL

Company Overview: Clear Hat is a small R&D based computer security company located in Central Florida. We specialize in providing information security solutions. Specific areas of focus include low level vulnerability assessment and the development of technologies to detect and respond to sophisticated, low level malware threats.

Benefits: We offer a casual, downtown office environment within walking distance of nearby shops, restaurants, and entertainment. Because we are small, you will be able to exercise a level of creativity and autonomy not possible at a larger company. At Clear Hat, you will also have the opportunity to work on cutting edge software security technologies and make meaningful contributions that get noticed. Employee benefits include a competitive salary and a comprehensive benefits package ( personal leave, holidays, performance bonuses, dental, vision, medical, life, short and long term disability insurance).

Note: Email resumes to jobs(at)clearhatconsulting.com. Please include a cover letter with your resume that describes how your skills and experience directly relate to the skills that we are looking for.

Find packet receive

Nefarel — Wed, 09 May 2012 09:21:37 GMT

I am trying to find out packet structure of mmorpg game however I was unable to find a place in assembly where the packet data is being received. I have tried setting breakpoint on winsock recv, recvfrom, ReadFile but they are never called.
API monitor also doesn't see anything called when the packet is received by the client(only sees winsock send). How can i find a place where packet is received?

Google VS Oracle - copied content

0x0f1f — Tue, 08 May 2012 14:43:22 GMT

well...

Oracle found what the bad and evil google engineers copied from Java codebase...

Code:

private static void rangeCheck(int arrayLen, int fromIndex, int toIndex) {

    if (fromIndex > toIndex)

        throw new IllegalArgumentException("fromIndex(" + fromIndex +

                   ") > toIndex(" + toIndex+")");

    if (fromIndex < 0)

        throw new ArrayIndexOutOfBoundsException(fromIndex);

    if (toIndex > arrayLen)

        throw new ArrayIndexOutOfBoundsException(toIndex);

}

http://brainbits.ca/googles-infringement-against-oracle-9-lines-of-code/

Lawyers are often idiots, but SO idiots... :o :o

Any guy in Belgium?

0x0f1f — Tue, 08 May 2012 12:35:16 GMT

Hi all,

since I'm moving to Brussels for work on the next month, I was wondering if any woody's aficionados was around there - it's always nice to get someone competent to talk about RCE with.

Send me a PM if you hangs around, so we can have a beer ( I pay it, dont worry :D )

ps: no, this is not the nick I usually use ;)

Unpacking Mac OSX Dock

crassy — Mon, 07 May 2012 15:18:24 GMT

Not really malware, but unpacking... I'm curious how the Mac OSX dock (/System/Library/CoreServices/Dock.app/Contents/MacOS/Dock) is encrypted.

The entry point (from the Mach-O header) is 0x1000af4d0

Disassembling the binary gives me bullshit:

Code:

__text:00000001000AF4B0                 db 49h, 3Bh

__text:00000001000AF4B2 ; ---------------------------------------------------------------------------

__text:00000001000AF4B2

__text:00000001000AF4B2 loc_1000AF4B2:                          ; CODE XREF: __text:startj

__text:00000001000AF4B2                 out     dx, eax

__text:00000001000AF4B3                 xchg    eax, r15d

__text:00000001000AF4B5                 xor     cl, bl

__text:00000001000AF4B7                 db      64h

__text:00000001000AF4B7                 in      eax, 43h        ; Timer 8253-5 (AT: 8254.2).

__text:00000001000AF4BA                 xor     edx, [rdi]

__text:00000001000AF4BC                 and     esp, [rax-28h]

__text:00000001000AF4BF                 push    rcx

__text:00000001000AF4C0                 mov     ecx, 0FAFE72B8h

__text:00000001000AF4C5                 nop

__text:00000001000AF4C6                 pushfq

__text:00000001000AF4C7                 nop

__text:00000001000AF4C8                 std

__text:00000001000AF4C9                 punpckhbw mm2, qword ptr cs:0CE50D06Bh

__text:00000001000AF4D0

__text:00000001000AF4D0                 public start

__text:00000001000AF4D0 start:

__text:00000001000AF4D0                 jbe     short loc_1000AF4B2

__text:00000001000AF4D2                 and     bh, [rbp-7Fh]

__text:00000001000AF4D5                 rcr     byte ptr [rcx+38h], cl

__text:00000001000AF4D5 ; ---------------------------------------------------------------------------

__text:00000001000AF4D8 qword_1000AF4D8 dq 8C3EC142500B0FD6h, 316E8AD7EF8C917Ah, 1F425F5349509045h

When starting the process with GDB and putting a breakpoint at the same address I get a much more sensible disassembly:

