Programming stuff

Last Friday I was debugging random programs I found on my hard drive when I saw this:

Apparently µtorrent is sending lots of unrelated data back to the µtorrent servers when checking for program updates. I wanted to know what. Google was not very helpful. A thread in the official forum was all I found and that thread did not exactly have a lot of information. Apparently I had to figure out things myself.

Unfortunately it turned out that µtorrent is sending a lot more data than can be seen in the screenshot so this little project took longer than originally planned. In fact I am only 90% done but I don't want to put any more time into this. One weekend is already too much time spent on this. So, here's what I figured out.

Continue reading "Data sent home by µtorrent"

I'll be on vacation in San Francisco between November 4th and November 17th. If anybody wants to meet up there, please contact me in some way (see the side bar on the right hand side of this page). Possible reasons for hanging out with me include but are not limited to:

• You work for a cool company and feel like showing me around your office.
• You work on a cool product/technology and feel like I should see it.
• You think I work on cool stuff and want to talk about it.
• You want to talk about reverse engineering, binary code analysis, hacking NES games or anything related to that.
• You want to get a BinNavi product pitch.
• You want me to see some special place or event in San Francisco.

To waste some time today I played some Super Mario Bros 3 on my Wii. I only made it trough three levels before I reached the first Toad House. Upon receiving the item from Toad I decided to investigate something I've wanted to know for, I don't know, maybe 15 years. How exactly does the game decide what item you receive? I remember as a child that people playing Super Mario Bros 3 did the weirdest stuff in Toad Houses to improve their item karma. Running around, doing weird jumps, whatever.

Anyway, I really wanted to know when the game decides what item you receive and how it decides that. Does the game already know what item you receive as soon as you enter the Toad House? Are the items placed in the boxes when you enter the Toad House? Does it do any other weird stuff?

Continue reading "Toad Houses Disassembled"

Good news from the BinNavi front. For one, our GDB Agent which connects BinNavi with arbitrary GDB servers is now working on Linux. Since that was the last part of BinNavi which had to be used from Windows, all parts of BinNavi are now usable from Linux. Even cooler news is that we have made the Cisco router emulator Dynamips work with the GDB Agent. It is now possible for users of BinNavi to use the GDB server of Cisco devices emulated on Dynamips. This has a wide range of applications for situations where people had to work with physical devices in the past even though Dynamips would have been sufficient.

Out of the box, the GDB server of Cisco devices is not emulated properly by Dynamips. There were two issues that had to be fixed in the Dynamips code:

• Once the GDB server was active, the console of the Cisco device froze and GDB would neither send nor accept commands
• The single-step flag was not honored by the emulator, making single-stepping impossible

I have created a patch that solves these two issues. You can download the patch file here. Once this patch is applied to the Dynamips source code, the GDB server of the Cisco 2600 router I used for testing works like a charm and BinNavi can use the GDB server for debugging the emulated device.

Here are some impressions of BinNavi debugging the emulated Cisco 2600 router.

The first screenshot was taken shortly after attaching to the GDB server. You can see the "trap" instruction at offset 0x8021CCAC. When you attach to the GDB server for the first time, this is where the debugger halts.

Then I single-stepped a few times to leave the function in the first screenshot. The second screenshot shows another smaller function where you end up after leaving the first function.

The third screenshot shows a bigger function. In this function I told BinNavi to record all basic blocks which are ever executed and then I resumed the debugger. The result can be seen in the Trace log in the lower part of the window. The address of each basic block hit during execution is shown there in the order in which the basic blocks were hit. Double-clicking on the trace selects all basic blocks that were hit in the graph. This makes it very easy to get a quick code coverage analysis to see what basic blocks were executed and those that were not.

So I finally got around to writing a review for Justin Seitz's new No Starch Press book Gray Hat Python (Official Website / Amazon). Unlike the other No Starch Press books I reviewed in the last months my copy of Gray Hat Python is not a free review copy. I actually bought Gray Hat Python because I wanted to support Justin Seitz who I met at this year's CanSecWest conference for the first time. And because Justin seems to be a pretty nice guy I will punch a bit harder in this review than I usually do (unless the reviewed book really sucks) by giving unsolicited advice on how to improve the book for the second edition.

