Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
It is currently 19 Jul 2012 14:13

All times are UTC [ DST ]





Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 3 posts ] 
Author Message
 Post subject: Question for luigi
PostPosted: 12 Nov 2008 01:16 

Joined: 12 Nov 2008 01:13
Posts: 6
Hey i was just wondering, how do you pick what you want to try create exploits for? is it like you're doing something then a program crashes and you decide to follow it up or you just decide to pick popular programs to reverse? I'm asking because I've been programming in C for a little over 2 years now and just recently got into Reverse Engineering.


Top
 Profile  
 
 
 Post subject: Re: Question for luigi
PostPosted: 12 Nov 2008 10:52 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
exist various ways to research vulnerabilities and various levels of complexity depending by the input to analyze.

the most common and which gives usually more results is fuzzing, which is just a "cool" word to define the trying of various different values of a protocol/format until an effect of the tested application (crash, directory traversal and so on), so after having seen the effect is possible to start with a deeper look to what caused it and if there are other more important security effects (for example a crash that in reality is a stack based buffer-overflow).

note that it's not needed to know the protocol/format of the input for testing it, if you are lucky you can get an effect even replacing a random byte in a pre-existent packet/file... blind fuzzing.

the other way instead is deeper and is the auditing of the target application, which means analyzing its source code if it's open source or debugging it almost step-by-step if it's closed.
in closed source application sometimes it's used encryption and proprietary protocols which means that you are forced to reverse them too, this can be looked as an obstacle depending by the complexity of the protocol/algorithm and your interest in it but you can consider it like an additional stand-alone research (personally it's the part that I like because allows me to release two or more projects instead of only one).

note that even with auditing some bugs can be missed for mistake or because they are very hard to see (imagine a long sequence of sub-functions), and this is the point where fuzzing fills the gap.

oh and the "luck" is not optional...

as said at the beginning the type of input is important too.
talking about network, personally I have ever looked to protocol related vulnerabilities due to my passion for them and they major impact (usually the protocol related vulnerabilities are pre-auth/join) but there are other inputs more easy to test, for example talking about games, the in-game commands are a joke to test since it's only needed to use the existent commands without C/assembly/reversing/bugs_researching skills


Top
 Profile  
 
 Post subject: Re: Question for luigi
PostPosted: 12 Nov 2008 11:42 

Joined: 12 Nov 2008 01:13
Posts: 6
aluigi wrote:
exist various ways to research vulnerabilities and various levels of complexity depending by the input to analyze.

the most common and which gives usually more results is fuzzing, which is just a "cool" word to define the trying of various different values of a protocol/format until an effect of the tested application (crash, directory traversal and so on), so after having seen the effect is possible to start with a deeper look to what caused it and if there are other more important security effects (for example a crash that in reality is a stack based buffer-overflow).

note that it's not needed to know the protocol/format of the input for testing it, if you are lucky you can get an effect even replacing a random byte in a pre-existent packet/file... blind fuzzing.

the other way instead is deeper and is the auditing of the target application, which means analyzing its source code if it's open source or debugging it almost step-by-step if it's closed.
in closed source application sometimes it's used encryption and proprietary protocols which means that you are forced to reverse them too, this can be looked as an obstacle depending by the complexity of the protocol/algorithm and your interest in it but you can consider it like an additional stand-alone research (personally it's the part that I like because allows me to release two or more projects instead of only one).

note that even with auditing some bugs can be missed for mistake or because they are very hard to see (imagine a long sequence of sub-functions), and this is the point where fuzzing fills the gap.

oh and the "luck" is not optional...

as said at the beginning the type of input is important too.
talking about network, personally I have ever looked to protocol related vulnerabilities due to my passion for them and they major impact (usually the protocol related vulnerabilities are pre-auth/join) but there are other inputs more easy to test, for example talking about games, the in-game commands are a joke to test since it's only needed to use the existent commands without C/assembly/reversing/bugs_researching skills


Very cool :D thanks for the long reply. I like programming a lot, i create programs all the time to shorten certain tasks etc. but when it comes to reversing it's so frustrating, earlier i opened up Ventrilo in ollydbg and poked around for about 2-3 hours trying to find how to change the value that is displayed beside "Ping: " after a lot of access violations i gave up on that then moved onto trying to disable the green light when talking, which failed too -.- but i wrote down some addresses which i think are correct but i'm not really sure

Code:
7C80B5AE - GREEN LIGHT BP ENTRY CALL (Beginning of function that starts the green light)


which brought me to a XOR EPB,EPB which i had no idea what it was there for but i noted it down anyway >.>

Code:
7C810659


but still no progress, I've just been desperately trying to get anything to work but anytime i change an address that i think is related, i get access violations etc. :(


Top
 Profile  
 
Display posts from previous:  Sort by  
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 3 posts ] 

All times are UTC [ DST ]


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
cron