
Thread: our old friend LordPE

  #1 evaluator (Musician member; joined Sep 2001; 1,521 posts; 1 blog entry)

    our old friend LordPE

    As I noted, our old friend tool LordPE works poorly on W10, so I disas/reas/sembled it and fixed things :)

    1. there are too many processes on W10, so the PID buffer was increased to 256 and the module count to 512
    2. PROCS.DLL no longer tries to use PSAPI.DLL
    3. fixed icon loading in the upper panel
    changes are marked with '<<<' in the source
    4. added code to prevent REALIGN of DRIVER files.
    5. fixed unwanted behavior where LP silently updates the PE header, which is bad for signed files.

    checked systems under VBOX: W98SE, XPsp3, W7_64, W10_32.

    remarks:
    1. if you see that a process's base & size are null, that means access denied. Also, on 64-bit Windows all 64-bit processes will show so.
    2. but on 32-bit Windows you can also see many access-denied processes. Here you can try starting LP with Admin privilege, so many more processes will be accessible.
    Last edited by evaluator; April 21st, 2020 at 03:54. Reason: update
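Item 1 of the post above raises a fixed buffer to 256 PIDs, and the remarks describe the processes whose base and size come back null. The following is an added example, not LordPE's or evaluator's code: it shows the buffer-growth loop that removes the cap entirely, plus the two failure modes behind a null base/size (OpenProcess access denied, and a 64-bit target enumerated from a 32-bit caller). It assumes Python 3 with ctypes; the Win32 calls only run on Windows, and the names `enumerate_pids`, `fake_enum_factory`, `win_enum_once` and `main_module`, as well as the made-up PID list used offline, are mine.

```python
import ctypes
import sys


def enumerate_pids(enum_once, initial_capacity=256, max_capacity=1 << 16):
    """Call enum_once(capacity) -> (pids, returned) with a growing buffer until it is
    known to have been big enough.  EnumProcesses reports how many bytes it wrote,
    never how many it needed, so returned == capacity is the only "too small" signal."""
    capacity = initial_capacity
    while True:
        pids, returned = enum_once(capacity)
        if returned < capacity:
            return pids
        if capacity >= max_capacity:
            raise RuntimeError("process list exceeds %d entries" % max_capacity)
        capacity *= 2


def fake_enum_factory(total):
    """Constructed stand-in for EnumProcesses used for offline testing: it fills at
    most `capacity` slots with made-up PIDs and reports only what it wrote."""
    def enum_once(capacity):
        written = min(total, capacity)
        return [4 * (i + 1) for i in range(written)], written
    return enum_once


if sys.platform == "win32":
    from ctypes import wintypes

    PROCESS_QUERY_INFORMATION = 0x0400
    PROCESS_VM_READ = 0x0010
    ERROR_ACCESS_DENIED = 5
    ERROR_PARTIAL_COPY = 299  # EnumProcessModules: 32-bit caller, 64-bit target

    class MODULEINFO(ctypes.Structure):
        _fields_ = [("lpBaseOfDll", ctypes.c_void_p),
                    ("SizeOfImage", wintypes.DWORD),
                    ("EntryPoint", ctypes.c_void_p)]

    _k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    _psapi = ctypes.WinDLL("psapi", use_last_error=True)
    _k32.OpenProcess.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
    _k32.OpenProcess.restype = wintypes.HANDLE
    _k32.CloseHandle.argtypes = [wintypes.HANDLE]
    _psapi.EnumProcesses.argtypes = [ctypes.POINTER(wintypes.DWORD), wintypes.DWORD,
                                     ctypes.POINTER(wintypes.DWORD)]
    _psapi.EnumProcessModules.argtypes = [wintypes.HANDLE, ctypes.POINTER(wintypes.HMODULE),
                                          wintypes.DWORD, ctypes.POINTER(wintypes.DWORD)]
    _psapi.GetModuleInformation.argtypes = [wintypes.HANDLE, wintypes.HMODULE,
                                            ctypes.POINTER(MODULEINFO), wintypes.DWORD]

    def win_enum_once(capacity):
        """One EnumProcesses call with a buffer of `capacity` DWORDs."""
        buf = (wintypes.DWORD * capacity)()
        returned_bytes = wintypes.DWORD(0)
        if not _psapi.EnumProcesses(buf, ctypes.sizeof(buf), ctypes.byref(returned_bytes)):
            raise ctypes.WinError(ctypes.get_last_error())
        n = returned_bytes.value // ctypes.sizeof(wintypes.DWORD)
        return list(buf[:n]), n

    def main_module(pid):
        """((base, size), None) for the first module, or (None, reason): the reasons are
        exactly the cases where LordPE shows a null base/size."""
        h = _k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
        if not h:
            err = ctypes.get_last_error()
            return None, ("access denied" if err == ERROR_ACCESS_DENIED
                          else "OpenProcess error %d" % err)
        try:
            mod = wintypes.HMODULE()
            needed = wintypes.DWORD(0)
            if not _psapi.EnumProcessModules(h, ctypes.byref(mod), ctypes.sizeof(mod),
                                             ctypes.byref(needed)):
                err = ctypes.get_last_error()
                return None, ("64-bit target from 32-bit caller" if err == ERROR_PARTIAL_COPY
                              else "EnumProcessModules error %d" % err)
            mi = MODULEINFO()
            if not _psapi.GetModuleInformation(h, mod, ctypes.byref(mi), ctypes.sizeof(mi)):
                return None, "GetModuleInformation error %d" % ctypes.get_last_error()
            return (mi.lpBaseOfDll or 0, mi.SizeOfImage), None
        finally:
            _k32.CloseHandle(h)

    if __name__ == "__main__":
        for pid in enumerate_pids(win_enum_once):
            info, reason = main_module(pid)
            print(pid, "base=%#x size=%#x" % info if info else reason)
```

Run it once normally and once from an elevated prompt to see the "access denied" rows shrink, which is the second remark above; the "64-bit target" rows stay until the script itself runs in a 64-bit interpreter.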

  #2
    Quote Originally Posted by evaluator:
    As I noted, our old friend tool LordPE works poorly on W10, so I disas/reas/sembled it and fixed things
    Thanks eval.

    W10 has some uses. When I was trying to set up a kernel mode session between a laptop with W7 via a serial port, I needed to get it running in W10 first, then it worked on W7. Now I am trying to get the same session going with XP so I can check out softice and why it is having trouble running with modern video cards.

    Got a serial connection established with HyperTerminal on both ends between laptop and desktop running XP. Remember Z-modem?

  #3 Kayaker (Teach, Not Flame; joined Oct 2000; 4,149 posts; 5 blog entries)
    Trickeries huh? <src> is creation of dll exports for naming?

    I'm more interested in how RosAsm is used to recompile an existing exe.
    Did you parse out the asm text and use it at rebuilding a complete .ASM file?
    If so what did you use to extract the source asm code? IDA? other?

    I see where you increased the buffer sizes in BuildProcessList, BuildModuleHandleList. Did you create named dll exports just for convenience and to highlight the modified code?

    It seems to run fine on Win7x64. So, improvements? yeah for sure. x64 support for at least the main window in displaying image base/size values for all processes, and also traversing the export directories.


    As an aside, Detect It Easy (github) packer detector produces asm disassembly like this, plus other source info:

    Code:
    Code0401000: A0:    37351    10
        push ebp    37363    c
        mov ebp esp    37371    f
        sub esp 08    37382    e
        call 'KERNEL32.GetCurrentProcessId'    37392    27
        mov D$ebp-04 eax    373bb    14
        mov eax D$fs:030    373d1    14
        xor eax D$ebp-04    373e7    14
        mov D$ebp-08 eax    373fd    14
        mov eax D$ebp-08    37413    14
        mov esp ebp    37429    f
        pop ebp    3743a    b
        ret    37447    7
    ALIGN 16    37452    8
    Code0401030: E8:    3745e    10
        push ebp    37470    c

    MASM 64 is alive and well

    http://masm32.com/board/index.php?board=53.0

  #4
    Quote Originally Posted by Kayaker:
    MASM 64 is alive and well
    Thanks for the link K. There's a good link on there to an excellent article on x64 code and Vista by Daniel Pistelli. Maybe you have seen it.

    https://www.codeproject.com/Articles/17263/Moving-to-Windows-Vista-x64

  #5 evaluator (Musician member; joined Sep 2001; 1,521 posts; 1 blog entry)
    Kayaker,

    >>Trickeries huh? <src> is creation of dll exports for naming?
    I did not understand the question.

    >>I'm more interested in how RosAsm is used to recompile an existing exe.
    It has a built-in disassembler, so when you open a non-RosAsm exe, it will try to disassemble it. Then very few things need to be corrected manually for simple executables. RSRC will be included in the output except some info (named resources, big icon); it can be fixed, I am lazy.
    So I made a small LP icon and included it.

    >>Did you create named dll exports just for convenience and to highlight the modified code?
    Exports in an exe? Yes, it is good for Olly!

    Now LP needs some fix for icon loading.
    edit:
    So, LP tries to get the icon from only the exe name, while we need the full path. Let's add some code.
    edit:
    OK, done with the tricky code insertion. Newer second attachment.
    Now we need to check on which systems it will run properly.
    checked systems under VBOX: W98SE, XPsp3, W7_64, W10_32.
    Last edited by evaluator; April 7th, 2020 at 02:02. Reason: update

  #6 evaluator (Musician member; joined Sep 2001; 1,521 posts; 1 blog entry)
    Well, removed exports and relocs & re-uploaded the attachment. BTW, we can play with another toy :)

  #7
    Quote Originally Posted by evaluator:
    Kayaker, >>I'm more interested in how RosAsm is used to recompile an existing exe.
    I am more interested in how to download the damned app. I went to their site at tapatalk and spent 15 minutes trying to find the download link. When I pressed the link I was stopped by a window saying "Pardon the interruption"...they want me to use my email account to sign in.

    Well, sorry, that is not an interruption it is a downright blockade. In other words, if you don't sign up you can't d/l the app. In that case, I'm not interested. VMware asks for an email addy but they are a large, well known outfit I think is trustworthy. I am not going to hand out personal info to anyone on the Net who demands it. If I d/l their app, and like it, I might go back and join their forum. I could use a fake email account and make up a password but I'm so loaded down with passwords it's not worth it in this case. Besides, they are so loaded down with ads they are likely trying to use me as a target for their ad-driven revenue.

    As to kayaker's question, I am pondering that myself considering the amount of work it takes with a great disassembler like IDA to get a large disassembly back to the state where an assembler could re-assemble it. Evaluator revealed it is good with smaller apps but what about with larger apps?

    Nevertheless, I appreciate evaluator fixing LordPE to work on W10. Thanks again.

  #8 Kayaker (Teach, Not Flame; joined Oct 2000; 4,149 posts; 5 blog entries)
    Lol, I had the same annoyance with tapatalk. Tried d/l an older version from github and once again Avast/Firefox wouldn't let me because it thinks one of the files in the rar archive is malware.

    Hell of a way to promote rosasm use. I remember the flame wars with rosasm from way back, I avoided it then, not sure if I'd like it now, but the potential for modifying programs with it is still interesting.

  #9 evaluator (Musician member; joined Sep 2001; 1,521 posts; 1 blog entry)
    Hey, for RosAsm you can go to 'my' branch release page at GitHub https://github.com/rosasmje/rosasm2052f which is mentioned by myself on http://www.woodmann.com/collaborative/tools/index.php/RosAsm :)

    BTW, does 16Edit.exe from the LordPE folder have problems showing its window?? It hides the window and hangs..
    edit: ah, the problem was from an old 16Edit.ini file, just delete it
    Last edited by evaluator; April 7th, 2020 at 22:22.

  #10
    Quote Originally Posted by evaluator:
    Hey, for RosAsm you can go to 'my' branch release page at GitHub
    Thanks, eval, appreciate it.

    I'll check it out. Have a question about whether I can use Rosasm to help with the following problem.

    In one of my posts I'm looking at adding LAN functionality to XP. Problem is, I have a newer mobo with an Intel 300-series chipset B360 and only W7 driver INF files list the i219-v LAN driver. There is so much more information in the W7 INF file than what is in the XP INF file and it does not seem such a good idea to simply mod the XP INF by adding the i219-v hardware ID.

    The W7 LAN driver is not compatible with XP because it has at least 7 functions that are missing in XP ntoskrnl and about 30 missing from XP ndis.sys. Several methods have been suggested to fix this, the most appealing one being to create a dll with the missing functions and call them as required for XP ntoskrnl and XP ndis. Some of the functions may not be required.

    Some guys on another site have claimed to disassemble XP system files and add the missing functions. Not sure how they are doing that but it has something to do with converting a binary to C++ then somehow recompiling it using assembler.

    Would Rosasm have such capabilities?

    ps. if you wonder why I'm messing around with an old OS like XP, there is a method in my madness. I can run sice in a VM but there are times when I need to trace through the drivers of real hardware, like on this new mobo. I'd like to run sice on XP in the new mobo. Right now I can't because the universal driver won't work on the new hardware. I use an NVidia GT-730 and I'd like to setup a kernel mode debug session with windbg on W7 on a host machine and start sice on the target so I can trace into it and see what's happening. That's if I ever get the k-mode session going between host and target.

    I can use windbg but I've had no luck single-stepping into ring 0 with it. When I try to step into sysenter it kicks me out the other end. I could use a BP, if I knew where to BP. Sometimes I brute force my way through using single-stepping, trying to make sense of the code as I go. For example, I once used sice to BP on a mouse click then traced through the mouse driver and ring 0 to get into a DirectX app from the back end. I got in the front door by normal means, from OEP, till just after ShowWindow where the DX app was initialized. You can put it in window mode during initialization then it acts just like another window.

    Besides, it's fun getting XP running on modern hardware. It's currently very stable and is so fast it's hard to tell the difference at times between XP, W7, and W10. I know the difference and the limitations of XP, but used within its limits it's running pretty well for an old OS.
    Last edited by WaxfordSqueers; April 8th, 2020 at 22:17.

  #11 evaluator (Musician member; joined Sep 2001; 1,521 posts; 1 blog entry)
    From your other posts I somehow understood what you want.. so about dis-re-assembly of the whole ntoskrnl, better forget it, because you can't be sure the reassembly is correct. This is why I wrote about little files: you can easily review little code and correct it. But.. yes, you can also review and correct big code.. but in what time?? :) And how can you check correctness if you can't debug??
    And those claimants of reassembly of the system.. what if they just have the src of XP?..
    I recommend seeking other ways. What if.. (can W7 ntoskrnl + required files run on XP?)..
    Also, if you want speed, let's cut down a new system instead of jumping back.
    Isn't it better to reassemble/patch a game than a system?
    Last edited by evaluator; April 9th, 2020 at 02:42.

  #12
    Quote Originally Posted by evaluator:
    ...you can also review and correct big code.. but in what time?? And how can you check correctness if you can't debug??
    I am currently trying to get XP running as a target for windbg using a W7 host via a COM port. When I run W7 as target, the process breaks early in the boot processes so theoretically I could debug from there since ntoskrnl is the first module loaded. There would be no need to interfere with the boot code part of ntoskrnl.

    When I disassemble ntoskrnl in IDA then reference each export to ntoskrnl in a hex editor, I can see that each export code set follows the export code before with no spaces between. I have not checked yet how the exports are referenced. I have worked with import tables...not a lot...but I got a good idea of how the imports are referenced and how you can manipulate the import table. Don't know about ntoskrnl and its exports.

    Elenil has suggested creating an external dll with all the exports in it. We have not taken it further because I have been busy cleaning up the XP installation. I would like to be able to debug it with windbg so I can see what is going right or going wrong. It is taking time. Ntos is not the main problem, it is ndis.sys, which has about 30 missing exports. If I can use the W7 drivers it creates another headache since with W7, ndis.sys calls another module that XP does not have.

    So, if ntos is disassembled, and only about 7 missing functions from W7 are added to the code, could it be re-assembled? I have checked with Depends to see which exports are missing from ntos and they are fairly minor, like a variation of _memcpy that deals with buffers. I am concerned about any function calling out within the export but according to depends there are no calls to other exports or imports other than what is expected.

    Of course, I understand that if a reassembly changes the ordinals/offsets, I am in trouble. However, going into that might help with the sice files (OSINFO????) that were issued after each XP service pack to adjust for changes in the ordinals/offsets. I have always wanted to figure out what those files did.

    BTW...there's source code for ntoskrnl floating around the Net but I have no idea which OS it comes from. I think it's in C, if I remember correctly.

  #13 Kayaker (Teach, Not Flame; joined Oct 2000; 4,149 posts; 5 blog entries)
    Quote Originally Posted by evaluator:
    changes are marked with '<<<' in the source
    I see what you mean now, I think, when Rosasm recompiles it embeds the source code in the file. That's why it's so big.

    So I get this error when I try to open the original last version LordPE

    RosAsm, The Bottom-Up Assembler -V.2.053g-
    Service Pack 1 Build 7601 Home Edition

    Exception occurred at address 008660C5.
    Access Violation! Attempt to read from address 36F06957.

    EAX=36F06957
    EBX=00509868
    ECX=00000002
    EDX=00000002
    ESI=03820020
    EDI=00444488
    EBP=0018FDF8
    ESP=0018FDEC
    which might be here in RosAsm2053g.exe

    Code:
    .text:008660A7                   sub_8660A7      proc near 
    .text:008660A7
    .text:008660A7                   arg_0           = dword ptr  8
    ...
    .text:008660C5                  cmp     dword ptr [eax], 4550h
    On another 32 bit app open but no modifications it recompiles a new file prefixed with "My", but the program crashes on a C0000005.

    I don't know how to use this yet but it looks interesting.

  #14
    Quote Originally Posted by Kayaker:
    Code:
    .text:008660C5                  cmp     dword ptr [eax], 4550h
    May be a stupid, obvious question but why is it trying to read the PE header, 4550h, at address EAX=36F06957? Is that address in a system file containing address 36F06957? Doesn't sound like an address for an app loaded in user mode.
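The `cmp dword ptr [eax], 4550h` in the listing above is the "PE\0\0" signature test that every PE tool starts with, and items 4 and 5 of the first post (refuse to realign drivers; do not silently rewrite the header of a signed file) are decisions that hinge on a few more header fields. The following is an added example, not LordPE's, RosAsm's or any poster's code: a minimal PE header parser that walks MZ, e_lfanew, PE signature, COFF and optional header, then returns the fields a realign/rebuild step must check, together with the refusal rule. It assumes Python 3 only; `parse_pe`, `realign_blocked`, `build_minimal_pe` and the constructed header bytes are mine, and treating "Subsystem == NATIVE" as "driver" is a heuristic, not something the thread states.

```python
import struct

# Constants from winnt.h
IMAGE_DOS_SIGNATURE = 0x5A4D          # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550       # "PE\0\0", the 4550h compared against in the listing
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
IMAGE_SUBSYSTEM_NATIVE = 1            # used by kernel-mode drivers (heuristic for "driver")
IMAGE_DIRECTORY_ENTRY_SECURITY = 4    # Authenticode certificate table


class PEError(ValueError):
    pass


def parse_pe(data):
    """Return the header fields a realign/rebuild tool must inspect before writing."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise PEError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 + 20 > len(data):          # signature + COFF header must fit
        raise PEError("e_lfanew points outside the file")
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise PEError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt + opt_size > len(data):
        raise PEError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        n_dirs_off, dirs_off = 92, 96
    elif magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        n_dirs_off, dirs_off = 108, 112
    else:
        raise PEError("unknown optional header magic 0x%X" % magic)
    # SectionAlignment/FileAlignment/CheckSum/Subsystem sit at the same offsets in PE32 and
    # PE32+: PE32+ drops BaseOfData to make room for the 8-byte ImageBase.
    section_align, file_align = struct.unpack_from("<II", data, opt + 32)
    checksum = struct.unpack_from("<I", data, opt + 64)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    n_dirs = struct.unpack_from("<I", data, opt + n_dirs_off)[0]
    sec_off, sec_size = 0, 0
    sec_entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY and sec_entry + 8 <= opt + opt_size:
        sec_off, sec_size = struct.unpack_from("<II", data, sec_entry)
    return {
        "machine": machine, "sections": nsections, "characteristics": characteristics,
        "pe32plus": magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC,
        "section_align": section_align, "file_align": file_align,
        "checksum": checksum, "subsystem": subsystem,
        "security_offset": sec_off, "security_size": sec_size,
    }


def realign_blocked(info):
    """Reason a realign/rebuild should be refused, or None when it may proceed."""
    if info["subsystem"] == IMAGE_SUBSYSTEM_NATIVE:
        return "driver (native subsystem)"
    if info["security_offset"] and info["security_size"]:
        # The Authenticode hash covers all header and section bytes except CheckSum, this
        # directory entry and the certificate table itself, so a rewritten header breaks it.
        return "signed (certificate table present)"
    return None


def build_minimal_pe(pe32plus=False, subsystem=2, signed=False, file_align=0x200):
    """Constructed sample headers for offline testing; this is not a real executable."""
    opt_size = 240 if pe32plus else 224                       # 16 data directories
    n_dirs_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR64_MAGIC if pe32plus
                     else IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<II", opt, 32, 0x1000, file_align)      # SectionAlignment, FileAlignment
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, n_dirs_off, 16)
    if signed:  # pretend a certificate table lives after the last section
        struct.pack_into("<II", opt, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x800, 0x1A0)
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, 0x0002)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

The bounds checks on `e_lfanew` and the optional header size are what the crashing RosAsm code path lacks: it dereferences `[eax]` for the 4550h test before proving that the pointer lies inside the mapped file, which is one way to end up reading from an address like the one in the exception dump.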

  #15 evaluator (Musician member; joined Sep 2001; 1,521 posts; 1 blog entry)
    Quote Originally Posted by Kayaker:
    So I get this error when I try to open the original last version LordPE
    Let's sync, did you miss my 'writings' about my branch of RosAsm? Go there. I corrected a lot of things in RosAsm.
    If recompilation is successful, it does not mean the code is correct; the next step is an audit.
    edit: my branch's first click recompile runs
    Last edited by evaluator; April 10th, 2020 at 07:51.
