Friday, March 13, 2015


The right way to ‪#‎hook‬ the ‪#‎PR_Write‬ f-n in ‪#‎Firefox‬ Summary: instead of instantly re-patching the f-n prologue (mprotect / memcpy) which lead to frequent crashes, one could patch the PR_Write once and mock its behaviour (the original function is just an interface to call the implementation of the method, and it's stable, the same code is used from FF 1.0 up to the latest).

Thursday, August 30, 2012

How I made $740 in ten minutes for reporting vulnerability

Two months ago I read in a popular blog that the bank (where I have my account) is extending their vulnerability reward program. "Why not?" - I thought and started to google the bank's sites to find the target for the attack. In ten minutes I found that one of the sites is leaking customers data. Probing specially crafted URLs with sequential ID and omitted security token allowed me to download the large portions of the database with sensitive data. No further actions were needed, so I just filled the report. The banks employee mailed me back and told me that they need time to confirm it. Today I got the mail notifying me that the vuln was confirmed, patched and evaluated at $740 (the max bounty in this program is $1k). I think it's worth ten minutes of googling, right? :-)

Thursday, March 15, 2012

Valhalla 2

The second issue of the Valhalla zine is out! I like it! :-) There is article by me too. In the last moment I decided to throw out the technical details, stop theorizing and switch to the code. :-)

Thursday, October 20, 2011

LDE based on exceptions

Recently Indy (from proposed the new design for the length disassembler. Rather than compare the bytes against patterns it's put the instruction on the boundary between RWE and NOACCESS pages. First, one byte is copied, if it's not enough, the CPU would try to fetch the next one and will trigger the exception. Engine will catch the exception and copy the next byte and so on. Here you can download his code. I also write a sketch of this idea for Linux (it needs a lot of improvements, but working in a simple cases):

Wednesday, September 21, 2011

Hardware breakpoints

In addition to. Spent some time trying to recollect how to set the hw breakpoints.