aluigi wrote:
exist various ways to research vulnerabilities and various levels of complexity depending by the input to analyze.
the most common and which gives usually more results is fuzzing, which is just a "cool" word to define the trying of various different values of a protocol/format until an effect of the tested application (crash, directory traversal and so on), so after having seen the effect is possible to start with a deeper look to what caused it and if there are other more important security effects (for example a crash that in reality is a stack based buffer-overflow).
note that it's not needed to know the protocol/format of the input for testing it, if you are lucky you can get an effect even replacing a random byte in a pre-existent packet/file... blind fuzzing.
the other way instead is deeper and is the auditing of the target application, which means analyzing its source code if it's open source or debugging it almost step-by-step if it's closed.
in closed source application sometimes it's used encryption and proprietary protocols which means that you are forced to reverse them too, this can be looked as an obstacle depending by the complexity of the protocol/algorithm and your interest in it but you can consider it like an additional stand-alone research (personally it's the part that I like because allows me to release two or more projects instead of only one).
note that even with auditing some bugs can be missed for mistake or because they are very hard to see (imagine a long sequence of sub-functions), and this is the point where fuzzing fills the gap.
oh and the "luck" is not optional...
as said at the beginning the type of input is important too.
talking about network, personally I have ever looked to protocol related vulnerabilities due to my passion for them and they major impact (usually the protocol related vulnerabilities are pre-auth/join) but there are other inputs more easy to test, for example talking about games, the in-game commands are a joke to test since it's only needed to use the existent commands without C/assembly/reversing/bugs_researching skills
Very cool :D thanks for the long reply. I like programming a lot, i create programs all the time to shorten certain tasks etc. but when it comes to reversing it's so frustrating, earlier i opened up Ventrilo in ollydbg and poked around for about 2-3 hours trying to find how to change the value that is displayed beside "Ping: " after a lot of access violations i gave up on that then moved onto trying to disable the green light when talking, which failed too -.- but i wrote down some addresses which i think are correct but i'm not really sure
Code:
7C80B5AE - GREEN LIGHT BP ENTRY CALL (Beginning of function that starts the green light)
which brought me to a XOR EPB,EPB which i had no idea what it was there for but i noted it down anyway >.>
Code:
7C810659
but still no progress, I've just been desperately trying to get anything to work but anytime i change an address that i think is related, i get access violations etc. :(
