Results 1 to 13 of 13

Thread: How to solve this trick ?

  1. #1
    linhan
    Guest

    How to solve this trick ?

    Code can land the SEH Handle at here.
    but, I set bp 41163f break point, it doesn't work.
    why?

    /*4116F0*/ enter 0, 0
    /*4116F4*/ mov eax, dword ptr [ebp+8]
    /*4116FD*/ cmp dword ptr [eax], C000001D
    /*411709*/ jnz short 0041176D
    /*411714*/ mov eax, dword ptr [ebp+10]
    /*411717*/ mov edx, dword ptr [eax+B8] ; edx is EXCEPTION IP = 41163f
    /*411720*/ mov word ptr [edx], 0C033
    /*411729*/ or dword ptr [eax+18], 13 ; DR7
    /*411732*/ lea ecx, dword ptr [edx-1]
    /*41173A*/ mov dword ptr [eax+8], ecx ; DR1
    /*411740*/ inc edx
    /*411744*/ inc ecx
    /*41174A*/ mov dword ptr [eax+4], 0 ; DR0
    /*411758*/ mov dword ptr [eax+10], edx ; DR3
    /*411760*/ xor eax, eax
    /*411767*/ leave
    /*411768*/ retn
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2

    sage

    What do you mean "doesn't work?" ELABORATE!

  3. #3
    linhan
    Guest

    The break can't happen

    the point is the software must go through,
    when I clear drx register, the break can happen,
    but the software is Detect the DRX , Press the GO,
    the resellt is wrong.

    if I don't set break point, thenr GO
    The result is right. why?

    Quote Originally Posted by LLXX View Post
    What do you mean "doesn't work?" ELABORATE!
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #4
    /*411717*/ mov edx, dword ptr [eax+B8] ; edx is EXCEPTION IP = 41163f
    /*411720*/ mov word ptr [edx], 0C033

    maybe because the seh is designed to patch 33 C0 @ 41164F ?

  5. #5
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,529
    Blog Entries
    15
    Quote Originally Posted by evlncrn8 View Post
    /*411717*/ mov edx, dword ptr [eax+B8] ; edx is EXCEPTION IP = 41163f
    /*411720*/ mov word ptr [edx], 0C033

    maybe because the seh is designed to patch 33 C0 @ 41164F ?
    it doesnt make a difference if the opcode is patched or not

    if the op is talking about breaking on ThreadContext->Eip thats executed via NtContinue() Call from ExecuteSehhandler() return

    if the op is using ollydbg then ollydbg is resistant to such patches it will break on the address with modified patched bytes intact

    it will only complain when you try to delete the bp with a nag saying
    the original byte it patched with 0xcc was 0x68 and now it contains 0x33
    do you want to keep the modified byte or revert back to original byte that it patched

    may be it is some thing else may be the resetiing of hbp in dr1 leads to another break and it enters the handler recursively which he is not able to notice

  6. #6
    the fact is the that EIP of hw breakpoint is different than EIP of sw breakpoint. When he clears the hw breakpoint replacing it with a sw one (bp xxx), he actually displaces the EIP value and so the result is surely wrong.
    I want to know God's thoughts ...the rest are details.
    (A. Einstein)
    --------
    ..."a shellcode is a command you do at the linux shell"...

  7. #7
    assumption here...

    /*4116F0*/ enter 0, 0 ; this is the seh handler
    /*4116F4*/ mov eax, dword ptr [ebp+8] ; get the exception code
    /*4116FD*/ cmp dword ptr [eax], C000001D ; is it 'illegal instruction'
    /*411709*/ jnz short 0041176D
    /*411714*/ mov eax, dword ptr [ebp+10] ; okay, it is illegal instruction, get pointer to the context information
    /*411717*/ mov edx, dword ptr [eax+B8] ; edx is EXCEPTION IP = 41163f ; get the exception address
    /*411720*/ mov word ptr [edx], 0C033 ; patch 33 c0 at that address (41163f)
    /*411729*/ or dword ptr [eax+18], 13 ; DR7 ; no idea
    /*411732*/ lea ecx, dword ptr [edx-1] ; ecx = edx (41163f) - 1 = 41163e
    /*41173A*/ mov dword ptr [eax+8], ecx ; DR1 ; patch in 41163e there
    /*411740*/ inc edx ; incriment pointer? - edx = 411640
    /*411744*/ inc ecx ; incriment pointer - ecx = 41163f
    /*41174A*/ mov dword ptr [eax+4], 0 ; DR0 ; cant remember
    /*411758*/ mov dword ptr [eax+10], edx ; DR3 ; set to 411640
    /*411760*/ xor eax, eax ; return with exception continue exception
    /*411767*/ leave
    /*411768*/ retn

    so it looks like its a cascading seh, crash happens one line, it fixes some opcodes, and sets a crash a little bit lower down...


    isnt that what its doing?

  8. #8
    Rachmaninoff
    Guest
    Quick question. How to know which register that are used. Like:

    /*411729*/ or dword ptr [eax+18], 13 ; DR7

    and

    /*41174A*/ mov dword ptr [eax+4], 0 ; DR0 ; cant remember
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  9. #9
    Red wine, not vodka! ZaiRoN's Avatar
    Join Date
    Oct 2001
    Location
    Italy
    Posts
    922
    Blog Entries
    17
    Search for CONTEXT structure.

