<?xml version="1.0"?>
<rss version="2.0">
    <channel>
        <title>OpenRCE: Blog</title>
        <link>http://www.openrce.org/rss/feeds/blog</link>
        <description>OpenRCE: The Open Reverse Code Engineering Community</description>
                <item>
            <title>Blog is moving</title>
                            <pubDate>Tue, 01 Apr 2008 00:55:00 -0500</pubDate>
                                        <link>https://www.openrce.org/blog/view/1105/Blog_is_moving</link>
                                        <author>luis &lt;email-suppressed@example.com&gt;</author>
                                                    <description>I am moving the blog to its new &lt;a href=&quot;http://jeru.ringzero.net/&quot;&gt;home&lt;/a&gt;. The move was done primarily to support my new &lt;a target=&quot;_blank&quot; href=&quot;http://www.amazon.com/gp/redirect.html?ie=UTF8&amp;amp;location=http%3A%2F%2Fwww.amazon.com%2FReverse-Engineering-Code-IDA-Pro%2Fdp%2F159749237X%3Fie%3DUTF8%26s%3Dbooks%26qid%3D1205124017%26sr%3D8-1&amp;amp;tag=ringzero-20&amp;amp;linkCode=ur2&amp;amp;camp=1789&amp;amp;creative=9325&quot; title=&quot;IDA Book&quot;&gt;book&lt;/a&gt;. (yes, my amazon associates account is in the link). Amazon has not updated the author list.&lt;br /&gt;&lt;br /&gt;&lt;img border=&quot;0&quot; width=&quot;400&quot; src=&quot;http://jeru.ringzero.net/images/cover.jpg&quot; alt=&quot;book cover&quot; height=&quot;360&quot; /&gt;</description>
                    </item>
                <item>
            <title>Back from the dead and I have scope images with me...</title>
                            <pubDate>Thu, 19 Apr 2007 05:23:00 -0500</pubDate>
                                        <link>https://www.openrce.org/blog/view/711/Back_from_the_dead_and_I_have_scope_images_with_me...</link>
                                        <author>luis &lt;email-suppressed@example.com&gt;</author>
                                                    <description>These images were taken with an oscilloscope. The bit stream shown uses a simple protocol to send data over RF. The wide image was made by cut/pasting various ones together. I used the parallax USB scope. While the supported bandwidth seems low, it is quite good at the low rate bit streams used in simple RF devices.&lt;br /&gt;&lt;br /&gt;&lt;img id=&quot;BLOGGER_PHOTO_ID_5055100198848949186&quot; height=&quot;226&quot; alt=&quot;&quot; src=&quot;http://4.bp.blogspot.com/_Un0PYSRiWRU/RidS2Qhl68I/AAAAAAAAAAU/4g3JDW0Azak/s320/left_large.jpg&quot; width=&quot;432&quot; border=&quot;0&quot; /&gt;&lt;br /&gt;&lt;img id=&quot;BLOGGER_PHOTO_ID_5055100533856398290&quot; alt=&quot;&quot; src=&quot;http://2.bp.blogspot.com/_Un0PYSRiWRU/RidTJwhl69I/AAAAAAAAAAc/lSejB6GaUaY/s320/newpgdown_data.jpg&quot; border=&quot;0&quot; /&gt;&lt;br /&gt;The images are part of the talk I'm doing at CanSecWest this evening.&lt;br /&gt;&lt;br /&gt;Other Wireless New Ways to Get Pwned&lt;br /&gt;The talk doesn't cover 802.11 or Bluetooth. Rather the talk focuses on RF devices such as wireless presenters, mice, and a little about keyboards. The attacks are done in hardware by sniffing and injecting communication between chips.</description>
                    </item>
                <item>
            <title>Moving Along ...</title>
                            <pubDate>Mon, 24 Jul 2006 16:41:00 -0500</pubDate>
                                        <link>https://www.openrce.org/blog/view/375/Moving_Along_...</link>
                                        <author>luis &lt;email-suppressed@example.com&gt;</author>
                                                    <description>I figured out what I was doing wrong in regards to my AbstractValue and stack emulation. My AbstractValue type was trying to do too many things. I removed the internal array storage and it can now only hold one value. Pointers can hold references to an array of AbstractValues. These changes force the creation of buffers outside of the class, which avoids the circular creation problem, greatly simplifying the class.&lt;br /&gt;&lt;br /&gt;The ideal time to refactor seems difficult to gauge. Although when you absolutely need to refactor, the code will definitely let you know. Things are moving fast as I am decoding various opcodes. Btw, this &lt;a href=&quot;http://sandpile.org/&quot;&gt;site&lt;/a&gt;&amp;nbsp;&amp;nbsp;has the best x86 opcode reference. &lt;br /&gt;&lt;br /&gt;I will soon put up the promised pdb internals as well as some ideas I'm working on regarding C++ RE.</description>
                    </item>
                <item>
