Update

April 15, 2012 in Hexacorn

It’s been a while since I wrote anything here. This is due to me being on holidays and moving to a new place right after coming back. I have finally settled down in a new apartment and am looking forward to playing with some new ideas.

So, here is a short update:

  • I fixed a silly bug in HAPI – I mixed up CR & LF characters in the output and it looked awkward to say the least, not to mention potential parsing issues; Thx to Pedro L. for spotting this and notifying me
  • HAPI may occasionally print some strings that look like non-API, e.g. ‘version’; this is not a bug, but a feature ;) it turns out that there is such an API exported by one of the Microsoft DLLs; since I don’t want to miss any API, I made a trade-off and include all of them; still… I use some little heuristics to prevent printing many of them, but some of them will sometimes go through; so, please always verify the output manually; and for the curious – some Microsoft programmers decided to name certain APIs using one, or two characters; I dunno why you do stuff like this, but there are legitimate system DLLs exporting functions named ‘u’, ‘vo’, etc.
  • Discovered recently that Symantec’s VBN files can be encrypted not only with 0x5A, but also 0xA5; these files are still handled by DeXRAY since it relies on an XRAYS technique that searches for and extracts encrypted executables without needing to know a specific key; but if you parse VBN files yourself, knowing that 0xA5 is being used may help you to save some time
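The key-independent idea from the last bullet, as an added sketch (not DeXRAY's code and not part of the original post): it assumes a single-byte XOR over an embedded PE file and derives the key from the known `MZ` and `PE\0\0` plaintext, so 0x5A and 0xA5 are handled the same way. The stub, the container and all function names are constructed for illustration; the real VBN layout is not modelled.

```python
import struct

def build_stub_pe() -> bytes:
    """Constructed minimal MZ/PE header stub (sample data, not a real program)."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)      # e_lfanew: offset of PE signature
    return bytes(dos) + b"PE\0\0" + bytes(0x40)

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def make_container(key: int) -> bytes:
    """Constructed container: 32 unencoded header bytes, then the XOR-ed stub."""
    return bytes(range(0x20, 0x40)) + xor_bytes(build_stub_pe(), key)

def xray_scan(buf: bytes):
    """Return [(offset, key)] for each single-byte-XOR-encoded PE header in buf."""
    hits = []
    for off in range(max(0, len(buf) - 0x3F)):
        key = buf[off] ^ 0x4D                    # key implied if plaintext is 'M'
        if buf[off + 1] ^ key != 0x5A:           # next byte must decode to 'Z'
            continue
        raw = xor_bytes(buf[off + 0x3C:off + 0x40], key)
        lfanew = struct.unpack("<I", raw)[0]
        sig = off + lfanew
        if lfanew < 0x40 or sig + 4 > len(buf):  # implausible header offset
            continue
        if xor_bytes(buf[sig:sig + 4], key) == b"PE\0\0":
            hits.append((off, key))
    return hits

def extract(buf: bytes, off: int, key: int) -> bytes:
    """Decode everything from the hit to the end of the buffer."""
    return xor_bytes(buf[off:], key)

if __name__ == "__main__":
    for k in (0x5A, 0xA5):
        for off, key in xray_scan(make_container(k)):
            print(f"PE at offset {off:#x}, XOR key {key:#04x}")
```

A reported key of 0x00 means the header was found unencoded.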

Проверено. у нас мин нет! (Checked. We have no mines!)

March 3, 2012 in Hexacorn

Two days ago Yandex.ru listed hexacorn.com as malicious.

It was the only URL checker that highlighted it as malicious, but being on such a list is always a serious concern:

 

I checked the web site, compared it with the older backups and I didn’t see anything wrong. I then dropped the Yandex.ru guys an email, and it looks like they fixed their listing – testing with VirusTotal shows it is all good now:

Not sure what caused this, but well… it’s all about heuristics and they are sometimes wrong.

Good to see Yandex.ru guys reacted so quickly.

Thanks!

And just in case you are wondering what the title means, this should provide you with some context:

 


And no, I am not suggesting there were any mines on Hexacorn. Like everything, context has its scope and err… context :)

Image sources:

http://www.gazeta.lv/photos/5/Mina_4.jpg

http://www.gazeta.lv/photos/5/Mina_3.jpg

http://www.gazeta.lv/photos/5/Mina_8.jpg

Thanks!

December 5, 2011 in Hexacorn

Over the last few days the Hexacorn blog has received quite a few good comments from various people who reached out to me personally and praised the content as well as provided suggestions on how to improve the usability and accessibility of the site. This is very encouraging and I would like to take this opportunity to thank you all for your compliments and constructive criticism.

I also want to include special thanks to Colin, who wrote a very nice review of Hexacorn on his forensic blog. In my opinion Colin writes in a way that is unique in terms of quality – he makes an effort to research, understand and document everything he comes across while on the case – this makes for great tutoring material. A second big thanks goes to Ange - he created a fantastic repository of everything RCE and Portable Executable-related (if you are into reversing and never visited his site you are in for a real treat) - Ange provided really great feedback that made me re-think a few things and flip a few switches in the blog engine settings :-)

Thanks!

The Pleasure of Finding Things Out

November 4, 2011 in Hexacorn

The Hexacorn blog is about the pleasure of finding things out.

The title may sound familiar to you and you are right. ‘The Pleasure of Finding Things Out’ is a collection of short works from American physicist Richard Feynman.

Feynman was an extraordinary person, or at least he managed to make many people think this way. It doesn’t matter. What matters is that he was right about finding things out. It is a very satisfying activity that offers a lot of intellectual pleasure. Just think about it for a second… If you ever solved a puzzle, or created one… if you managed to bypass some security protection like crack a game, or pick the lock, you know what I am talking about. There is that little craze, a drive that makes you work on the problem long hours, until you solve it.

At Hexacorn, we are fascinated by it. We just love to crack stuff. And we will be writing about it.

Welcome to Hexacorn Blog!

October 1, 2011 in Hexacorn

Every blog starts with a first post.