Windows SuperFetch file format – partial specification

According to ForensicWiki (http://www.forensicswiki.org/wiki/SuperFetch):

SuperFetch is a performance enhancement introduced in Microsoft Windows Vista to reduce the time necessary to launch applications (…)
Data for SuperFetch is gathered by the %SystemRoot%\System32\Sysmain.dll, part of the Service Host process, %SystemRoot%\System32\Svchost.exe, and stored in a series of files in the %SystemRoot%\Prefetch directory. These files appear to start with the prefix Ag and have a .db extension. The format of these files is not known…

When I read the above statement I just couldn't resist and decided to take up the challenge. Below you can read what I've found; as a bonus I've also prepared a simple dumper for SuperFetch .db files (attached at the end of this post).

Mixing x86 with x64 code

A few months ago I was doing some small research on the possibility of running native x64 code in 32-bit processes under the WoW64 layer. I was also checking it the other way round: running native x86 code inside 64-bit processes. Both things are possible and, as far as I could find by googling, some people have used it already:

Unfortunately I wasn't aware of any of the above results when I was doing my research, so I'll just present my independent insights ;)

UPX “accidentally” increments LoadCount for DLLs

When I was preparing the last dirtyJOE update I noticed that under some circumstances the Python DLLs are not freed from memory. What was even more interesting, this behaviour occurred only in the ready-to-release version of the application. I tested a few scenarios and figured out that the problem lies in the UPX loader.

I’ll try to explain what exactly happens.


Using Python scripts in dirtyJOE

Python scripting in dirtyJOE can be used to modify CONSTANT_Utf8 objects from the constant pool. One of the main uses is decryption of CONSTANT_Utf8 objects in obfuscated .class files. Decrypted objects are useful in forensic analysis; they can also be used to translate an obfuscated Java application.

Example

I'll show how to use Python scripting on a sample of obfuscated Java malware called Boonana. The mentioned malware appeared in October 2010 and was obfuscated with Zelix KlassMaster 5.3.3E (according to the entry "ZKM5.3.3E" in the constant pool).

dirtyJOE v1.4

A new version of dirtyJOE is available for download from http://dirty-joe.com

Short change-log:

  • Python scripting for Utf8 objects
  • drag’n’drop support
  • ability to copy disassembly to clipboard
  • ability to change font in disassembly windows
  • update check on startup

I'll publish a short tutorial about Python scripting in the next blog post (it is already available as a part of the help file).

dirtyJOE – Java Overall Editor

Post moved from OpenRCE, original date: Saturday, September 18 2010

dirtyJOE – Java Overall Editor is a complex editor and viewer for compiled Java binaries (.class files). The current version still has some limitations, but hopefully those will be removed in the next releases.

dirtyJOE is free for non-commercial use.

dirtyJOE is entirely written in C++, no third party libraries were used.

Main features:

  • Viewer for: constant pool, methods, fields, attributes
  • Editor for: constant pool, bytecode

You can download it from http://dirty-joe.com

When memory management goes bad…

Post moved from OpenRCE, original date: Thursday, March 4 2010

A few months ago I encountered strange behaviour in cmd.exe when I wanted to list a big collection of files and execute a command on every single file. I used for this task a 'for' command similar to this:

for /R c:\ %c in (*.*) do echo %c >> cmd_ptc.log

After a few hours of processing I got a very disturbing message:

"Not enough storage is available to process this command."

Actually cmd.exe can eat all the memory available to the process. I decided to check why it needs such an amount of memory and whether it would be possible to fix it. Below you can find a link to the full article and a package with the fixed binaries (from Windows Vista SP2, password: rewolf.pl):

http://rewolf.pl/stuff/rewolf_cmd_research.pdf (article)
http://rewolf.pl/stuff/rewolf_cmd_research.zip (article and binaries)

Happy reading !

Hacker Challenge 2008

Post moved from OpenRCE, original date: Wednesday, April 15 2009

My reports from Hacker Challenge 2008 are already available online:

(the zip archives contain the original challenge, the cracked binary and the report)

Phase 1:
http://rewolf.pl/stuff/rewolf_hc2008_phase1.zip
http://rewolf.pl/stuff/rewolf_hc2008_ph1_report.pdf

Phase 3 (third place in “quality of report” category):
http://rewolf.pl/stuff/rewolf_hc2008_phase3.zip
http://rewolf.pl/stuff/rewolf_hc2008_ph3_report.pdf

Old dbghelp and an old exploit…

Post moved from OpenRCE, original date: Friday, January 30 2009

Recently I came across some "strange" problems while loading some executables into OllyDbg. After loading the file, OllyDbg just crashed without any error. During a quick investigation I figured out that the problem lay in the extension of the loaded file. In fact, the problem lay in the old version of dbghelp.dll (5.1.3590.0).