PELock Blog » Assembler http://www.pelock.com/blog Assembler, software protection, code obfuscation and other crazy stuff. Fri, 04 Apr 2008 11:05:14 +0000 http://wordpress.org/?v=2.9.2 en hourly 1 Really easy scripting with ODbgScript http://www.pelock.com/blog/2007/09/06/really-easy-scripting-with-odbgscript/ http://www.pelock.com/blog/2007/09/06/really-easy-scripting-with-odbgscript/#comments Wed, 05 Sep 2007 23:30:31 +0000 Bartosz http://www.pelock.com/blog/2007/09/06/really-easy-scripting-with-odbgscript/ ODbgScript is an extension for OllyDbg debugger (note to myself: so mr smartass there’s life except SoftICE heh :) ).

I was always a little bit afraid of using it becouse i thought it’s easier to write separate application than to code in this weird scripting language.

But today i need a tool to dump decrypted strings from one application (while it’s running). I wanted to start coding live dumper based on WinApi’s debug functions but i though what the heck, let’s try to do it in ODbgScript.

Here’s the result:

; declare variables
        var     string_ptr
        var     file_name
        var     file_index
        var     file_size
        var     x
 
; set breakpoint at the instruction where we
; intercepts decrypted strings
        bp     401020
 
; initialize file_index variable
        mov     file_index, 0
 
; run application after setting the breakpoint
again:
        run
 
; if we're here, it means application hit the breakpoint
; continue to execute script after breakpoint is hit
; (don't stop in OllyDbg)
        cob
 
; pointer to the encrypted string is stored
; at [ebp-14] let's grab it
        mov     x, ebp
        sub     x, 14
        mov     x, [x]
 
        mov     string_ptr, x
 
; strings are null terminated, let's find its
; size so we can dump it (LEN command didn't work
; here, it always returns 0FFh)
        find    string_ptr, #00#
 
        cmp     $RESULT, 0
        je      skip_file
 
; calculate string size
        mov     x, $RESULT
        sub     x, string_ptr
 
        mov     file_size, x
 
; format file name for decrypted string, name it using
; file_index value and .txt extension, eval works almost
; like wsprintf
        eval    "C:\Test\{file_index}.txt"
        mov     file_name, $RESULT
 
; dump memory area to the file
        dm      string_ptr, file_size, file_name
 
; log action
        eval    "{file_index} - VA = {string_ptr},
                 SIZE = {file_size}"
        log     $RESULT;
 
; increase index value
        inc     file_index
 
skip_file:
 
; run application again after dumping
        jmp     again

At first it might look confusing, but after playing with it for 5 minutes you will love it, especially if you know how to code in assembler.

And if you make mistakes in the script, don’t worry, it has its own, built-in debugger, available directly from OllyDbg so you can spot every mistake you did, trace down the script, modify its variables etc.

In other words viva la ODbgScript :)

PS. And don’t ask me why i didn’t use it before ;)

]]> http://www.pelock.com/blog/2007/09/06/really-easy-scripting-with-odbgscript/feed/ 0 SSE5 on the way http://www.pelock.com/blog/2007/09/02/sse5-on-the-way/ http://www.pelock.com/blog/2007/09/02/sse5-on-the-way/#comments Sun, 02 Sep 2007 15:57:53 +0000 Bartosz http://www.pelock.com/blog/2007/09/02/sse5-on-the-way/

With the introduction of SSE5, many new 128-bit instructions have been added to the existing instruction set detailed in the AMD64 Architecture Programmer’s Manuals. Included are 46 base instructions that expand to 170 total instructions, enabling improved performance and reduced loads.

Source:
http://developer.amd.com/sse5.jsp

PDF Documentation:
AMD64 Technology 128-Bit SSE5 Instruction Set

I wonder in how many years will it be used as a default set of instructions?

]]> http://www.pelock.com/blog/2007/09/02/sse5-on-the-way/feed/ 0 VMware detection (anti-debugging trick against TRW) http://www.pelock.com/blog/2007/04/15/vmware-detection-anti-debugging-trick-against-trw/ http://www.pelock.com/blog/2007/04/15/vmware-detection-anti-debugging-trick-against-trw/#comments Sun, 15 Apr 2007 19:44:26 +0000 Bartosz http://www.pelock.com/blog/2007/04/15/vmware-detection-anti-debugging-trick-against-trw/ Some of the anti-debugging tricks can be used to detect VMware, one of them is an old anti TRW (TRW was a popular debugger in 9x days) trick.

This anti-debugging trick works fine on a real Windows 9x installations (95, 98, ME) but it raises an exception under VMware (while reading IDT entry).

BOOL IsVMware9xTrw()
{
    // detect NT/XP/Vista
    if ( (GetVersion() & 0x80000000) == 0 )
    {
        return FALSE;
    }
 
    // detect VMWare (anti debugging trick against TRW)
    // VMware isn't detected with vm acceleration disabled
    __try
    {
        __asm
        {
            sub    esp, 6
            sidt   fword ptr [esp]
            pop    ax
            pop    eax
            mov    al, byte ptr [eax + 00Eh]
        }
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        return TRUE;
    }
 
    return FALSE;
}

Binaries and source code:
http://www.pelock.com/download.php?f=vmware_trw.zip (18 kB)

Please test this code on your own systems and tell me about the results.

]]> http://www.pelock.com/blog/2007/04/15/vmware-detection-anti-debugging-trick-against-trw/feed/ 5