Dailydave mailing list archives
RE: BinNavi versus WMF
From: "Dave Korn" <dave.korn () artimi com>
Date: Tue, 3 Jan 2006 18:44:01 -0000
Dave Aitel wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> http://www.immunityinc.com/downloads/navi_wmf_loadlibrary.PNG
>
> "I wonder if there's any way for me to get the MetaFile reader to load an arbitrary library?"
>
> One of the weird things you have to get used to with BinNavi is learning to be a bit more fluid about the questions you ask.
That's not "getting used to BinNavi", that's pretty much the definition of hacking, isn't it? ;)

Instead of asking yourself "How can I do this", you ask yourself "Here's a system that responds to these stimuli with these responses - what might the final outcome of the chain of cause and effect be if I don't do things in the typical/expected way?". You don't think about buffers and overflows, you just think about stimuli and responses, inputs and outputs, and the very basic building blocks that you have before you that could be assembled or made to interact in any way you like that reaches an interesting or desirable end goal.

Can't find a convenient "push reg/ret" sequence to overwrite the saved eip with in order to use to bounce into your user-controlled data? Then overwrite the eip with the address of memcpy - or just a single "rep stosd" that you found somewhere convenient in the code or data of the program - if the eip won't come to the code, the code must come to the eip!

So yeh, I guess "becoming a bit more fluid" about the questions you ask is one way of describing it. Another way to say it would be "Ask less *directed* questions, because they constrain the breadth of your thinking less"; as soon as you've asked "How can I do /this/", you'll be thinking about every idea in terms of whether or not it achieves /this/ or not, and entirely overlook the incredibly interesting /that/ which your idea might achieve instead.
> Some people, like Sinan, can read flat disassembly to answer these sorts of questions. I'm not one of those people. Having the right tools helps though. I thought the graph was pretty because it illustrates the complexity of exposure.
It's very much like playing chess, and trying to consider all the branching possibilities of future outcomes based on the opponent's responses to the moves you make and trying to find a sequence of moves that forces them into a response you want!
> Plus it's just plain pretty - a nice picture of 1985 innocence. Kinda like Britney in her first video.
To me it looks more kinda like a wireframe render of the MCP, from Tron... <g>

cheers,
DaveK
--
Can't think of a witty .sigline today....