I am new to exploit development, and I am wondering how I could go about fuzzing a local application (e.g. Windows Media Player) using software if I did not have access to the source code. I have basic-intermediate knowledge of buffer overflow vulnerabilities, how they work, how to find them and how to write exploits for them. I just need the 2nd step - finding them in the first place...
Thanks!
Fuzzing is a useful tool but not necessarily easy. I'd suggest starting with listening to some talks online on fuzzing or doing some reading. The big picture is that you want to find a way to generate random/mutated input and then script your application to run with this random input. So for Windows Media Player, you might start by:
Figuring out how to run WMP in an automated/scripted way.
Looking for tools to generate fuzzed file input.
Related
I want to know if i can extract data from .dat file imitating the way I do it inside the software.
Commonly, I load the .dat file in the software through "Load Data" option, then is on my interest obtaining 2 files, generated through "Params to ASCII" and "Data to ASCII" options inside the software. Like you see, I obtain 2 ascii files, which are easily read with a text editor.
The concern is that I do it all manually, and there are lot of .dat files, so I spend lot of ass-hours doing just clicks.
So, I want to know if there is some way to automatize those operations, anyway serve. I am thinking, through my limited knowledge, in scripts that imitate what I do manually (don't know how to do it), or something more complex, which involves reverse-engineering (also don't know how to do it or if it's possible). Or maybe using powershell...
Maybe you guys could help me, surely you have more brillaint minds!
Kind regards!
There are at least four options that I can think of. Sadly, .dat is not a well-defined file format like .pdf, but a general extension used for all kinds of data files. Do you know the name of the software you open the files? That would help to find a solution. Anyway, some general ideas; to recommend any or be more practical requires to know the software.
Use application vendor's API or libraries to read the file. Vendors often provide .Net library for reading the file from disk or via API call. This would be the clean and supported way. For example, to read dBase database files, there's a library at Github.
Read the file as raw binary (as explained in the article linked by Abraham Zinala). I'd rather not try this first, as it requires some reverse engineering and might provide unexpected errors.
Use UI automation. That is, create a script that uses SendKeys to simulate pressing keyboard keys. There are tools such as AutoIT that make this easier. This is kind of last resort, as it is error prone and cumbersome. If the software supports macros or has internal automation capability, try that before 3rd party tools.
The system sending you .dat files offers the data in some other easy to process format. Whilst this is the easiest solution for you, the other party might not agree.
I alongwith some friends of mine was having this idea of creating a very basic media player,Say it only plays mp3s(very limited GUI showing the controls of the player).The Tricky part is we wish to do it without any OS.i.e It will be loaded directly from the boot loader and we will read the file off from a pen drive.Is this a feasible project idea.Its a hobby project so there is no time limit as of now. Can someone guide me as to how to proceed?
If you want to do this from scratch, all I can say is good luck. Yu'd have to write file system drivers, sound drivers, display drivers, keyboard drivers, mouse drivers, USB drivers, etc. it would be a massive amount of work.
Instead, if you still want to write things like the mp3 codec yourself, you can, but do it on top of an existing Os. You could go with DOS if you wanted, and have at least something built in to work off of. If I were doing this, I'd be going with embedded Linux + x11. But it's your choice.
I am pretty dissatisfied with all the available media players, and I was also looking for a major project to really get into programming. so I am thinking of writing my own media player . Or to be more accurate a gui-frontend for mplayer (something similar to smplayer). How hard would this be.? I have plenty of time (months), and am willing to learn anything.
I practically don't have any knowledge of any windows/gui libraries . My programming experience : tried lots of different languages, wrote a couple of websites in php, lots of practice in java (although did nothing major) . Thats all
Can someone provide some guidance, about where to get started. what all to read. Which language should be used. is C#/.net a good language for this? since I am no expert in any language and have dabbled in plenty of different languages , I think I can pick up any language. Though My main concern is my lack of any practical knowledge . So guide me please.
