
Created: Wednesday, November 9 2005 08:13.20 CST Modified: Sunday, November 13 2005 05:49.52 CST
How to hook a SEH?
Author: Mattwood

I wrote a tutorial which explains how to hook a SEH, to answer the people who want to know how I worked.

http://www.pastapolis.info/?eax=00000002
http://www.pastapolis.info/tutorials/Bypass%20Hardware%20Breakpoint%20Protection.pdf

I wrote a program which hooks itself:

http://www.pastapolis.info/misc/standalone_hooker.c

Created: Wednesday, November 9 2005 08:11.28 CST Modified: Wednesday, November 9 2005 08:11.28 CST
Anti Anti Hardware Breakpoint plugin [ollydbg]
Author: Mattwood

Ollydbg Anti Anti Hardware Breakpoint
Copyright (c) 2005 - Mattwood^FRET - [email protected] - www.pastapolis.info - http://reverseengineering.online.fr/spip/

- * How to install it?

Put olly_hardware_breakpoint.dll in the OllyDbg directory.

If you want to use the user32.dll global LoadLibrary, add ravioli.dll to the System32 directory and add ravioli.dll to the registry.
Otherwise, put ravioli.dll in the same directory as olly_hardware_breakpoint.dll.

- * What does this plugin do?

It hooks ntdll; I wrote a tutorial about it.
http://reverseengineering.online.fr/spip/article.php3?id_article=53

- * How to use it?

If the target doesn't use user32.dll:
When you load a program, do F7 or F8, then go to the menu and choose Force to load the dll.

Otherwise it's fine :)

If you want to remove the hook in ntdll, go to the menu and choose Remove the hook :].

- * Note?

Yep, it's a simple version. I load the dll like a pig :]

Cheers,

Mattwood^FRET

Created: Wednesday, November 9 2005 08:06.46 CST Modified: Wednesday, November 9 2005 08:06.46 CST
Ooops sorry !
Author: Mattwood

I just saw that I forgot to alert you that my polymorphic breakpoint had a bug :] a dumb bug :]

http://ollydbg.win32asmcommunity.net/index.php?action=vthread&forum=2&topic=1516

The new version can be found here:

http://reverseengineering.online.fr/spip/article.php3?id_article=50

Created: Saturday, October 15 2005 07:30.13 CDT Modified: Friday, October 21 2005 06:36.42 CDT
Polymorphic Breakpoint For Ollydbg
Author: Mattwood

It's a new plugin for OllyDbg that I have coded.

You can download it at: http://reverseengineering.online.fr/spip/article.php3?id_article=50

README:
Ollydbg Polymorphic Breakpoint Manager
Copyright (c) 2005 - Mattwood^FRET - [email protected] - http://reverseengineering.online.fr/spip/

- * What does this plugin do?

Classical breakpoints like 0CCh or 0EBh,0FEh are very easy to find with a little anti-breakpoint trick like:

00DE31FA  |.  B8 60060000   MOV     EAX,660
00DE31FF  |.  C1E8 03       SHR     EAX,3
00DE3202  |.  F2:AE         REPNE   SCAS BYTE PTR ES:[EDI]
00DE3204  |.  85C9          TEST    ECX,ECX
00DE3206  |.  74 04         JE      SHORT <0x90f.badboy>


The common way was to set a 0EBh,0FEh to bypass this little protection, but it's not very efficient.

The way of the plugin is to set a polymorphic EBFE, like:

00DE321C   .  E8 02000000   CALL    0x90f.00DE3223
00DE3221   .  DCED          FSUB    ST(5),ST
00DE3223   $  813424 371300>XOR     DWORD PTR SS:[ESP],1337
00DE322A   .- FF2424        JMP     NEAR DWORD PTR SS:[ESP]


Here the routine decrypts DCED with 1337, and the word at [00DE3221] becomes EBFE, but this way needs a special right: the section must be writable.

So I created a second way which uses the stack:

00DE320C   > \E8 00000000   CALL    0x90f.00DE3211
00DE3211   $  66:68 21FE    PUSH    0FE21
00DE3215   .  803424 CA     XOR     BYTE PTR SS:[ESP],0CA
00DE3219   .- FFE4          JMP     NEAR ESP

This way is universal.
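As an added illustration (not code from the plugin), the small Python model below reproduces the two stubs from the listings above with their own constants (DCED xor 1337, and 21FE with its byte xor 0CA) and runs a naive byte scan like the REPNE SCASB check over them, to show why a scan for literal CC or EB FE finds nothing until the stub has actually executed:

```python
# Added example: models the two polymorphic EBFE stubs described in the README
# and shows what a literal byte-pattern anti-breakpoint scan sees.
from struct import pack

JMP_SELF = b"\xEB\xFE"   # the classic 2-byte busy-loop breakpoint
INT3 = b"\xCC"           # 0x660 >> 3 == 0xCC, the value the README's scan looks for

def decode_writable_stub(encrypted_word: int, key: int) -> bytes:
    """First variant: the word at the CALL's return address (DC ED, read
    little-endian as 0xEDDC) is XORed in place with 0x1337. This writes into
    the code section, hence the section must be writable."""
    return pack("<H", (encrypted_word ^ key) & 0xFFFF)

def decode_stack_stub(pushed_word: int, key: int, ret_addr: int) -> bytes:
    """Second variant: PUSH 0FE21 leaves 21 FE on the stack, XOR BYTE [ESP],0CA
    turns 21 into EB, JMP ESP then executes EB FE from the stack. Returns the
    stack contents as EIP would see them (return address still below)."""
    stack = bytearray(pack("<H", pushed_word))
    stack[0] ^= key
    return bytes(stack) + pack("<I", ret_addr)

def scan_for_breakpoints(code: bytes) -> list:
    """Naive check in the spirit of the README's anti-breakpoint snippet:
    look for a literal CC or EB FE. Returns the offsets found."""
    hits = [i for i in range(len(code)) if code[i:i + 1] == INT3]
    hits += [i for i in range(len(code) - 1) if code[i:i + 2] == JMP_SELF]
    return sorted(hits)

# Constructed raw bytes of the two stubs, transcribed from the listings above.
WRITABLE_STUB = bytes.fromhex("E802000000" "DCED" "81342437130000" "FF2424")
STACK_STUB = bytes.fromhex("E800000000" "666821FE" "803424CA" "FFE4")

if __name__ == "__main__":
    print("writable variant decodes to:", decode_writable_stub(0xEDDC, 0x1337).hex())
    print("stack variant decodes to:   ", decode_stack_stub(0xFE21, 0xCA, 0x00DE3211).hex())
    print("scan of stubs at rest:", scan_for_breakpoints(WRITABLE_STUB), scan_for_breakpoints(STACK_STUB))
    print("scan of executed stack bytes:", scan_for_breakpoints(decode_stack_stub(0xFE21, 0xCA, 0x00DE3211)))
```

The scan over the stubs at rest returns nothing, while the decoded bytes contain EB FE at offset 0; a protection that wants to catch this has to look at what executes, not at static byte patterns.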

- * Isn't the polymorphic breakpoint too big for small functions?

I already looked at functions like GetCommandLineA :), they have very nice padding :)

GetCommand>  A1 F435887C     MOV     EAX,DWORD PTR DS:[7C8835F4]
7C812C92     C3              RETN
7C812C93     90              NOP
7C812C94     90              NOP
7C812C95     90              NOP
7C812C96     90              NOP
7C812C97     90              NOP
7C812C98     FFFF            ???                                      ; Unknown command
7C812C9A     FFFF            ???                                      ; Unknown command
7C812C9C     0000            ADD     BYTE PTR DS:[EAX],AL
7C812C9E     0000            ADD     BYTE PTR DS:[EAX],AL


Nice, no? :)

- * How to delete this breakpoint?

I coded a manager for this plugin which can delete the breakpoint.

- * Note?

Yep, it's a proof of concept of the polymorphic breakpoint, so I suggest you change the default breakpoint which I added.

Cheers,

Mattwood^FRET
