|It's Blogging Time by Arkon
I just finished installing Wordpress. Actually it was pretty easy and no-brainer. :) way to go for them.|
It means I intend to write very frequently (hopefuly) about computers' related topics, mainly programming, and guess what?! Low-Level. Actually, Insanely Low-Level. :)
It will be mostly technical and cover lots of stuff I mess with daily.
There you go.
|ZERT Strikes Again by Arkon
Last week another vulnerability was found, this time in user32.dll with animated cursors. It seems that if you visit a malicous website, the bad guys can simply use the cursor style to instruct the browser to download and parse the malicious .ani file. And then boom, the classical stack buffer overflow gets exploited.
Therefore, ZERT has come up with a patch that I wrote once again, with the help of the team.
The code is opened and licensed under GPL. I even used diStorm for a really simple code analysis task to find what I need to patch...
What actually keeps me excited is the knowledge that my code works so far on many Windows' versions. I had the chance to test my patcher on winxpsp2/2003/Vista, and it works well in all of them, and ZERT tested them on other platforms as well. Now this is cool! yeah
If you think about it again, it's not an easy task, it's not an application that is written in some language that is supposed to work on all platforms, when I say my code works, I meant to the PATCHing code itself which fixes the vulnerability. The patch is 100% generic, although as we all know, there are always surprises on the road to perfection...
Anyways, for more information and for your better safety, you better download the patch and use it, until MS releases their own patch.
And as I said, the code is opened to the public domain, you better give it a glance.
Visit the ZERT page!
|A new tutorial by Vergil
After a period of nearly 4 years spent in the lonely steppes of Kazakhstan, Vergil has finally returned to RageStorm, having broken his teeth on the monolith of modern computability. To celebrate this event, he has written a tutorial devoted to the idle question of whether a mathematical formula when plotted can produce its own image. Click here for the juicy details.
|disOps by Arkon
Finally I released disOps, after a long time that I wanted to do so. :) yipi|
disOps is the instructions tables generator for diStorm.
I rewrote it in Python and made it really easy to use. So now you can tinker with this tool and recompile diStorm on your own.
Although disOps is tightly coupled with diStorm, I wrote it in such a way that it has the DB of the instructions in a different module that you can walk on it and do anything you wish with it.
For example, retrieving all one byte instructions that have no operands is as easy as this:
if ii.OL == OpcodeLength.OL_1 and len(ii.operands) == 0:
for i in db.GenerateInsts(filter):
Another practical use for this tool, which I intend to do, is to generate the code for the unit-testing...
For more information, visit the diStorm's page.
Time is all needed, I will do the rest.
|diStorm64 goes for ring0 and BSD by Arkon
Yet another disassembler for Ring0?|
Since diStorm code doesn't depend on any standard C library, it was compiled using the DDK as a kernel driver in a jiffy. Really, it's that simple.
Now the diStorm package contains a sample project to compile it using the DDK.
I tested diStorm at PASSIVE level and this is what DebugView shows:
00000028 178.28797913 diStorm Loaded!
00000029 178.28800964 Resolving KeBugCheck @ 0x805332df
00000030 178.28805542 805332df (02) 8bff MOV EDI, EDI
00000031 178.28808594 805332e1 (01) 55 PUSH EBP
00000032 178.28810120 805332e2 (02) 8bec MOV EBP, ESP
00000033 178.28811646 805332e4 (02) 33c0 XOR EAX, EAX
00000034 178.28813171 805332e6 (01) 50 PUSH EAX
00000035 178.28813171 805332e7 (01) 50 PUSH EAX
00000036 178.28814697 805332e8 (01) 50 PUSH EAX
00000037 178.28817749 805332e9 (01) 50 PUSH EAX
00000038 178.28819275 805332ea (01) 50 PUSH EAX
00000039 178.28820801 805332eb (03) ff75 08 PUSH DWORD [EBP+0x8]
00000040 178.28822327 805332ee (05) e8 c7f4ffff CALL 0x805327ba
00000041 178.28823853 Done!
Thanks to Izik who came up with the diStorm-ring0 idea.
Another happy new is that diStorm64 is now an
official port in FreeBSD.
Thanks to Lutz Boehne who did it on his own, even without me knowing about it. :P
For more information visit here.
|Long Live Kondor by Arkon
It's been 7 years since Kondor was released. ;)|
Back then when game programming ruled the world... today it's security, I wonder what's next.
