It's Blogging Time by Arkon
2007-05-31 22:52:31
I just finished installing Wordpress. Actually it was pretty easy and no-brainer. :) way to go for them.
It means I intend to write very frequently (hopefully) about computer-related topics, mainly programming, and guess what?! Low-Level. Actually, Insanely Low-Level. :)
It will be mostly technical and cover lots of stuff I mess with daily.
There you go.

ZERT Strikes Again by Arkon
2007-04-03 13:01:43
Hello,
Last week another vulnerability was found, this time in user32.dll with animated cursors. It seems that if you visit a malicious website, the bad guys can simply use the cursor style to instruct the browser to download and parse the malicious .ani file. And then boom, the classical stack buffer overflow gets exploited.
Therefore, ZERT has come up with a patch that I wrote once again, with the help of the team.
The code is open and licensed under GPL. I even used diStorm for a really simple code analysis task to find what I need to patch...
What actually keeps me excited is the knowledge that my code works so far on many Windows versions. I had the chance to test my patcher on winxpsp2/2003/Vista, and it works well in all of them, and ZERT tested it on other platforms as well. Now this is cool! Yeah, if you think about it again, it's not an easy task; it's not an application that is written in some language that is supposed to work on all platforms. When I say my code works, I mean the PATCHing code itself which fixes the vulnerability. The patch is 100% generic, although as we all know, there are always surprises on the road to perfection...
Anyways, for more information and for your better safety, you better download the patch and use it, until MS releases their own patch.
And as I said, the code is open to the public domain, you'd better give it a glance.
Visit the ZERT page!
Happy Passover

A new tutorial by Vergil
2007-03-17 16:10:53
After a period of nearly 4 years spent in the lonely steppes of Kazakhstan, Vergil has finally returned to RageStorm, having broken his teeth on the monolith of modern computability. To celebrate this event, he has written a tutorial devoted to the idle question of whether a mathematical formula when plotted can produce its own image. Click here for the juicy details.

disOps by Arkon
2007-03-10 21:43:37
Finally I released disOps, after wanting to do so for a long time. :) yipi
disOps is the instruction tables generator for diStorm. I rewrote it in Python and made it really easy to use. So now you can tinker with this tool and recompile diStorm on your own.
Although disOps is tightly coupled with diStorm, I wrote it in such a way that it has the DB of the instructions in a separate module that you can walk over and do anything you wish with.
For example, retrieving all one byte instructions that have no operands is as easy as this:
def filter(ii):
    # keep only one-byte opcodes that take no operands
    if ii.OL == OpcodeLength.OL_1 and len(ii.operands) == 0:
        return True
    return False

for i in db.GenerateInsts(filter):
    print i.mnemonics[0]
Another practical use for this tool, which I intend to do, is to generate the code for the unit-testing...
For more information, visit the diStorm's page.
Time is all needed, I will do the rest.

diStorm64 goes for ring0 and BSD by Arkon
2007-01-19 19:16:17
Yet another disassembler for Ring0? Since diStorm code doesn't depend on any standard C library, it was compiled using the DDK as a kernel driver in a jiffy. Really, it's that simple. Now the diStorm package contains a sample project to compile it using the DDK.
I tested diStorm at PASSIVE level and this is what DebugView shows:
00000028 178.28797913 diStorm Loaded!
00000029 178.28800964 Resolving KeBugCheck @ 0x805332df
00000030 178.28805542 805332df (02) 8bff MOV EDI, EDI
00000031 178.28808594 805332e1 (01) 55 PUSH EBP
00000032 178.28810120 805332e2 (02) 8bec MOV EBP, ESP
00000033 178.28811646 805332e4 (02) 33c0 XOR EAX, EAX
00000034 178.28813171 805332e6 (01) 50 PUSH EAX
00000035 178.28813171 805332e7 (01) 50 PUSH EAX
00000036 178.28814697 805332e8 (01) 50 PUSH EAX
00000037 178.28817749 805332e9 (01) 50 PUSH EAX
00000038 178.28819275 805332ea (01) 50 PUSH EAX
00000039 178.28820801 805332eb (03) ff75 08 PUSH DWORD [EBP+0x8]
00000040 178.28822327 805332ee (05) e8 c7f4ffff CALL 0x805327ba
00000041 178.28823853 Done!
Thanks to Izik who came up with the diStorm-ring0 idea.
Another happy piece of news is that diStorm64 is now an official port in FreeBSD. Thanks to Lutz Boehne who did it on his own, even without me knowing about it. :P For more information visit here.

Long Live Kondor by Arkon
2006-12-20 22:49:18
It's been 7 years since Kondor was released. ;) Back then when game programming ruled the world... today it's security, I wonder what's next.
You can say Kondor is ugly, you can say Kondor is old, you can say it sucks, but you can't deny one thing, it's a complete application and I was 16 and Oren 14, and for that I'm proud!
The first thing you face when coming up with a new project is its name... then you code and code some more and suddenly one day you abandon it, seeking for truth in another project. And that, my fellows, is the real problem you have to face.
good luck

x86 Machine Code Documentation by Arkon
2006-12-16 10:00:50
As part of the diStorm project, I have written a few docs describing how diStorm works. Among them I wrote one specifically about x86, which is very informative. It explains thoroughly how an instruction is formatted, how to decode an instruction and even talks about x86-64 decoding. Also prefixes are extensively covered (including mandatory prefixes for multimedia instructions).
I am sure it might be a valuable resource for some of you who mess with assembly or are just interested in how the x86 instruction set works.
Start reading here: x86 Machine Code.
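To make the decoding steps the doc describes concrete, here is an added example (not diStorm's code, and covering only a small slice of the instruction set) of a table-driven 32-bit decoder in Python: it consumes the 0x66 operand-size prefix, dispatches on the opcode byte, decodes the ModR/M byte with its displacement, and resolves a rel32 call target. The sample inputs are the byte sequences printed in the ring0 and Linux posts on this page, so the output can be checked against those listings; SIB addressing and every opcode outside the small table deliberately raise DecodeError rather than guess.

```python
import struct

REG32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]
REG16 = ["AX", "CX", "DX", "BX", "SP", "BP", "SI", "DI"]

class DecodeError(Exception):
    """Raised for encodings this example does not cover, instead of mis-decoding."""

def decode_modrm(code, pos, regs):
    """Decode the ModR/M byte at code[pos] plus any displacement (32-bit addressing).
    Returns (reg field, text of the r/m operand, position after it)."""
    modrm = code[pos]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    pos += 1
    if mod == 3:                                   # r/m names a register
        return reg, regs[rm], pos
    if rm == 4:                                    # an SIB byte would follow
        raise DecodeError("SIB addressing is not handled in this example")
    size = "WORD" if regs is REG16 else "DWORD"
    if mod == 0 and rm == 5:                       # no base register, just disp32
        disp = struct.unpack_from("<I", code, pos)[0]
        return reg, "%s [0x%x]" % (size, disp), pos + 4
    base = REG32[rm]
    if mod == 0:
        return reg, "%s [%s]" % (size, base), pos
    if mod == 1:                                   # base + disp8
        disp, pos = struct.unpack_from("<b", code, pos)[0], pos + 1
    else:                                          # base + disp32
        disp, pos = struct.unpack_from("<i", code, pos)[0], pos + 4
    sign = "+" if disp >= 0 else "-"
    return reg, "%s [%s%s0x%x]" % (size, base, sign, abs(disp)), pos

def decode_one(code, pos, addr):
    """Decode the instruction at code[pos], located at address addr. Returns (length, text)."""
    start, regs = pos, REG32
    while pos < len(code) and code[pos] == 0x66:   # operand-size override prefix
        regs, pos = REG16, pos + 1
    op, pos = code[pos], pos + 1
    if op == 0x90:
        text = "NOP"
    elif op == 0xC3:
        text = "RET"
    elif op == 0xC9:
        text = "LEAVE"
    elif 0x40 <= op <= 0x47:                       # register encoded in the opcode
        text = "INC %s" % regs[op - 0x40]
    elif 0x50 <= op <= 0x57:
        text = "PUSH %s" % regs[op - 0x50]
    elif op in (0x31, 0x33, 0x89, 0x8B):           # XOR/MOV with ModR/M operands
        reg, rm, pos = decode_modrm(code, pos, regs)
        mnem = "XOR" if op in (0x31, 0x33) else "MOV"
        if op in (0x33, 0x8B):                     # Gv, Ev: destination is the reg field
            text = "%s %s, %s" % (mnem, regs[reg], rm)
        else:                                      # Ev, Gv: destination is r/m
            text = "%s %s, %s" % (mnem, rm, regs[reg])
    elif op == 0xCD:                               # INT imm8
        text, pos = "INT 0x%x" % code[pos], pos + 1
    elif op == 0xE8:                               # CALL rel32, relative to the next instruction
        rel = struct.unpack_from("<i", code, pos)[0]
        pos += 4
        text = "CALL 0x%08x" % ((addr + (pos - start) + rel) & 0xFFFFFFFF)
    elif op == 0xFF:                               # group 5: only /6 (PUSH Ev) handled
        reg, rm, pos = decode_modrm(code, pos, regs)
        if reg != 6:
            raise DecodeError("FF /%d is not handled in this example" % reg)
        text = "PUSH %s" % rm
    else:
        raise DecodeError("opcode 0x%02x is not handled in this example" % op)
    return pos - start, text

def disassemble(code, base):
    """Linear sweep; returns (address, length, hex bytes, text) per instruction."""
    out, pos = [], 0
    while pos < len(code):
        length, text = decode_one(code, pos, base + pos)
        out.append((base + pos, length, code[pos:pos + length].hex(), text))
        pos += length
    return out

def format_line(addr, length, hexbytes, text):
    # Same layout as the listings in the posts: address, (length), bytes, text
    return "0x%08x (%02d) %s '%s'" % (addr, length, hexbytes, text)

# Constructed inputs taken from the listings on this page: the KeBugCheck prologue
# printed by the ring0 driver, and the three-instruction Linux sample
KEBUGCHECK_PROLOGUE = bytes.fromhex("8bff 55 8bec 33c0 50 50 50 50 50 ff7508 e8c7f4ffff")
LINUX_SNIPPET = bytes.fromhex("33c0 40 cd80")

if __name__ == "__main__":
    for line in disassemble(KEBUGCHECK_PROLOGUE, 0x805332df):
        print(format_line(*line))
```

Running it reproduces the instruction text of the ring0 listing, including the CALL target 0x805327ba, which falls out of adding the signed rel32 to the address of the following instruction.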

The Tiniest PE Ever by Arkon
2006-10-17 18:44:09
Yo
After a hard work session on a really tightly coded PE .exe file that will download a file from the Internet and execute it, I got to a remarkable result of 384 bytes.
For more information look at the SecuriTeam's blogs post here. It was really challenging and that's the final version: tiny.exe.
Do you remember the good old CodeGuru code crunching in DOS? This time I produced new code crunching tricks as well as anti-disassembler tricks, it's Win32 based and there are other crazy tricks there too.
"P Po Pop Pop-Ret", danski :) Arkon

ZERT - Unofficial Patch for IE VML Vulnerability by Arkon
2006-09-25 23:48:15
Hello everyone,
Last week I was working hard to release a patch for the Internet Explorer VML vulnerability. Well, other than programming, I like to do some research, this time as a member of the team. The patch was released in the name of the Zero-day Emergency Response Team (in short, ZERT). If you haven't already applied our patch for IE, you should install it, for more info visit here!
And to something different:
- diStorm supports the SVM instruction set of AMD.
- I am working to release a newer version of diStorm with support for some instructions that I found could be decoded more accurately (only in 64 bits).
- diSlib is going to be released with support for AMD64 PE files.
And I still work on diStorm3, though not much, but there is progress. Eventually, one day, it will be uploaded :)
That's it for now. Good night, Gil

Happy Birthday diStorm by Arkon
2006-06-06 18:56:12
It's a good reason to party, people! diStorm is one year old today :) yey
In the last year diStorm has grown up seriously:
- supports the AMD64, SSE4 and VMX instruction sets.
- pure C code which compiles in both MSVC and GCC seamlessly.
- supports big-endian CPUs.
- compiles on 64-bit (compilers) CPUs.
What more can you ask, diStorm3? It's on the way!
Have a nice day, hell o' a date: 6.6.6 :) cheers

diSlib to the World by Arkon
2006-02-17 13:42:38
Heya
I just wanted to let you know that diSlib is released. Oh, of course, it's a Python module to parse PE files, it's easy to use and gives you lots of essential information. diSlib is a part of a bigger disassembler project that I run with Imri.
You can check it out in diStorm's project page. In addition to this release I uploaded an output snippet of my disassembler, it's worth a look :)
And I am proud to announce that no more bugs were found in diStorm in the last few weeks, 'till the next one, heh!
Good I'm-Flying-to-Austria-for-ski bye
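As an added example (this is not diSlib's code or API), the following Python shows the kind of essential information a PE parser pulls out of a file: the DOS stub's e_lfanew, the PE signature, the COFF header's Machine field (which is how a parser tells an i386 image from an AMD64 one), the PE32 versus PE32+ optional header (where ImageBase moves and grows to 8 bytes), and the section table. Every length is checked before it is read so a truncated or hostile file raises PEError instead of an IndexError. The build_sample_pe function constructs a header-only image purely as test input; it is not a real binary.

```python
import struct

# Real IMAGE_FILE_MACHINE_* values for the two architectures the posts mention
MACHINE_NAMES = {0x014C: "i386", 0x8664: "AMD64"}
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_SCN_MEM_EXECUTE = 0x20000000

class PEError(ValueError):
    """Raised for truncated or malformed headers instead of indexing blindly."""

def parse_pe(data):
    """Parse the DOS, COFF, optional and section headers; returns the essentials as a dict."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise PEError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise PEError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 32 or opt + opt_size > len(data):
        raise PEError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]        # AddressOfEntryPoint (RVA)
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:                               # 64-bit: ImageBase is 8 bytes at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise PEError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i                           # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise PEError("section table truncated")
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize,
                         "rawptr": rawptr, "characteristics": chars})
    return {"machine": MACHINE_NAMES.get(machine, "0x%04x" % machine),
            "pe32plus": magic == PE32PLUS_MAGIC, "entry": entry,
            "image_base": image_base, "sections": sections}

def section_for_rva(info, rva):
    for s in info["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None

def entry_is_executable(info):
    """Sanity check a disassembler wants: the entry point must lie in an executable section."""
    s = section_for_rva(info, info["entry"])
    return s is not None and bool(s["characteristics"] & IMAGE_SCN_MEM_EXECUTE)

def build_sample_pe(machine, pe32plus):
    """Construct a header-only image (test input for this example, not a real binary)."""
    opt_size = 0xF0 if pe32plus else 0xE0                       # standard sizes incl. 16 data dirs
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0002)  # EXECUTABLE_IMAGE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)                     # AddressOfEntryPoint
    if pe32plus:
        struct.pack_into("<Q", opt, 24, 0x140000000)
    else:
        struct.pack_into("<I", opt, 28, 0x400000)
    # .text: VirtualSize 0x10, VA 0x1000, 0x200 raw bytes at 0x400, CODE|EXECUTE|READ
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x10, 0x1000, 0x200, 0x400,
                       0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + bytes(opt) + text

if __name__ == "__main__":
    for machine, plus in ((0x014C, False), (0x8664, True)):
        info = parse_pe(build_sample_pe(machine, plus))
        print(info["machine"], hex(info["image_base"]), entry_is_executable(info))
```

Parsing with offsets rather than a fixed struct for the whole optional header is what lets the same code handle both widths; the only fields that differ between PE32 and PE32+ before the data directories are BaseOfData (absent in PE32+) and the size of ImageBase and the stack/heap reserve fields.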

diStorm has gone open source! ! ! OMFG by WebMaster
2006-01-11 20:49:46
Hello people,
happy new year!
I am glad to announce that diStorm's source code is finally published to the community! Oh yeah
Along with the source code I uploaded a big documentation file, which talks about 80x86 in general and the project specifically, you should read it even if you are not interested in the disassembler itself. I promise you it's for your own benefit only!
This is the first release of the code, if there are bugs out there, I hope you will find them and report to me. Shortly, I will further edit the documentation and embellish the source code some more.
I wish to thank some people who helped me get diStorm to a complete product (in no special order though): Izik, Imri, Stefan and Ido. Greetingz yo
If you wish to join diStorm's mailing list, you can subscribe here.
At last, enter diStorm's project page and grab its source code.
Don't hesitate to send me emails regarding anything.
Arkon, lead diStormer

diStorm for Linux by Arkon
2005-11-20 22:45:53
Hi Linux people!
diStorm was ported to Linux last week, and it's ready for use.
0x00000000 (02) 33c0 'XOR EAX, EAX'
0x00000002 (01) 40 'INC EAX'
0x00000003 (02) cd 80 'INT 0x80'
Thanks to Izik (TTY64) for the help in porting diStorm to Linux.
Anyways, the source code will be opened in a couple of months. I work on the documentation and benchmarking (more optimizations probably will be done before the release).
"A true assembly guru respects Debug.", Arkon

Comments System by WebMaster
2005-11-03 20:21:42
Hullo
We just wanted to let you know that the comments system is up and kicking. User contributed comments can be posted by anyone for the following resources: snippets, samples and tutorials. Feel free to add notes and useful information.
Joy joy happy happy

Release Announcement: :[diStorm64}: by Arkon
2005-09-06 14:23:14
Hi again, what's going on people?!
Today I am a bit more excited to announce the diStorm64 release than the last release. So... diStorm64 is now released ! ! ! Yeah baby, yeah!
- It's been a wonderful 3 months of development, adding the AMD64 support into diStorm.
I hope you will find it useful, because there are currently no other free, final, released disassemblers out there for AMD64.
When I finish writing the documentation for diStorm, I will upload its source code and the documentation, of course. This will happen in the upcoming months, because I wish to be free for other projects as well.
Get diStorm64 now!
Now that my spare time is free for other things, I will upload source codes (Kernel Drivers related) and new tutorials I've been planning to write already.
I want to thank you all for the encouragement, keep on sending emails regarding anything.
- Arkon

:[diStorm}: Official Release by Arkon
2005-06-04 15:41:40
Hello everyone!
diStorm is finally released, after 2 years of coding in my spare time. :) diStorm is an 80x86 disassembler module, both for Python and as a C library file. The first version is capable of decoding the whole 80x86-related instruction set. x86-64 decoding will be in the next version, hopefully.
Next goal is messing with code-analysis. Another developer joined the task. Greetingz Imri.
For more information about diStorm, click me.
See you around

<!_HEADER_MISSING_~>::31C040C3 by Arkon
2005-01-10 22:59:39
Hey. It seems that the FTP had a few problems we weren't aware of; all downloads should be alright now. Besides, the FTP was removed, I think it was useless anyways...
We are really sorry for the site not getting updated often; to be honest, it's a lack of time issue, yeah! But some assembly optimization tutorial is being cooked out there.
The Distorm project got some boost recently, and version 0.9 is done, but still not out. It disassembles 16/32/FPU instructions, and now it's time for PE/functions analysis (using THE Python). I must admit it disassembles the instructions wisely and it supports other nice-to-have-in-disassembler stuff :)
Happy new year anyways!