[Plugin] Polymorphic Breakpoint
Mattwood
10-12-2005, 12:19 PM
Hi,
I just released a new plugin to set a special breakpoint.
http://reverseengineering.online.fr/spip/article.php3?id_article=50 (Sources are included)
Cheers.
Mattwood^FRET
blabberer
10-12-2005, 12:43 PM
nice to see it here

Ricardo Narvaja
10-12-2005, 01:44 PM
I tried, but it doesn't work for me. I don't know if I use it well, but I tried with any polymorphic bp, pressed run, it stopped in an ACCESS VIOLATION, but when I press Shift+F9 to skip the exception and continue, the program generates an error and crashes.
A little explanation of the method of use is necessary, I think.
Ricardo Narvaja
Mattwood
10-12-2005, 01:58 PM
lol Ricardo, of course, look:
With the first version of the breakpoint we have:
CALL unpatche.01006381
FSUB ST(5),ST
XOR DWORD PTR SS:[ESP],1337 ; <= EXCEPTION
JMP NEAR DWORD PTR SS:[ESP] ; kernel32.7C816D4F
Here the program crashes because you need a special characteristic: the section must be WRITABLE.
So I created a second version of the breakpoint,
the Stack Polymorphic breakpoint:
CALL unpatche.01006398
PUSH 0FE21
XOR BYTE PTR SS:[ESP],0CA
JMP NEAR ESP
The stack is writable and executable, so I use it; it's a better way.
Mattwood^FRET
Ricardo Narvaja
10-12-2005, 02:56 PM
Yes, I see: when it loops, pause, press minus to return to the bp address, set the new origin here, quit the bp and RUN.
With this sequence it pauses and you can continue.
Ricardo
Mattwood
10-12-2005, 03:08 PM
Yes, to remove a breakpoint you need to pause OllyDbg, and after that go to the Polymorphic breakpoint manager.
Mattwood^FRET
odshell
10-18-2005, 08:55 PM
To Mattwood:
From your readme.txt:
The way the plugin works is to set a polymorphic EBFE like:
00DE321C . E8 02000000 CALL 0x90f.00DE3223
00DE3221 . DCED FSUB ST(5),ST
00DE3223 $ 813424 371300>XOR DWORD PTR SS:[ESP],1337
00DE322A .- FF2424 JMP NEAR DWORD PTR SS:[ESP]
Here the routine decrypts DCED with 1337 and the word at [00DE3221] = EBFE, but this way needs a special right: the section must be writable.
Did you test it? Your code is wrong.
[ESP]=00DE3221,
[[ESP]]=[00DE3221]=EDDC
So what does "XOR DWORD PTR SS:[ESP],1337" mean? It doesn't work.
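A small byte-level simulation of the decode step of both stubs, added here as an illustration; it is not code from the plugin or from anyone in this thread, and the section base 0x00DE3200 and the 0x40-byte memory image are constructed. It shows that the first listing, as written, XORs the return address on the stack rather than the word it points to, that the intended [[ESP]] decode does yield EB FE, and that the stack version yields EB FE as well.

```python
import struct

BASE = 0x00DE3200          # constructed section base, laid out like the readme listing
KEY_DWORD = 0x1337         # XOR key of the first (section) stub
ENCRYPTED = b"\xDC\xED"    # bytes of FSUB ST(5),ST that hide EB FE
RET_ADDR = 0x00DE3221      # address CALL pushes; it points at ENCRYPTED
EBFE = b"\xEB\xFE"         # JMP $, the infinite-loop breakpoint the plugin plants

def build_section():
    """Constructed 0x40-byte writable section image holding the encrypted word."""
    mem = bytearray(b"\xCC" * 0x40)
    off = RET_ADDR - BASE
    mem[off:off + 2] = ENCRYPTED
    return mem

def stub_as_written(mem, key=KEY_DWORD):
    """Readme listing: XOR DWORD PTR [ESP],key ; JMP [ESP].
    [ESP] holds the return address itself, so the XOR scrambles the address
    and JMP [ESP] lands somewhere else (None = outside the image)."""
    esp_value = RET_ADDR ^ key
    off = esp_value - BASE
    landed = bytes(mem[off:off + 2]) if 0 <= off < len(mem) - 1 else None
    return esp_value, landed

def stub_corrected(mem, key=KEY_DWORD):
    """odshell's point: the XOR must hit the word at [[ESP]], i.e. at RET_ADDR.
    The key's upper bytes are zero, so only the 16-bit word changes."""
    off = RET_ADDR - BASE
    word = struct.unpack_from("<H", mem, off)[0] ^ (key & 0xFFFF)   # EDDC ^ 1337
    struct.pack_into("<H", mem, off, word)                          # = FEEB -> EB FE
    return RET_ADDR, bytes(mem[off:off + 2])

def stack_stub(pushed=0x0FE21, key=0xCA):
    """Second version: PUSH 0FE21 ; XOR BYTE PTR [ESP],0CA ; JMP ESP.
    Returns the two stack bytes that JMP ESP executes."""
    cell = bytearray(struct.pack("<I", pushed))   # 21 FE 00 00 on the stack
    cell[0] ^= key                                # 0x21 ^ 0xCA = 0xEB
    return bytes(cell[:2])

def is_ebfe(code):
    return code == EBFE

if __name__ == "__main__":
    mem = build_section()
    print("as written :", stub_as_written(mem))   # (0x00DE2116, None): wrong target
    print("corrected  :", stub_corrected(mem))    # (0x00DE3221, b'\xeb\xfe')
    print("stack stub :", stack_stub())           # b'\xeb\xfe'
```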
Mattwood
10-21-2005, 06:46 AM
OMFG, thank you odshell.
I corrected it.
You can download the new version at http://reverseengineering.online.fr/spip/article.php3?id_article=50