            <title></title>
                            <pubDate>Fri, 21 Jul 2006 13:49:00 -0500</pubDate>
                                        <link>https://www.openrce.org/blog/view/373/</link>
                                        <author>luis &lt;email-suppressed@example.com&gt;</author>
                                                    <description>I've been working on the static analysis code for &lt;a href=&quot;http://www.blackhat.com/html/bh-usa-06/train-bh-us-06-mh.html&quot;&gt;BlackHat&lt;/a&gt; using TDD and C#. I started emulating the stack as part of a customer test that related to tracking tainted values. The customer test involves dereferencing argv, which is user supplied and tainted. &lt;br /&gt;&lt;br /&gt;I have been using a type AbstractValue consisting of a Byte[] for storage. Now I need to also hold a taint property (Boolean) for each cell in the buffer representing argv. I changed the storage to an array of AbstractValues. It compiled, but trying to run it killed sharpdevelop and nunit-gui. It turned out to be a stack overflow caused by recursion in the constructor.&lt;br /&gt;&lt;br /&gt;I have the feeling I'm doing too much with this type, storing values, pointer representation, and buffer emulation.&lt;br /&gt;&lt;br /&gt;Subclasses seem like the next step, but then several places in the code would have to check to see what type something is before dealing with it. Matt would probably know what to do, but he can't give me any concrete direction. &lt;br /&gt;&lt;br /&gt;I'll call him later and make another post about his thoughts and the solution (if I come up with one).</description>
                    </item>
                <item>
            <title></title>
                            <pubDate>Tue, 11 Jul 2006 04:15:00 -0500</pubDate>
                                        <link>https://www.openrce.org/blog/view/361/</link>
                                        <author>luis &lt;email-suppressed@example.com&gt;</author>
                                                    <description>This is going to be a busy summer. I am helping my friend &lt;a href=&quot;http://www.clock.org/~matt/&quot;&gt;Matt&lt;/a&gt; with some &lt;a href=&quot;http://www.blackhat.com/html/bh-usa-06/train-bh-us-06-mh.html&quot;&gt;training&lt;/a&gt; at BlackHat. The training covers binary static analysis concepts and implementation. Matt can't write any implementation code for various reasons, but he is driving the development with slides from the class and test binaries.&amp;nbsp;&amp;nbsp;I will be writing all the code for the class. I'm using it as an opportunity to learn C# and test driven development. &lt;a href=&quot;http://wiki.yak.net/535&quot;&gt;Matt's&lt;/a&gt; blog has some preparatory material for the class, which I used to learn the basics of C# and TDD. I will be adding some material here as well.&lt;br /&gt;&lt;br /&gt;I am also speaking at defcon. The first &lt;a href=&quot;http://www.defcon.org/html/defcon-14/dc-14-speakers.html#Miras&quot;&gt;talk&lt;/a&gt; is entitled: Bridging the Gap between Static and Dynamic Reversing. The talk will cover ways to use static disassembly and runtime debugging together to yield better results. In order to make this easier, I'll be releasing a couple of IDA Pro plugins.&lt;br /&gt;&lt;br /&gt;pdbgen - This plugin takes symbolic information from IDA and generates custom pdb files. Microsoft does not document the internal format of pdb files. I will be publishing some internal details here as I discover them.&lt;br /&gt;&lt;br /&gt;REdress - This plugin will reinsert debug information into ELF files. The name comes from &lt;a href=&quot;http://lcamtuf.coredump.cx/fenris/&quot;&gt;fenris&lt;/a&gt; written by Michal Zalewski. In fenris he included a program called dress (opposite of strip) to reinsert library information into files using detection methods similar to FLIRT.&lt;br /&gt;&lt;br /&gt;For the other two talks, I will also be working with Matt. The &lt;a href=&quot;http://www.defcon.org/html/defcon-14/dc-14-speakers.html#Hargett&quot;&gt;first&lt;/a&gt; one is a very condensed version of the training. The &lt;a href=&quot;http://www.defcon.org/html/defcon-14/dc-14-speakers.html#Hargett2&quot;&gt;second&lt;/a&gt; talk is on pair programming and tdd. People that want to participate in pair programming sessions on the code should attend both talks and take a look at some of the preparatory material &lt;a href=&quot;http://wiki.yak.net/712&quot;&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;See ya in Vegas!</description>
                    </item>
            </channel>
</rss>
