
Thread: CSP patching problem

  1. #16
    This reminded me of something funny about DLLs at runtime with Delphi:
    http://www.reversing.be/article.php?story=20050804204446290&query=BPL
    I want to know God's thoughts ...the rest are details.
    (A. Einstein)
    --------
    ..."a shellcode is a command you do at the linux shell"...

  2. #17
    dELTA (Administrator)
    A little clarification: that article has nothing to do with "normal" DLLs in Delphi programs, but rather with cracking/reversing Delphi components, which happen to be packaged in a DLL-like way before being compiled (statically linked) into the main exe file during compilation/build of the program.

    Nice article though.
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  3. #18
    Quote Originally Posted by dELTA
    Hero, if there were originally a relocated address at the position where you have written your patch, your patched-in code will be messed up during runtime since it is referenced from the relocation table. That is the most common problem with relocations, rather than your own instructions needing relocation to work.

    And did you try a full NOP of your patch yet, and all other suggestions above?
    hi dELTA
    The command that I patched to insert my code was a CMP command, and I think it was this one:
    cmp byte ptr [ebp+220],1
    so it has no relocations.

    I haven't tried NOP yet, but I will try it too...

    regards
    I should look out my posts,Or JMI will get mad at me! ;)
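    The relocation hazard dELTA describes above (a patch landing on bytes that the loader rewrites from the relocation table) can be checked mechanically. The following is an added example, not code from this thread: a small parser for a PE's base-relocation directory (the raw bytes of the .reloc data directory) plus a check that reports whether a given RVA range overlaps any fixup. The relocation blocks, RVAs and ranges are constructed for the demonstration; the same check is what an integrity or hook-validation tool would run before trusting that a code region is stable across rebasing.

```python
import struct
from typing import List, Tuple

# Base relocation types from winnt.h (IMAGE_REL_BASED_*) and the width of the
# field the loader rewrites for each type when the image is not at its base.
IMAGE_REL_BASED_ABSOLUTE = 0      # padding entry, touches nothing
FIXUP_WIDTH = {
    1: 2,    # IMAGE_REL_BASED_HIGH
    2: 2,    # IMAGE_REL_BASED_LOW
    3: 4,    # IMAGE_REL_BASED_HIGHLOW (32-bit x86 images such as advapi32.dll)
    10: 8,   # IMAGE_REL_BASED_DIR64
}

# Constructed sample .reloc directory: two IMAGE_BASE_RELOCATION blocks.
# Block 1 covers page RVA 0x8000 with HIGHLOW fixups at +0x80C and +0x810
# (two ABSOLUTE pads keep SizeOfBlock a multiple of 4);
# block 2 covers page RVA 0x9000 with one HIGHLOW fixup at +0x004.
SAMPLE_RELOC = (
    struct.pack("<II", 0x8000, 16) + struct.pack("<4H", 0x380C, 0x3810, 0, 0)
    + struct.pack("<II", 0x9000, 12) + struct.pack("<2H", 0x3004, 0)
)


def parse_base_relocations(reloc_dir: bytes) -> List[Tuple[int, int]]:
    """Walk IMAGE_BASE_RELOCATION blocks and return (rva, width) per fixup.

    Each block is {VirtualAddress: u32, SizeOfBlock: u32} followed by u16
    entries whose high 4 bits are the type and low 12 bits the page offset.
    """
    fixups = []
    off = 0
    while off + 8 <= len(reloc_dir):
        page_rva, size = struct.unpack_from("<II", reloc_dir, off)
        if size < 8 or size % 2 or off + size > len(reloc_dir):
            raise ValueError(f"bad SizeOfBlock {size:#x} at offset {off:#x}")
        for (entry,) in struct.iter_unpack("<H", reloc_dir[off + 8 : off + size]):
            rtype, page_off = entry >> 12, entry & 0xFFF
            if rtype == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if rtype not in FIXUP_WIDTH:
                raise ValueError(f"unsupported relocation type {rtype}")
            fixups.append((page_rva + page_off, FIXUP_WIDTH[rtype]))
        off += size
    return fixups


def patch_conflicts(fixups, patch_rva: int, patch_len: int) -> List[Tuple[int, int]]:
    """Return every fixup whose bytes overlap [patch_rva, patch_rva + patch_len).

    Any hit means the loader will overwrite part of those bytes whenever the
    image is rebased, so code placed there is silently corrupted at runtime.
    """
    end = patch_rva + patch_len
    return [(rva, w) for rva, w in fixups if rva < end and rva + w > patch_rva]


if __name__ == "__main__":
    fixups = parse_base_relocations(SAMPLE_RELOC)
    for rva, length in ((0x8800, 8), (0x8808, 8)):
        hits = patch_conflicts(fixups, rva, length)
        print(f"range {rva:#x}+{length}: {'clean' if not hits else hits}")
```

    Note that the overlap test is on bytes, not on instruction starts: a 4-byte HIGHLOW fixup whose first byte is inside the range counts, and so does one that starts just before the range but extends into it. A `cmp byte ptr [ebp-220h],1` of the kind Hero mentions has no absolute address operand, so it would not appear in the table at all, which is consistent with dELTA's point that the problem is a pre-existing fixup at the patch site rather than the new instructions themselves.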

  4. #19
    OHPen (Reverse Engineer)
    Not sure about what you have done yet,
    but wouldn't it be a possible solution to use a debugger? I slightly remember such products like NuMega SoftICE and a newer one called Syser? )))

    In my opinion it's rather better than guessing around in the wild. Break at the first loading of the DLL and there you are...

    OHPen
    - Reverse Engineering can be everything, but sometimes it's more than nothing. Really rare moments but then they appear to last ages... -

  5. #20
    Quote Originally Posted by OHPen
    Not sure about what you have done yet,
    but wouldn't it be a possible solution to use a debugger? I slightly remember such products like NuMega SoftICE and a newer one called Syser? )))

    In my opinion it's rather better than guessing around in the wild. Break at the first loading of the DLL and there you are...

    OHPen
    hi
    I know that both debuggers can be used for kernel debugging, but the problem is that I have never done kernel debugging till now...

    Regards
    I should look out my posts,Or JMI will get mad at me! ;)

  6. #21
    Well, it's kind of the same as ring 3 debugging, just you see ring 0 APIs... In your case though the DLL is a ring 3 DLL, so you shouldn't have that many problems... and there's no real 'fear' coming from kernel debugging... jump in, get your feet wet... what's the worst that can happen? BSOD... and worst worst case, hosing the system, so maybe use VMware or something first...

  7. #22
    popierdulka (Guest)
    I tried IDA on your advapi32.dll version 2, as you can see:

    77DE880C FF 15 A8 11 DD 77 call ds:NtQuerySystemInformation
    77DE8812 E9 E9 CA 05 00 jmp loc_77E45300 ==>

    -------------------------------
    77E45300 loc_77E45300: ; CODE XREF: SystemFunction035+35j
    77E45300 68 20 00 00 00 push 20h
    77E45305 E8 22 00 00 00 call sub_77E4532C
    77E4530A 54 push esp
    77E4530B db 65h
    77E4530B 65 73 74 jnb short near ptr word_77E45382
    77E4530E 5F pop edi
    77E4530F 43 inc ebx
    77E45310 53 push ebx
    77E45311 50 push eax
    77E45312 db 2Eh, 64h
    77E45312 2E 64 6C insb

    It looks (IMHO) like something is not OK with this code?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  8. #23
    If you take a look in the memory dump at this piece of code, you can find out what it is.
    As I remember, I used that CALL technique to push the address of a string on the stack....
    I mean something like this (only a sample):
    ----
    CALL loading
    db "123.dll",0
    loading:
    CALL LoadLibraryA
    ----

    Regards
    I should look out my posts,Or JMI will get mad at me! ;)
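    The "call over an inline string" shape Hero sketches above (and the variant in the IDA listing earlier, where the string sits right after the call and is consumed as the call's return address) is easy to misread in a disassembler but also easy to spot heuristically. The following is an added example, not code from the thread: a scanner over raw x86 bytes that flags an `E8 rel32` immediately followed by a NUL-terminated printable string, and classifies a hit as "skip" when rel32 lands exactly past the string (Hero's sample) or "inline" otherwise. The byte buffer is constructed for the demonstration; the import slot address and the rel32 distances in it are placeholders.

```python
import struct
from typing import List, Tuple

# Constructed sample: Hero's "call over the string" shape, then the shape from
# the IDA listing where the string is placed as the call's return address.
SAMPLE_CODE = (
    b"\x55"                          # push ebp
    + b"\xE8\x08\x00\x00\x00"        # call +8 -> lands right after the string
    + b"123.dll\x00"                 # inline data; its address is now on the stack
    + b"\xFF\x15\x00\x10\x00\x10"    # call ds:[10001000h] (placeholder import slot)
    + b"\x68\x20\x00\x00\x00"        # push 20h
    + b"\xE8\x00\x01\x00\x00"        # call +256 -> a subroutine elsewhere
    + b"Test_CSP.dll\x00"            # "return address" that is really a string
    + b"\xC3"                        # ret
)


def find_call_over_string(code: bytes, min_len: int = 4,
                          max_len: int = 64) -> List[Tuple[int, str, str]]:
    """Return (call_offset, kind, text) for each E8 followed by an ASCII string.

    kind is "skip" when rel32 == len(text) + 1, i.e. the call jumps exactly past
    the string so the pushed return address points at it; otherwise "inline".
    """
    hits = []
    for i in range(len(code) - 4):            # need 5 bytes for E8 rel32
        if code[i] != 0xE8:
            continue
        rel = struct.unpack_from("<i", code, i + 1)[0]
        start = i + 5
        end = code.find(b"\x00", start, start + max_len + 1)
        if end < 0:
            continue                           # no terminator within bounds
        text = code[start:end]
        if len(text) < min_len or not all(0x20 <= b < 0x7F for b in text):
            continue                           # not a printable C string
        kind = "skip" if rel == len(text) + 1 else "inline"
        hits.append((i, kind, text.decode("ascii")))
    return hits


if __name__ == "__main__":
    for off, kind, text in find_call_over_string(SAMPLE_CODE):
        print(f"{off:#06x}: call followed by {kind} string {text!r}")
```

    A linear disassembler stops being useful at the first hit because it decodes the string bytes as instructions (the `db 65h` / `jnb` / `insb` lines in the earlier listing are exactly that), so a byte-level heuristic like this, or a dump of the raw memory as Hero suggests, is the quicker way to recognise the construct when reviewing an unexpected modification to a system DLL.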

  9. #24
    popierdulka (Guest)
    Quote Originally Posted by Hero
    If you take a look in the memory dump at this piece of code, you can find out what it is.
    ....
    Regards
    You are right - I was too lazy (quick) :-)
    Just to be clear, I have done it again and now it looks OK.

    --------------------------------
    xor edi, edi
    call ds:NtQuerySystemInformation
    jmp for_Heros_only ==>
    SystemFunction035 endp ; sp-analysis failed

    ; --------------------------------------------------------------------------
    db 2 dup(90h)
    ; --------------------------------------------------------------------------
    ; START OF FUNCTION CHUNK FOR Chek_if_i_am_hero

    SystemFunction035_ret1: ; CODE XREF: Chek_if_i_am_hero+18j
    jnz short loc_77DE8827
    cmp [ebp-21Fh], bl
    jz SystemFunction035_ret_OK

    loc_77DE8827: ; CODE XREF:


    ; START OF FUNCTION CHUNK FOR SystemFunction035

    for_Heros_only: ; CODE XREF: SystemFunction035+35j
    push 20h ; strings length
    call Chek_if_i_am_hero ; push name_of_Hero_dll
    ; --------------------------------------------------------------------------
    +name_of_Hero_dll db 'Test_CSP.dll',0
    ; END OF FUNCTION CHUNK FOR SystemFunction035
    db 0
    + dd 5 dup(0)

    ; =============== S U B R O U T I N E ======================================


    Chek_if_i_am_hero proc near ; CODE XREF: SystemFunction035+5CB28

    arg_8 = dword ptr 0Ch

    ; FUNCTION CHUNK AT .text:77DE8819 SIZE 000000DC BYTES

    mov eax, [esp+arg_8]
    push eax ; actual dll name
    call near ptr 7C919F6Bh ; ntdll!_strnicmp:
    or eax, eax
    jz short hero_was_there
    add esp, 0Ch
    cmp byte ptr [ebp-220h], 1
    jmp SystemFunction035_ret1
    ; --------------------------------------------------------------------------

    hero_was_there: ; CODE XREF: Chek_if_i_am_hero+Cj
    add esp, 0Ch
    jmp SystemFunction035_ret_OK
    Chek_if_i_am_hero endp ; sp-analysis failed

    ---------------------------------------------------

    So maybe there are problems with the stack? advapi32 uses the so-called
    "security_check_cookie" on the stack and if something is wrong it stops the process.

    Maybe something with the call to ntdll!_strnicmp? (stack, registers?)
    To check, you can 'nop' this call and see what happens then?

    regards
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  10. #25
    popierdulka (Guest)
    Quote Originally Posted by popierdulka
    You are right - I was too lazy (quick) :-)
    /...../
    Maybe something with the call to ntdll!_strnicmp? (stack, registers?)
    To check, you can 'nop' this call and see what happens then?

    regards
    I am interested in this because I am digging into this problem too :-)
    The possible explanation is that some addresses are hard coded in the boot process
    and if you extend advapi32 other things have to move => this problem?
    So I have another idea for you, if you are still interested in this?
    As we know there are now two public keys in advapi32.dll, so
    why not use one of them for your purpose?

    If you are crazy (like I am) you may try to sign your DLL yourself :-)
    But my idea for you is to use the space used by public key no. 2 (it is about
    0x88 bytes). We do not need this key (IMO). So we have space
    (about 100 bytes) inside the DLL without changing the length of any section.

    regards
    I promise that I have read the FAQ and tried to use the Search to answer my question.
