Shifting yourself to space

August 12, 2011

Not dead yet

Filed under: Uncategorized — shift32 @ 2:36 pm

I’m not dead yet... I’m still sick. It seems that my body got infectious mononucleosis, sounds like AIDS eh? Well, I’ve been staying at home most of the time, doing nothing mainly.

However, I spent some time fiddling around with ARM assembly (I might tell the whole story once I’m better) and got to disassemble one tricky file. As a VIM addict, I got the disassembly with radare2 and saved it into a file:

           0x0001320c  entry0:
            0x0001320c    0    18c04fe2^[[0m         sub ip, pc, #24 ; 0x18
            0x00013210    0    060c9ce8^[[0m         ldm ip, {r1, r2, sl, fp}
            0x00013214    0    0ca08ae0^[[0m         add sl, sl, ip
            0x00013218    0    0cb08be0^[[0m         add fp, fp, ip
            0x0001321c    0    0200a0e1^[[0m         mov r0, r2
            0x00013220    0    01904ce0^[[0m         sub r9, ip, r1
            0x00013224    0    011a81e2^[[0m         add r1, r1, #4096 ; 0x1000
            0x00013228    0    013aa0e3^[[0m         mov r3, #4096 ; 0x1000
            0x0001322c    0    0f002de9^[[0m         push {r0, r1, r2, r3}
            0x00013230    0    0720a0e3^[[0m         mov r2, #7 ; 0x7
            0x00013234    0    3230a0e3^[[0m         mov r3, #50 ; 0x32
            0x00013238    0    0040e0e3^[[0m         mvn r4, #0 ; 0x0
            0x0001323c    0    c070a0e3^[[0m         mov r7, #192 ; 0xc0
            0x00013240    0    000000ef^[[0m         svc 0x00000000
                ; syscall[0x0][0]=?

I used radare since IDA unknowingly failed to disassemble it correctly. And now to the real thing: see these annoying ^[[0m characters? Well, I tried using vim’s :%s to replace them with a space, with a classical


but apparently it did not work well at all. I started thinking I should indeed add \ for the [ characters


but it did not work either.

I started getting a bit tipsy; maybe I’m doing something wrong with matching the correct patterns? I started walking through the string itself and found that the first ^[ is actually one single character, not two, which is quite stupid imho to miss something like that. So the actual pattern to look for would be


and the day was saved, once again (:
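As an added example (not part of the original post), this Python snippet shows why the naive search fails: the "^[" the terminal displays is a single ESC byte (0x1b), and matching that byte is what strips radare2’s colour codes so the listing can be parsed. The sample lines are constructed from the listing above.

```python
import re

# Constructed sample: three radare2 listing lines as they land in the saved
# text file, carrying the real ESC byte (0x1b) that a terminal shows as "^[".
SAMPLE = (
    "            0x0001320c    0    18c04fe2\x1b[0m         sub ip, pc, #24 ; 0x18\n"
    "            0x00013210    0    060c9ce8\x1b[0m         ldm ip, {r1, r2, sl, fp}\n"
    "            0x00013240    0    000000ef\x1b[0m         svc 0x00000000\n"
)

# What a search for the printable rendering looks for: the two characters
# '^' and '[' followed by "[0m". That text never occurs in the file.
NAIVE_PATTERN = re.compile(r"\^\[\[0m")

# The sequence is really ESC '[' <params> 'm' (an SGR colour code). Matching
# the ESC byte itself, with an optional parameter list, also catches the
# colour-setting codes such as ESC[1;31m, not only the reset ESC[0m.
ANSI_SGR = re.compile(r"\x1b\[[0-9;]*m")

# radare2 column layout seen in the post: address, size, opcode bytes, asm.
LINE = re.compile(r"^\s*(0x[0-9a-f]+)\s+\d+\s+([0-9a-f]+)\s+(.*?)\s*$")


def count_naive_matches(text: str) -> int:
    """How many times the two-character rendering matches: zero on real output."""
    return len(NAIVE_PATTERN.findall(text))


def strip_ansi(text: str) -> str:
    """Remove every SGR escape sequence from a captured listing."""
    return ANSI_SGR.sub("", text)


def parse_listing(text: str):
    """Strip escapes, then split each line into (address, opcode hex, asm)."""
    rows = []
    for line in strip_ansi(text).splitlines():
        m = LINE.match(line)
        if m:
            rows.append((int(m.group(1), 16), m.group(2), m.group(3)))
    return rows
```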

I hope to feel better within a few weeks and start sharing more of the research I’ve done previously.
April 28, 2011

Short tips: Debugging a vm with a named pipe

Filed under: Uncategorized — shift32 @ 12:59 pm

I recently started writing drivers for Windows; so far I’ve only written one and you can see the results down below. However, I tried loading the driver in a non-traditional way, using the undocumented ZwSetSystemInformation.

For some unknown reason the driver halts the system and I get an invalid instruction exception.
However, this is not the topic of this post.

In order to debug things correctly, I’m using a VirtualBox winxp-sp2 guest machine to run my code, and my host machine runs a windbg session.
VirtualBox’s support for COM ports sucks and I didn’t manage to configure a COM port for my debugging session, so I decided to use named pipes.

In order to do so, go to Settings -> Serial Ports ->
check “Enable serial port” and create a “Host Pipe”.

It is quite crucial that you name your pipe with the \\.\pipe\ prefix, since otherwise you’ll get an error while running the vm.

Once you’ve created the named pipe, run

kdsrv.exe -t npipe:pipe=\\.\pipe\<pipe_name> in your guest machine

Within the host machine go to File -> Kernel Debug ->
and choose “Port”. Within the COM box write your named pipe name, check “Pipe” and you’re done.
You can also check “Reconnect”; it saves a few things.

Once you load up the OS in debug mode (bcdedit etc.), be sure to hit ctrl+break to halt the system and get control.
It’s also worth using the symbol server that MS offers in order not to fuck symbols up (it’s quite a nightmare setting things up imho).
