Dailydave mailing list archives

RE: BinNavi versus WMF


From: "Dave Korn" <dave.korn () artimi com>
Date: Tue, 3 Jan 2006 18:44:01 -0000

Dave Aitel wrote:

http://www.immunityinc.com/downloads/navi_wmf_loadlibrary.PNG

"I wonder if there's any way for me to get the MetaFile reader to load
an arbitrary library?"

One of the weird things you have to get used to with BinNavi is
learning to be a bit more fluid about the questions you ask. 

  That's not "getting used to BinNavi", that's pretty much the definition of
hacking, isn't it?  ;)

  Instead of asking yourself "How can I do this", you ask yourself "Here's a
system that responds to these stimuli with these responses - what might the
final outcome of the chain of cause and effect be if I don't do things in the
typical/expected way?".

  You don't think about buffers and overflows, you just think about stimuli
and responses, inputs and outputs, and the very basic building blocks that you
have before you that could be assembled or made to interact in any way you
like that reaches an interesting or desirable end goal.

  Can't find a convenient "push reg/ret" sequence to overwrite the saved eip
with in order to use to bounce into your user-controlled data?  Then overwrite
the eip with the address of memcpy - or just a single "rep stosd" that you
found somewhere convenient in the code or data of the program - if the eip
won't come to the code, the code must come to the eip!

  So yeh, I guess "becoming a bit more fluid" about the questions you ask is
one way of describing it.  Another way to say it would be "Ask less *directed*
questions, because they constrain the breadth of your thinking less"; as soon
as you've asked "How can I do /this/", you'll be thinking about every idea in
terms of whether or not it achieves /this/ or not, and entirely overlook the
incredibly interesting /that/ which your idea might achieve instead.

Some people, like Sinan, can read flat disassembly to answer these sorts of
questions. I'm not one of those people. Having the right tools helps
though. I thought the graph was pretty because it illustrates the
complexity of exposure.

  It's very much like playing chess, and trying to consider all the branching
possibilities of future outcomes based on the opponent's responses to the
moves you make and trying to find a sequence of moves that forces them into a
response you want!

Plus it's just plain pretty - a nice picture
of 1985 innocence. Kinda like Britney in her first video.

  To me it looks more kinda like a wireframe render of the MCP, from Tron...
<g>

   cheers,
      DaveK
-- 
Can't think of a witty .sigline today....
