RCE Messageboard's Regroupment

The color of flag register in Ollydbg

MathewMickle — Sat, 21 Nov 2009 08:39:05 GMT

I always have a trouble to remember jcc instructions(eg. JNLE,JNG) looking up which flag register, so I want to if there is an ollydbg plug-in,which has the following feature,

when the current instruction is a conditonal jump,
e.g. jz instruction
zero flag register(the letter 'z' in ollydbg) will be showed a special color to be distinguished from other flag registers .

Do someone know about this ? thx

Hex-Rays Plugin Contest

Hex Blog — Fri, 20 Nov 2009 15:17:18 GMT

We are glad to announce the results of our first plugin contest! For the contest rules, please check this page:

http://www.hex-rays.com/contest.shtml

Or you may directly go to the contest results and check out some cool plugins:

http://www.hex-rays.com/contest2009

It was our first contest, but we are happy with the results and will repeat it in the near future.
Have fun!

http://hexblog.com/2009/11/hexrays_plugin_contest.html

everytime I have to wait 1 hour to see the nag screen

bobzombie — Fri, 20 Nov 2009 11:48:02 GMT

i'm sorry for asking help in the first post, but i think this code is so advanced for a newbie like me,
i practiced RE in the far days like 1999 but my knowledge is so old for now, it's about 1 week that i'm reading and searching still no success with this one.

Here is the short story
-i have to run the code and wait for 1 hour, a window pops up after about 1 hour and says that i'm phucked :boo: with a message about 100 characters about "non genuine piece of hardware bla bla bla..." and i have to push "OK" and everything is gone.
-Also when softice comes up by "bpx CreateWindowExa" i cannot find the message in memory by using 'S' command.
-I tried the tool "PEEK" , but could not find the string in the program too .

DEP and debugging

Iwarez — Thu, 19 Nov 2009 20:32:53 GMT

Today I encountered a two strange things that are DEP related. Our application ran on our Terminal Server and this server has DEP turned on for Windows services only. A colleague of mine reported she had problems with one of the actions the wanted to perform with our program. Windows would show an 0xc0000409 crash every time she performed the action. When I googled it I saw it's a DEP exception.

Strange thing 1:
How can I get a DEP exception when DEP is turned off for normal applications?

To find out what was causing the exception I started my favourite debugger ollydbg. I ran the application, caused the error and the program terminated right away with all threads exiting with error 0xc0000409.

Strange thing 2:
Why did the application terminate instead of breaking on the instruction that caused the exception?

Offcourse I had turned off all automatic exception handling within olly. Only the Floating Point exceptions where passed on.

Can anybody shed some light on this?

Thanks, I-Warez

yoda cryptor help.

_genuine — Thu, 19 Nov 2009 08:25:54 GMT

Alright so ive read almost everything i can find on yoda cryptor 1.xx modified, and it all seemed to be easy enough to unpack..my target however seems to have something extra that i cant really understand in my initial analysis of it.

So here we go, just so i give enough information ill go thru the steps of how im 'supposed' to get to the oep.

Opened up the target (removed all exceptions in Olly except the ignore exceptions in kernel).

Here is my entry point.

Code:

00C1E060 bots.                    $  60              PUSHAD

00C1E061                                            .  E8 00000000     CALL bots.00C1E066

00C1E066                                            $  5D              POP EBP                                 ;  kernel32.7C817077

00C1E067                                            .  81ED 0F1E4000   SUB EBP,bots.00401E0F

00C1E06D                                            .  B9 57090000     MOV ECX,957

00C1E072                                            .  8DBD 571E4000   LEA EDI,DWORD PTR SS:[EBP+401E57]

00C1E078                                            .  8BF7            MOV ESI,EDI                             ;  ntdll.7C910228

00C1E07A                                            >  AC              LODS BYTE PTR DS:[ESI]

Using the ESP trick i single stepped over the PUSHAD and set a HW breakpoint on ESP.

I shift+f9 once and i reach the point where Yoda cryptor sets up its exception handler code to cause an exception. Right here. (To note, in another paper regarding this packer there is the technique of Shift+F9 until the program runs, then rerun the number of Shoft+f9 -1 times to reach this as well.).

Code:

00C1E739                                            .  50              PUSH EAX                                ;  bots.00C1E6E8

00C1E73A                                            ?  33C0            XOR EAX,EAX                             ;  OEP Or Next Shell To Get,Please dumped it,Enjoy!

00C1E73C                                            .  64:FF30         PUSH DWORD PTR FS:[EAX]

00C1E73F                                            ?  64:8920         MOV DWORD PTR FS:[EAX],ESP

00C1E742                                            ?  EB 01           JMP SHORT bots.00C1E745

00C1E744                                            ?  8700            XCHG DWORD PTR DS:[EAX],EAX             ;  bots.00C1E6E8

00C1E746                                            .  0000            ADD BYTE PTR DS:[EAX],AL

In the SEH chain in olly we will see where this SEH record lies in, after stepping into the code and raising the exception. Inm y case it is here, and i set a breakpoint on this exceptionhandler.

Code:

00C1E6E8                                           |.  55              PUSH EBP

00C1E6E9                                           |.  8BEC            MOV EBP,ESP

00C1E6EB                                           |.  57              PUSH EDI                                ;  ntdll.7C910228

00C1E6EC                                           |.  8B45 10         MOV EAX,[ARG.3]

00C1E6EF                                           |.  8BB8 C4000000   MOV EDI,DWORD PTR DS:[EAX+C4]

00C1E6F5                                           |.  FF37            PUSH DWORD PTR DS:[EDI]

00C1E6F7                                           |.  33FF            XOR EDI,EDI                             ;  ntdll.7C910228

00C1E6F9                                           |.  64:8F07         POP DWORD PTR FS:[EDI]                  ;  0012FFE0

00C1E6FC                                           |.  8380 C4000000 0>ADD DWORD PTR DS:[EAX+C4],8

00C1E703                                           |.  8BB8 A4000000   MOV EDI,DWORD PTR DS:[EAX+A4]

00C1E709                                           |.  C1C7 07         ROL EDI,7

00C1E70C                                           |.  89B8 B8000000   MOV DWORD PTR DS:[EAX+B8],EDI           ;  ntdll.7C910228

00C1E712                                           |.  B8 00000000     MOV EAX,0

00C1E717                                           |.  5F              POP EDI                                 ;  0012FFE0

00C1E718                                           |.  C9              LEAVE

00C1E719                                           \.  C3              RETN

In this code where the line
00C1E70C |. 89B8 B8000000 MOV DWORD PTR DS:[EAX+B8],EDI ; ntdll.7C910228

EDI will contain 00401000..which is supposed ! to be the OEP, but this is not the case in my target..According to popular papers. this should continue execution to the OEP. Wait for it...

After the bp is set there and we reach the exception handler code. We will ALT+F9 to return to code after the handler. which will be 00401000.

the code here is strange.

Code:

00401000                                             68 01A0C000       PUSH bots.00C0A001

00401005                                             E8 01000000       CALL bots.0040100B

0040100A                                             C3                RETN

0040100B                                             C3                RETN

it Calls this RETN, and the RETN just terminates the application..

This where that ends..now somewhere in all my analysis i thought i found a place where the OEP was, lying in some addresses in the 007XXXXXX range..when i remember how i got there ill update this thread but if anyone who does know about yoda cryptor and can realize some thing here id like some input or feedback, thanks.

Oscilloscope 'tweaking'

SteelWolf — Tue, 17 Nov 2009 14:53:58 GMT

Hello,

First of all, sry for my bad english
I did read the FAQ, got the tools and made myself halfway familiar with them. I've used ollydbg with lena151's tipps, IDA, and some api monitoring programs.
I watched some of lena tutorials but I'm still a noob in reversing but I'm working on that.
I know the basics of asm and c/c++

Story:

I'm planning to buy a used Digital Storage oscilloscope thats worth about 6000$
This scopes are normal PCs with motherboard, graphic card, usb and network ports etc,.(plus touchscreen) the scope itself is just a PCI card with connections to the acquisition boards and the front panel I guess

Problem:

The problem now is that I would need some of the math and matlab functions that you can add as an extra soft-option (requires a key) on the next higher class of oscilloscopes. Every scope has a serial and the key is linked to this serial

All scopes of the company use the same software, they just have different hardware (sampling rate, bandwith, bus, etc,..)
So also the low class scopes have all the dll's for the high-class features in their folder
The software can be downloaded free from the page of the company and runs on every pc.. it just gives a error message
that no hardware was dedected and that its noth authorized on the system

Goal:

My ideal goal now would be to let the software 'think' that its a better scope to allow me to add the options of this class of scopes (matlab compatibility for example)
If thats impossible then I would , at least, try to gain access to all the soft-option keys for my low-class scope

I don't know If anyone has experience with something like this
I would just want to know if it could be even possible before buying a scope for a few thousand $
Maybe someone could take a short look on the software or tell me what I should post to make it even possible for you to help

Thank you for reading this and I hope that my post didn't break the rules (I'm awaiting you punishment JMI::) )

KeyScramblers

.tom — Tue, 17 Nov 2009 12:01:47 GMT

My friend told me about this software (keyscrambler) and that it is a kernel mode technology to defeat key-loggers. Meaning, any key-logger operating in the kernel more is useless if you have this Keyscrambler installed too.

I was wondering if there's any reading material on the technologies this Keyscrambler uses, and if there's any papers on how to circumvent it. This is for pure learning purposes.

Thank you. :yay:

Debugging a DLL loaded by an EXE (and other beginner questions)

yang — Tue, 17 Nov 2009 06:36:51 GMT

I'm a systems programmer trying to educate myself on the nitty gritty of reverse engineering and low-level injection vulnerabilities. I'm currently studying this proof of concept http://milw0rm.com/exploits/9579 for Adobe Reader 9.0 http://www.oldapps.com/adobe_reader.php?old_reader=18. It didn't work when I applied the included dummy exploit PDF (Reader just crashes), so I'm using OllyDbg to figure out what's going on. (Yes, I cleared the ASLR and NX bits on AcroRd32.exe to make this whole operation feasible.)

