📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

Created: Sunday, January 16 2011 09:08.46 CST Modified: Sunday, January 16 2011 09:11.41 CST
Generic tracer 0.5 beta
Author: modest # Views: 6384

Generic Tracer 0.5 beta is published for testing.

Besides bug fixes and one small feature (see the changelog.txt file), the major feature I added is TRACE.

TRACE traces each instruction in a function and collects all interesting values from registers and memory. After execution, all that information is saved to the process.exe.idc, process.exe.txt and process.exe_clear.idc files. The .idc files are IDA scripts; the .txt file is grepable with grep, awk and sed.

For example, let's take the add_member function from the article Using Uninitialized Memory for Fun and Profit:


int dense[256];
int dense_next=0;
int sparse[256];

void add_member(int i)
{
    dense[dense_next]=i;    /* append i to the dense array */
    sparse[i]=dense_next;   /* remember the slot where i was stored */
    dense_next++;
}

int main ()
{
    add_member(123);
    add_member(5);
    add_member(71);
    add_member(99);
    return 0;
}


Let's compile it and run tracing on the add_member function (determine the function's address in IDA first):

gt -l:trace_test4.exe bpf=0x00401000,trace

We'll get the trace_test4.exe.txt file:


0x401000, e=       4
0x401001, e=       4
0x401003, e=       4, [0x403818]=0..3
0x401008, e=       4, [EBP+8]=5, 0x47('G'), 0x63('c'), 0x7b('{')
0x40100b, e=       4, ECX=5, 0x47('G'), 0x63('c'), 0x7b('{')
0x401012, e=       4, [EBP+8]=5, 0x47('G'), 0x63('c'), 0x7b('{')
0x401015, e=       4, [0x403818]=0..3
0x40101a, e=       4, EAX=0..3
0x401021, e=       4, [0x403818]=0..3
0x401027, e=       4, ECX=0..3
0x40102a, e=       4, ECX=1..4
0x401030, e=       4
0x401031, e=       4, EAX=0..3


The e field is how many times this instruction was executed.
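Since the .txt file is meant to be processed with grep, awk and sed, here is a small Python parser for it as an added example (it is not part of gt or of this post). It is built only from the sample lines above, so the format details it assumes (the e count, LOCATION=value fields, lo..hi ranges, value('char') annotations) are assumptions about gt's output; the sample input is a copy of the trace_test4.exe.txt listing above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Copy of the trace_test4.exe.txt listing from the post, used as sample input.
SAMPLE_TRACE = """\
0x401000, e=       4
0x401001, e=       4
0x401003, e=       4, [0x403818]=0..3
0x401008, e=       4, [EBP+8]=5, 0x47('G'), 0x63('c'), 0x7b('{')
0x40100b, e=       4, ECX=5, 0x47('G'), 0x63('c'), 0x7b('{')
0x401012, e=       4, [EBP+8]=5, 0x47('G'), 0x63('c'), 0x7b('{')
0x401015, e=       4, [0x403818]=0..3
0x40101a, e=       4, EAX=0..3
0x401021, e=       4, [0x403818]=0..3
0x401027, e=       4, ECX=0..3
0x40102a, e=       4, ECX=1..4
0x401030, e=       4
0x401031, e=       4, EAX=0..3
"""

# "0x401003, e=       4, <values>" -> address, count, optional value fields
LINE_RE = re.compile(r"^(0x[0-9a-fA-F]+),\s*e=\s*(\d+)(?:,\s*(.*))?$")
# One value field: optional "EAX=" / "[EBP+8]=" prefix (assumed format), then a
# value with an optional ('c') annotation, or a lo..hi range.
FIELD_RE = re.compile(
    r"(?:(?P<loc>\[[^\]]+\]|[A-Za-z0-9_]+)=)?"
    r"(?P<lo>0x[0-9a-fA-F]+|\d+)(?:\('.*?'\))?"
    r"(?:\.\.(?P<hi>0x[0-9a-fA-F]+|\d+))?"
)


@dataclass
class Observation:
    lo: int
    hi: int
    samples: Optional[List[int]] = None  # explicit values; None when gt printed lo..hi


@dataclass
class TraceLine:
    address: int
    executed: int                                      # the "e" field
    values: Dict[str, Observation] = field(default_factory=dict)


def to_int(text: str) -> int:
    text = text.strip()
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def parse_values(rest: str) -> Dict[str, Observation]:
    """Turn "[EBP+8]=5, 0x47('G')" / "ECX=1..4" into {location: Observation}."""
    observed: Dict[str, Observation] = {}
    current = None
    for m in FIELD_RE.finditer(rest):
        if m.group("loc"):
            current = m.group("loc")          # a value without "loc=" continues the previous list
        if current is None:
            raise ValueError("value without a location: " + rest)
        lo = to_int(m.group("lo"))
        if m.group("hi") is not None:
            observed[current] = Observation(lo, to_int(m.group("hi")))
            continue
        obs = observed.get(current)
        if obs is None or obs.samples is None:
            obs = observed[current] = Observation(lo, lo, [])
        obs.samples.append(lo)
        obs.lo, obs.hi = min(obs.lo, lo), max(obs.hi, lo)
    return observed


def parse_trace(text: str) -> List[TraceLine]:
    trace: List[TraceLine] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised trace line: " + line)
        values = parse_values(m.group(3)) if m.group(3) else {}
        trace.append(TraceLine(int(m.group(1), 16), int(m.group(2)), values))
    return trace


def value_ranges(trace: List[TraceLine]) -> Dict[str, Tuple[int, int]]:
    """Overall (min, max) seen for each register or memory location over the whole trace."""
    span: Dict[str, Tuple[int, int]] = {}
    for tl in trace:
        for loc, obs in tl.values.items():
            lo, hi = span.get(loc, (obs.lo, obs.hi))
            span[loc] = (min(lo, obs.lo), max(hi, obs.hi))
    return span


def addresses_touching(trace: List[TraceLine], location: str) -> List[int]:
    """Instruction addresses at which gt recorded a value for the given location."""
    return [tl.address for tl in trace if location in tl.values]


if __name__ == "__main__":
    trace = parse_trace(SAMPLE_TRACE)
    for loc, (lo, hi) in sorted(value_ranges(trace).items()):
        where = ", ".join(hex(a) for a in addresses_touching(trace, loc))
        print(f"{loc:12} min={lo:#x} max={hi:#x} at {where}")
```

With the sample above this reports, for instance, that [0x403818] (dense_next) only ever holds 0..3 and that [EBP+8] (the argument i) took the four values 5, 0x47, 0x63 and 0x7b, which is exactly the kind of question one would otherwise answer with awk over the file.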

Let's execute the trace_test4.exe.idc script in IDA and we'll see:



Now it is much simpler to understand how this function works during execution.

Executed instructions are highlighted in blue. Instructions that were not executed are left white.

If you need to clear all comments and highlighting, execute the trace_test4.exe_clear.idc script.

In the IDA script, collected information may be reduced to a shortened form like EAX=[ 64 unique items. min=0xbca6eb7, max=0xffffffed ] (because IDA has a comment size limitation). In contrast, everything is saved to the text file without shortening, which is why the resulting text file can sometimes be pretty big.

One problem with the TRACE feature is that it is slow; however, functions from system DLLs are skipped (a system DLL is a DLL residing in %SystemRoot%). Another problem is that things like exceptions, setjmp/longjmp and other unexpected control-flow alterations are not handled correctly so far.

One more problem is that this feature is only available for x86 (because only an x86 disassembler is currently present in the gt project).

More examples

Download gt executables, source code and manuals.

Created: Tuesday, December 7 2010 08:55.43 CST Modified: Tuesday, December 7 2010 16:50.16 CST
Making C compiler generate obfuscated code
Author: modest # Views: 11181

A customer of mine asked whether it is possible to protect his software from reverse engineering. I didn't find any C/C++ compiler able to produce obfuscated code that makes reverse engineering harder and complicates the use of tools such as the Hex-Rays Decompiler, so I made a little attempt to hack the Tiny C compiler's code generator.

I patched it so that it produces a lot of random noise code between the effective code. Of course, the resulting code will run much slower. But in real life we can obfuscate only the critical parts of the code, the ones containing algorithms we don't want to be leaked easily. Of course, it is virtually impossible to protect any code from reverse engineering, but it is possible to make it much more difficult.

Example: a simple function:


int a (int a, int b)
{
    return a + b * 4;
}


On output...


a               proc near

var_CD500B      = byte ptr -0CD500Bh
arg_0           = dword ptr  8
arg_4           = dword ptr  0Ch
arg_1D364BDE    = byte ptr  1D364BE6h

                nop
                push    ebp
                mov     ebp, esp
                sub     esp, 0
                nop
                xor     eax, ebx
                mov     eax, 99B7A34Ah
                mov     eax, 0EC06E7ACh
                lea     edx, [esi+63h]
                mov     ebx, [ebp+arg_0]
                and     ebx, ebx

loc_800001F:
                lea     ebx, [ebp+arg_1D364BDE]
                mov     ebx, 9EF81F3Eh
                lea     eax, [ebx+3Eh]
                lea     ecx, [esi]
                mov     eax, 0FD6D5D47h
                sub     ebx, edx
                lea     ecx, [ebp+var_CD500B]
                lea     ecx, [eax]
                mov     eax, [ebp+arg_4] ; *
                shl     eax, 2          ; *
                mov     ecx, eax
                adc     ecx, edx
                mov     ecx, [ebp+arg_0]
                adc     ecx, ecx
                sub     edx, ecx
                sub     edx, eax
                lea     ebx, [esp+ecx*8]
                mov     ecx, 29262C66h
                mov     ebx, 0CC18D2C4h
                mov     ebx, 0FDB56490h
                mov     ecx, 9E709D5Eh
                mov     ecx, 73805EBFh
                mov     ecx, eax
                or      ecx, eax
                mov     ebx, 7339AD0Eh
                mov     edx, 2CA8725Ah
                lea     edx, [edi+esi*8]
                mov     ebx, 87684A89h
                mov     ebx, 52A74759h
                xor     edx, edx
                jnz     short loc_800001F
                mov     ebx, 0CCA90613h
                sub     ecx, eax
                mov     ecx, 0C6699FDh
                mov     ebx, 0A8B272A1h
                mov     ebx, eax
                sbb     ebx, ebx
                mov     ecx, [ebp+arg_0] ; *
                add     ecx, eax        ; *
                or      edx, ebx
                mov     edx, 47257B14h
                mov     edx, ecx
                add     edx, edx
                mov     eax, 9E3E878Ah
                mov     ebx, 0DAB5E429h
                mov     edx, 0ABFDB94Eh
                adc     eax, ebx
                add     edx, ebx
                lea     edx, [ebx+75A1EF29h]
                or      edx, edx
                mov     eax, ecx        ; *
                jmp     $+5
                leave
                pop     ebx
                jmp     ebx
a               endp


(effective code is marked with an asterisk)
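To show what such noise is worth against mechanical analysis, here is an added example (not part of the post or of the Tiny C patch): a conservative dead-store pass, i.e. backward register liveness over straight-line code, written in Python and run over an excerpt of the listing above. The instruction rules are my own simplification of x86 (only `mov reg, ...` and `lea` count as pure register writes; anything that writes flags or memory is kept; liveness is reset to "everything live" at every jump, so nothing is removed across control flow this pass does not follow). The excerpt is copied from the listing above; the effective `; *` lines survive, most of the `mov reg, imm` / `lea` filler does not, while flag-writing filler such as `adc ecx, edx` or `sub ebx, edx` is deliberately left in place.

```python
import re

REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}
REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|ebp|esp)\b")
# Control transfers: liveness is reset to "all registers live" at each of them.
FLOW = {"jmp", "jz", "jnz", "je", "jne", "ja", "jb", "jc", "jnc",
        "call", "ret", "retn", "leave"}

# Excerpt of the obfuscated listing above (start of the function body), as sample input.
SAMPLE = """
                nop
                push    ebp
                mov     ebp, esp
                sub     esp, 0
                nop
                xor     eax, ebx
                mov     eax, 99B7A34Ah
                mov     eax, 0EC06E7ACh
                lea     edx, [esi+63h]
                mov     ebx, [ebp+arg_0]
                and     ebx, ebx

loc_800001F:
                lea     ebx, [ebp+arg_1D364BDE]
                mov     ebx, 9EF81F3Eh
                lea     eax, [ebx+3Eh]
                lea     ecx, [esi]
                mov     eax, 0FD6D5D47h
                sub     ebx, edx
                lea     ecx, [ebp+var_CD500B]
                lea     ecx, [eax]
                mov     eax, [ebp+arg_4] ; *
                shl     eax, 2          ; *
                mov     ecx, eax
                adc     ecx, edx
                mov     ecx, [ebp+arg_0]
                adc     ecx, ecx
                sub     edx, ecx
                sub     edx, eax
"""


def regs_in(operand: str) -> set:
    return set(REG_RE.findall(operand.lower()))


def norm(line: str) -> str:
    """Instruction text without the comment and with whitespace collapsed."""
    return " ".join(line.split(";")[0].split())


def parse(line: str):
    """(mnemonic, [operands]) for an instruction line; None for labels, blanks, directives."""
    text = line.split(";")[0].strip()
    if not text or text.endswith(":") or "=" in text or " proc " in text or text.endswith("endp"):
        return None
    parts = text.split(None, 1)
    ops = [o.strip() for o in parts[1].split(",")] if len(parts) > 1 else []
    return parts[0].lower(), ops


def defs_uses(mnem: str, ops: list):
    """(registers written, registers read, pure). pure = the only effect is the
    register write (no flags, no memory), so it is dead if that register is
    overwritten before being read."""
    if not ops:                                   # nop and friends
        return set(), set(), False
    if mnem == "push":
        return {"esp"}, regs_in(ops[0]) | {"esp"}, False
    if mnem == "pop":
        return regs_in(ops[0]) | {"esp"}, {"esp"}, False
    dst = ops[0].lower()
    src = ops[1] if len(ops) > 1 else ""
    if mnem in ("mov", "lea") and dst in REGS:
        return {dst}, regs_in(src), True          # flags untouched
    if dst in REGS:                               # ALU op: reads+writes dst, writes flags
        return {dst}, {dst} | regs_in(src), False
    return set(), regs_in(dst) | regs_in(src), False   # memory destination


def dead_store_indices(lines: list) -> set:
    """Backward liveness pass; indices of instructions whose register write is never read."""
    live = set(REGS)              # unknown successor: assume every register is read later
    dead = set()
    for i in range(len(lines) - 1, -1, -1):
        parsed = parse(lines[i])
        if parsed is None:
            continue
        mnem, ops = parsed
        if mnem in FLOW:
            live = set(REGS)
            continue
        defs, uses, pure = defs_uses(mnem, ops)
        if pure and not (defs & live):
            dead.add(i)           # dropped, so its own reads keep nothing alive
            continue
        live = (live - defs) | uses
    return dead


def dead_stores(listing: str) -> list:
    lines = listing.splitlines()
    return [norm(lines[i]) for i in sorted(dead_store_indices(lines))]


def strip_noise(listing: str) -> str:
    """The listing with dead stores removed (labels and comments kept)."""
    lines = listing.splitlines()
    dead = dead_store_indices(lines)
    return "\n".join(ln for i, ln in enumerate(lines) if i not in dead)


if __name__ == "__main__":
    print(strip_noise(SAMPLE))
```

On this excerpt the pass removes eight of the twenty-seven instructions, all of them pure register writes, and keeps every `; *` line. What it cannot remove without a flags-liveness model and a real control-flow graph is the filler that writes EFLAGS (`adc`, `sbb`, `sub`, `xor edx, edx` before the `jnz`), which is exactly the kind of noise the patched compiler mixes in.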

One funny thing is that the compiler now uses a random number generator. "Almost all good computer programs contain at least one random-number generator." (from the fortune file in the Plan 9 OS)

Here is also the crackme I created for testing. It was eventually reversed, though.

For those who are interested:
Patch for Tiny C version 0.9.25
Full source code patched
Tiny C 0.9.25 patched win32 executables

Created: Saturday, June 12 2010 16:44.34 CDT  
Generic tracer 0.4
Author: modest # Views: 4689

New version is out.

changelog:

* FPU registers support at BPX breakpoints.
  New command line options:
  -fpu_always - always show FPU registers at BPX breakpoint
  -fpu_never  - never show FPU registers at BPX breakpoint
  In the SET option of the BPX command it is now possible to use the FPU registers
  ST0..ST7, for example:
  bpx=program.exe!address,set(st0,123.4)
  Remember: gt never modifies the FPU tag word register, nor the TOP register,
  so if some register was marked as "empty" and gt sets some value there,
  it will remain marked "empty".
  If the floating-point number is also a NaN, the MMX register contents will be
  dumped too.
  New command line option:
  -dump_xmm - dump XMM registers state at BPX breakpoint
* Now we attach to all processes with the specified process name.
* A symbol defined in an address can also carry a "+ofs" suffix, where
  "ofs" is a decimal number or a hexadecimal number with a "0x" prefix,
  for example: "bpx=kernel32.dll!writefile+0x5" or "bpx=file.exe!base+0x1234",
  where base is the PE file base.
* PDB files support.
  Compile your program with the /Zi option in MSVC and get a PDB debug file
  for it.

===

gt is a command-line utility for performing simple debugging tasks.

Major features:

* Set breakpoint on function execution, track function arguments and result.
* Set breakpoint on arbitrary point, track CPU registers state and alter them.
* Set breakpoint on memory cell access and track all accesses to it.

Minor features:

* Set breakpoint by address, symbol name or bytemask.
* Unicode string detection in function arguments.
* Both x86 and x64 support.
* Oracle RDBMS .SYM files support.
* Source code included.

Homepage (manual, downloads..)
http://conus.info/gt/

Created: Saturday, December 5 2009 02:56.40 CST Modified: Saturday, December 5 2009 02:57.42 CST
Generic tracer 0.3
Author: modest # Views: 4850

New version is out.

gt is a command-line utility for performing simple debugging tasks.

Major features:

* Set breakpoint on function execution, track function arguments and result.
* Set breakpoint on arbitrary point, track CPU registers state and alter them.
* Set breakpoint on memory cell access and track all accesses to it.

Minor features:

* Set breakpoint by address, symbol name or bytemask.
* Unicode string detection in function arguments.
* Both x86 and x64 support.
* Oracle RDBMS .SYM files support.
* Source code included.

Homepage (manual, downloads..)
http://conus.info/gt/

Created: Sunday, May 24 2009 08:54.29 CDT Modified: Sunday, May 24 2009 08:56.48 CDT
generic tracer
Author: modest # Views: 5316

generic tracer - an extremely simple win32 tracer

Main features:

1) Setting breakpoint at any function, monitoring its arguments and return value.
2) Monitoring global variables access.

In a way, it is a kind of strace utility.

Significant differences vs strace are:

1) gt is Win32 only.
2) Breakpoints can be set not just on system calls, but on any function.
3) Only 4 breakpoints, because of an x86 architecture limitation.
4) Use of Oracle .SYM files: ORACLE_HOME should be defined in the environment.

Homepage:
http://conus.info/gt/
Readme file:
http://conus.info/gt/gt.txt

