Tuesday, December 30, 2008

Making the theoretical possible

I'm looking forward to seeing the "big" talk.



Watch it here.

Monday, December 29, 2008

Windows Media Player Integer Overflow.

Hi folks, today a Windows Media Player integer overflow exploit came out.
"Windows Media Player 11 for Windows XP offers great new ways to store and enjoy all your music, video, pictures, and recorded TV. Play it, view it, and sync it to a portable device for enjoying on the go or even share with devices around your home—all from one place."
The author (Laurent Gaffié) found that Windows Media Player fails to handle an exceptional condition when parsing a malformed WAV, SND or MID file, which can lead to a remote integer overflow.

The canonical WAVE file format is the following (offset and size in bytes; the four-character IDs are ASCII, every other field is a little-endian integer):

Offset  Size  Field           Description

The canonical WAVE format starts with the RIFF header:

0       4     ChunkID         Contains the letters "RIFF" in ASCII form (0x52494646 big-endian form).
4       4     ChunkSize       36 + SubChunk2Size, or more precisely: 4 + (8 + SubChunk1Size) + (8 + SubChunk2Size). This is the size of the rest of the chunk following this number, i.e. the size of the entire file in bytes minus 8 bytes for the two fields not included in this count: ChunkID and ChunkSize.
8       4     Format          Contains the letters "WAVE" (0x57415645 big-endian form).

The "WAVE" format consists of two subchunks: "fmt " and "data".
The "fmt " subchunk describes the sound data's format:

12      4     Subchunk1ID     Contains the letters "fmt " (0x666d7420 big-endian form).
16      4     Subchunk1Size   16 for PCM. This is the size of the rest of the subchunk which follows this number.
20      2     AudioFormat     PCM = 1 (i.e. linear quantization). Values other than 1 indicate some form of compression.
22      2     NumChannels     Mono = 1, Stereo = 2, etc.
24      4     SampleRate      8000, 44100, etc.
28      4     ByteRate        == SampleRate * NumChannels * BitsPerSample/8
32      2     BlockAlign      == NumChannels * BitsPerSample/8. The number of bytes for one sample including all channels.
34      2     BitsPerSample   8 bits = 8, 16 bits = 16, etc.
        2     ExtraParamSize  If PCM, then doesn't exist.
        X     ExtraParams     Space for extra parameters.

The "data" subchunk contains the size of the data and the actual sound (offsets below assume PCM, i.e. no extra parameters):

36      4     Subchunk2ID     Contains the letters "data" (0x64617461 big-endian form).
40      4     Subchunk2Size   == NumSamples * NumChannels * BitsPerSample/8. This is the number of bytes in the data. You can also think of this as the size of the rest of the subchunk following this number.
44      *     Data            The actual sound data.


The exploit builds the following file (shown as a hex dump):




Which makes no sense. Compare it with what a normal WAVE file looks like:


Every single byte of the "exploit made" WAVE file is malformed: no RIFF, no WAVE, no fmt, nothing. An integer overflow occurs while this malformed multimedia file is processed, which eventually allows a remote user to run arbitrary code on the victim's machine. A correct header should start with "52 49 46 46" ("RIFF"), should have the word "57 41 56 45" ("WAVE") at bytes 9 through 12, followed by "66 6d 74 20" ("fmt "). The following image should explain in a simple graphic way what I mean.


It is very strange to see Microsoft making mistakes like this. At the end of the day, with all respect to Laurent Gaffié's work, this bug is a well-known kind of integer overflow, probably due to a missing check on a loop counter in an "error check" path. Microsoft should be familiar with this class of problem.
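A defensive parser for the header described above, as an added example: this is not the exploit, nor code from the advisory or from Windows Media Player. It refuses a file that does not carry "RIFF", "WAVE" and "fmt " at the expected offsets, checks every size field against the real buffer length before using it, and recomputes the size products in 64 bits so they cannot wrap. The sample files are constructed here for illustration; none of their bytes come from the published exploit, and the function and field names are the example's own.

```c
/* Added example: defensive parsing of the canonical 44-byte PCM WAVE header.
 * Not code from Windows Media Player or from the advisory; the sample files
 * below are constructed for illustration and are not the published exploit. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WAV_HDR 44u

typedef struct {
    uint16_t channels, bits_per_sample, block_align;
    uint32_t sample_rate, byte_rate, data_size;
    const uint8_t *data;                 /* points into the caller's buffer */
} wav_info;

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Returns 0 on success, or a negative code naming the first check that failed.
 * Every size field in the file is attacker-controlled: each one is compared
 * with the real buffer length, and products are recomputed in 64 bits. */
int parse_wav(const uint8_t *buf, size_t len, wav_info *w) {
    if (len < WAV_HDR)                        return -1;  /* too short for a header */
    if (memcmp(buf,      "RIFF", 4) != 0)     return -2;  /* bytes 1-4   */
    if (memcmp(buf + 8,  "WAVE", 4) != 0)     return -3;  /* bytes 9-12  */
    if (memcmp(buf + 12, "fmt ", 4) != 0)     return -4;  /* bytes 13-16 */
    if (le32(buf + 4) != len - 8)             return -5;  /* ChunkSize must match the file */
    if (le32(buf + 16) != 16)                 return -6;  /* Subchunk1Size is 16 for PCM */
    if (le16(buf + 20) != 1)                  return -7;  /* AudioFormat: PCM only */
    w->channels        = le16(buf + 22);
    w->sample_rate     = le32(buf + 24);
    w->byte_rate       = le32(buf + 28);
    w->block_align     = le16(buf + 32);
    w->bits_per_sample = le16(buf + 34);
    if (w->channels == 0 || w->bits_per_sample == 0 || w->bits_per_sample % 8) return -8;
    uint64_t frame = (uint64_t)w->channels * (w->bits_per_sample / 8);
    uint64_t rate  = frame * w->sample_rate;
    if (frame != w->block_align)              return -9;  /* BlockAlign lies */
    if (rate > UINT32_MAX || rate != w->byte_rate) return -10; /* ByteRate lies or would wrap */
    if (memcmp(buf + 36, "data", 4) != 0)     return -11;
    w->data_size = le32(buf + 40);
    /* The classic path to memory corruption: trusting Subchunk2Size and
     * reading or copying that many bytes out of a much shorter file. */
    if (w->data_size > len - WAV_HDR)         return -12;
    if (w->data_size % frame != 0)            return -13; /* partial frame */
    w->data = buf + WAV_HDR;
    return 0;
}

/* The table's own formula, NumSamples * NumChannels * BitsPerSample/8, done in
 * 32 bits: it wraps silently, so a huge sample count yields a tiny allocation
 * that is then filled with far more data than it can hold. */
uint32_t naive_pcm_bytes(uint32_t num_samples, uint16_t channels, uint16_t bits) {
    return num_samples * channels * (bits / 8);
}
/* Same formula widened to 64 bits and bounded; returns 0 (rejected) if the
 * result would not fit in the 32-bit size field the format uses. */
int safe_pcm_bytes(uint32_t num_samples, uint16_t channels, uint16_t bits, uint32_t *out) {
    uint64_t v = (uint64_t)num_samples * channels * (bits / 8);
    if (v > UINT32_MAX) return 0;
    *out = (uint32_t)v;
    return 1;
}

/* Constructed sample: 8 kHz, mono, 8-bit PCM, four samples (48 bytes total). */
static const uint8_t good_wav[48] = {
    'R','I','F','F',  40,0,0,0,       'W','A','V','E',
    'f','m','t',' ',  16,0,0,0,       1,0,  1,0,
    0x40,0x1f,0,0,    0x40,0x1f,0,0,  1,0,  8,0,
    'd','a','t','a',  4,0,0,0,        0x80,0x80,0x80,0x80
};

/* 1 if the well-formed file parses and reports four data bytes. */
int demo_valid(void) {
    wav_info w;
    return parse_wav(good_wav, sizeof good_wav, &w) == 0 && w.data_size == 4;
}
/* Constructed junk in the spirit of the exploit's dump (no RIFF, no WAVE): fails the first check. */
int demo_junk(void) {
    uint8_t junk[48]; wav_info w;
    memset(junk, 0x41, sizeof junk);
    return parse_wav(junk, sizeof junk, &w);
}
/* Well-formed header whose Subchunk2Size claims 4 GiB of data: rejected against the real length. */
int demo_oversized(void) {
    uint8_t evil[48]; wav_info w;
    memcpy(evil, good_wav, sizeof evil);
    memset(evil + 40, 0xff, 4);
    return parse_wav(evil, sizeof evil, &w);
}
/* 1 if the 64-bit version refuses the sample count that wraps the naive one to 4. */
int demo_overflow_caught(void) { uint32_t n; return !safe_pcm_bytes(0x40000001u, 2, 16, &n); }

int main(void) {
    printf("valid file: %d, junk: %d, oversized data chunk: %d\n",
           demo_valid(), demo_junk(), demo_oversized());
    printf("naive size for 0x40000001 stereo 16-bit samples: %u bytes, safe check refused: %d\n",
           naive_pcm_bytes(0x40000001u, 2, 16), demo_overflow_caught());
    return 0;
}
```

The two size functions show the bug class in isolation: 0x40000001 stereo 16-bit samples is just over 4 GiB of PCM, but the 32-bit product comes out as 4, so a parser that allocates from the naive result and then copies the declared amount writes far past the end of its buffer. The 64-bit version simply refuses the input.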

Sunday, December 28, 2008

Dolphin-EMU for MAC

Dolphin is a great Wii emulator but it runs only on Windows machines. So if you have a Mac you need to emulate Windows. As you might guess it's pretty hard to play a game emulated twice. For this reason I decided to download the sources and compile them on a Mac (Intel). Apparently it seems to work:





Even with the right masterkey.bin, if you try to run a good .iso a lot of errors come out. Moreover there is no way to change the plugin configuration to improve (or even get working) the video output.



Dolphin still doesn't run on a Mac. I will work on it during my next free days.

Saturday, December 27, 2008

Introduction to Emulators

Hi folks, during these days I've been working on some emulator stuff.
There are many places where you can find lots of information about emulators, but most of them are just fake web sites that want to steal your money. The first site that I suggest is EMU-ZONE, where you might find some useful notes on all types of emulators. Another great place to look, if you're looking for an emulator which runs on Mac OS X, is victoly. Here you find everything you need to emulate every platform on your own Mac.
There are emulators for each console, and using a simple torrent client you'll have no problem downloading the ROMs to play with, BUT there is still a mystery around Wii emulators.



On one hand there are plenty of Wii fakes around the net, like for example the following one:



On the other hand there are also lots of sites that write about new Wii emulators, like for example: WIIEMU, Nintendo WII Emulator, EMUWII, The Vintage Gaming Network
and WIISO. If there are so many people working on it and talking about it, at the end of the day is there someone who can emulate the Wii on a PC? Unfortunately each of these sites says nothing really useful about emulating the Nintendo Wii. So here is what I've seen: surf to WIISO.com to download the ISO torrent of the "ripped" games (a Wii game is more than 4 GB, so this process will be pretty slow) and use Dolphin to emulate the Wii console. Dolphin works only on Windows and it still has some big incompatibility problems with "drivers", ".NET" and so forth... But if you're lucky and if the forum folks want to help you, you'll get a great Wii console on your laptop.

Monday, December 22, 2008

iPhone 3G Unlocked !

Finally, the Dev-Team guys hacked the iPhone 3G baseband!
We have waited far too long, but while we were looking at new iPhone applications someone was working hard to break into the baseband.






This is amazing ... ... Thank you guys !

Friday, December 19, 2008

ClickJacking ?

I really don't like the numerous names that people like to invent.
Is this "ClickJacking"?



Well, in my opinion it's simple code injection. I think the more names you give to the same concept, the more confusion you create around that concept.

Thursday, December 18, 2008

Stanford On iPhone

Often university courses focus on theory and most of the time they don't show practical things, blaming a lack of time. Stanford University understood that practice is as important as theory and came out with an iPhone developer class.
I think this is a great idea: the iPhone is one of the most important devices of these years, maybe of this decade, most companies know the iPhone and most companies are looking for a good developer. Offering the chance to learn useful practical skills in a university class seems to be a really smart idea.
Here is the class link. Here are the slides and all the utilities. Don't forget to visit the student applications.

Tuesday, December 9, 2008

How iPhone's Touch Screen Works

Sometimes, usually when I find the time, I like to look inside components and parts just to understand how something works.
Today I found this great article on how the iPhone touch screen works.





The iPhone's screen detects touch through one of two methods: mutual capacitance or self capacitance. In mutual capacitance, the capacitive circuitry requires two distinct layers of material. One houses driving lines, which carry current, and the other houses sensing lines, which detect the current at nodes. Self capacitance uses one layer of individual electrodes connected with capacitance-sensing circuitry.

Both of these possible setups send touch data as electrical impulses.






Here's what happens:

1. Signals travel from the touch screen to the processor as electrical impulses.
2. The processor uses software to analyze the data and determine the features of each touch. This includes size, shape and location of the affected area on the screen. If necessary, the processor arranges touches with similar features into groups. If you move your finger, the processor calculates the difference between the starting point and ending point of your touch.
3. The processor uses its gesture-interpretation software to determine which gesture you made. It combines your physical movement with information about which application you were using and what the application was doing when you touched the screen.
4. The processor relays your instructions to the program in use. If necessary, it also sends commands to the iPhone's screen and other hardware. If the raw data doesn't match any applicable gestures or commands, the iPhone disregards it as an extraneous touch.

All these steps happen in an instant: you see changes on the screen based on your input almost instantly. This process allows you to access and use all of the iPhone's applications with your fingers.

Friday, December 5, 2008

Apple suggestion: get an AV !

Yup, Apple also suggests a good antivirus :(. Is it the end of a myth?
I don't know, but if you want to be safe I suggest ClamXav, the front end of ClamAV.





ClamXav is a free virus checker for Mac OS X. It uses the tried, tested and very popular ClamAV open source antivirus engine as a back end.

Back in the days before OS X, the number of viruses which attacked Macintosh users totalled somewhere between about 60 and 80. Today, the number of viruses actively attacking OS X users is...NONE! However, this doesn't mean we should get complacent about checking incoming email attachments or web downloads, for two reasons. Firstly, there's no guarantee that we Mac users will continue to enjoy the status quo, but more importantly, the majority of the computing world use machines running MS Windows, for which an enormous quantity of viruses exist, so we must be vigilant in checking the files we pass on to our friends and colleagues etc. For example, if you're a wise person and you've turned MS Office's macro support off then you're not going to notice that virus which is hiding inside this month's edition of Extreme Ironing.doc which your friend sent you. If you then forward that document to a less wise person who has not turned off the macro support, then you have most likely just sent him a shiny new Pandora's Box with a sign saying "Open this end"!

Flippancy aside, I'm sure you get the idea: check the file before opening and/or sending it on to someone else. This gives you the opportunity to avoid the file altogether or at least copy and paste any vital information into a new document and send that instead.

Don't forget, if you run VirtualPC you can still become infected and lose valuable data on your Mac even though technically you're running Windows inside a sandbox. VPC will run any application you tell it to, virus or no virus, it doesn't know the difference. You can protect yourself slightly by not using VPC's "shared folders", but that's a useful feature which you shouldn't have to be without.





********** UPDATE ***********


It seems that Apple is a little bit confused: read this article: Apple deletes Mac Antivirus Suggestion!


*******************************

Monday, December 1, 2008