OpenRCE: Blog

Dr. Gadget IDAPython plugin

Sat, 24 Jul 2010 06:23:54 -0500

Hi,

I wanted to share with you this little IDAPython plugin which helps in writing and analyzing return oriented payload. It uses IDA's custom viewers in order to display an array of DWORDs called 'items', where an item can be either a pointer to a gadget or a simple 'value'.
There are several keyboard shortcuts to access functionality that otherwise also is accessible via the context menu:

ESC   - closes the plugin
ENTER - jumps to item address in disassembly
O     - toggles item type (offset, value)
D     - deletes an item
I     - inserts an item
E     - edits an item's value

Functionality that is accessible via context menu only:

Load payload     - loads a payload from disk
Save payload     - saves a payload to disk

Auto analysis I  - tries to determine each item's type (offset, value)
Reset            - resets each item's type
Show disassembly - opens a disassembly subwindow

Below screenshots show the plugin's interface. The IDB is a disassembly
of 'BIB.dll' (MD5: 2ec16a4cdb828a31a432513a82cbafdf). _rop.bin is some
exploit's payload in binary form (more info:
http://blog.zynamics.com/2010/06/09/analyzing-the-currently-exploited-0-day-for-adobe-reader-and-adobe-flash/)

The plugin can be used either on a static disassembly or during an IDA debugging session.

The plugin is available here: http://www.openrce.org/repositories/users/dennis/drgadget.py
_rop.bin is available here: http://www.openrce.org/repositories/users/dennis/rop.bin

edit:
just uploaded v0.2 which adds Elias Bachaalany's "find instruction/opcode" script from
http://hexblog.com/2009/09/assembling_and_finding_instruc.html

note to self

Thu, 10 Jan 2008 11:58:42 -0600

when patching drivers such as tcpip.sys by hand, do not forget to update the image checksum before rebooting ;-)

How to launch an executable...

Fri, 29 Jun 2007 09:43:02 -0500

...without creating it on disk. Ever wondered how to do that?
So did I. So I've taken apart an interesting executable crypter that
I found the other day. Not one of those crypters adding code/sections
to an existing PE file but one of those crypters that embed the "target"
executable as a resource into its loader code.

The technique is simple, yet interesting (for _various_ purposes).

1. launch a copy of the loader process in suspended mode.
2. get the context structure of the copy of the loader process.
3. retrieve the imagebase of the process by parsing its PEB structure (ebx at process start!).
4. free all the data belonging to the process by calling ZwUnmapViewOfSection and passing it the imagebase.
5. get the SizeOfImage value of the embedded executable from its PE header.
6. allocate a new block of memory starting at the imagebase with the size of the SizeOfImage value.
7. copy all the headers (pe header, section header etc.) to the allocated block of memory.
8. copy each section of the embedded executable to the allocated block of memory, setting their memory protection according to their section characteristics.
9. the imagebase in the PEB of the process has to patched to equal the address of the allocated block of memory
10. set eax of the process to point to the entrypoint of the process
11. resume the process, if all went well.

For a better understanding, have a look at the disassembly.

can you read binary code? ;-)

Wed, 13 Jun 2007 05:49:53 -0500

I love this comic. Actually it's pretty old, but today I wondered if that binary code is anything meaningful ;-)

Adding code to ROM(image)s

Thu, 31 May 2007 14:35:07 -0500

For anyone who is/was interested in trainers/adding code,
I've put source code of trainers for some NES games into my repository. They explain how to add code to an existing ROM image, how to patch memory on the M6502 and how to win if you suck at games ;-)

If you're too lazy to assemble the source code yourself, you can use the included IPS files to patch your own ROM image.

Be sure to check out this as well.