Code:

0x1000af4d0:        push   0x0

0x1000af4d2:        mov    rbp,rsp

0x1000af4d5:        and    rsp,0xfffffffffffffff0

0x1000af4d9:        mov    rdi,QWORD PTR [rbp+0x8]

0x1000af4dd:        lea    rsi,[rbp+0x10]

0x1000af4e1:        mov    edx,edi

0x1000af4e3:        add    edx,0x1

0x1000af4e6:        shl    edx,0x3

So probably *something* is writing to the process memory before it gets started... But how is that something started? And why doen't gdb break when I put a write breakpoint at that address?

Anyone can point me in the right direction here?

copyright/RCE in EU

Maximus — Mon, 07 May 2012 10:20:26 GMT

Well,

it is nothing new, yet it is interesting that this principle has been affirmed again, at EU level now:

http://www.bloomberg.com/news/2012-05-02/copyright-can-t-block-software-reverse-engineering-court.html

How are C strings accessed???

rebible — Sun, 06 May 2012 02:48:01 GMT

I am trying to find the offset of some code. I can see the output string tables that the compiler left. How do C compilers normally access the strings.

thanks
robert

Vx Works image ... repacking, anyone interested in helping or taking on the job?

rebible — Fri, 04 May 2012 22:56:32 GMT

I am ideally looking for someone who would be interested in working on reverse engineering a vxworks image.

I am doing something similar to what is described at:
http://www.woodmann.com/forum/archive/index.php/t-11707.html

It is a vxworks binary flash image running on a powerpc. I have a rom dump (binary) I dumped 4mB which seems to be everything (It
works if reloaded, I don't know what the real code size is). the application is about 645kB

I would like to be able to extract the application binary, make modifications, and then re-pack it back into the image.

I have gotten as far as using deezee and extracting the actual running binary. But I haven't gone beyond that.

I have a second rom image (there are two embedded boards), so we can use it to see what is consistent as far as headers and crcs if necessary.

What I would like someone to do in order of importance.

1: give me a way to repack the binary image into the flash. (zip, crc, put back in e.g. 'Rezee').
Possibly integrate Dezee and the new 'Rezee' into a windows app for convenience.

The trick is there is probably a crc stored with the image in the ROM and we will have to find it.

2: help me figure out the addresses of the running image. If end comes to end, I can just put a call to the embedded monitor/debugger as a first step into the program and see where things are when it starts to run.

Additional resources:
I have a copy of a vxworks BSP package for the hardware.(not necessarily the same version)

The target hardware has a real time debugger. Unfortunately, the board configuration is "either the debugger" or "the application flash". The debugger runs out of its flash and I haven't been able to debug and watch it load the application from flash in to memory.

I have a real time debugger disassembler output of the start of the code.
I know where the boot code is located in flash e.g. and I have initial memory maps for the board.

thanks,
robert

IDA FLIRT sigs from MSVC2010 static libraries failing w/ "not a coff" error

Mardok — Fri, 04 May 2012 08:50:31 GMT

Hi guys,

I'm trying to wrap my head around a large project for which I have no source. I know that the executable was statically linked against Lua, zlib, libpng, and a large host of other software. I have no real experience with IDA, but I can see how using the FLAIR/FLIRT tools could be useful here. I started my attempt at generating sigs by compiling a static zlib library and extracting a pattern using the pcf executable packaged with the 6.1 FLAIR release. This fails with the following error:

Code:

C:\>pcf -d zlib.lib

COFF parser. Copyright (c) 1997-2011 Hex-Rays. Version 1.21

Pattern length: 32

Minimal pattern defined bytes: 4

Warning [zlib.lib] (Release Library\zutil.obj): please note, not a coff module at 0x9fa

MODULE Release Library\zutil.obj

Fatal [zlib.lib] (Release Library\zutil.obj): not a coff module

press enter to exit.

