Articles

  Rust for closed-source projects
Date: 23/06/2019 Author: Erik Pistelli
Rust in relation to closed-source projects. In this article I’m showing how to modify and build the Rust compiler on Windows in order to avoid revealing metadata inside of Rust executables. The end-result of the article is a statically-linked executable with no dependencies, except kernel32.dll, which runs on Windows XP.

  Time Travel: Running Python 3.7 on XP
Date: 23/07/2018 Author: Erik Pistelli
Coming back from my technical writing hiatus with a light topic: running applications compiled with new versions of Visual Studio on Windows XP. This article explores the internals behind apisetschema forwarders, explains Universal CRT deployment and offers a possible solution to missing APIs on Windows XP.

  Raw File System Analysis (FAT32 File Recovery)
Date: 29/10/2013 Author: Erik Pistelli
How to import structures used for file system analysis from C/C++ sources in Cerbero Suite, use them to analyze raw hex data, create a script to do the layout work for us and how to create a little utility to recover deleted files. The file system used for this demonstration is FAT32. This article was originally published on cerbero-blog.com.

  Creating undetected malware for OS X
Date: 07/10/2013 Author: Erik Pistelli
Misuse of the internal mechanism provided in OS X to load encrypted Apple executables to defeat static analysis of current anti-malware solutions. This article was originally published on cerbero-blog.com.

  CFF Explorer’s Scripting Language V2
Date: 30/05/2009 Author: Erik Pistelli
A small update to the scripting language of the old CFF Explorer. The main news is that it now offers the capability of creating reports of .NET metadata tables.

  Dynamic C++ Proposal
Date: 18/12/2008 Author: Erik Pistelli
A proposal of how to introduce dynamism into the C++ language. This proposal tries to cover every aspect, introducing, besides dynamic objects, also dynamic enumerators, namespaces and templates. The proposal also shows possible applications of the presented features. Although the paper is purely theoretical, it covers how dynamism can be implemented at low level. The reader of this paper ought to have a good knowledge of the C++ language. This article was released on codeproject.com and won the competition in the C++/MFC category for December, 2008.

  Qt Internals & Reversing
Date: 28/11/2008 Author: Erik Pistelli
The first part of this article shows the dynamic internals of the Qt framework, which enable the signals and slots mechanism. The second part focuses on how to retrieve the metadata information generated by the Qt moc from binary files with an IDAPython script and how to use this information to analyze the disassembled code.

  .NET Internals and Native Compiling
Date: 25/05/2008 Author: Erik Pistelli
The second of a two series of articles about the .NET framework internals and the protections available for .NET assemblies. In these articles the .NET internals are presented from the perspective of a reverser. In this article native compiling protections and all the methods to overcome them are analyzed in depth. Among other things it shows the inner workings of the JIT by introducing Native Injection. It also addresses the topic of .NET Virtual Machine Protections.

  .NET Internals and Code Injection
Date: 09/05/2008 Author: Erik Pistelli
The first of a two series of articles about the .NET framework internals and the protections available for .NET assemblies. In these articles the .NET internals are presented from the perspective of a reverser. In this article code injection protections and all the methods to overcome them are analyzed in depth. Among other things it introduces how to take complete control over the JIT.

  DisasMSIL: a free MSIL disasm engine
Date: 30/04/2008 Author: Erik Pistelli
DisasMSIL is a free/open disasm engine for the Microsoft Intermediate Language (MSIL). You can use it any context you wish. There are no license restrictions. The only thing I ask you to do is to send me your bug fixes (if any).

  Rebel.NET Official Guide
Date: 25/04/2008 Author: Erik Pistelli
The official Rebel.NET guide. Rebel.NET is a rebuilding tool for .NET assemblies which is capable of adding and replacing methods and streams. It’s possible to replace only a limited number of methods or every method contained in a .NET assembly. The simplicity of Rebel.NET consists in the replacing process: one can choose what to replace. Rebel.NET is, mainly, a very solid base to overcome every .NET protection and to re-create a fully decompilable .NET assembly. As such, Rebel.NET has to be considered a research project, not an encouragement to violate licensing terms.

  Microsoft’s Rich Signature (undocumented)
Date: 05/03/2008 Author: Erik Pistelli
Documentation and reverse engineering of Microsoft’s Rich Signature: until now an undocumented subject. The article comes with several scripts: one to decrypt the Rich Signatures and one little script to rebuild a PE without the header garbage. This article offers an insight into the library (and object) file format as well.

  CFF Explorer’s Scripting Language V1
Date: 17/01/2008 Author: Erik Pistelli
Documentation for the first version of the powerful scripting language embedded in the CFF Explorer (starting from version VII). The documentation contains a brief guide for Lua, the differences between standard Lua and the one implemented by the CFF Explorer, a brief how-to, code samples and the functions reference.