What is Gray Hat Python all about? The back cover of the book describes it like this: "Gray Hat Python explains the concepts behind hacking tools and techniques like debuggers, trojans, fuzzers, and emulators." And all of that using Python code and popular Python libraries. How awesome is that? Pretty awesome I thought when I first heard about the book. So awesome in fact that several months before the book was published I actually sent Justin an email asking him if everything's fine because I was concerned that the publisher is imposing stuff on him which could lead to a shitty book (see: Reverse Engineering Code with IDA Pro; if you ever meet any of the authors of that book ask them to tell you just how much Syngress sucks; it's an entertaining story).

Continue reading "Book Review - Gray Hat Python"

Growing Software - Proven Strategies for Managing Software Engineers (Amazon / Official Website) written by Louis Testa is the latest No Starch Press book I received a free review copy of (thank you No Starch Press). Imagine that you are working for a mid-sized software development company and you were recently promoted to become the manager of a small development team. Now you have to figure out how to plan and schedule the software development process and how to manage the people in your team. Growing Software wants to assist you with this.
Continue reading "Book Review - Growing Software"

Staying true to our 6 months release cycle we will probably release BinNavi 2.1, the latest version of our binary code reverse engineering tool, next week. After BinNavi 1.5 and BinNavi 2.0 this is the third release of BinNavi I have been in charge of. I want to take this opportunity to talk about the features I like most in BinNavi 2.1. You can actually find a more or less complete list of what is new in BinNavi 2.1 compared to BinNavi 2.0 over here.

Continue reading "An unconnected string of thoughts about BinNavi 2.1"

A few months ago my friend Rolf Rolles created the Reverse Engineering reddit. It's pretty awesome. It focuses on random reverse engineering related articles and lots and lots of academic papers, mostly for static code analysis. The submission quality is pretty high (or the moderators reject a lot of submissions, I don't really know). So just in case you are not aware of this reddit yet, I suggest you hop over there and subscribe to it.

While we are at it, for those of you stalking me already. I have a Twitter account now. That should make your job easier.

Continue reading "A flurry of Web 2.0"

In late 2008 Raoul Chiesa, Stefania Ducci, and Silvio Ciappi published an interesting book called Profiling Hackers (Amazon). The idea behind this book is simple: Police officers use profiling to find criminals. Hackers often do illegal things. Police officers therefore need to profile hackers. Most police officers do not have a clue about hackers though. On 240 pages divided into seven chapters this book tries to help them by explaining what Hackers are like.

Continue reading "Book Review - Profiling Hackers"

In a bit less than two weeks I will be attending CanSecWest 2009. If anybody wants to meet me there to talk about reverse engineering, static code analysis, BinNavi, or why Sierpinski triangles are tools of the devil please contact me. You can find my contact information on the right side of this website.

If you do not want to talk about any of the above, you can still watch my talk and tell me your opinion about it. This would be much appreciated. Thank you.

A few days ago I complained about the incredibly awkward IT Security Girl of the Year award that will be dished out later this year at the French IT security conference FRHACK. Apparently the FRHACK organizers did not like what I wrote because they are now threatening to sue me if I do not remove the screenshot of the incredibly inappropriate photos they used to advertise the IT Sec Girl award. The following sentence is from an email I received from one of the FRHACK organizers.

We just ask you to remove this picture http://www.the-interweb.com/bdump/misc/itsec_girl.jpg because these pictures are copyrighted. Thanks to delete your screenshot or we will take legal action.

After I received this email I was incredibly annoyed. It's less about them requesting me to take down the screenshot though. I was more annoyed with their reply in general. In no way did they even bother to address the issue I complained about. This would have been the perfect time to show some character. They could have discussed their point of view. They could have apologized for their mistakes. They could have told me to stuff it (in case they think their point of view is correct; which apparently they don't because they changed their website). All of these (and more) would have been perfect ways to show some personal responsibility and the whole issue would be finished from my point of view.

But that's not what happened. Instead they sent me this incredibly limp-dicked legal threat which I believe to be more about removing evidence that documents their failures than about any legit copyright issues. The passive-aggressive vibes I am getting from this (and the fact that I am allergic to legal threats) piss me off so much that I need to complain about this publicly. I hope I will never have the displeasure to meet any of the FRHACK organizers in real life.

Now the thing is, I do not have the time or the resources to fight their legal threat. I will take down the screenshot in the next few days (probably at one point between now and next Wednesday; whenever I feel like it).

