dennis's blog
Elfread
This utility can process Linux x86 ELF files and generate a report of which function may call which function, with the list of possible arguments.
Ironically, so far it is a win32 command-line utility.
For Oracle RDBMS, first extract the object files (use Linux ar or Cygwin):
ar -x libserver11.a
About 4000 files will be extracted. Then run the elfread utility:
elfread.exe *.o
There are two passes: in the first the utility counts the number of arguments of each function; in the second the text report and the GraphViz file are produced.
For better recognition of argument counts, feed as many object files as possible at a time.
For almost every object file a .txt file will be created; here are examples: kks1.o.txt, ain.o.txt.
What we can see here:
1) Trace log writes:
kksSetBindType() may call ksdwrf (" kksSetBindType: child not typechecked ci=%p check=%u\n", var_44, var_3C)
2) Memory allocations:
kksParseCommands() may call kksalc (0xc8, 1, "ctxcdef: kksParseCommands")
kksParseCommands() may call kksalx (0x24, 1, "unmdef: kksParseCommands")
(Often, the first part of the string comment is the structure name and the second is the place where the actual allocation is made.)
3) Internal SQL execution:
ausdrv() may call rpisplu (?, ?, ?, ?, "update sys.assembly$ set audit$ = :1 where obj# = :2", 0x35, ?, ?)
4) Dangerous sprintf calls where the first argument points into the local stack frame
(the hexadecimal number in brackets is the local array size):
zlkestp() may call sprintf (var_2F8[0x100], "%s \"%.*s.%.*s\"", "view", ?, var_B8, var_C8, var_BC)
By the way, the var_XXX and arg_XXX naming convention is the same as in IDA.
5) Errors that may be raised by a function:
aindrv() may call ksesec0 (0x373e)
aindrv() may call ksesec0 (0x378c)
aindrv() may call ksesec0 (0x3873)
(Numbers prefixed with "0x" are hexadecimal, as in C/C++.)
6) Events checked by a function:
kksSetBindType() may call dbkdChkEventRdbmsErr (0x2733)
* Grep
All these reports are of course grepable.
For example, to see which functions may call X:
cat *.txt | grep "may call X"
Which functions may raise error N?
cat *.txt | grep "may call ksesec (0x1234)"
* GraphViz output
It can also produce a function graph in GraphViz form.
Use:
elfread.exe *.o (function_name|regex)
Like:
elfread.exe *.o kks.*
You'll get a bunch of kks*.gv files, each in GraphViz form.
http://www.graphviz.org/
Get it, install it and use it to render a graph into a PNG image:
dot -Tpng func.gv -ofunc.png
You'll get something like this example:
Not as good as IDA, but nevertheless...
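A way to consume these reports programmatically, as an added example that is not part of elfread or of this post: a Go program that parses the "X() may call Y (args)" lines quoted above (respecting commas inside C string literals), flags sprintf calls whose destination is a local stack array together with the array size, collects the error numbers passed to the ksesec functions per caller, and emits a GraphViz digraph for callers matching a regex, much as the .gv output does. The sample report text is constructed from the lines shown above; the interpretation of the ksesec numbers, converted from hex to decimal, as ORA-NNNNN error numbers is my assumption, not something the report states.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// SampleReport is constructed from the report lines quoted in the post (not a real kks1.o.txt).
const SampleReport = `
kksSetBindType() may call ksdwrf (" kksSetBindType: child not typechecked ci=%p check=%u\n", var_44, var_3C)
kksParseCommands() may call kksalc (0xc8, 1, "ctxcdef: kksParseCommands")
kksParseCommands() may call kksalx (0x24, 1, "unmdef: kksParseCommands")
ausdrv() may call rpisplu (?, ?, ?, ?, "update sys.assembly$ set audit$ = :1 where obj# = :2", 0x35, ?, ?)
zlkestp() may call sprintf (var_2F8[0x100], "%s \"%.*s.%.*s\"", "view", ?, var_B8, var_C8, var_BC)
aindrv() may call ksesec0 (0x373e)
aindrv() may call ksesec0 (0x378c)
aindrv() may call ksesec0 (0x3873)
kksSetBindType() may call dbkdChkEventRdbmsErr (0x2733)
`

// Call is one "caller() may call callee (args)" record.
type Call struct {
	Caller, Callee string
	Args           []string
}

var callRe = regexp.MustCompile(`^(\w+)\(\) may call (\w+) \((.*)\)$`)

// splitArgs splits an argument list on commas that are not inside a C string literal.
func splitArgs(s string) []string {
	var args []string
	var cur strings.Builder
	inStr, esc := false, false
	for _, c := range s {
		if esc {
			esc = false
		} else if c == '\\' && inStr {
			esc = true
		} else if c == '"' {
			inStr = !inStr
		} else if c == ',' && !inStr {
			args = append(args, strings.TrimSpace(cur.String()))
			cur.Reset()
			continue
		}
		cur.WriteRune(c)
	}
	if t := strings.TrimSpace(cur.String()); t != "" {
		args = append(args, t)
	}
	return args
}

// ParseReport extracts every call record; lines that are not call records are ignored.
func ParseReport(text string) []Call {
	var calls []Call
	for _, line := range strings.Split(text, "\n") {
		if m := callRe.FindStringSubmatch(strings.TrimSpace(line)); m != nil {
			calls = append(calls, Call{m[1], m[2], splitArgs(m[3])})
		}
	}
	return calls
}

var stackBufRe = regexp.MustCompile(`^(var_[0-9A-Fa-f]+)\[0x([0-9A-Fa-f]+)\]$`)

// StackSprintf reports sprintf calls whose destination is a local stack array, with its size.
func StackSprintf(calls []Call) []string {
	var out []string
	for _, c := range calls {
		if c.Callee != "sprintf" || len(c.Args) < 2 {
			continue
		}
		if m := stackBufRe.FindStringSubmatch(c.Args[0]); m != nil {
			size, _ := strconv.ParseInt(m[2], 16, 64)
			out = append(out, fmt.Sprintf("%s: sprintf into %s (%d bytes) with format %s", c.Caller, m[1], size, c.Args[1]))
		}
	}
	return out
}

// ErrorCodes maps each caller to the numbers it passes as first argument to ksesec*,
// converted from hex to decimal. Assumption: these are ORA- error numbers (0x373e -> 14142).
func ErrorCodes(calls []Call) map[string][]int64 {
	out := map[string][]int64{}
	for _, c := range calls {
		if !strings.HasPrefix(c.Callee, "ksesec") || len(c.Args) == 0 {
			continue
		}
		if n, err := strconv.ParseInt(strings.TrimPrefix(c.Args[0], "0x"), 16, 64); err == nil {
			out[c.Caller] = append(out[c.Caller], n)
		}
	}
	return out
}

// ToDot renders the edges of callers matching re as a GraphViz digraph (deduplicated, sorted).
func ToDot(calls []Call, re *regexp.Regexp) string {
	seen := map[string]bool{}
	var edges []string
	for _, c := range calls {
		if e := fmt.Sprintf("  %s -> %s;", c.Caller, c.Callee); re.MatchString(c.Caller) && !seen[e] {
			seen[e] = true
			edges = append(edges, e)
		}
	}
	sort.Strings(edges)
	return "digraph calls {\n" + strings.Join(edges, "\n") + "\n}\n"
}

func main() {
	calls := ParseReport(SampleReport)
	fmt.Println(StackSprintf(calls))
	fmt.Println(ErrorCodes(calls))
	fmt.Print(ToDot(calls, regexp.MustCompile(`^kks`)))
}
```

Feed it the concatenation of the *.txt files instead of SampleReport to get the same grep-style answers over a whole build, and pipe ToDot's output to dot -Tpng as above.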
* TODO
Produce output files in a form that is easy to import into MediaWiki.
* NB:
This utility may (and most likely does) contain errors, so be prepared for its output to be unexpectedly wrong.
Tracing the connection between the TDW_NOCOMPRESS SAPGUI environment variable, the bothering window and the actual data compression routine.
A reverse engineering example: tracing the connection between the TDW_NOCOMPRESS SAPGUI environment variable, the bothering window and the actual data compression routine.
"QR9": Rubik's cube inspired amateur crypto-algorithm
A reverse engineering example: "QR9": Rubik's cube inspired amateur crypto-algorithm.
About Oracle PL/SQL undocumented "interface" pragma.
Sometimes, in the PL/SQL libraries that come with Oracle RDBMS, wrapped or not, we can see a statement like this (dbmsstdx.sql):
function updating return boolean;
pragma interface (C, updating);
This is in fact a gateway to internal Oracle functions.
But how can we find out exactly which function is called?
Not much is googleable so far:
http://www.petefinnigan.com/weblog/archives/00000835.htm
http://awads.net/wp/2006/05/24/about-the-builtin-fipsflag-and-interface-...
One of the memory blocks allocated by the function kkxnfy() is marked as "KKX ICD VECTOR".
As of 11.2 win32, this block is 1488 bytes long and can hold information about 93 package records.
Each record contains at least the package name, the package schema and a function array.
For example, there are 3 functions for the DBMS_SHARED_POOL package.
This means that the three functions declared with the statement I mentioned will be tied together.
There is probably much more information there, about data types, limits on the number of functions, etc.
So far, I have fetched only which name mentioned in a pragma statement corresponds to which Oracle function.
11.2 win32 was used.
Full list:
SAP license + password checking functions...
Returning to my SAP IDES installed in VMware, I figured out that the installation had expired and I could not log in anymore.
The first extremely good news is that the full disp+work.pdb file is there; it contains almost everything: function names, structures, types, local variable and argument names, etc. What a lavish gift!
I have the TYPEINFODUMP utility for converting PDB files into something readable and grepable.
Here is an example of function information + its arguments + its local variables:
FUNCTION ThVmcSysEvent
Generic tracer 0.4
A new version of my win32 tracer tool has been released.
Read here for the changelog, downloads, etc.
About SAP network packets decompressing and also SAP network password sniffing.
It is known that by default, SAP network exchange is compressed rather than encrypted.
It is also known that on the client side, compression can be turned off in SAP GUI by setting the TDW_NOCOMPRESS environment variable to 1.
But what if the client sends compressed packets anyway and we would like to see what is inside?
Compressed packets can be recognized in network traffic by the bytes 0x1f and 0x9d at offsets 0x11 and 0x12, and, of course, such packets have the telltale property of high information entropy.
Here are my SAP network packet decompressor, a readme file with a username/password sniffing example, and win32/linux binaries:
Part three: http://blogs.conus.info/node/52
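The two recognition signals above in code, as an added example that is not the author's decompressor (the LZH decompression itself is not reproduced here): a Go program that checks for the 0x1f 0x9d marker at offsets 0x11 and 0x12 and computes the Shannon entropy of a packet in bits per byte, then combines the two. The packets are constructed inside the program (a pseudo-random body standing in for a compressed bitstream, and a plain-text body), not real captures, and the 6 bits/byte entropy threshold is my assumption.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// IsCompressedSAP applies the marker check from the post: 0x1f 0x9d at offsets 0x11 and 0x12.
func IsCompressedSAP(p []byte) bool {
	return len(p) > 0x12 && p[0x11] == 0x1f && p[0x12] == 0x9d
}

// Entropy returns the Shannon entropy of p in bits per byte (0 for empty input, at most 8).
func Entropy(p []byte) float64 {
	if len(p) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range p {
		counts[b]++
	}
	var h float64
	n := float64(len(p))
	for _, c := range counts {
		if c == 0 {
			continue
		}
		f := float64(c) / n
		h -= f * math.Log2(f)
	}
	return h
}

// Classify combines both signals. The 6 bits/byte threshold is an assumption, not from the post.
func Classify(p []byte) string {
	marker, h := IsCompressedSAP(p), Entropy(p)
	switch {
	case marker && h > 6.0:
		return "compressed (marker + high entropy)"
	case marker:
		return "marker present but low entropy (short or unusual payload)"
	case h > 6.0:
		return "no marker, high entropy (encrypted or other compression?)"
	default:
		return "plain"
	}
}

// samplePackets builds two constructed packets (not real SAP captures): 0x11 placeholder header
// bytes plus the marker plus a xorshift32 pseudo-random body, and a plain-text body.
func samplePackets() (compressed, plain []byte) {
	compressed = make([]byte, 0x11)
	compressed = append(compressed, 0x1f, 0x9d)
	x := uint32(0x2545F491)
	for i := 0; i < 512; i++ {
		x ^= x << 13
		x ^= x >> 17
		x ^= x << 5
		compressed = append(compressed, byte(x))
	}
	plain = []byte(strings.Repeat("user=DDIC password=secret lang=EN ", 4))
	return compressed, plain
}

func main() {
	c, p := samplePackets()
	for _, pkt := range [][]byte{c, p} {
		fmt.Printf("len=%d marker=%v entropy=%.2f -> %s\n", len(pkt), IsCompressedSAP(pkt), Entropy(pkt), Classify(pkt))
	}
}
```

Run Classify over the TCP payload of each packet in a capture to pick out the ones that need the decompressor before grepping for credentials; a packet with the marker but low entropy is worth a manual look rather than an automatic verdict.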
PEEKs and POKEs in Windows x64?
This kernel/driver-level Windows NT code:
#include <ntddk.h>

void huh(void)
{
    LARGE_INTEGER a;
    KeQueryTickCount(&a);
    DbgPrint("%d", a.QuadPart); /* "%d" shows only the low 32 bits of the 64-bit QuadPart */
}
... is translated by the Windows 2003 DDK x64 environment into:
mov rdx, 0FFFFF78000000320h
lea rcx, Format ; "%d"
mov rdx, [rdx]
call DbgPrint_0
Wow: some variable's address (KeTickCount) is hardcoded right into the driver's code at compile time. (0xFFFFF78000000000 is the fixed kernel-mode address of KUSER_SHARED_DATA on x64 and 0x320 is the offset of its TickCount field, so the compiler reads that field directly instead of calling into the kernel.)
Isn't this just a return to PEEKs and POKEs?
http://en.wikipedia.org/wiki/PEEK_and_POKE
Does Microsoft promise to keep this variable at this address forever?
My two oracle passwords crackers
I just made an Oracle (DES-based) password cracker for x86 utilizing the SSE2 instruction set.
On my (relatively modest by today's standards) Intel Core 2 Duo E6600 (2.40 GHz) I get nearly 6M passwords/hashes per second.
On a quad-core Intel Xeon X3430 (2.4 GHz) I got 16M passwords/hashes per second.
The most powerful computer I have had access to is a dual six-core AMD Opteron 2427 (2.2 GHz), and there I got 36.5M passwords/hashes per second.
Win32 and Linux versions can be downloaded here, plus the source code:
http://conus.info/utils/
I also made public all the source code of my FPGA-based Oracle password cracker:
http://conus.info/ops/
By the way, it is still connected and running (I haven't had any reason to turn it off yet), for more than 6 months now:
http://ops.conus.info:669/
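For reference, the hash that such a cracker has to compute, as an added example that is not the SSE2 or FPGA code from the downloads above: the legacy (pre-11g) DES-based Oracle password scheme in Go, using the standard library's single-DES, with a small dictionary check on top. The steps are the publicly documented ones (upper-case USERNAME||PASSWORD, UTF-16BE, zero-pad to 8 bytes, DES-CBC with the fixed key 0123456789ABCDEF to derive a second key, DES-CBC again with that key; the last block is the hash), and SCOTT/TIGER serves as the check value.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// cbcLastBlock returns the last block of DES-CBC(key, IV=0) over data, i.e. a CBC-MAC.
func cbcLastBlock(key, data []byte) []byte {
	blk, err := des.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	cipher.NewCBCEncrypter(blk, make([]byte, des.BlockSize)).CryptBlocks(out, data)
	return out[len(out)-des.BlockSize:]
}

// OracleHash computes the legacy Oracle password hash:
//  1. upper-case USERNAME||PASSWORD,
//  2. encode as UTF-16BE (a zero byte before each ASCII character),
//  3. zero-pad to a multiple of 8 bytes,
//  4. DES-CBC, IV 0, fixed key 0123456789ABCDEF: the last cipher block becomes the second key,
//  5. DES-CBC, IV 0, with that second key: the last cipher block, in upper-case hex, is the hash.
func OracleHash(user, pass string) string {
	s := strings.ToUpper(user + pass)
	var data []byte
	for _, r := range s { // BMP characters only, which is all this scheme is used with here
		data = append(data, byte(r>>8), byte(r))
	}
	if rem := len(data) % des.BlockSize; rem != 0 || len(data) == 0 {
		data = append(data, make([]byte, des.BlockSize-rem)...)
	}
	fixedKey, _ := hex.DecodeString("0123456789ABCDEF")
	k2 := cbcLastBlock(fixedKey, data)
	return strings.ToUpper(hex.EncodeToString(cbcLastBlock(k2, data)))
}

// Crack tries each candidate password for one user against a stored hash (case-insensitive hex)
// and returns the first match. A real cracker keeps the first DES pass per username cached.
func Crack(user, hash string, candidates []string) (string, bool) {
	hash = strings.ToUpper(hash)
	for _, c := range candidates {
		if OracleHash(user, c) == hash {
			return c, true
		}
	}
	return "", false
}

func main() {
	fmt.Println(OracleHash("SCOTT", "TIGER")) // F894844C34402B67, the well-known default account
	pw, ok := Crack("SCOTT", "F894844C34402B67", []string{"oracle", "manager", "tiger"})
	fmt.Println(pw, ok)
}
```

Note why the scheme is so fast to attack: the username is salt in name only (it is public and part of the upper-cased input), there is no iteration count, and the case-folding shrinks the effective keyspace, which is why a few tens of millions of DES pairs per second on a CPU, or an FPGA, is enough to be dangerous.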
SAP
(A paper about SAP plain-text passwords in network packets.)
From this paper I learned that, by default, all network packets between the SAP server and SAPGUI are not encrypted but compressed. SAPGUI also has an option (TDW_NOCOMPRESS) to turn compression off; then we can use Wireshark to see the user's plain-text password.
But what really amazed me is that the function in charge of data compression contains a call to the C stdlib rand() function (in BitBufInit(), which is in turn called from CsRComprLZH()). That is the reason why the SAP server's compressed answers are always different. This is true for at least version 701 patch 32.
Are they perhaps emulating encryption?
Almost all good computer programs contain at least one random-number generator. (fortune file in the Plan 9 OS)
Part two: http://blogs.conus.info/node/47