  Powerful x86/x64 Mini Hook-Engine
Date: 20/11/2007 Author: Erik Pistelli
Powerful x86/x64 hook-engine. This article is a part of a bigger project. This article was released on codeproject.com.

  How to write an extension for the CFF Explorer
Date: 15/07/2007 Author: Erik Pistelli
With the CFF Explorer VI (deployed with the Explorer Suite II) the possibility to write extensions has been introduced. Extension literally extend the functionalities of the CFF Explorer, integrating external software parts in its GUI. I wrote a little upx extension which I’m going to explain in this article.

  Moving to Windows x64
Date: 01/01/2007 Author: Erik Pistelli
Released one month before the official release of Windows Vista, this article is about all the news brought by Vista and the x64 technology. Some of the subjects are: x64 assembly, WOW, exception handling, UAC, ASLR, registry filtering, .NET 3.

  Small Application Wizard
Date: 21/08/2006 Author: Erik Pistelli
A wizard designed for Visual Studio .NET (2005) to build small applications with just a few clicks. The package includes a small libc. This article was released on codeproject.com.

  Remotesoft’s Salamander 1.1.6.0 (Native Compiling)
Date: 28/06/2006 Author: Erik Pistelli
A very brief essay about the .NET native compiling technique and the specific case of Salamander protected application. It’s the first essay about the .NET native compiling technique which relies upon the Global Assembly Cache (GAC).

  The .NET File Format
Date: 11/12/2005 Author: Erik Pistelli
This article describes the internal .NET File Format. The standards of the .NET format are public, you can find them on Microsoft and in your .NET SDK (look after “Partition II Metadata.doc”), but they are intended to be a more like a reference, not really a guide. So this is what you need if you want a simple guide to understand this subject. This article was released on codeproject.com and won the competition in the C# category for January, 2006.

  .NET Manifest Resources
Date: 28/10/2005 Author: Erik Pistelli
This article is about the internal format of .NET Manifest Resources (or better the “.resources” files contained in it). I don’t know if the code can be useful to you or not (probably not), but I like to write about undocumented stuff. In fact, this article is nothing sensational, I just wrote it ’cause I haven’t found any documentation about this subject on the net, not even in the .NET MetaData specifics: Partition II MetaData.doc. This article was released on codeproject.com.

  AntiMida 1.0
Date: 10/04/2005 Author: Erik Pistelli
This article is just a general overview about protections who play with system structures like the SDT. It has nothing to do with reversing and no debugger or disassembler was used to write it. In addition TheMida will not implement a kernel-mode part in the near future. This is just a tool to bypass SDT hooking protections.

  La Nuova Guida Al Cracking (.NET)
Date: 01/01/2005 Author: Erik Pistelli
A general overview about .NET Software Security. The paragraphs are: MicroSoft Intermediate Language, Cracking, Debugging, Decompilers, Code Obfuscation, Protection Theory. It’s a quite complete introduction.

  Windows File Protection: How To Disable It On The Fly
Date: 09/11/2004 Author: Erik Pistelli
In this article it’s shown how to deactivate the Windows File Protection without rebooting to safe mode or recovery console. The articles shows you how to change system files without the system noticing it and replacing the original files. This article was originally released on rootkit.com.

  Tutto (o quasi) sul Portable Executable
Date: 20/08/2003 Author: Erik Pistelli
An Italian guide about the Portable Executable file format. A bit dated, but perhaps still useful.

  Introducing The Windows Driver Foundation
Date: 01/01/2003 Author: Erik Pistelli
A little introduction to the Windows Driver Foundation before its actual release. This article was written when this technology was still in beta testing.

Short Guides and Insights

  Porting a CHIP-8 emulator to Rust
Date: 15/02/2019 Author: Erik Pistelli
A port of a simple CHIP-8 emulator from C++ to Rust. Currently learning the Rust language and considered this a simple and quick project to start developing in it.

  Batch image manipulation using Python and GIMP
Date: 03/08/2018 Author: Erik Pistelli
This covers the initial gotchas when trying to do batch image manipulation using GIMP. Includes an elegant self-contained Python script skeleton at the end of the guide.

  Ctor conflicts
Date: 29/11/2013 Author: Erik Pistelli
You know what could happen when you define a C++ constructor inside the declaration of a class in a C++ source file? Something extremely evil, straight out of the Necronomicon…

  MUI files under the hood
Date: 14/11/2012 Author: Erik Pistelli
Have you ever copied after Windows Vista a system file like notepad.exe onto the desktop and tried to execute it? Have you ever tried after Vista to modify the resources of a system file like regedit.exe? It’s most likely that neither of the two was a successful operation.