Other

These are various projects that didn’t fit anywhere else. Like with most of the legacy content (created prior to this website), I’ll be using the text I used to originally describe these things, which may well be outdated or just plain irrelevant. You have been warned.

Wordlist Generator

Wordlist Generator was a rather fun project. What it does is automatically build giant wordlists out of a couple of words, by abusing their concatenation combinations and upper-case and l33t 5p34k variations. With just these two things, any two or three words fed to Wordlist Generator will explode into an amazing number of unique “passwords”. I did this while working for Scanit ME and the code is rather interesting. If you think about it, it’s a problem that demands a creative solution. The code only uses the standard C library, so it can compile pretty much anywhere with a compliant toolchain. Here’s what the release notes said…

This small utility should be used to aid dictionary-based attacks against pass{word,phrase} security. That is, it can be used to feed any password cracking software with specially targeted guesses of what the password might be. The concept behind this tool is that, instead of using general-purpose wordlists (such as a language dictionary or dictionary of computer terminology), one should be able to build a specially crafted wordlist that increases the chances of guessing a given password of a given individual. So, you basically input a few strings that you think have HIGH probability of forming the password in question, and this program will output a list with every possible combination of these strings. Featured is also the exploration of (upper/lower)-case variations and use of ‘l33t 5p34k’. The link for this file has both the executable files for Win32 systems as well as the source code. Next versions will entail new features like phonetic and radical permutations, as well as switches for controlling permutation types (like “–no-leet-speak”) so stay tuned!
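The release notes describe the three expansions that make a handful of seed strings explode into a large candidate space: every ordering of every subset of the seeds, every upper/lower-case variation, and ‘l33t’ substitutions. The following Python is an added example (not the original C tool, whose source is only available via the download link) that reproduces that combinatorics and turns it around for the defender: it counts how large the derivable space is and offers a policy check that rejects a proposed password when it can be derived from attributes an attacker could plausibly know about the user. The substitution table and the seed words (`alice`, `1984`) are constructed for this example.

```python
import itertools

# Substitution table for the 'l33t 5p34k' pass (constructed for this example;
# the original tool's table is not reproduced on the page).
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}


def char_options(ch):
    """Every form one character may take: as written, lower, upper and l33t."""
    opts = {ch}
    if ch.isalpha():
        opts.update((ch.lower(), ch.upper()))
    if ch.lower() in LEET:
        opts.add(LEET[ch.lower()])
    return sorted(opts)


def variants(word):
    """All case/l33t variants of one string (unique by construction, since each
    position draws from a set)."""
    for combo in itertools.product(*(char_options(c) for c in word)):
        yield "".join(combo)


def concatenations(words):
    """Every ordering of every non-empty subset of the seed words."""
    for size in range(1, len(words) + 1):
        for perm in itertools.permutations(words, size):
            yield "".join(perm)


def candidates(words):
    """The full derivable space. Deduplicated because different concatenations
    can yield the same string (e.g. 'ab' + 'c' and 'abc')."""
    seen = set()
    for base in concatenations(words):
        for cand in variants(base):
            if cand not in seen:
                seen.add(cand)
                yield cand


def count_candidates(words):
    """Size of the space a targeted wordlist built from these seeds covers."""
    return sum(1 for _ in candidates(words))


def is_derivable(password, words):
    """Policy check: True when the password lies inside that space, i.e. when
    case-flipping and l33t tricks applied to known attributes would reach it."""
    return any(cand == password for cand in candidates(words))


if __name__ == "__main__":
    seeds = ["alice", "1984"]  # constructed sample: first name and birth year
    print(f"{len(seeds)} seeds expand to {count_candidates(seeds)} candidates")
    for pw in ("4L1ce1984", "alice84"):
        verdict = "derivable" if is_derivable(pw, seeds) else "not derivable"
        print(f"{pw}: {verdict}")
```

Each letter of `alice` has two or three forms (for instance `a`, `A`, `4`), so the single word already expands to 108 strings, and the two seeds together to 325 unique candidates; a third seed word multiplies that again because the number of orderings grows factorially. `is_derivable` generates lazily and stops at the first hit, so for the short seed lists a password-policy check deals with it stays cheap.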

Download code and Win32 binary

DbgPlus Extension for WinDbg

DbgPlus is another interesting piece of code I did while working for Scanit ME. I’ll simply skip any introductions and jump directly into the release notes, which are large and informative enough. Here we go…

This is the alpha release of the first public version of the DbgPlus extension. We call it alpha because it still contains a few minor glitches and bugs, as well as ‘non-functional’ points of improvement (such as performance). It is a 1.0 version, though, in the sense that it displays the feature set desired for this first release and it is, in fact, a hundred percent usable.

Although DbgPlus was born from hackish code created to aid vulnerability analysis, one can say its features are generic enough to make it useful for general-purpose debugging as well. Below, we describe its functionalities in brief:

[1] Remote call - This feature makes it possible to execute a call to a function in the debuggee address space and see the return value. Unlike windbg’s ‘.call’ meta-command, we are able to call a function even without symbol information. In fact, the user can call a function just by specifying its address. Furthermore, unlike Skywing’s excellent extension, SDbgExt (which contains a similar functionality), we execute the call without needing the user to resume the execution of the process itself, making it perfect for post-mortem analysis (e.g. when the process has already crashed and you want to call some functions that will retrieve useful information on the process data).

[2] Trace and print history - This command will make the program execute until it reaches a breakpoint or exception and then print the last N (where N is an user-supplied number) instructions executed.

[3] Watch a range of memory - In order to overcome the processor’s (and debugger’s) limitation on the number of watchpoints, this command enables the user to watch for reads and writes to a range of memory unlimited in size. Different from the way that the breakpoint/watchpoint-setting commands normally work, when you issue !watchrange the program will execute and print the instructions accessing the range of memory. It will do so without ever breaking and until it reaches a breaking condition (breakpoints, exceptions…). These are not persistent watchpoints, meaning you should then issue the command again if you’re still interested in watching that range of memory further.

[4] Watch a register - This feature is perhaps the most exotic of the ones in DbgPlus, but can be a life saver if the user has to investigate the data-flow of a specific register for any reason. The !watchreg command takes a register name as parameter and watches for changes to that register in a similar fashion as the !watchrange command, printing the relevant instructions until a breaking condition.

As previously said, DbgPlus suffers from a few limitations. Most notably, the user should be aware that DbgPlus is not able to work with 64-bit targets and makes no effort to be otherwise. Adding support for 64-bit is doable but requires modifications in many parts of the code and was not considered critical for this release. Furthermore, the last 3 commands described above change the execution to stepping mode, making the performance thousands of times slower and therefore unsuited for long excerpts of code (depending on the power of the computer and how long you want to wait for the analysis) or code that interacts with the user. Therefore, the sensible user will want to delimit the pieces of code he wants to analyze with care, instead of issuing those commands to work throughout the whole execution of a big program or on GUI code.

Last but not least, any new user is strongly recommended to issue the !help command, which will hopefully enlighten him/her on the usage of the rest of the DbgPlus commands.

Download code and binaries