Breaking Code

April 9, 2012

MSDN Help Plugin for OllyDbg / Immunity Debugger

Filed under: Tools — Tags: , , , , , , , — Mario Vilas @ 4:49 pm

Hi everyone! I just wrote a quick OllyDbg 1.x plugin and I wanted to share it. If you don’t know what that means, read my other article instead at the Buguroo Blog which has a more detailed explanation on what it is and how to use it. This post is more about why I wrote it and how it works.

Anyway. After a conversation on Twitter about how it’s becoming increasingly harder to find the venerable WIN32.HLP file – and how it was becoming ever more outdated, I came to realize I didn’t know of any OllyDbg plugin to use the more modern and up to date MSDN documentation. I asked around and no one else seems to have written such a plugin, so I wrote my own.

It’s sort of a dirty hack – in general there’s no easy way of overriding existing features in Olly, the plugin API is rather meant to add new functionality. So after messing about with it for a while I came up with an easy hack – the plugin just hooks the WinHelp() API call to detect when WIN32.HLP is about to be opened, and launches the default web browser instead. Any other help file is launched normally.

The next step would be to search the MSDN looking for the API call the user requested. Then again, a quick hack came to the rescue ๐Ÿ™‚ since instead of figuring out how to perform MSDN searches it was much easier to just use a Google search with the “I Feel Lucky” button. You can find out more here about the unofficial Google Search API.

The plugin is also compatible with the newer Immunity Debugger which is based in OllyDbg, and was tested on both.

To install, just copy the DLL file in the plugins folder (by default is the same where the main EXE lives). You do need to have set the win32.hlp file in the configuration at some point (so Olly actually tries to open it, otherwise the plugin never finds out). It doesn’t need to be the real file though, any file named “win32.hlp” will do the trick, even if it’s 0 bytes long. ๐Ÿ™‚



April 8, 2012

Installers for BeaEnginePython, Pymsasid, PyDasm and Libdisassemble

Filed under: Tools — Tags: , , , , , , , — Mario Vilas @ 7:25 pm

I’ve packaged the BeaEngine Disassembler along with its Python bindings into a no-frills Windows installer. Certainly easier than manual install, and it really helps me when installing it on virtual machines. ๐Ÿ™‚


Update: Just added another disassembler package, Pymsasid.

Update: Added precompiled Windows binaries for PyDasm on Python 2.6 and 2.7.

Update: My installers were added to the Python Arsenal for RE. ๐Ÿ™‚

Update: The Pymsasid package was updated with a small change, so the importation works just the same as loading the .py files from the current directory (it’s just an “import *” in

Update: Added a simple setup script for Libdisassemble 2.0. Since I had to put the sources inside a package the import statement in your scripts will have to be adjusted if using this version. With a simple try/except block you can make scripts compatible with both versions as well, if you need to.


BeaEngine win32 installer: BeaEnginePython-3.1.0.win32.exe

BeaEngine win64 installer:

BeaEngine source installer: (run “python install”)

Libdisassemble 2.0 win32 installer: libdisassemble-2.0.win32.msi

Libdisassemble 2.0 win64 installer:

Libdisassemble 2.0 source installer: (run “python install”)

PyDasm precompiled binaries: (run “python install”)

Pymsasid source installer: (run “python install”)

March 18, 2012

Heappie! + WinAppDbg

Filed under: Tools — Tags: , , , , , , — Mario Vilas @ 7:35 pm

In case you missed it, Anรญbal Sacco released a new tool called Heappie! to analyze heap sprays in multiple platforms. It uses PyGame and PythonCard for the GUI and Kenshoto’s VTrace as the backend. It’s really cool, check it out ๐Ÿ™‚

Trippy screenshot, dude!

Now, I never get tired of saying how great VTrace is. It’s written in Python, supports multiple platforms and quite comfortable to develop with. But alas, I tend to prefer my own debugger (call me biased if you wish!). So today I went ahead and added WinAppDbg support to Heappie!. When WinAppDbg is installed, it’s chosen automatically as the backend. If not found, it falls back to VTrace. That way we don’t lose support for other platforms, since WinAppDbg naturally only works on Windows.

This patch also adds support for 64 bit versions of Windows, in case you were thinking this was just an exercise in self indulgence. Well, it is that, but not just that. Ahem.


Just download the file above, go to Anรญbal’s blog to learn how to use it, and exploit all the bugs! ๐Ÿ˜€

So many vulns, so little time.


July 20, 2011

Listing all available Java cryptographic services

Filed under: Cryptography, Tools — Tags: , , , , — Mario Vilas @ 1:17 pm

I recently wanted to know which hash functions were available to Java in a given machine, so I cooked up a little command line tool for that. Maybe this could be useful to others so I posted it here.

