Thread: Softice: Hide and Seek

  1. #1

    Softice: Hide and Seek

    Hi all,

    Manual unpacking is quite interesting. But ASPR is one of the best. While tracing the packed code with SoftICE the opcodes just change while tracing. Like

    xxxx:345677 JMP 345679
    xxxx:345681 POP ESI

    If the code looks like this, where does this jump take me? They are hiding their code from SoftICE. How can we tackle such a problem?


    Dipesh
    Still Newbie
    DONT UPLOAD ON EXETOOLS :boo: :boo: ... Upload anywhere else so that everyone can download it... :yay:

  2. #2
    chlankboot
    Guest
    This appears at the entry point (right?). Try to change EIP to 345679.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  3. #3
    While tracing the packed code with the softice the opcodes just change while tracing
    They appear to be changing; they are not. Obfuscation tricks like that have been discussed many, many times before.
    Type CODE ON in SoftICE; the code is always the same.

    xxxx:345677 JMP 345679
    xxxx:345681 POP ESI

    Hmm.. is POP ESI directly after the JMP? (didn't know of a 0xA jump opcode)
    You posted so little information that I'm not even sure what your problem is.

    Do as chlankboot said, or just trace into (F8); you'll realize what's happening.

    Dipesh
    Still Newbie
    then use the newbie section

  4. #4
    Naides is Nobody
    Quote Originally Posted by dipeshrestha
    Hi all,

    Manual unpacking is quite interesting. But ASPR is one of the best. While tracing the packed code with SoftICE the opcodes just change while tracing. Like

    xxxx:345677 JMP 345679
    xxxx:345681 POP ESI

    If the code looks like this, where does this jump take me? They are hiding their code from SoftICE. How can we tackle such a problem?


    Dipesh
    Still Newbie

    As doug said below, it is typical obfuscated code. The trick here is that the instruction xxxx:345677 JMP 345679 jumps to the middle of some instruction, so it changes the assembler reading frame, meaning the next instruction it will execute is NOT POP ESI but whatever instruction happens to be at position xxxx:345679. When you trace it with F8 or F10, you see the code window of SoftICE automagically change to the new instruction frame.

    Read here.
    http://www.cs.arizona.edu/solar/papers/CCS2003.pdf

  5. #5
    dipeshrestha:

    You may also try entering "obfuscation" in the search window at the top of the Forums and you will find a number of threads, going back to the last two years discussing this issue here.

    Regards,
    JMI

  6. #6
    Teach, Not Flame Kayaker's Avatar

    One might even find this

    Simply stated, it is sagacious to eschew obfuscation.
    - Norman Augustine

  7. #7
    And if you enter "code obfuscation" in your favorite search engine, you will find many, many articles and discussions about the obfuscation issue for a great many languages.

    Regards,
    JMI

  8. #8
    Thank you all for giving me an idea about code obfuscation. I will be learning about it now...

    thank you
    dipesh

  9. #9
    chlankboot
    Guest

    "obfuscation" disassembling

    Most packers/encrypters use obfuscation so that it is not possible for disassemblers to do their job correctly; even IDA shows invalid instructions (in red) due to the linear treatment it uses to disassemble the file.
    If the obfuscated code appears at the beginning, you can trace with SoftICE till you reach the real beginning of the code, note the address, and change the entry point of your program to that address.
    Doing so you can disassemble a great part of the file until the next obfuscated block; trace it with SoftICE again, find out the exit address, and patch the file so that you bypass or NOP it. I know this seems very theoretical, but it works; sometimes you have to correct the CRC...
    Finally you'll be able to disassemble the file and analyse the effective code.
    Hope this will help.

    still newbie toooo
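The reading-frame trick explained in post #4 and the linear-disassembly failure described in post #9, as an added example that is not part of the original thread. The toy decoder below knows only the handful of opcodes used in the constructed sample bytes (an assumption of this example, not a general x86 disassembler), and offsets are relative to the buffer, not the xxxx:345677 addresses quoted above. It decodes the same bytes twice: once byte after byte, the way a file disassembler such as IDA's linear sweep does, and once along control flow, the way the CPU (and SoftICE on F8) does, and reports where the two reading frames diverge, which is the address you would note down as the real beginning of code.

```python
"""Overlapping x86 instructions: linear sweep vs. following control flow.

Added example, not from the thread. The decoder only covers the opcodes in
the constructed SAMPLE below (assumption); offsets are buffer-relative.
"""
import struct


def decode(code, off):
    """Decode one instruction at `off`.

    Returns (text, length, kind, target): kind is "jmp" for an unconditional
    short jump (target = where it lands), "ret" for a return, else "plain".
    """
    op = code[off]
    if op == 0xEB and off + 2 <= len(code):          # jmp short rel8 (signed)
        rel = struct.unpack_from("<b", code, off + 1)[0]
        return (f"jmp short {off + 2 + rel:#x}", 2, "jmp", off + 2 + rel)
    if op == 0xB8 and off + 5 <= len(code):          # mov eax, imm32
        imm = struct.unpack_from("<I", code, off + 1)[0]
        return (f"mov eax, {imm:#x}", 5, "plain", None)
    if op == 0x33 and off + 1 < len(code) and code[off + 1] == 0xC0:
        return ("xor eax, eax", 2, "plain", None)    # 33 /r with modrm C0
    if op == 0x5E:
        return ("pop esi", 1, "plain", None)
    if op == 0x90:
        return ("nop", 1, "plain", None)
    if op == 0xC3:
        return ("ret", 1, "ret", None)
    return (f"db {op:#04x}", 1, "plain", None)      # unknown: emit as data


def linear_sweep(code, start=0):
    """Disassembler view: decode instruction after instruction from `start`."""
    listing, off = [], start
    while off < len(code):
        text, length, _, _ = decode(code, off)
        listing.append((off, text))
        off += length
    return listing


def follow_flow(code, start=0):
    """Execution view: decode along control flow, so a jump into the middle
    of an instruction restarts the reading frame at the jump target."""
    listing, seen, off = [], set(), start
    while 0 <= off < len(code) and off not in seen:
        seen.add(off)
        text, length, kind, target = decode(code, off)
        listing.append((off, text))
        if kind == "ret":
            break
        off = target if kind == "jmp" else off + length
    return sorted(listing)


def real_code_start(code, start=0):
    """First executed offset the linear sweep never decodes: where the two
    reading frames diverge. None if the code is not obfuscated this way."""
    linear = {off for off, _ in linear_sweep(code, start)}
    for off, _ in follow_flow(code, start):
        if off not in linear:
            return off
    return None


# Constructed sample modelled on the thread's "JMP ... / POP ESI":
#   0: EB 01            jmp short 3   ; lands one byte into the next instruction
#   2: B8 5E 33 C0 C3   mov eax, 0C3C0335Eh  <- linear sweep swallows the real code
#   3: 5E               pop esi              <- what actually executes
#   4: 33 C0            xor eax, eax
#   6: C3               ret
SAMPLE = bytes.fromhex("EB01B85E33C0C3")

if __name__ == "__main__":
    print("linear sweep (disassembler view):")
    for off, text in linear_sweep(SAMPLE):
        print(f"  {off:04x}  {text}")
    print("control flow (what executes):")
    for off, text in follow_flow(SAMPLE):
        print(f"  {off:04x}  {text}")
    print(f"real code starts at offset {real_code_start(SAMPLE):#x}")
```

The junk byte B8 is the whole trick: a linear sweep treats it as the opcode of a five-byte MOV and swallows POP ESI, XOR, and RET as its immediate, which is why the file disassembler shows nothing sensible after the JMP while a single F8 lands you on POP ESI. Once `real_code_start` (or a trace in SoftICE) gives you that offset, the patch-the-entry-point approach from post #9 applies.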

  10. #10

    Nice tool

    Dear All,

    I have just got a new tool, 'TRACEDUMP', which removes code obfuscation. It is a really nice program that removes code obfuscation and works in conjunction with SoftICE.

    But still learning to work with it.

  11. #11
    Naides is Nobody
    Quote Originally Posted by dipeshrestha
    Dear All,

    I have just got a new tool, 'TRACEDUMP', which removes code obfuscation. It is a really nice program that removes code obfuscation and works in conjunction with SoftICE.

    But still learning to work with it.

    Is that Kayaker's TraceDump?

    In that case you are in trouble because I have exclusive rights for Advertisement and marketing, see here: http://www.woodmann.com/forum/showthread.php?t=5201&highlight=Tracedump

    So that is the real use for Kker's tool! That is remarkable.
