October 6, 2014 in Hexacorn
October marks the third anniversary of this blog. Since I am not a very nostalgic person I won’t be recalling all the highlights, blunders, mistakes, ups and downs of this piece of the interwebs, but want to take a second to thank all the readers for reading, providing feedback, corrections, suggestions, re-tweets and in general being really cool about this little experiment.
On a personal note writing blog is a great educational experience and I encourage anyone who never tried to actually do it and persist. It allows you to connect with lots of smart people sharing the very same passion & profession. You will be surprised how many of them are out there!
Thanks for reading!
April 15, 2012 in Hexacorn
It’s been a while since I wrote anything here. This is due to me being on holidays and moving to a new place right after coming back. I finally settled down in a new apartment and looking forward to play with some new ideas.
So, here is a short update:
- I fixed a silly bug in HAPI – I mixed up CR & LF characters in the output and it looked awkward to say the least, not to mention potential parsing issues; Thx to Pedro L. for spotting this and notifying me
- HAPI may occasionally print some strings that look like non-API, e.g. ‘version'; this is not a bug, but a feature 😉 it turns out that there is such an API exported by one of the Microsoft DLLs ; since I don’t want to miss any API, I made a trade off and include all of them; still… I use some little heuristics to prevent printing many of them, but some of them will sometimes go through; so, please always verify the output manually; and for the curious – some Microsoft programmers decided to name certain APIs using one, or two characters; I dunno why do you do stuff like this, but there are legitimate system DLLs exporting functions named ‘u’, ‘vo’, etc.
- Discovered recently that Symantec’s VBN files can be encrypted not only with 0x5A, but also 0xA5; these files are still handled by DeXRAY since it relies on a XRAYS technique that searches and extracts encrypted executables without needing to know a specific key; but if you parse VBN files yourself, knowing that 0xA5 is being used may help you to save some time