Strange Cellphone Behavior

Hey all,

I know this blog post is a bit weird, but I reckon I'd share this: For some reason that is quite unknown to me, my cellphones have a habit of developing strange behaviors. I used to use a Nokia N73, which developed the following habit:

When in foreign time zones (Japan, Norway, USA) the phone would send more-or-less random old text messages to more-or-less random people from my address book. There would be a merry mix & match between the two, leading to more than one amusing misunderstanding that needed clearing up.

Then, at some point last fall, I switched to the silly shiny Apple telephony device (perhaps people do better QA on their backdoors on that platform). For a few months, the problems went away.
This changed last week -- now, when I send text messages to certain numbers, the phone seems to send a more-or-less random old text messages that has already been sent to the same number along with the message. This is a bit nicer (as it will not mix & match), but still annoying.

So .. uhm ... I am trying to come up with plausible explanations for this behavior. Can anyone offer one ? My total-guess-in-the-dark ideas would be:

1. Current behavior is caused by international text message routing weirdness -- e.g. text messages I sent a few days ago in the US get duplicated for some reason and re-sent
2. Both current and N73 behavior is triggered by shoddy QA on lawful intercept systems
3. Both current and N73 behavior is triggered by shoddy QA on the side of the parties that backdoor my phones

Now, I don't know if anyone else has ever suffered from this, or if there is a perfectly valid and proper explanation, or if there is an easy way to do diagnostics, but:

1. If you backdoor my phone, fix your software. Kthx.
   
2. If you write LI software, fix your software. Kthx.
   
3. If there are multiple people backdooring my phone, please test for interoperability between your tools.
   

So, any other theories on what might be going on ?

Reverse Engineering / Bug hunting trainings in Amsterdam

Hey all,

I haven't given a reverse engineering trainings class in Amsterdam for a few years, but this year is different :-) -- I will be at BH Amsterdam, and there are still seats open in the trainings class for April 14th and 15th.

What will be done in the course ? Well, for one thing, we'll go bug-hunting in some interesting piece of code. Furthermore, we'll talk quite a bit about C++ and it's effects in the binary. We'll do a fair bit of differential debugging, some more bug-hunting, and a lot of IDA automation. Questions like

• given a C++ executable, how do I recover an inheritance diagram of the classes ?
• given a big and ugly executable, how do I find the interesting places to focus on ?
• how do I make sure IDAPython and NaviPython make my life easier ?

will be treated thoroughly.

So, if you still have some trainings/travel budget left in spite of the crisis, you can find more
details here.

Diffing x86 vs ARM code

I posted a while ago about the new DiffDeluxe comparison engine, and that we'd release it in Q1 2009. Well, we're almost there, the engine is now in beta. If you are a BinDiff user and wish to give the new engine a try, send mail to info@zynamics.com :-)

I mentioned in my last post on the topic that DiffDeluxe was designed to facilitate symbol porting, and to allow comparisons between executables that are "far away" from each other.

In the last post I wrote about Mozilla JS engine vs. Acrobat EScript.dll. Today I am going to try something slightly crazier: In order to evaluate how well these matching algorithms work, we will be diffing an executable that was compiled for ARM against a very similar executable compiled for x86.

My coworker Vincenzo is a big fan of all things OSX, and he brought up the idea of comparing x86 and ARM versions of the OSX dynamic loader -- namely the disassembly of dyld on the iphone against the disassembly of dyld on OSX.

Now, the first voices are going to yell: "You have names for all functions, BinDiffing is easy then!". Well, true, but we will run DiffDeluxe without taking the names into account, and then just using the names to validate the results.

The two executables have 704 (x86) and 618 (ARM) functions respectively. Without name
matching, we match 345 functions. Inspecting the symbols, we see that we have matched
160 of these functions in full accordance with the symbols. Let's have a look at some of the details:

Cute, eh ? Let's look at some more...

It is almost surprising how far one can get without actually looking at the instruction semantics.

If we take the names into account, matching functions becomes easy, but matching basic blocks properly ends up the difficulty. With name matching enabled, DiffDeluxe matches 3809 basic blocks, out of 7904 respective 5196.

So to summarize: The structural comparison is sufficiently strong to yield some useful results even accross two different CPUs. While there is still (a good amount) of room for improvement, I am quite happy with these results so far :-)

So, if you want to beta, and you already use BinDiff, drop us a line !

Washington DC, Trainings, Demos :-)

Hey all,

I will be in Washington DC from the 16th to the 20th of February. Amongst other things, I will be teaching a course at Blackhat DC. The economic crisis is clearly hitting -- e.g. there are still seats available. We will also get around to using some of the nice features of BinNavi v2 in class, which I am looking forwards to.

Now, aside from the course: If you are in the DC area and interested in a product demo for BinDiff (and the upcoming DiffDeluxe), BinNavi v2 (including REIL), or the latest VxClass (now available as service and virtual appliance), do not hesitate to drop a line to info@zynamics.com :-)

Correction: Clam *does* have some unpacking support

Correction of my last post: It appears that Clam has *some* unpacking support. It is not as comprehensive as some of us would like, but progress is being made :-)

ClamAV and unpackers

Hey all,

this might be a rather odd question, but given the (unfortunate) fact that ClamAV can't unpack
even the simplest packers, has nobody ever contemplated writing packer-specific unpackers
for ClamAV ?

Cheers,
Halvar

TAOSSA blog post I didn't see but will comment on :-)

http://taossa.com/index.php/2008/10/13/bugs-vs-flaws/#more-83

I didn't see this post beforehand, and I would like to comment on it (mainly because commenting on his blog post might be the easiest way of getting into a conversation with Mr. McDonald these days ;), but I don't have time right now. Will fix this later this week hopefully.

Sometimes, diffing can remove obfuscation (albeit rarely)

Hey all,

apologies for the sensationalist title, but I found another amusing example today where the same function was present in two different executables -- in two differently obfuscated forms. Amusingly, DiffDeluxe identified the "common components" between these two functions, effectively removing a lot of the obfuscation.


While this is clearly not a typical case, it nonetheless made me smile.

Merry Christmas everyone !