View Full Version : Delta Offset Routine


jackall
June 7th, 2009, 12:49
Could I get an explanation to …

- Delta Offset Routine -

relevant to assembly language.
Thank you.

tHE mUTABLE
June 7th, 2009, 16:04
Search before you post.

JMI
June 7th, 2009, 16:04
Have you actually attempted to put "Delta Offset Routine" (without the quotes) into your favorite search engine and then read anything which you will find? I got 479,000 entries. How about you try that first!

One of our rules is that you attempt to find your own answers to questions before you ask here. If you have actually done any searching and/or read anything about it among the many available articles, it is not possible to determine that from your post.

Regards,

jackall
June 7th, 2009, 21:07
Code:
.code
Start:

    call Delta

Delta:
    pop ebp
    mov ebx, ebp ;ebx=ebp

    sub ebp, offset Delta

    sub ebx, RubbishSize ;ebx=ImageBase
    sub ebx, 1000h
    mov dword ptr [ebp+offset ModuleAddress], ebx ;save

    mov esi, [esp] ;get the current Address
    and esi, 0FFFF0000h
    call GetK32


Any reply that puts in plain words the use and purpose of the above lines (call Delta); a response a little more inspirational and functional than the barren, customary retort, would be appreciated.
Thank you.

JMI
June 7th, 2009, 21:20
If you do not want this Thread to disappear, you need to respond to MY question and state what YOU have done to attempt to find the answer to your own question.

If you think I wasn't serious, you were mistaken. Show us some of the results of your own searches or expect to have this Thread removed to the Junk Forum!



Regards,

jackall
June 8th, 2009, 11:55
Do you suffer from any selective vision mutilation or any power of comprehension due to the age-related macular degeneration close to the retina or in conscious where the ego processes take place?

What I have assimilated using my level of perceptiveness, and what I need an answer for in the context, is right before your eyes, assuming you have that faculty still at least moderately operational.

As for the supposed intimidation ‘expect to have this Thread removed to the Junk Forum’, I wish you single out some other soft target to gratify your ego trip with such comical but pathetic and disgraceful act of cowardliness.

au revoir...

Aimless
June 8th, 2009, 12:33
I think you need to calm down Jackall... Obviously you've written this when you were upset. Not with JMI's retort but the fact that you may have missed a deadline?

I'll give you a hint. What you are looking at is possibly a virus code... more closely, a wrapper. You'll find it necessary to use the "delta offset routines" because when wrappers attach themselves to a program (like a virus) they are unable to access their own variable because the compiler hardcodes all offsets to an absolute address.

You might actually want to compile and DISASSEMBLE the program. It will make more sense then rather than looking at the source which is difficult to comprehend if you don't know what is being done.

Having said that, let me tell you that it's quite disappointing that a person like you, who has been here for almost a year, and has posted so many messages, could get so caustic. You know how we operate here. And yet you have commented in the most acidic manner. No amount of desperation amounts to justifying the use of this kind of a message.

I know you probably don't really care, but I am disappointed.

Have Phun

jackall
June 8th, 2009, 14:17
Aimless…Thank you
Quote:
... more closely, a wrapper. You'll find it necessary to use the "delta offset routines" because when wrappers attach themselves to a program (like a virus) they are unable to access their own variable because the compiler hardcodes all offsets to an absolute address.


The answer is simple because you understand the question. (I need more reading to grasp the idea properly.)

Those who do not identify with a query indulge in verbal and statistical jugglery driven by a compulsion that they must somehow respond to, maybe hoping to have their presence felt while trying to cover their lack of acquaintance in a particular field. It is no use to me nor to anyone else. A similar situation had cropped up in the past, and I remember you intervened, of course with an answer to the question. And that makes all the difference to me.

Well, I do care and hold in high esteem quite a number of people who used to visit this forum, like personmans, naides, blabberer and so on to name a few. They contributed to and improved my understanding of computers in general with useful suggestions and directions.

So, the last part of your observation is not quite true.

Regards…

JMI
June 8th, 2009, 15:01
And Aimless' response is what YOU would have easily found if you had done what I suggested, and put "Delta Offset Routine" (without the quotes) into your favorite search engine and actually read some of the information you would have found. These are just two of the first listed:

http://vx.netlux.org/lib/static/vdat/tudelta1.htm

http://www.codebreakers-journal.com/content/view/174/27/

This latter contains the following information, easily accessible to YOU:

"When you're programming a virus that will always be placed at a fixed location, like overwriting and prepending viruses, you won't have to worry about any of this, but if you're writing a virus that relocates part of its code to a random location, such as appending and midfile infectors, you'll have to account for the displacement. This doesn't affect most jumps and calls, since they are relative, but data on the other hand is referred by an absolute offset. Things would work fine the first time you assembled and run the virus, but not after the first infection when all memory addresses would then be changed.

To account for this all one has to do is:

--8<---------------------------------------------------------------------------

Delta_Offset:

    call Find_Displacement
Find_Displacement:
    pop bp
    sub bp, offset Find_Displacement
---------------------------------------------------------------------------8<--

"What this piece of code does is, first issue a CALL to the next instruction, so the IP (Instruction Pointer) for it will (be) pushed into the stack, next we POP it to the register BP (it is good programming to use BP, which stands for Base Pointer), and finally we SUBtract the original OFFSET determined when the virus was compiled. Of course the first time the virus is run, the displacement will be zero, only on subsequent runs will it change according to the host size."

..........................

Those who are simply too lazy to "think for themselves" often engage in sophistry in a useless effort to attempt to conceal their own inadequacies.



Regards,
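
For analysts meeting this idiom in a disassembly, the following is an added example (not part of any post in this thread) that scans a byte buffer for the 32-bit form, `call $+5` followed directly by `pop r32`, and recomputes the delta for a given load address. The function name, the 16-byte search window and the sample addresses are assumptions chosen for illustration; the sample bytes are constructed from the opening of the snippet posted earlier.

```python
import struct

CALL_NEXT = b"\xE8\x00\x00\x00\x00"          # call $+5 (rel32 = 0)
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def find_delta_idioms(code: bytes, base: int = 0):
    """Find `call $+5` immediately followed by `pop r32` (32-bit x86 only).

    If a `sub r32, imm32` on the same register follows within 16 bytes, also
    report the link-time offset and the resulting delta for this load address.
    """
    hits = []
    pos = code.find(CALL_NEXT)
    while pos != -1:
        after = pos + 5                       # address the call pushes
        if after < len(code) and 0x58 <= code[after] <= 0x5F:   # pop r32
            reg = code[after] & 7
            hit = {"va": base + pos, "reg": REG32[reg],
                   "pushed": base + after, "link_offset": None, "delta": None}
            window = code[after + 1:after + 17]
            # 81 /5 id = sub r/m32, imm32; ModRM 0xE8|reg selects the register.
            # (The short form `2D id` for eax is not handled here.)
            i = window.find(bytes([0x81, 0xE8 | reg]))
            if i != -1 and i + 6 <= len(window):
                link = struct.unpack_from("<I", window, i + 2)[0]
                hit["link_offset"] = link
                hit["delta"] = (base + after - link) & 0xFFFFFFFF
            hits.append(hit)
        pos = code.find(CALL_NEXT, pos + 1)
    return hits

# Constructed sample: the opening of the snippet posted above, assembled as if
# Start were linked at 0x00401000 (so `offset Delta` = 0x00401005):
#   call Delta / pop ebp / mov ebx, ebp / sub ebp, offset Delta
SAMPLE = bytes.fromhex("e8000000005d8bdd81ed05104000")

if __name__ == "__main__":
    for load_base in (0x00401000, 0x00A31000):   # original vs. relocated
        for h in find_delta_idioms(SAMPLE, load_base):
            print(f"{h['va']:#010x} pop {h['reg']} delta={h['delta']:#x}")
```

A delta of zero means the code is running where it was linked; a non-zero delta means it has been moved. Ordinary position-independent code uses the same `call`/`pop` pair, so a hit is a lead for review, not a verdict.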

Woodmann
June 8th, 2009, 20:51
Enough.