  10. #10
    Rachmaninoff
    Guest
    Quote Originally Posted by ZaiRoN View Post
    Search for CONTEXT structure.
    Care to give an example?

    Best regards
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  11. #11
    King of Redonda
    Join Date
    Jul 2006
    Posts
    109
    Blog Entries
    4
    Quote Originally Posted by Rachmaninoff View Post
    Care to give an example?

    Best regards
    http://www.google.com/search?q=context+structure+windows
    <[TN]FBMachine> i got kicked out of barnes and noble once for moving all the bibles into the fiction section

  12. #12
    Rachmaninoff
    Guest
    http://www.google.com/search?q=thank+you+fr33ke
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  13. #13
    Firstly, the prototype for the exception handler helps:

    Code:
    EXCEPTION_DISPOSITION _except_handler(
         struct EXCEPTION_RECORD *ExceptionRecord,
         void *EstablisherFrame,
         struct _CONTEXT *ContextRecord,
         void *DispatcherContext);
    Then, once inside the exception handler, we examine what exception was thrown and act upon it accordingly...

    Code:
    /*4116F0*/ enter 0, 0 ; this is the seh handler
    /*4116F4*/ mov eax, dword ptr [ebp+8] ; get pointer to ExceptionRecord
    
    ;; check ExceptionRecord.ExceptionType for 'illegal instruction'
    /*4116FD*/ cmp dword ptr [eax], C000001D
    
    ;; do some other handling if not illegal instruction
    /*411709*/ jnz short 0041176D
    
    ;; otherwise, it is illegal instruction, so get pointer to the context
    ;; information and get saved EIP from context (EIP of faulting instruction)
    /*411714*/ mov eax, dword ptr [ebp+10] 
    /*411717*/ mov edx, dword ptr [eax+_CONTEXT.Eip]
    
    ;; patch 33 c0 ("xor eax,eax") at that address (41163f) effectively
    ;; dealing with the faulting instruction.
    /*411720*/ mov word ptr [edx], 0C033 
    
    ;; DR7 is the DebugControlRegister which controls which breakpoints are
    ;; enabled and for what operations.
    ;; assuming decimal 13 => 0dh : Enable Global1,Local1 and Local0
    ;; assuming hex 13h : Enable Local2, Global0 and Local0
    /*411729*/ or dword ptr [eax+_CONTEXT.Dr7], 13
    
    ;; ECX := ContextRecord->Eip -1
    ;; which is the address of the byte prior to the illegal instruction.
    /*411732*/ lea ecx, dword ptr [edx-1] ; get ContextRecord->Eip-1
    
    ;; set linear address for HW breakpoint 1
    /*41173A*/ mov dword ptr [eax+_CONTEXT.Dr1], ecx
    
    /*411740*/ inc edx
    
    ;; incrementing ecx looks irrelevant since not used beyond here. Could this
    ;; be a typo for "inc edx" which would then make sense below (setting a
    ;; breakpoint just after the patched "xor eax,eax")
    /*411744*/ inc ecx
    
    ;; set linear address for HW breakpoint 0 to zero, effectively disabling it
    /*41174A*/ mov dword ptr [eax+_CONTEXT.Dr0], 0
    
    ;; set linear address for HW breakpoint 3
    /*411758*/ mov dword ptr [eax+_CONTEXT.Dr3], edx
    
    /*411760*/ xor eax, eax ; return with exception continue exception
    /*411767*/ leave
    /*411768*/ retn
    The linear address for HW breakpoint 0 is cleared, rendering it disabled, and setting an address for HW breakpoint 3 does not gurantee anything since there isnt any explicit enabling of it in DR7.

    Breakpoint 1 is enabled and its linear address is set so it points to the byte prior to the faulting instruction.

    Because the illegal opcode exception is a "Fault" and thus restartable, upon successful return from the EH EIP should be at the same location (although the bytes there will be different.)

    A hardware breakpoint is also set for the addrress prior to where the initial exception was generated however the HW breakpoint type isnt set (could be IO/read/write/exec!) Upon returning from the EH executtion should continue at the now "xor eax,eax" instruction.

    Not exactly sure whether the DR7 bitmask is dec. or hex but either way there appear to be some weirdness wrt. enabling breakpoints without properly setting them up.

    thats about as much detail as I can provide without seeing more code...

    -shadz
    Last edited by shadz; November 10th, 2007 at 18:12.

Similar Threads

  1. A and B = C how can I solve for B?
    By databus in forum The Newbie Forum
    Replies: 7
    Last Post: January 11th, 2013, 16:58
  2. don't know how to solve this one...
    By simonzack in forum Mini Project Area
    Replies: 7
    Last Post: March 3rd, 2009, 07:42
  3. For you guys to solve out
    By naides in forum Malware Analysis and Unpacking Forum
    Replies: 24
    Last Post: August 25th, 2008, 17:25
  4. It seems that only softice can solve this problem,
    By peak in forum OllyDbg Support Forums
    Replies: 6
    Last Post: March 24th, 2004, 22:58

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •