http://www.openrce.org/rss/feeds/blog OpenRCE: The Open Reverse Code Engineering Community Sun, 16 Jan 2011 09:08:46 -0600 https://www.openrce.org/blog/view/1644/Generic_tracer_0.5_beta modest <email-suppressed@example.com> Generic Tracer 0.5 beta is published for testing.<br /> <br /> Among fixes and one small feature (see <a href="http://conus.info/gt/gt05beta/manual/changelog.txt">changelog.txt</a> file), major feature I added is TRACE.<br /> <br /> <b>TRACE</b>: trace each instruction in function and collect all interesting values from registers and memory. After execution, all that information is saved to process.exe.idc, process.exe.txt, process.exe_clear.idc files. .idc-files are IDA scripts, .txt file is grepable by grep, awk and sed.<br /> <br /> For example, let's take add_member function from <a href="http://research.swtch.com/2008/03/using-uninitialized-memory-for-fun-and.html">Using Uninitialized Memory for Fun and Profit</a> article:<br /> <br /> <code><br /> int dense[256];<br /> int dense_next=0;<br /> int sparse[256];<br /> <br /> void add_member(int i)<br /> {<br /> dense[dense_next]=i;<br /> sparse[ i ]=dense_next;<br /> dense_next++;<br /> <br /> };<br /> <br /> int main ()<br /> {<br /> add_member(123);<br /> add_member(5);<br /> add_member(71);<br /> add_member(99);<br /> }<br /> </code><br /> <br /> Let's compile it and run tracing on add_member function (determine function address in IDA before):<br /> <br /> <code>gt -l:trace_test4.exe bpf=0x00401000,trace</code><br /> <br /> We'll get trace_test4.exe.txt file:<br /> <br /> <code><br /> 0x401000, e=&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4<br /> 0x401001, e=&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4<br /> 0x401003, e=&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4, [0x403818]=0..3<br /> 0x401008, e=&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4, [EBP+8]=5, 0x47('G'), 0x63('c'), 0x7b('{')<br /> 0x40100b, e=&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4, ECX=5, 0x47('G'), 0x63('c'), 0x7b('{')<br /> 0x401012, e=&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4, [EBP+8]=5, 0x47('G'), 0x63('c'), 0x7b('{')<br /> 0x401015, e=&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4, [0x403818]=0..3<br /> 0x40101a, e=&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4, EAX=0..3<br /> 0x401021, e=&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4, [0x403818]=0..3<br /> 0x401027, e=&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4, ECX=0..3<br /> 0x40102a, e=&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4, ECX=1..4<br /> 0x401030, e=&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4<br /> 0x401031, e=&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4, EAX=0..3<br /> </code><br /> <br /> <i>e</i> field in how many times was executed this instruction.<br /> <br /> Let's execute trace_test4.exe.idc script in IDA and we'll see:<br /> <br /> <img src="http://conus.info/gt/gt05beta/manual/trace_test4.png" border=0 align=""><br /> <br /> Now it is much simpler to understand how this function work during execution.<br /> <br /> Executed instructions are highlighed by blue color. Not-executed instructions are leaved white.<br /> <br /> If you need to clear all comments and highlight, execute trace_test4.exe_clear.idc script.<br /> <br /> All collected information in IDA-script may be reduced to shorten form like <i>EAX=[ 64 unique items. min=0xbca6eb7, max=0xffffffed ]</i> (because IDA has comment size limitation). On contrary, everything is saved to text file without shortening, that is why resulting text file may be sometimes pretty big.<br /> <br /> One problem of TRACE feature that it is slow, however, functions from system DLLs are skipped (system DLL is that DLL residing in %SystemRoot%) Another problem is that things like exceptions, setjmp/longjmp and other unexpected codeflow alterations are not correctly handled so far.<br /> <br /> One more problem is that this feature is only available in x86 (because only x86-disassembler currently present in gt project)<br /> <br /> <a href="http://conus.info/gt/gt05beta/manual/gt.html#bpf_ex_trace">More examples</a><br /> <br /> <a href="http://conus.info/gt/gt05beta/gt05beta.rar">Download gt executables, source code and manuals.