Archive for January, 1999
Advanced Peach: Relative Offset Relationships
Welcome to the first advanced Peach article. In this series I’ll be covering a number of more advanced Peach concepts, tips, and tricks.
Today we are going to talk about relative offset relationships. It's not uncommon to find file formats that contain offsets to other parts of the file. Two examples are OpenType font files (TTF) and ZIP files; both contain offsets to additional structures in the file. In the case of TTF, most of these offsets are relative to other portions of the file. By default, Peach relationships are relative to the start of the data stream; however, it is easy to change this for relative offsets.
Let's start with a basic example: a Header, some Data in the body, and an Index located at the very end of the file. As you would guess, it looks something like the following:
<DataModel name="RelativeOffsets">
  <Block name="Header">
    <Number name="DataLength">
      <Relative type="size" of="Data" />
    </Number>
    <Number name="IndexOffset">
      <Relative type="offset" of="Index" />
    </Number>
  </Block>
  <Blob name="Data" />
  <Block name="Index">
    <Number name="CountOfStrings">
      <Relative type="count" of="Strings" />
    </Number>
    <String name="Strings" nullTerminated="true" minOccurs="1" maxOccurs="1024" />
  </Block>
</DataModel>
Now, the value of IndexOffset is going to be relative to the start of the data consumed or produced by this data model. But what if the specification said that IndexOffset's value was relative to the position of IndexOffset itself? In that case we would set the relative attribute to true, like this:
<DataModel name="RelativeOffsets">
  <Block name="Header">
    <Number name="DataLength">
      <Relative type="size" of="Data" />
    </Number>
    <Number name="IndexOffset">
      <Relative type="offset" of="Index" relative="true" />
    </Number>
  </Block>
  <Blob name="Data" />
  <Block name="Index">
    <Number name="CountOfStrings">
      <Relative type="count" of="Strings" />
    </Number>
    <String name="Strings" nullTerminated="true" minOccurs="1" maxOccurs="1024" />
  </Block>
</DataModel>
Let's take it one step further and say the offset is instead relative to the end of Header. In that case we can use the relativeTo attribute to name the element to measure from. Note, however, that we will not name Header but Data! Why? Because the value specified in relativeTo is measured from the beginning of that element, not its end, and the beginning of Data is the end of Header.
<DataModel name="RelativeOffsets">
  <Block name="Header">
    <Number name="DataLength">
      <Relative type="size" of="Data" />
    </Number>
    <Number name="IndexOffset">
      <Relative type="offset" of="Index" relative="true" relativeTo="Data" />
    </Number>
  </Block>
  <Blob name="Data" />
  <Block name="Index">
    <Number name="CountOfStrings">
      <Relative type="count" of="Strings" />
    </Number>
    <String name="Strings" nullTerminated="true" minOccurs="1" maxOccurs="1024" />
  </Block>
</DataModel>
Hey, that wasn’t so hard!!
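To make the three offset bases concrete, here is an added Python example (not part of the original post and not Peach code) that writes and reads the Header/Data/Index layout above under each of the three Relative settings: the default stream-relative offset, relative="true", and relative="true" relativeTo="Data". It assumes 4-byte little-endian fields for DataLength, IndexOffset and CountOfStrings, which the data model leaves to Peach's defaults; the mode names and function names are the example's own. The parser side shows the checks a consumer of such a format needs, because an offset that lands outside the buffer or disagrees with DataLength is exactly what a fuzzer will produce.

```python
import struct

# Assumed field widths (the Pit above leaves them to Peach's defaults):
# DataLength, IndexOffset and CountOfStrings are 4-byte little-endian.
# Header is therefore DataLength (4) + IndexOffset (4) = 8 bytes.
HEADER_SIZE = 8
INDEX_OFFSET_FIELD_POS = 4  # IndexOffset sits right after DataLength


def encode_index(strings):
    """Index block: CountOfStrings followed by null-terminated strings."""
    body = b"".join(s.encode() + b"\x00" for s in strings)
    return struct.pack("<I", len(strings)) + body


def index_offset_base(mode):
    """Byte position that IndexOffset is counted from, for each of the
    three Relative configurations discussed in the post."""
    if mode == "stream":   # default: from the start of the data stream
        return 0
    if mode == "self":     # relative="true": from the IndexOffset field itself
        return INDEX_OFFSET_FIELD_POS
    if mode == "data":     # relative="true" relativeTo="Data": from start of Data
        return HEADER_SIZE
    raise ValueError("unknown mode %r" % mode)


def build_file(data, strings, mode):
    """Serialize Header | Data | Index with IndexOffset encoded for `mode`."""
    index = encode_index(strings)
    index_pos = HEADER_SIZE + len(data)            # absolute position of Index
    offset_value = index_pos - index_offset_base(mode)
    header = struct.pack("<II", len(data), offset_value)
    return header + data + index


def index_offset_field(buf):
    """Raw IndexOffset value as written in the header."""
    return struct.unpack_from("<I", buf, INDEX_OFFSET_FIELD_POS)[0]


def parse_file(buf, mode):
    """Resolve IndexOffset back to an absolute position and decode the Index.

    Rejects offsets that fall outside the buffer or that disagree with
    DataLength, rather than trusting either field on its own."""
    if len(buf) < HEADER_SIZE:
        raise ValueError("truncated header")
    data_len, offset_value = struct.unpack_from("<II", buf, 0)
    index_pos = index_offset_base(mode) + offset_value
    if index_pos + 4 > len(buf):
        raise ValueError("IndexOffset points outside the file")
    if index_pos != HEADER_SIZE + data_len:
        raise ValueError("IndexOffset disagrees with DataLength")
    data = buf[HEADER_SIZE:HEADER_SIZE + data_len]
    (count,) = struct.unpack_from("<I", buf, index_pos)
    strings, pos = [], index_pos + 4
    for _ in range(count):
        end = buf.find(b"\x00", pos)
        if end == -1:
            raise ValueError("unterminated string in Index")
        strings.append(buf[pos:end].decode())
        pos = end + 1
    return data, strings


def offset_is_valid(buf, mode):
    """True if the file parses cleanly when IndexOffset is read under `mode`."""
    try:
        parse_file(buf, mode)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample = b"\xaa" * 10                        # constructed Data blob
    for mode in ("stream", "self", "data"):
        buf = build_file(sample, ["alpha", "beta"], mode)
        print(mode, index_offset_field(buf), parse_file(buf, mode)[1])
```

With 10 bytes of Data the Index starts at absolute position 18, so the same file carries IndexOffset = 18, 14 or 10 depending on whether it is counted from the stream start, from the IndexOffset field, or from the start of Data. Reading a file with the wrong base is caught by the DataLength cross-check.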
First Peach Training
The first Peach training at Blackhat finished today and it was a blast. This first class had about 18 people in it writing fuzzers for PNG, QuakeWorld, Yahoo! IM Client, and Quicktime. Everyone learned a lot, we found a number of bugs, and we are planning on many improvements to the error messages and debugging of Peach fuzzers based on this first class.
Tomorrow is the start of the second class; hopefully it will be just as fun as the first.
Thanks to everyone who signed up!
Peach 2.1 BETA3 Bug Patch #2
A big thanks to Chris Clark, who found the second patch-worthy bug. This is a gnarly bug in the Mutator code that would sometimes cause a mutator to get skipped. Chris is also the first to submit a new custom mutator, which will be included in the next release, Peach 2.1. Thanks Chris!
See this mailing list post to correct the problem.
Peach 2.1 BETA3 Released
This new beta includes a lot of changes and makes Peach feature complete for the 2.1 release coming in the next month or so. Many of the changes were internal clean-ups. The internal DOM is now much cleaner and easier to use, as is the API to the engine and parser. Additionally, this release includes a new GUI application called Peach Validation. This application allows testing of your data model and also mutators. A screen shot has been included.
Additional features include Hints, Fixups, new "calc" length types, the ability to specify a file to Data elements, etc. Too much to cover in this post. However, keep an eye on this blog for additional articles over the next few days exploring the new features of Peach 2.1 BETA3.
Python GDB Wrapper
The first beta release of pygdb has been posted. This is a pure Python wrapper around GDB using the machine interface (MI). It allows control of GDB from Python and was created as part of the effort to get Peach 2.1 running nicely on Linux and OS X. Additionally, a new monitor, UnixGdb, has been checked into the 2.1 code tree for the brave.
VMware control from Python
Peach 2.0 development is blazing along. At some point I needed a Python module to control a VMware server to allow for automatic start, stop, and reverting. I figured I'd release this useful bit of code as a Python module.
from vix import Vix
import time

# Connect to the local VMware host and open the guest's .vmx file
vm = Vix()

print("Connecting")
vm.Connect()

print("Opening vm")
vm.Open("E:\\VMs\\Windows XP\\Windows XP Professional.vmx")

# Power-cycling the guest, left commented out in this example:
#print("Powering On vm")
#vm.PowerOn()
#print("Waiting a bit...")
#time.sleep(10)
#print("Powering off vm")
#vm.PowerOff()

# Select the root snapshot and revert the guest to it
print("Reverting to snapshot 0")
vm.GetRootSnapshot()
vm.RevertToSnapshot()

# Give the guest a moment to settle before releasing the connection
print("Sleeping")
time.sleep(10)

print("Disconnecting")
vm.Disconnect()