PDA

View Full Version : How to solve this trick ?

linhan
10-04-2007, 02:31 AM
Code can land the SEH Handle at here.
but, I set bp 41163f break point, it doesn't work.
why?

/*4116F0*/ enter 0, 0
/*4116F4*/ mov eax, dword ptr [ebp+8]
/*4116FD*/ cmp dword ptr [eax], C000001D
/*411709*/ jnz short 0041176D
/*411714*/ mov eax, dword ptr [ebp+10]
/*411717*/ mov edx, dword ptr [eax+B8] ; edx is EXCEPTION IP = 41163f
/*411720*/ mov word ptr [edx], 0C033
/*411729*/ or dword ptr [eax+18], 13 ; DR7
/*411732*/ lea ecx, dword ptr [edx-1]
/*41173A*/ mov dword ptr [eax+8], ecx ; DR1
/*411740*/ inc edx
/*411744*/ inc ecx
/*41174A*/ mov dword ptr [eax+4], 0 ; DR0
/*411758*/ mov dword ptr [eax+10], edx ; DR3
/*411760*/ xor eax, eax
/*411767*/ leave
/*411768*/ retn
LLXX
10-04-2007, 02:59 AM
What do you mean "doesn't work?" ELABORATE!
linhan
10-04-2007, 04:38 AM
the point is the software must go through,
when I clear drx register, the break can happen,
but the software is Detect the DRX , Press the GO,
the resellt is wrong.

if I don't set break point, thenr GO
The result is right. why?

Quote:
[Originally Posted by LLXX;69096]What do you mean "doesn't work?" ELABORATE!
evlncrn8
10-04-2007, 05:48 AM
/*411717*/ mov edx, dword ptr [eax+B8] ; edx is EXCEPTION IP = 41163f
/*411720*/ mov word ptr [edx], 0C033

maybe because the seh is designed to patch 33 C0 @ 41164F ?
blabberer
10-04-2007, 10:19 AM
Quote:
[Originally Posted by evlncrn8;69107]/*411717*/ mov edx, dword ptr [eax+B8] ; edx is EXCEPTION IP = 41163f
/*411720*/ mov word ptr [edx], 0C033

maybe because the seh is designed to patch 33 C0 @ 41164F ?


it doesnt make a difference if the opcode is patched or not

if the op is talking about breaking on ThreadContext->Eip thats executed via NtContinue() Call from ExecuteSehhandler() return

if the op is using ollydbg then ollydbg is resistant to such patches it will break on the address with modified patched bytes intact

it will only complain when you try to delete the bp with a nag saying
the original byte it patched with 0xcc was 0x68 and now it contains 0x33
do you want to keep the modified byte or revert back to original byte that it patched

may be it is some thing else may be the resetiing of hbp in dr1 leads to another break and it enters the handler recursively which he is not able to notice
Maximus
10-04-2007, 11:43 AM
the fact is the that EIP of hw breakpoint is different than EIP of sw breakpoint. When he clears the hw breakpoint replacing it with a sw one (bp xxx), he actually displaces the EIP value and so the result is surely wrong.
evlncrn8
10-04-2007, 12:26 PM
assumption here...

/*4116F0*/ enter 0, 0 ; this is the seh handler
/*4116F4*/ mov eax, dword ptr [ebp+8] ; get the exception code
/*4116FD*/ cmp dword ptr [eax], C000001D ; is it 'illegal instruction'
/*411709*/ jnz short 0041176D
/*411714*/ mov eax, dword ptr [ebp+10] ; okay, it is illegal instruction, get pointer to the context information
/*411717*/ mov edx, dword ptr [eax+B8] ; edx is EXCEPTION IP = 41163f ; get the exception address
/*411720*/ mov word ptr [edx], 0C033 ; patch 33 c0 at that address (41163f)
/*411729*/ or dword ptr [eax+18], 13 ; DR7 ; no idea
/*411732*/ lea ecx, dword ptr [edx-1] ; ecx = edx (41163f) - 1 = 41163e
/*41173A*/ mov dword ptr [eax+8], ecx ; DR1 ; patch in 41163e there
/*411740*/ inc edx ; incriment pointer? - edx = 411640
/*411744*/ inc ecx ; incriment pointer - ecx = 41163f
/*41174A*/ mov dword ptr [eax+4], 0 ; DR0 ; cant remember
/*411758*/ mov dword ptr [eax+10], edx ; DR3 ; set to 411640
/*411760*/ xor eax, eax ; return with exception continue exception
/*411767*/ leave
/*411768*/ retn

so it looks like its a cascading seh, crash happens one line, it fixes some opcodes, and sets a crash a little bit lower down...


