Posts

Showing posts with the label Reverse Engineering

Windows Source Code Leaks & A Story Of Lost Source Code

Disclaimer: The information presented in this blog post is for educational purposes only.

When researching or just tinkering with Windows and Microsoft executables, having the source code is a great advantage. This short article is a collection of links to Windows and Microsoft code.
Leaked Windows Source Code
Links to leaked Windows source files:
Windows NT4 https://github.com/ZoloZiak/WinNT4
Windows 2000 https://github.com/pustladi/Windows-2000
Windows Research Kit https://github.com/Zer0Mem0ry/ntoskrnl
Links aggregated from BlueHatIL talk “Fuzzing on the windshield”

Official Microsoft Published Source Code
Microsoft has recently become significantly more Open Source oriented, and has even started actively developing Open Source projects and publishing some of its own code.
Links to published Microsoft code:
Microsoft .NET source https://referencesource.microsoft.com/
Microsoft’s GitHub https://github.com/Microsoft

Other Resources
Other resources to help you with your Windows and Microso…

Guy's 30 Reverse Engineering Tips & Tricks

Good morning lovely people!

During April I challenged myself to tweet 1 reverse engineering tip every day. For your viewing pleasure, here I aggregated all 30 tips.

Be sure to follow me @va_start for my latest tweets and more reverse engineering extravaganza.
Leave a comment on this post or tag me on Twitter - I reply pretty quickly :)

If the tweets aren't displayed properly (for example, if there are no pictures), temporarily turn off tracker protection, which blocks loading the required resources from Twitter.
Tips & Tricks

Tip 1
*Reverse Engineering Tip 1/30*
long branch-less functions w/many xors & rols are usually hash functions. IDA view of MD5 func: #BinReversingTips pic.twitter.com/cLSGfxNupK
— Guy🏂 (@va_start) April 1, 2020

Tip 2
-Reversing Tip 2/30-
Building on the last tip, after finding a hash function, google its constant to identify the exact hash algorithm. #BinReversingTips pic.twitter.com/MJJIBY9pde
— Guy🏂 (@va_start) April 2, 2020

Tip 3
-Reversing Tip 3/30-

Calling Arbitrary Functions In EXEs: Performing Calls to EXE Functions Like DLL Exports

Motivation
When reversing or fuzzing an executable, being able to run an arbitrary function with controlled data is extremely helpful. By iteratively playing with the function's parameters and examining the output, we can better understand the function's logic.

Background
A dll (Dynamic-Link Library) containing our target function would allow us to conveniently review and test the function as we wish. The only problem is that the function we want to examine usually resides in an exe, not a dll. Converting¹ an exe to a dll is a solvable challenge. After all, both an exe and a dll share the same PE (Portable Executable) file format. So let's explore: how can we convert¹ an exe to a dll?
Spoiler: there are a few more steps than just changing the extension 😉
¹ "convert to DLL" = fundamentally behave like a DLL.

I'll use this exe created from the following code and target the decode_string function for demonstration purposes throughout this post.

Challenges Th…

Stack Overflow CVE-2019-17424 Vulnerability Write-Up and RCE Exploit Walk Through

This is Part 2 in a 4-part series about my process hunting for vulnerabilities in a network auditing tool (used to protect networks by detecting and fixing security holes), and fully exploiting one of the vulnerabilities I found. I recommend reading the series in ascending numeric order. Link to part 1 here. Links to parts 3 and 4 at the end of this post.

This post describes how I found CVE-2019-17424 and successfully exploited the vulnerability in the precompiled, packaged product.
Vulnerability ⚡
Reader’s Exercise 🔎
I found CVE-2019-17424 by manually reviewing the source code of nipper-ng. Provided below is an excerpt from the source code containing only the vulnerable function. You are welcome to take it as an exercise to find the vulnerability in the code below:

Notice: The vulnerability in the code above is identified in the paragraph below. If you want to try to find the vulnerability yourself, o…

Simplest Fibonacci Assembly Code

Tl;Dr
There is an insanely cool, simple and elegant way to calculate Fibonacci numbers in assembly using only 2 opcodes!

Full disclosure: this post is inspired by chapter two of the book "xchg rax, rax".
Fibonacci Numbers
Just a simple review: Fibonacci Numbers are calculated with the formula below.


So, for example, to get the 3rd Fibonacci number, we need to sum the 2nd and 1st Fibonacci numbers.

The Code 👨‍💻👩‍💻
Behold! Below is the most elegant code you will ever see in assembly


Source available here.
Explanation 🧠
The magic happens in the XADD opcode, which is an "xchg (exchange)" and "add" operation in one opcode. It works exactly as you would expect: first exchange the two operands, and then add them, saving the result to the first operand. Official Intel documentation here.

Next, the "loop" opcode changes the code flow to jump back and re-execute the xadd opcode multiple times.
Understanding ✔
To completely understand why and ho…