</a><br /> Tue, 07 Dec 2010 08:55:43 -0600 https://www.openrce.org/blog/view/1632/Making_C_compiler_generate_obfuscated_code modest <email-suppressed@example.com> A customer of mine asked whether it is possible to protect his software from reverse engineering. I <a href="http://stackoverflow.com/questions/4111808/c-c-compiler-generating-obfuscated-code">didn't found</a> any C/C++ compiler which was able to produce obfuscated code making it hard to reverse engineer and complicate the use of such tools as <a href="http://www.hex-rays.com/decompiler.shtml">Hex-Rays Decompiler</a>, so I made a little attempt to hack <a href="http://bellard.org/tcc/">Tiny C</a> compiler's codegenerator.<br /> <br /> I patched it so it produces a lot of random noise code between effective code. Of course, resulting code will work much slower. But in real life, we can obfuscate only critical parts of code containing algorithms we don't want to be easily leaked. Of course, it is virtually impossible to protect any code from reverse engineering, but it is possible to make it much more difficult.<br /> <br /> Example: simple function:<br /> <br /> <code><br /> int a (int a, int b)<br /> {<br /> return a + b * 4;<br /> };<br /> </code><br /> <br /> On output...<br /> <br /> <code><br /> a&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; proc near<br /> <br /> var_CD500B&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;= byte ptr -0CD500Bh<br /> arg_0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = dword ptr&nbsp;&nbsp;8<br /> arg_4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = dword ptr&nbsp;&nbsp;0Ch<br /> arg_1D364BDE&nbsp;&nbsp;&nbsp;&nbsp;= byte ptr&nbsp;&nbsp;1D364BE6h<br /> <br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;nop<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;push&nbsp;&nbsp;&nbsp;&nbsp;ebp<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mov&nbsp;&nbsp;&nbsp;&nbsp; ebp, esp<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;sub&nbsp;&nbsp;&nbsp;&nbsp; esp, 0<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;nop<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;xor&nbsp;&nbsp;&nbsp;&nbsp; eax, ebx<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mov&nbsp;&nbsp;&nbsp;&nbsp; eax, 99B7A34Ah<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mov&nbsp;&nbsp;&nbsp;&nbsp; eax, 0EC06E7ACh<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;lea&nbsp;&nbsp;&nbsp;&nbsp; edx, [esi+63h]<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mov&nbsp;&nbsp;&nbsp;&nbsp; ebx, [ebp+arg_0]<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;and&nbsp;&nbsp;&nbsp;&nbsp; ebx, ebx<br /> <br /> loc_800001F:<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;lea&nbsp;&nbsp;&nbsp;&nbsp; ebx, [ebp+arg_1D364BDE]<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mov&nbsp;&nbsp;&nbsp;&nbsp; ebx, 9EF81F3Eh<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;lea&nbsp;&nbsp;&nbsp;&nbsp; eax, [ebx+3Eh]<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;lea&nbsp;&nbsp;&nbsp;&nbsp; ecx, [esi]<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mov&nbsp;&nbsp;&nbsp;&nbsp; eax, 0FD6D5D47h<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;sub&nbsp;&nbsp;&nbsp;&nbsp; ebx, edx<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;lea&nbsp;&nbsp;&nbsp;&nbsp; ecx, [ebp+var_CD500B]<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;lea&nbsp;&nbsp;&nbsp;&nbsp; ecx, [eax]<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mov&nbsp;&nbsp;&nbsp;&nbsp; eax, [ebp+arg_4] ; *<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;shl&nbsp;&nbsp;&nbsp;&nbsp; eax, 2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;; *<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mov&nbsp;&nbsp;&nbsp;&nbsp; ecx, eax<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;adc&nbsp;&nbsp;&nbsp;&nbsp; ecx, edx<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mov&nbsp;&nbsp;&nbsp;&nbsp; ecx, [ebp+arg_0]<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;adc&nbsp;&nbsp;&nbsp;&nbsp; ecx, ecx<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;sub&nbsp;&nbsp;&nbsp;&nbsp; edx, ecx<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;sub&nbsp;&nbsp;&nbsp;&nbsp; edx, eax<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;lea&nbsp;&nbsp;&nbsp;&nbsp; ebx, [esp+ecx*8]<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mov&nbsp;&nbsp;&nbsp;&nbsp; ecx, 29262C66h<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mov&nbsp;&nbsp;&nbsp;&nbsp; ebx, 0CC18D2C4h<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mov&nbsp;&nbsp;&nbsp;&nbsp; ebx, 0FDB56490h<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mov&nbsp;&nbsp;&nbsp;&nbsp; ecx, 9E709D5Eh<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mov&nbsp;&nbsp;&nbsp;&nbsp; ecx, 73805EBFh<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mov&nbsp;&nbsp;&nbsp;&nbsp; ecx, eax<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;or&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;ecx, eax<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mov&nbsp;&nbsp;&nbsp;&nbsp; ebx, 7339AD0Eh<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mov&nbsp;&nbsp;&nbsp;&nbsp; edx, 2CA8725Ah<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;lea&nbsp;&nbsp;&nbsp;&nbsp; edx, [edi+esi*8]<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mov&nbsp;&nbsp;&nbsp;&nbsp; ebx, 87684A89h<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mov&nbsp;&nbsp;&nbsp;&nbsp; ebx, 52A74759h<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;xor&nbsp;&nbsp;&nbsp;&nbsp; edx, edx<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;jnz&nbsp;&nbsp;&nbsp;&nbsp; short loc_800001F<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mov&nbsp;&nbsp;&nbsp;&nbsp; ebx, 0CCA90613h<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;sub&nbsp;&nbsp;&nbsp;&nbsp; ecx, eax<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mov&nbsp;&nbsp;&nbsp;&nbsp; ecx, 0C6699FDh<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mov&nbsp;&nbsp;&nbsp;&nbsp; ebx, 0A8B272A1h<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mov&nbsp;&nbsp;&nbsp;&nbsp; ebx, eax<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;sbb&nbsp;&nbsp;&nbsp;&nbsp; ebx, ebx<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mov&nbsp;&nbsp;&nbsp;&nbsp; ecx, [ebp+arg_0] ; *<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;add&nbsp;&nbsp;&nbsp;&nbsp; ecx, eax&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;; *<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;or&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;edx, ebx<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mov&nbsp;&nbsp;&nbsp;&nbsp; edx, 47257B14h<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mov&nbsp;&nbsp;&nbsp;&nbsp; edx, ecx<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;add&nbsp;&nbsp;&nbsp;&nbsp; edx, edx<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mov&nbsp;&nbsp;&nbsp;&nbsp; eax, 9E3E878Ah<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mov&nbsp;&nbsp;&nbsp;&nbsp; ebx, 0DAB5E429h<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mov&nbsp;&nbsp;&nbsp;&nbsp; edx, 0ABFDB94Eh<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;adc&nbsp;&nbsp;&nbsp;&nbsp; eax, ebx<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;add&nbsp;&nbsp;&nbsp;&nbsp; edx, ebx<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;lea&nbsp;&nbsp;&nbsp;&nbsp; edx, [ebx+75A1EF29h]<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;or&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;edx, edx<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mov&nbsp;&nbsp;&nbsp;&nbsp; eax, ecx&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;; *<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;jmp&nbsp;&nbsp;&nbsp;&nbsp; $+5<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;leave<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;pop&nbsp;&nbsp;&nbsp;&nbsp; ebx<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;jmp&nbsp;&nbsp;&nbsp;&nbsp; ebx<br /> a&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; endp<br /> </code><br /> <br /> (effective code marked with asterisk)<br /> <br /> One funny thing is that now the compiler uses random number generator. <i>Almost all good computer programs contain at least one random-number generator.</i> (<a href="http://fortunes.cat-v.org/plan_9/">fortune file</a> in plan 9 OS).<br /> <br /> Here is also my <a href="http://crackmes.de/users/yonkie/yonkies_keygenme_4/">crackme</a> I created for testing. It was eventually reversed, though.<br /> <br /> For those who are interested:<br /> <a href="http://conus.info/stuff/tcc-obfuscate/tcc-0.9.25-diff">Patch for Tiny C version 0.9.25</a><br /> <a href="http://conus.info/stuff/tcc-obfuscate/tcc-0.9.25-my-src.rar">Full source code patched</a><br /> <a href="http://conus.info/stuff/tcc-obfuscate/tcc-0.9.25-my-win32-bin.zip">Tiny C 0.9.25 patched win32 executables</a> Sat, 12 Jun 2010 16:44:34 -0500 https://www.openrce.org/blog/view/1561/Generic_tracer_0.4 modest <email-suppressed@example.com> New version is out.<br /> <br /> changelog:<br /> <br /> * FPU registers support at BPX breakpoint <br /> new command line options: <br /> -fpu_always - always show FPU registers at BPX breakpoint <br /> -fpu_never&nbsp;&nbsp;- never show FPU registers at BPX breakpoint <br /> In SET option of BPX command now it is possible to use FPU registers: <br /> ST0..ST7, for example: <br /> bpx=program.exe!address,set(st0,123.4) <br /> Remember: gt never modify FPU tag word registor as well as not modify <br /> TOP register, so, if some register was marked as &quot;empty&quot; and gt set <br /> some value there, it will remain marked &quot;empty&quot;. <br /> if the float-point number is also NaN, MMX register contents will be <br /> dumped too <br /> new command line option: <br /> -dump_xmm - dump XMM registers state at BPX breakpoint <br /> * now we attach to all processes with process name specified <br /> * symbol defined in address can also contain &quot;+ofs&quot; suffix, where <br /> &quot;ofs&quot; is decimal or hexadecimal number with &quot;0x&quot; prefix <br /> for example: &quot;bpx=kernel32.dll!writefile+0x5&quot; or &quot;bpx=file.exe!base <br /> +0x1234&quot; where base is PE file base. <br /> * PDB files support. <br /> compile your program with /Zi option in MSVC and get PDB debug file <br /> for it <br /> <br /> ===<br /> <br /> gt is command-line utility for performing simple debugging tasks.<br /> <br /> Major features:<br /> <br /> *Set breakpoint on function execution, track function arguments and result.<br /> *Set breakpoint on arbitrary point, track CPU registers state and alter them.<br /> *Set breakpoint on memory cell access and track all accesses to it.<br /> Minor features:<br /> <br /> *Set breakpoint by address, symbol name or bytemask.<br /> *Unicode string detection in function arguments.<br /> *Both x86 and x64 support.<br /> *Oracle RDBMS .SYM files support.<br /> *Source code included.<br /> <br /> Homepage (manual, downloads..)<br /> <a href="http://conus.info/gt/">http://conus.info/gt/</a> Sat, 05 Dec 2009 02:56:40 -0600 https://www.openrce.org/blog/view/1526/Generitc_tracer_0.3 modest <email-suppressed@example.com> New version is out.<br /> <br /> gt is command-line utility for performing simple debugging tasks.<br /> <br /> Major features:<br /> <br /> *Set breakpoint on function execution, track function arguments and result.<br /> *Set breakpoint on arbitrary point, track CPU registers state and alter them.<br /> *Set breakpoint on memory cell access and track all accesses to it.<br /> Minor features:<br /> <br /> *Set breakpoint by address, symbol name or bytemask.<br /> *Unicode string detection in function arguments.<br /> *Both x86 and x64 support.<br /> *Oracle RDBMS .SYM files support.<br /> *Source code included.<br /> <br /> Homepage (manual, downloads..)<br /> <a href="http://conus.info/gt/">http://conus.info/gt/</a> Sun, 24 May 2009 08:54:29 -0500 https://www.openrce.org/blog/view/1456/generic_tracer modest <email-suppressed@example.com> generic tracer - extremely simple win32 tracer<br /> <br /> * Main features:<br /> <br /> 1) Setting breakpoint at any function, monitoring its arguments and return value.<br /> 2) Monitoring global variables access.<br /> <br /> In a way, it is a kind strace utility.<br /> <br /> Significant differences vs strace are:<br /> <br /> 1) gt is Win32 only.<br /> 2) Breakpoints not just system calls, but any function.<br /> 3) Only 4 breakpoints, because of x86 architecture limitation.<br /> 4) Usage of Oracle .SYM files: ORACLE_HOME should be defined in environment.<br /> <br /> Homepage:<br /> <a href="http://conus.info/gt/">http://conus.info/gt/</a><br /> Readme file:<br /> <a href="http://conus.info/gt/gt.txt">http://conus.info/gt/gt.txt</a><br />