Page 1 of 2 12 LastLast
Results 1 to 15 of 21

Thread: Different paths in different Computers

  1. #1
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647

    Different paths in different Computers

    The problem.
    I have an application protected by what I thought was a rather primitive protection: It stores the state "registered" or "not registered" in a global bool variable. I changed the code that sets the variable so I am "registered". the modif works OK on a pentium 4 Windows XP professional OS.
    I copied the altered file to a AMD 64 running Windows XP OS. The program complains "not regtistered" I debugged it in the new system: the altered code is still altered, but it is never run.
    I traced a little bit, and the symptom is, in this different but very similar computer, the app code flow takes a different path that bypasses my modification. Of course I can fix the problem, but I am somewhat puzzled by this behavoir.

    My questions to the public are why? and how?
    The OS is the same, as far as I can tell: XP professional sp1 (Installed from from the same CD actually), the CPU is different but this should not be an issue for a ring3 running app, right?


    Any suggestions on how I can figure out where or how the execution path diverges between the two machines?

    It is out of curiosity, for the most part...

  2. #2
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    One random idea for a method:
    Maybe you can set a breakpoint in your patched code in the first machine, and then write down the callstack when it breaks. In the second machine, set breakpoints on all levels of this callstack (shouldn't be too many to handle), and see at which level it stops breaking. The difference in execution flow most likely resorts in this function, and using manual tracing will most likely not be overly bothersome to find the final spot once you know this.

    Let us know what it was when you find it anyway.

  3. #3
    <script>alert(0)</script> disavowed's Avatar
    Join Date
    Apr 2002
    Posts
    1,281
    reminds me of bleem (the first crack released didn't quite work 100% for amd)

  4. #4
    Someone please call M$ and report that "nobody" has installed their copy of M$ from "the same CD" on more than one machine. Oh the shame of it all.

    Regards,
    JMI

  5. #5
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,085
    Blog Entries
    5
    Quote Originally Posted by naides
    Any suggestions on how I can figure out where or how the execution path diverges between the two machines?
    An API monitor might pick up the differences. If not, I know a more generic call function (as opposed to strictly API) monitor which might, but it hasn't been released yet..

  6. #6
    Wow. Kayaker knows a secret. Now we'll have to kill him so he can't tell.

    Regards,
    JMI

  7. #7
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,085
    Blog Entries
    5
    Aah, no beta-testing for JMI then...
    Trying to encourage development with a real world scenario, not play "I've got a secret and you don't nyaah"

    Cheers

  8. #8
    Uh? Is that there Beta testing anything like them there drug tests where you gots to pee in one of them there little bottles?? Or is it some other kind of dang test?

    Regards,
    JMI

  9. #9
    Hi guys,

    Been a while since I've had much time for RCE... but I have the tool that Kayaker is referring to... It is currently a very "alpha" version. Real life has gotten in the way of me finishing it up and releasing a beta, but I hope to do so now that I'll have a bit of time over the holidays My tool traces at the procedure level granularity and captures all calls realated to local functions, statically compiled library functions, and API funtions. It is similar to an API monitor, but generic in the sense that it can capture the entire call tree of an application. I know that you guys are all skilled reversers / programmers and the implementation for such a handy little tool like this isn't really that difficult if you don't want to wait for my release Mine is implemented as an IDA plugin. Basically, I just query the IDA database for all of the local function start addresses and then use a debugger to place breakpoints on them. When the debugee process starts running, my debugger gets called when one of the bpx's hit and I log the arguments from the stack (I combine this with IDA's static analysis of the stack frame to get argument sizes, names, and such). At this point I can also automatically trace the arguments on the stack for pointers to user defined strings and integer values. I'm sure you can think of lots of uses for this ability ranging from automated serial sniffing to vulnerability discovery. The API's are monitored using IAT hooking and all of this information is logged into a GUI interface. I hope to eventually port this to ring 0, but right now it is limited to ring 3 tracing. It is also incapable of handling obsfucation or dynamically generated code (SMC) since it relies upon the accuracy of IDA's static disassembly for the breakpoint list.

    Cheers,
    Clandestiny

  10. #10
    Sounds really interesting and we look forward to your eventual release, as we have for all of your contributions to the craft.

    Regards,
    JMI

  11. #11
    Clandestiny, are you kidding? I would kill for this sort of app. I've always wanted to do something like this but the amount of work scares me away. All right, I'll admit I am lazy.

    Back to the original poster, AMD64 is a different beast when it comes to debugging etc. If you copied a native 32bit program onto it I can imagine why it behave differently. If you have a 64bit version of the same program and you alter some code I think it'll probably behave as you have expected.

  12. #12
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    Quote Originally Posted by homersux
    Back to the original poster, AMD64 is a different beast when it comes to debugging etc. If you copied a native 32bit program onto it I can imagine why it behave differently.
    You are right Homersux, 64 cpu shuld be different from pentium, or they are not worth the extra money you pay for them, but in this situation I am using the same 32 bit OS, the same 32 bit program and the action is taking place at ring3, application level, which, in theory, is several abstraction levels away from the cpu intrinsic operation perversities.
    Formally, AMD 64 should emulate perfectly the win32 operation, but apparently it does not. If that were the case, not only cracks, but whole programs would have to be specifically coded/compiled/linked for this CPU strain in order to work!
    Last edited by naides; December 5th, 2004 at 15:11. Reason: typo

  13. #13
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    Ok, we've all been waiting long enough now to hear the interesting solution for this naides, so I'd say it's about time you get to it and make use of the tips in this thread and then let us all know what it was.

  14. #14
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    There is not a smiley for blushed face, but it belongs here. . .

    I certainly want to use the kind suggestions all of you guys have given me.
    The problem is logistics. . .
    The AMD64 belongs to my girlfriend and I have not been able to run the app side by side because we are in a fight, so the AMD64 computer and other resources are temporarily out of reach

    As soon as I patch the situation, I will duly report back to the board.
    OK?

  15. #15
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    That was the best excuse I've heard in a long time, good luck with the patching (good breakpoints for these kind of patches are often the APIs GiveFlowers or SubmitExcuse btw, but sometimes if you've got the balls, it may just be a simple matter of not responding to anything in the message queue until the remote peer calls SubmitExcuse themself).

Similar Threads

  1. PE Import Table and custom DLL paths
    By j00ru vx tech blog in forum Blogs Forum
    Replies: 1
    Last Post: July 26th, 2011, 07:59

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •