
Cheating in Single-Player Freemium Games

About 15 days ago I bought the game Muffin Knight for $2.99 from the Android Market. Muffin Knight is a freemium game. Maybe that's not a completely precise label due to the $2.99 upfront cost but the point is that there is an in-game currency that players can purchase more of with real dollars. This in-game currency, stars, is used to level up your characters, to acquire new skills, and to increase your health points. Usually you get 1 star for each level you reach. A back-of-the-hand calculation reveals that you would need about 150 stars to unlock everything. That's quite a lot of levelling.

About 15 years ago I was young and very interested in cheating in computer games. In fact - and literally nobody who reads this blog post knows this - the first app I wrote for public consumption was a cheat database. Its competitive advantage over other cheat databases was that mine had a save game patching engine. It allowed you to patch save game files for games included in the database and it allowed you to extend that engine with your own save game cheats. The commercial success of this program was $10, a pity buy from a friend. Its social success was worse, as one of my school teachers commented in my website guestbook. This was considered deeply uncool at the time. Later I also wrote a few game trainers (the ones where you get extra money by pressing certain key combinations) for Windows games.

Nowadays, while playing Muffin Knight, I am starting to feel an old itch again that I have not felt in a while. I am now a level 62 Muffin Knight with most expensive things unlocked. I need about 50 more stars to unlock the rest just to reach the feeling of having beaten the game completely. 50 stars go for $4.99 if I buy them the official way or they go for nothing if I modify the save game. I have not actually looked into modifying Muffin Knight save games yet but according to http://forum.xda-developers.com/archive/index.php/t-1395221.html save games can be traded so I don't see why they could not be modified. And even if they could not be modified, I have plenty of means to change the program code of Muffin Knight or modify the memory of the running process. In the end, I am sure that I could get the 50 stars for free using some sort of cheat technique.

I am wondering what the moral implications of this are. Back in the old days, I only wrote cheats and trainers for single-player games. Using such cheats never hurt anybody. The game developers had already been paid. The lack of other players meant that only the player who chooses to cheat is affected. Everything is morally in the clear here. But what about freemium single player games like Muffin Knight? I already paid $2.99 to get the game. Does that make it OK to use cheats to access in-game content?

Let's separate things out a bit. There are freemium games like Muffin Knight and there are freemium games like Paradise Island and Tap Fish. Their freemium mechanics are very similar with one significant difference. Muffin Knight is structured kind of like Diablo 2. Getting everything in these games is an unbearable grind but it's possible. Getting everything in Paradise Island or Tap Fish is basically not possible unless you reach a biblical age or punch your credit card number into the right form. I call games from the second category 'unsafe for children scam apps'. They are really just wallet openers hiding behind pretty colors. If anybody cheats in games of this category I am not going to shed a single tear.

Now I am wondering what the closest analogy of freemium content to games of 15 years ago is. I think an optionally purchasable piece of in-game content is closest to an expansion pack. It's a tiny expansion pack but it is one. You pay money to add something to the game. Think of the purchased stars in Muffin Knight as less of an in-game currency and more of what you can get for them: three extra classes and more health points. From this point of view I would have a problem cheating in Muffin Knight. The developers offer an expansion pack for purchase, and cheating my way into having it is no different from downloading an old PC game expansion pack off some torrent site.

I think for now I will keep grinding Muffin Knight but I am interested in what other people think about this.

I have also noticed a disturbing lack of cheats for Android games which might tie in with the general theme of this topic. What's the deal here? Lack of tools, lack of interest, problems with morality of stealing freemium content? Tools are available, Dalvik is easy to understand. It's been a long time since getting into game cheating has been so easy.

Book Review: Metasploit - The Penetration Tester's Guide

Recently I received a free review copy of Metasploit - The Penetration Tester's Guide from No Starch Press. I was pretty excited about the book because I had not worked with Metasploit before, even though I have followed the Metasploit development for a long time. For those who do not know, Metasploit is a "free open-source penetration testing solution developed by the open source community and Rapid7". Originally started by HD Moore in 2003, it also doubles as one of the world's largest open-source Ruby projects.

Written by the four authors David Kennedy, Jim O'Gorman, Devon Kearns, and Mati Aharoni, this new book aims to "teach you the ins and outs of Metasploit and how to use the Framework to its fullest" while also acknowledging that their "coverage is selective". They set out to live up to that aim on roughly 300 pages divided into 17 chapters and two appendices. The individual chapters are 'The Absolute Basics of Penetration Testing' (6 pages), 'Metasploit Basics' (8 pages), 'Intelligence Gathering' (20 pages), 'Vulnerability Scanning' (22 pages), 'The Joy of Exploitation' (18 pages), 'Meterpreter' (24 pages), 'Avoiding Detection' (10 pages), 'Metasploit Auxiliary Modules' (12 pages), 'The Social-Engineering Toolkit' (28 pages), 'Fast-Track' (14 pages), 'Karmetasploit' (8 pages), 'Building your own Module' (12 pages), 'Creating your own Exploits' (18 pages), 'Porting Exploits to the Metasploit Framework' (20 pages), 'Meterpreter Scripting' (17 pages), and 'Simulated Penetration Test' (16 pages).

As you can see, due to the small number of pages and the high number of chapters there is not a lot of meat per chapter. In fact, roughly one-third of the book is console output listings or screenshots. That means you can subtract one-third of the pages of each chapter to get a more accurate estimate of the information provided in each chapter. It also means that you will read roughly 100 pages of console output over the course of the book. In the beginning I made an effort to do that but after a while this gets ridiculously boring and I began skipping most console output.

There is a reason for the huge amount of console listings you are expected to read. The book is a cook book, not a compendium. Throughout the book, you are basically told to 'enter <somestring> and hit enter' or 'click menu X' and then they show the console listing of what output you can expect. Between being told what to enter and output dumps to expect, there is little space left for any in-depth background discussion of what is actually going on. Now, I learned to write code using these sorts of books and it worked out well for me so if you are at that stage of your professional life you might appreciate this writing style. I have moved on to prefer compendium style books though.

Another issue I noticed is probably the result of having different authors write individual chapters of the book seemingly without much coordination. The assumed skill level of the reader is confusing and non-linear. Here is an example. At the beginning of chapter eight (Exploitation using Client-Side Attacks), the authors spend a whole paragraph explaining the x86 instruction NOP starting with the phrase "NOPs are covered in detail in chapter 15 [in itself the funniest phrase of the book, nearly as absurd as my long-time favorite 'There aren't actually physical rings on the microchip' from Greg Hoglund's rootkit book], but we'll cover the basics here...". Just a few pages later (and again in chapter 14), without explaining other x86 instructions before, the reader is expected to understand complete Immunity Debugger code listings. Only in chapter 15 - after you were supposed to create your own exploits in chapter 14 - do the authors explain things like 'EIP and ESP registers' or 'The JMP Instruction Set'. The order of assumed and explained knowledge of x86 assembly code is completely out of whack.

Before starting the book I expected to read in-depth information about the internals of the Metasploit framework itself and less cook book style. This might have been a wrong assumption since it's the penetration tester's guide after all, not the contributor's guide. The good news is that the last few chapters kind of go into that direction and were more interesting to me. Starting with chapter eight, the content of the chapters moves away from pure usage of Metasploit to extending Metasploit. Especially the chapters 14 and 15 about creating your own exploit and adding it as a module to the Metasploit framework were enjoyable.

Let's take a closer look at those two chapters. In chapter 14, the authors explain how you can use Metasploit as a fuzzer. The target of the chapter is a known vulnerable version of SurgeMail. Once the fuzzer hits the expected crash, they walk you through the bug and instruct you how to control the SEH chain to get to remote code execution and how to structure the shellcode. In the end, a new module is created to add this exploit to Metasploit. At the beginning of chapter 15 - after writing a SEH overwrite exploit - you finally learn about ESP, EIP, JMP and NOP. Afterwards the authors take an existing MailCarrier exploit written in Python and port it to Metasploit. Even though I liked those two chapters I have to wonder whether both are necessary (they are really similar) or whether the order of the two chapters was supposed to be different at first.

In general, while the first edition of the book is rocky, not all is lost for a second edition. The authors are clearly knowledgeable and touch upon large parts of the Metasploit framework. It's just that they favored breadth over depth. My recommendation would be to find a way to seriously cut down on the console output listings to improve the flow of reading, to give more in-depth background knowledge instead of mostly cookbook style instructions (think of the IDA Pro book as a positive example), and to make a clear model of what skill level you are targeting in the reader. I think it is safe to assume that the average reader of a penetration testing book knows what a NOP is. Even more so after implementing a SEH exploit earlier in the book.

Release of SWFRETools 1.3.0

It's only been two weeks since I released version 1.2.0 of my SWF reverse engineering tools collection SWFRETools and here is already the next version. This new version 1.3.0 focuses primarily on allowing users to pass command line arguments to Flash Dissector to do useful things like unpack compressed SWF files or dump the content of SWF files to stdout. The latter is very useful because it is easier to understand disassembled ActionScript code when you have it in a real code editor instead of the (still) crude GUI of Flash Dissector. Here is an example of what the output of such a dump looks like.

The official list of changes:

  • Feature: It is now possible to dump the content of a SWF file to stdout by doing 'dissector.jar -dump <input file>'.
  • Feature: It is now possible to decompress SWF files by doing 'dissector.jar -decompress <input file> -o <output file>'.
  • Feature: It is now possible to open files in SWF Dissector from the command line doing 'dissector.jar <file1> <file2> ... <filen>'.
  • Feature: Function bodies defined by the ActionScript 2 functions DefineFunction and DefineFunction2 are now aligned better in the GUI to improve readability of the code.
  • Feature: Individual elements of a SWF file can now be dumped to a new file by right-clicking on the elements in the main tree of the GUI.
  • Bugfix: Fixed a bug in the Minimizer that prevented it from working with compressed SWF files.

As usual you can download the SWFRETools from GitHub. If you find bugs or want features to be added to the SWFRETools, please open issues on GitHub. I am thankful for any kind of feedback I get.

Release of SWFRETools 1.2.0

I have just made version 1.2.0 of my SWF reverse engineering tools collection SWFRETools available for download. This release focused on improving the disassembly quality of ActionScript 2 code after a user reported some issues last Friday. Specifically the changes I made are:

- Feature: Made parsing of files more robust. This became necessary after the recent spike in obfuscated ActionScript code malware.
- Feature: Unknown ActionScript 2 instructions are now shown in the GUI with their action code.
- Feature: In ActionScript 2 code, the jump target of ActionIf instructions shown in the GUI is now the adjusted address instead of the raw relative address. This makes it easier for the user to find out where a jump is going.
- Feature: In ActionScript 2 code, the jump target of ActionJump instructions shown in the GUI is now the adjusted address instead of the raw relative address. This makes it easier for the user to find out where a jump is going.
- Feature: Strings defined in ActionScript 2 ConstantPool actions are now surrounded by quotes to make them more readable.
- Feature: When ActionScript 2 code is shown in the GUI, registers pushed by ActionPush are now easily distinguished from pushed integers.
- Feature: When ActionScript 2 code is shown in the GUI, constants pushed by ActionPush are now easily distinguished from pushed integers.
- Feature: When ActionScript 2 code is shown in the GUI, strings pushed by ActionPush are now easily distinguished from pushed integers.
- Bugfix: In previous versions, the ActionScript 2 actions belonging to a DoAction tag were not shown in the Flash Dissector tree. This has been fixed.
- Bugfix: In previous versions, the ActionScript 2 actions belonging to a DoInitAction tag were not shown in the Flash Dissector tree. This has been fixed.
- Bugfix: The constant list defined by an ActionScript 2 ConstantPool instruction is now better formatted for improved readability.
- Bugfix: ActionScript 2 Push instructions were previously not shown in the GUI.
- Bugfix: ActionScript 2 PushDuplicate instructions were previously not shown in the GUI.
- Bugfix: ActionScript 2 Pop instructions were previously not shown in the GUI.
- Bugfix: ActionScript 2 Play instructions were previously not shown in the GUI.
- Bugfix: ActionScript 2 PreviousFrame instructions were previously not shown in the GUI.
- Bugfix: ActionScript 2 RandomNumber instructions were previously not shown in the GUI.
- Bugfix: ActionScript 2 RemoveSprite instructions were previously not shown in the GUI.
- Bugfix: ActionScript 2 Return instructions were previously not shown in the GUI.
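The changelog entries above touch on three things a disassembler for ActionScript 2 action records has to get right: parsing must survive malformed input, unknown action codes must still be reported, and the SI16 offset carried by ActionJump and ActionIf must be turned into an absolute target (the offset is relative to the end of the branch record, so the adjusted address is the address of the following record plus the offset). The following is an added example, written in Python rather than taken from SWFRETools or Flash Dissector, that does all three on a hand-built byte string. The action codes and ActionPush type tags come from the SWF file format specification; the helper names, the output format and the sample bytes are my own.

```python
# Added example (not SWFRETools code): a minimal ActionScript 2 action-record
# disassembler in Python, written from the SWF file format specification.
import struct

# Action codes as defined in the SWF specification; only the handful needed
# for the sample below. Anything else is reported as an unknown action.
ACTION_NAMES = {
    0x00: "ActionEnd",
    0x17: "ActionPop",
    0x3E: "ActionReturn",
    0x88: "ActionConstantPool",
    0x96: "ActionPush",
    0x99: "ActionJump",
    0x9D: "ActionIf",
}


def _cstring(buf, pos):
    """Read a NUL-terminated string at pos; an unterminated string runs to the end."""
    end = buf.find(b"\x00", pos)
    if end < 0:
        end = len(buf)
    return buf[pos:end].decode("latin-1"), end + 1


def _format_push(payload):
    """Render an ActionPush payload so registers and constant-pool references
    cannot be mistaken for integer literals."""
    parts, pos = [], 0
    while pos < len(payload):
        kind = payload[pos]
        pos += 1
        if kind == 0:                                   # STRING, NUL-terminated
            text, pos = _cstring(payload, pos)
            parts.append('"%s"' % text)
        elif kind == 4:                                 # REGISTER, UI8 register number
            parts.append("register%d" % payload[pos]); pos += 1
        elif kind == 7:                                 # INTEGER, UI32 little-endian
            parts.append(str(struct.unpack_from("<I", payload, pos)[0])); pos += 4
        elif kind == 8:                                 # CONSTANT8, index into ConstantPool
            parts.append("constant%d" % payload[pos]); pos += 1
        elif kind == 9:                                 # CONSTANT16
            parts.append("constant%d" % struct.unpack_from("<H", payload, pos)[0]); pos += 2
        else:                                           # float/double/bool/null not handled here
            parts.append("<push type 0x%02x not handled>" % kind)
            break
    return ", ".join(parts)


def disassemble(data, base=0):
    """Decode a DoAction-style byte string into a list of (address, text).

    Branch targets are shown as adjusted absolute addresses: the SI16 offset in
    ActionJump/ActionIf is relative to the end of that record, so the target is
    address_of_next_record + offset. Malformed input ends the listing with a
    diagnostic entry instead of raising.
    """
    listing, pos, end = [], 0, len(data)
    while pos < end:
        addr = base + pos
        code = data[pos]
        pos += 1
        payload = b""
        name = ACTION_NAMES.get(code, "Unknown action 0x%02x" % code)
        if code >= 0x80:                                # long-form record: UI16 length follows
            if pos + 2 > end:
                listing.append((addr, "<truncated %s: length field missing>" % name))
                break
            length = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if pos + length > end:
                listing.append((addr, "<truncated %s: %d bytes declared, %d available>"
                                % (name, length, end - pos)))
                break
            payload = data[pos:pos + length]
            pos += length
        next_addr = base + pos                          # branch offsets are relative to here

        if code in (0x99, 0x9D):
            if len(payload) < 2:
                text = "%s <missing branch offset>" % name
            else:
                rel = struct.unpack_from("<h", payload, 0)[0]
                text = "%s 0x%04x (raw offset %+d)" % (name, next_addr + rel, rel)
        elif code == 0x96:
            text = "%s %s" % (name, _format_push(payload))
        elif code == 0x88:
            count = struct.unpack_from("<H", payload, 0)[0] if len(payload) >= 2 else 0
            strings, p = [], 2
            for _ in range(count):
                if p >= len(payload):
                    break
                s, p = _cstring(payload, p)
                strings.append('"%s"' % s)
            text = "%s [%s]" % (name, ", ".join(strings))
        elif code not in ACTION_NAMES:
            text = "%s (%d byte payload)" % (name, len(payload))
        else:
            text = name
        listing.append((addr, text))
    return listing


# Constructed sample (not taken from any real SWF): an action stream laid out by
# hand so that every address and branch offset can be checked against the listing.
SAMPLE = bytes([
    0x88, 0x0D, 0x00, 0x02, 0x00,                                 # 0x00 ConstantPool, 2 entries
    0x61, 0x6C, 0x70, 0x68, 0x61, 0x00,                           #      "alpha"
    0x62, 0x65, 0x74, 0x61, 0x00,                                 #      "beta"
    0x96, 0x09, 0x00, 0x08, 0x00, 0x07, 0x2A, 0x00, 0x00, 0x00, 0x04, 0x01,  # 0x10 Push
    0x9D, 0x02, 0x00, 0x0C, 0x00,                                 # 0x1C If, raw +12 -> 0x2D
    0x17,                                                         # 0x21 Pop
    0x99, 0x02, 0x00, 0xE9, 0xFF,                                 # 0x22 Jump, raw -23 -> 0x10
    0x96, 0x03, 0x00, 0x00, 0x78, 0x00,                           # 0x27 Push "x"
    0x3E,                                                         # 0x2D Return
    0xA1, 0x01, 0x00, 0xFF,                                       # 0x2E unknown long-form action
    0x00,                                                         # 0x32 End
])

if __name__ == "__main__":
    for addr, text in disassemble(SAMPLE):
        print("%04x  %s" % (addr, text))
```

Running the block prints the listing with adjusted targets, so the ActionIf at 0x1C reads as a branch to 0x2D and the backward ActionJump at 0x22 as a branch to 0x10, which is what you want when following control flow in an editor instead of adding offsets by hand. The unknown 0xA1 record is skipped using its length field and shown with its action code, and a record whose declared length runs past the end of the buffer stops the listing with a diagnostic rather than an exception.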

Happy using and please use GitHub to open tickets for problems or feature requests you encounter. Or alternatively shoot me an email. 

Release of SWFRETools 1.1.0

Two weeks ago I gave a presentation at SOURCE Boston where I released a new collection of open-source tools for Adobe Flash SWF file reverse engineering. I am developing these tools, called SWFRETools, to help reverse engineers like vulnerability researchers and malware analysts that have to deal with SWF files regularly. Today I have published version 1.1.0 of the SWFRETools on GitHub for everyone to download.

As of right now, the SWFRETools package contains three different tools. The most advanced tool is called Flash Dissector. It is a Java-based GUI tool you can use to inspect the binary content of SWF files. The second tool is a Java-based command-line tool called Minimizer. This tool is useful for vulnerability researchers who have a SWF file that crashes Flash Player and want to get rid of all parts of the SWF file that are not related to the crash. The third tool is a primitive Python-based debugger that can be used to hook and trace the Flash Player executable.

Flash Dissector hex view showing the binary content of a SWF file

Flash Dissector code view showing ActionScript 3 code in a SWF file 

Data mining H-1B salary data

Recently I became aware that all H-1B salary data is publicly available on the Internet. You can get a very detailed Access database of the salary information and there is even a very nifty web application that allows you to quickly search for whatever salary data you are interested in. Now, these figures are probably the best available resource for figuring out how your salary compares to that of your peers. Unlike salary information from sites like Glassdoor, this salary data is not self-reported but directly taken from H-1B visa proceedings, making the salary figures much more truthful.

I had already played around with the web application a few weeks ago and uncovered a few interesting pieces of data (mostly related to information security jobs, the field I am working in) which I posted on my Twitter but until today I had not had time to actually do further analysis with the Access database.

The first thing I tried was to search for the highest average salaries in the database. I applied additional filters like only counting job titles for each company that had at least three granted H-1B visas for each listed position (to remove outliers like CEOs on H-1B visas making millions of dollars, for example). I also aggregated all statistics over the minimum salary specified for each position in the database. Originally I wanted to work with the maximum salary field but apparently this field is optional and not many positions have it listed. Still, I know that at least for my position (I am in the database too) the maximum salary field gives the amount of money I am really making. To make things simpler for me I also only considered salaries given per year and discarded those given per hour.


CanSecWest 2011 - Day 3

The third and last day of CanSecWest 2011 is over. Once again we started with talks at 9:00 AM after a breakfast that was actually better than yesterday's (ask me about eating 8 slices of banana bread). As the official CanSecWest party was yesterday, it was no surprise that only about half of the chairs were occupied for the first talk. Fighting hard to get out of bed, I nearly missed the first talk myself.

Chris Eng and Brandon Creighton of Veracode were first to go up on stage. In the third CanSecWest talk about an Adobe product, they exposed many security issues in ColdFusion web applications. At first they talked about the usual suspects like XSS and SQL injection and what these attacks look like in ColdFusion code. Then they went through a few other issues that are specific to ColdFusion and not existent in other web application frameworks. For me, the funniest part was the incredible number of variables that are supposed to be server-side read-only but are still writable by web applications. This has plenty of potential for all sorts of unintended havoc.

The second talk was about automated pointer analysis by my former co-worker Vincenzo Iozzo and his friend Giovanni Gola. They talked about doing interprocedural pointer analysis with the goal of automatically finding bugs like double-frees. After about five minutes in I got a work-related call that occupied me for the next half an hour. Shortly after I had headed back into the conference room, the fire alarm went off. I already had ReCon 2010 flashbacks but fortunately it turned out to be a false alarm. I can't say I saw a lot about that talk, but I am sure it was good.


The fourth and last talk about an Adobe Product came from Richard Johnson of Sourcefire. He described some of the internals of the Acrobat Reader sandbox, that abstraction layer that was introduced in Acrobat Reader 10 to mitigate the effects of Acrobat Reader exploits. He also talked about some of the potential weaknesses in the sandbox, for example how the networking code and the filesystem code is not properly sandboxed, potentially allowing attackers to send file information over the network.


More work-related issues made me miss much of the talk about fuzzing by Dan Kaminsky, Adam Cecchetti, and Mike Eddington. From what I saw they set their fuzzers on applications like MS Office, OpenOffice, and Acrobat Reader and tried to draw conclusions about improvements in product security from the number of exploitable crashes (as determined by !exploitable) they got. The talk itself was pretty entertaining but the methodology they used to draw the conclusions did not always seem to be solid. Several people asked very good questions during the discussion after the talk. In the end, the speakers made their raw fuzzing results data available to everyone in the form of a SQL dump.

I did not see any more talks today as I had seen the Microsoft talk about fuzzing last week at Microsoft already. I also skipped the last talk because I really don't care enough about fuzzers to see another one of these talks.

So, that is the end of CanSecWest. The line-up this year was pretty fantastic and most of the usual suspects were there. As usual many people are heading up to Whistler again this evening for the post-conference party weekend. Not me, though. Having done this in the last two years already, I actually want to see more of Vancouver now.

CanSecWest 2011 - Day 2

Alright, I am back from day 2 of CanSecWest. Even though we started right at 9:00 AM today, surprisingly many people made it to the conference room at the Sheraton Wall Centre on time. I am detecting a disturbing lack of party dedication there. Or maybe all these people were just like me, hoping for a free breakfast. Unfortunately, the free food provided by the hotel gets worse from year to year. Anyway, let's take a quick look at the talks today as the line-up was amazingly strong.

The day started off with a talk about malware on gaming consoles and mobile devices by DongJoong Ha and KiChan Ahn. They talked about what kind of network attacks are possible by owning some kind of always-connected gaming consoles. They also showed how malicious code can be injected in pirated software to build up botnet capabilities with the help of people that really, really need to get the latest Super Mario game for free. I really enjoyed the talk even though they did not really present new ideas. Rather, they ported known techniques from older devices to game consoles. Still, you can never be wrong talking about game consoles in front of a crowd of nerds.


The second talk was called Dynamic Cryptographic Trapdoors by Eric Filiol. That was the only talk I skipped. Eric is a pretty smart guy and when he talks about cryptography it will fry my brain. I did not need this again. Rather, I went outside to hack away for an hour on my Flash RE tools.

After Eric's talk I went back inside to see Haifei Li's talk about ActionScript 3 vulnerabilities in Flash. He focused on type confusion in the ActionScript virtual machine caused by mismatches between what the ActionScript code verifier verifies and what the ActionScript JIT compiler compiles and executes. Due to my day job I have seen exactly that kind of bug roughly a million times already. Still, Haifei's talk was interesting and it is good to see what kind of work other people do on Adobe stuff.

After lunch (my food quality complaint still applies), Andrea Barisani and Daniele Bianco of Inversepath talked about Chip & PIN cards which are very popular in Europe. They talked a bit about the Chip & PIN standard, its weaknesses, and potential attack vectors. They also brought some surprisingly small skimming devices to show to the audience. Even though this is not my kind of topic, the talk was the most interesting talk of the day. As part of their presentation, Andrea and Daniele produced a short movie that can only be described as legendary. I have already asked them to upload the video to YouTube but unfortunately they did not warm up to that idea.

The next talk was by Ilja van Sprundel. Oh no, wait. When it was time for Ilja's talk he was not to be found anywhere. Instead, Graeme Neilson went on stage to give his talk first. Graeme talked about different network devices like switches and how to install rootkits on them. As part of his research he took a look at 10 devices from different vendors like Cisco, Juniper, Checkpoint, and others. He then gave three live demos of how fast he can put his own code onto those devices because of lacking code integrity checks by the network devices.


Afterwards it was finally Ilja's time on stage. Unlike the other speakers, he was not content with water. If the man wants beer, the man gets beer. He talked about iPhone security issues but unlike many other researchers he did not focus on iOS but rather on security vulnerabilities on the application level and the iPhone standard library. Stuff like cross-site scripting in default HTML components, format string vulnerabilities, or the misuse of the C-string functions. Unfortunately, Ilja was confused and surprised by the order and content of his own slides once in a while (see photo).

Then it was time for Michael Ossmann to give his talk about Bluetooth hacking. I do not know anything about Bluetooth or hardware hacking in general, so I can not comment on the content of the presentation. However, his slide set design was one of the best I have ever seen at a security conference and his speaking style was very pleasant too. The audience seemed entertained.

The last talk of the day belonged to Marc Schoenefeld. It was a talk about finding font parser bugs with his fuzzer. Most of the time when someone speaks about his awesome fuzzer at a con, he will not talk about the exploitable bugs he has found with it (because he has not found any). Marc did the opposite. He described bug after bug he found in the font parsing engines of the major browsers and operating systems. I have never seen anybody give his talk as deeply relaxed (tiefenentspannt) as he did. It was great. I can only come up with one word to summarize his talk: Telephone.

And now I am off to the Tron-themed conference party!

Random observations of the day:

- Apple and Blackberry tried to game the Pwn2Own rules by releasing OS updates for their devices only days before the contest. Then they sent their biggest nitpickers to the Pwn2Own people to make sure that new OS version was used in the contest. This caused endless delays and much eye-rolling in the audience. All crocodile tears proved useless in the end and both the Blackberry phone and the iPhone fell as usual. No surprises there. More investment in security and less investment in Lincoln-Douglas courses might have helped.
- Google apparently does not have a single PR person here. Why bother if your browser always survives Pwn2Own?
- This is the first conference ever I am attending where my presence has literally no purpose. I am not giving a talk. I am not trying to connect with anyone. I am not giving product pitches or demos. I feel like I am a bum loitering around there.
- Did I mention the food quality already?

CanSecWest 2011 - Day 1

It's CanSecWest time again. How do I know? This morning I woke up in a hotel room and when I looked outside it was pouring cats and dogs. Usually when I wake up in a hotel room it is in a warm and sunny place. Anyway, once again about 400 (I guess) people interested in computer security gathered in the Sheraton Wall Centre in Vancouver, Canada to meet with friends, listen to amazing talks and make fun of HBGary.

The conference started off very unusually. The agenda was on time. That's quite a change compared to the last few years. Admittedly, the organizers moved the first talk to noon this year to make sure that everybody manages to recover from yesterday's conference dinner and karaoke bar. I had arrived early, at around 8, hoping to score some free breakfast, which unfortunately did not happen today. I used the four hours to chat with old friends, some of whom I was very surprised to meet here.

At noon the talks started. The first talk was by Brad Woodberg of Juniper. He talked about network application level firewalls. Admittedly I know absolutely nothing about application firewalls, so I can not comment on the content of the talk. He is a pretty decent public speaker though. I enjoyed the talk.

The second talk was by Aaron Portnoy and Logan Brown of Hewlett-Packard. They talked about their blackbox reverse engineering approach to the Adobe Shockwave player. They described what they did to triage crashes in fuzzed Shockwave files having no knowledge at all about the Shockwave file format. Using binary instrumentation and a combination of WinDbg and Python, they described how they were able to figure out the custom memory allocator of Shockwave and other important Shockwave internals. At 90 minutes, the talk was unusually long for CanSecWest but worth every minute. They have also promised to make their tools available if people are interested. I will definitely follow up with them to make that happen.

After this talk we had a lunch break and then Pwn2Own began. For the third year in a row, I ventured up to the Pwn2Own room to see what's going on. As usual, this is what happened: Some guy sat down at a computer, pressed a few buttons on the computer, and then the Hewlett-Packard people declared him a winner and there was a round of applause. That's it. You don't get to see more if you are in the audience. If you have never been there and think the whole contest is more amazing, I am sorry to disappoint there. I only stayed for the Apple Safari ownage.

The next talk I saw was about runtime firmware integrity checking by Yves-Alexis Perez and Loic Duflot. This was a continuation of the talk they gave at CanSecWest last year but this time they focused on the defensive side of firmware attacks. Unfortunately both are not very good at public speaking. I left halfway through the talk to work on some things and talk to people outside the conference room.

Alright, now I am heading out to the conference party. The second day of CanSecWest unfortunately starts at 9:00 in the morning.

Random observations of the first day:

Of all the vendor booths, Google was by far the most popular one. It was packed with people stopping the whole day. Only Amazon managed to keep up with them. Maybe it's because both companies gave away really quirky swag and their booths were staffed by people who looked like engineers. The opposite happened at the Rapid7 booth which was pretty deserted for literally the whole day. That's what you get if you put two suits up there who could not look more like used car salesmen if they tried and you have marketing cards with dollar signs on your table instead of quirky swag.

Alex Sotirov did live reviews of the talks he saw at http://research.phreedom.org/2011/cansecwest/ . I remember how he told me about this idea at PH-Neutral last year but I never thought he would actually ever start doing it.

Google Chrome survived the first day of Pwn2Own, much to my dismay.

Release of JHexView 1.0

Six years ago I wrote a custom .NET component for displaying binary data in a hex editor. A while later I discontinued the project as I left college and got a job at zynamics. The primary programming language we used at zynamics was Java, so I pretty much stopped .NET programming and switched over to Java. I noticed that zynamics did not have a good hex view component for use in their reverse engineering applications so I quickly ported my NetHex component from C# to Java.

Originally I wanted to open-source JHexView immediately but then I figured that this component is so awesome that I do not want any potential competitors of zynamics to make use of it. Since zynamics was bought by Google this week, I can now finally open source the Java component too. The component used in BinNavi, PDF Dissector, and Hexer to display binary data from files and memory is now available to everyone on my GitHub account.

To see some screenshots you can check out this former post of mine.

Writing file format parsers for reverse engineering tools: Insights from someone who does it too often

During the last year I have implemented quite a few file format parsers for a variety of reverse engineering tools, some in the context of malware detection and others in the context of vulnerability analysis. I wrote file parsers for complex modern file formats like SWF and PDF, for obscure file formats that are older than I am, and for some that are nearly as old as my parents! In total I have written file format parsers for probably around 15 file formats and I have made some observations about the whole process I would like to share.

Data sent home by µtorrent

Last Friday I was debugging random programs I found on my hard drive when I saw this:

Apparently µtorrent is sending lots of unrelated data back to the µtorrent servers when checking for program updates. I wanted to know what. Google was not very helpful. A thread in the official forum was all I found and that thread did not exactly have a lot of information. Apparently I had to figure out things myself.

Unfortunately it turned out that µtorrent is sending a lot more data than can be seen in the screenshot so this little project took longer than originally planned. In fact I am only 90% done but I don't want to put any more time into this. One weekend is already too much time spent on this. So, here's what I figured out.


San Francisco

I'll be on vacation in San Francisco between November 4th and November 17th. If anybody wants to meet up there, please contact me in some way (see the side bar on the right hand side of this page). Possible reasons for hanging out with me include but are not limited to:

  • You work for a cool company and feel like showing me around your office.
  • You work on a cool product/technology and feel like I should see it.
  • You think I work on cool stuff and want to talk about it.
  • You want to talk about reverse engineering, binary code analysis, hacking NES games or anything related to that.
  • You want to get a BinNavi product pitch.
  • You want me to see some special place or event in San Francisco.

Toad Houses Disassembled

To waste some time today I played some Super Mario Bros 3 on my Wii. I only made it through three levels before I reached the first Toad House. Upon receiving the item from Toad I decided to investigate something I've wanted to know for, I don't know, maybe 15 years. How exactly does the game decide what item you receive? I remember as a child that people playing Super Mario Bros 3 did the weirdest stuff in Toad Houses to improve their item karma. Running around, doing weird jumps, whatever.

Anyway, I really wanted to know when the game decides what item you receive and how it decides that. Does the game already know what item you receive as soon as you enter the Toad House? Are the items placed in the boxes when you enter the Toad House? Does it do any other weird stuff?


Debugging emulated Cisco devices with BinNavi

Good news from the BinNavi front. For one, our GDB Agent, which connects BinNavi with arbitrary GDB servers, is now working on Linux. Since that was the last part of BinNavi which had to be used from Windows, all parts of BinNavi are now usable from Linux. Even cooler news is that we have made the Cisco router emulator Dynamips work with the GDB Agent. It is now possible for users of BinNavi to use the GDB server of Cisco devices emulated on Dynamips. This has a wide range of applications for situations where people had to work with physical devices in the past even though Dynamips would have been sufficient.

Out of the box, the GDB server of Cisco devices is not emulated properly by Dynamips. There were two issues that had to be fixed in the Dynamips code:

  • Once the GDB server was active, the console of the Cisco device froze and GDB would neither send nor accept commands
  • The single-step flag was not honored by the emulator, making single-stepping impossible

I have created a patch that solves these two issues. You can download the patch file here. Once this patch is applied to the Dynamips source code, the GDB server of the Cisco 2600 router I used for testing works like a charm and BinNavi can use the GDB server for debugging the emulated device.
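The protocol behind this exchange, as an added example that is neither BinNavi's GDB Agent nor Dynamips code: GDB remote serial protocol packet framing with its checksum, plus a constructed toy target that shows why an emulator ignoring the single-step flag makes single-stepping impossible (a step request runs to the next breakpoint exactly like a continue). The "S05" stop reply and the fixed 4-byte instruction width are assumptions of the toy, not facts about the Cisco 2600 or the patch.

```python
"""GDB RSP packet framing plus a constructed single-step exchange.

Added example, not BinNavi's or Dynamips' code. ToyTarget models the symptom
described above: an emulator that ignores the single-step flag turns a step
request ('s') into a continue ('c') that runs to the next breakpoint.
"""


def frame(payload: str) -> str:
    """Wrap a payload as $payload#xx with the RSP modulo-256 checksum."""
    return f"${payload}#{sum(payload.encode()) & 0xFF:02x}"


def unframe(packet: str) -> str:
    """Check framing and checksum of a packet and return its payload."""
    if len(packet) < 4 or packet[0] != "$" or packet[-3] != "#":
        raise ValueError(f"malformed packet: {packet!r}")
    payload, csum = packet[1:-3], int(packet[-2:], 16)
    if sum(payload.encode()) & 0xFF != csum:
        raise ValueError(f"bad checksum in {packet!r}")
    return payload


class ToyTarget:
    """Constructed target: a program counter, breakpoints and a step flag."""

    def __init__(self, pc, breakpoints, honors_single_step=True):
        self.pc, self.breakpoints = pc, set(breakpoints)
        self.honors_single_step = honors_single_step

    def handle(self, packet: str) -> str:
        """Serve one framed request and return the framed stop reply."""
        cmd = unframe(packet)
        if cmd == "s" and self.honors_single_step:
            self.pc += 4                 # one fixed-width instruction (assumed)
            return frame("S05")          # SIGTRAP: halted after one step
        if cmd in ("s", "c"):            # continue, or a step that is ignored
            for _ in range(1 << 20):     # bounded so the toy never spins
                self.pc += 4
                if self.pc in self.breakpoints:
                    return frame("S05")  # SIGTRAP at a breakpoint
            raise RuntimeError("ran off without hitting a breakpoint")
        return frame("")                 # unsupported command: empty reply


def step_pc(start, breakpoints, honors_single_step=True):
    """Send one 's' request; return (stop reply payload, pc the target halted at)."""
    target = ToyTarget(start, breakpoints, honors_single_step)
    return unframe(target.handle(frame("s"))), target.pc
```

With the flag honored, one step from 0x8021CCAC halts at the very next instruction; with the flag ignored, the same request only stops at the breakpoint, which is exactly what single-stepping looked like before the patch.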

Here are some impressions of BinNavi debugging the emulated Cisco 2600 router.

The first screenshot was taken shortly after attaching to the GDB server. You can see the "trap" instruction at offset 0x8021CCAC. When you attach to the GDB server for the first time, this is where the debugger halts.

Then I single-stepped a few times to leave the function in the first screenshot. The second screenshot shows another smaller function where you end up after leaving the first function.

The third screenshot shows a bigger function. In this function I told BinNavi to record all basic blocks which are ever executed and then I resumed the debugger. The result can be seen in the Trace log in the lower part of the window. The address of each basic block hit during execution is shown there in the order in which the basic blocks were hit. Double-clicking on the trace selects all basic blocks that were hit in the graph. This makes it very easy to get a quick code coverage analysis that shows which basic blocks were executed and which were not.