Java hash functions are implemented as a MessageDigest object, which you can’t instance directly but rather get an instance through the MessageDigest.getInstance() static method. It takes as it’s only argument a string with the name of the algorithm – but I couldn’t find an easy way to enumerate all available algorithms.

After a little googling I found this code example at Example Depot to do it programatically. Since results may vary from one installation of Java to the next, a command line tool would have been more useful to me, but I don’t know of any. (If you do, let me know!)

Anyway, I wrapped the code in a very simple Main function and compiled it using Eclipse. I called this little tool “ListServices” because I didn’t feel like thinking of a catchy name. ๐Ÿ˜›

By default this tool lists all available cryptographic providers, but you can specify just the ones you need (in the example below, we type MessageDigest to get just the hashing algorithms):

        $ java -jar ListServices.jar

                (... output omitted for brevity ...)

        $ java -jar ListProviders.jar MessageDigest


Enjoy! ๐Ÿ™‚

Update: Added source code to Github.


Executable JAR

Source code + Eclipse project

September 8, 2010

A dual screen hack: x2vnc

Filed under: Just for fun — Tags: , , , , — Mario Vilas @ 6:30 pm

Today I just had to use two laptop computers simultaneously, and switching back and forth was driving me insane. Then I remembered an old trick I used to pull back at my old job: the dual screen hack.

Most of you probably know it already, but just in case, here goes the explanation. You can connect two computers and simulate what would happen if you had two monitors instead: when the mouse leaves the screen in one computer, it “enters” the other computer on the opposite side of the screen. For example, if you have two laptops on your table and you move the mouse to the right, after reaching the border of the screen you see it coming out on the left side of the other computer. ๐Ÿ™‚

The magic is done by using a remote desktop protocol like VNC, which lets you send keystrokes and mouse events, but discarding the framebuffer updates. That is, a program that connects to the remote desktop, but instead of showing you the remote screen, it monitors mouse movements locally and when the mouse reaches the screen limits, it captures the mouse and starts sending mouse events to the remote system. Similarly, when the mouse reaches the opposite limit on the remote system, it stops capturing the mouse so you can use it on the local system.

Since I use Linux my choice was x2vnc, the Linux cousin of the more famous Win2VNC, also by the same author. But unlike Win2VNC which is now actively maintained at SourceForge, x2vnc seems to have been abandoned.

x2vnc supports SSH tunneling, which is just perfect since VNC is a plaintext-only protocol and insecure by design. However there’s no easy way to tell x2vnc to which port to connect or which username to login as – it defaults always to the current local user and port 22.

I also had a problem with my other laptop, which had Windows 7. When the mouse cursor leaves the screen, it is “parked” to a corner of the screen so it doesn’t show (it’d be confusing to see two mouse cursors as you wouldn’t know which one is active). But the corner chosen by x2vnc is always the lower right corner, causing Windows 7 to hide all active windows… very annoying.

So I did what any other geek would do in my situation – branch it! ๐Ÿ˜€

The patched code is now at Google Code Github. The new command line switches I added were:

-sshuser: Log in to the SSH tunnel using the given username.

-sshport: Connect to the given TCP port number instead of the SSH default (22).

-restingx and -restingy: Tell x2vnc where to park the mouse cursor. A value of 0 means left or top, a value of -1 means right or bottom. Then for example, -restingx 0 -restingy -1 means the top right corner of the screen.

Enjoy! ๐Ÿ™‚


Source code:

July 23, 2010

“Hiding” your Python source with ROT13

Filed under: Just for fun — Tags: , , , , , — Mario Vilas @ 5:50 pm

First of all I want to make something clear: this is an absolutely lame way to obfuscate your code. I guess some antivirus, IDS or other kind of security scanner may fail to properly analyze the code if it’s encoded like this, but you can’t really fool a human.

Anyway, it was fun ๐Ÿ™‚ and that’s my main motivation to write this blog in the first place, soooo… here it is! A Python source code obfuscator that uses ROT13.

How does it work? Simply put, by misusing the Python source encodings feature. I stumbled upon this idea while reading a thread in Stack Overflow. Python allows us to use any supported form of text encoding for our source code, by placing a magic comment in either the first or second line of the script:

    #!/usr/bin/env python
    # -*- coding: <codec-name-goes-here> -*-

This is useful for example to use UTF-8 and other encodings that allow non-english characters. But Python also has some other fun encodings, like ROT13 (the ancient Roman empire encryption system). The following snippet from Stack Overflow shows how to do it:

    #!/usr/bin/env python
    # -*- coding: rot13 -*-

    cevag "Uryyb fgnpxbiresybj!".rapbqr("rot13")

The only caveat is, ASCII strings are not decoded when you run the script, so you have to do it yourself. Unicode strings on the other hand are decoded automatically.