Update: Looks like the screenshot stays on my website. See the end of the original post for a detailed update.

Update 2: Please check out the comments made by the FRHACK team in response to this post. This should clear some things up.

Today I am going to break with the spirit of this website. This entry is not about Programming Stuff as advertised in the title of my blog. Today I am going to complain about something which is only very casually related to Programming Stuff. In some way it is kind of similar to when CmdrTaco used the Slashdot front page to complain about Blizzard making him change his WoW name. It's my website and I post what I want. So if you came here expecting new Programming Stuff you can hit the Back button of your browser now.

Anyway, let's start. I woke up this morning and saw that someone I know will attend the French IT Security conference FRHACK. I began to browse the FRHACK website. I checked out the Events section. I came across something called Best IT Security Girl of the Year. For a split-second I was amused about this obvious little satirical reflection about the role of women in IT and especially IT Sec. I quickly scrolled around to find the IT Security Boy of the Year. There was no such award. It dawned on me that the IT Sec Girl of the Year award is actually a serious award and I started to feel sick.

Continue reading "IT Security Girl of the Year"

A few weeks ago I read some Reverse Engineering related blog which I can't remember right now and my Google-Fu is failing me too or I would link to it. Anyway, in one of the comments on that blog, the book Dumps, Bugs and Debugging Forensics - The Adventures of Dr Debugalov (Amazon) was mentioned. Since the book title and its cover amused me a lot and I can't spend all of my money on hookers and blow I quickly grabbed a few Benjamins from my money bin and bought the book without checking out what it is actually about.

Some days later it arrived and I was surprised. The book is actually a comic book. It is a compilation of the comics you can find here. As you can see, the comics are not especially well-drawn and they're nearly completely unfunny to boot. OK, four or five of the comics in the book are actually funny. The other 40 or so are not. The problem is obvious. There are only so many good jokes you can make about debugging (and to be honest, I debug a lot of stuff and I know very few good jokes about debugging). About four years and 100 blog entries ago, I complained about the ridiculous puns in the book C++ Coding Standards. The Dr Debugalov book suffers from exactly the same problem. Except that the Dr Debugalov book has (nearly) no content except for the puns in comic form. This magnifies the problem to the point where it's getting painful.

Talking about ridiculous puns. The pages of the book do not just contain comics. Every single page also features a more or less famous quote that has been reworked (by replacing or inserting words) to turn it into a quote about debugging. After reading approximately 20 of these so called bugtations I wanted to shoot myself.

So yeah, what to recommend. You should probably buy the book, rip off the cover (which is really cute), frame it and hang it onto the wall of your little cog-in-the-machine cubicle or wherever you are working. The rest of the book can quickly be discarded.

I am going to attend the Chaos Communication Congress 2008 in two weeks. People who want to meet me there to talk about BinNavi, Hexer, static code analysis, reverse engineering in general, or why the movie Hackers is more realistic than most people think, please contact me using one of the options you can find on the navigation bar on the right side of this page.

Here's something amusing. I spent the first half of the day writing a short Haskell program which generates x86 instructions in MASM syntax. The program generates all variants of the non-privileged instructions from the opcodes.chm file of the MASM32 package. This means that the instruction generator is not complete at all. FPU, MMX, SSE and other newer-than-x486 instructions are not covered. Nevertheless the generator already generates nearly 150,000 different x86 instructions.

When assembled with MASM32 the resulting file is more than 600 KB big. Trying to disassemble this thing with a few standard disassemblers turns out to be a problem. IDA fails to disassemble an instruction after maybe 5% of the executable and never manages to recover afterwards. Lots of manual help is necessary to convince IDA to go on. OllyDBG manages to disassemble that instruction but has huge gaps at many, many other points of the disassembly. The created file is an interesting test file for x86 disassemblers I'd say.

The Haskell program is just about 300 lines long. 280 of those lines are the definitions of  the instructions and what operands they can take. The generation of the instructions from the instruction definitions is just 20 lines and all but 8 lines are not even strictly necessary. I love Haskell's expressiveness.

Anyway, click here to see the Haskell source or click here to download the whole package including the Haskell program (source + EXE), the generated output of the Haskell program, a MASM32 source file that can be used to assemble the test file, and the test file EXE itself.