
# mystic hello world program

Topic created on: December 2, 2008 18:43 CST by nezumi .

1) take the HELLO WORLD program by Jack Applin and Robert Heckendorn, 1985;


main(v,c)char**c;{for(v[c++]="Hello,world!\n)";(!!c)[*c]&&(v--||--c&&execlp(*c,*c,c[!!c]+!!c,!c));**c=!c)write(!!*c,*c,!!**c);}


2) count the size of the source code - it's 128 bytes;

3) compile the program with MS VC 6 with the /Ox key (max. opt.);

4) count the size of the machine code (w/o data) - it's 128 bytes;

5) subj.

P.S. How to debug it? I think the best solution is to inject breakpoints into the exe file. Do you have another idea to share?

  anonymouse     December 3, 2008 10:39.11 CST
Is it a requirement that this be compiled with MSVC and with the /Ox option only, no other compilers acceptable?

I used BCC 5.5 and it seems I have no problems breaking.


00401150 nezhell.main     PUSH    EBP                                                      ; main(v,c)char**c;{for(v[c++]="Hello,world!\n)";(!!c)[*c]&&(v--||--c&&execlp(*c,*c,c[!!c]+!!c,!c));**c=!c)write(!!*c,*c,!!**c);}
00401151                  MOV     EBP, ESP
00401153                  PUSH    EBX
00401154                  PUSH    ESI
00401155                  MOV     EBX, DWORD PTR SS:[EBP+C]
00401158                  MOV     ESI, DWORD PTR SS:[EBP+8]
0040115B                  MOV     DWORD PTR DS:[EBX+ESI*4], nezhell.0040A128
00401162                  ADD     EBX, 4
00401165                  JMP     SHORT nezhell.0040119B
00401167                  /MOV     EAX, DWORD PTR DS:[EBX]
00401169                  |MOVSX   EDX, BYTE PTR DS:[EAX]
0040116C                  |CMP     EDX, 1
0040116F                  |SBB     ECX, ECX
00401171                  |NEG     ECX
00401173                  |CMP     ECX, 1
00401176                  |SBB     EAX, EAX
00401178                  |NEG     EAX
0040117A                  |PUSH    EAX
0040117B                  |PUSH    DWORD PTR DS:[EBX]
0040117D                  |CMP     DWORD PTR DS:[EBX], 0
00401180                  |SETNE   DL
00401183                  |AND     EDX, 1
00401186                  |PUSH    EDX
00401187                  |CALL    nezhell.___org_write
0040118C                  |ADD     ESP, 0C
0040118F                  |TEST    EBX, EBX
00401191                  |SETE    CL
00401194                  |AND     ECX, 1
00401197                  |MOV     EAX, DWORD PTR DS:[EBX]
00401199                  |MOV     BYTE PTR DS:[EAX], CL
0040119B                   TEST    EBX, EBX
0040119D                  |SETNE   DL
004011A0                  |AND     EDX, 1
004011A3                  |MOV     ECX, DWORD PTR DS:[EBX]
004011A5                  |CMP     BYTE PTR DS:[ECX+EDX], 0
004011A9                  |JE      SHORT nezhell.004011EC
004011AB                  |MOV     EAX, ESI
004011AD                  |ADD     ESI, -1
004011B0                  |TEST    EAX, EAX
004011B2                  |JNZ     SHORT nezhell.00401167
004011B4                  |SUB     EBX, 4
004011B7                  |JE      SHORT nezhell.004011EC
004011B9                  |TEST    EBX, EBX
004011BB                  |SETE    DL
004011BE                  |AND     EDX, 1
004011C1                  |PUSH    EDX
004011C2                  |TEST    EBX, EBX
004011C4                  |SETNE   CL
004011C7                  |AND     ECX, 1
004011CA                  |MOV     EAX, DWORD PTR DS:[EBX+ECX*4]
004011CD                  |TEST    EBX, EBX
004011CF                  |SETNE   DL
004011D2                  |AND     EDX, 1
004011D5                  |ADD     EAX, EDX
004011D7                  |PUSH    EAX
004011D8                  |PUSH    DWORD PTR DS:[EBX]
004011DA                  |PUSH    DWORD PTR DS:[EBX]
004011DC                  |CALL    nezhell.___org_execlp
004011E1                  |ADD     ESP, 10
004011E4                  |TEST    EAX, EAX
004011E6                  \JNZ     nezhell.00401167
004011EC                  POP     ESI                                                      ; main(v,c)char**c;{for(v[c++]="Hello,world!\n)";(!!c)[*c]&&(v--||--c&&execlp(*c,*c,c[!!c]+!!c,!c));**c=!c)write(!!*c,*c,!!**c);}
004011ED                  POP     EBX
004011EE                  POP     EBP
004011EF                  RETN


  nezumi     December 5, 2008 12:43.04 CST
anonymouse:
> is it a requirement that this be compiled with msvc
> and with /ox option only no other compilers acceptable ?
> i used bcc 5.5 and it seem i have no problems breaking

Feel free to use any compiler :-)
You can trace the program for a while, but you can't debug it. I mean, the program calls itself (004011DC: CALL nezhell.___org_execlp), thus execlp() is the last function executed under the debugger. Software/hardware breakpoints don't work inside child calls and besides, child calls "escape" out of the debugger. The system creates a new process w/o the DEBUG flag, thus we lose control. Oops!

just try to trace the program to output the whole string (not only to execute a few commands). OllyDbg fails to do it. Soft-Ice for W2K remembers hardware breakpoints, so it works, but Soft-Ice for S2K3 does not support global hardware breakpoints, so it fails to debug the program.

I'm not sure that I found the best solution, maybe there is a plugin or something else to do it easier, but my solution works.

P.S. another example to demonstrate the problem:

main(c, v) char **v;{if (--c) printf(v[1]), execlp(v[0], v[0], &v[1][1], 0);}
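
An added example (not code from the thread): an un-obfuscated rendering of the 1985 program's re-exec loop, plus a pure simulate_chain() (my name, not the page's) that replays the whole chain in one process so the total output and the shrinking argument at each hop can be checked without spawning anything. It assumes POSIX execlp()/write(), as the original does.

```c
#include <string.h>
#include <unistd.h>

/* The string the 1985 program plants in argv[argc]. The trailing ')' is a
 * sentinel that is never printed (copied from the page's literal). */
#define HELLO "Hello,world!\n)"

/* One process's share of the work as a pure function: record the first
 * character of `arg` (the original's write(1, *c, 1)) and return the
 * argument the next exec'd process gets (the original's c[1]+1). NULL
 * means only the sentinel is left, i.e. the original's loop exit. */
static const char *step(const char *arg, char *out, size_t *n)
{
    if (arg[1] == '\0')
        return NULL;
    out[(*n)++] = arg[0];
    return arg + 1;
}

/* Replay the whole chain of exec'd processes in one address space and
 * return everything they would print. The successive `arg` values are
 * exactly the shrinking CommandLine strings in the OllyDbg log above. */
const char *simulate_chain(const char *first_arg)
{
    static char out[64];
    size_t n = 0;
    const char *arg = first_arg;
    while (arg != NULL && n + 1 < sizeof out)
        arg = step(arg, out, &n);
    out[n] = '\0';
    return out;
}

/* Un-obfuscated rendering of the real thing: print one character, then
 * replace this process with a copy of itself that receives the rest.
 * A debugger attached to the first process sees one write and the
 * execlp; every later character is printed by a process it never owned. */
int main(int argc, char **argv)
{
    const char *arg = argc > 1 ? argv[1] : HELLO;
    if (arg[1] == '\0')     /* only the sentinel left: chain finished */
        return 0;
    write(1, arg, 1);
    execlp(argv[0], argv[0], arg + 1, (char *)0);
    return 1;               /* reached only if execlp fails */
}
```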

  anonymouse     December 5, 2008 14:24.27 CST
Well then you can try using the modified command line plugin;
get the latest from my repository (I think the downloads don't hold the latest one)

and use its childdbg function to debug the children in succession.

You can also use WinDbg with its .childdbg command.

Here is a log of a session tracing this with OllyDbg:



Log data
Address    Message
           OllyDbg v1.10
           Bookmarks sample plugin v1.06 (plugin demo)
             Copyright (C) 2001, 2002 Oleh Yuschuk
           Command line plugin v1.10
             Written by Oleh Yuschuk

           Loading function descriptions from 'common.arg'
             Info: Simple .ARG file that decodes ZwSystemDebugControl

           Console file ' nezhell\nezhell.exe'
           New process with ID 000009E0 created
00401000   Main thread with ID 00000A28 created

7C901230   System startup breakpoint
           hello Childdbg Enabled
00401000   Program entry point
7C802367   CALL to CreateProcessA from nezhell.00406E10
             ModuleFileName = " nezhell\nezhell.exe"
             CommandLine = " \nezhell\nezhell.exe ello,world!
)"
             pProcessSecurity = 0012FE2C
             pThreadSecurity = 0012FE2C
             InheritHandles = TRUE
             CreationFlags = 0
             pEnvironment = NULL
             CurrentDir = NULL
             pStartupInfo = 0012FDE8
             pProcessInfo = 0012FDD8
7C80238E   Breakpoint at kernel32.7C80238E (CreateProcessA+27)
77DD0000   Module C:\WINDOWS\system32\ADVAPI32.DLL
           called from cdbg
           Event 00000003 from different process (ID 00000D8C)

Log data
Address    Message
           OllyDbg v1.10
           Command line: -p 3468
           Loading function descriptions from 'common.arg'
             Info: Simple .ARG file that decodes ZwSystemDebugControl

           New process with ID 00000D8C created
           Main thread with ID 00000D90 created
00400000   Module  nezhell\nezhell.exe
             Debugging information (Borland format) available

7C95077B   New thread with ID 00000DD8 created
           Thread 00000DD8 terminated, exit code 0
           hello Childdbg Enabled
7C802367   CALL to CreateProcessA from nezhell.00406E10
             ModuleFileName = " nezhell\nezhell.exe"
             CommandLine = " \nezhell\nezhell.exe llo,world!
)"
             pProcessSecurity = 0012FE2C
             pThreadSecurity = 0012FE2C
             InheritHandles = TRUE
             CreationFlags = 0
             pEnvironment = NULL
             CurrentDir = NULL
             pStartupInfo = 0012FDE8
             pProcessInfo = 0012FDD8
7C80238E   Breakpoint at kernel32.7C80238E (CreateProcessA+27)
77DD0000   Module C:\WINDOWS\system32\ADVAPI32.DLL
           called from cdbg
           Event 00000003 from different process (ID 000002E8)


Log data
Address    Message
           OllyDbg v1.10
           Command line: -p 744
           Loading function descriptions from 'common.arg'
             Info: Simple .ARG file that decodes ZwSystemDebugControl

           New process with ID 000002E8 created
           Main thread with ID 00000508 created
00400000   Module  nezhell\nezhell.exe
             Debugging information (Borland format) available

           hello Childdbg Enabled
7C802367   CALL to CreateProcessA from nezhell.00406E10
             ModuleFileName = " nezhell\nezhell.exe"
             CommandLine = " \nezhell\nezhell.exe lo,world!
)"
             pProcessSecurity = 0012FE2C
             pThreadSecurity = 0012FE2C
             InheritHandles = TRUE
             CreationFlags = 0
             pEnvironment = NULL
             CurrentDir = NULL
             pStartupInfo = 0012FDE8
             pProcessInfo = 0012FDD8
7C80238E   Breakpoint at kernel32.7C80238E (CreateProcessA+27)
77DD0000   Module C:\WINDOWS\system32\ADVAPI32.DLL

Log data, item 0
Message=Event 00000003 from different process (ID 00000CC4)

Log data
Address    Message
           OllyDbg v1.10
           Command line: -p 3268

           New process with ID 00000CC4 created
           Main thread with ID 00000D54 created

           hello Childdbg Enabled
7C802367   CALL to CreateProcessA from nezhell.00406E10
             ModuleFileName = " nezhell\nezhell.exe"
             CommandLine = " \nezhell\nezhell.exe o,world!
)"
             pProcessSecurity = 0012FE2C
             pThreadSecurity = 0012FE2C
             InheritHandles = TRUE
             CreationFlags = 0
             pEnvironment = NULL
             CurrentDir = NULL
             pStartupInfo = 0012FDE8
             pProcessInfo = 0012FDD8
7C80238E   Breakpoint at kernel32.7C80238E (CreateProcessA+27)
77DD0000   Module C:\WINDOWS\system32\ADVAPI32.DLL
Log data, item 0
Message=Event 00000003 from different process (ID 00000ADC)


           New process with ID 00000ADC created
           Main thread with ID 00000704 created

           hello Childdbg Enabled
7C802367   CALL to CreateProcessA from nezhell.00406E10
             ModuleFileName = " nezhell\nezhell.exe"
             CommandLine = " \nezhell\nezhell.exe ,world!
)"
             pProcessSecurity = 0012FE2C
             pThreadSecurity = 0012FE2C
             InheritHandles = TRUE
             CreationFlags = 0
             pEnvironment = NULL
             CurrentDir = NULL
             pStartupInfo = 0012FDE8
             pProcessInfo = 0012FDD8
7C80238E   Breakpoint at kernel32.7C80238E (CreateProcessA+27)
77DD0000   Module C:\WINDOWS\system32\ADVAPI32.DLL
           called from cdbg
           Event 00000003 from different process (ID 000000BC)


           New process with ID 000000BC created
           Main thread with ID 000006CC created

           hello Childdbg Enabled
7C802367   CALL to CreateProcessA from nezhell.00406E10
             ModuleFileName = " nezhell\nezhell.exe"
             CommandLine = " \nezhell\nezhell.exe world!
)"
             pProcessSecurity = 0012FE2C
             pThreadSecurity = 0012FE2C
             InheritHandles = TRUE
             CreationFlags = 0
             pEnvironment = NULL
             CurrentDir = NULL
             pStartupInfo = 0012FDE8
             pProcessInfo = 0012FDD8
7C80238E   Breakpoint at kernel32.7C80238E (CreateProcessA+27)
77DD0000   Module C:\WINDOWS\system32\ADVAPI32.DLL
           called from cdbg
           Event 00000003 from different process (ID 00000C64)




           hello Childdbg Enabled
7C802367   CALL to CreateProcessA from nezhell.00406E10
             ModuleFileName = " nezhell\nezhell.exe"
             CommandLine = " \nezhell\nezhell.exe !
)"
             pProcessSecurity = 0012FE2C
             pThreadSecurity = 0012FE2C
             InheritHandles = TRUE
             CreationFlags = 0
             pEnvironment = NULL
             CurrentDir = NULL
             pStartupInfo = 0012FDE8
             pProcessInfo = 0012FDD8
7C80238E   Breakpoint at kernel32.7C80238E (CreateProcessA+27)
77DD0000   Module C:\WINDOWS\system32\ADVAPI32.DLL


Log data, item 9
Message=  CommandLine = " \nezhell\nezhell.exe
)"



P.S.

There are synchronization problems in this command: if the child loads lots of DLLs, this command fails with dll_init_failure
c0000142. I haven't yet found time to find out why.