    #!/usr/bin/env python
    # -*- coding: rot13 -*-

    cevag h"Uryyb fgnpxbiresybj!"

There are some other fun encodings like “base64”, “uuencode”, “zlib” or “bz2” that you can experiment with too. If you try them let me know how it went. ๐Ÿ™‚

I wrote a quick script to use the ROT13 trick. Naturally the source code itself is also encoded in ROT13, decoding it is left as an exercise for the reader. Enjoy!


Source code:

June 29, 2010

Using Google Search from your Python code

Filed under: Tools, Web applications — Tags: , , , , , , , , — Mario Vilas @ 6:31 pm

Hi everyone. Today I’ll be showing you a quick script I wrote to make Google searches from Python. There are previous projects doing the same thing -actually, doing it better-, namely Googolplex by Sebastian Wain and xgoogle by Peteris Krumins, but unfortunately they’re no longer working. Maybe the lack of complexity of this script will keep it working a little longer… ๐Ÿ™‚

The interface is extremely simple, the module exports only one function called search().

        # Get the first 20 hits for: "Breaking Code" WordPress blog
        from google import search
        for url in search('"Breaking Code" WordPress blog', stop=20):

You can control which one of the Google Search pages to use, which language to search in, how many results per page, which page to start searching from and when to stop, and how long to wait between queries – however the only mandatory argument is the query string, everything else has a default value.

        # Get the first 20 hits for "Mariposa botnet" in Google Spain
        from google import search
        for url in search('Mariposa botnet', tld='es', lang='es', stop=20):

A word of caution, though: if you wait too little between requests or make too many of them, Google may block your IP for a while. This is especially annoying when you’re behind a corporate proxy – I won’t be made responsible when your coworkers suddenly develop an urge to kill you! ๐Ÿ˜€

Below are the download links (source code and Windows installers) and the source code for you to read online. Enjoy! ๐Ÿ™‚


  • Version 1.0 (initial release).
  • Version 1.01 (fixed the IOError exception bug).
  • Version 1.02 (fixed the missing href bug reported by Rahul Sasi and the duplicate results bug reported by Slawek).
  • Version 1.03 (extracts the hidden links from the results page, thanks ubershmekel!).
  • Version 1.04 (added support for BeautifulSoup 4, thanks alxndr!).
  • Version 1.05 (added compatibility with Python 3.x, better command line parser, and also added some improvements by machalekj)
  • Version 1.06 (added an option to only grab the relevant results, instead of all possible links from each result page, as requested by user Nicky and others).


Source code: google-1.06.tar.gz

Windows 32 bits installer: google-1.06.win32.msi

Windows 64 bits installer:


Source code

Get the source code from GitHub:

May 5, 2010

The forgotten bug: silently patched vulnerabilities

Filed under: Vulnerabilities — Tags: , , , , , — Mario Vilas @ 10:39 am

Last month, Microsoft released the security bulletin MS10-024 with a patch for a denial of service vulnerability in Exchange and the Windows SMTP service:

“This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Exchange and Windows SMTP Service. The more severe of these vulnerabilities could allow denial of service if an attacker sent a specially crafted DNS response to a computer running the SMTP service.”

However, researcher Nicolรกs Economou found an interesting surprise in this patch: two additional, undisclosed vulnerabilities had also been patched… and they were far more severe than the ones reported! From the Core Security advisory:

“Nicolas found that the Windows SMTP Service does its own DNS resolution of MX records rather that use the DNS resolver from the operating system while investigating CVE-2010-0024.

Furthermore, he found that the patch referenced in MS10-024 fixed two severe bugs that were not disclosed as such in the bulletin and had no CVE identifiers assigned to them. Basic analysis of the vulnerabilities disclosed in this advisory indicates that the threat of DNS spoofing attacks against Windows SMTP service and Microsoft Exchange or of exploitation of CVE-2010-0024 was underestimated in MS10-024.

An attacker may leverage the two previously undisclosed vulnerabilities fixed by MS10-014 to spoof responses to any DNS query sent by the Windows SMTP service trivially. DNS response spoofing and cache poisoning attacks are well known to have a variety of security implications with impact beyond just Denial of Service and Information Disclosure as originally stated in MS10-024.”

