OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.
dennis's Blog
Dr. Gadget IDAPython plugin
Author: dennis
Views: 26699
Created: Saturday, July 24 2010 06:23.54 CDT
Modified: Saturday, July 31 2010 05:41.04 CDT
Hi,
I wanted to share this little IDAPython plugin, which helps in writing and analyzing return-oriented payloads. It uses IDA's custom viewers to display an array of DWORDs called 'items', where an item is either a pointer to a gadget (an 'offset') or a plain 'value'.
Several keyboard shortcuts give access to functionality that is also available from the context menu:
ESC - closes the plugin
ENTER - jumps to item address in disassembly
O - toggles item type (offset, value)
D - deletes an item
I - inserts an item
E - edits an item's value
Functionality that is accessible via context menu only:
Load payload - loads a payload from disk
Save payload - saves a payload to disk
Auto analysis I - tries to determine each item's type (offset, value)
Reset - resets each item's type
Show disassembly - opens a disassembly subwindow
The screenshots show the plugin's interface. The IDB is a disassembly of 'BIB.dll' (MD5: 2ec16a4cdb828a31a432513a82cbafdf). _rop.bin is some exploit's payload in binary form (more info: http://blog.zynamics.com/2010/06/09/analyzing-the-currently-exploited-0-day-for-adobe-reader-and-adobe-flash/).
The plugin can be used either on a static disassembly or during an IDA debugging session.
The plugin is available here:
http://www.openrce.org/repositories/users/dennis/drgadget.py
_rop.bin is available here:
http://www.openrce.org/repositories/users/dennis/rop.bin
Edit: I just uploaded v0.2, which adds Elias Bachaalany's "find instruction/opcode" script from http://hexblog.com/2009/09/assembling_and_finding_instruc.html
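To make the item model concrete, here is an added, stand-alone example (not drgadget.py itself, and not the author's code) of the core of what the plugin does: split a raw payload into DWORD items, type each one as 'offset' or 'value' the way 'Auto analysis I' does, let the user flip a type by hand, and write the items back out. It runs outside IDA, so the module and executable address ranges, the gadget addresses and the payload bytes are all constructed for the example rather than taken from BIB.dll or _rop.bin. One addition beyond the plugin's menu: a check that reports items which point into the module but not into executable code, since those are the ones the heuristic is most likely to get wrong.

```python
import struct

# Constructed for this example (not from the IDB in the post): the address range
# of a hypothetical module at image base 0x07000000 and the part of it that is
# executable code. The real plugin takes these from IDA's segments.
IMAGE_RANGE = (0x07000000, 0x07040000)
EXEC_RANGES = [(0x07001000, 0x07030000)]

# Constructed stand-in for a payload file (not the _rop.bin from the post).
GADGET_POP_RET  = 0x07001234
GADGET_PUSHAD   = 0x07012340
GADGET_XCHG_ESP = 0x0702ABCD
DATA_POINTER    = 0x07035000      # inside the module, but not executable
SAMPLE_PAYLOAD = struct.pack("<6I", GADGET_POP_RET, 0x41414141, GADGET_PUSHAD,
                             0xFFFFFFFF, DATA_POINTER, GADGET_XCHG_ESP)

def load_payload(blob):
    """'Load payload': split a raw blob into little-endian DWORD items.
    A chain that is not DWORD-aligned is almost always truncated or read from
    the wrong offset, so refuse it instead of silently dropping bytes."""
    if len(blob) % 4:
        raise ValueError("payload length %d is not a multiple of 4" % len(blob))
    return list(struct.unpack("<%dI" % (len(blob) // 4), blob))

def save_payload(items):
    """'Save payload': the inverse of load_payload."""
    return struct.pack("<%dI" % len(items), *items)

def is_offset(value, ranges=EXEC_RANGES):
    """An item is an 'offset' (gadget pointer) if it lands in executable code."""
    return any(lo <= value < hi for lo, hi in ranges)

def auto_analyse(items, ranges=EXEC_RANGES):
    """'Auto analysis I': tag every item as 'offset' or 'value'."""
    return ["offset" if is_offset(v, ranges) else "value" for v in items]

def toggle_type(types, index):
    """'O' key: flip one item's type by hand when the heuristic is wrong."""
    types = list(types)
    types[index] = "value" if types[index] == "offset" else "offset"
    return types

def suspicious(items, types, image=IMAGE_RANGE):
    """Indices of items typed 'value' that still point into the module: a data
    pointer (e.g. an IAT slot used by a 'call [addr]' gadget) or a gadget the
    heuristic missed. Worth a manual look with ENTER in the real plugin."""
    lo, hi = image
    return [i for i, (v, t) in enumerate(zip(items, types))
            if t == "value" and lo <= v < hi]

def render(items, types, stack_base=0x0012FF00):
    """Text rendering of the viewer: stack slot, raw DWORD and type."""
    return ["%08X  %08X  %s" % (stack_base + 4 * i, v, t)
            for i, (v, t) in enumerate(zip(items, types))]

if __name__ == "__main__":
    items = load_payload(SAMPLE_PAYLOAD)
    types = auto_analyse(items)
    print("\n".join(render(items, types)))
    print("check by hand:", suspicious(items, types))
```

The 'offset' test is deliberately strict (executable code only); the plugin's user is expected to correct the rest with the O key, which is why the type list is kept separate from the items and can be toggled without touching the payload bytes.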
note to self
Author: dennis
Views: 5162
Created: Thursday, January 10 2008 11:58.42 CST
Modified: Thursday, January 10 2008 12:11.10 CST
When patching drivers such as tcpip.sys by hand, do not forget to update the PE image checksum before rebooting ;-)
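The checksum in question is IMAGE_OPTIONAL_HEADER.CheckSum. Windows validates it for drivers it loads at boot, so a hand-patched tcpip.sys with a stale value fails to load. The following is an added example, not part of the note: it reproduces the algorithm used by imagehlp's CheckSumMappedFile (a 16-bit ones'-complement-style sum over the file, skipping the CheckSum field, plus the file length), locates the field from the PE headers, and rewrites it. The image it operates on is a constructed stand-in built in the code, not a real driver; on a real machine the same fix-up is what MapFileAndCheckSum or editbin /RELEASE performs.

```python
import struct

def checksum_field_offset(image):
    """Locate IMAGE_OPTIONAL_HEADER.CheckSum: e_lfanew -> 'PE\\0\\0' (4 bytes) ->
    IMAGE_FILE_HEADER (20 bytes) -> offset 64 into the optional header. That
    offset is the same for PE32 and PE32+, so this covers 32- and 64-bit drivers."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    off = e_lfanew + 4 + 20 + 64
    if off + 4 > len(image):
        raise ValueError("optional header truncated")
    return off

def pe_checksum(image, field_off):
    """The CheckSumMappedFile algorithm: sum every 16-bit little-endian word of
    the file, folding carries back into the low 16 bits, skip the 4 bytes of the
    CheckSum field itself, then add the file length (in bytes) to the result."""
    padded = image if len(image) % 2 == 0 else image + b"\0"   # odd trailing byte
    total = 0
    for off in range(0, len(padded), 2):
        if off == field_off or off == field_off + 2:
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)      # fold the carry
    total = (total & 0xFFFF) + (total >> 16)          # fold a final carry
    return ((total & 0xFFFF) + len(image)) & 0xFFFFFFFF

def update_checksum(image):
    """Recompute the checksum and write it into the header."""
    off = checksum_field_offset(image)
    return image[:off] + struct.pack("<I", pe_checksum(image, off)) + image[off + 4:]

def verify_checksum(image):
    """True if the stored CheckSum matches the file contents."""
    off = checksum_field_offset(image)
    return struct.unpack_from("<I", image, off)[0] == pe_checksum(image, off)

def constructed_image():
    """Constructed stand-in for a driver (not a real tcpip.sys): DOS header with
    e_lfanew = 0x40, PE signature, 20-byte file header, 224-byte PE32 optional
    header (zero apart from Magic) and 13 bytes of NOPs, so the length is odd."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222
    return dos + b"PE\0\0" + file_hdr + opt + b"\x90" * 13

if __name__ == "__main__":
    patched = constructed_image()[:-1] + b"\xC3"     # the 'hand patch': NOP -> RET
    print("valid before update:", verify_checksum(patched))
    print("valid after update: ", verify_checksum(update_checksum(patched)))
```

The sum skips the CheckSum field so that writing the result back does not change it; that is also why verifying an image you have just fixed up is a meaningful check rather than a tautology. Note that the checksum only detects accidental mismatches; it is not a signature, and a patched driver still has to get past driver signature enforcement where that is in force.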
How to launch an executable...
Author: dennis
Views: 12504
Created: Friday, June 29 2007 09:43.02 CDT
Modified: Friday, June 29 2007 09:46.41 CDT
...without creating it on disk. Ever wondered how to do that?
So did I, so I took apart an interesting executable crypter that I found the other day. Not one of those crypters that add code or sections to an existing PE file, but one that embeds the "target" executable as a resource in its loader code.
The technique is simple, yet interesting (for _various_ purposes).
1. Launch a copy of the loader process in suspended mode.
2. Get the context structure of the suspended copy's main thread.
3. Retrieve the image base of the process by parsing its PEB structure (at process start, EBX in that context points to the PEB!).
4. Free all the data belonging to the original image by calling ZwUnmapViewOfSection and passing it the image base.
5. Read the SizeOfImage value from the embedded executable's PE header.
6. Allocate a new block of memory starting at the image base, SizeOfImage bytes long.
7. Copy all the headers (PE header, section headers, etc.) to the allocated block of memory.
8. Copy each section of the embedded executable to the allocated block of memory, setting its memory protection according to its section characteristics.
9. Patch the image base in the PEB of the process so that it equals the address of the allocated block.
10. Set EAX in the context to the entry point of the embedded executable.
11. Resume the process, if all went well.
For a better understanding, have a look at the disassembly.
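Steps 5 to 10 are driven entirely by fields in the embedded executable's PE headers, so they can be worked out as data before a single byte is written into the target. The following is an added example (not the crypter's loader and not the author's code) that parses a PE32 image and produces exactly that plan: the allocation base and size, the headers copy, one copy per section with the PAGE_* protection derived from its characteristics, and the new values for PEB.ImageBase and EAX. It stops at the plan and makes none of the Windows calls (the usual choices are CreateProcess with CREATE_SUSPENDED, GetThreadContext, ZwUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, VirtualProtectEx, SetThreadContext and ResumeThread; those names are the standard API, not something the post states), so it runs on any platform. The input PE is constructed inside the code, not an extracted payload. Two caveats a practitioner will want: the allocation at the embedded image's ImageBase only succeeds if that range is free after the unmap, which is one reason the loader hollows a copy of itself rather than an arbitrary process (otherwise the image needs relocations), and a tool that runs on untrusted input must bounds-check every header field it copies from, which the example does and a crypter's loader typically does not.

```python
import struct

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
PAGE_NOACCESS, PAGE_READONLY, PAGE_READWRITE = 0x01, 0x02, 0x04
PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x10, 0x20, 0x40

def protection_for(characteristics):
    """Step 8: PAGE_* protection from IMAGE_SECTION_HEADER.Characteristics."""
    x = characteristics & IMAGE_SCN_MEM_EXECUTE
    w = characteristics & IMAGE_SCN_MEM_WRITE
    r = characteristics & IMAGE_SCN_MEM_READ
    if x:
        return PAGE_EXECUTE_READWRITE if w else (PAGE_EXECUTE_READ if r else PAGE_EXECUTE)
    if w:
        return PAGE_READWRITE
    return PAGE_READONLY if r else PAGE_NOACCESS

def mapping_plan(pe):
    """Steps 5-10 as data: (destination, file offset, length, protection) for each
    copy the loader must make, plus the new PEB.ImageBase and EAX values.
    Every field that drives a copy is bounds-checked before it is trusted."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    fh = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    nsections, = struct.unpack_from("<H", pe, fh + 2)
    opt_size, = struct.unpack_from("<H", pe, fh + 16)
    opt = fh + 20                                      # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here (the post's loader is 32-bit)")
    entry_rva, = struct.unpack_from("<I", pe, opt + 16)
    image_base, = struct.unpack_from("<I", pe, opt + 28)
    size_of_image, size_of_headers = struct.unpack_from("<II", pe, opt + 56)
    if size_of_headers > len(pe) or size_of_headers > size_of_image:
        raise ValueError("SizeOfHeaders out of range")
    plan = {
        "image_base": image_base,                      # step 6: allocate here
        "size_of_image": size_of_image,                # step 5: this many bytes
        "peb_image_base": image_base,                  # step 9: new PEB.ImageBase
        "entry_point": image_base + entry_rva,         # step 10: new EAX
        # step 7: headers go first; they are normally mapped read-only
        "copies": [(image_base, 0, size_of_headers, PAGE_READONLY)],
    }
    for i in range(nsections):                         # step 8
        off = opt + opt_size + 40 * i
        if off + 40 > size_of_headers:
            raise ValueError("section table runs past SizeOfHeaders")
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = \
            struct.unpack_from("<8sIIIIIIHHI", pe, off)
        if rawptr + rawsize > len(pe) or va + max(vsize, rawsize) > size_of_image:
            raise ValueError("section %r does not fit the file or the image" % name)
        plan["copies"].append((image_base + va, rawptr, rawsize, protection_for(chars)))
    return plan

def build_test_pe():
    """Constructed two-section PE32 standing in for the embedded executable (not
    a real crypter payload): .text at RVA 0x1000 (code, R+X), .data at RVA 0x2000
    (R+W), ImageBase 0x00400000, entry point at RVA 0x1000."""
    sections = [(b".text", 0x200, 0x1000, 0x200, 0x200, 0x60000020),
                (b".data", 0x100, 0x2000, 0x200, 0x400, 0xC0000040)]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    fh = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)              # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1000)            # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x00400000)        # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)    # Section/FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)    # SizeOfImage, SizeOfHeaders
    hdrs = dos + b"PE\0\0" + fh + bytes(opt)
    for name, vsize, va, rawsize, rawptr, chars in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)
    return hdrs.ljust(0x200, b"\0") + b"\xC3" * 0x200 + b"\0" * 0x200

if __name__ == "__main__":
    plan = mapping_plan(build_test_pe())
    print("allocate %#x bytes at %#x; EAX -> %#x" % (plan["size_of_image"], plan["image_base"], plan["entry_point"]))
    for dst, src, n, prot in plan["copies"]:
        print("copy %#x bytes from file offset %#x to %#x, protect %#x" % (n, src, dst, prot))
```

Everything after the plan is mechanical: one allocation, one WriteProcessMemory per entry in `copies` followed by a VirtualProtectEx with the listed protection, one write of `peb_image_base` into the PEB, and a SetThreadContext with EAX set to `entry_point` before the resume.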
can you read binary code? ;-)
Author: dennis
Views: 6257
Created: Wednesday, June 13 2007 05:49.53 CDT
Modified: Wednesday, June 13 2007 06:14.09 CDT
I love this comic. It's actually pretty old, but today I wondered whether that binary code means anything ;-)
Adding code to ROM(image)s
Author: dennis
Views: 4930
Created: Thursday, May 31 2007 14:35.07 CDT
Modified: Thursday, May 31 2007 14:41.06 CDT
For anyone who is or was interested in trainers and adding code: I've put the source code of trainers for some NES games into my repository. They explain how to add code to an existing ROM image, how to patch memory on the M6502, and how to win if you suck at games ;-)
If you're too lazy to assemble the source code yourself, you can use the included IPS files to patch your own ROM image.
Be sure to check out this as well.
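The IPS files mentioned above are the usual ROM-hacking patch format: a "PATCH" header, records of a 3-byte big-endian offset, a 2-byte big-endian size and that many bytes of data (a size of 0 marks an RLE record: a 2-byte count and a 1-byte fill value), terminated by "EOF". As an added example, not from the repository and not the author's code, the following Python both produces such a file from an original and a trained ROM, the way a trainer's IPS is made once the assembled code has been dropped into the image, and applies it to a clean copy. The ROM and the "trained" bytes are constructed stand-ins (an iNES-style header followed by filler, with an LDA #$09 and a run of NOPs patched in), not a real game.

```python
import struct

# Constructed stand-in for a ROM: 16-byte iNES-style header, then 64 bytes of
# 0xFF filler standing in for PRG data. Not a real game image.
ROM = b"NES\x1a" + bytes([2, 1, 0, 0]) + b"\0" * 8 + b"\xFF" * 0x40

def trained_rom():
    """Constructed 'trained' copy: LDA #$09 (A9 09) written at file offset 0x20
    and a 16-byte run of NOPs (EA) at 0x30, standing in for assembled trainer code."""
    out = bytearray(ROM)
    out[0x20:0x22] = b"\xA9\x09"
    out[0x30:0x40] = b"\xEA" * 16
    return bytes(out)

def diff_records(original, modified):
    """Turn the byte-level differences between two images into (offset, data)
    records; bytes beyond the end of the original count as changed."""
    if len(modified) < len(original):
        raise ValueError("IPS cannot shrink a file")
    records, start = [], None
    for i in range(len(modified)):
        differs = i >= len(original) or original[i] != modified[i]
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            records.append((start, modified[start:i]))
            start = None
    if start is not None:
        records.append((start, modified[start:]))
    return records

def make_ips(records):
    """Serialise records as IPS; runs of one byte value become RLE records."""
    out = bytearray(b"PATCH")
    for offset, data in records:
        if not data or offset >= 1 << 24 or len(data) >= 1 << 16:
            raise ValueError("record at %#x cannot be encoded in IPS" % offset)
        out += offset.to_bytes(3, "big")
        if len(data) > 3 and data == data[:1] * len(data):
            out += struct.pack(">HHB", 0, len(data), data[0])   # size 0 = RLE
        else:
            out += struct.pack(">H", len(data)) + data
    return bytes(out) + b"EOF"

def apply_ips(rom, patch):
    """Apply an IPS patch to a ROM image and return the patched bytes."""
    if patch[:5] != b"PATCH":
        raise ValueError("not an IPS file")
    out, pos = bytearray(rom), 5
    # An offset of 0x454F46 would also read as 'EOF'; that is a known wart of the
    # format and irrelevant for NES-sized images, so EOF is treated as the end.
    while patch[pos:pos + 3] != b"EOF":
        if pos + 5 > len(patch):
            raise ValueError("truncated record header at %d" % pos)
        offset = int.from_bytes(patch[pos:pos + 3], "big")
        size, = struct.unpack_from(">H", patch, pos + 3)
        pos += 5
        if size == 0:                                  # RLE record
            count, value = struct.unpack_from(">HB", patch, pos)
            pos += 3
            data = bytes([value]) * count
        else:
            data = patch[pos:pos + size]
            if len(data) != size:
                raise ValueError("truncated record data at %d" % pos)
            pos += size
        end = offset + len(data)
        if end > len(out):                             # patches may grow the ROM
            out.extend(b"\0" * (end - len(out)))
        out[offset:end] = data
    return bytes(out)

if __name__ == "__main__":
    ips = make_ips(diff_records(ROM, trained_rom()))
    print(ips.hex())
    print("round trip ok:", apply_ips(ROM, ips) == trained_rom())
```

Growing the output when a record lies past the end of the input is what allows a trainer to append a new code bank rather than squeeze its routine into existing space; a patcher that refuses to extend the file will silently drop exactly those records.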
Archived Entries for dennis

Subject                        # Views   Created On
Canaries and format strings    2993      Sunday, May 27 2007
VSCP IDA Pro plugin            1672      Friday, May 25 2007
IDABone                        1632      Wednesday, May 23 2007
InsColor                       2306      Thursday, March 29 2007
gotoSEH                        2308      Tuesday, February 20 2007