📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.





About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New


Customize Theme

Flag: Tornado! Hurricane!

Blogs >> kizi's Blog

Created: Saturday, March 29 2008 10:00.16 CDT  
Printer Friendly ...
it's hard for me... orz
Author: kizi # Views: 2744

I'm trying to find vulnerablities by using IDA pro or ImmDbg and so on...
but, 6 months has passed... and nothing found. orz.
at first. I list functions which is like fopen, and trace the use of FD returned.
and investigate functions which is like memmove, memcpy, and memory copy operations.
but, all softwares which i debugged use these securely.
this method is not efficient?

Thre result i found is that,
the world is quite secure than i thought.


Blog Comments
rakish Posted: Sunday, March 30 2008 04:56.09 CDT
maybe you need more experience like me, i have started learning RCE almost 3 months ago, 1 week after start learn assembly language for 80x86 architectures...

if i'm right we need more time in RCE before jump into that world ...

but, anyway, what kind of applications are you analyzing?

kizi Posted: Sunday, March 30 2008 10:06.26 CDT
thanks for your reply.

hmm.... ok. i will keep on learning and training RCE. thanks.

but, you looks like a skilled reverser. have you really started learning since 3months ago? great!

>what kind of applications are you analyzing?
i have tried reversing 2 decompress/extract softwares and 5 ActiveX which is called and used from IE like object tag.

GynvaelColdwind Posted: Sunday, March 30 2008 11:07.20 CDT
kizi: have You tried fuzzing ?:>

MohammadHosein Posted: Sunday, March 30 2008 15:43.15 CDT
yes , its better to start with already reported vulns , even better if they have already been exploited . its something usual with activexs these days , also take a look at Axman . as a suggestion , Acrobat Reader is a perfect target ;)

kizi Posted: Monday, March 31 2008 09:51.59 CDT
thaks for replys. GynvaelColdwind, MohammadHosein.

i've tried Axman to fuzz ActiveXs.
but, nothing found.
I often use fuzzer that i wrote or other free fuzzers.
and I've found some bugs. but,  they are not exploitable.

>its better to start with already reported vulns
hmm.
ok. I will start with already reported vulnerabilities.
and take time more to fuzz.

RabidCicada Posted: Monday, March 31 2008 11:16.40 CDT
Kizi.  I have to say I'm relatively new also, but logic seems to dictate that you need more than just to manually sift through code.

There is simply too much stuff out there.  You need to focus on automating code exploitation finding(what I believe you are trying to do).

You need to effectively build a tool ecosystem around which you can perform efficient work in your field.  You need to have tools that find commonly mis-used code(function calls that are typically mishandled etc).  Then you could use many other tools to trace data paths and code coverage.

It is not a simple thing to get into.  I have not developed such an ecosystem yet.  It takes time and insight delivered by experience to become efficient.

As MohammadHosein said, it is beasier to re-find already discovered exploits (This will help hone your intuition for finding mishandled code).

RE-ing is not for the light of heart, nor for the casual passerby.  You have to be curious, commited, and willing to write your own tools (whether building on others or from the ground up).

I haven't written my own tools yet.  For now I'm content to learn the tools I already have access to and play with code for a game I play (as opposed to look specifically for an internet wide exploit).

cli3nt Posted: Wednesday, April 2 2008 08:14.51 CDT
Maybe before you go in the wild you should practice at some hackmes/crackmes. In example pull the plug project or crackmes.de ;)

PS.
And of course you should be more sticky. What I mean? you should stick to one app/vendor and dig until you find something. Remember: there is something. ALWAYS.

kizi Posted: Wednesday, April 2 2008 08:37.19 CDT
thanks for replys RabidCicada, cli3nt .

thanks!
you made me motivaed.
I'll keep on keeping on.
thousand thanks!!!11123

ishikawa Posted: Wednesday, April 2 2008 09:08.43 CDT
Also maybe you want to see how others discover theirs bugs.
Here you can do it (if you didn't done it already :P):
http://dvlabs.tippingpoint.com/blog/2007/07/24/step-by-step-of-how-tpti-07-013-was-discovered
http://blog.wslabi.com/2007/09/hitb-2007-ctf-daemon-03-writeup.html

kizi Posted: Thursday, April 3 2008 06:14.30 CDT
thanks for reply to ishikawa san.

I've never read it.
thanks!



Add New Comment
Comment:









There are 31,328 total registered users.


Recently Created Topics
[help] Unpacking VMP...
Mar/12
Reverse Engineering ...
Jul/06
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06
Question about memor...
Dec/12


Recent Forum Posts
Finding the procedur...
rolEYder
Question about debbu...
rolEYder
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n


Recent Blog Entries
halsten
Mar/14
Breaking IonCUBE VM
oleavr
Oct/24
Anatomy of a code tracer
hasherezade
Sep/24
IAT Patcher - new tool for ...
oleavr
Aug/27
CryptoShark: code tracer ba...
oleavr
Jun/25
Build a debugger in 5 minutes
More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...
djnemo on:
Nov/17
Kernel debugger vs user mod...
acel on:
Nov/14
Kernel debugger vs user mod...
pedram on:
Dec/21
frida.github.io: scriptable...
capadleman on:
Jun/19
Using NtCreateThreadEx for ...
More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit