ReWolf's Blog on OpenRCE

blog moved
Created: Tuesday, June 7 2011 16:42.46 CDT
Author: ReWolf

All new posts will be published on my new blog http://blog.rewolf.pl, so please update your bookmarks ;)

dirtyJOE - Java Overall Editor
Created: Saturday, September 18 2010 03:39.00 CDT
Author: ReWolf

dirtyJOE - Java Overall Editor is a complex editor and viewer for compiled Java binaries (.class files). The current version still has some limitations, but hopefully those will be removed in the next releases.

dirtyJOE is free for non-commercial use.

dirtyJOE is entirely written in C++; no third-party libraries were used.

Main features:
- Viewer for: constant pool, methods, fields, attributes
- Editor for: constant pool, bytecode

You can download it from http://dirty-joe.com

When memory management goes bad...
Created: Thursday, March 4 2010 13:00.59 CST, Modified: Thursday, March 4 2010 13:01.58 CST
Author: ReWolf

A few months ago I encountered strange behavior in cmd.exe when I wanted to list a big collection of files and execute a command on every single file. For this task I used a 'for' command similar to this:

for /R c:\ %c in (*.*) do echo %c >> cmd_ptc.log

After a few hours of processing I got a very disturbing message:

"Not enough storage is available to process this command."

It turns out that cmd.exe can eat all the memory available to the process. I decided to check why it needs such an amount of memory and whether it would be possible to fix it. Below you can find links to the full article and to a package with the fixed binaries (from Windows Vista SP2):

http://rewolf.pl/stuff/rewolf_cmd_research.pdf - article
http://rewolf.pl/stuff/rewolf_cmd_research.zip - article and binaries

Happy reading !
ReWolf

Hacker Challenge 2008
Created: Wednesday, April 15 2009 15:10.10 CDT, Modified: Wednesday, April 15 2009 15:11.30 CDT
Author: ReWolf

My reports from Hacker Challenge 2008 are already available online:

(the zip archives contain the original challenge, the cracked binary and the report)

Phase 1:
http://rewolf.pl/stuff/rewolf_hc2008_phase1.zip
http://rewolf.pl/stuff/rewolf_hc2008_ph1_report.pdf

Phase 3 (third place in "quality of report" category):
http://rewolf.pl/stuff/rewolf_hc2008_phase3.zip
http://rewolf.pl/stuff/rewolf_hc2008_ph3_report.pdf

http://rewolf.pl

Old dbghelp and an old exploit...
Created: Friday, January 30 2009 08:42.38 CST, Modified: Friday, January 30 2009 08:43.40 CST
Author: ReWolf

Recently I came across some "strange" problems while loading some executables into OllyDbg. After loading the file, OllyDbg just crashed without any error. During a quick investigation I figured out that the problem lies in the extension of the loaded file. In fact, the problem lay in the old version of dbghelp.dll (5.1.3590.0). I asked google if "she" (or "he", who knows) knows something about this bug, and that was a good choice. I found a discussion on the tuts4you forum:

  http://forum.tuts4you.com/index.php?showtopic=16445

and a link to an exploit on milw0rm:

  http://www.milw0rm.com/exploits/6031

As you can read there, it was related to an "export name buffer overflow vulnerability". My problem was different, but debugging OllyDbg led me to the call to SymLoadModule at the same place as in the mentioned exploit. Further debugging revealed that my problem is related to the wrong use of the _splitpath function from msvcrt.dll. The call tree looks like this:


SymLoadModule (exported)
  -> SymLoadModule64 (exported)
       -> SymLoadModuleEx (exported)
            -> InternalLoadModule
                 -> load
                      -> GetDebugData
                           -> FileNameIsPdb
                                -> msvcrt.splitpath


The function FileNameIsPdb has a local variable:


  char _str_extension[20];


which is passed to _splitpath as the extension buffer. If the extension of our prepared file is longer than 20 bytes, the copy overwrites values on the stack: the next 8 bytes overwrite some other local variables, and the following 4 bytes overwrite the return address:


  extension: ".dll1234567890qwertyuiopasdfxxxx"


This is not enough to crash OllyDbg though (for exploitation it should be sufficient), because there is an SEH handler that can deal with this stack corruption. I figured out that overwriting another 26 bytes does crash OllyDbg, so the file name (with its extension) should look like this:


  "sample.dll1234567890qwertyuiopasdfxxxxlzxcvbnmQWERTYUIOPASDFGHJK"


If someone has not updated dbghelp.dll in the OllyDbg directory, this method can be used as a simple anti-debug trick. We don't need to rename the executable to such a form; we can drop a sample DLL (with a malformed extension) on the disk during the execution of the program and just load it with the LoadLibrary function. Developing an exploit could prove to be problematic because of the limited character set that can be used to craft a file name.

This bug does not apply to newer versions of dbghelp.dll.
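As an added illustration (not code from the original post or from dbghelp), the C program below models the stack layout described above, a 20-byte extension buffer followed by 8 bytes of other locals and a 4-byte return address, classifies how far an unchecked copy of a file's extension would reach, and shows a bounded copy that refuses over-long extensions instead of overflowing, the way the ext argument of MSVC's _splitpath_s (which takes buffer sizes) does. The extension-parsing rules are my assumption of how _splitpath splits a path, and the byte counts come from the post, not from dbghelp's actual code.

```c
#include <stddef.h>
#include <string.h>

/* Stack layout from the post: 20-byte extension buffer, then 8 bytes of
 * other locals, then the 4-byte return address (32-bit frame). */
#define EXT_BUF_SIZE  20
#define LOCALS_BYTES  8
#define RETADDR_BYTES 4

/* Extension (including the dot) of the last path component, or NULL.
 * Assumed to follow _splitpath: only the last '.' after the final
 * separator counts, so "c:\dir.d\noext" has no extension. */
static const char *find_extension(const char *path)
{
    const char *base = path;
    for (const char *p = path; *p; p++)
        if (*p == '\\' || *p == '/' || *p == ':')
            base = p + 1;
    return strrchr(base, '.');
}

/* What an unchecked copy into the 20-byte local would clobber: 0 = fits,
 * 1 = other locals, 2 = reaches the return address, 3 = runs past it.
 * The terminating NUL is not counted, matching the post's byte counts. */
int overflow_class(const char *path)
{
    const char *ext = find_extension(path);
    size_t n = ext ? strlen(ext) : 0;
    if (n <= EXT_BUF_SIZE) return 0;
    if (n <= EXT_BUF_SIZE + LOCALS_BYTES) return 1;
    if (n <= EXT_BUF_SIZE + LOCALS_BYTES + RETADDR_BYTES) return 2;
    return 3;
}

/* Bounded alternative to the unchecked copy: like the ext argument of
 * MSVC's _splitpath_s, it fails (-1, empty output) rather than writing
 * past out_size bytes. */
int copy_extension_bounded(const char *path, char *out, size_t out_size)
{
    const char *ext = find_extension(path);
    size_t len = ext ? strlen(ext) : 0;
    if (out_size == 0) return -1;
    if (len + 1 > out_size) {          /* +1 for the terminating NUL */
        out[0] = '\0';
        return -1;
    }
    memcpy(out, ext ? ext : "", len + 1);
    return 0;
}
```

The 32-character extension from the post lands exactly on the return address (class 2), while the 58-character one runs 26 bytes past it (class 3).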

Original paper at: http://rewolf.pl/stuff/rewolf_dbghelp.txt