Please forgive my if this question has been answered before, or it's common knowledge, but how can I get this to work? I've searched all over the internet, and I have either been unable to find the answer or possibly unable to understand it.

Thanks in advance from a long-time lurker and first-time poster!

import table problem

hpr0xx — Tue, 01 May 2012 07:18:38 GMT

hi.i was punished by kayaker.and know i understand.

this file has been cracked and runs without any problem with crack of 2 dlls next to the exe file.but exe file is packed with crunch/pe hiuristic-->bitarts
i run olly script on it find eop then dumpe and the file size grow from 2 to 12 mg. but windows says windows cant start this program but packed exe file run truly.
im surprised what is wrong with this file.

http://www.4shared.com/zip/kQAxttAG/Software.html

can u help me please?

Reversing SHR EAX,1F

captcpsc — Tue, 01 May 2012 01:37:12 GMT

OK maybe this was too hard, or stupid or something, got several views but no help so moderator feel free to delete?
------

I'm trying to figure out what some lines of assembly language would look like in a higher level language such as C but also understand the WHY the compiler optimizer would code it like this verses something more direct.

Code:

IMUL ECX <- EDX:EAX = EAX * ECX

SAR EDX, 5 <- EDX / 32

MOV EAX, EDX 

SHR EAX, 1F <--- 1F being 31 doesn't this always just clear out the register?

ADD EAX, EDX <- so basically 0 + EDX

CDQ <- wipes out EDX extends EAX so EDX:EAX?

I'm finding one of the best ways to figure this stuff out is to put the code to a test? Take values and plug them in and see what happens?

SO I try to take the extremes
EAX = 7FFFFFFF
ECX = 7FFFFFFF

3FFFFFFF00000001

3FFFFFFF S
EDX:EAX = 3FFFFFFF00000001
EDX = 3FFFFFFF / 20(32 Decimal)

SAR, 5 = 1FFFFFF

SHR EAX, 1F (so 0)
ADD EAX, EDX
EAX = 1FFFFFF
CDQ -- EDX = 00000000 EAX = 01FFFFFF

however negative makes it a bit tricky.... worst case the SHR seems to leave a 1 in EAX
SO
EAX = 80000000
ECX = 7FFFFFFF

EDX:EAX = EDX:C0000000 EAX:80000000
SAR EDX, 5 - EDX:FE000000
MOV EAX, EDX
SHR EAX, 1F EAX = 1

EAX = FE000001

CDQ creates
EDX:EAX = FFFFFFFF:FE000001

So it's not any kinda absolute function or anything? I hope someone has worked this one out before or can figure it out.

Help with cracking 64 bit version of cracked 32 bit application

mr_tex — Mon, 30 Apr 2012 08:30:03 GMT

I need help with cracking the 64 bit version of an already cracked 32 bit application.

I'm a complete newb, trying to learn how to crack.

I successfully cracked a 32 bit application by opening Cheat Engine while process was running, enumerating the DLL's, finding the one that had 'lib' in the name, and changing the assembly code to turn on all the greyed out functions one by one in the software, bypassing the registering aspect (still shows unregistered, but works as a full program). Then, once I figured out what I needed to change in cheat engine, I made it permanent by hex editing the dll itself (which is messy I guess.. but I'm a newb).

I'm super happy about this because it took me weeks to do, but I just realized this program is computer intensive and the 64-bit version would be much better to have.

Well, the ASM code in cheat engine looks totally different for the 64 bit version, and my old method of 'inc eax' to change the greyed out menu items to 'enabled' doesn't work anymore.. I'm like wtf..

So how can this be approached?
Maybe I can just '64bit-ize' the 32 bit dll? Or is that wishful thinking?