More About SEH and SafeSEH

As explained before, SEH (Structured Exception Handling) is a protection built into a system or a piece of software to handle abnormal program flow that could cause the program to misbehave (crash, hang, etc.). SEH prevents EIP from being overwritten directly by the excess data sent by the fuzzer. SEH fully controls the memory used by the software. This protection forces hackers to develop a technique to bypass it. Once this protection can be controlled, the execution process on the CPU can also be controlled easily, as in Direct Return exploitation.


The most popular technique to bypass this protection is the POP, POP, RETN technique. Basically, the stack in memory is a structured memory region consisting of a 32-bit virtual file. The first POP command takes the topmost layer of the virtual file out into another register. The second POP command takes out the second layer of the stack. Finally, the third command, RETN, will be the first layer on the stack, so the system will start execution from that location, depending on the memory address pointed to by the RETN command.

Introduction to “OllyDbg”

In this post, we’ve learned about reverse engineering. What we will talk about now is one of the tools used for it, called OllyDbg.

Before discussing OllyDbg, we must know what debugging is. Debugging is a structured process to find and reduce the number of bugs or defects in a computer program and repair them. When there is a bug in a system, especially one with lots of subsystems, debugging becomes harder because a change in one subsystem may cause bugs to appear in another.

To do this debugging process, we need a debugging tool called a debugger. It is used to test and debug a program. It can show what activity the software performs in memory. Based on that, we can see at what point a bug appears. OllyDbg, Debugger, and ImmunityDbg are examples of debugger software.

Buffer Overflow : Direct Return & SEH Based

In my other post we learned a little about buffer overflows. Now we will talk about two cases that occur when we do a buffer overflow, the Direct Return exploit and the SEH Based exploit, and what the difference between the two is.

– Direct Return Exploit
A direct return exploit happens to a program that can’t handle an exception, a condition where an application tries to execute code outside its normal work cycle. As a result, when an application that can’t handle an exception is buffer overflowed, the EIP registered in the buffer memory is directly overwritten by the rest of the data that we use to overflow the application.

– SEH Based Exploit

Introduction to “CPU Register”

If we want to master the buffer overflow technique, we must first have some knowledge of CPU registers. A register is a part of the processor’s memory that can be accessed at high speed and is always used by the microprocessor as the medium to do its work.

An x86 based CPU uses 8 registers: EAX, EBX, ECX, EDX, ESI, EDI, EBP, and ESP. Each of them is designed for a specific job so that the CPU processes information efficiently.

1. EAX Register
Used to perform calculations and store the value returned from a function call. Basic operations such as add, subtract, and compare are optimized for the EAX register. Special operations such as multiplication and division are done by the EAX register.

“Buffer Overflow” at Glance

Buffer overflow is a hacking technique for gaining root/administrator privileged access by exploiting the vulnerabilities of weak applications installed or running on a system. How can this be done? The hacker makes an application/program that causes the buffer memory provided by the system for the target application to overload and then overwrite other buffers.