isnt that what its doing?
Rachmaninoff
10-05-2007, 10:53 AM
Quick question. How to know which register that are used. Like:

/*411729*/ or dword ptr [eax+18], 13 ; DR7

and

/*41174A*/ mov dword ptr [eax+4], 0 ; DR0 ; cant remember
ZaiRoN
10-05-2007, 01:15 PM
Search for CONTEXT structure.
Rachmaninoff
10-05-2007, 02:14 PM
Quote:
[Originally Posted by ZaiRoN;69167]Search for CONTEXT structure.


Care to give an example?

Best regards
fr33ke
10-05-2007, 04:08 PM
Quote:
[Originally Posted by Rachmaninoff;69175] Care to give an example?

Best regards

http://www.google.com/search?q=context+structure+windows
Rachmaninoff
10-05-2007, 04:11 PM
http://www.google.com/search?q=thank+you+fr33ke
shadz
11-09-2007, 10:30 PM
Firstly, the prototype for the exception handler helps:

Code:
EXCEPTION_DISPOSITION _except_handler(

     struct EXCEPTION_RECORD *ExceptionRecord,

     void *EstablisherFrame,

     struct _CONTEXT *ContextRecord,

     void *DispatcherContext);


Then, once inside the exception handler, we examine what exception was thrown and act upon it accordingly...

Code:


/*4116F0*/ enter 0, 0 ; this is the seh handler

/*4116F4*/ mov eax, dword ptr [ebp+8] ; get pointer to ExceptionRecord



;; check ExceptionRecord.ExceptionType for 'illegal instruction'

/*4116FD*/ cmp dword ptr [eax], C000001D



;; do some other handling if not illegal instruction

/*411709*/ jnz short 0041176D



;; otherwise, it is illegal instruction, so get pointer to the context

;; information and get saved EIP from context (EIP of faulting instruction)

/*411714*/ mov eax, dword ptr [ebp+10] 

/*411717*/ mov edx, dword ptr [eax+_CONTEXT.Eip]



;; patch 33 c0 ("xor eax,eax") at that address (41163f) effectively

;; dealing with the faulting instruction.

/*411720*/ mov word ptr [edx], 0C033 



;; DR7 is the DebugControlRegister which controls which breakpoints are

;; enabled and for what operations.

;; assuming decimal 13 => 0dh : Enable Global1,Local1 and Local0

;; assuming hex 13h : Enable Local2, Global0 and Local0

/*411729*/ or dword ptr [eax+_CONTEXT.Dr7], 13



;; ECX := ContextRecord->Eip -1

;; which is the address of the byte prior to the illegal instruction.

/*411732*/ lea ecx, dword ptr [edx-1] ; get ContextRecord->Eip-1



;; set linear address for HW breakpoint 1

/*41173A*/ mov dword ptr [eax+_CONTEXT.Dr1], ecx



/*411740*/ inc edx



;; incrementing ecx looks irrelevant since not used beyond here. Could this

;; be a typo for "inc edx" which would then make sense below (setting a

;; breakpoint just after the patched "xor eax,eax")

/*411744*/ inc ecx



;; set linear address for HW breakpoint 0 to zero, effectively disabling it

/*41174A*/ mov dword ptr [eax+_CONTEXT.Dr0], 0



;; set linear address for HW breakpoint 3

/*411758*/ mov dword ptr [eax+_CONTEXT.Dr3], edx



/*411760*/ xor eax, eax ; return with exception continue exception

/*411767*/ leave

/*411768*/ retn


The linear address for HW breakpoint 0 is cleared, rendering it disabled, and setting an address for HW breakpoint 3 does not gurantee anything since there isnt any explicit enabling of it in DR7.

Breakpoint 1 is enabled and its linear address is set so it points to the byte prior to the faulting instruction.

Because the illegal opcode exception is a "Fault" and thus restartable, upon successful return from the EH EIP should be at the same location (although the bytes there will be different.)

A hardware breakpoint is also set for the addrress prior to where the initial exception was generated however the HW breakpoint type isnt set (could be IO/read/write/exec!) Upon returning from the EH executtion should continue at the now "xor eax,eax" instruction.

Not exactly sure whether the DR7 bitmask is dec. or hex but either way there appear to be some weirdness wrt. enabling breakpoints without properly setting them up.

thats about as much detail as I can provide without seeing more code...

-shadz