
Thread: The dream is 'really higher up'... :P

  1. #1
    |< x != '+' BanMe's Avatar
    Join Date
    Oct 2008
    Location
    Farmington NH
    Posts
    510
    Blog Entries
    4

    just because.. :o

    OK so this is a 'blog' entry..what defines a blog? Usually it's written by 1 person with some lore about something..sometimes it contains insight into the person writing it, and sometimes it's just nothing..well that isn't how I roll..The dark scowl, calculating eyes, and the 'fuck it I'll help' attitude. Sometimes it shortens, but I am not perfect..

    So google the Shellcoder's Handbook, find that code and review it; the first chapter's code available is the triangle function..

    and the rules changed.. o0

    1. no nulls
    2. api can be used, but only apis from kernel32 and ntdll. they should be accessed using 'funner' tactics than hashing the names, and not just signature finding..(think beside the box..)
    3. a console program is the aim..yea ..
    4. not malicious or insane (at least make it insanely understandable...)
    5. should use pic (position independent code) without a data or relocation section...(thats the 'fun' one..)
    6. the code should be able to 'modify itself'...

    avoid using PEB_LDR_DATA...unless you can 'peb link stack memory'; in that case pass it on over..I want to see..

    So conceptually, compiling the first chapter's code to fastcall...(ie I didn't really do this 'yet').. This function would take width in ecx and height in edx, multiply them, divide by 2, and return the result..I think I can get it to take input from the user into ecx and edx and display the result.

    Essentially I want to pillage data to find code..so all 'normal' programs use relocations for the usage of data in code..now it's just a simple measure of finding the proper signature around that data.. :d
    Last edited by BanMe; March 18th, 2011 at 18:17.

  2. #2
    It is a bursting graph. Part of one instruction creates a new one. Disassemblers cannot handle this.

  3. #3
    BanMe
    I need more than that to decipher what you are saying..

    Bursting graph? with instructions?

    Code:
    mov eax,ebx ;o0 
    call 0fffffffa
    more please
    No hate for the lost children;
    more love for the paths we walk,
    'words' shatter the truth we seek.
    from the heart and mind of Me
    me, to you.. down and across

    No more words from me, to you...
    Hate and love shatter the heart and Mind of Me.
    For the Lost Children;For the paths we walk; the real truth we seek!

  4. #4
    Quote Originally Posted by BanMe View Post
    I need more then that to decipher what you are say..

    Bursting graph? with instructions?
    Now you can feel what others feel when reading your posts.

  5. #5
    BanMe
    what do you want?

    Because "I" feel like "I" am wanting 'more'..If that is what you want I can most certainly elaborate more...

    So I will dissect what I was 'requesting more of' to 'understand it better'..

    Bursting graph| still not overly sure what his meaning of 'bursting' is..But read his posts to find what is usually referred to as the 'graph'...

    Part of Instruction makes new.|
    see code below 'COPY it in masm and compile and debug it'..then if you don't see it..congratulate yourself.

    Disasm's cannot handle this|
    olly and some others interpret this type of code wrongly...

    I still need to convert masm's stdin/stdout from masm32.lib, convert ascii input to the numeric equivalents, and then filter and limit input to prevent overflow and text entry..but this shouldn't be too hard..

    Thank you for answering..I was not wanting a flame war..

    So the above is still under heavy development and redevelopment, and I am striving to not have 'any' 0's or data in 'my' code..this doesn't yet apply to the 'code' from 'libs' I am using but I will slowly convert them as well..

    I found a great board game and a decent website for console IO..The game is called c-jump and there are numerous lectures and macros and exams..

    http://www.c-jump.com/CIS77/MLabs/M08console/lecture.html

    MLabs dir is access denied and so is CIS77..but there is a lot of other information available that you don't have to 'dig' out..
    Last edited by BanMe; March 17th, 2011 at 19:40.

  6. #6
    BanMe
    Code:
    $	8B
    $+1	C3
    [$]: mov eax,ebx
    [$ + 1]: ret

    - It's two flows (at this point the graph bursts; disassembly is terminated because the address is already described). Such code can consist of many instructions (e.g. have 3 flows).
    Last edited by Indy; March 16th, 2011 at 01:40.

  7. #7
    BanMe
    Thank you for clarifying more..Sorry 'I' had to ask.. :/

    Do you have any examples of 3 or more instruction flows or any papers that discuss them, as that seems like a good 'defense' against people that don't completely understand assembly, as well as a great minimalistic tactic for including 'more' with less..

  8. #8
    This code is very difficult to create, especially if it consists of many flows. Here is a simple example:
    8D 54 08 04 8A 02 2A C3
    Flow1:
    Code:
    $	8D5408 04		lea edx,dword ptr ds:[eax+ecx+4]
    $+4	8A02			mov al,byte ptr ds:[edx]
    $+6	2AC3			sub al,bl
    Flow2:
    Code:
    $+2	08048A			or byte ptr ds:[edx+ecx*4],al
    $+5	022A			add ch,byte ptr ds:[edx]
    $+7	C3			ret
    Flow3:
    Code:
    $+3	04 8A			add al,8A
    $+5	022A			add ch,byte ptr ds:[edx]
    $+7	C3			ret
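
    The three listings above come out of one run of eight bytes, and post #6 calls the point where a second flow starts inside an already-decoded instruction a bursting graph. As an added example (my code, not Indy's or BanMe's), here is a Python decoder for just the opcodes used in posts #6, #8 and #9, with a recursive-descent sweep that records which instruction owns each byte. The opcode subset, 32-bit addressing with no prefixes, and the two sample byte strings (copied from posts #8 and #9) are the only assumptions. flow() reproduces Flow1..Flow3 from the same eight bytes; sweep() on the mov eax,ebx / call -6 / ret prologue from post #9 reports the call landing at offset 1, inside the already-decoded mov, which is exactly the address where a disassembler that allows one owner per byte stops.

```python
# Added example, not code from the thread: toy x86-32 decoder for the opcodes in
# posts #6, #8 and #9 (32-bit addressing, no prefixes) plus a recursive-descent sweep.
R32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
R8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]
# opcode -> (mnemonic, operand size in bits, register operand written first)
TWO_OPERAND = {
    0x02: ("add", 8, True),   # add r8, r/m8
    0x08: ("or", 8, False),   # or  r/m8, r8
    0x2A: ("sub", 8, True),   # sub r8, r/m8
    0x8A: ("mov", 8, True),   # mov r8, r/m8
    0x8B: ("mov", 32, True),  # mov r32, r/m32
    0x8D: ("lea", 32, True),  # lea r32, m
}
# Samples copied from the thread: post #8's eight bytes holding three flows, and the
# get_title prologue of post #9 (mov eax,ebx / call -6 / ret) whose call lands on C3.
THREE_FLOWS = bytes.fromhex("8D5408048A022AC3")
GETPC = bytes.fromhex("8BC3E8FAFFFFFFC3")

def _modrm(code, i, bits, need_ptr):
    """Decode ModRM (+SIB, +disp) at code[i]; return (reg_text, rm_text, bytes_used)."""
    modrm = code[i]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    regs = R32 if bits == 32 else R8
    if mod == 3:                                    # register-direct form
        return regs[reg], regs[rm], 1
    n, base, index, scale, disp_size = 1, None, None, 1, 0
    if rm == 4:                                     # SIB byte follows
        sib = code[i + 1]
        n, scale = n + 1, 1 << (sib >> 6)
        if (sib >> 3) & 7 != 4:                     # index field 100 = no index
            index = R32[(sib >> 3) & 7]
        if sib & 7 == 5 and mod == 0:               # base 101 + mod 00 = disp32, no base
            disp_size = 4
        else:
            base = R32[sib & 7]
    elif rm == 5 and mod == 0:                      # [disp32]
        disp_size = 4
    else:
        base = R32[rm]
    disp_size = {1: 1, 2: 4}.get(mod, disp_size)    # mod 01 = disp8, mod 10 = disp32
    disp = int.from_bytes(code[i + n:i + n + disp_size], "little", signed=True)  # empty -> 0
    n += disp_size
    parts = [p for p in (base, index and (index if scale == 1 else f"{index}*{scale}")) if p]
    text = "+".join(parts)
    if disp or not parts:
        text += ("-" if disp < 0 else "+" if parts else "") + f"0x{abs(disp):x}"
    ptr = ("byte ptr " if bits == 8 else "dword ptr ") if need_ptr else ""
    return regs[reg], f"{ptr}[{text}]", n

def decode(code, off):
    """Decode one instruction at code[off]; return (text, length)."""
    try:
        op = code[off]
        if op == 0xC3:
            text, n = "ret", 1
        elif op == 0x04:
            text, n = f"add al, 0x{code[off + 1]:02x}", 2
        elif op == 0xE8:                            # call rel32: target = next_ip + rel
            rel = int.from_bytes(code[off + 1:off + 5], "little", signed=True)
            text, n = f"call 0x{(off + 5 + rel) & 0xFFFFFFFF:x}", 5
        elif op in TWO_OPERAND:
            mn, bits, reg_first = TWO_OPERAND[op]
            reg, rm, used = _modrm(code, off + 1, bits, need_ptr=(mn != "lea"))
            text = f"{mn} {reg}, {rm}" if reg_first else f"{mn} {rm}, {reg}"
            n = 1 + used
        else:
            raise ValueError(f"opcode 0x{op:02x} at offset {off} is not in this toy decoder")
    except IndexError:
        raise ValueError(f"instruction at offset {off} is truncated") from None
    if off + n > len(code):
        raise ValueError(f"instruction at offset {off} is truncated")
    return text, n

def flow(code, start):
    """Linear flow from `start` until ret or end of buffer (post #8's Flow1..Flow3)."""
    out, pc = [], start
    while pc < len(code):
        text, n = decode(code, pc)
        out.append((pc, text))
        if text == "ret":
            break
        pc += n
    return out

def sweep(code, entry=0):
    """Recursive descent from `entry` over fall-through and call targets. Returns
    (insns, overlaps): insns maps offset -> text; overlaps lists (offset, owner) for
    every flow that begins inside an earlier instruction, Indy's "bursting graph"."""
    insns, owner, overlaps, work = {}, {}, [], [entry]
    while work:
        pc = work.pop()
        while 0 <= pc < len(code) and pc not in insns:
            if pc in owner:                         # byte already belongs to another insn
                overlaps.append((pc, owner[pc]))
            text, n = decode(code, pc)
            insns[pc] = text
            for k in range(pc, pc + n):
                owner.setdefault(k, pc)
            if text.startswith("call "):
                work.append(int(text.split()[1], 16))
            if text == "ret":
                break
            pc += n
    return insns, overlaps

if __name__ == "__main__":
    for start in (0, 2, 3):
        print(f"flow from +{start}:", flow(THREE_FLOWS, start))
    insns, overlaps = sweep(GETPC)
    print(sorted(insns.items()), "overlaps:", overlaps)
```

    When triaging shellcode, the overlaps list is the thing to look at: any call or jump target that already belongs to an earlier instruction means the linear listing for that region is not what executes, and the region has to be re-decoded from the target.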

  9. #9
    BanMe
    Thank you again..my friend..you're like a book of knowledge..I thank you for sharing as usual..

    it's working..I got an answer for calculating the area of a triangle in shellcode...lol! this and the manual is definitely the most fun way to learn..

    'fo tehm'..(for me?)w/e..if ya'll can't get this one.. read my sig, repeat my sig to yourself....one of you will..'apply the thought'.. hint 'butterflies'... o0
    Code:
    .486
    .model flat,stdcall
    option casemap:none
    code SEGMENT DWORD flat PUBLIC  'text' ;name the code section flat and 'public'..
    include      \masm32\include\windows.inc
    ;include    \masm32\include\ntdll.inc
    include      \masm32\include\kernel32.inc
    include      \masm32\include\masm32.inc
    ;includelib  \masm32\lib\ntdll.lib
    includelib  \masm32\lib\kernel32.lib
    includelib  \masm32\lib\masm32.lib
    
    ScStart:
    assume fs:nothing;yea
    jmp fstart;skipjack over the 'data' 
    fix_end:
        dec esi;go back 1 to 'ff'
        xor dword ptr [esi],0f1f1f1f2h;fix the string..make 0d[carriage return] ,0a[new line],00,00[terminate string]
        pop esi;fix stack: restore the two registers saved on entry
        pop ecx
        ret
    fix_string_code:
        push ecx;save this
        push esi;save this
        xor ecx,ecx;zero ecx
        sub ecx,-21h;make ecx '!'..
    @@:
        lodsb;read byte from [esi] to al esi after op is +1
        cmp al,cl;test byte for '!'...avoid those 0's
        jne @b;inc string string..
        dec cl;make ! into ' '(a space your cant 'see' it..lol)
        mov byte ptr [esi-1],cl;overwrite esi minus 1 with cl(space)
        inc cl;revert cl back to '!'
        lodsb;check if this ! terminates the string next byte should be ff..thats how I made it.. o0
        cmp al,0ffh
        je fix_end
        jmp @b;repeat remove ! and replace with ' '..
    stdin_stack:;yea..
        push esi
        xor ecx,ecx;0
        mov esi,ecx ;esi 0
        sub ecx,-8h;add 8 to 0..
        xor esi,fs:[ecx];read fs:[8] (StackLimit in the TEB's NT_TIB, not StackBase)..
        sub ecx,-0fch;ecx = 8 + 0fch = 104h, the buffer length handed to StdIn
        pop esi;restores esi, so the value read above is thrown away; only ecx survives this call
        ret
    prep_atoi_string:
        xor ecx,ecx;clear
        xor ecx,eax;read eax
        add ecx,-2h;sub ecx 2 for the enter you 'have to hit' (crlf..)
    @@:
        inc esi;inc past 'data' input
        dec ecx;minus 1
        jnz @b
        mov word ptr [esi],cx;over that crlf    
        ret
    get_title:
        mov eax,ebx;8B C3 ..'this terminates disassembly..' the next instruction is a call into the middle of this one (indy showed that..)
        db 0e8h;call
        dd 0fffffffah;rel32 = -6: the target is the C3 byte inside 'mov eax,ebx', a hidden ret
        ret;the hidden ret lands here; in the caller, [esp-8] still holds this ret's address, and +1 is the string
        db 'area!of!triangle!';'!' stands in for each space; fix_string_code swaps them back
        db 0ffh,0fbh,0f1h,0f1h;xor 0f1f1f1f2h in fix_end gives 0dh,0ah,00h,00h (crlf + terminator)
    fstart:
        jmp sstart
    get_width:
        mov eax,ebx
        db 0e8h
        dd 0fffffffah
        ret
        db 'enter!length:!';'!' stands in for each space
        db 0ffh,0fbh,0f1h,0f1h;becomes crlf,00,00 after fix_end
    get_length:
        mov eax,ebx
        db 0e8h
        dd 0fffffffah
        ret
        db 'enter!width:!';'!' stands in for each space
        db 0ffh,0fbh,0f1h,0f1h;becomes crlf,00,00 after fix_end
    sstart:
        call  get_title
        mov esi,dword ptr [esp-8h]
        inc esi
        call fix_string_code
        push esi
        call StdOut
        call get_width
        mov esi,dword ptr [esp-8h]
        inc esi
        call fix_string_code
        push esi
        call StdOut
        call stdin_stack
        push ecx
        push esi
        call StdIn
        push esi
        call prep_atoi_string
        call atodw
        push ecx
        call get_length
        mov esi,dword ptr [esp-8h]
        inc esi
        call fix_string_code
        push esi
        call StdOut
        call stdin_stack
        push ecx
        push esi
        call StdIn
        push esi
        call prep_atoi_string
        call atodw
        mov edx,ecx;store this entry
        pop ecx;get last entry
        mul ecx;mul the 2
        xor ecx, ecx;0
        inc ecx;add 1
        sar eax,cl;divide by 2
        dec ecx;0
        xor ecx,eax;read result
        dec esi;minus a 'word' to fix it up
        dec esi
        push esi;push buffer
        push ecx;push result
        call dwtoa;convert to ascii
        push esi;
        call StdOut;output result
        ret
    code ends
    end ScStart
    I guess the next question is who can make it faster and 'smaller'..(literally 'who' can?) I have a few ideas to make it smaller and 'better'.. but still not many for 'faster' yet...anyone?

    `!```radical thought```!`below caution'...
    the key to this..make code into action and understanding...I try to 'make' a game of it..do you as well?
    Last edited by BanMe; March 26th, 2011 at 10:51.

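    Added example, not code from BanMe's program: the prompt-string encoding that get_title, get_width and get_length use in the listing above, emulated in Python. Each prompt is stored with '!' in place of every space and a trailing '!', followed by the four bytes ff fb f1 f1, so no 0x00 appears in the blob. At runtime fix_string_code rewrites each '!' to a space until the byte after a '!' is the 0xff sentinel, and fix_end xors that dword with 0F1F1F1F2h to produce 0D 0A 00 00 (crlf plus the terminator). The function names and the sample prompts are mine; the constant and the byte layout are the ones in the listing.

```python
# Added example, not code from the thread: encode a prompt the way post #9 stores it
# (no 0x00 bytes anywhere) and emulate the runtime fix-up that restores it.
FIX_KEY = 0xF1F1F1F2                                     # xor dword ptr [esi],0f1f1f1f2h
TERMINATOR = (0x00000A0D ^ FIX_KEY).to_bytes(4, "little")  # == ff fb f1 f1

def encode_prompt(text):
    """Bytes post #9 places after the hidden-ret trick for `text`: spaces become '!',
    a final '!' (a trailing space after fix-up) ends the text, then the masked crlf+00+00.
    Refuses text the scan loop cannot carry ('!' would end the text early, NUL is banned)."""
    raw = text.encode("ascii")
    if b"!" in raw or b"\x00" in raw:
        raise ValueError("text may not contain '!' or NUL")
    blob = raw.replace(b" ", b"!") + b"!" + TERMINATOR
    assert 0 not in blob                                 # the whole point: no null bytes
    return blob

def fix_up(blob):
    """Emulate fix_string_code + fix_end on a copy of the blob and return the result."""
    buf = bytearray(blob)
    i = 0
    while True:
        while buf[i] != 0x21:                            # lodsb / cmp al,'!' / jne @b
            i += 1
        buf[i] = 0x20                                    # mov byte ptr [esi-1],' '
        i += 1
        if buf[i] == 0xFF:                               # lodsb / cmp al,0ffh / je fix_end
            break
    dword = int.from_bytes(buf[i:i + 4], "little") ^ FIX_KEY   # dec esi / xor dword ptr [esi]
    buf[i:i + 4] = dword.to_bytes(4, "little")
    return bytes(buf)

def round_trip(text):
    """Encode, then run the fix-up: the bytes StdOut would print, terminator included."""
    return fix_up(encode_prompt(text))

if __name__ == "__main__":
    blob = encode_prompt("area of triangle")
    print(blob.hex(" "), "->", round_trip("area of triangle"))
```

    The check that matters for rule 1 in the first post is the assert inside encode_prompt: the only place a 00 byte ever exists is in the fixed-up copy, and that copy is produced at run time, inside the program's own bytes, which is also why the text section has to be writable for the listing above to work.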
  10. #10
    One thread - one instruction

    In this sample, at any given time only one instruction is decrypted:
    [attachment: Cry.jpg]

    Cry.zip

  11. #11
    BanMe
    no one 'laughs' enough....do it unto lucidity and then 'pull' the knives out of your own minds...one by one and 'display them'...for the fun of it? thanks for starting the fun :}.. 0's..no fun for you?

    I meant that as a compliment to 'crying'...laugh more and play more, for in your 'playing' you would learn more. :P
    and the other part was 'find the path of most resistance and walk it internally.'.

    Also 'try' to have the lowest amount of zeros.

    But yea I love your code...funny playful and so well presented...and utilized..
    Last edited by BanMe; March 23rd, 2011 at 09:34.

  12. #12
    I do not know what you mean.

    Reading stack memory outside of the stack is prohibited and is a perversion.

    'pull' the knives out of your own minds..
    Your tasks were solved long ago. It has long been known that the best defense against a disassembler is crypting and virtualization.
    Last edited by Indy; March 20th, 2011 at 16:01.

  13. #13
    BanMe
    Scared I am of the path I take...But I am willing to look and adapt to change.

    This is what I am trying to say to any who read my thoughts..Take the 'time' for yourself and find the things that hold you back(road blocks).. Then rip them out and face them, but not only 'face' them, air them out and rethink them..This will change anyone, as it would leave any who tried: open and 'thread'bare to the world, that is what 'I' am so afraid of 'the knowledge that we are so easily misunderstood'...That is a 'terrible thing' and I seem to stumble upon this 'factor' very often.. It always leaves me with a thought to find out 'why' and can it be adapted.

    So pick your own 'poison' and go 'after' it..never stop, falter often, and always question.
    Enjoy your life more and break the 'wheel', just to fix it again..
    Last edited by BanMe; March 26th, 2011 at 13:37.