Lastly my preference is windows (haha whatever), so thats what my target is and thats where I'll doing my coding.
To sum it up I want to create a guifrontend for mplayer that would work in windows.
Thanks
Edit: by mplayer I mean mplayer (the linux one) , and not WIndows media player.
One good place to start could be looking at how the code for gmplayer works - gmplayer is the graphic frontend for mplayer on Linux. It could be that all you really need to do is port the gmplayer code to Windows, then you get a fully integrated GUI instead of just a frontend.
Also, feature request: a nice friendly UI for putting video / audio effects on the output stream (it is so hard to use in the CLI version that most mplayer users probably don't even know it is in there).
I know what I'm going to recommend you is not what you're looking for, BUT:
I'd create a front-end for VLC, which uses Qt, a GUI framework which is extremely usable and easy to start with, in C++.
From my experience as an user, VLC is also more stable and has more features.
Start by copying a working implementation. As you mentioned, SMPlayer exists as a working example of what you want. I'd recommend starting by either hacking it to work better (the playlist really needs more intuitive controls, and multiple monitor support in Windows was nonexistent last time I tried it) or trying to duplicate it in your language of choice.
The benefits of hacking on an existing probject include: the existing codebase works, the margin of work required to make a noticeable change is much smaller, and the existing developers are able to help you come to speed with internals. Also, learning the project's language (C++) would be useful, though it may not be worth the effort if it's more interesting to copy its features in your favorite language.
C# is great for creating any desktop gui quickly. Best way to start with the gui design is to play a bit with the drag/drop components available in visual studio. For the functionality you can use this: http://msdn.microsoft.com/en-us/library/dd564585%28VS.85%29.aspx .
I don't just mean publish, but pretty much everything between when the pure coding is finished and the first version is released. For example, how do games make it so that their save files are hidden/unhackable, how do they include their resources within the game as opposed to having a resource file containing all of the sprites, etc., how do they make it so that there are special file extensions like .rect and .screen_mode, and so on and so forth.
So does anyone know any good books, articles, websites, etc. that explain the process between completing the pure code for a game and the release of it?
I don't think developers make much of an effort to ensure saves are hidden or unhackable. PC games usually just save out to a folder, one file per save, and any obfuscation is likely the result of using a binary file format (which requires some level of effort to reverse-engineer) or plaintext values that aren't very meaningful out of context, but not deliberate attempts to circumvent hacking. There are probably a ton of PC games that have shipped with very easily hackable text or XML save files, but I've never been a save hacker so I don't have any specific examples. On consoles the save files are going to a memory card or the console's hard drive, which makes them inherently inconvenient to access, but beyond that I don't think console developers make much of an effort to encrypt or otherwise obfuscate save data. That energy would more likely be directed towards securing the game against cheating if it's on online game or just making other systems work better.
Special file extensions come from just using your own extensions and/or defining your own file formats. You can use any extension for any file, so there are tons of "special" file formats that are just text files with a different extension, I've done this plenty of times myself. In other cases, if they have defined their own binary file format, that means they also have their own file parsers to process those files at runtime.
I don't know what platforms you have in mind, but for PC and console games, resources are not embedded in the executable. You will generally see a separate executable and then various archives and configuration files. Depending on the game, it may be a single resource pack, or perhaps a handful of packs for related resources like graphics, sound, level data, etc. As a general observation console games are more aggressively archived (to minimize file operations on slow optical media, and perhaps to overcome limitations of the native file systems on more primitive platforms). Some PC games have very loose assets, with even script files hanging out in the open.
If you develop for Windows or XBox 360, Microsoft might offer some help here. Check out their Game Development tools for Visual Studio C++ Express Edition.
If you are looking for books the Game Development Essentials series should answer your questions.
For circumventing saved file modifications, you can implement a simple encryption algorithm and use it to encrypt saved files, and then decrypt them when loading. File extensions are simply a matter of choice.
To use special file extensions in your game, just do the following:
Create some files in a format of your choice that have that extension, and then
write some code that knows how to read that format, and point it at those files.
