Reversing Patches

I (probably) have a long term reverse engineering gig coming up shortly. Therefore, I’ve been working to beef up my RE skills. I recently saw a blog posting that MS09-002 would likely be turned into an exploit. MS09-002 is actually a couple of vulnerabilities in IE7. I probably should have looked for something slightly less difficult, but it’s what has interested me.

Finding the patch and which files it updated was relatively trivial. Unfortunately, there were several DLLs modified. But given the bug description I took a few educated guesses. I grabbed those files and the unpatched equivalents. I loaded them in IDA and used Tenable’s patchdiff2 to find the differences. Here’s where I really ran into difficulties.

The first difficulty was that I had over 600 unmatched functions. I believe this is because my version of the DLL was out of date — I use VMware Server and therefore have limited snapshot ability. I searched around my VMs and found another few versions of the DLL. The most promising version had only 60 unmatched functions. I started digging into that version. After several hours of comparing lines of assembly, I get frustrated at there being no differences. I look a little harder at patchdiff and, while the functions are “unmatched”, the CRC/hashes are the same. Some weird parsing quirk only separated them. I check the details on the DLL and unfortunately, it’s the same build — i.e. I wasted my time comparing two versions of the same file.
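A sanity check worth running before loading two binaries into patchdiff2, added here as an example and not code from the original post: pull the linker TimeDateStamp, image version and CheckSum out of the PE headers of both DLLs and refuse to diff them when every field matches. The `_build_fake_pe` helper constructs tiny non-loadable PE32 stubs so the check runs offline; on real files you would read the bytes from disk.

```python
import struct


def pe_build_fingerprint(data: bytes) -> dict:
    """Return the header fields that identify a particular build of a PE image.

    The COFF TimeDateStamp is written by the linker at build time and the
    OptionalHeader CheckSum/ImageVersion change with every rebuild, so two
    files that agree on all of them are, for diffing purposes, the same build.
    Offsets used are identical for PE32 and PE32+ up to and including CheckSum.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, _nsec, timestamp, _sym, _nsym, _optsz, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                   # COFF FileHeader is 20 bytes
    _magic, lnk_major, lnk_minor = struct.unpack_from("<HBB", data, opt)
    img_major, img_minor = struct.unpack_from("<HH", data, opt + 44)
    checksum = struct.unpack_from("<I", data, opt + 64)[0]
    return {
        "machine": machine,
        "timestamp": timestamp,
        "linker": (lnk_major, lnk_minor),
        "image_version": (img_major, img_minor),
        "checksum": checksum,
    }


def same_build(a: bytes, b: bytes) -> bool:
    """True when both images carry identical build fields: diffing them
    would only compare a file against itself."""
    return pe_build_fingerprint(a) == pe_build_fingerprint(b)


def _build_fake_pe(timestamp: int, image_version: tuple, checksum: int) -> bytes:
    """Constructed sample data: a minimal PE32 header (not a real DLL)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)       # e_lfanew -> 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 96, 0x2102)
    opt = bytearray(96)                                     # PE32 header without data dirs
    struct.pack_into("<HBB", opt, 0, 0x10B, 9, 0)           # PE32 magic, linker 9.0
    struct.pack_into("<HH", opt, 44, *image_version)
    struct.pack_into("<I", opt, 64, checksum)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

Matching fingerprints mean the two DLLs are the same build and the comparison is wasted effort; the file version string in the version resource is a further confirmation when the headers disagree only in CheckSum.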

Now, I am again looking through my systems for a proper DLL, one that is sufficiently patched but not patched against MS09-002. For such a minor thing, this is a fairly difficult problem as I can’t find any resources that help. Any ideas?