In fact, the two “new” vulnerabilities were quite crass. Both Exchange and the SMTP service were doing their own manually crafted DNS queries using incremental transaction IDs, which is a big no-no when implementing DNS because it makes it real easy for attackers to guess the transaction ID and spoof replies, as is a well known fact for… say… the last 16 years or so? But as it turns out, attackers didn’t even need to guess the transaction IDs… because they weren’t even being used when parsing the DNS responses! ๐Ÿ˜ฏ

This omission may be easily attributed to the “embarrasment factor” ๐Ÿ™‚ but it’s still a terrible idea to patch vulnerabilities silently: IT administrators, unaware of the real danger of the problem, may give the patch a lower priority. A denial of service just means having the mail server down for a while until it restarts, so the patch can wait – it’d be worse if the server didn’t work at all because patching went wrong. On the other hand, a DNS poison vulnerability means having an attacker browse through everyone’s emails and taking over all other services you may have on the same machine – patching becomes much more worth the risk.

Of course, this isn’t the first time this happens. Practically every vendor did this at one time or another. A quick Google search for “silently patched vulnerability” shows some 1.400.000 hits at the time I’m writing this, showing this is neither new or uncommon – and that even small software vendors may easily get caught. Especially thanks to the rise of binary diffing tools that can pinpoint precisely where and how the code was patched.

Thanks Alfredo Ortega for pointing out this advisory and providing such a cool sounding title. ๐Ÿ˜‰

April 2, 2010

Using Impacket/Pcapy with Python 2.6 on Windows

Filed under: Tools — Tags: , , , , , , , , , , — Mario Vilas @ 5:30 pm

Hello everyone! Today we’ll be installing Impacket and Pcapy for Python 2.6 on Windows. The Impacket module lets you parse network packets, this is very useful for example when developing a sniffer. The Pcapy module interfaces with WinPcap to do the actual packet capture.

From the CORE Security webpage:

What is Impacket?

Impacket is a collection of Python classes focused on providing access to network packets. Impacket allows Python developers to craft and decode network packets in simple and consistent manner. It includes support for low-level protocols such as IP, UDP and TCP, as well as higher-level protocols such as NMB and SMB. Impacket is highly effective when used in conjunction with a packet capture utility or package such as Pcapy. Packets can be constructed from scratch, as well as parsed from raw data. Furthermore, the object oriented API makes it simple to work with deep protocol hierarchies.

What is Pcapy?

Pcapy is a Python extension module that interfaces with the libpcap packet capture library. Pcapy enables python scripts to capture packets on the network. Pcapy is highly effective when used in conjunction with a packet-handling package such as Impacket, which is a collection of Python classes for constructing and dissecting network packets.

There is a problem though – Pcapy hasn’t been updated in quite a while, so there is no MSI installer for Python 2.6. I’ve built it myself and hosted in here in the blog, so you don’t have to. ๐Ÿ™‚ I’ve also built an EXE installer for Impacket, it’s not really needed since it’s a pure Python module, but why not?

So this is the list of files we’ll be needing:




Installation is now pretty much straight forward. After running all the installers, let’s try it out with this example script to dump all connection attempts by sniffing SYN packets:

    C:\Documents and Settings\Mario Vilas\Desktop>python
    Available network interfaces:
            1 - \Device\NPF_GenericDialupAdapter
            2 - \Device\NPF_{5BE055D9-461D-4F51-99DD-188224D1A6D0}
            3 - \Device\NPF_{9B7DC2FB-7660-4E68-B4EC-DB9682C76E40}
            4 - \Device\NPF_{166A618C-4230-42E7-93AD-298D1145F5BC}
            5 - \Device\NPF_{BE987C8D-D523-49B8-8B95-DDDBAA46EB3F}

    Choose an interface [0 to quit]: 2
    Listening on: \Device\NPF_{5BE055D9-461D-4F51-99DD-188224D1A6D0}
    Connection attempt ->
    Connection attempt ->
    Connection attempt ->
    Connection attempt ->
    Connection attempt ->
    Connection attempt ->
    Connection attempt ->
    Connection attempt ->
    Connection attempt ->
    Connection attempt ->

Below is the source code to the script. Enjoy! ๐Ÿ™‚


  • A newer version of Impacket is hosted at Google Code, so I built a new installer. The previous version of the installer, based on the version of Impacket found in the Core Security webpage, is still available here: Impacket-
  • Ge0 has built Pcapy for Python 2.7 using MingW to avoid having a depencency against the Visual Studio runtimes. You can download it from here: pcapy.pyd


Source code


February 17, 2010

One-time pad encryption in Python

Filed under: Cryptography — Tags: , , , , , , — Mario Vilas @ 4:58 am

After some crypto sillyness with @feliam, @julianor and @ortegaalfredo on Twitter I cooked up a one-time pad crypto implementation in Python. This speaks volumes, not of my talent as a cryptographer (which is none at all) but the sad state of my social life these days (which happens to be the same amount).

