JMC31337 Posted April 25, 2012 (edited)

Anyone care to add insight and help me perfect a far call / far return in a protected-memory-model OS? I placed as many anti-debug and red-pill anti-VMware tricks as I've come across: rogue bytes, impossible disassembly (that's what the books call some opcodes).

#include <windows.h>
// compile with -masm=intel
asm(".intel_syntax noprefix");
static unsigned char csx[6];  // 16:32 far pointer: 4-byte offset, then 2-byte selector (a 'long' is too small for the write at [_csx+4])

asm("_farcall:");
asm("rdtsc");                          // timestamp counter since reset, low dword in eax
asm("xor ecx,ecx");                    // clear ecx
asm("add ecx,eax");                    // ecx = first reading
asm("rdtsc");                          // read it again
asm("sub eax,ecx");                    // eax = new reading minus old reading
asm("cmp eax,0x0FFF");
asm("jb beginning2+7");                // delta below 0xFFF: no debugger, jump into the middle of an instruction
asm("rdtsc");
asm("push eax");
asm("lret");
asm("mov eax, fs:0x30");               // PEB
asm("mov eax,dword ptr [eax+0x18]");   // PEB->ProcessHeap
asm("cmp dword ptr ds:[eax+0x10],0");  // heap flags a debugger sets
asm("jne Debugged");
asm("movzx edx,byte ptr [beginning2-12]");  // read one byte ('mov edx,byte ptr' was an operand-size mismatch)
asm("cmp dl,0x90");                    // patched to NOP?
asm("jne beginning2+7");
asm("beginning2:");
asm("mov ax,0x05EB");                  // rogue bytes: EB 05 is 'jmp short +5' when entered mid-instruction
asm("xor eax,eax");
asm("jz beginning2");
asm("push ebp");
asm("mov ebp,esp");
asm("sub esp,8");
asm("push 0");
asm("push 0");
asm("push 0");
asm("push 0");
asm("call _MessageBoxA@16");
asm("pop ebp");
asm("pop ebp");
asm("pop ebp");
// RETURN FAR
asm("lret");

int main(void)
{
    OutputDebugString("%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s");
    SetLastError(0x00012345);
    OutputDebugString("~~~~~~");
    if (GetLastError() == 0x00012345)
        goto Debugged;
    else
        asm("rdtsc");                      // only this statement is in the else branch; the rest runs unconditionally
    asm("xor ecx,ecx");                    // clear ecx
    asm("add ecx,eax");                    // ecx = first reading
    asm("rdtsc");                          // read it again
    asm("sub eax,ecx");                    // eax = new reading minus old reading
    asm("cmp eax,0x0FFF");
    asm("jb beginning+7");                 // delta below 0xFFF: no debugger
    asm("rdtsc");
    asm("push eax");
    asm("lret");
    asm("mov eax, fs:0x30");               // PEB
    asm("mov eax,dword ptr [eax+0x18]");   // PEB->ProcessHeap
    asm("cmp dword ptr ds:[eax+0x10],0");
    asm("jne Debugged");
    asm("movzx edx,byte ptr [beginning-12]");
    asm("cmp dl,0x90");
    asm("jne beginning+7");
    asm("beginning:");
    asm("mov ax,0x05EB");
    asm("xor eax,eax");
    asm("jz beginning");
    asm("pop ebp");
    asm("pop ebp");
    asm("pop ebp");
    asm("mov edx,[esp]");
    asm("sub edx,0x3D");
    asm("mov dword ptr [_csx],edx");       // far pointer offset
    asm("push cs");
    asm("mov edx,[esp]");
    asm("mov [_csx+4],dx");                // far pointer selector
    asm("push ds");
    asm("lcall [_csx]");
    asm("push 0");
    asm("Debugged:");
Debugged:
    asm("call _ExitProcess@4");
    return 0;
}

And if I didn't place the ExitProcess and started playing with the ebp, I got this !exploitable report:

(fe4.5bc): Unknown exception - code c0000096 (first chance)
(fe4.5bc): Unknown exception - code c0000096 (!!! second chance !!!)
eax=00000000 ebx=00004000 ecx=7c910060 edx=00240608 esi=00dcf73e edi=00dcf6ee
eip=003e2dec esp=003e2cd5 ebp=003e2d90 iopl=0 nv up ei ng nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000297
003e2dec 6f outs dx,dword ptr [esi] ds:0023:00dcf73e=????????
0:000> !load msec
0:000> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Privileged Instruction Violation starting at Unknown Symbol @ 0x00000000003e2dec (Hash=0x6e05193a.0x7505193a)
A privileged instruction exception indicates that the attacker controls execution flow.

Edited April 25, 2012 by JMC31337
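A defender-side companion to the listing above, added here as an example and not JMC31337's code: a small static triage script that looks for the byte patterns of the tricks in the post (two rdtsc reads close together, the fs:[0x30] PEB walk, a short jump hidden in the immediate of mov ax, and long runs of %s) in a raw code or data blob. It assumes 32-bit x86 code and the 32-bit PEB layout (ProcessHeap at PEB+0x18); the sample buffer is hand-assembled for the demonstration and is not taken from a real binary.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Byte patterns for the 32-bit x86 idioms used in the listing (assumption: 32-bit code).
RDTSC = b"\x0f\x31"                          # rdtsc
MOV_EAX_FS30 = b"\x64\xa1\x30\x00\x00\x00"   # mov eax, fs:[0x30]   (PEB pointer)
MOV_EAX_PEB18 = b"\x8b\x40\x18"              # mov eax, [eax+0x18]  (PEB->ProcessHeap, 32-bit layout)
MOV_AX_IMM16 = b"\x66\xb8"                   # mov ax, imm16        (rogue-byte carrier)
FMT_RUN = re.compile(rb"(?:%s){8,}")          # long %s runs, the OutputDebugString trick


@dataclass
class Finding:
    offset: int
    kind: str
    detail: str


def find_rdtsc_pairs(code: bytes, window: int = 64) -> list[Finding]:
    """Two rdtsc within `window` bytes: the delta-timing check from the post."""
    pos = [m.start() for m in re.finditer(re.escape(RDTSC), code)]
    return [Finding(a, "rdtsc-timing", f"second rdtsc at +{b - a}")
            for a, b in zip(pos, pos[1:]) if b - a <= window]


def find_peb_access(code: bytes) -> list[Finding]:
    """mov eax, fs:[0x30]; note whether the ProcessHeap walk follows within 8 bytes."""
    out = []
    for m in re.finditer(re.escape(MOV_EAX_FS30), code):
        tail = code[m.end():m.end() + 8]
        detail = "PEB read; ProcessHeap follow-up" if MOV_EAX_PEB18 in tail else "PEB read"
        out.append(Finding(m.start(), "peb-access", detail))
    return out


def find_hidden_short_jumps(code: bytes) -> list[Finding]:
    """mov ax, imm16 whose immediate starts with EB: a 'jmp short' hidden in the operand."""
    out = []
    for m in re.finditer(re.escape(MOV_AX_IMM16), code):
        imm = code[m.end():m.end() + 2]
        if len(imm) == 2 and imm[0] == 0xEB:
            rel = int.from_bytes(imm[1:2], "little", signed=True)
            out.append(Finding(m.start(), "hidden-jmp",
                               f"jmp short {rel:+d} hidden in mov ax,0x{imm[1]:02X}EB"))
    return out


def find_format_string_runs(data: bytes) -> list[Finding]:
    """Runs of eight or more %s, as in the OutputDebugString call in the post."""
    return [Finding(m.start(), "odbgstr-fmt", f"{len(m.group()) // 2} x %s")
            for m in FMT_RUN.finditer(data)]


def scan(data: bytes) -> list[Finding]:
    """Run every detector over a raw blob; results are ordered by offset."""
    found = (find_rdtsc_pairs(data) + find_peb_access(data)
             + find_hidden_short_jumps(data) + find_format_string_runs(data))
    return sorted(found, key=lambda f: f.offset)


# Constructed sample (hand-assembled, not from a real binary): the post's timing check,
# PEB walk, rogue mov ax, and a %s run as it would sit in .rdata.
SAMPLE = (
    b"\x0f\x31"                  # rdtsc
    b"\x31\xc9"                  # xor ecx, ecx
    b"\x01\xc1"                  # add ecx, eax
    b"\x0f\x31"                  # rdtsc
    b"\x29\xc8"                  # sub eax, ecx
    b"\x3d\xff\x0f\x00\x00"      # cmp eax, 0xFFF
    b"\x64\xa1\x30\x00\x00\x00"  # mov eax, fs:[0x30]
    b"\x8b\x40\x18"              # mov eax, [eax+0x18]
    b"\x66\xb8\xeb\x05"          # mov ax, 0x05EB
    b"\x31\xc0"                  # xor eax, eax
    b"%s%s%s%s%s%s%s%s%s%s"      # ten %s
)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.offset:#06x}  {f.kind:<14} {f.detail}")
```

Feed it a dumped .text or .rdata section; offsets are relative to the buffer, so add the section's load address to map a finding back into the image. Pattern hits are a triage signal, not proof: rdtsc pairs also appear in benign benchmarking code, so confirm each hit in a disassembler.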
deepzero Posted April 26, 2012 (edited)

> if (GetLastError() == 0x00012345) goto Debugged;

NO. Please use

if(...) {
} else {
}

> beginning+7

NO. Use 2 labels.

It also makes no sense to jump to the label beginning directly, as eax will always be xored.

> asm("pop ebp");

Where do these pops come from?

Lastly, make sure to place all your inline asm in one area:

asm {
mov eax,1
mov ebx,2
mov esi,3
...
}

OS, compiler, ...?

Edited April 26, 2012 by deepzero
ghandi Posted April 26, 2012

The way they're broken into single lines and each line is wrapped with double quotation marks looks similar to GCC/GAS, but there are no '%', which I've normally seen as well in that syntax. Also, it has at its header a mention to link it with MASM with something which looks like a command-line switch:

//link with -masm=intel
asm(".intel_syntax noprefix");

I know everybody has their own preferences, but I do wonder why people insist on coding things in assembler via a higher language when they still make the assemblers and it is trivial to link object files to a project. It honestly seems more work sometimes than working with both assembler and compiler.

HR,
Ghandi
BLaCkViRuS Posted April 26, 2012

> OutputDebugString("%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s");

<<<< This method is very old. Almost all debuggers (OllyDbg, different editions) fix it.
JMC31337 (Author) Posted April 26, 2012 (edited)

> asm("pop ebp");
> Where do these pops come from?

If I don't pop the base pointer 3 times it won't display the error message box I used to test the far call / far return out... before the call and after it...

Everything else you mentioned I will work on....

Edited April 26, 2012 by JMC31337
JMC31337 (Author) Posted April 26, 2012

> OutputDebugString("%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s");
> <<<< This method is very old. Almost all debuggers (OllyDbg, different editions) fix it.

Yeah, yeah, it is, isn't it..
JMC31337 (Author) Posted April 26, 2012 (edited)

> The way they're broken into single lines and each line is wrapped with double quotation marks looks similar to GCC/GAS, but there are no '%', which I've normally seen as well in that syntax. Also, it has at its header a mention to link it with MASM with something which looks like a command-line switch: I know everybody has their own preferences, but I do wonder why people insist on coding things in assembler via a higher language when they still make the assemblers and it is trivial to link object files to a project. It honestly seems more work sometimes than working with both assembler and compiler.
> HR, Ghandi

Because the public terminal won't allow me to access the console; command.com 16-bit, that's different.. but no cmd 32-bit... and I am too lazy to write C++ code to ShellExecute tasm32 with parameters and try it... and the forum wouldn't let me add backslash-n backslash-t to the end of all the asm lines... those were needed under Dev-C++.

Edited April 26, 2012 by JMC31337
Peter Ferrie Posted April 28, 2012

> If I don't pop the base pointer 3 times it won't display the error message box I used to test the far call / far return out... before the call and after it...

That's because you create a stack frame inside the function (push ebp / mov ebp,esp / sub esp,8) which you don't really need.