Common sense violated! Correcting...

ConceptNet (http://web.media.mit.edu/%7Ehugo/conceptnet/) is a common sense reasoning framework/database from the MIT Media Lab. From their website: "ConceptNet is a freely available commonsense knowledgebase and natural-language-processing toolkit which supports many practical textual-reasoning tasks over real-world documents right out-of-the-box". For a detailed explanation of the type of reasoning it supports and how it works, check out either of the papers found on its home page (http://web.media.mit.edu/%7Ehugo/conceptnet/). Right now though, I'm going to run through some ways you could use it and hopefully you'll be able to think of many more.

BackTrack 101 / OSCP

Now that I am an OSCP (Offensive Security Certified Professional) and have a few minutes to spare, I decided to share my thoughts on the BackTrack 101 course which I took to get OSCP.

I'll be brief. BackTrack 101 is just as it implies in the name -- an entry level course. Sounds boring already? It isn't. Although it covers basic level concepts, it is rather in-depth, comprehensive, very much hands-on and, in the end, practical. From information gathering, to fuzzing and exploit development, to SQL injections. Like I said, nothing really advanced, but it gives an excellent foundation. That's what the course is really all about -- giving a solid foundation and letting the students build on that. I think that really shows with the OSCP challenge, which I won't say anything more about.

I'm glad I took the course and the challenge.

Help needed

To cut straight to the point, the development version of VoIPER is essentially at a stage where it is ready for testing against SIP servers. While I can test open source servers and what not myself, I would also like to test proprietary SIP compliant devices, as I've had reports the current version has killed a number of hardphones and proprietary softphones. Anyone with access to Cisco, Avaya, Nortel etc. hardware or proprietary software who would like to help out can contact me at nnp [at symbol] unprotectedhex.com. I'm interested in testing pretty much anything, so phones, gateways, proxies etc. are all fair game.

VoIPER v0.05

I've uploaded the latest version of VoIPER to SourceForge. Check out the site (http://voiper.sourceforge.net) for the release notes and change log. There aren't that many updates in this release as I've put most of the development effort into the dev branch. I've uploaded the work I've done on that to the SourceForge SVN repository, but I wouldn't recommend using it for the moment, as it is thoroughly untested and hilariously full of new stuff. Yes, that's right....stuff! More stuff than you can shake a strcpy() flavoured stick at in fact! I've also started using the wiki (http://voiper.wiki.sourceforge.net) on SourceForge to store tutorials and development info related to VoIPER. I might move that to Unprotectedhex.com though, as 50% of the page display on SourceForge appears to be taken up with menus and advertisements.

Bug in single stepping over a popf setting the trap flag

The title of the post nearly sums it up. In win32, when single stepping over a popf that sets the trap flag, the trap flag is reported as clear when examined using GetThreadContext.
I also tried installing OllyDbg for the first time today, and Olly has no problem in detecting the trap flag as set. [...]

Single stepping through NtContinue, faking pushf, and trapping int1

In my bid to emulate win32 seh (in my emulator), I needed (to test my emulator) to single step through exception handling.  My first approach was to just single step through the program by setting the trap flag in the eflags register.  I had some problems with this.
One of the problems is single stepping through [...]

"We can't stop here, this is bat country!"

My talk on testing VoIP devices has been accepted for DEFCON, so it looks like I'll be on my way to Vegas in August. The title of the talk is "VoIPER: Smashing the VoIP stack while you sleep" and the abstract can be found here (http://defcon.org/html/defcon-16/dc-16-speakers.html#NNP). Should be fun! I've a number of updates planned for VoIPER between now and then, including the entirely rewritten protocol/transaction modules, a number of new SIP fuzzers and hopefully IAX/H.323 support. The next release will be v0.05 in a few days, which has a couple of bug fixes and one or two other changes.

Fast string operations, Was x86 CPU bug in rep movsb

UPDATE: This isn't a bug after all. Aspect provided documentation of what is actually occurring.
It's been a feature since Pentium Pro processors to do 'fast string' or block operations. A block operation (e.g., movsb) of 64 bytes is performed if ecx >= 64, if edi is aligned to an 8 byte boundary, and if esi and edi are not [...]

cpu bug, repne changes status flag in scasb

Another CPU bug uncovered while testing my emulator. I came across a repne scasb while emulating the win32 version of upx. The logic of scasb (scan string), to paraphrase the Intel manuals, is:

SRC = dereference(edi)
temp = al - SRC
SetStatusFlags(temp)
update_edi

In the code I ran across, %al was set to 0, the byte at (%edi) was 70 [...]
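To make the scasb semantics above concrete for anyone writing an emulator, here is an added example (not code from the post's emulator) that models scasb and the repne prefix in C: the six status flags are set exactly as an 8-bit subtraction al - SRC would set them, edi steps according to DF, and the repeat loop decrements ecx after each comparison and stops on ZF == 1. The cpu_t register file and the scan_for helper are assumptions for the example, and the edge case that trips emulators is spelled out: with ecx == 0 on entry no comparison runs and the flags are left untouched.

```c
#include <stdbool.h>
#include <stdint.h>

/* Minimal register file for the 32-bit string instructions (constructed). */
typedef struct {
    uint32_t eax, ecx, edi;
    bool cf, pf, af, zf, sf, df, of;
} cpu_t;

static bool even_parity(uint8_t v) {
    v ^= v >> 4; v ^= v >> 2; v ^= v >> 1;
    return (v & 1) == 0;
}

/* Status flags exactly as an 8-bit SUB a - b sets them; the result is discarded. */
static void set_flags_sub8(cpu_t *c, uint8_t a, uint8_t b) {
    uint8_t r = (uint8_t)(a - b);
    c->cf = a < b;                               /* borrow out of bit 7 */
    c->zf = (r == 0);
    c->sf = (r & 0x80) != 0;
    c->of = ((a ^ b) & (a ^ r) & 0x80) != 0;     /* signed overflow */
    c->af = ((a ^ b ^ r) & 0x10) != 0;           /* borrow out of bit 3 */
    c->pf = even_parity(r);                      /* PF = even parity of low byte */
}

/* One SCASB: flags from AL - [EDI], then EDI +/- 1 according to DF. */
static void scasb(cpu_t *c, const uint8_t *mem) {
    uint8_t src = mem[c->edi];
    set_flags_sub8(c, (uint8_t)c->eax, src);
    c->edi += c->df ? (uint32_t)-1 : 1u;
}

/* REPNE SCASB: run while ECX != 0; ECX is decremented after each comparison
 * and the loop stops once ZF == 1. The flags always reflect the last comparison
 * performed. With ECX == 0 on entry nothing executes and the flags are left
 * exactly as they were, which an emulator must reproduce. */
static void repne_scasb(cpu_t *c, const uint8_t *mem) {
    while (c->ecx != 0) {
        scasb(c, mem);
        c->ecx--;
        if (c->zf) break;
    }
}

/* Helper (assumed): emulate `repne scasb` over mem with AL = al, EDI = 0, DF = 0. */
static cpu_t scan_for(const uint8_t *mem, uint8_t al, uint32_t ecx) {
    cpu_t c = { .eax = al, .ecx = ecx, .edi = 0 };
    repne_scasb(&c, mem);
    return c;
}
```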

gdb leaves file descriptors open in debugee

I have my emulator running reasonably successfully on upx now. It's actually an auto unpacker, and identifies when the program is unpacked by monitoring execution on previously written memory. In the process of emulating file I/O I came across a particular bug in gdb.
The file descriptor returned from an open call inside the debuggee was [...]
