7 replies to this topic

[JMC31337]

anyone care to add insight? and help me perfect far call return in a protected memory model OS??
placed as many anti-debug and red pill anti vmaware tricks i've come across
rogue bytes
impossible disassembly (thats what the books call some opcodes)

#include <windows.h>
//link with -masm=intel
asm(".intel_syntax noprefix");

static long csx;

asm("_farcall:");
asm("rdtsc");// (says how long has it been since LAST BOOT store value in eax)
asm("xor ecx,ecx"); //   (clear that register to 0)
asm("add ecx,eax");//  (place the value of eax into ecx [eax is the time]
asm("rdtsc");   //(run it again)
asm("sub eax,ecx");//   (since the new timer value is in eax we subtract the new from the old)
asm("cmp eax,0x0FFF");
asm("jb beginning2+7");// (compare that, if its below the value of 0xFFF then NO DEBUG)
asm("rdtsc");
asm("push eax");
asm("lret");
asm("mov eax, fs:0x30");
asm("mov eax,dword ptr [eax+0x18]");
asm("cmp dword ptr ds:[eax+0x10],0");
asm("jne Debugged");
asm("mov edx,byte ptr [beginning2-12]");
asm("cmp byte ptr edx,0x90");
asm("jne beginning2+7");
asm("beginning2:");
asm("mov ax,0x05EB");
asm("xor eax,eax");
asm("jz beginning2");
asm("push ebp");
asm("mov ebp,esp");
asm("sub esp,8");
asm("push 0");
asm("push 0");
asm("push 0");
asm("push 0");
asm("call _MessageBoxA@16");
asm("pop ebp");
asm("pop ebp");
asm("pop ebp");
//RETURN FAR
asm("lret");

int main(void)
{
OutputDebugString("%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s");
SetLastError(0x00012345);
OutputDebugString("~~~~~~");
if (GetLastError() == 0x00012345)
goto Debugged;
else
asm("rdtsc");// (says how long has it been since LAST BOOT store value in eax)
asm("xor ecx,ecx"); //   (clear that register to 0)
asm("add ecx,eax");//  (place the value of eax into ecx [eax is the time]
asm("rdtsc");   //(run it again)
asm("sub eax,ecx");//   (since the new timer value is in eax we subtract the new from the old)
asm("cmp eax,0x0FFF");
asm("jb beginning+7");// (compare that, if its below the value of 0xFFF then NO DEBUG)
asm("rdtsc");
asm("push eax");
asm("lret");
asm("mov eax, fs:0x30");
asm("mov eax,dword ptr [eax+0x18]");
asm("cmp dword ptr ds:[eax+0x10],0");
asm("jne Debugged");
asm("mov edx,byte ptr [beginning-12]");
asm("cmp byte ptr edx,0x90");
asm("jne beginning+7");
asm("beginning:");
asm("mov ax,0x05EB");
asm("xor eax,eax");
asm("jz beginning");
asm("pop ebp");
asm("pop ebp");
asm("pop ebp");
asm("mov edx,[esp]");
asm("sub edx,0x3D");
asm("mov dword ptr [_csx],edx");
asm("push cs");
asm("mov edx,[esp]");
asm("mov [_csx+4],dx");
asm("push ds");
asm("lcall [_csx]");
asm("push 0");
asm("Debugged:");
Debugged:
asm("call _ExitProcess@4");
return 0;
}

and if i didnt place the exitprocess and started playin with the ebp i got this bang exploitable report:

(fe4.5bc): Unknown exception - code c0000096 (first chance)
(fe4.5bc): Unknown exception - code c0000096 (!!! second chance !!!)
eax=00000000 ebx=00004000 ecx=7c910060 edx=00240608 esi=00dcf73e edi=00dcf6ee eip=003e2dec esp=003e2cd5 ebp=003e2d90 iopl=0
nv up ei ng nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000297
003e2dec 6f outs dx,dword ptr [esi] ds:0023:00dcf73e=????????
0:000> !load msec
0:000> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Privileged Instruction Violation starting at Unknown Symbol @ 0x00000000003e2dec (Hash=0x6e05193a.0x7505193a)

A privileged instruction exception indicates that the attacker controls execution flow.

Edited by JMC31337, 25 April 2012 - 03:19 PM.

[deepzero]

if (GetLastError() == 0x00012345)
goto Debugged;

NO.
Please use

if(...)
{}
else
{}

beginning+7

NO.
use 2 labels.
It also makes no sense to jump to the label beginning directly, as eax will always be xored.

asm("pop ebp");

where do these pops come from?


Lastly, make sure to place all your inline asm in one area:

asm{
mov eax,1
mov ebx,2
mo esi,3
...
}

Os, compiler,...?

Edited by deepzero, 25 April 2012 - 11:19 PM.

[ghandi]

The way they're broken into single lines and each line is wrapped with double quotation marks looks similar to GCC/GAS but there are no '%', which i've normally seen as well in that syntax. Also, it has at its header a mention to link it with MASM with something which looks like a commandline switch:

//link with -masm=intel
asm(".intel_syntax noprefix");

I know everybody has their own preferences but i do wonder why people insist on coding things in assembler via a higher language when they still make the assemblers and it is trivial to link object files to a project? It honestly seems more work sometimes than working with both assembler and compiler.

HR,
Ghandi

[BLaCkViRuS]

OutputDebugString("%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s");<<<< this method is very old.almost all debugers(olly debugger different editions)fix it

[JMC31337]

asm("pop ebp");

where do these pops come from?

if i dont pop the base pointer 3 times it wont display the error messagebox i used to test the far call far return out...
before the call and after it...

everything else you mentioned i will work on....

Edited by JMC31337, 26 April 2012 - 09:13 AM.

[JMC31337]

OutputDebugString("%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s");<<<< this method is very old.almost all debugers(olly debugger different editions)fix it

yea, yea it is isnt it..

[JMC31337]

The way they're broken into single lines and each line is wrapped with double quotation marks looks similar to GCC/GAS but there are no '%', which i've normally seen as well in that syntax. Also, it has at its header a mention to link it with MASM with something which looks like a commandline switch:



I know everybody has their own preferences but i do wonder why people insist on coding things in assembler via a higher language when they still make the assemblers and it is trivial to link object files to a project? It honestly seems more work sometimes than working with both assembler and compiler.

HR,
Ghandi

because the public terminal wont allow me to access console, command.com 16 bit, thats different.. but no cmd 32 bit... and i am too lazy to write a C++ code to shellexecute tasm32 with parameters and try it... and the forum wouldnt lemme add backslash - n backslash - t to the end of all the asm lines... those were needed under Dev-C++

Edited by JMC31337, 26 April 2012 - 09:19 AM.

[Peter Ferrie]

if i dont pop the base pointer 3 times it wont display the error messagebox i used to test the far call far return out...
before the call and after it...

That's because you create a stack frame inside the function (push ebp/mov ebp,esp/sub esp,8) which you don't really need.