Data Flow Tracking in Flash Player: DefineBitsJPEG2
Here are some offsets of the standalone Flash Player 12.0.0.38 (flashplayer_12_sa.exe has a size of 10,339,208 bytes). The offsets are reached when parsing the ImageData field in the DefineBitsJPEG2 tag.
0x570e7 |...
Data Flow Tracking in Flash Player: Undocumented Bytecodes and JIT
Undocumented Bytecodes
I did some analysis of how the bytecodes in the DoABC tag are parsed, and compared the result against what I saw in the AVM2 documentation (May 2007). I found that Flash Player can parse...
Bug in Flash Player when processing PNG format
The Bug
The PNG file consists of a sequence of data structures called chunks. A chunk has a Length field that is a DWORD value. A specially crafted Length field can cause an integer overflow in Flash...
Trace And Watch
This is how I recently performed dynamic integer analysis on a 32-bit binary application that reads DWORD values from a file. The file format contains many fields of type DWORD. There was given a...
On-the-fly Switching Between Debuggers
Sometimes it's useful to switch between debuggers without restarting the target application. One example is when you want to use a capability of another debugger that the current one doesn't have...
Tracking Down by Pin
Recently I faced a challenging situation. At first sight it looked like a common debugging problem that could be solved with some experimentation, but the more time I spent on it the more...
Change of Execution Flow in Debugger
When debugging, sometimes we need to force execution to either take or not take a conditional jump. There are several ways to achieve this. One possibility is to overwrite the conditional jump with...
Thoughts About Finding Race Condition Bugs
Race condition bugs can exist in multi-threaded applications. Improper synchronization can be the root cause of race condition bugs. Stress testing is a good start for finding such bugs. It might not...
Examining Unknown Binary Formats
This post discusses methods for examining unknown binary formats, whether a file, a file fragment, or a memory dump. Before discussing the methods, I describe a few scenarios when...
You May Not Need to Debug SSE Instructions
There are binaries that contain two implementations of an algorithm. The first is meant to run on all architectures and so consists of i386 instructions only. The second one is...
Inspection of Division & Multiplication
Division and multiplication calculations can trigger bugs and potentially pose security risks. Here are a few things that I believe to be helpful for those who do binary...
Order of Memory Reads of Intel's String Instructions
Neither the Intel Manual nor Kip R. Irvine's assembly book discusses the behavior of x86 string instructions I'm describing in this post. Given the following instruction that compares the byte at ESI...
Security Implications of IsBad*Ptr Calls in Binaries
The IsBad*Ptr [1] functions test whether the memory range specified in their arguments is accessible. Despite having been banned, they are still referenced in many binaries...
Issues with Flash Player & Firefox in Non-default Configurations
A few months ago I encountered a bug when a fuzzed Flash file was rendered by Flash Player in Firefox. This bug can be reached only in the non-default configuration described below, so it is very unlikely...
251 Potential NULL Pointer Dereferences in Flash Player
251 potential NULL pointer dereference issues have been identified in Flash Player 14 by a pattern matching approach. The file examined is NPSWF32_14_0_0_145.dll (17,029,808 bytes). The issues are...
Examining Native Code by Looking for Patterns
Earlier this year a post was published on examining a data format without using the program that reads it. That post discusses patterns to look for in order to identify certain constructs. This...
Inspection of SAR Instructions
SAR stands for Shift Arithmetic Right, and the instruction performs an arithmetic shift. It preserves the sign of the value being shifted, so the vacant bits are filled according to the...
Practical Suggestions for Writing a Pintool
This is my list of practical suggestions for people developing a pintool. Since I have dealt with these issues before, I thought I would jot them down to help others. By applying them you should be somewhat closer to...
Instrumenting Flash Player to Inspect JITted Pages for Integer Errors
In this blog post I write about the method I am experimenting with to discover areas in Flash Player that may or may not be prone to integer errors. I have 26k Flash files that are used as a...
Variable-length permutation with repetition using backtracking
Recently, I needed an implementation of a search algorithm that satisfies the following. It must be able to produce variable-length permutations with repetition of a given set. It must be...