Tuts 4 You

FAR CALL Anti-Debug (Inline Intel)


JMC31337


Anyone care to add insight and help me perfect a far call/return in a protected-memory-model OS?

I placed as many anti-debug and red pill / anti-VMware tricks as I've come across:

rogue bytes

impossible disassembly (that's what the books call some opcodes)


#include <windows.h>
// build with MinGW gcc -masm=intel (a compiler switch; the directive below switches the assembler too)
asm(".intel_syntax noprefix");
static long csx[2]; // room for a 6-byte far pointer (32-bit offset + 16-bit selector); a single long is too small for the "mov [_csx+4],dx" below
asm("_farcall:");
asm("rdtsc");                 // time stamp counter (cycles since reset) into edx:eax
asm("xor ecx,ecx");           // clear ecx
asm("add ecx,eax");           // ecx = first reading (low 32 bits)
asm("rdtsc");                 // read it again
asm("sub eax,ecx");           // eax = new - old
asm("cmp eax,0x0FFF");
asm("jb beginning2+7");       // under 0xFFF cycles: no debugger; land inside the jz below, on its 0xF8 byte (clc)
asm("rdtsc");
asm("push eax");
asm("lret");                  // took too long: far-return to a garbage address
asm("mov eax, fs:0x30");                 // PEB
asm("mov eax,dword ptr [eax+0x18]");     // PEB->ProcessHeap
asm("cmp dword ptr ds:[eax+0x10],0");    // heap ForceFlags, nonzero when the heap was created under a debugger
asm("jne Debugged");
asm("movzx edx,byte ptr [beginning2-12]"); // was "mov edx,byte ptr [...]", an operand-size mismatch the assembler rejects
asm("cmp dl,0x90");                        // was "cmp byte ptr edx,0x90", same problem
asm("jne beginning2+7");
asm("beginning2:");
asm("mov ax,0x05EB");         // rogue bytes: the immediate EB 05 reads as "jmp +5" to anything decoding from beginning2+2
asm("xor eax,eax");
asm("jz beginning2");         // 74 F8: the F8 displacement byte at beginning2+7 is the clc the jumps above land on
asm("push ebp");
asm("mov ebp,esp");
asm("sub esp,8");
asm("push 0");
asm("push 0");
asm("push 0");
asm("push 0");
asm("call _MessageBoxA@16");
asm("pop ebp");               // three pops undo the sub esp,8 and the push ebp
asm("pop ebp");
asm("pop ebp");
// RETURN FAR
asm("lret");

int main(void)
{
OutputDebugString("%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s"); // format-string trick against old OllyDbg builds
SetLastError(0x00012345);
OutputDebugString("~~~~~~");
if (GetLastError() == 0x00012345) // XP-era trick: with no debugger attached OutputDebugString changes the last-error value
goto Debugged;
else
asm("rdtsc");                 // same timing check as in _farcall
asm("xor ecx,ecx");
asm("add ecx,eax");
asm("rdtsc");
asm("sub eax,ecx");
asm("cmp eax,0x0FFF");
asm("jb beginning+7");        // under 0xFFF cycles: no debugger; land on the clc byte inside the jz below
asm("rdtsc");
asm("push eax");
asm("lret");
asm("mov eax, fs:0x30");                 // PEB
asm("mov eax,dword ptr [eax+0x18]");     // PEB->ProcessHeap
asm("cmp dword ptr ds:[eax+0x10],0");    // heap ForceFlags
asm("jne Debugged");
asm("movzx edx,byte ptr [beginning-12]"); // was "mov edx,byte ptr [...]"
asm("cmp dl,0x90");                       // was "cmp byte ptr edx,0x90"
asm("jne beginning+7");
asm("beginning:");
asm("mov ax,0x05EB");
asm("xor eax,eax");
asm("jz beginning");
asm("pop ebp");
asm("pop ebp");
asm("pop ebp");
asm("mov edx,[esp]");         // top of stack after the pops, assumed to hold a code address near _farcall
asm("sub edx,0x3D");          // hand-measured adjustment to reach _farcall
asm("mov dword ptr [_csx],edx"); // far pointer: offset
asm("push cs");
asm("mov edx,[esp]");
asm("mov [_csx+4],dx");       // far pointer: selector = current cs
asm("push ds");
asm("lcall [_csx]");          // far call through the 6-byte pointer; _farcall ends with lret
asm("push 0");
asm("Debugged:");
Debugged:
asm("call _ExitProcess@4");
return 0;
}

And if I didn't place the ExitProcess and started playing with ebp, I got this !exploitable report:

(fe4.5bc): Unknown exception - code c0000096 (first chance)

(fe4.5bc): Unknown exception - code c0000096 (!!! second chance !!!)

eax=00000000 ebx=00004000 ecx=7c910060 edx=00240608 esi=00dcf73e edi=00dcf6ee eip=003e2dec esp=003e2cd5 ebp=003e2d90 iopl=0

nv up ei ng nz ac pe cy

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000297

003e2dec 6f outs dx,dword ptr [esi] ds:0023:00dcf73e=????????

0:000> !load msec

0:000> !exploitable

Exploitability Classification: EXPLOITABLE

Recommended Bug Title: Exploitable - Privileged Instruction Violation starting at Unknown Symbol @ 0x00000000003e2dec (Hash=0x6e05193a.0x7505193a)

A privileged instruction exception indicates that the attacker controls execution flow.

Edited by JMC31337
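The rogue-byte trick in the beginning: block is easiest to see by decoding the bytes. What follows is an added example, not code from the post: a tiny x86-32 decoder that knows only the opcodes that block uses, run over a constructed byte string (the encoding GAS produces for mov ax,0x05EB / xor eax,eax / jz beginning, followed by three pop ebp and a ret that I add so a trace can stop; all of that is an assumption of mine). It lists what a linear-sweep disassembler shows from offset 0, traces what really executes when control enters at beginning+7, and shows what happens when the block is entered at beginning itself. The flag model is one bit: xor r,r sets ZF and nothing else here touches it.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample (assumption): what GAS emits for the block in the post,
 * then three "pop ebp" and a "ret" so the trace has somewhere to stop. */
static const uint8_t sample[] = {
    0x66, 0xB8, 0xEB, 0x05, /* 0: mov ax,0x05EB  (EB 05 also reads as "jmp +5")   */
    0x31, 0xC0,             /* 4: xor eax,eax                                      */
    0x74, 0xF8,             /* 6: jz 0  (rel8 -8; the 0xF8 byte on its own is clc) */
    0x5D, 0x5D, 0x5D, 0xC3  /* 8: pop ebp x3, 11: ret                              */
};

enum kind { K_OTHER, K_XOR_SELF, K_JMP, K_JCC_Z, K_RET };
enum trace_result { T_RET, T_LOOP, T_FELL_OFF, T_BAD };
struct insn { int off, len, target; enum kind kind; char text[24]; };

static const char *reg32[8] = { "eax","ecx","edx","ebx","esp","ebp","esi","edi" };
static const char *reg16[8] = { "ax","cx","dx","bx","sp","bp","si","di" };

/* Decode one instruction at off; only the opcodes this block needs are known.
 * Returns its length, or 0 for an unknown opcode or a read past the end. */
int x86_decode(const uint8_t *code, int n, int off, struct insn *out)
{
    memset(out, 0, sizeof *out);
    out->off = off;
    if (off < 0 || off >= n) return 0;
    const uint8_t *p = code + off;
    int rem = n - off, i = 0;
    if (p[0] == 0x66 && rem >= 4 && (p[1] & 0xF8) == 0xB8) {        /* mov r16,imm16 */
        snprintf(out->text, sizeof out->text, "mov %s,0x%X", reg16[p[1] & 7],
                 (unsigned)(p[2] | (p[3] << 8)));
        i = 4;
    } else if (p[0] == 0x31 && rem >= 2 && (p[1] & 0xC0) == 0xC0) {  /* xor r32,r32 */
        int dst = p[1] & 7, src = (p[1] >> 3) & 7;
        snprintf(out->text, sizeof out->text, "xor %s,%s", reg32[dst], reg32[src]);
        out->kind = dst == src ? K_XOR_SELF : K_OTHER;
        i = 2;
    } else if ((p[0] == 0xEB || p[0] == 0x74) && rem >= 2) {         /* jmp / jz rel8 */
        out->target = off + 2 + (int8_t)p[1];                        /* relative to the next insn */
        out->kind = p[0] == 0xEB ? K_JMP : K_JCC_Z;
        snprintf(out->text, sizeof out->text, "%s 0x%X",
                 p[0] == 0xEB ? "jmp" : "jz", (unsigned)out->target);
        i = 2;
    } else if (p[0] == 0xF8) {                                       /* clc */
        strcpy(out->text, "clc"); i = 1;
    } else if ((p[0] & 0xF8) == 0x58) {                              /* pop r32 */
        snprintf(out->text, sizeof out->text, "pop %s", reg32[p[0] & 7]); i = 1;
    } else if (p[0] == 0xC3) {                                       /* ret */
        strcpy(out->text, "ret"); out->kind = K_RET; i = 1;
    }
    out->len = i;
    return i;
}

/* Decode back to back from start, the way a linear-sweep disassembler does. */
int linear_sweep(const uint8_t *code, int n, int start, struct insn *out, int max)
{
    int off = start, count = 0;
    while (off < n && count < max && x86_decode(code, n, off, &out[count]))
        off += out[count++].len;
    return count;
}

/* Follow real control flow from start. path[] records visited offsets and
 * revisiting one is reported as a loop; the only flag modelled is ZF. */
enum trace_result x86_trace(const uint8_t *code, int n, int start, int *path, int max, int *steps)
{
    struct insn in;
    int off = start, zf = 0, count = 0;
    while (count < max) {
        for (int k = 0; k < count; k++)
            if (path[k] == off) { *steps = count; return T_LOOP; }
        if (off < 0 || off >= n) { *steps = count; return T_FELL_OFF; }
        if (!x86_decode(code, n, off, &in)) { *steps = count; return T_BAD; }
        path[count++] = off;
        if (in.kind == K_RET) { *steps = count; return T_RET; }
        if (in.kind == K_XOR_SELF) zf = 1;
        if (in.kind == K_JMP || (in.kind == K_JCC_Z && zf)) off = in.target;
        else off += in.len;
    }
    *steps = count;
    return T_BAD;
}

int main(void)
{
    struct insn list[16];
    int n = sizeof sample, path[16], steps, cnt = linear_sweep(sample, n, 0, list, 16);
    printf("linear sweep from 0:\n");
    for (int k = 0; k < cnt; k++) printf("  %2d: %s\n", list[k].off, list[k].text);
    printf("entered at beginning+7: %s\n",
           x86_trace(sample, n, 7, path, 16, &steps) == T_RET ? "clc, pop ebp x3, ret" : "?");
    printf("entered at beginning:   %s\n",
           x86_trace(sample, n, 0, path, 16, &steps) == T_LOOP ? "loops forever" : "?");
    return 0;
}
```

The sweep lists an instruction starting at 6 (jz, two bytes) and the next at 8, so offset 7 is never an instruction boundary in the listing; a breakpoint or patch placed from that listing misses the clc that actually runs. Entering at beginning itself loops, since xor eax,eax sets ZF and the jz is then always taken. The label+7 arithmetic is fragile in a different way: it is only right for the exact encoding above, and an assembler that picks a different form for any of those three instructions silently moves the byte being jumped to.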
if (GetLastError() == 0x00012345)
goto Debugged;

NO.

Please use

if(...)
{}
else
{}
beginning+7

NO.

use 2 labels.

It also makes no sense to jump to the label beginning directly, as eax will always be xored.

asm("pop ebp");

where do these pops come from?

Lastly, make sure to place all your inline asm in one area:

asm{
mov eax,1
mov ebx,2
mov esi,3
...
}

OS, compiler, ...?

Edited by deepzero

The way they're broken into single lines and each line is wrapped with double quotation marks looks similar to GCC/GAS, but there are no '%', which I've normally seen as well in that syntax. Also, it has at its header a mention to link it with MASM with something which looks like a command-line switch:

//link with -masm=intel

asm(".intel_syntax noprefix");

I know everybody has their own preferences, but I do wonder why people insist on coding things in assembler via a higher language when they still make the assemblers and it is trivial to link object files to a project? It honestly seems more work sometimes than working with both assembler and compiler.

HR,

Ghandi


OutputDebugString("%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s"); <<<< this method is very old. Almost all debuggers (OllyDbg, different editions) fix it.

asm("pop ebp");

where do these pops come from?

If I don't pop the base pointer 3 times it won't display the error message box I used to test the far call / far return out...

before the call and after it...

everything else you mentioned i will work on....

Edited by JMC31337

OutputDebugString("%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s"); <<<< this method is very old. Almost all debuggers (OllyDbg, different editions) fix it.

Yea, yea, it is, isn't it..


The way they're broken into single lines and each line is wrapped with double quotation marks looks similar to GCC/GAS, but there are no '%', which I've normally seen as well in that syntax. Also, it has at its header a mention to link it with MASM with something which looks like a command-line switch:

I know everybody has their own preferences, but I do wonder why people insist on coding things in assembler via a higher language when they still make the assemblers and it is trivial to link object files to a project? It honestly seems more work sometimes than working with both assembler and compiler.

HR,

Ghandi

Because the public terminal won't allow me to access the console: command.com 16-bit, that's different, but no cmd 32-bit... and I am too lazy to write C++ code to ShellExecute tasm32 with parameters and try it... and the forum wouldn't let me add backslash-n backslash-t to the end of all the asm lines; those were needed under Dev-C++.

Edited by JMC31337
Peter Ferrie

If I don't pop the base pointer 3 times it won't display the error message box I used to test the far call / far return out...

before the call and after it...

That's because you create a stack frame inside the function (push ebp/mov ebp,esp/sub esp,8) which you don't really need.
