call dwerd ptr [6c756973]

Monday, July 24, 2006

Moving Along ...

I figured out what I was doing wrong in regards to my AbstractValue and stack emulation. My AbstractValue type was trying to do too many things. I removed the internal array storage and it can now only hold one value. Pointers can hold references to an array of AbstractValues. These changes force the creation of buffers outside of the class, which avoids the circular creation problem greatly simplifying the class.

The ideal time to refactor seems difficult to gauge. Although when you absolutely need to refactor, the code will definitely let you know. Things are moving fast as I am decoding various opcodes. Btw, this site has the best x86 opcode reference.

I will soon put up the promised pdb internals as well as some ideas I'm working on regarding C++ RE.

Friday, July 21, 2006

I've been working on the static analysis code for BlackHat using TDD and C#. I started emulating the stack as part of a customer test that related to tracking tainted values. The customer test involves dereferencing argv, which is user supplied and tainted.

I have been using a type AbstractValue consisting of a Byte[] for storage. Now I need to also hold a taint property (Boolean) for each cell in the buffer representing argv. I changed the storage to an array of AbstractValues. It compiled, but trying to run it killed SharpDevelop and nunit-gui. It turned out to be a stack overflow caused by recursion in the constructor.

I have the feeling I'm doing too much with this type, storing values, pointer representation, and buffer emulation.

Subclasses seem like the next step, but then several places in the code would have to check to see what type something is before dealing with it. Matt would probably know what to do, but he can't give me any concrete direction.

I'll call him later and make another post about his thoughts and the solution (if I come up with one).
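As an added illustration (not the author's BlackHat class code), here is one way the single-value design described in the July 24 post above plays out against the argv customer test described in this post. AbstractValue is the page's own type name; PointsTo, Deref, Buffer, EmulatedStack and ArgvDerefIsTainted are names assumed for the example. The point is that a value never constructs another value in its constructor: buffers are built outside the class, and a pointer only stores a reference to one, so the recursive-constructor overflow cannot happen.

```csharp
using System;
using System.Collections.Generic;

// Added example, not the author's or the class's code. An AbstractValue holds exactly
// one value plus a taint flag. A pointer is an AbstractValue whose PointsTo field
// references a buffer (AbstractValue[]) created outside the class.
public sealed class AbstractValue
{
    public uint Value { get; }
    public bool IsTainted { get; }
    public AbstractValue[] PointsTo { get; }   // null unless this value is a pointer (assumed name)

    // Plain value: no other AbstractValue is constructed here.
    public AbstractValue(uint value, bool tainted = false)
    {
        Value = value;
        IsTainted = tainted;
        PointsTo = null;
    }

    // Pointer: stores a reference to an existing buffer plus an offset into it.
    public AbstractValue(AbstractValue[] target, uint offset = 0)
    {
        PointsTo = target ?? throw new ArgumentNullException(nameof(target));
        Value = offset;
        IsTainted = false;   // the address itself is not user data; the cells may be
    }

    public bool IsPointer => PointsTo != null;

    // Dereference: the result is the buffer cell, so it carries that cell's taint.
    public AbstractValue Deref(uint index = 0)
    {
        if (!IsPointer) throw new InvalidOperationException("dereference of a non-pointer");
        long cell = (long)Value + index;
        if (cell < 0 || cell >= PointsTo.Length)
            throw new IndexOutOfRangeException("out-of-bounds dereference");
        return PointsTo[cell];
    }

    // Taint propagates through arithmetic: the result is tainted if either input is.
    public static AbstractValue Add(AbstractValue a, AbstractValue b) =>
        new AbstractValue(unchecked(a.Value + b.Value), a.IsTainted || b.IsTainted);

    // Buffers are created here, outside any constructor, one independent cell each.
    public static AbstractValue[] Buffer(int size, bool tainted)
    {
        var buf = new AbstractValue[size];
        for (int i = 0; i < size; i++) buf[i] = new AbstractValue(0, tainted);
        return buf;
    }
}

// Minimal stack emulation: a LIFO of AbstractValues (assumed helper).
public sealed class EmulatedStack
{
    private readonly Stack<AbstractValue> cells = new Stack<AbstractValue>();
    public void Push(AbstractValue v) => cells.Push(v);
    public AbstractValue Pop() => cells.Pop();
    public int Depth => cells.Count;
}

public static class Program
{
    // Customer test from this post: dereferencing argv yields tainted values.
    public static bool ArgvDerefIsTainted()
    {
        // argv[0] points at a user-supplied string, so every cell of it is tainted.
        AbstractValue[] arg0 = AbstractValue.Buffer(16, tainted: true);
        AbstractValue[] argv = { new AbstractValue(arg0) };

        var stack = new EmulatedStack();
        stack.Push(new AbstractValue(argv));          // push argv as main()'s argument
        AbstractValue argvPtr = stack.Pop();
        AbstractValue firstArg = argvPtr.Deref(0);    // argv[0]
        AbstractValue firstChar = firstArg.Deref(0);  // argv[0][0]

        // Something computed from a tainted byte stays tainted; a constant does not.
        AbstractValue derived = AbstractValue.Add(firstChar, new AbstractValue(1));
        AbstractValue constant = new AbstractValue(42);

        return firstChar.IsTainted && derived.IsTainted
            && !constant.IsTainted && !argvPtr.IsTainted && stack.Depth == 0;
    }

    public static void Main()
    {
        Console.WriteLine(ArgvDerefIsTainted() ? "argv deref is tainted: PASS" : "FAIL");
    }
}
```

Splitting "holds one value" from "owns a buffer" is what removes the circularity: a buffer cell is just another AbstractValue, and the only object that knows about the array is the pointer that references it.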

Monday, July 17, 2006

TDD and me

I have been learning TDD using the resources here: [1][2][3]

Why am I learning TDD?

I have always heard that TDD is really slow and requires you to do obvious tests for the sake of testing.

I wanted to try it out and see what it is like. Was it slow?
Yes at first, omg was it slow! To be honest, part of this may be related to my inexperience in C#. Eventually I got much faster at coding with fewer mistakes, which is the goal of any new programming method.

Nothing is for free. There is definitely a period of time when TDD is slower. It can be similar to learning any new method or technique.

There have always been detractors to new methods.

"Assembly is for true coders. C is for suckas"

"C++ and OOP are useless"

"Managed code is too slow for real programs"

etc...

The truth lies between detractors and proponents.

Back to the slowness. I thought it was slow at first until I noticed that I wasn't debugging anything. I was running code and tests but hadn't started a debugger at all -- everything basically just works.

I have no aversion to debuggers and assembly. Even when looking at someone else's software that has src, I usually open it in IDA first.

I've spent many a time in a debugging session only to find out that like Michael Bolton from Office Space, “I always mess up some mundane detail!”

I am not under the illusion that TDD will get rid of all mistakes.

So far I like:
- testing each module of an app independently
- customer tests specify functionality allowing clean room implementations
- confidence from knowing sections of the code are fully tested

Not sold on yet:
- the design as you go concept
- the "simple" tests

I'll see how it goes as I move into more complicated code.

Tuesday, July 11, 2006

This is going to be a busy summer. I am helping my friend Matt with some training at BlackHat. The training covers binary static analysis concepts and implementation. Matt can't write any implementation code for various reasons, but he is driving the development with slides from the class and test binaries. I will be writing all the code for the class. I'm using it as an opportunity to learn C# and test driven development. Matt's blog has some preparatory material for the class, which I used to learn the basics of C# and TDD. I will be adding some material here as well.

I am also speaking at defcon. The first talk is entitled: Bridging the Gap between Static and Dynamic Reversing. The talk will cover ways to use static disassembly and runtime debugging together to yield better results. In order to make this easier, I'll be releasing a couple of IDA Pro plugins.

pdbgen - This plugin takes symbolic information from IDA and generates custom pdb files. Microsoft does not document the internal format of pdb files. I will be publishing some internal details here as I discover them.

REdress - This plugin will reinsert debug information into ELF files. The name comes from fenris, written by Michal Zalewski. In fenris he included a program called dress (the opposite of strip) to reinsert library information into files using detection methods similar to FLIRT.

For the other two talks, I will also be working with Matt. The first one is a very condensed version of the training. The second talk is on pair programming and TDD. People who want to participate in pair programming sessions on the code should attend both talks and take a look at some of the preparatory material here.

See ya in Vegas!

REcon was great: good talks and good people. If you haven't attended, you should definitely go next year. The presentations are up on their site.

I talked about patching bugs, security or otherwise, in binaries. I used my phone's buggy camera software as an example.

The AKU 2.2 update for my WM5 phone was recently released. Included in the update is a new version of camera.exe. HTC fixed the corrupt Exif header bug.

I still patch the binary to avoid the inclusion of the owner name in the Exif header.

Tuesday, July 04, 2006

¡Viva la REvolución!