File extensions are conventions, nothing more; there's nothing magic about them.
ETA: As for embedding resources, there are a few different ways to approach that problem. One common technique is to keep all your resources bundled together in a small number of files - maybe only one (Guild Wars takes that approach).
At the other extreme, you can leave your resources spread across many files in a directory tree, maybe in a custom format that requires special tools to modify, and maybe not. Civilization 4 does things this way, as do all the Turbine games I'm familiar with. This is a matter of taste, and not very important either way.
I think a better solution is two break your images in tiles of some known size and then join them back to back in some random order in a new file. This random order is only known to you and hence only you know how to jumble the tiles to get the original image back.
The approach would be to maintain a single dimensional array and maintains the position of tiles in it. Know use the crop functions of MIDP to extract each tile and render each tile back to the console.
If you need, I can post the code for you.
I would suggest to check the presentation from the developers of World of Goo (great game):
http://2dboy.com/public/eyawtkagibwata.pdf.
Our company is currently writing a GUI automation testing tool for compact framework applications. We have initially searched many tools but none of them was right for us.
By using the tool you can record test-cases and group them together to test-suites. For every test-suite there is generated an application, which launches the application-under-test and simulates user-input.
In general the tool works fine, but as we are using window handles for simulation user input, you can't do very many things. For example it is impossible for us to get the name of a control (we just get the caption).
Another problem using window handles is checking for a change. At the moment we simulate a click on a control and depending on the result we know if the application has gone to the next step.
Is there any other (simpler) way for doing such things (for example the message queue or anything else)?
Interesting problem! I've not done any low-level (think Win32) Windows programming in a while, but here's what I would do.
Use a named pipe and have your application listen to it. Using this named pipe as a communication medium, implement a real simple protocol whereby you can query the application for the name of a control given its HWND, or other things you find useful. Make sure the protocol is rich enough so that there is sufficient information exchanged between your application and the test framework. Make sure that the test framework does not yield too much "special behavior" from the app, because then you wouldn't really be testing the features, but rather your test framework.
There's probably way more elegant and cooler ways to implement this, but this is what I remember from the top of my head, using only simple Win32 API calls.
Another approach, which we have implemented for our product at work, is to record user events, such as mouse clicks and key events in an event script. This should be rich enough so that you can have the application play it back, artificially injecting those events into the message queue, and have it behave the same way it did when you first recorded the script. You basically simulate the user when you play back the script.
In addition to that, you can record any important state (user's document, preferences, GUI controls hierarchy, etc.), once when you record the script, and once when you play it back. This gives you two sets of data you can compare, to make sure for instance that everything stays the same. This solution gives you tests that not easy to modify (you have to re-record if your GUI changes), but that provide awesome regression testing.
(EDIT: This is also a terrific QA tool during beta testing, for instance: just have your users record their actions, and if there's a crash, you have a good chance of easily reproducing the problem by just playing back the script)
Good luck!
Carl
If the Automated GUI testing tool has knowledge about the framework the application is written in it could use that information to make better or more advanced scripts. TestComplete for example knows about Borland's VCL and WinForms. If you test applications build using Windows Presentation Foundation has advanced support for this build in.
use NUnitForms. I've used them with great success for single and multi threading apps and you don't have to worry about handles and stuff like that
Here are some posts about NUnitForms worth reading
NUnitForms and failed DragDrop registration - problem of MTA vs STA
Compiled application exe GUI testing with NUnitForms
I finally found a solution to communicate between the testing-application and the application-under-test: Managed Spy. It's basically a .NET application build on top of ManagedSpyLib.
ManagedSpyLib allows programmatic access to the Windows Forms controls of another process. For this it uses Window Hooks and memory-mapping files.
Thanks for all who helped me to get to this solution!
Managed Spy does not provide a solution for compact framework applications.
The company Jamo Solutions (www.jamosolutions.com) meets the requirements for automation testing on mobile devices, including .net compact framework applications.