our old friend LordPE

Kayaker
Posts: 4169
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

I used them, all the 2052F asm files plus the updated equates and structures files from the RosAsm2053g master file, placed into /RosAsmFiles. Config paths and config.bin set.

Running Win7x64 on VMWare. I tried breaking into Rosasm with Olly1 directly, to find out why it's malforming the address at 008660C5, but it gave me repeated exceptions when selecting File/Open in Ros to open any exe under the debugger.

With Windbg and VirtualKD I can't get Ros to break remotely with >sxe ld. Would have to get more aggressive with break methods.


Important VirtualKD note:

There is a problem with the original version of VirtualKD from Sysprogs with the latest version 15.5 of VMWare Player. When trying to establish a connection there is an error in finding the RPC Table and a message about the VMWare version.

There is a good port of VirtualKD here that is updated to support the latest VMWare version.

https://github.com/4d61726b/VirtualKD-Redux

https://sysprogs.com/legacy/virtualkd/
evaluator
Posts: 1538
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

Kayaker wrote: I used them, all the 2052F asm files
you don't need the asm files. (they are for reviewing code updates etc. on GitHub)

look, this error line indicates you are not using my version:
RosAsm, The Bottom-Up Assembler -V.2.053g-

go to the releases page and download
RosAsmFiles.7z (Structures2018corrected.7z and Equates2018sortedc.7z can replace the old ones in RosAsmFiles)
https://github.com/rosasmje/rosasm2052f ... s/tag/G_07

RosAsm latest
https://github.com/rosasmje/rosasm2052f/releases/

PS: I checked in VBox/W7_64, it is OK (while OK=AC)
Kayaker
Posts: 4169
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

That's got it! My problem I think was that I couldn't d/l the full git package from your first /rosasm2052f link because a file was flagged by Avast/Firefox (see attached). And it wasn't obvious to me that I had to navigate to the Releases page and figure out what other files to pick up instead.

I had to d/l the RosAsmFiles.7z file with Wget (latest version to support SSL). If I run Avast on that it finds several files flagged as malware. HalfOOA1.exe, HalfOOA2.exe, HalfOOA4.exe, IVT205comcntrls.exe were all flagged as Win32:Malware-gen or Win32:Evo-gen and moved to the VirusChest. I know they're likely not infected, but it would be nice if they could be recompiled without whatever signature strings Avast is picking up. Any idea what that might be? Compiler specific, fasm?

I also had a weird problem when replacing the Equates.equ file: I renamed the old one but kept the .equ extension. Ros didn't like having 2 .equ files and gave a weird Arghhh!!!... message box about the equates, repeated, so I had to kill the process. A bit unusual from a programming point of view to use a required include file based on extension only and not filename, oh well.

All that said, the damned thing works! I was able to recompile LordPE and another little win32 app (without modifications) from the originals. Now let's see what it can really do...

Nice job Eval :)
Attachments
Ros_Vx2.jpg
evaluator
Posts: 1538
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

note, I upgraded 'our' LordPE
>> 4. added code to prevent REALIGN of DRIVER files.

that's good Kayaker. Also you can now compare the SRC and see what I did.
(Can you appeal to Avast to whitelist the files?)
Elenil
Senior Member
Posts: 140
Joined: Tue Sep 30, 2008 7:53 pm

Post by Elenil »

nice to hear from this tool

shouldn't it be a word instead of a dword? dword ptr [eax], 4550h

that check might fail if the other 16 bits are not 0

only 7 functions are missing, Wax? that sounds doable to me
then add those functions; if there is a WRK like for 2003 that should be easier
if not you have to read out the function and fit those functions to XP

another problem you might have with a DLL is the load time: if the missing function is called before the DLL with all the exports is done loading, it won't work
but that's not a big deal either, fixing a faster load of that DLL or directly writing the missing functions into ntoskrnl so they load in time
WaxfordSqueers
Senior Member
Posts: 1001
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

Kayaker wrote:If I run Avast on that it finds several files flagged as malware.
I would not have an Internet security package on my system that did not give me the option of downloading a file. I use the free Comodo Internet Security package, which has the capability of locking down your entire system if required. It is highly configurable, but it always leaves the option to the user as to whether a file is safe.

Most of the security packages seem to use heuristic scanning which guesses at the state of malware based on probabilities. I have it turned off on mine because it's a damned nuisance. It goes off all the time on software I know is safe. Comodo goes nuts on the archive package from this site.

Hope you don't take my comment as a shot at you. I am simply becoming annoyed at the interference people like Avast and Firefox invoke without asking if the user wants that. That bs began with Norton/Symantec. Comodo always asks you if you want to allow a file, it never blocks it without user input.

I have written to Firefox and told them to butt out of my life. I have made it clear I don't want them making decisions for me as to where I can go on the Net and whether I want my version automatically updated. I finally found a way to bypass automatic updates.
WaxfordSqueers
Senior Member
Posts: 1001
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

Elenil wrote:only 7 functions are missing wax ?
Only 7, or so, in ntoskrnl. The problem is ndis.sys, where there are over 30 missing. I'll get back to you on that on the other thread but right now I'm working on getting a k-mode session going with Win XP.

Gives me an idea re RosAsm. Ndis.sys is 182,912 bytes, I wonder if eval would consider that too large to work with in RosAsm? I know there may be other problems involved with re-assembly like shifted offsets.

I guess what I'm asking is what eval means by small files.
Kayaker
Posts: 4169
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

WaxfordSqueers wrote:
Hope you don't take my comment as a shot at you. I am simply becoming annoyed at the interference people like Avast and Firefox invoke without asking if the user wants that. That bs began with Norton/Symantec. Comodo always asks you if you want to allow a file, it never blocks it without user input.
Not at all. I used to use Comodo as a firewall on Win7, it was very good but I had gotten annoyed with all its warning messages. I considered it more of a firewall than a Virus app, though the full version might have offered that.

On Win10 I decided to try Zone Alarm and Avast. My priority has always been to control apps phoning home type of thing over what files or websites might be infected. I like the ZA monitoring.

You can exempt websites and folders from Avast scans. It is quite annoying though, plus it's often popping up ad windows for its products. I wouldn't mind an alternative.
WaxfordSqueers
Senior Member
Posts: 1001
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

Kayaker wrote:I used to use Comodo as a firewall on Win7.... My priority has always been to control apps phoning home type of thing
That's exactly what I do with Comodo. You can use Comodo as just a firewall but you can change that to add Internet security, which includes a virus scanner which is quite configurable. You can also control the way notifications flash up. It has a learning mode as well where it will learn your preferences and once it does it hardly ever puts up a notification.

It also has a paranoid mode in the Defense settings. I turn that on while I'm doing Internet banking since it is highly sensitive to changes. If I mess with my printer while it's on it flashes up a notification that the printer is trying to do such and such. Don't know if it will detect a kernel mode rootkit/keylogger. It does check for rootkits during a virus scan.

If I don't want an app to call home I go into Firewall/Define a New Blocked App. If the app is running, I just select 'Running app' and select the app. Otherwise, I select browse and go to the app's directory.

They put out a browser called Dragon which is apparently based on Firefox. Looks a lot like it.
evaluator
Posts: 1538
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

>> Elenil
>> shouldn't it be a word instead of a dword? dword ptr [eax], 4550h

no, it is defined by the definers as a dword.

>> Kayaker
>> All that said, the damned thing works! I was able to recompile LordPE ... Now let's see what it can really do...

yep. you are all fired up!? :)
I already planned to ask: "What next tool do we want to revive!?"
damn, only right now I looked at siwwid.sys ~:0
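The dword-versus-word question Elenil raised and evaluator answered, worked through as an added C example that is not RosAsm, LordPE or anyone's posted code: it follows e_lfanew in a constructed MZ/PE buffer and shows that a word-only compare accepts a signature whose upper 16 bits are nonzero, while the full dword compare (with a bounds check on e_lfanew) rejects it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IMAGE_DOS_SIGNATURE 0x5A4D      /* "MZ" */
#define IMAGE_NT_SIGNATURE  0x00004550  /* "PE\0\0" read as a little-endian dword */

/* Little-endian reads that do not depend on alignment or host byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Follow e_lfanew (offset 0x3C of the DOS header) to the NT signature.
   Returns its offset, or -1 if the signature cannot lie fully inside the buffer. */
static long nt_sig_offset(const uint8_t *buf, size_t len) {
    if (len < 0x40 || rd16(buf) != IMAGE_DOS_SIGNATURE) return -1;
    uint32_t e_lfanew = rd32(buf + 0x3C);
    if (e_lfanew > len - 4) return -1;
    return (long)e_lfanew;
}

/* The check as the PE format defines it: the whole dword must equal 0x00004550. */
int pe_sig_ok_dword(const uint8_t *buf, size_t len) {
    long off = nt_sig_offset(buf, len);
    return off >= 0 && rd32(buf + off) == IMAGE_NT_SIGNATURE;
}

/* The looser variant asked about in the thread: only the low word "PE" is compared. */
int pe_sig_ok_word(const uint8_t *buf, size_t len) {
    long off = nt_sig_offset(buf, len);
    return off >= 0 && rd16(buf + off) == 0x4550;
}

/* Constructed sample (not a real binary): "MZ", e_lfanew = 0x40, then the 4-byte
   signature. corrupt != 0 puts a nonzero byte in the upper half of the signature;
   use_word selects the word check; drop trims bytes off the end to model truncation. */
int demo(int corrupt, int use_word, size_t drop) {
    uint8_t buf[0x44];
    memset(buf, 0, sizeof buf);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x40;
    memcpy(buf + 0x40, corrupt ? "PE\x01\0" : "PE\0\0", 4);
    size_t len = drop < sizeof buf ? sizeof buf - drop : 0;
    return use_word ? pe_sig_ok_word(buf, len) : pe_sig_ok_dword(buf, len);
}
```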
WaxfordSqueers
Senior Member
Posts: 1001
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

evaluator wrote: :) I already planned to ask: "What next tool do we want to revive!?"
damn, only right now I looked at siwwid.sys ~:0
Good man!! I like it. :D
evaluator
Posts: 1538
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

yooo, it wooo rks!?!? yep.
however, when I switched the display size & tried the DS configuration utility to 'test' the new mode I got an oossomm error!
Attachments
Clipboard06.png
VirtualBox_XPsp0_13_04_2020_23_14_44.png
evaluator
Posts: 1538
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

fixed disasm, there were a few pointers instead of constants. what now? upgrade/fix? but how to debug? or only blind try?
WaxfordSqueers
Senior Member
Posts: 1001
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

evaluator wrote: fixed disasm, there were a few pointers instead of constants. what now? upgrade/fix? but how to debug? or only blind try?
What kind of motherboard/chipset are you using? My problems have been with a newer generation Intel B360 chipset which is a 300 series. I want to get sice running on that chipset but it's hard enough getting XP to run on it. Can you run sice live on your mobo without a VM?
evaluator
Posts: 1538
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

? can't you see the screenshots?? inside VirtualBox. BTW, I have my old PC from 2001 :)