You can say Kondor is ugly, you can say Kondor is old, you can say it sucks, but you can't deny one thing, it's a complete application and I was 16 and Oren 14, and for that I'm proud!
The first thing you face when coming up with a new project is its name...then you code and code some more and suddenly one day you abandon it, seeking for truth in another project. And that's my fellows, is the real problem you have to face
|x86 Machine Code Documentation by Arkon
As part of the diStorm project, I have written a few docs describing how diStorm works. Among them I wrote one specifically to x86, which is very informative. It explains thoroughly how an instruction is formatted, how to decode an instruction and even talks about x86-64 decoding. Also prefixes are extensively covered (including mandatory prefixes for multimedia instructions).|
I am sure it might be valuable resoruce for some of you who messes with assembly or just are interested in how x86 instruction sets works.
Start reading here: x86 Machine Code.
|The Tiniest PE Ever by Arkon
After a hard work session on a really tightly coded PE .exe file that will download a file from the Internet and execute it, I got to a remarkable result of 384 bytes.
For more information look at the SecuriTeam's blogs post here.
It was really challenging and that's the final version: tiny.exe.
Do you remember the good old CodeGuru code crunching in DOS? This time I produce new code crunching tricks as well as anti disassemblers trick, it's Win32 based and there are other crazy tricks there too.
"P Po Pop Pop-Ret", danski :)
|ZERT - Unofficial Patch for IE VML Vulnerability by Arkon
Last week I have been working hard to release a patch for Internet Explorer VML Vulnerability.
Well, other than programming, I like to do some research,
this time as a member of the team.
The patch was released in the name of the Zero-day Emergency Response Team (in short, ZERT).
If you haven't already applied our patch for IE, you should install it, for more info visit here!
And to something different:
- diStorm supports the SVM instructions set of AMD.
- I am working to release a newer version of diStorm with support of some instructions that I found that could be decoded more accurately (only in 64 bits).
- diSlib is going to be released with support for AMD64 PE files.
And I still work on diStorm3, though not much, but there is a progress. Eventually, one day, it will be uploaded :)
That's it for now
|Happy Birthday diStorm by Arkon
It's a good reason to party people!|
diStorm is one year old today :) yey
In the last year diStorm has grown up seriously:
supports AMD64, SSE4 and VMX instructions set.
pure C code which compiles both in MSVC/GCC seamlessly.
supports big endian CPU's.
compiles on 64bit (compilers) CPU's.
What more can you ask, diStorm3?
It's on the way!
Have a nice day,
hell o' a date: 6.6.6 :)
|diSlib to the World by Arkon
I just wanted to let you know that diSlib is released.
Oh, of course, it's a Python module to parse PE files,
it's easy to use and gives you lots of essential information.
diSlib is a part of a bigger disassembler project that I run with Imri.
You can check it out in diStorm's project page. In addition to this release I uploaded an output snippet of my disassembler, it's worth a look :)
And I am proud to announce that no more bugs were found in diStorm in the last few weeks, 'till the next one, heh!
Good I'm-Flying-to-Austria-for-ski bye
|diStorm has gone open source! ! ! OMFG by WebMaster
happy new year!
I am glad to announce that diStorm's source code is finally published to the community! Oh yeah
Along with the source code I uploaded a big documentation file, which talks about 80x86 in general and the project specifically, you should read it even if you are not interested in the disassembler itself.
I promise you it's for your own benefit only!
This is the first release of the code,
if there are bugs out there, I hope you will find them and report to me.
Shortly, I will further edit the documentation and embellish the source code some more.
I wish to thank to some people who helped me getting diStorm to a complete product (no special order though): Izik, Imri, Stefan and Ido. Greetingz yo
If you wish to join diStorm's mailing list, you can subscribe here.
At last, enter diStorm's project page and grab its source code.
Don't hesitate to send me emails regarding anything.
|diStorm for Linux by Arkon
Hi Linux people!|
diStorm was ported to Linux the last week, and it's ready for use.
0x00000000 (02) 33c0 'XOR EAX, EAX'
0x00000002 (01) 40 'INC EAX'
0x00000003 (02) cd 80 'INT 0x80'
Thanks to Izik (TTY64) for the help in porting diStorm to Linux.
Anyways, the source code will be opened in a couple of months.
I work on the documentation and benchmarking (more optimizations probably will be done before the release).
''A true assembly guru respects Debug.'', Arkon
|Comments System by WebMaster
We just wanted to let you know that the comments system is up and kicking.
User contributed comments can be posted by any one for the following resources: snippets, samples and tutorials.
Feel free to add notes and useful information.
Joy joy happy happy
|Release Announcement: :[diStorm64}: by Arkon
what's going on people?!
Today I am a bit more excited to announce diStorm64 release than last release. so...
diStorm64 is now released ! ! !
Yeah baby, yeah!
- It's been a wonderful 3 months of development, adding the AMD64 support into diStorm.
I hope you will find it useful, because there are currently no other free, final, released disassemblers out there for AMD64.
When I finish writing documentation for diStorm, I will upload its source code and the documentation, of course. This will happen in the upcoming next months, because I wish to be free for other projects as well.
Get diStorm64 now!
Now that my spare time is free for other things, I will upload source codes (Kernel Drivers related) and new tutorials I've been planning to write already.
I want to thank you all for the encouragement,
keep on sending emails regarding anything.
| :[diStorm}: Official Release by Arkon
diStorm is finally released, after 2 years of coding in my spare time. :)
diStorm is an 80x86 disassembler module both for Python and as a C library file.
The first version is capable of decoding all 80x86 related instruction set. x86-64 decoding will be on the next version, hopefully.
Next goal is messing with code-analysis. Another developer joined the task. Greetingz Imri.
For more information about diStorm, click me.
See you around
|<!_HEADER_MISSING_~>::31C040C3 by Arkon
It seems that the FTP had a few problems we weren't aware of, all downloads should be alright now. Besides, the FTP was removed, I think it was useless anyways...
We are really sorry for the site not getting updated often, to be honest, it's a lack of time issue, yeah! but some assembly optimization tutorial is being cooked out there.
The Distorm project got some boost recently, and version 0.9 is done, but still not out. It disassembles 16/32/FPU instructions, and now it's time for PE/functions analysis (using THE Python). I must admit it disassembles the instructions wisely and it supports other nice-to-have-in-disassembler stuff :)
Happy new year anyways!
|Late Update by WebMaster
Well, it's been a while without updates, we are really sorry for that, we don't have much time lately.
We fixed some stuff in the site, like CGI scripts and other things, but you shouldn't notice any difference though :)
Anyways, I uploaded an example of how to use PyShell inside your application as the main interactive window (good for Pythoneers). And another source for self deleting executable. Both could be found in the Samples section. That's it for now, unforetunately.
The diStorm project is still alive, although it doesn't look so, there still nothing special to see, so I won't bother you much about it.
Expect for more.
R E S P E C T 'a
|Recent site downage by Vergil
Hi everybody. First, we apologize about the site being down
for the several recent days due to server misconfiguration, this matter has now been resolved. Stay tuned for more stuff to come that we're working on now.
|Delayed Updates by Arkon
Hey people, what's up?
Well it happens that the three of us (Gil, Uri and Oren) are all busy with our jobs, so it comes out we barely have time for ourselves and for the website of course.
However, I still update the site here and there:
New article about Embedded Python [Part 2].
New worthy stuff in the Downloads section (PE and PS/2 Mouse).
In addition I just added a few links about Windows Internals and stuff...
The diStorm project is still under development, I still work on it when I have time (which is almost never, honestly).
Be patient for the upcoming articles...(Win32 Serial- Communcations shit, Dijkstra algorithm and maybe Windows Drivers).
Please drop us a line if you have any ideas for improvement, or you think you can help us in some way (or you hate us just like that Mr Fucker in the guest book, hehe).
|FTP Problem by WebMaster
I just realized that you guys couldn't download files from this web site, because some of them are FTP based (well, at least the samples/snippets/downloads).
The problem was that the web site manager changed this server's IP for some unknown reason to me, so the IP wasn't properly linked to the domain name...yeah right, whatever! ha ha
It's now working again, so don't hesistate to download stuff :)
See you around
|Downloads Section by Arkon
I just created a new section called Downloads...You will find in there some interesting resources in my opinion, currently it's all regarding DOS, but Win32 will take over :) It's a matter of time.
We plan to upload new tutorials: Serial Communication (Win32) and some special algorithm explained...
That's it for now.
BTW - I am 20 this weekend... :) Happy Birthday to me!