The vulnerability is in Annots.api, but I can't figure out how to have OllyDbg load that, then execute AcroRd32.exe. I'm also not sure how to navigate to that basic block pointed out in the PoC's report so as to set a breakpoint there - the address is apparently 0x2210FCE8 (as shown by some version of IDA Pro), but the only addresses I see are 0x00404054.

Any other hints on what I should be doing to debug the exploit would be much appreciated. Thanks in advance.

Strong Name Helper 0.8beta By Whoknows

Kurapica — Mon, 16 Nov 2009 17:59:10 GMT

Quote:

here it is!! finally! thinking a lot time ago to create smthing like this...

Is pure no cecil used, pure .net (sn.exe / ildasm.exe / ilasm.exe)

Purpose of util is to help you with the boring EXE/DLL strong name validation tied....

give a try suggestions are welcome

What's new :

Quote:

+read/extract resources
*listview when file not found

http://rapidshare.com/files/307535639/StrongNameHelper08beta-whoknows.rar.html

:yay:

Help with palm debugging

TumTum — Mon, 16 Nov 2009 09:25:59 GMT

Hello everyone,

Does anyone knows good tutorials/howto's on windows mobile reversing?
Recommended tools(olly like, kidding )?
I want to reverse specific core executables on
my palm.

Thanks for your help,
TumTum

create sign for flex 10.8.0.10

kaydream — Mon, 16 Nov 2009 06:16:38 GMT

hello every one i have a license file with following line please help to create new sign with new mac address

Code:

FEATURE ES680_STARTMENU SIEMPGL 8.3 permanent uncounted \

        HOSTID=ETH=00005A72E0EF SIGN="00DE 48F5 38C4 C576 5389 1808 \

        CBA5 7400 6B08 9C97 593C B6F7 4C5A BC4A 5399"

FEATURE ES680_MMIEDITORS_1 SIEMPGL 8.3 permanent uncounted \

        HOSTID=ETH=00005A72E0EF SIGN="00F5 0BAA 2515 98D6 57E0 7CDE \

        7C4F 5900 656D A604 E641 76F4 F3EB 8864 7898"

FEATURE ES680_IO_MECOLOCM_10800 SIEMPGL 8.3 permanent uncounted \

        HOSTID=ETH=00005A72E0EF SIGN="00FD 488D 6374 2A0A 8E0A 6BA9 \

        E567 6D00 BA6D E50F 2120 CAFF 53A8 C560 7575"

getting Virtual Size of Section in PE

Vigual — Sat, 14 Nov 2009 07:28:57 GMT

The structure of the Section table is

Code:

typedef struct _IMAGE_SECTION_HEADER {

  BYTE  Name[IMAGE_SIZEOF_SHORT_NAME];

  union {

    DWORD PhysicalAddress;

    DWORD VirtualSize;

  } Misc;

  DWORD VirtualAddress;

  DWORD SizeOfRawData;

  DWORD PointerToRawData;

  DWORD PointerToRelocations;

  DWORD PointerToLinenumbers;

  WORD  NumberOfRelocations;

  WORD  NumberOfLinenumbers;

  DWORD Characteristics;

}IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;

I'm trying to get the value for VirtualSize but I don't know how to write this in assembly because of the Union Structure. I currently have

Code:

add ecx, [eax.IMAGE_SECTION_HEADER.VirtualSize]

but masm says that it does not recognize the VirtualSize field. How do I get it's value

Big PE Graph for printing

comrade — Fri, 13 Nov 2009 08:01:35 GMT

I remember at one point a few years ago I got my hands on what must have been a PDF with a big layout of all the important PE structures, with arrows pointing to where links and references are. I printed this in A4 letter size and stuck it somewhere visible... it came in handy many a times.

I can't seem to find this big graph anywhere though. I've tried searching various forums to no avail.

Does this spark anyone's memory?

board.anticrack.de?

comrade — Fri, 13 Nov 2009 07:59:38 GMT

Does anyone know what happened to the http://board.anticrack.de/ message board?

What are some other well-known reverse-engineering message boards these days? this board? Is exetools forums still up?

howto bypass a serial with olly? - a real challenge!

fityazz — Thu, 12 Nov 2009 21:03:13 GMT

Hi All!!!

So many videos can be found on yutubee' what says how to bypass a serial request of a simple software.....(oh yeah it is very easy with olly!!)

But just in case I would 'crck' a software: a simple exe file what cooperates with a dll file (this dll contains the bad serial message) and somehow this two files make a third one, and the dll just generate a serial what will be compare with our bought serialkey.....

I really don't know how the softwaremaker fellas think out this trick, and should need somebody's appreciated help to find out about it!!

Is there any olly master who could help me???

ps: Im not a crcker' and it will be a really challenge

thanks for readin' this...