Quickpost: IDAPython script to identify unrecognized functions.

•December 6, 2011 • 1 Comment


Hey folks! This time I’m gonna share with you a small IDAPython tool made by Federico Muttis (aka @acid_; maybe you remember him from the -pretty awesome- Pidgin vulnerability or the WebEx one). This is one of those scripts you end up using and reusing again and again when working with obscure firmware, memory dumps or other unknown pieces of code. A lot of us have written something like this in the past; it’s a must. But I felt we really needed something with a slightly more general approach, which is what Acid did.

Let’s see what he has to say about it 😉

Continue reading ‘Quickpost: IDAPython script to identify unrecognized functions.’

Apple OS X Sandbox Predefined Profiles Bypass

•November 14, 2011 • Leave a Comment
You know... the Apple sandbox, the ‘seatbelt’, the dog. Heh, that’s funny, isn’t it?

Nice seatbelt.

Hey guys!
Today I wanna mention a little bug we found together with Matias Eissler. It’s not a big deal, that’s clear, but it’s potentially dangerous and it shows the complexity of a sandbox implementation.

This is the story: after a few hours fooling around with the sandbox, we found a method that allowed us to bypass the network access restriction. The funny thing is that we did a quick Google search on the topic to see if any of this had been reported before, and guess what? Charlie Miller publicly disclosed the same thing (that Apple Events were allowed by a sandbox profile) for the quicklookd profile something like 3 years ago.

Continue reading ‘Apple OS X Sandbox Predefined Profiles Bypass’

Ph-Neutral 0x7db

•May 23, 2011 • 21 Comments


And the day finally came. The last (public, at least) edition of Ph-Neutral is very close and I gotta say: I’m very excited about being there. Luckily, I’ll be arriving two days before the conference, so I’m gonna have enough time to recover from the flight. I wanna be in good shape to deal with the -pretty insane- Ph-Neutral rhythm, which usually consists of a mix of highly technical talks with amazing parties at night.

Continue reading ‘Ph-Neutral 0x7db’

[Unpatched] Apple OS X ATSServer CFF CharStrings INDEX Sign Mismatch (The Jailbreakme bug in OSX)

•November 9, 2010 • 6 Comments


Hey guys! It’s been a long time since my last post… I’ve been very busy with some personal projects, but I thought this advisory deserved at least a small post.

I’ll make it short: Matias Eissler, a teammate at Core, triggered the Jailbreakme bug in OSX, so we decided to spend some time researching it.

Continue reading ‘[Unpatched] Apple OS X ATSServer CFF CharStrings INDEX Sign Mismatch (The Jailbreakme bug in OSX)’

IDAPython conditional breakpoints or ‘QuickHooking with IDAPython’

•June 29, 2010 • 4 Comments

Conditional breakpoints

Conditional breakpoints. Oh, beloved conditional breakpoints! Everybody loves conditional breakpoints. They let us stop at exactly the moment we care about, sparing us a lot of tedious manual tracing. There isn’t anything easier or more gratifying than hooking our process’ code by just setting a breakpoint, typing a few lines, and watching the process stop right there, when the fun starts. Nowadays almost every decent debugger has conditional breakpoints, some with very flexible interfaces and others with very limited ones. In fact, that is the crucial point when deciding where the limit lies between a complex conditional breakpoint and the use of a debugging library/tool that gives us full control of the context to manipulate the process execution programmatically as we need. When it comes to IDA, we can say it has a very flexible interface because it lets us define the breakpoint conditions in the IDC scripting language. It’s mostly used to express very simple conditions like EAX == 0x1 or to do small memory modifications. But, as an IDAPython fan, I’ve always wanted to be able to use IDAPython when handling my quick conditional breakpoints.

Continue reading ‘IDAPython conditional breakpoints or ‘QuickHooking with IDAPython’’

[TIP] How to define a keyboard shortcut for an IDAPython script

•January 3, 2010 • 6 Comments


Today, I want to share with you a very useful tip that I’ve been using for a while and particularly like. Gera posted a variation of it in the official IDA forum some time ago, but I think it’s worth sharing here too.

Usually, in IDA, we find ourselves needing a way to define a shortcut for that useful IDAPython script, to bypass the tedious “alt+9 + [select the wanted IDAPython script] + enter” procedure.

Continue reading ‘[TIP] How to define a keyboard shortcut for an IDAPython script’
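Here is what a minimal version of that “quick hooking” looks like when it is combined with the hotkey trick from the tip above: press a key on an instruction, type a Python expression over register names, and the breakpoint only stops when the expression is true. This is an added example, not the script from either post. It assumes the IDA 7.x IDAPython modules (ida_dbg, ida_kernwin, idc), that ida_dbg.continue_process() called from a DBG_Hooks.dbg_bpt callback resumes the process, and an arbitrary hotkey binding (HOTKEY). The IDA imports are optional so the condition logic can be imported and exercised outside IDA.

```python
"""Quick conditional breakpoints in IDAPython, installed from a hotkey.

Added example, not the script from either post. Assumes the IDA 7.x IDAPython
modules (ida_dbg, ida_kernwin, idc); HOTKEY is an arbitrary choice. The IDA
imports are optional so the condition logic can run and be tested outside IDA.
"""
import ast

try:
    import ida_dbg, ida_kernwin, idc
    _DbgHooksBase = ida_dbg.DBG_Hooks
except ImportError:  # not running inside IDA (e.g. unit tests)
    ida_dbg = ida_kernwin = idc = None
    _DbgHooksBase = object

HOTKEY = "Ctrl-Shift-B"  # assumed binding; pick any key IDA does not already use

_conditions = {}  # breakpoint address -> predicate(read_reg) -> bool


def compile_condition(expr):
    """Turn 'eax == 1 and ecx > 0x10' into a predicate over a read_reg(name) callback.

    Every bare name in the expression is treated as a register and looked up
    at hit time, so it works for whatever register names the backend exposes.
    Builtins are disabled; this is for conditions you type into your own
    debugging session, not for untrusted input.
    """
    tree = ast.parse(expr, mode="eval")
    names = {node.id for node in ast.walk(tree) if isinstance(node, ast.Name)}
    code = compile(tree, "<bpt-condition>", "eval")

    def predicate(read_reg):
        env = {name: read_reg(name) for name in names}
        return bool(eval(code, {"__builtins__": {}}, env))

    return predicate


def add_condition(ea, predicate):
    _conditions[ea] = predicate


def should_stop(ea, read_reg):
    """No predicate registered: plain breakpoint, always stop. A predicate that
    raises (typo, unknown register) also stops, so the mistake is noticed."""
    predicate = _conditions.get(ea)
    if predicate is None:
        return True
    try:
        return predicate(read_reg)
    except Exception as exc:
        print("condition at 0x%x raised %r; stopping" % (ea, exc))
        return True


class QuickHook(_DbgHooksBase):
    """Debugger hook: resume the process when the Python condition is false."""

    def dbg_bpt(self, tid, ea):
        if not should_stop(ea, idc.get_reg_value):
            ida_dbg.continue_process()  # condition false: resume silently
        return 0  # never show IDA's breakpoint warning dialog


def set_condition_at_cursor():
    """Hotkey callback: conditional breakpoint at the address under the cursor."""
    ea = ida_kernwin.get_screen_ea()
    expr = ida_kernwin.ask_str("eax == 1", 0, "Python condition for 0x%x" % ea)
    if not expr:
        return
    add_condition(ea, compile_condition(expr))
    idc.add_bpt(ea)
    print("conditional breakpoint at 0x%x: %s" % (ea, expr))


_hook, _hotkey = None, None


def install():
    global _hook, _hotkey
    _hook = QuickHook()
    _hook.hook()
    _hotkey = ida_kernwin.add_hotkey(HOTKEY, set_condition_at_cursor)
    print("QuickHook installed; press %s on an instruction" % HOTKEY)


def uninstall():
    global _hook, _hotkey
    if _hook is not None:
        _hook.unhook()
    if _hotkey is not None:
        ida_kernwin.del_hotkey(_hotkey)
    _hook, _hotkey = None, None


if __name__ == "__main__" and ida_dbg is not None:
    install()
```

Run it once as a script file inside a debugging session, put the cursor on an instruction and press the hotkey; the prompt takes an expression such as eax == 1 and ecx > 0x10. Unlike an IDC condition, the predicate is ordinary Python, so the same pattern extends to reading memory through ida_bytes or keeping state between hits. A broken expression stops the process rather than skipping every hit, which is the failure mode you want while you are still getting the condition right.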

FindInfunc.py (Little script to search for a pattern within a function)

•January 1, 2010 • 3 Comments

It is very common, when reversing a big function in IDA, to need to look for a specific instruction, basic block, or even a particular string within that function.
I know we can use marks (CTRL+M) for this task, but to use that feature we’d need to have already been there to set the mark (ALT+M).

Sometimes we want to jump to a piece of code where we’ve never been before. The “Text Search” command is not ideal for this because it searches for the pattern through the whole binary. Well, we can use it, but it’s far from optimal.

Continue reading ‘FindInfunc.py (Little script to search for a pattern within a function)’
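The core of such a script is small: collect the instruction heads of the function under the cursor, match their disassembly text against a pattern, and jump to the first hit after the cursor (wrapping around inside the function). The following is an added example in that spirit, not FindInfunc.py itself. It assumes the IDA 7.x IDAPython modules (ida_funcs, ida_kernwin, idautils, idc) and an arbitrary hotkey; SAMPLE_FUNCTION is a constructed disassembly listing, included only so the search logic runs outside IDA.

```python
"""Search for a pattern inside the current function only.

Added example, not the original FindInfunc.py. Assumes the IDA 7.x IDAPython
modules (ida_funcs, ida_kernwin, idautils, idc); HOTKEY is an arbitrary
choice. The search works on plain (address, text) pairs so it can be
exercised outside IDA.
"""
import re

try:
    import ida_funcs, ida_kernwin, idautils, idc
except ImportError:  # not running inside IDA
    ida_funcs = ida_kernwin = idautils = idc = None

# Constructed disassembly of a small function, used when run outside IDA.
SAMPLE_FUNCTION = [
    (0x401000, "push    ebp"),
    (0x401001, "mov     ebp, esp"),
    (0x401003, "call    sub_401200"),
    (0x401008, "test    eax, eax"),
    (0x40100A, "jz      short loc_401020"),
    (0x40100C, "push    offset aFormat ; \"%s\\n\""),
    (0x401011, "call    _printf"),
    (0x401016, "call    sub_401200"),
    (0x40101B, "retn"),
]


def search_lines(lines, pattern, cursor=None, literal=False, ignore_case=True):
    """Return the (ea, text) lines matching pattern, next-after-cursor first.

    lines is an ordered list of (ea, text). Hits located after cursor come
    first, then the search wraps around to the start of the function, which
    mirrors how a repeated "find next" behaves inside IDA.
    """
    if literal:
        pattern = re.escape(pattern)
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    hits = [(ea, text) for ea, text in lines if rx.search(text)]
    if cursor is None:
        return hits
    after = [h for h in hits if h[0] > cursor]
    before = [h for h in hits if h[0] <= cursor]
    return after + before


def function_lines(ea):
    """Disassembly of the function containing ea as (head, text) pairs (IDA only)."""
    func = ida_funcs.get_func(ea)
    if func is None:
        raise ValueError("0x%x is not inside a function" % ea)
    return [(head, idc.GetDisasm(head)) for head in idautils.FuncItems(func.start_ea)]


def find_in_current_function():
    """Hotkey callback: prompt for a pattern, jump to the next hit in this function."""
    cursor = ida_kernwin.get_screen_ea()
    pattern = ida_kernwin.ask_str("", 0, "Regex to find in the current function")
    if not pattern:
        return
    hits = search_lines(function_lines(cursor), pattern, cursor=cursor)
    if not hits:
        print("no match for %r in this function" % pattern)
        return
    for ea, text in hits:
        print("0x%x  %s" % (ea, text))
    ida_kernwin.jumpto(hits[0][0])


HOTKEY = "Ctrl-Shift-F"  # assumed binding

if __name__ == "__main__":
    if ida_kernwin is not None:
        ida_kernwin.add_hotkey(HOTKEY, find_in_current_function)
        print("press %s inside a function to search it" % HOTKEY)
    else:
        for ea, text in search_lines(SAMPLE_FUNCTION, r"call\s+sub_401200", cursor=0x401003):
            print("0x%x  %s" % (ea, text))
```

Because idautils.FuncItems walks every chunk of the function, the search covers non-contiguous function tails as well, which a text search bounded by the function’s first and last address would miss. All hits are printed in the output window, so after jumping to the first one you still have the full list to pick from.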