Recent news re: source code, software reverse engineering, patent litigation, etc.

2017/06/24 06:03:51
Brutal Kangaroo USB malware could be reverse engineered
Reverse engineering is a potential threat of the Brutal Kangaroo USB malware, which had details — but no code — leaked by WikiLeaks.

2017/06/24 04:28:49
Symantec won’t allow Russia to examine its source code over security fears
Symantec is worried that giving Russia access to its source code could result in security breaches.
“IBM, Cisco, Hewlett Packard Enterprise and McAfee have given Russia access to their respective source codes.”

2017/06/24 04:27:03
Microsoft confirms some Windows 10 source code has leaked
A portion of Microsoft’s Windows 10 source code has leaked online this week. Files related to Microsoft’s USB, storage, and Wi-Fi drivers in Windows 10 were posted to Beta Archive this week. Beta…
“The leak will be embarrassing for Microsoft, but the source code itself is already shared with partners, enterprises, governments, and other customers who choose to license it through the Shared Source initiative.”

2017/06/19 05:28:05
Defense Strategies In Billion-Dollar Software Copyright Cases – Law360
The limited availability of patent protection post-Alice has led to a resurgence in using copyright law to protect software programs. Two recent high-profile software copyright infringement cases illustrate how much is at stake and highlight the use…
“The scènes à faire doctrine depends on the circumstances presented to the creator at the time of creation, not the circumstances presented to the copier at the time it copied.” ; Arista analogized its use of CLI labels to remote controls for a TV set to explain its scènes à faire defense

2017/06/19 05:20:29
EU seeks to outlaw ‘backdoors’ in new data privacy proposals
Draft report from European parliament clashes with UK government calls to allow access to encrypted communications from WhatsApp and others
… look to deal with so-called over-the-top (OTT) services. The services replicate the functionality of traditional communications systems, such as landline telephones, but aren’t regulated in the same way and so do not afford similar protections. For example, the UK government has repeatedly called for ways to gain access to encrypted communications such as the end-to-end encryption (E2EE) used by Signal and WhatsApp, which prevents the interception of private messages….

2017/06/11 07:00:01
Windows Resource Dumper (resdump) from Clive Turvey
Clive Turvey has re-released the resource dumper for Windows that he and I first worked on back in the early 1990s. Yes, a utility first written in 1992 still works to display the internal representation of menus, dialogs, and other resources in Windows executable files: RESDUMP v8.02c – Windows Resource Dumper – FREEWARE Edition Copyright (c) 1992-2017 Andrew Schulman undoc@sonic.net Copyright.

2017/06/06 02:35:12
Integrated Circuit Reverse Engineering, 1970s Style
We are used to stories about reverse engineering integrated circuits, in these pages. Some fascinating exposés of classic chips have been produced by people such as the ever-hard-working [Ken Shirrif…

2017/06/05 07:47:24
Copying source code: reproducing even a small portion of source code can constitute copyright infringement | Lexology
In the case of IPC Global Pty Ltd v Pavetest Pty Ltd (No 3) [2017] FCA 82, the Federal Court was given the difficult task of determining what was a.
Australian case

2017/06/01 05:34:39
Reverse Engineering: A Basic How-To
How will this image be used? Do I anticipate any changes? What are your tolerance requirements? All these questions are paramount in determining the successful path of the data output and each is mutually exclusive of one another.
Article on reverse engineering physical objects with 3D scanning, include x-rays (CT); determining the reason for the reverse engineering is presented as a first phase in the process, before data acquisition.

2017/05/31 07:06:55
As Computer Coding Classes Swell, So Does Cheating
Growing numbers of computer science students are getting caught plagiarizing code, either from classmates or from someplace on the web.
As Computer Coding Classes Swell, So Does Cheating https://nyti.ms/2rh25gg; … Usually, anti-cheating software can uncover these tricks. One, developed by Dr. Aiken, is called MOSS, for Measure of Software Similarity….

2017/05/31 05:44:33
What We Know So Far About Direct Infringement Post-Form 18 – Law360
Following the abrogation of Form 18 in December 2015, what does it mean to state a claim of direct patent infringement? Eric Kaviar of Burns & Levinson LLP recently reviewed all of the substantive district court opinions grappling with this question….

2017/05/31 03:24:15
Changes to Expert Discovery May Place Communications With…
Communications between non-reporting experts and attorneys are at risk of being subjected to discovery. Under United States v. Kovel and its progeny…
… Non-reporting, testifying experts are typically those that were “not specially retained to provide expert testimony, but rather would testify on the basis of percipient knowledge.” … In Luminara Worldwide, LLC v. RAZ Imps., the non-reporting witness was a named inventor on the asserted patents.

2017/05/31 01:07:22
Supreme Court Rules Patent Laws Can’t Be Used to Prevent Reselling
The justices said that Lexmark International, which makes toner cartridges for its printers, could not stop another company from refilling and selling them.
… Roberts writing for unanimous court, said Lexmark could not use the patent laws to enforce the contractual conditions it placed on the sale of its cartridges….

2017/05/29 07:51:00
Opinions Of Counsel Post-Halo: Lessons From 16 Cases – Law360
Following the U.S. Supreme Court’s Halo decision 11 months ago, the case results show that investigating the patent and forming a good faith belief of invalidity or noninfringement is a key factor – perhaps the key factor – courts rely on in deciding…

2017/05/29 05:00:31
What We Know So Far About Direct Infringement Post-Form 18 – Law360
Following the abrogation of Form 18 in December 2015, what does it mean to state a claim of direct patent infringement? Eric Kaviar of Burns & Levinson LLP recently reviewed all of the substantive district court opinions grappling with this question….
… one judge has commented that, following the abrogation of Form 18, it may make sense to amend local patent rules such that initial infringement contentions are due at the time the complaint is filed. Straight Path IP v. Apple (N.D. Cal.). However, several opinions from the Eastern District of Texas suggest that a plaintiff before that court must simply address the “central claim limitations” in the complaint. E.g., Semcon IP v. Huawei

2017/05/27 06:09:19
Kaspersky Lab Offers Source Code to U.S. Government
Speaking in Australia today, founder and CEO Eugene Kaspersky made the latest overture in his effort to clear his company of claims that its alleged ties to the Russian government pose a national security threat for users of its cybersecurity…

2017/05/24 05:55:56
Researchers Find Computer Code That Volkswagen Used to Cheat Emissions Tests
An international team of researchers has uncovered the mechanism that allowed Volkswagen to circumvent U.S. and European emission tests over at least six years before the Environmental Protection Agency put the company on notice in 2015 for…

2017/05/23 03:20:17
Clive Turvey’s dumppe and dumppdb utilities for Windows PE and debug symbol files
Clive Turvey has written some excellent tools for extracting information from Windows PE executable (exe, dll, sys, etc.) files, and from Windows PDB debug symbol files. Clive has given me permission to host these. Download a zip file containing dumppe, dumppdb, and dumplx: turvey_dump_utils_pe_pdb.zip I will be using these tools in a forthcoming six-hour video from Packt on Software Reverse.

2017/05/22 06:20:56
Supreme Court Ruling Could End Texas Patent Troll Problem
The Supreme Court delivered a major blow to patent trolls by making it harder for them to bring lawsuits in friendly venues like East Texas.
… In its ruling, the Supreme Court stated it was upholding one of its earlier patent decisions from 1957 known as Fourco. In that decision, the top court had found the specific rules of the Patent Act, which require a plaintiff to sue companies where they are incorporated, applied despite rules to the contrary in the general venue law….

2017/05/22 06:15:54
East Texas could see nation’s patent cases go elsewhere with Supreme Court ruling | Technology | Dallas News
Dallas News: your source for breaking news and analysis for Dallas-Fort Worth, Texas and around the world. Read it here, first.

2017/05/19 06:13:04
Patent Owner Comments During an IPR Can Lead to Prosecution Disclaimer – Even for Non-Instituted Claims
The doctrine of prosecution disclaimer prevents patent owners from recapturing specific meanings of claim terms that were disclaimed during…

2017/05/19 03:10:38
Huawei spied, Federal jury finds
Tappy the robot is a Happy robot
Huawei argued that T-Mobile’s own IPR on Tappy (e.g., “Touch Screen Testing Platform patent application”, US 2012/0146956) blew up its own trade secret defence: they weren’t secrets any more.

2017/05/18 05:57:34
WannaCry ransomware shares code with North Korea-linked malware – researchers
The source for WannaCry ransomware, which has spread to 150 countries, may be Pyongyang or those trying to frame it, security analysts say, pointing to code similarities between the virus and a malware attributed to alleged hackers from North Korea.
Though RT cautions that “attribution” is a tricky business

2017/05/14 09:38:39
03/10/2017: Important announcement:
“As some of you know, The WikiLeaks dump of “Vault7” contained, among other things, a 2015 copy of my “Android Internals” book, since Technologeeks provided training for them. Though by now a bit outdated, it’s still a high quality, color PDF updated…”
http://newandroidbook.com/

2017/05/14 05:42:50
Reverse Engineering Apple Location Services Protocol
While working on Whereami I got interested on how Apple location services actually work. I know it is handled by locationd since Little Snitch keeps blocking it. Usual way of inspecting traffic with proxychains did not work since macOS now has…
“While working on Whereami I got interested on how Apple location services actually work. I know it is handled by locationd since Little Snitch keeps blocking it. Usual way of inspecting traffic with proxychains did not work since macOS now has something called System Integrity Protection (SIP). Alternative way was to setup Charles as MITM proxy for an iOS device. After looking at the traffic which was mostly the device phoning home I got what I needed – a location services request.”

2017/05/14 05:36:54
How an Accidental ‘Kill Switch’ Slowed Friday’s Massive Ransomware Attack
The ransomware that swept the internet isn’t dead yet. But one researcher managed to at least slow it down.
As he worked to reverse-engineer samples of WannaCry on Friday, MalwareTech discovered that the ransomware’s programmers had built it to check whether a certain gibberish URL led to a live web page. Curious why the ransomware would look for that domain, MalwareTech registered it himself. As it turns out, that $10.69 investment was enough to shut the whole thing down, for now at least.

2017/05/14 12:36:44
OSS-Fuzz: Five months later, and rewarding projects
Five months ago, we announced OSS-Fuzz , Google’s effort to help make open source software more secure and stable. Since then, our robot ar…

2017/05/01 08:19:00
Sent to Prison by a Software Program’s Secret Algorithms
Using artificial intelligence in judicial decisions sounds like science fiction, but it’s already happened in Wisconsin.
… the case of a Wisconsin man, Eric L. Loomis, who was sentenced to six years in prison based in part on a private company’s proprietary software. Mr. Loomis says his right to due process was violated by a judge’s consideration of a report generated by the software’s secret algorithm, one Mr. Loomis was unable to inspect or challenge….

2017/04/25 09:10:24
3D X-ray Tech for Easy Reverse Engineering of ICs
Researchers map an Intel processor down to its transistors

2017/04/25 04:32:16
http://swipreport.com/softwares-capability-to-infringe-is-not-patent-infringement/
A claim for direct patent infringement could not be sustained where Microsoft software, even under the plaintiff’s theory of infringement, would have required
“A claim for direct patent infringement could not be sustained where Microsoft software, even under the plaintiff’s theory of infringement, would have required additional user configuration before all claim elements were met. Parallel Networks Licensing LLC v. Microsoft Corp….”

2017/04/21 05:38:13
DraftKings and Bwin in Nevada source code battle
DraftKings, Bwin and 888 Holdings are leading a group of gaming companies that have asked a Nevada court to block a bid by two gambling technology firms to force them to produce their source code in Las Vegas as part of a patent suit.

2017/04/20 08:43:07
Top 8 Reverse Engineering Tools for Cyber Security Professionals
Whether it is rebuilding a car engine or diagramming a sentence, people can learn about many things simply by taking them apart and putting them back toget
A useful list, though a list of “top 8” reverse engineering tools might have instead included dumpbin, IDA Pro, Fiddler, Wireshark, etc.

2017/04/20 04:47:42
Judge Sleet Grants Defendant’s Motion to Dismiss Induced Infringement Claims But Denies Motion as to Direct Infringement Claims
By Memorandum Opinion entered by The Honorable Gregory M. Sleet in IP Communication Solutions, LLC v. Viber Media (USA) Inc., Civil Action No….
“Plaintiffs in infringement action need to be mindful to plead enough specific facts in their claims to meet the requirements of Twombly/Iqbal.” ; specific intent to induce infringement: “…the complaint failed to allege facts supporting how Defendant specifically instructed or directed customers to use Defendant’s application and corresponding server system in a manner that would infringe the patent-in-suit….”

2017/04/20 12:47:30
Report: Commercial Software Riddled With Open Source Code Flaws
Black Duck Software has released its 2017 Open Source Security and Risk Analysis, detailing significant cross-industry risks related to open source vulnerabilities and license compliance challenges. Black Duck conducted audits of more than 1,071…
“The report’s title, “2017 Open Source Security and Risk Analysis,” may be a bit misleading. It is not an isolated look at open source software. Rather, it is an integrated assessment of open source code that coexists with proprietary code in software applications….”

2017/04/13 06:35:37
X-rays Map the 3D Interior of Integrated Circuits
With X-ray ptychography, researchers take the first step toward being able to easily map a chip for reverse engineering
“all it takes is a few more years of this kind of work, and you’ll pop in your chip and out comes the schematic,” says Anthony Levi of the University of Southern California. “Total transparency in chip manufacturing is on the horizon”

2017/04/13 06:32:36
Dodd-Frank Redo Would Limit SEC Access to Source Code
The SEC couldn’t gain nearly unrestricted access to trading systems’ computer software under a new Republican proposal to overhaul the Dodd-Frank Act.

2017/04/09 04:02:13
Windows 10 telemetry data collection details revealed
Privacy concerns result in Microsoft detailing Windows 10 telemetry practices, revealing Windows 10 data collection options.

2017/04/07 07:44:41
Uber said to use “sophisticated” software to defraud drivers, passengers
Class action says Uber’s “methodical scheme” manipulates rider fares, driver pay.
“When a rider uses Uber’s app to hail a ride, the fare the app immediately shows to the passenger is based on a slower and longer route compared to the one displayed to the driver. The software displays a quicker, shorter route for the driver. But the rider pays the higher fee, and the driver’s commission is paid from the cheaper, faster route, according to the lawsuit”

2017/04/06 04:02:03
Uber finds one allegedly stolen Waymo file – on an employee’s personal device
Uber admitted today that it had found one of the documents Waymo alleges was stolen by a former employee — who left its self-driving car effort to join..

2017/04/06 04:00:00
CAFC: Prior Judicial Opinions Do Not Bind the PTAB
Novartis v. Noven Pharma (Fed. Cir. 2017) This short opinion by Judge Wallach affirms the PTAB findings that the claims .
Novartis v. Noven: “The idea here is that in litigation, invalidity must be proven with clear and convincing evidence while inter partes review requires only a preponderance of the evidence. As explained by the Supreme Court on Cuozzo, this may lead to different outcomes”

2017/04/06 03:55:50

PwC/BAE report on APT10 targeting of managed IT service providers

2017/04/06 03:48:41
Lazarus Under The Hood
Today we’d like to share some of our findings, and add something new to what’s currently common knowledge about Lazarus Group activities, and their connection
Kaspersky analysis of Lazarus Group advanced persistent threat

2017/04/05 06:54:50
Reverse Engineering Is Not Just for Hackers
We spend a lot of time putting apps together, but when was the last time you pulled one apart? If we can streamline the process of looking inside a compiled application then we’re more likely to employ it to answer questions and teach us valuable…
Inspecting Android apps

2017/04/04 07:39:01
Amazon.com wins $1.5 billion tax dispute over IRS
Amazon.com Inc on Thursday won a more than $1.5 billion tax dispute with the Internal Revenue Service over transactions involving a Luxembourg unit more than a decade ago.
Transfer pricing of software

2017/04/04 03:35:34
Modified Opinion: Federal Circuit Won’t Enjoin Non-Party
Asetek Danmark v. CMI USA (“Cooler Master”) (Fed. Cir. 2017) The Federal Circuit has updated its original decision in Asetek, with .
“Federal Circuit substantially affirmed but remanded on the injunction since it applied to a non-party and went beyond that non-party’s `abetting a new violation’ by the adjudged infringer… companies and owners divide-up the structure of their firms without substantially dividing management and control – and then use that division to partially avoid legal liability”

2017/04/03 04:05:40
Cloud Computing: Software patent claims and the risks to service availability
Cloud software patent claims will likely increase as more users migrate to the cloud.
… anecdotal evidence to suggest that claimants may prefer to claim against a CSP’s customers rather than the CSP itself….

2017/03/31 09:40:22
Beijing Intellectual Property Court Grants First Injunction in a SEP infringement suit | Lexology
Beijing Intellectual Property Court (BIPC) today (March 22, 2017) issued its judgment in the high-profile case IWNComm v. Sony, finding that Sony has.
“The patent in dispute is a core patent of the WAPI technology, and is essential to a national compulsory standard. In the negotiations, the plaintiff explained the patented technology relevant to WAPI and provided a list of its patent and a draft license agreement. Based on this, the defendant should be able to determine if the WAPI software within its mobile phone in dispute is covered by the claims of the patent in dispute, without the need for the plaintiff to provide a claim comparison chart. Thus, the defendant’s request for the plaintiff to provide the claim chart was unreasonable….”

2017/03/31 09:37:27
Federal Circuit Continues To Narrow Scope Of CBM Qualification – Intellectual Property – United States
The Federal Circuit reversed the PTAB’s determination that a challenged patent (relating “generally to computer security, and more particularly, to systems and methods for authenticating a web page”) qualified for CBM review.
The Federal Circuit reversed and held that a patent only qualifies for CBM if it claims a “method or corresponding apparatus . . . used in the practice [ ] of a financial product or service” and that it was error for the PTAB (1) to expand the statutory language “financial product or service” to cover methods and apparatuses merely incidental to a financial activity, and (2) to consider Secure Axcess’s choice of litigation targets (all financial institutions) as a factor relevant to the challenged patent’s qualification for CBM review.

2017/03/31 09:34:19
Mobile Payment Patent Remains Legal Tender after Alice Challenge
In the post-Alice world, patents that relate in any material way to financial processes or systems have come under increased attacks in the early stages of infringement litigation—as defendants
Because LevelUp’s claims are directed to a specific method for distinguishing between data streams that improves the operation of the POS terminal, Judge McConnell found that the claims were not directed to an abstract idea…. [in Alice step 2, court] rejected Relevant’s contention that the sentinels in the patented technology were akin to the use of Morse code, explaining that the existence of a pre-Internet analog does not automatically render a patent ineligible.

2017/03/31 09:31:15
Factual Findings Required to Show “Apparent Reason to Combine” | Lexology
Addressing issues of obviousness and anticipation in the context of an inter partes review, the US Court of Appeals for the Federal Circuit issued.
The Court also noted that the PTAB failed to consider the possibility that, even if the combination of prior art references taught long-term treatment with a PDE inhibitor of individuals with some forms of erectile dysfunction, a person of skill in the art may not have been motivated to combine those same references to treat individuals with fibrosis-related erectile dysfunction, for whom, LAB argued, the results would have been expected to be detrimental.

2017/03/31 09:28:48
Reading the Tea Leaves from the TC Heartland LLC v. Kraft Food Group Brands LLC Oral Argument | Lexology
On Monday, the Supreme Court heard oral argument in TC Heartland LLC v. Kraft Food Group Brands LLC, a case in which the Court could alter the.
To begin, despite the looming policy ramifications of this case, questions from the justices signaled that the Court viewed this case first and foremost as an issue of statutory construction. Justice Breyer most colorfully illustrated this through an early exchange with Heartland: “[The Amici briefs] [a]re filled with this thing about a Texas district which they think has too many cases. . . . But is there some relevance to it?”

2017/03/31 09:20:28
WikiLeaks releases Marble source code, used by the CIA to hide the source of malware it deployed
Today, WikiLeaks publishes the third installment of its Vault 7 CIA leaks. We’ve already had the Year Zero files which revealed a number of exploits for popular hardware and software, and the Dark Matter batch which focused on Mac and iPhone…

2017/03/30 09:28:35
Samizdat no more: Old Unix source code opened for study
Nokia Bell Labs, Alcatel-Lucent pack away the sueball gun

2017/03/30 02:35:43
Cisco learned from Wikileaks that the CIA had hacked its systems
The Wikileaks documents describe how the CIA learned how to exploit flaws in Cisco’s widely used Internet switches.
Departing NSA Deputy Director Rick Ledgett confirmed in an interview that 90 percent of government cyber spending was on offensive efforts and agreed it was lopsided.

2017/03/27 04:28:57
After London Attack, U.K. Wants Access to Encrypted WhatsApp Messages
British lawmakers will meet with American tech representatives as part of a wider push to get Silicon Valley to do more to tackle potential threats.

2017/03/21 03:27:27
ITC: Licensee Investments May Satisfy Domestic Industry Requirement – IPWatchdog.com | Patents & Patent Law
Judge McNamara explained domestic industry is not limited to the activities of the patentee and may be satisfied based on a licensee’s activities alone.
SciGen / Soitec: First, the order considers whether a complainant may use a licensee’s activities to satisfy the domestic industry requirement; Second, the order considers whether a licensee must participate in a complaint when the patentee relies on that licensee’s activities to establish a domestic industry; Third, the order considers whether a change to a licensee’s status is material to a ruling on domestic industry.

2017/03/21 03:23:58
ITC Domestic Industry Ruling A Warning For NPE Licensees – Law360
A recent U.S. International Trade Commission decision allowing a patent owner to rely on its licensee’s activities to satisfy the trade body’s domestic industry requirement illustrates a way for nonpracticing entities to get in the ITC’s door that…

2017/03/20 09:59:48
Hundreds of Cisco switches vulnerable to flaw found in WikiLeaks files
The flaw was found by Cisco security researchers, despite WikiLeaks’ claiming that the CIA hacking unit disclosures did not contain working vulnerabilities.

2017/03/20 05:47:17
Hacking Tools Get Peer Reviewed, Too
A government-led effort paves the way for data extracted from electronic devices to be accepted as evidence in court.
Hacking Tools Get Peer Reviewed, Too https://lnkd.in/g_bF2Ty; NIST software quality group

2017/03/18 06:25:02
The Truth of Patent Data Quality | @BigDataExpo #BigData #Analytics #MachineLearning
The United States Patent and Trademark Office (USPTO) recently announced an expansion of PatentsView, its visualization tool for US patents. First launched a few years ago, the intent behind the tool was to make 40 years of patent filing data…

2017/03/18 06:24:11
Google’s new encoder makes JPEGs up to 35 percent smaller
Speed is everything on the internet, and as a general rule of thumb: the smaller the file, the faster it’ll load. To help with that, Google created a new open-source JPEG encoder that will…

2017/03/18 06:20:13
How Technology Timeline Can Help Find Hidden Prior Art – GreyB
With the passage of time, technological terms have evolved drastically. Earlier phones were called radio telephones, later as mobile stations and now we use a term user equipment. Did you also ponder on how such advancement in the timeline of a…

2017/03/18 06:12:33
Teaching Away Requires Discouragement or Implying the Combination Would Not Work – IPWatchdog.com | Patents & Patent Law
To reverse a finding of obviousness based on overlooking a “teach away,” the evidence must show that the references discouraged the combination or implied that the resulting combination would not work as described in the patent.


Windows Resource Dumper (resdump) from Clive Turvey

Clive Turvey has re-released the resource dumper for Windows that he and I first worked on back in the early 1990s. Yes, a utility first written in 1992 still works to display the internal representation of menus, dialogs, and other resources in Windows executable files:

RESDUMP v8.02c - Windows Resource Dumper - FREEWARE Edition
 Copyright (c) 1992-2017 Andrew Schulman undoc@sonic.net
 Copyright (c) 1995-2017 Clive Turvey cturvey@gmail.com
 All rights reserved. Non-Commercial use only

RESDUMP displays information about resources in a Windows .RES
 file or executable (EXE, DLL, DRV, etc.). Detailed information
 is provided for dialog boxes, controls, menus, string tables,
 accelerator tables, and version resources.

To display resources in a Windows .RES or executable:
 RESDUMP [options] res_or_exe_file
 example: resdump \windows\winfile.exe

To display resources only of a given type:
 RESDUMP -TYPE [type] res_or_exe_file
 example: resdump -type menu \windows\winfile.exe
 resdump -type menu -type dialog -hex \foo\bar.exe
 types: CURSOR BITMAP ICON MENU DIALOG STRINGTAB FONTDIR FONT
 ACCEL RCDATA ERRORTAB CURSDIR ICONDIR NAMETAB VERSION
To also display (x,y) locations for dialog items: -VERBOSE
 To also dump bytes (hex) for each resource: -HEX
 For Windows 1.0 programs: -WIN10
 To disable ANSI to OEM conversion (Japan): -DBCS
 To dump any readable text for unknown resource types: -STRINGS
Also works with Win32 (NT) portable executable (PE) files

Resources may be in MUI (multilingual user interface) files rather than in EXE or DLL files; resdump also works on MUI files.

For example, a small dialog from \windows\system32\en-US\ieframe.dll.mui:

DIALOG #00000154h
 Language 1033 (US English)
 Style: SETFONT MODALFRAME CENTER
 Menu: ""
 Class: ""
 Caption: "New Folder"
 Font: "MS Shell Dlg" (8 Pt.)
 4294967295 (FFFFFFFFh) STATIC 50020000 "Folder &Name:"
 337 (00000151h) EDIT 50810080 ""
 4294967295 (FFFFFFFFh) STATIC 50020000 "C&reate in:"
 338 (00000152h) "ComboBoxEx32" 50210003 ""
 1 (00000001h) BUTTON 50010001 "Cre&ate"
 2 (00000002h) BUTTON 50010000 "Cancel"

Similarly, a popup menu from \windows\system32\en-US\ieframe.dll.mui:

MENU #00000108h
 Language 1033 (US English)
 POPUP ""
 41511 (0000A227h) "&Menu bar"
 41478 (0000A206h) "&Favorites bar"
 41481 (0000A209h) "&Command bar"
 41474 (0000A202h) "&Status bar"
 41480 (0000A208h) "" SEPARATOR
 42448 (0000A5D0h) "Disab&le toolbars and extensions when InPrivate Browsing starts"
 41484 (0000A20Ch) "&Lock the toolbars"
 END

The ID numbers can often be correlated with disassembly listings generated for example by Clive Turvey’s dumppe (see here) or by IDA Pro. For example:

dumppe -getsym -disasm \windows\system32\ieframe.dll > ieframe.a

resdump \windows\system32\en-US\ieframe.dll.mui > ieframe.dmp

Search the disassembly listing for “unusual” hex numbers appearing in the resource dump, such as 0A227h (“&Menu bar”) from the popup menu above:

10341161 6A01         push 1
10341163 6827A20000   push 0A227h
10341168 56           push esi
10341169 FF158CDC5810 call dword ptr [EnableMenuItem]

This can probably be relabeled:

10341161 6A01         push 1
10341163 6827A20000   push MENU_BAR ;; 0A227h
10341168 56           push esi
10341169 FF158CDC5810 call dword ptr [EnableMenuItem]

Similarly:

10341120 68D0A50000   push 0A5D0h
10341125 56           push esi
10341126 FF152CDA5810 call dword ptr [DeleteMenu]
1034112C EB24         jmp loc_10341152

can at least provisionally be relabeled (only “probably” and “provisionally” because of course these numbers, while “unusual,” may represent something else):

10341120 68D0A50000   push DISABLE_TOOLBARS_INPRIVATE ;; 0A5D0h
10341125 56           push esi
10341126 FF152CDA5810 call dword ptr [DeleteMenu]
1034112C EB24         jmp loc_10341152
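The correlation step described above can be scripted. The Python below is an added example, not part of the original post or of Clive Turvey’s tools: it parses resource item lines in the layout resdump prints and `push` lines in the layout `dumppe -disasm` prints, then annotates any `push` immediate that matches a resource ID with a label, leaving small values such as `push 1` alone for the reason given above (the `min_id` threshold, the label scheme and the line-format regexes are this example’s own assumptions, derived from the listings on this page). The sample inputs are constructed from those listings.

```python
import re

# Constructed sample inputs in the layouts resdump and dumppe -disasm print;
# the lines are copied from the listings above (a menu, part of a dialog, and
# two code fragments), not read from a real file.
RESDUMP_SAMPLE = """\
MENU #00000108h
 Language 1033 (US English)
 POPUP ""
 41511 (0000A227h) "&Menu bar"
 41478 (0000A206h) "&Favorites bar"
 41480 (0000A208h) "" SEPARATOR
 42448 (0000A5D0h) "Disab&le toolbars and extensions when InPrivate Browsing starts"
 END
DIALOG #00000154h
 Language 1033 (US English)
 Caption: "New Folder"
 4294967295 (FFFFFFFFh) STATIC 50020000 "Folder &Name:"
 337 (00000151h) EDIT 50810080 ""
 338 (00000152h) "ComboBoxEx32" 50210003 ""
 1 (00000001h) BUTTON 50010001 "Cre&ate"
"""

DISASM_SAMPLE = """\
10341120 68D0A50000   push 0A5D0h
10341125 56           push esi
10341126 FF152CDA5810 call dword ptr [DeleteMenu]
10341161 6A01         push 1
10341163 6827A20000   push 0A227h
10341168 56           push esi
10341169 FF158CDC5810 call dword ptr [EnableMenuItem]
"""

# A resource item line: decimal id, the same id in hex, then class/style/caption.
ITEM_RE = re.compile(r'^\s*(\d+)\s+\(([0-9A-Fa-f]+)h\)\s+(.*)$')
QUOTED_RE = re.compile(r'"([^"]*)"')
STYLE_RE = re.compile(r'[0-9A-Fa-f]{8}')          # 8-digit window style value
# A dumppe line: address and opcode bytes, then mnemonic and operand(s).
DISASM_RE = re.compile(r'^([0-9A-Fa-f]{8}\s+[0-9A-Fa-f]+\s+)(\w+)\s+(.*?)\s*$')


def make_label(caption, kind, hex_id):
    """Build an identifier-style label from a caption ("&Menu bar" -> MENU_BAR).
    Items without a caption (separators, edit boxes) get KIND_<hexid> instead."""
    words = re.findall(r'[A-Za-z0-9]+', caption.replace('&', ''))
    if not words:
        return f"{(kind or 'ITEM').upper()}_{hex_id.lstrip('0').upper() or '0'}"
    return '_'.join(w.upper() for w in words)


def parse_resdump(text):
    """Map resource item ids to labels. Id -1 (FFFFFFFFh) marks static text
    that code never refers to by id, so those items are skipped."""
    ids = {}
    for line in text.splitlines():
        m = ITEM_RE.match(line)
        if not m:
            continue
        _, hex_id, rest = m.groups()
        item_id = int(hex_id, 16)
        if item_id == 0xFFFFFFFF:
            continue
        quoted = QUOTED_RE.findall(rest)          # class name and/or caption
        caption = quoted[-1] if quoted else ''
        # Kind: a bare word (EDIT, BUTTON, SEPARATOR) left after removing quoted
        # strings and the style value, else a quoted class name like ComboBoxEx32.
        bare = [w for w in QUOTED_RE.sub('', rest).split() if not STYLE_RE.fullmatch(w)]
        kind = bare[-1] if bare else (quoted[0] if len(quoted) > 1 else '')
        ids.setdefault(item_id, make_label(caption, kind, hex_id))
    return ids


def parse_immediate(operand):
    """Value of an assembler immediate such as 0A227h or 1; None for registers
    and memory operands."""
    m = re.fullmatch(r'0?([0-9A-Fa-f]+)h', operand)
    if m:
        return int(m.group(1), 16)
    if operand.isdigit():
        return int(operand, 10)
    return None


def annotate_disasm(text, ids, min_id=0x100):
    """Rewrite 'push <imm>' lines whose immediate is a known resource id as
    'push LABEL ;; <imm>'. Immediates below min_id are left alone: values like
    1 or 2 are far too common to be taken as resource ids (the caveat above)."""
    out, hits = [], 0
    for line in text.splitlines():
        m = DISASM_RE.match(line)
        if m and m.group(2).lower() == 'push':
            prefix, _, operand = m.groups()
            value = parse_immediate(operand)
            if value is not None and value >= min_id and value in ids:
                line = f"{prefix}push {ids[value]} ;; {operand}"
                hits += 1
        out.append(line)
    return '\n'.join(out) + '\n', hits


if __name__ == "__main__":
    labels = parse_resdump(RESDUMP_SAMPLE)
    annotated, n = annotate_disasm(DISASM_SAMPLE, labels)
    print(annotated, end='')
    print(f";; {n} push immediates relabeled")
```

On a real listing, pass the contents of ieframe.a and ieframe.dmp (from the two commands above) to the same two functions; every hit is still only a candidate, as the post says.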

To dump resources for more than one file, use the for command. For example:

for %f in (\windows\system32\en-US\*.mui) do resdump "%f" >> mui_resdump.txt

The -strings option will display readable text for any resource type unknown to resdump. For example, WordPad uses a “ribbon”:

resdump -strings "C:\progra~1\Windows NT\Accessories\wordpad.exe"

"UIFILE" "WORDPAD_RIBBON"
 Language 1033 (US English)
 ...
 WordpadOleObjectPopUpMenuNItems
 WordpadPicturePopUpMenue}
 WordpadTextPopUpMenu
 cmdRedo
 cmdUndo
 cmdQAT
 cmdClosePreviewCommand
 cmdChunkPreviewClose
 cmdNextPageCommand
 cmdPrevPageCommand
 cmdChunkPreviewPage
 ...

Download link: resdump_for_windows


Clive Turvey’s dumppe and dumppdb utilities for Windows PE and debug symbol files

Clive Turvey has written some excellent tools for extracting information from Windows PE executable (exe, dll, sys, etc.) files, and from Windows PDB debug symbol files. Clive has given me permission to host these.

Download zip file containing dumppe, dumppdb, dumplx, and guid.dat and win32_dll_ord.dat files (see below): clive_turvey_utils_dumppe_dumppdb.zip

I will be using these tools (among many others) in a forthcoming six-hour video from Packt on Software Reverse Engineering.

dumppe command-line options:

Usage : DumpPE [options] <Win32 PE Portable Executable>

Options : -quiet Suppress copyright string
 -disasm Rough disassembly
 -disasm:start,length -disasm:400DE,1FE
 -disasm:+offset,length -disasm:+DE,1FE
 -disasm:!symbol -disasm:!start
 -def <File> Disassembler definition file
 -dat <File> Specify Ordinal database file
 -guid <File> Specify GUID database file
 -getsym Pull symbols from Microsoft Symbol Server
 -path <Path> Alternate path for PDB symbols
 -pdb <File> Specify PDB symbol file
 -reloc Display base relocations
 -checksum Calculate Checksum
 -resource Display resource section
 -nosym Suppress symbolic output

The combination of -getsym and -disasm is particularly useful, providing much of the functionality available for Win32 disassembly in IDA Pro.

The -guid option will use a file such as guid.dat (in the zip file) to improve disassembly by providing text names for UUIDs/GUIDs in the code.

The -dat option will use a file such as win32_dll_ord.dat (in the zip file) to improve disassembly by providing text names for module.ordinal imports (e.g. OLEAUT32.7 is SysStringLen).

====

For more information on PDB files, and source code for a Microsoft PDB dumper, see https://github.com/Microsoft/microsoft-pdb ; Microsoft’s cvdump works with PDB files and is available at https://github.com/Microsoft/microsoft-pdb/tree/master/cvdump .

cvdump help:

Microsoft (R) Debugging Information Dumper Version 14.00.23611
Copyright (C) Microsoft Corporation. All rights reserved.

Usage: cvdump [-?] [-asmin] [-coffsymrva] [-fixup] [-fpo] [-ftm] [-g]
 [-h] [-headers] [-id] [-inll] [-illines] [-l] [-m] [-MXXX] [-omapf]
 [-omapt] [-p] [-pdata] [-pdbpath] [-s] [-seccontrib] [-sf] [-S]
 [-t] [-tmap] [-tmw] [-ttm] [-x] [-xdata] [-xme] [-xmi] file

-asmin Merged assembly input
 -fixup Debug fixups (PDB only)
 -fpo FPO data
 -ftm Function token map
 -g Global Symbols
 -h Header (section table)
 -headers Section Headers (PDB only)
 -id IDs
 -inll Inlinee lines
 -illines IL lines
 -l Source lines
 -m Modules
 -MXXX XXX = Module number to dump
 -omapf OMAP From Source (PDB only)
 -omapt OMAP To Source (PDB only)
 -p Publics
 -pdata Function Table Entries (PDB only)
 -pdbpath PDB search details
 -s Symbols
 -seccontrib Section contributions (PDB only)
 -sf Sorted source file list
 -stringtable String table
 -S Dump static symbols only
 -t Types
 -tmap Token Map (PDB only)
 -tmw Type UDT Mismatches
 -ttm Type token map
 -x Segment Map
 -xdata Exception Data (PDB only)
 -xme Cross module export IDs
 -xmi Cross module import IDs
 file Executable file to dump

cvdump -pdbpath <pe_file> is especially useful when the results are piped through a C++ demangling utility such as Microsoft undname, or vc++filt, or submitted to the online demangler (https://demangler.com/).
