vient

@_vient_

Followers 232 | Following 2K | Media 11 | Statuses 177

Reverse Engineer | C/C++ Developer | Bushwhackers CTF team

Cyberspace
Joined September 2012
@_vient_
vient
4 years
As revealed from conversation with support, I was the only one to have (read: have license and report) this problem so far. Maybe it is indeed such a rare scenario to have stack frame larger than 1MB, dunno.
0
0
0
@_vient_
vient
4 years
Wrote a small Hex-Rays plugin to support x86 MOVBE instruction (fused MOV+BSWAP): Even with MicroAVX sources on hand it still took like 8 hours to just insert intrinsic calls in Hex-Rays, official docs are very good 🤥
0
0
2
@_vient_
vient
4 years
Still waiting to see this limit as an option in hexrays.cfg.
1
0
0
@_vient_
vient
4 years
How to make Hex-Rays decompile functions with frames larger than 1MB:
1. Open hexrays.dll/hexx64.dll in IDA, decompile all.
2. Search for the number 4294967287 (error "Stack frame too big").
3. Look for two comparisons with 0x100000 nearby, patch this limit to whatever you want.
1
1
4
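The recipe above boils down to "find the error constant, then patch the 0x100000 immediates of the CMPs next to it". The script below is an added example, not the tweet author's work, and it runs over a constructed byte string that merely imitates such a code region; it is not hexrays.dll. The 4294967287 (0xFFFFFFF7, i.e. -9 as a signed 32-bit value) and 0x100000 constants come from the tweet; the 64-byte "nearby" window, the sample bytes, and the choice to recognise only the two plain `cmp r32, imm32` encodings (`3D imm32` and `81 /7 imm32`) are assumptions. Prefixes such as REX sit before the opcode, so a `48 3D imm32` on hexx64.dll still matches; other compare forms (8-bit immediates, memory operands) do not, and you should confirm the hits against the real disassembly before writing anything back.

```python
"""
Locate a "stack frame too big" style limit next to its error constant and
patch it.  Added example over a constructed blob, not hexrays.dll itself.
"""
import struct

ERR_FRAME_TOO_BIG = 0xFFFFFFF7   # 4294967287 from the tweet (-9 as int32)
OLD_LIMIT = 0x100000             # the 1 MiB frame limit being raised
WINDOW = 64                      # assumed "nearby" radius around the constant


def find_cmp_imm32(blob: bytes, imm: int, lo: int, hi: int):
    """Yield offsets of the imm32 field of CMP r32, imm32 inside [lo, hi).

    Encodings recognised (assumption: only these two):
      3D imm32       cmp eax, imm32
      81 /7 imm32    cmp r32, imm32, register form only (ModRM F8..FF)
    A prefix byte before the opcode (REX, 66) does not disturb the match.
    """
    needle = struct.pack("<I", imm)
    pos = blob.find(needle, lo)
    while pos != -1 and pos + 4 <= hi:
        if pos >= 1 and blob[pos - 1] == 0x3D:
            yield pos
        elif pos >= 2 and blob[pos - 2] == 0x81 and 0xF8 <= blob[pos - 1] <= 0xFF:
            yield pos
        pos = blob.find(needle, pos + 1)


def patch_limit(blob: bytes, new_limit: int, window: int = WINDOW):
    """Return (patched_blob, offsets_patched).

    Every CMP against OLD_LIMIT within `window` bytes of an occurrence of the
    error constant gets its immediate replaced by new_limit.  CMPs that are not
    near the error constant are left alone, which is what keeps an unrelated
    0x100000 elsewhere in the file from being touched.
    """
    buf = bytearray(blob)
    marker = struct.pack("<I", ERR_FRAME_TOO_BIG)
    patched = []
    at = blob.find(marker)
    while at != -1:
        lo, hi = max(0, at - window), min(len(blob), at + 4 + window)
        for off in find_cmp_imm32(blob, OLD_LIMIT, lo, hi):
            if off not in patched:
                buf[off:off + 4] = struct.pack("<I", new_limit)
                patched.append(off)
        at = blob.find(marker, at + 1)
    return bytes(buf), patched


# Constructed sample: two CMPs against the limit around the error constant,
# plus a decoy CMP far away that must survive untouched.
SAMPLE = (
    b"\x55\x8b\xec"                 # push ebp; mov ebp, esp
    b"\x3d\x00\x00\x10\x00"         # cmp eax, 0x100000        imm at offset 4
    b"\x76\x05"                     # jbe  +5
    b"\xb8\xf7\xff\xff\xff"         # mov  eax, 0xFFFFFFF7     the error code
    b"\x81\xf9\x00\x00\x10\x00"     # cmp  ecx, 0x100000       imm at offset 17
    + b"\x90" * 100 +               # padding: pushes the decoy out of the window
    b"\x3d\x00\x00\x10\x00"         # cmp eax, 0x100000        decoy, offset 122
)


def demo(new_limit: int = 0x1000000):
    """Patch SAMPLE to a 16 MiB limit and report which immediates changed."""
    out, offsets = patch_limit(SAMPLE, new_limit)
    return offsets, [struct.unpack_from("<I", out, o)[0] for o in offsets]


if __name__ == "__main__":
    offsets, values = demo()
    print("patched offsets:", offsets, "new values:", [hex(v) for v in values])
```

On a real DLL you would read the file into `blob`, run `patch_limit`, check that exactly the two comparisons the tweet mentions were hit (a different count means the heuristic matched something else), and only then write the result out under a new name.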
@_vient_
vient
5 years
Aaand I just discovered that all instructions can be found in the ida_allins module. But which prefix do you use for x86 instructions? X86? X8664? PC? Right, of course it's NN — ida_allins.NN_jmp is 0x56.
0
0
2
@_vient_
vient
5 years
RT @__paulch: Seems like I have finally started a blog! Hunting for bugs in VirtualBox (First Take).
0
76
0
@_vient_
vient
5 years
Of course it only patches instructions in IDA, but if you only need static, that's enough. For example, CFG from code1_.bin before (flattened) and after loading the extension:
1
0
0
@_vient_
vient
5 years
The only problem is that you still need to set proper refs in `emu` (I expected that IDA would perform `emu` by itself since we set a known ID; maybe there is something missing in my code). My script (part) from the CTF:
gist.github.com: IDA processor extension plugin for "patching" purposes - 0ctf_plugin.py
1
0
0
@_vient_
vient
5 years
IDA docs say that you must use custom instruction IDs, but I didn't have problems with using the internal IDs used for real instructions; that way you automatically get pretty printing and stuff. For example, if we set the ID to 0x56, the instruction will be treated as JMP.
1
0
0
@_vient_
vient
5 years
To solve it, you can make a plugin that will hook the processor and make it look like there is a completely different instruction at X, and its length can be set to 1 byte. That way you can squeeze in as many instructions as you have free bytes.
1
0
0
@_vient_
vient
5 years
It's pretty easy to write processor extensions for IDA (see , on 0CTF it occurred to me that they can be used to "patch" the binary to ease reversing. Example: you want to replace a short JMP (2 bytes) at address X with a long one (5 bytes) - you have a problem.
3
0
6
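The thread (this tweet and the four replies above it) describes one technique: hook the processor module, answer `ana` for chosen addresses with a 1-byte instruction that reuses the real `NN_jmp` itype so IDA prints it as an ordinary `jmp`, and add the code xref yourself in `emu`. The plugin below is an added example in that spirit, not the 0ctf_plugin.py gist linked above. The `PATCHES` table and its addresses are invented; the IDAPython names (`idaapi.IDP_Hooks`, `ev_ana_insn`, `ev_emu_insn`, `add_cref`, `PLUGIN_PROC`) are from IDA 7.x, and returning `True` from `ev_ana_insn` after filling `insn` is the convention that version's Python bindings document. The `try`/`except` around `import idaapi` is there so the patch table can be imported and checked outside IDA; inside IDA it is a no-op.

```python
"""
IDA processor-extension plugin that decodes chosen addresses as 1-byte
unconditional jumps to a target of your choice (static "patching" at analysis
time; the file is never modified).  Added example, not the linked gist.
"""
# idaapi exists only inside IDA; the guard keeps the patch table importable
# from a plain interpreter.  Inside IDA the except branch never runs.
try:
    import idaapi
except ImportError:
    idaapi = None

# ea -> jump target.  Hypothetical addresses: replace them with the dispatcher
# jumps from your own flattened control-flow graph.
PATCHES = {
    0x401000: 0x401040,
    0x401020: 0x401000,
}

NN_JMP = 0x56      # ida_allins.NN_jmp on the x86 module, as quoted in the thread


def patch_for(ea, patches=PATCHES):
    """Return the jump target for ea, or None when the real decoder should run."""
    return patches.get(ea)


if idaapi is not None:

    class PatchHooks(idaapi.IDP_Hooks):
        """Decode and emulate only the faked instructions; defer all others."""

        def ev_ana_insn(self, insn):
            target = patch_for(insn.ea)
            if target is None:
                return False                # not ours: x86 module decodes it
            insn.itype = idaapi.NN_jmp      # real itype == free pretty-printing
            insn.size = 1                   # consume one byte, whatever it holds
            insn.Op1.type = idaapi.o_near
            insn.Op1.addr = target
            return True                     # insn filled in, stop here

        def ev_emu_insn(self, insn):
            if patch_for(insn.ea) is None:
                return False
            # IDA does not emulate our override for us (the thread's observation),
            # so create the jump xref by hand.  No fall-through xref is added:
            # this is an unconditional jmp.
            idaapi.add_cref(insn.ea, insn.Op1.addr, idaapi.fl_JN)
            return True

    class PatchPlugin(idaapi.plugin_t):
        # PLUGIN_PROC: loaded together with the processor module and kept
        # alive for as long as that module is, which is what a hook needs.
        flags = idaapi.PLUGIN_PROC | idaapi.PLUGIN_HIDE
        comment = "Override decoding at selected addresses (static patching)"
        help = ""
        wanted_name = "ana/emu patcher"
        wanted_hotkey = ""

        def init(self):
            self.hooks = PatchHooks()
            self.hooks.hook()
            return idaapi.PLUGIN_KEEP

        def run(self, arg):
            pass

        def term(self):
            self.hooks.unhook()

    def PLUGIN_ENTRY():
        return PatchPlugin()
```

Drop the file into the IDA plugins directory and reopen the database. Addresses that were already analysed keep their old instruction until you undefine and recreate them, e.g. `idaapi.del_items(ea, idaapi.DELIT_SIMPLE, 1)` followed by `idaapi.create_insn(ea)`; after that the fake `jmp` shows up and the CFG follows the new target. The remaining bytes of the original instruction are now free for further 1-byte overrides, which is the squeezing trick the thread describes. Because `PATCHES` lives in the plugin, a reviewer of the resulting IDB should get the plugin too; without it the database re-analyses back to the original instructions.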
@_vient_
vient
5 years
So I "solved" the first problem by using this abomination as a `command`: `cmd /c start "" /MIN cmd /c ""path_to_launcher.bat" "%1""`. And the second one by sleeping a bit in the script (yeah, `ping 127.1` actually). Sadly, there is now a minimized cmd.exe for a second after clicking.
0
0
0
@_vient_
vient
5 years
There are 2 problems:
* There is a blinking window (cmd?) on launch. I tried `start /B ...` in the context command, did not help.
* IDA is started as the "least priority" window, so you need to Shift+Alt+Tab to it.
Does anybody know how to fix either of them?
1
0
0
@_vient_
vient
5 years
Made a context menu launcher for IDA which automatically chooses the 32- or 64-bit version based on `file` output run in WSL. Usage: right-click on a file, Open with IDA. Set your IDA_DIR env or change it in ida_launcher.bat.
gist.github.com: Add IDA to context menu. Download as ZIP, unpack to safe place (don't delete after!) and run setup.bat. You will get "Open with IDA" in context menu. Requires WSL installe...
2
1
2
@_vient_
vient
5 years
> Planning the journey? Very fun, Microsoft.
0
1
3
@_vient_
vient
6 years
RT @solardiz: Memory corruption vulnerabilities in VNC protocol implementations, research by @__paulch: https://t.c….
0
20
0
@_vient_
vient
6 years
RT @Gankra_: Hey, I made a gallery of the things I've made while breaking Firefox's rendering code! Check it out! h….
0
43
0
@_vient_
vient
6 years
RT @VDashchenko: Kaspersky ICS CERT invites you to join the IoT Vulnerability Research and Exploitation Training at Security Analyst Summit….
0
7
0