What is one-time pad encryption?

Feel free to skip this section if you already know the answer. Especially so you don’t have to suffer my layman’s explanations of cryptography. ๐Ÿ™‚

To put it simply, a one-time pad cipher is one in which the plaintext (i.e. the original message) is encoded using a completely new, random key each time it’s sent. When properly used (and I hope I have) this system is provably unbreakable. That means the ciphertext (that is, the encoded message) can never be decoded without the proper key – even if the encoding algorithm is very simple, like a bitwise XOR operation on each byte.

There are a few caveats: first of all, the key can never be reused. If you do, the system not only ceases to be unbreakable but it’s also as strong as the encoding algorithm you used. So if you chose XOR encoding and were tempted to use the key twice, you might as well have used a “magic ring” from a cereal box. ๐Ÿ˜‰

The second caveat: the key must be truly random. For this reason need a random generator that can guarantee a certain amount of entropy, for example /dev/random on many Unix systems, to get the one-time pads, instead of the random module, which is only a PRNG (pseudo-random generator). PRNGs can only produce a seemingly random stream of numbers, all derived from a single value (called the seed number) – so it’s “randomness” is just as good as the seed number from which all others are calculated. (This is a useful property in other contexts, like avoiding to have to store the contents of all malformed files produced by a fuzzer in order to reproduce the crashes, but I digress).

The third caveat: the key must never be transmitted over an insecure medium. Sounds pretty much like a no-brainer, I know, but it’s worth mentioning that public key crypto doesn’t suffer from this problem. (Now you know why GPG is so much better than this). Real-life uses of one-time pads include storing the keys in codebooks, which the recipient of the message would carry everywhere. Then the encrypted messages could be safely sent in the clear, say on some radio frequency by a numbers station, until the codebook was used up.

How does this code work?

If you weren’t among the lucky ones who skipped over my ramblings in the previous section you can easily guess by now: we’ll be using a bitwise XOR encoding of each byte of the plaintext against the corresponding byte of the one-time pad to produce the ciphertext. This is how we generate a one-time pad of any given size:

    $ ./ generate test.key -s 1024
    $ ls -l test.key
    -rw-r--r-- 1 user group 1024 2010-02-17 01:23 test.key

The alternative for the lazy is to pass the name of the file we want to encrypt. A one-time pad of the exact same size will be generated. We’ll use the -f flag this time to force overwriting the previous file.

    $ ./ generate test.key conscience.txt -f
    $ ls -l test.key conscience.txt
    -rw-r--r-- 1 user group 3880 2010-02-17 01:22 conscience.txt
    -rw-r--r-- 1 user group 3880 2010-02-17 01:24 test.key

And to satisfy all audiences, there’s also an option for the paranoid: the -p flag uses /dev/random for maximum security instead of the much faster /dev/urandom. It does take considerably longer to generate even small one-time pads, that’s why this option is disabled by default.

    $ ./ generate test.key conscience.txt -f -p
    $ ls -l test.key conscience.txt 
    -rw-r--r-- 1 user group 3880 2010-02-17 01:22 conscience.txt
    -rw-r--r-- 1 user group 3880 2010-02-17 01:38 test.key

Now that we have our one-time pad we can encrypt the message:

    $ ./ encrypt conscience.txt test.key conscience.crypto 
    $ ls -l conscience.*
    -rw-r--r-- 1 user group 3880 2010-02-17 01:38 conscience.crypto
    -rw-r--r-- 1 user group 3880 2010-02-17 01:22 conscience.txt

Both files are the same size but have different contents. Since it’s no longer ASCII trying to cat the file only renders a bunch of garbage in the terminal. Finally, this is how you decrypt it:

    $ ./ decrypt conscience.crypto test.key conscience2.txt
    $ ls -l conscience*
    -rw-r--r-- 1 user group 3880 2010-02-17 01:38 conscience2.txt
    -rw-r--r-- 1 user group 3880 2010-02-17 01:38 conscience.crypto
    -rw-r--r-- 1 user group 3880 2010-02-17 01:22 conscience.txt
    $ cmp conscience.txt conscience2.txt 

After decryption, conscience2.txt is identical to the original file and contains the familiar text of The Conscience of a Hacker.

As always, the code is available for download below. Enjoy! ๐Ÿ™‚


  • 24-Jul-2011: Small update to the command like parsing and the documentation.


Source code


« Newer PostsOlder Posts »

Blog at