Mixing x86 with x64 code

A few months ago I was doing some small research into the possibility of running native x64 code in 32-bit processes under the WoW64 layer. I was also checking it the other way round: running native x86 code inside 64-bit processes. Both things are possible and, as far as I googled, some people have used it already:

Unfortunately I wasn’t aware of any of the above results when I was doing my research, so I’ll just present my independent insights ;)


When memory management goes bad…

Post moved from OpenRCE, original date: Thursday, March 4 2010

A few months ago I encountered strange behavior in cmd.exe when I wanted to list a big collection of files and execute a command on every single file. For this task I used a ‘for’ command similar to this:

for /R c:\ %c in (*.*) do echo %c >> cmd_ptc.log

After a few hours of processing I got a very disturbing message:

"Not enough storage is available to process this command."

Actually, cmd.exe can eat all the memory available to the process. I decided to check why it needs such an amount of memory and whether it would be possible to fix it. Below you can find a link to the full article and a package with the fixed binaries (from Windows Vista SP2, password: rewolf.pl):

http://rewolf.pl/stuff/rewolf_cmd_research.zip (article and binaries)

Happy reading!

Hacker Challenge 2008

Post moved from OpenRCE, original date: Wednesday, April 15 2009

My reports from Hacker Challenge 2008 are already available online:

(zip archives contain the original challenge, cracked binary and report)

Phase 1:

Phase 3 (third place in “quality of report” category):

Old dbghelp and an old exploit…

Post moved from OpenRCE, original date: Friday, January 30 2009

Recently I came across some “strange” problems while loading some executables into OllyDbg. After loading the file, OllyDbg just crashed without any error. During some quick research I figured out that the problem lies in the extension of the loaded file. In fact, the problem lay in the old version of dbghelp.dll (5.1.3590.0).