Real LDE.

A classroom run by newbies for newbies. Gain valuable reversing experience & skills as we explain the in's and out's of RCE.
Indy
Posts: 311
Joined: Sun Nov 08, 2009 4:32 am

Real LDE.

Post by Indy »

(Length Disassembler Engine).

Determining the length of instructions by means of the processor. For example, the opcode 0xFF0F (0F FF) has a ModR/M byte:
0F FF 05 DISP32 - 7 bytes.


http://indy-vx.narod.ru/Bin/LDE.zip
http://rootkits.su/index.php/topic,60.15.html
evlncrn8
Posts: 456
Joined: Mon Apr 22, 2002 12:38 pm

Post by evlncrn8 »

What's the "real" part in the name for?
I saw some years ago, z0mbie's in particular.. I think there's a decent one with BeaEngine too, also for x64... They are quite useful things; wrote my own years ago and discovered how crazy Intel's encoding is, with exceptions to the 'rules' etc... Fun times
bluebyrd
Junior Member
Posts: 4
Joined: Wed Oct 05, 2011 2:03 pm

Post by bluebyrd »

evlncrn8 wrote: Fun times
Pros start having fun when normal people start getting pissed off. It's the attitude that makes a great reverser.
:yay:
Indy
Posts: 311
Joined: Sun Nov 08, 2009 4:32 am

Post by Indy »

It determines the actual length, even for non-existent instructions. No tables: run the instruction on a page boundary. Even the privileged ones.

Other engines use opcode tables. This makes it impossible to determine the lengths of instructions that are not described in the tables. For the kernel this engine is unnecessary; there one should just handle faults, without adjusting Ss/Esp ;)

To write it for a different platform (e.g. x64), there is no need to compose new tables.

As an example, determine (bea, z0mbie etc.) the size of 0F FF 05 =)
evlncrn8
Posts: 456
Joined: Mon Apr 22, 2002 12:38 pm

Post by evlncrn8 »

Hmm, interesting, will have to check it out when I have a bit of time (probably Monday).. totally agree about the tables etc... Damn, wish I had time now, your post really got me curious now Indy :-)
Indy
Posts: 311
Joined: Sun Nov 08, 2009 4:32 am

Post by Indy »

epic fail, no?
evlncrn8
Posts: 456
Joined: Mon Apr 22, 2002 12:38 pm

Post by evlncrn8 »

Hmm, am I wrong or is it using tracing and SEH to obtain the length.. i.e.: executing the line (with some intelligence in its checking).. ? Kinda dangerous if the opcode is unknown but can be dangerous...no?

Not sure what you meant by fail though...
Indy
Posts: 311
Joined: Sun Nov 08, 2009 4:32 am

Post by Indy »

The code is not dangerous; the opcode does not matter. The code is reduced to the correction because of bugs in the kernel.

The problem with SEH is only one: NX. Solved as follows: http://www.woodmann.com/forum/showthread.php?14007-PoC-Hiding-the-caller.&daysprune=365
evlncrn8
Posts: 456
Joined: Mon Apr 22, 2002 12:38 pm

Post by evlncrn8 »

My meaning for dangerous was simply that executing 'unknown' code can be dangerous (e.g. the sidt instruction that can run in ring 3 with a little help from a ring 0 driver) etc...

It's two approaches: passive (tables) or non-passive (tracing) etc....
I'm just a pacifist heh
Indy
Posts: 311
Joined: Sun Nov 08, 2009 4:32 am

Post by Indy »

evlncrn8:
sidt fword ptr ss:[esp + eax + 0x100]
0F 01 8C 04 00 01 00 00, returns 8 :)
sgdt fword ptr ds:[edi + esi - 1]
0F 01 44 37 FF, returns 5.

Tracing is used to control the successful execution of instructions.
evlncrn8 wrote: executing 'unknown' code can be dangerous
Really? :devil:

Code:

	mov Seed,2                              ; fixed seed, so the run is repeatable
Next:
	lea edi,Buffer                          ; destination: scratch buffer for one instruction
	lea ebx,[esi + MAX_INSTRUCTION_LENGTH]  ; end address (esi is assumed to hold the buffer address)
	.repeat
		invoke RtlRandom, addr Seed         ; RtlRandom advances Seed in place
		mov eax,Seed
		stosd                               ; fill the buffer with random dwords
	.until Edi >= Ebx
	inc Iters                               ; count the attempts
	invoke LDE, RegionBase, Esi             ; measure the random bytes with the engine
Give an example of dangerous code.
Indy
Posts: 311
Joined: Sun Nov 08, 2009 4:32 am

Post by Indy »

0F 50 E0 movmskps esp,xmm0 - a dangerous instruction.
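As an added example, not code from Indy's LDE or from anyone in this thread: a minimal table-driven length decoder in Python, with constructed opcode tables, covering the byte sequences quoted above (the sidt and sgdt encodings, movmskps, and 0F FF 05). It reproduces the lengths 8, 5 and 3 the thread gives, and shows the limitation Indy raises against table-based engines: 0F FF 05 has no length until someone adds 0F FF to the table, and what is added is the table author's assumption about the CPU rather than the CPU's own behaviour.

```python
# Opcode tables constructed for this example: opcode -> (has ModR/M, immediate bytes).
ONE_BYTE = {
    0x8B: (True, 0),   # mov r32, r/m32
    0xB8: (False, 4),  # mov eax, imm32
}
TWO_BYTE = {           # opcodes after the 0F escape byte
    0x01: (True, 0),   # group 7: sgdt / sidt / lgdt / lidt ...
    0x50: (True, 0),   # movmskps r32, xmm
    # 0F FF deliberately absent: the "not described in the table" case
}
def modrm_length(code, pos):
    """Bytes used by ModR/M, optional SIB and displacement (32-bit addressing)."""
    if pos >= len(code):
        return None                       # ModR/M byte itself is missing
    mod, rm = code[pos] >> 6, code[pos] & 7
    n = 1
    if mod == 3:
        return n                          # register form, no memory operand
    if rm == 4:                           # SIB byte follows
        if pos + 1 >= len(code):
            return None
        n += 1
        if mod == 0 and (code[pos + 1] & 7) == 5:
            n += 4                        # [index*scale + disp32], no base
    elif mod == 0 and rm == 5:
        n += 4                            # [disp32]
    if mod == 1:
        n += 1                            # disp8
    elif mod == 2:
        n += 4                            # disp32
    return n

def table_length(code, two_byte=TWO_BYTE):
    """Length per the tables, or None when the opcode is not described in them."""
    if not code:
        return None
    if code[0] == 0x0F:
        entry = two_byte.get(code[1]) if len(code) > 1 else None
        pos = 2
    else:
        entry, pos = ONE_BYTE.get(code[0]), 1
    if entry is None:
        return None                       # a table-driven engine has no answer here
    has_modrm, imm = entry
    if has_modrm:
        m = modrm_length(code, pos)
        if m is None:
            return None
        pos += m
    return pos + imm
```

Passing a table that lists 0F FF as a ModR/M opcode makes the same bytes decode to 7, which is the point: the result follows the table, so a table-based engine can only be as complete as its author's knowledge of every encoding.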