Help Me About Plugin Importrec, And Converting Asm Source...

Hi, is there anyone who will help me with how to do this?

I was converting an asm source...

Original source:

; NTkrnl protector 0.1 plugin tracer for impREC
; bpx^2k7
format PE GUI 4.0 DLL
entry e
include 'c:\fasm32\include\win32a.inc'
section '.code' code readable executable
e:                                      ; DLL Entrypoint
        xor eax,eax
        inc eax
        ret 12
Trace:
        push ebp
        mov ebp,esp
        push ebx
        push esi
        invoke MapViewOfFile, dword [ebp+4+4], FILE_MAP_READ or FILE_MAP_WRITE, 0, 0, 0
        mov esi, eax                    ; We put our found proc in this map
        mov ebx, dword [ebp+16+4]
        invoke IsBadReadPtr, ebx, 4     ; Is this a valid thunk we are tracing ?
        test eax, eax
        jz ptr_ok1
        jmp end2
ptr_ok1:
        cmp dword [ebx],0000E860h       ; Look for ntkrnl signature
        je ptr_ok2
        jmp end2
ptr_ok2:
        mov word [ebx+35h],9090h        ; nop jmp eax
        call ebx                        ; call redirector proc [eax now contains real API!]
        mov ebx, esi
        mov dword [ebx], eax
end2:
        invoke UnmapViewOfFile, esi     ; Write changes
        invoke CloseHandle, dword [ebp+4+4]
        pop esi
        pop ebx
        mov eax,200
        leave
        ret 20
section '.idata' import data readable writeable
library kernel,'KERNEL32.DLL'
import kernel,\
       MapViewOfFile,'MapViewOfFile',\
       UnmapViewOfFile,'UnmapViewOfFile',\
       CloseHandle,'CloseHandle',\
       IsBadReadPtr,'IsBadReadPtr'
section '.edata' export data readable
export 'nt_krnlprotect_0_1.dll',\
       Trace,'Trace'
section '.reloc' fixups data discardable

My source:

.486                 ; set processor model
.model flat, stdcall ; default STDCALL calling convention
option casemap :none ; always use the case sensitive option

include e:\masm32\include\windows.inc
include e:\masm32\include\kernel32.inc
include e:\masm32\macros\macros.asm

includelib e:\masm32\lib\kernel32.lib

Trace PROTO STDCALL :DWORD,:DWORD,:DWORD,:DWORD,:DWORD

.data?
hInstance dd ?

.code

LibMain proc hInstDLL:DWORD, reason:DWORD, unused:DWORD
    xor eax, eax
    inc eax
    ret
LibMain endp

Trace proc hFileMap:DWORD, dwSizeMap:DWORD, dwTimeOut:DWORD, dwToTrace:DWORD, dwExactCall:DWORD
    invoke MapViewOfFile, hFileMap, FILE_MAP_ALL_ACCESS, 0, 0, dwSizeMap
    test eax, eax
    je error1
    mov esi, eax
    mov ebx, dwToTrace
    invoke IsBadReadPtr, ebx, 4
    test eax, eax
    jne error2
    mov esi, eax
    cmp dword ptr [ebx], 0E860h
    jne error3
    mov word ptr [ebx+35h], 9090h
    call ebx
    mov ebx, esi
    mov dword ptr [ebx], eax
    mov eax, 200
    jmp abis
error1:
    mov eax, 201
    jmp abis
error2:
    mov eax, 202
    jmp abis
error3:
    mov eax, 203
abis:
    invoke UnmapViewOfFile, hFileMap ; Write changes
    invoke CloseHandle, hFileMap
    ret
Trace endp

end LibMain

The problem is, the original code can run (maybe; I had never tested it before, because I don't have that compiler :teehee: ) and my code always returns an error...

I'm sure I was following that direction... where is my mistake? :2:

-

And how do I debug ImportRec when the Trace function is called, so I can debug where I'm making a mistake?

Sorry for my bad English :D

:wub:

Where have you lost push ebx, push esi? But the real problem is you don't think: mov eax,200, jmp abis? And then CloseHandle and UnmapView, which change eax. Man, think again.
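The two points in the reply above, written out as an added example. This is not the poster's code and not the plugin author's FASM original; it keeps the poster's parameter names, status codes and e:\masm32 paths (assumed to match the poster's setup) and changes three things: `uses ebx esi` makes MASM emit the push/pop pair the poster dropped, the status code lives in a local (`dwStatus`, a name chosen here) and is loaded into eax only after UnmapViewOfFile and CloseHandle have run, and the view pointer rather than the mapping handle is what gets unmapped, as in the FASM original.

```asm
; Added example: the poster's Trace export with the register and
; return-value problems from the reply fixed.  Not the original code.
.486
.model flat, stdcall
option casemap :none

include e:\masm32\include\windows.inc      ; paths assumed, as in the post
include e:\masm32\include\kernel32.inc
includelib e:\masm32\lib\kernel32.lib

.code

LibMain proc hInstDLL:DWORD, reason:DWORD, unused:DWORD
    mov eax, 1                  ; TRUE: keep the DLL loaded
    ret
LibMain endp

; "uses ebx esi" makes the assembler push ebx/esi in the prologue and
; pop them in the epilogue; ImportREC expects stdcall, which treats both
; as callee-saved.
Trace proc uses ebx esi hFileMap:DWORD, dwSizeMap:DWORD, dwTimeOut:DWORD, dwToTrace:DWORD, dwExactCall:DWORD
    LOCAL dwStatus:DWORD        ; result code, kept away from eax until the end
    LOCAL pView:DWORD           ; base of the shared map, 0 if mapping failed

    mov pView, 0
    mov dwStatus, 201           ; assume "map failed" until mapping succeeds
    invoke MapViewOfFile, hFileMap, FILE_MAP_ALL_ACCESS, 0, 0, dwSizeMap
    test eax, eax
    jz cleanup
    mov pView, eax
    mov esi, eax                ; esi = slot in the map that receives the result

    mov dwStatus, 202           ; "thunk unreadable" unless the check passes
    mov ebx, dwToTrace          ; ebx = thunk ImportREC asked us to trace
    invoke IsBadReadPtr, ebx, 4
    test eax, eax
    jnz cleanup                 ; nonzero = not readable
    ; esi is deliberately NOT reloaded from eax here (the poster's stray
    ; "mov esi, eax" zeroed it, so the later store went to address 0)

    mov dwStatus, 203           ; "no signature" unless the compare passes
    cmp dword ptr [ebx], 0E860h ; redirector signature from the FASM original
    jne cleanup

    mov word ptr [ebx+35h], 9090h   ; nop out the tail "jmp eax"
    call ebx                        ; stub now returns with eax = real API
    mov dword ptr [esi], eax        ; hand it back through the shared map
    mov dwStatus, 200               ; success

cleanup:
    mov eax, pView
    test eax, eax
    jz no_view
    invoke UnmapViewOfFile, pView   ; unmap the view pointer, not the handle
no_view:
    invoke CloseHandle, hFileMap    ; both calls overwrite eax ...
    mov eax, dwStatus               ; ... so the status is reloaded afterwards
    ret
Trace endp

end LibMain
```

The poster's version set eax to 200 and then made two API calls before returning, so ImportREC saw whatever CloseHandle left in eax, never the status code; keeping the code in a local and loading it as the last instruction before `ret` is the general fix for any stdcall export that has cleanup to do.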
