flat assembler
Message board for the users of flat assembler.
shism2 04 Jun 2006, 21:41
If everyone could run this program and post the data shown in the message boxes as a list, I would appreciate it.
I need to collect that data for a project I'm working on. Thank you very much, everyone. That helps.
shism2 04 Jun 2006, 22:46
What OS are you using? And there are 7 pop ax...
Anti-debugging techniques. Code:
If it isn't too much trouble, could you run it under OllyDbg, please?
blacky 04 Jun 2006, 23:01
Oops. Sorry, never mind.
shism2 04 Jun 2006, 23:07
Umm, blacky... Could you please list them?
LocoDelAssembly 04 Jun 2006, 23:28
Runs perfectly under OllyDbg. However, there is something wrong: the first, third and fifth MessageBox have no title bar. I don't know why that happens. Note that this problem with the MessageBox happens without any debugger too. The last three MessageBoxes report different values under OllyDbg: 0738H, 7C92H and FFFFH.
[edit]Windows XP SP2 Spanish[/edit]
[edit2]Ah, now I see the effect of push ss / pop ss, but note that single-step debugging only skips pushfd. If I put a breakpoint at pushfd it's also skipped, so it's interesting to put a call to a procedure in place of pushfd. The problem with MessageBox is possibly the misalignment caused by pop ax.[/edit2]
shism2 05 Jun 2006, 00:05
It doesn't skip the instruction. It still executes the pushfd; it just "looks" like it does. Yes, you're right about the alignment and the problem with MessageBox. Hm, I'm using Windows XP SP1. I'm going to make little programs to test some stuff. Hope you're a faithful tester.
Also, what does the first MessageBox give you under OllyDbg? Single-step debugging, I'm not using that. The effect is to retrieve the previous values of the registers. It seems that OllyDbg changes them. Would be nice if someone who has Windows XP SP1 also posts results...
LocoDelAssembly 05 Jun 2006, 02:11
I mean it skips the instruction from the single stepping (it doesn't stop execution at pushfd but at the next instruction). I was wrong about the breakpoints; I tested it again and it stops execution at pushfd this time.
It gives me 0246H, like when I don't use a debugger. Only the three last MessageBoxes give me different values (0738H, 7C92H and FFFFH). However, if I do single stepping (pressing F7) it shows 0346H instead in the first MessageBox. About the problem with the MessageBox's title bar: if I replace pop AX with pop EAX it works fine (showing other values, of course). I can't imagine why it is a problem for MessageBox to display the title bar with an unaligned stack.
PS: Sorry about the six "pop ax"; in fact there are five unpaired, pushfd takes 4 bytes.
shism2 05 Jun 2006, 02:26
It's cool, thanks man. The value is higher than 300 if single stepping. Mine's 386.
zhak 05 Jun 2006, 12:22
MS Win2k 5.00.2195 SP4
Without OllyDbg: 0246H 0000H 8989H 7C59H 0004H 0000H 0008H
Every second (starting with the first) message box appears without caption.
Now under OllyDbg: 0346 0000 8989 7C59 0000 0000 0000
shism2 05 Jun 2006, 19:16
Ok, thanks... So I know the first MessageBox is a sure anti-debug under all systems. The other ones are a bit iffy to use.
NEW *FIXED* VERSION:
LocoDelAssembly 05 Jun 2006, 19:31
0246H <- Or 0346H if I do single stepping over pop SS
6D4FH
0738H
FFFFH
F000H <- Sometimes B000H, E000H, etc. (seems to be related to how much time I spend before reaching this MessageBox)
3DFDH
FFC8H
Code:
.flat1:00402000 ; Section 2. (virtual address 00002000)
.flat1:00402000 ; Virtual size                  : 0000004C (     76.)
.flat1:00402000 ; Section size in file          : 00000200 (    512.)
.flat1:00402000 ; Offset to raw data for section: 00000800
.flat1:00402000 ; Flags E0000020: Text Executable Readable Writable
.flat1:00402000 ; Alignment     : 16 bytes ?
.flat1:00402000 ; ---------------------------------------------------------------------------
.flat1:00402000
.flat1:00402000 ; Segment type: Pure code
.flat1:00402000 _flat1          segment para public 'CODE' use32
.flat1:00402000                 assume cs:_flat1
.flat1:00402000                 ;org 402000h
.flat1:00402000                 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
.flat1:00402000                 mov     eax, 90h
.flat1:00402005                 mov     ecx, 8
.flat1:0040200A
.flat1:0040200A loc_40200A:                             ; DATA XREF: .flat1:0040200Ao
.flat1:0040200A                 mov     edi, offset loc_40200A
.flat1:0040200F                 repe stosb
.flat1:00402011                 jmp     dword ptr [esp]
.flat1:00402011 ; ---------------------------------------------------------------------------
.flat1:00402014                 dd 6A006Ah, 13E8h, 746F4E00h, 69656220h, 6420676Eh, 67756265h
.flat1:00402014                 dd 646567h, 15FF006Ah, 40307Ch, 15FF006Ah, 40305Eh, 70h dup(0)
.flat1:00402014 _flat1          ends
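To see what the IDA listing above actually contains, here is an added Python helper. It is not code from the thread or from shism2's program: it expands the two `dd` data lines into the little-endian byte stream they stand for, pulls out any printable ASCII run, and computes which listed instructions the `mov eax, 90h` / `mov ecx, 8` / `mov edi, offset loc_40200A` / `rep stosb` sequence overwrites with 90h (the NOP opcode). The listing text, the instruction addresses and the data start address 00402014 are copied from the post; the overwrite range follows only from the x86 semantics of `rep stosb` (ECX copies of AL stored at EDI upward).

```python
import re
import struct

# The two "dd" data lines, copied from the IDA listing in the post above.
DATA_LINES = """
.flat1:00402014 dd 6A006Ah, 13E8h, 746F4E00h, 69656220h, 6420676Eh, 67756265h
.flat1:00402014 dd 646567h, 15FF006Ah, 40307Ch, 15FF006Ah, 40305Eh, 70h dup(0)
"""

# (address, mnemonic) pairs from the same listing; the dd data starts at 0x402014.
INSTRUCTIONS = [
    (0x402000, "mov eax, 90h"),
    (0x402005, "mov ecx, 8"),
    (0x40200A, "mov edi, offset loc_40200A"),
    (0x40200F, "repe stosb"),
    (0x402011, "jmp dword ptr [esp]"),
]
DATA_START = 0x402014


def parse_num(tok: str) -> int:
    """IDA/MASM number: a trailing 'h' means hexadecimal, otherwise decimal."""
    tok = tok.strip()
    return int(tok[:-1], 16) if tok[-1] in "hH" else int(tok)


def parse_dd(listing: str) -> bytes:
    """Expand 'dd' items (including 'N dup(V)' groups) into the little-endian bytes they encode."""
    out = bytearray()
    for line in listing.splitlines():
        m = re.search(r"\bdd\s+(.*)$", line)
        if not m:
            continue
        for item in m.group(1).split(","):
            dup = re.fullmatch(r"\s*(\S+)\s+dup\((.+)\)\s*", item)
            if dup:
                out += struct.pack("<I", parse_num(dup.group(2))) * parse_num(dup.group(1))
            else:
                out += struct.pack("<I", parse_num(item))
    return bytes(out)


def ascii_strings(blob: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len bytes, like the 'strings' tool."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def stosb_overwrites(edi: int, ecx: int, instructions, data_start: int):
    """Which listed instructions 'rep stosb' clobbers, and how many bytes of each.
    rep stosb stores ECX copies of AL at EDI upward, so the written range is [edi, edi+ecx).
    Each instruction's length is taken from the next listed address (or the data start)."""
    end = edi + ecx
    addrs = [a for a, _ in instructions] + [data_start]
    hits = []
    for (addr, text), nxt in zip(instructions, addrs[1:]):
        if addr < end and nxt > edi:
            hits.append((text, min(end, nxt) - max(edi, addr)))
    return hits


if __name__ == "__main__":
    blob = parse_dd(DATA_LINES)
    print(len(blob), "bytes of data;", ascii_strings(blob))
    # mov eax, 90h / mov ecx, 8 / mov edi, loc_40200A: eight NOPs written at 0x40200A
    for text, n in stosb_overwrites(0x40200A, 8, INSTRUCTIONS, DATA_START):
        print("%-28s %d byte(s) replaced by 90h" % (text, n))
```

The eight bytes of 90h cover the `mov edi` (5 bytes), the `rep stosb` (2 bytes) and the first byte of `jmp dword ptr [esp]`, which is why a static disassembly of the file and the code that actually runs disagree at 00402011.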
shism2 05 Jun 2006, 23:24
Oops... That is an anti-debug I forgot to leave out.
shism2 05 Jun 2006, 23:26
I need input from other people, sigh... I can't do it with just 3 people, including me.
madmatt 06 Jun 2006, 06:38
Here are my results:
0246 6d4f 0034 0039 7000 a938 ffc8
What exactly does this program do?
EDIT: Using Windows XP-SP2, Intel Celeron PIV 2.7ghz
Vasilev Vjacheslav 06 Jun 2006, 11:32
madmatt, this is the debugger detection trick
zhak 06 Jun 2006, 15:13
Here's one more set of results for you, shism2.
WinXP 5.1.2600 SP2.
0246, 6D4F, VAR, VAR, VAR, B038, FFC8 ; without debugger
0346, 6D4F, 0, 0, VAR, B038, FFC8 ; under SoftICE
0346, 6D4F, VAR, VAR, VAR, B038, FFC8 ; under OllyDbg
0346, 6D4F, B754, 8BB1, VAR, B038, FFC8 ; under w32dasm debugger
This trick works only if you single step push ss/pop ss; otherwise EFLAGS gives 0246. So you can easily overcome it. Hm, it's the debuggers' fault. IMHO, they should predict PUSH SS/POP SS and emulate it.
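As an added illustration (not the thread's program, which is 32-bit fasm code not reproduced on this page), the following Python model shows why push ss / pop ss / pushfd behaves the way zhak and LocoDelAssembly report. It models only two facts about the hardware: bit 8 of EFLAGS is the trap flag TF (0x100, exactly the difference between 0246H and 0346H), and a pop ss, like mov ss, holds back the single-step #DB trap until the following instruction has executed. The debugger side is an assumption of the model, not something the thread states: a debugger that, after stepping a lone pushfd, clears TF in the copy of EFLAGS the instruction just pushed, which is what keeps a plain pushfd reading 0246H. With pop ss in front, the CPU retires pushfd before the debugger regains control, so the pushed value keeps TF; the `emulate_pop_ss` switch is the fix zhak asks for.

```python
# Toy model of the push ss / pop ss / pushfd single-step check. Constructed example;
# it models the trap flag and the pop ss trap inhibition and nothing else about x86.

TF = 0x100           # EFLAGS.TF (bit 8): while set, the CPU raises #DB after each instruction
BASE_EFLAGS = 0x246  # EFLAGS value the thread reports with no debugger attached

SHIELDED = ["push ss", "pop ss", "pushfd", "pop eax"]  # the trick discussed in the thread
PLAIN = ["pushfd", "pop eax"]                          # the same read-out without pop ss


class Cpu:
    def __init__(self):
        self.eflags = BASE_EFLAGS
        self.stack = []
        self.eax = 0
        self.ip = 0

    def execute(self, program):
        """Retire one instruction. Returns True if a single-step #DB fires after it.
        pop ss (like mov ss) suppresses that trap until the *next* instruction retires."""
        insn = program[self.ip]
        self.ip += 1
        if insn == "push ss":
            self.stack.append("ss")
        elif insn == "pop ss":
            self.stack.pop()
        elif insn == "pushfd":
            self.stack.append(self.eflags)   # captures TF if the debugger has set it
        elif insn == "pop eax":
            self.eax = self.stack.pop()
        else:
            raise ValueError("unknown instruction: " + insn)
        return bool(self.eflags & TF) and insn != "pop ss"


def is_single_stepped(eflags):
    """The check the program makes on the value it popped into EAX."""
    return bool(eflags & TF)


def run_native(program):
    """No debugger: TF is never set, so pushfd always sees BASE_EFLAGS."""
    cpu = Cpu()
    while cpu.ip < len(program):
        cpu.execute(program)
    return cpu.eax


def run_single_stepped(program, emulate_pop_ss=False):
    """Step the program one F7 at a time. Per step the debugger sets TF, resumes, and gets
    control back at the #DB (whose delivery clears TF). A debugger that has just stepped a
    pushfd scrubs TF from the value it left on the stack (assumed debugger behaviour).
    With emulate_pop_ss it also scrubs a pushfd that the pop ss inhibition swallowed."""
    cpu = Cpu()
    while cpu.ip < len(program):
        cpu.eflags |= TF                      # arm the trap flag
        retired, trapped = [], False
        while cpu.ip < len(program) and not trapped:
            retired.append(program[cpu.ip])
            trapped = cpu.execute(program)    # after pop ss this runs one extra instruction
        cpu.eflags &= ~TF                     # #DB entry clears TF; debugger has control now
        if retired[-1] == "pushfd" and (emulate_pop_ss or retired == ["pushfd"]):
            cpu.stack[-1] &= ~TF              # hide TF in the pushed copy of EFLAGS
    return cpu.eax


if __name__ == "__main__":
    for name, prog in (("plain", PLAIN), ("shielded", SHIELDED)):
        print(name,
              "native", hex(run_native(prog)),
              "stepped", hex(run_single_stepped(prog)),
              "stepped+emulation", hex(run_single_stepped(prog, emulate_pop_ss=True)))
```

Running it reproduces the thread's numbers: both programs read 0246H natively, the plain pushfd still reads 0246H when stepped, the shielded one reads 0346H, and a debugger that emulates pop ss brings it back to 0246H.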
Vasilev Vjacheslav 06 Jun 2006, 15:52
...but they don't
shism2 07 Jun 2006, 00:24
Hmm... The first value is without a doubt obvious. The others I need to research more. I think I want this thread deleted until I make another program to research the others.
madmatt 11 Jun 2006, 06:41
Updated my results:
Olly Debug: 0246, 6d4f, 0738, ffff, e000, a938, fffc8
WinDbg: 0246, 6d4f, 0000, fa9c, f000, a938, ffc8
No debugger: 0246, 6d4f, 0034, 0039, e000, a938, ffc8
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.