February 13, 2008

MRXDAV.SYS and Hex-Rays Decompiler

I wanted to present a new plugin to you today, about switch idioms (jump tables). I spent a few hours trying to find a problematic x86 sample file but could not locate anything impressive. All jump tables were nicely recognized. This certainly does not mean that IDA handles them perfectly, but rather that my search methods must be improved.

Anyway, things were going nowhere and I decided to take a micro-break. It really helps to unblock the thought process (sometimes my entire working day consists of innumerable micro-breaks :)

October 01, 2007

OpenRCE?

What happened to OpenRCE, does anyone know? It would be a pity to lose such a nice resource.
This news is not a bright one either, but I hope that the explanation for OpenRCE is purely technical.

September 24, 2006

ZERT patch

I think you have noticed that the site was down for a while. My web host again played the same trick: shut down the site with no notice. I'm leaving them.


While I was busy with all this, the ZERT group created a patch for the VML vulnerability. These guys did a really great job. Gil Dabah, who programmed the patch, deserves a special mention for his coding speed and the robustness of his code.


We all know that third-party patches should be taken with caution. They cannot be tested as thoroughly, in as many environments, as the official patches are. Yet the availability of such a patch is a good thing: at least you have a choice and can protect yourself today, without waiting for the scheduled patch day.


If you use Internet Explorer, then either unregister vgx.dll (as Microsoft advises) or install the unofficial patch. It can be downloaded from http://isotf.org/zert.

UPD: Since the official patch is now available, please use it: http://update.microsoft.com.

March 28, 2006

IE6 vulnerability patch

If you are one of the unfortunate users still forced to use Internet Explorer, consider installing this temporary patch from Determina:

http://www.determina.com/security_center/security_advisories/securityadvisory_march272006_1.asp

Just do not forget to reboot your computer after applying the patch; the installer does not seem to insist on it. If you cannot reboot the computer, then at least close all IE6 windows to get rid of the vulnerable copies in memory.

The patch is nice and clean. It does not modify the system files on the disk.

If you continue to use IE6 by inertia, consider switching to another browser. Diversity is good for security.

March 14, 2006

On uninitialized variables

Quite a busy week, sorry for being silent.
I wanted to talk about an annoyance I discovered with all my C/C++ compilers.

Here is a quite interesting presentation from Halvar Flake:

Attacks on uninitialized local variables

After reading it I wanted to check my compilers and created a small C file. I wanted to see whether the compilers would warn me about a potentially uninitialized variable. The source code was pretty simple:


void const_ptr_acceptor(const int *);

int control_func(void)
{
    int x;
    return x + 1;           // compiler emits a warning
}

int check_func(void)
{
    int x;
    const_ptr_acceptor(&x); // we do not modify x here!
    return x + 1;           // compiler does not emit a warning
}

We have two functions; both use an uninitialized variable. The only difference is the call to const_ptr_acceptor(), which promises not to modify 'x'. I compiled this source code with all warnings turned on. I expected two warnings from the compiler: one about 'control_func' and a second about 'check_func'. However, there was only one warning:


E:\hex\const_ptr>cl /Wall /c const_ptr.cpp
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 14.00.50215.44 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.

const_ptr.cpp
e:\hex\const_ptr\const_ptr.cpp(6) : warning C4700: uninitialized local variable 'x' used

I tried all available compilers, and they were unanimous in their behavior: as soon as we pass a pointer to a variable, the compiler considers it initialized. We explicitly state with the const qualifier that the function does not modify the variable, but the compilers seem to ignore it.

I compiled the code with Microsoft Visual Studio, Borland BCB6, GNU C and the Intel compilers.
I still have no explanation for why all compilers behave this way.
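As an added example (not code from the post), the following C program shows why a const-qualified pointer parameter cannot be taken as proof that the callee leaves the variable alone, and what a defensive version of check_func() looks like. Casting away const and storing through the pointer is well-defined C as long as the pointed-to object is itself not const (a local int is not), so from the caller's side the qualifier proves nothing about whether x was written; once the address of x escapes into a call, the compiler's uninitialized-use analysis can only be conservative. The names read_only, contract_breaker and check_func_hardened are this example's own.

```c
#include <stdio.h>

/* Callee that honours the const contract: it only reads *p. */
static int read_only(const int *p)
{
    return *p;
}

/* Wrapper giving read_only() the same signature as the other callee. */
static void call_read_only(const int *p)
{
    (void)read_only(p);
}

/* Callee that breaks the contract. Casting away const and storing through
 * the pointer is well-defined C when the pointed-to object is non-const
 * (a local int is), so the const qualifier on the parameter does not tell
 * the caller whether x was modified. */
static void contract_breaker(const int *p)
{
    *(int *)p = 41;
}

/* Same shape as check_func() from the post, but x is initialised at its
 * declaration. Its value is now defined whatever the callee does: 0 if the
 * callee honoured the contract, 41 if it wrote through the pointer. */
static int check_func_hardened(void (*callee)(const int *))
{
    int x = 0;
    callee(&x);
    return x + 1;
}

int main(void)
{
    printf("honest callee:   %d\n", check_func_hardened(call_read_only));   /* 1 */
    printf("cheating callee: %d\n", check_func_hardened(contract_breaker)); /* 42 */
    return 0;
}
```

Compiling with warnings enabled (cl /Wall, gcc -Wall -Wextra) reproduces the post's observation: no uninitialized-use diagnostic is possible for x once its address has been handed to a call, so initializing at the declaration is the reliable fix. Where the compiler supports it, -ftrivial-auto-var-init (clang; GCC 12 and later) makes every automatic variable start with a defined value, and MemorySanitizer (clang -fsanitize=memory) can flag the uninitialized read in the original check_func() at run time even though the static analysis cannot.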

February 13, 2006

FOSDEM

Each year in Brussels, Belgium there is a conference called FOSDEM. It is organized on the last weekend of February. There seem to be some interesting talks about security and program development this year. The development track is almost fully dedicated to various CVSes. The choice of CVS is a matter of faith, like the choice of editor, so it doesn't hurt to go and see what others use...

I'll also attend the talk about Valgrind by Julian Seward. I have loved the tool since the first time I used it.

See you there :)

January 09, 2006

Back to normal operation

I restored the old configuration and the blog will continue its normal operation now. The hotfix cannot be downloaded from the site anymore, but its source code is still available.

Thank you all for the support! I'd like to say thank you once more to the guys who mirrored the files!

P.S. Next week we will talk about some decompilation problems.

January 03, 2006

Silent WMF Hotfix Installer

The new version is suitable for automated setup (for example, in logon scripts).

January 01, 2006

WMF Vulnerability Checker

It seems that many users installed the hotfix for the WMF vulnerability on their machines.

December 31, 2005

Windows WMF Metafile Vulnerability HotFix

This week a new vulnerability was found in Windows:

http://www.microsoft.com/technet/security/advisory/912840.mspx

Browsing the web was no longer safe, regardless of the browser. Microsoft will certainly come up with a thoroughly tested fix for it in the future, but meanwhile I developed a temporary fix, since I badly needed one.

November 22, 2005

How to unpack XCP.DAT?

I updated my EFD utility to handle the packed XCP.DAT file. To extract the files from the archive, run:

efd -x xcp.dat

in a clean directory. It will create files named xcp1.dat, xcp2.dat, etc. Unfortunately the file names are not stored in the archive, which is why the extracted names are so meaningless.

Here is the utility: efd.zip

November 20, 2005

Sony DRM

Last week several LGPL violations were found in Sony's DRM implementation.
Here is a proof of one violation. Here is a dedicated page with many other findings.

By the way, the license breach could be found using the simplest tools on earth: any hex editor, or the strings tool from Unix, would be enough to find the copyright strings. In MS Windows, Start > Search for Files or Folders would be sufficient as well. Just think about it and look.
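As an added example (not from the post or from any of the linked findings), here is a minimal strings(1)-style scanner in C run over a constructed byte blob, followed by a filter for the licence and copyright markers an auditor would look for. The blob, the marker list and the function names are this example's own assumptions, not data from the XCP files.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_STRINGS 16
#define MAX_STRLEN  64

/* Constructed sample "binary": junk bytes around the kind of strings a
 * licence audit looks for. Not taken from any real file. */
static const unsigned char sample_blob[] = {
    0x4d, 0x5a, 0x90, 0x00, 0x03, 0x00,
    'C','o','p','y','r','i','g','h','t',' ','(','C',')',' ','2','0','0','1',
    0x00, 0x01, 0x02,
    'L','G','P','L',
    0x00, 0xff, 0xfe,
    'G','N','U',' ','L','e','s','s','e','r',' ','G','e','n','e','r','a','l',
    0x00, 'a','b', 0x00
};

/* Minimal strings(1): copy every run of at least min_len printable ASCII
 * bytes into out[] as a NUL-terminated string and return the number of runs.
 * Runs longer than MAX_STRLEN-1 are truncated; at most MAX_STRINGS are kept. */
static int extract_strings(const unsigned char *buf, size_t len, size_t min_len,
                           char out[MAX_STRINGS][MAX_STRLEN])
{
    int count = 0;
    size_t start = 0;

    for (size_t i = 0; i <= len; i++) {
        /* The end of the buffer terminates the last run like a NUL would. */
        if (i < len && isprint(buf[i]))
            continue;
        size_t run = i - start;
        if (run >= min_len && count < MAX_STRINGS) {
            size_t n = run < MAX_STRLEN - 1 ? run : MAX_STRLEN - 1;
            memcpy(out[count], buf + start, n);
            out[count][n] = '\0';
            count++;
        }
        start = i + 1;
    }
    return count;
}

/* Count extracted strings containing any licence/copyright marker.
 * The marker list is this example's own choice. */
static int count_licence_hits(char strings[][MAX_STRLEN], int n)
{
    static const char *markers[] = { "Copyright", "LGPL", "GPL", "GNU " };
    int hits = 0;
    for (int i = 0; i < n; i++) {
        for (size_t m = 0; m < sizeof markers / sizeof markers[0]; m++) {
            if (strstr(strings[i], markers[m])) {
                hits++;
                break;
            }
        }
    }
    return hits;
}

/* Number of printable runs (min length 4) in the constructed blob. */
static int sample_string_count(void)
{
    char found[MAX_STRINGS][MAX_STRLEN];
    return extract_strings(sample_blob, sizeof sample_blob, 4, found);
}

/* Number of those runs that look licence-related. */
static int audit_sample_blob(void)
{
    char found[MAX_STRINGS][MAX_STRLEN];
    int n = extract_strings(sample_blob, sizeof sample_blob, 4, found);
    return count_licence_hits(found, n);
}

int main(void)
{
    char found[MAX_STRINGS][MAX_STRLEN];
    int n = extract_strings(sample_blob, sizeof sample_blob, 4, found);
    for (int i = 0; i < n; i++)
        printf("%s\n", found[i]);
    printf("%d of %d strings look licence-related\n", count_licence_hits(found, n), n);
    return 0;
}
```

On the constructed blob the scanner yields three strings ("Copyright (C) 2001", "LGPL", "GNU Lesser General") and all three match a marker; on a real executable the same two steps, a printable-run scan and a keyword filter, are exactly what running strings and grep does, which is why no special tooling was needed to spot the notices.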

In theory the license breach is easy to fix: just add the required copyright notice to the initial dialog box and the license violation is gone.

What is not easy to fix is public opinion. Many will think: Sony's rootkit is a bad thing and (therefore) DRM in general is a bad thing too. In fact what we need is a good DRM implementation (since the option of having no DRM is not available): one without rootkits and without the 'security by obscurity' approach, and one that does not punish legal buyers.

Latest news: Hex-Rays decompiler has been released!