========================================================
+HCU Maillist Issue: 121 01/20/1998
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
Web Repository.........................hcuml.home.ml.org
========================================================
CONTENTS:
#1 Subject: Assembly
#2 Subject: finding program entry points

ARTICLES:

-----#1-------------------------------------------------
Subject: Assembly

> -----#2-------------------------------------------------
> Subject: Assembly
>
> I'm still learning assembly and there is something that I'm not
> sure of. The TEST command. It compares two things bit by
> bit and sets Z to 1 if it's the same right? I see this line in programs
> all the time,
>
> TEST AL, AL
>
> and sometimes Z = 1 and sometimes not. Can someone explain this
> to me?
>
> Joe Dark

The test instruction performs a logical AND, and sets the flags accordingly.
E.g. test al,al or test ebx,ebx will set the Z flag if and only if ebx/al = 0;
more generally the Z flag will be set only if the operands share no common
bits. I suppose this is why this instruction is often used by high-level
languages to test for error when exiting a call. Then you can let
EAX/AL/whatever carry an error code and be 0 if no error occurred.

On a totally different note - there was a discussion a while back on wrapping
on the PE-executable. To those of you who don't keep up with the "warez scene"
my PE-encrypter was released in source code back in December and it can still
be found on my webnote along with an example of how you can patch packaged
PE-files without having to go through the agony of unpacking them. While this
isn't a direct answer of how you can remove such a wrapper it does contain at
least half the answer.
On a totally different note - can anyone think of a reason why ExitProcess
sometimes crashes if the Direction flag has been changed during a program on
Windows NT 4.0 workstation and not on a Windows 95? Can a stack imbalance be
the reason for the crash and the STD flag change the offsetting factor?

Stone - United Cracking Force
************************

-----#2-------------------------------------------------
Subject: finding program entry points

[repost: first message got mangled]

You can get the entry point info from the EXE / PE header. Though, if you are
lazy (like me) you can use HIEW (my favourite cracking tool). Load the file
into Hiew and then switch to code mode. Then press F8. i.e. press F4, F3, F8.
Pressing F5 after F8 will jump to the code position.

Using IDA Pro 3.7 may also help as it can usually find entry points whereas
Wdasm is quite poor. Also, I find ver. 8.9 very buggy and personally use 8.5.

~~ Ghiribizzo

=====End of Issue 121===================================

========================================================
+HCU Maillist Issue: 122 01/21/1998
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
Web Repository.........................hcuml.home.ml.org
========================================================
CONTENTS:
#1 Subject: Assembly
#2 Subject: Re: finding program entry points

ARTICLES:

-----#1-------------------------------------------------
Subject: Assembly

The TEST command is identical to the AND command except that the result is NOT
stored. The flags are however changed as if an AND command were used.

Summary of flags changed (taken from Art of Assembly):

  It clears the carry flag.
  It clears the overflow flag.
  It sets the zero flag if the result is zero, they clear it otherwise.
  It copies the H.O. bit of the result into the sign flag.
  It sets the parity flag according to the parity (number of one bits) in the
  L.O. byte of the result.
  It scrambles the auxiliary carry flag.

For crackers the TEST command is useful because it is often used as the
compare part of a compare/jump-if-good type of checking. In Win32 this usually
manifests itself as a TEST EAX,EAX. This means the zero flag will be set IF
AND ONLY IF EAX contains a non-zero BIT.

Note: TEST is to AND as CMP is to SUB.

I recommend you buy yourself a book on 80486 programming which will have
useful references to all the opcodes and other useful info. If you're short of
cash, there are useful free internet alternatives such as the Art of Assembly
I quoted from above.

~~ Ghiribizzo

-----#2-------------------------------------------------
Subject: Re: finding program entry points

[repost2: 2nd message did not make it]
[repost: first message got mangled]

You can get the entry point info from the EXE / PE header. Though, if you are
lazy (like me) you can use HIEW (my favourite cracking tool). Load the file
into Hiew and then switch to code mode. Then press F8. i.e. press F4, F3, F8.
Pressing F5 after F8 will jump to the code position.

Using IDA Pro 3.7 may also help as it can usually find entry points whereas
Wdasm is quite poor. Also, I find ver. 8.9 very buggy and personally use 8.5.

~~ Ghiribizzo

=====End of Issue 122===================================

========================================================
+HCU Maillist Issue: 123 01/23/1998
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
Web Repository.........................hcuml.home.ml.org
========================================================
CONTENTS:
#1 Subject: Sorry
#2 Subject: re:hacker trouble and outlook excrement
#3 Subject: Netscape Source Code !
ARTICLES:

-----#1-------------------------------------------------
Subject: Sorry

Sorry about the repost and the late reply to the question about TEST. It seems
that the digest script does its thing sometime around midnight GMT (+/- 2
hours) rather than just before the current issue is sent. The result being
that items posted after the digest but before the sending of the issue are
stuck in a sort of limbo and will arrive a day late.

I've discovered also that some of my postings are being bounced back by the
remailer (probably due to the anti-replay-attack mechanism employed). I think
I've got it solved now.

~~ Ghiribizzo

-----#2-------------------------------------------------
Subject: re:hacker trouble and outlook excrement

FORWARDED by fravia+

fravia+, send a message on each of the mailing lists referring to this matter
and that my email should go to ******************* (the site i mentioned in a
newsletter so no one gets really confused)

i think that people would be suspicious of anyone claiming to be me on the
lists unless the email came from the right place (ie tallahassee) but if you
send a letter confirming the new email it will be accepted properly since you
know me

....i am a little worried about the fbi poking around reading people's email
as well, so i am not sure i should use it again unless encrypted with pgp...

(i am really getting tired of servers going down due to irresponsible hackers)
this really sucks.

+gthorne

----------- END FORWARDED BY FRAVIA

-----#3-------------------------------------------------
Subject: Netscape Source Code !

O.K., from Netscape's Homepage:

Netscape plans to make Netscape Communicator 5.0 source code available for
modification and redistribution beginning later this quarter with the first
developer release of the product.
The company will handle free source distribution with a license which allows
source code modification and redistribution and provides for free availability
of source code versions, building on the heritage of the GNU Public License
(GPL), familiar to developers on the Net. Netscape intends to create a special
Web site service where all interested parties can download the source code,
post their enhancements, take part in newsgroup discussions, and obtain and
share Communicator-related information with others in the Internet community.
Netscape will also continue to develop new technologies and offer periodic
certified, high-quality, supported releases of its Netscape Communicator and
Navigator products, incorporating some of the best features created by this
dynamic community.

______________________________________________________
Get Your Private, Free Email at **********************

=====End of Issue 123===================================

========================================================
+HCU Maillist Issue: 124 01/24/1998
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
Web Repository.........................hcuml.home.ml.org
========================================================
CONTENTS:
#1 Subject: repository
#2 Subject: hackers and hassles
#3 Subject: PGP

ARTICLES:

-----#1-------------------------------------------------
Subject: repository

Hi +Alt-f4! :)

> If someone had told me sooner, I could have made the fix in a few
> seconds. (Only needed to change a couple of lines)

My fault. Sorry. I gave a look at it immediately after you sent your previous
message, but I didn't answer... O:-)

> I can only assume
> 1) No-one cares
> 2) No one checked the page
> 3) Every one assumes I am a terrible programmer :(

4) I thought it was MY fault, so I was waiting for someone else's response...
But I assure you I care, I checked the page and I think you're a good
programmer... especially after my last visit to the page: it really works fine
and it seems to be really faster than the old applet I use...

> Please send comments, EVEN IF IT DOESN'T WORK!

It works :) To be honest, I didn't try to make it crash, I just made some
simple searches, but it seems to work fine and fast... now some questions:

Does it need all those single issues? Is it possible for me to continue using
groups of 10 issues together? It's a lot easier to maintain... as you can see
from my page, I sometimes forget to put online the 10-packs, think about all
those single issues!

Can I put it on my page? O:-))

byez,
.+MaLaTTiA.

-----#2-------------------------------------------------
Subject: hackers and hassles

Thank God (or Sharp...) for cracking.net and alternate emails

i wanted to say hello to you all since this last week has meant my emails have
been bouncing from my old email address at freenet.fsu.edu - if you emailed
me, and i did not respond, that is what happened (hoping no-one sent any nice
juicy electronic mailings directly to the fbi via that address..)

maybe we should start using pgp a little more frequently?

i noticed that fravia forwarded my message properly to the list - so i wont
bore you with restating myself

i have however made the articles available if you would like to read the
newsfeed about it - just for interest's sake anyway

****************************************

as you can see i have had to streamline my sig a little this week...
+gthorne

/**************************************************\
 Greythorne The Technomancer
 WebSite: *********************
 OrcPaks: ******************************************
\**************************************************/

-----#3-------------------------------------------------
Subject: PGP

Greetings All,

With all the e-mail privacy discussions going about I decided to get PGP
(about time huh?). Anyway, my question is that there is a new version of PGP
and it uses the DSS/Diffie-Hellman encryption instead of RSA. Was just
wondering what type the majority in here use and if one was more secure than
the other? Newer versions don't necessarily mean better do they :-). Oh and
thanks for the healthy dose of paranoia, lol

Warlord

=====End of Issue 124===================================

========================================================
+HCU Maillist Issue: 125 01/25/1998
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
Web Repository.........................hcuml.home.ml.org
========================================================
CONTENTS:
#1 Subject: Re:Repository
#2 Subject: pgp

ARTICLES:

-----#1-------------------------------------------------
Subject: Re:Repository

Hi .+MaLaTTiA.

> Does it need all those single issues? Is it possible for me to continue
> using groups of 10 issues together? It's a lot easier to maintain... as you
> can see from my page, I sometimes forget to put online the 10-packs, think
> about all those single issues!

Any size groups you want! :) All you have to do, is put the individual files
you want in the zip, and also on the server. When searching it uses the zip,
and for displaying it uses the server (I did this because browsers can't
directly read from a zip), but I can search in a zip much quicker...

I am working on another version that doesn't need files on the server.
With a combination of javascript and frames, I could make it so the Java can
update the display straight from the zip. This means you could keep the
individual issues, and only have to upload the new zip... If this works, I
could then add html tags to the page, so that it automatically goes to the
line with the word you were searching for. The possibilities are endless...

Of course, all this is only worthwhile if other people want it. So far, it
seems only you and I are interested .+MaLaTTiA. !

> Can I put it on my page? O:-))

Yeah, of course! I'll document the way it is used, so that you can add it
easily...

+Alt-F4

-----#2-------------------------------------------------
Subject: pgp

I like to stick with PGP 2.62g, the one with the "bug fix" that enables it up
to 1024-bit keys. I've heard that newer versions such as 5.0 have this feature
now, but with the NSA and all I really only trust the cypherpunks' "g" version.

mammon_

=====End of Issue 125===================================

========================================================
+HCU Maillist Issue: 126 01/27/1998
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
Web Repository.........................hcuml.home.ml.org
========================================================
CONTENTS:
#1 Subject: Advanced Javascript page...
#2 Subject: re: Repository
#3 Subject: DSS/Diffie-Hellman vs. RSA

ARTICLES:

-----#1-------------------------------------------------
Subject: Advanced Javascript page...

Hi +all..

Has anyone managed to get through to the Advanced javascript page? I managed
to get a valid password (through brute force), but the program doesn't seem to
use the first letter.. I tried all letters and numbers as the first character,
with no luck..... So has anyone got through?
+Alt-F4

-----#2-------------------------------------------------
Subject: re: Repository

> Of course. all this is only worthwhile if other people want it. So far, it
> seems only you and I are interested .+MaLaTTiA. !

+Alt-F4, I am interested in your repository idea. I think that it will have
wide-ranging application, once people really grasp what it can do. Likely
there is commercial value there for you. I would be most interested in using
it on my page.

A question to all: I am relatively "unanointed" regarding +HCU. Is there a
certain requirement for using the "+" before one's name?

zinger

-----#3-------------------------------------------------
Subject: DSS/Diffie-Hellman vs. RSA

[repost: mix up]

Personally, I have both types of keys. I try to use D-H as much as I can, but
often use RSA to maintain backwards compatibility with 3.x users. I think that
PGP offers a 'free' personal version of PGP5 which means that anyone with
windows 95 will be able to use the newer keys. However, I'm not sure if the
newer versions have been ported to other platforms.

As to the pros and cons of the algorithms:

1. D-H is much faster at encryption/decryption than RSA
2. The discrete logarithm (D-H) is thought to be a more difficult problem to
   solve than factoring (RSA).
3. RSA has some 'quirks' which may compromise security if the user is not
   aware of them.
4. PGP uses MD5 to hash for RSA whereas it uses SHA for D-H. MD5 was broken
   (partially) in 1996 - I haven't kept up with the area and it may well have
   been completely broken by now. If you intend to use PGP for signing, you
   should go for D-H.
5. While writing this, I decided to take a look at the PGP manual and found
   that it had new symmetric algorithms. Previous versions used only IDEA,
   but now PGP offers CAST (default on D-H keys), IDEA (only option for RSA
   keys) and Triple-DES. I haven't heard of CAST before but the manual says
   it's new.
   I'm surprised that it was chosen in favour of IDEA (well, maybe not - the
   patent holders of IDEA want royalties [at least on commercial versions]).
   I'll take a look into CAST. There's information in the user manual and
   also there's a wealth of information on the web.

~~ Ghiribizzo

=====End of Issue 126===================================

========================================================
+HCU Maillist Issue: 127 01/28/1998
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
Web Repository.........................hcuml.home.ml.org
========================================================
CONTENTS:
#1 Subject: advanced javascript
#2 Subject: erratums & appendix

ARTICLES:

-----#1-------------------------------------------------
Subject: advanced javascript

+Alt-F4, I've managed to get through on the fravia.org site. Are you sure
you've got the correct password?

~~ Ghiribizzo

-----#2-------------------------------------------------
Subject: erratums & appendix

---------------
Erratum and appendix for: Encoded selfmodifying targets
the Power Desk suite from Mijenix
an essay by Uncle Van

------ QUOTE
As we can see it has 572A bytes initialized data (data we should NOT touch!)
and is at offset 6A8000 in the file. With our piece of code the size
increases to: 572A+0E8A=65B4h what we round up to 6600h (must be so for
systems reason) for both virtual and raw size. The offset in the EXE where we
should place our code is calculated so: 6A800+572A=6FF2Ah
---- Unquote

The reason behind rounding up these values is a concept Microsoft introduced
because of, among other things, speed of loading. Rounding up the ObjectSize
(a part in a PE-file is called an Object - not a segment - segment is a term
used in realmode memory management :) ) should be done in accordance with the
File Alignment which can be found in the PE-Header.
This would normally be 200h - but it need not be. (Quine is bailed out by this
fact in his great essay on HASP.) When rounding up it should be done so that
the Physical Size (Microsoft denotation for Rawdata size) is a multiple of
this - any excess should be zero-padded (according to MS documentation on PE
files - however this is a place where MS's loaders are not too uptight ;) ).
Normally the Object's VirtualSize should be aligned in accordance with the
ObjectAlignment (which also can be found in the PE-header), however for the
last object it's not a problem.

Further - we can touch the data in the relocations. They are not used unless
the program should be relocated for some reason. It does however involve a
problem of general compatibility - because should it be relocated it would
crash had we touched the relocs. However it's worth noting that you patch in
the memory address to the read function in hardcode without adding this
address to the relocation table - thus if the program is relocated you crash
anyway. The program isn't relocated normally because it has an ImageBase of
400000h which is the default for WinNT 3.50+ and 95.

Another problem with your patching is the ImageSize field in the PE-Header.
You do not update it as you add to the virtual size of the .reloc object. I
don't know if you tested your crack on a Windows NT - because it's much more
rigorous in its inconsistency checks than Windows 95. Without having actually
tried it - it is my best guess that you'll get an AccessDenied notice if you
try.

If you are curious how to append code or data to PE-files I suggest you take
a look at my PE-crypter at ********************************

IMHO the crack would've been more elegant if you had taken out the
write-memory and the checking of the original zeros and had just patched in
the right bytes at the right address straight away.
But of course you wouldn't have to venture into the fascinating field of
appending stuff ;)

------ Quote
But as you walk to the higher ring number more and more restrictions appear:
several opcodes get disabled, you are not allowed to access memory regions you
do not own, IN and OUT instructions are getting "controlled", and at least,
you can't even write to your own code segments because it is write protected
too. (Here I'm not so sure!) You can "jump" from a ring with higher privilege
to code in rings with lower privilege, but not vice versa. In the windo$e
world applications run of course in the ring 3 mode ;-(, while the main part
of the OS itself AND the drivers (Vxd!) operate at ring 0. And as we already
know from Fravia's page, overwriting the own code is essential for a good
protection. The most cool protections BTW were made in DOS real-mode times,
some of them are not cracked yet!
----- Unquote

It is true that your own code can be write protected. However this is
something that you choose (or most likely your linker) at compile time. In
the part of the PE-header referred to as the object table - each object is
assigned flags - these flags determine among other things whether a GPF
should be produced by writing in the memory space occupied (defined in the
object table entry too) by the object. Overriding this protection Microsoft
supplied some API functions - which we in this essay rampage amongst.

It is true you cannot directly jump from a lower ring to a higher. But there
are ways. Pietrek noted that you could set up your own call gates and obtain
ring 0 that way. Others noted that MS left an undocumented VXD function in
one of their VxDs for ring switching.

Further it's not entirely true that the major part of the OS operates at ring
0. In fact MS went through great lengths to ensure this wasn't the case.
Memory management, IO management and such of course require ring 0, naturally
- so this is kept in ring 0.
But most in terms of lines of code is actually ring 3 based.

---------
Erratum for: Pushing the Envelope with HASP - by Quine

As Fravia notes - this is an excellent essay. That it has an error of beauty
does not change this fact. Quine is a master cracker and this essay is
unusually insightful and well written. heheh. enough ass kissing.. :)

------Quote
A regular breakpoint won't fire because they've re-routed the interrupt. No
problem. This has always seemed more of a minor nuisance than anything else
because all you have to do is set a debug register breakpoint. So, 'bpmb
CallHasp x' does the trick. The x indicates that it will break if the
execution reaches that address. In other words, it's functionally equivalent
to a regular bpx, but invisible to any anti-SoftICE tricks. Of course, you
only get four debug register bps at a time, but I've always found that to be
plenty.
------ UnQuote

These statements are, well - not entirely correct. A regular breakpoint won't
fire - more than once. This is because the way a regular breakpoint works is
by inserting an interrupt 3 - (elsewhere on fravia's somebody uses the opcode
cd 03 - to get an int 3 - this is soooo clumsy - the real opcode is one byte
(0cch)). Anyway - this int 3 is overwritten by Hasp as it overwrites this
section in the memory - as Quine notes later.

Rerouting interrupts requires ring 0 - which HASP doesn't have and doesn't
take. Had it had ring 0 - I'm quite certain that along with int 3 it would've
rerouted int 1 (debug exception) which is the handler of the BPMs, making
Quine's approach useless (even tracing would be gone then because tracing
utilizes this exception too). This however isn't the case.

The invisibility is only an approximate truth. As no opcode is inserted into
the program obviously you can't look for changes or anything to that effect.
Also you cannot access the breakpoint registers from ring 3. Thus bpmb on
execution is undetectable from ring 3. Not from ring 0 though.
It should be noted that while the breakpoint isn't detectable from ring 3 -
winice is - on my homepage you can find multiple techniques - some exploiting
holes in windows - some more well-behaved - but common to them all is they
run from ring 3.

One should also note that this whole thing with Int 3 isn't a specific
anti-softice technique - it's a general countermeasure to any debugger - in
particular application level debuggers which do not have the int 1
possibilities available because of their ring 3 status.

The technique that Quine applies is a very efficient technique - that you
should all learn and enjoy - it is truly powerful.

---------
Appendix for: Quine's quick crack for Heavy Protection - by Quine of course :)

---- Quote
P.S. A further consequence of +RCG's neglect of relocations is that the
program will crash if it is ever relocated by the operating system. This is
not bound to happen to an exe, but it is extremely likely with a dll, in
which case the operating system will start adding values to bytes within the
encrypted code and that will lead to an inevitable crash.
----- Unquote

Quine has an excellent point that I'd like to take the opportunity to
elaborate on. EXE-files are not relocated by windows if they can be loaded at
the desired ImageBase which is put in the PE-header by the linker. Modern
linkers have obviously chosen a Desired ImageBase that is always possible in
win 95/nt and thus relocations are not a problem and will not be used.
However Windows NT 3.12 does exist and new operating systems might have a
different way of assigning memory so that the default imagebase of today
might not be that of tomorrow, forcing relocation of all files made now. DLLs
are more vulnerable to Relocations than EXEs. However not much - but
encrypting them blindly is definitely not a good idea.
The real issue here is that relocations MIGHT take place and blindly
encrypting, forgetting about relocations, is the sure way to incompatibility
which of course is not a desirable quality. However there is a way to encrypt
without suffering the penalties of having to explicitly deal with
relocations. If you encrypt additively the encryption/decryption scheme is
invariant to relocations. E.g. adding 4 to every byte in the image for
encryption and subtracting it for decryption will not be affected by
relocations because relocations in themselves are additive in nature. At
first glance such a scheme seems a weak encryption - however it can be shown
that every byte-2-byte scheme such as XOR, ROL/ROR encryptions can be
considered a special case of a sufficiently advanced additive scheme.

Also I'd like to speak a word of warning about using Ring 0 code to defend
against debuggers. The stability offered by NT hinges (and actually what
little stability offered by win95 too) on a separation between the
application level and the system level (ring 3/ring 0) - gaining ring 0 and
using it in a protection system is a violation of the sound principle of
having this separation - and indeed if you are just a wee bit intelligent -
not required for a good protection either. The key word here is - stay out of
ring 0 unless you have most excellent reasons to be there. Think of it this
way: Microsoft wanted to keep the GFX driver out of ring 0. When you think of
how much hardware related a GFX driver is and thus the incentive to program
it in ring 0 - the ring-separation issue is in its right light. Do not write
ring 0 code unless there is no other way of doing what you want.
----------
Stone / United Cracking Force '98
************************
email: ************

=====End of Issue 127===================================

========================================================
+HCU Maillist Issue: 128 01/29/1998
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
Web Repository.........................hcuml.home.ml.org
========================================================
CONTENTS:
#1 Subject: Re: errata & etc.

ARTICLES:

-----#1-------------------------------------------------
Subject: Re: errata & etc.

Stone,

>>>> It is true that your own code can be write protected. However this is
something that you choose (or most likely your linker) at compile time. <<<<

From what I remember this just needs a READWRITE flag set in the source code.
But I can't remember where I read this.

>>>> This is because the way a regular breakpoint works is by inserting an
interrupt 3 - (elsewhere on fravia's somebody uses the opcode cd 03 - to get
an int 3 - this is soooo clumsy - the real opcode is one byte (0cch)) <<<<

I assumed that softice used hardware breakpoints when they were available for
bpxing - I didn't think that you had to do it by hand. Oh well, back to
fkey/macro definitions...

As for CCh - I just wish some asm programmers used CD03 when they whacked INT
21h onto 3 :) Was CD03 used deliberately to 'nop out' unwanted code? It seems
very unnatural to type CD03 rather than CC.

>>>> winice is - on my homepage you can find multiple techniques - some
exploiting holes in windows - some more well-behaved - but common to them all
is they run from ring 3. <<<<

I've always thought it strange that protectionists never tried to search for
softice given how easy it can be done and how difficult (if not impossible)
it would be to hide from a determined programmer.
I wrote to Quine about this not long ago as he pre-empted one of my 'concept'
protection schemes: basically heavy softice detection with PE wrapping. I
thought that since most crackers have little experience in unpacking PE
packed files it would be quite safe; also tools were limited at the time, but
with Quine's SoftDump...

>>>> key word is here - stay out of ring 0 unless you have most excellent
reasons to be there. Think of it this way: Microsoft wanted to keep the GFX
driver out of ring 0. When you think of how much hardware related a GFX
driver and thus the incentive to program it in ring 0 is - the
ring-separation issue is in its right light. Do not write ring 0 code unless
there is no other way of doing what you want. <<<<

I agree that going to ring 0 is hardly ever necessary. But I remember reading
the above paragraph somewhere recently. Was it something you wrote? Do you
know where it is from?

>>>> P.S. A further consequence of +RCG's neglect of relocations is that the
program will crash if it is ever relocated by the operating system. This is
not bound to happen to an exe, but it is extremely likely with a dll, in
which case the operating system will start adding values to bytes within the
encrypted code and that will lead to an inevitable crash. <<<<

In defence of RCG. I think he was presenting a protection CONCEPT rather than
a finished protection itself - it has done its job of presenting ideas and
has generated discussion.

~~ Ghiribizzo

=====End of Issue 128===================================

========================================================
+HCU Maillist Issue: 129 01/30/1998
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
Web Repository.........................hcuml.home.ml.org
========================================================
CONTENTS:
#1 Subject: Re: erratums & appendix

ARTICLES:

-----#1-------------------------------------------------
Subject: Re: erratums & appendix

Well, it's always nice to have a message from Stone who is a true scholar of
the PE format, an excellent exe-packer, and all around good cracker. As it
turns out, from our correspondence, we agree on many points. I'd just like to
take a little time to comment on his comments and maybe expand on a point or
two.

Stone >>>>>>>>>>>>>>
It is true that your own code can be write protected. However this is
something that you choose (or most likely your linker) at compile time. In
the part of the PE-header referred to as the object table - each object is
assigned flags - these flags determine among other things whether a GPF
should be produced by writing in the memory space occupied (defined in the
object table entry too) by the object. Overriding this protection Microsoft
supplied some API functions - which we in this essay rampage amongst.

It is true you cannot directly jump from a lower ring to a higher. But there
are ways. Pietrek noted that you could set up your own call gates and obtain
ring 0 that way. Others noted that MS left an undocumented VXD function in
one of their VxDs for ring switching.

Further it's not entirely true that the major part of the OS operates at ring
0. In fact MS went through great lengths to ensure this wasn't the case.
Memory management, IO management and such of course require ring 0, naturally
- so this is kept in ring 0. But most in terms of lines of code is actually
ring 3 based.
<<<<<<<<<<<<<<<<<<<

All of this is quite correct and to add something, as Stone knows,
VirtualProtect is my preferred method of writing to the code section at
runtime.
It allows = you to set a read only page to read/write (with some restrictions obviously) and then = set it back once you're done. Stone >>>>>>>>>>>>>>>>>>>>> --------- Erratum for: Pushing the Envelope with HASP - by Quine As Fravia notes - this is an excellent essay. That it has an error of beauty does not change this fact. Quine is a master cracker and this essay is unusually insightful and well written. heheh. enough ass kissing.. :) <<<<<<<<<<<<<<<<<<<<< Oh, come on, it's never enough ;) >>>>>>>>>>>>>>>>>>>>>>> ------Quote A regular breakpoint won't fire because they've re-routed the interrupt. No problem. This has always seemed more of a minor nuisance than anything else because all you have to do is set a debug register breakpoint. So, 'bpmb CallHasp x' does the trick. The x indicates that it will break if the execution reaches that address. In other words, it's functionally equivalent to a regular bpx, but invisible to any anti-SoftICE tricks. =20 Of course, you only get four debug register bps at a time, but I've always found that to be plenty. ------ UnQuote These statements are well - not entirely correct. A regular breakpoint won't fire - more than once. This is because the way a regular breakpoint works is by inserting an interupt 3 - (elsewhere on fravia's somebody uses the opcode cd 03 - to get a int 3 - this is soooo clumbsy - the real opcode is one byte (0cch)) Anyways - this int 3 is overwritten as by Hasp as it overwrites this section in the memory - as Quine notes later. Rerouting interupts requires ring 0 - which HASP doesn't have and doesn't take. Had it had ring 0 - I'm quite certain that along with int 3 it would've rerouted int 1 (debug exception) which is the handler of the BPM's making Quine's approach useless (even tracing would be gone then because tracing utillizes this exception too). This however isn't the case.=20 The invisibillity is only an approximative truth. 
As no opcode is inserted into the program obviously you can't look for changes or anything to that effect. Also you cannot access the breakpoint registers from ring 3. Thus bpmb on execution is undetectable from ring 3. Not from ring 0 though. It should be noted that while the breakpoint isn't detecable from ring 3 - winice is - on my homepage you can find multiple techniques - some exploiding holes in windows - some more wellbehaved - but common to them all is they run from ring 3. One should also note that this hole thing with Int 3 isn't a specific anti-softice technique - it's a general counter meassure to any debugger - in particular application level debuggers which does not have the int 1 possiblities avaible because of their ring 3 status. The technique that Quine applies is a very efficient technique - that you should all learn and enjoy - it is truely powerful. --------- <<<<<<<<<<<<<<<<<<<<<<<<<<<<< I have to admit that Stone is absolutely on point here. I was a little = sloppy here and didn't do enough research into anti-SI/anti-debugging techniques, but= rather just made an assumption. I have since taken a look at the anti-debugging info= on Stone's site and learned what to look for next time and how it works. I suggest = every one take a peel there. Stone >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Also I'd like to speak a word of warning about using Ring 0 code to defend against debuggers. The stability offered by NT hinges (an actually what little stability offered by win95 too) on a seperation between the application level and the system level. (ring 3/ring 0) - gaining ring 0 and using it in a protection system is a violation of the sound principle of having this seperation - and indeed if you are just a wee bit intelligent - not required for a good protection either. They key word is here - stay out of ring 0 unless you have most excellent reasons to be there. Think of it this way: Microsoft wanted to keep the GFX driver out of ring 0. 
When you think of how much hardware related a GFX driver and thus the incentive to program it in ring 0 is - the ring-seperation issue is in it's right light. Do not write ring 0 code unless there is no other way of doing what you want.=20 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< Ok, this is a big deal, people. The only problem with what Stone wrote = here is that he didn't write it in all capitals with a lot of exclamation points :). = STAY OUT OF RING ZERO! What this really means is stay out of ring zero unless you = are writing a debugging tool of some sort that requires it. Do not ever use ring zero = in a protection scheme!!! This is tantamount to spreading a virus (or a = trojan horse, whatever). Foisting ring zero code on unsuspecting and unknowing users = is highly irresponsible. You're going to crash the computer at one point or = another and that really sucks. Especially if you get some crazy idea to use ring zero = code on an NT system (provided you have some means of even getting it there). NT = machines don't crash. If you manage to crash one, you've done a very bad thing that = people will hate you for. One of the two times in 9 months my NT system has crashed = (this is not a typo) was because of a bad driver and I was ready to kill the driver = programmers. The other time was because I did something stupid in SoftICE. A crashed = NT machine is a sad, pathetic site that is the fault of bad and irresponsible = programming by, I have to say, someone other than Micro$oft. I've spouted off long enough. Thanks, Stone, for your comments. Quine =====End of Issue 129=================================== ======================================================== +HCU Maillist Issue: 130 01/31/1998 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... 
**************** Web Repository.........................hcuml.home.ml.org ======================================================== CONTENTS: #1 Subject: A question about SoftICE #2 Subject: W32Dasm #3 Subject: Re: W32Dasm ARTICLES: -----#1------------------------------------------------- Subject: A question about SoftICE Hi, A question about SoftIce: How could I set a breakpoint to a function which name start with a ? mark ( ex. ********************************************* <-- comes from timelock 3.0) ? BlueMan -----#2------------------------------------------------- Subject: W32Dasm Has anyone else ever gotten a GDI failure while dissassembling things using this program? Joe Dark -----#3------------------------------------------------- Subject: Re: W32Dasm Joe Dark wrote: >Has anyone else ever gotten a GDI failure while dissassembling >things using this program? Yes, i always got that message with one of the cracked early versions, when it finnished the disassembling and wanted to present the result, (may be something wrong with fonts), but it never really was a problem. I just hit ok and everything worked fine. Now i have reged 8.9 (fished from net) and it does not produce the GDI message. bye Zer0+ =====End of Issue 130===================================
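The section-table flags Stone describes in Issue 129 (each object in the PE object table carries characteristics that decide whether a write into it faults) are walked by the following added C example, which is not the list's own code. The PE image it scans is constructed in memory; field offsets follow the PE format and the flag constants are the real IMAGE_SCN_MEM_* values. It reports sections that are both writable and executable, the combination a self-decrypting wrapper needs and a normal linker does not emit, which is why defenders use it as a packer indicator.

```c
/* Added example (not from the list): walk a PE section table and check the
 * characteristics flags that decide whether a write into a section faults. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCN_EXECUTE 0x20000000u   /* IMAGE_SCN_MEM_EXECUTE */
#define SCN_WRITE   0x80000000u   /* IMAGE_SCN_MEM_WRITE   */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* e_lfanew -> "PE\0\0" -> COFF header -> skip the optional header -> section table. */
static const uint8_t *section_table(const uint8_t *img, size_t len, int *nsec) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return NULL;
    uint32_t pe = rd32(img + 0x3C);
    if (pe + 24 > len || memcmp(img + pe, "PE\0\0", 4) != 0) return NULL;
    *nsec = rd16(img + pe + 6);                     /* NumberOfSections       */
    uint32_t tbl = pe + 24 + rd16(img + pe + 20);   /* + SizeOfOptionalHeader */
    if (tbl + (uint32_t)*nsec * 40 > len) return NULL;
    return img + tbl;
}

/* Print each section's W/X bits and count those with both set: the combination a
 * self-decrypting wrapper needs and a normal linker does not emit. -1 on a bad image. */
int count_wx_sections(const uint8_t *img, size_t len) {
    int n = 0, wx = 0;
    const uint8_t *s = section_table(img, len, &n);
    if (!s) return -1;
    for (int i = 0; i < n; i++, s += 40) {
        uint32_t ch = rd32(s + 36);                 /* Characteristics */
        printf("%-8.8s %c%c\n", (const char *)s, ch & SCN_WRITE ? 'W' : '-', ch & SCN_EXECUTE ? 'X' : '-');
        if ((ch & (SCN_WRITE | SCN_EXECUTE)) == (SCN_WRITE | SCN_EXECUTE)) wx++;
    }
    return wx;
}

/* Constructed sample image: .text (X), .data (W) and a packer-style .stub (W+X). */
size_t build_sample(uint8_t *img) {
    const char *names[3] = { ".text", ".data", ".stub" };
    uint32_t flags[3] = { SCN_EXECUTE, SCN_WRITE, SCN_WRITE | SCN_EXECUTE };
    memset(img, 0, 0x200);
    img[0] = 'M'; img[1] = 'Z'; wr32(img + 0x3C, 0x40); memcpy(img + 0x40, "PE\0\0", 4);
    img[0x46] = 3;                                  /* NumberOfSections       */
    img[0x54] = 0xE0;                               /* SizeOfOptionalHeader   */
    uint8_t *s = img + 0x58 + 0xE0;                 /* first section header   */
    for (int i = 0; i < 3; i++, s += 40) { memcpy(s, names[i], strlen(names[i])); wr32(s + 36, flags[i]); }
    return 0x200;
}
int sample_wx_count(void) { uint8_t img[0x200]; return count_wx_sections(img, build_sample(img)); } /* expect 1 */
```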