Exetools  
#1, 03-12-2007, 10:16
Newbie_Cracker (VIP)
int3 and stolen bytes!

Hi friends.

I think it's an old question.

Tonight I played with CD-Cops and it defeated me!!

The question is:

How do I find the stolen bytes in a child process which is debugged by its father?
I debugged the father, but I didn't understand where the original bytes were written back to the child.

As you know, Armadillo with Nanomite protection, SafeDisc and SecuROM use the same method.

How do they execute the original bytes? Does the father execute the code virtually, or does the child execute it when it has been written back at the original addresses?

Regards

--------------
edited:

I read haggar's tutorial on unpacking SafeDisc. Does anybody know the tricks of CD-COPS?
__________________
In memory of UnREal RCE...

Last edited by Newbie_Cracker; 03-12-2007 at 20:00.
#2, 03-12-2007, 22:13
evlncrn8 (VIP)
In the case of SafeDisc (and probably the others), some 'simple' instructions (like mov eax, 4 etc.) were 'emulated' by adjusting the context data and then using SetThreadContext. There was a trick with some of these: if they were executed lots (maybe 4 times in succession), the 'stolen' bytes were then written back.
#3, 03-13-2007, 01:47
trickyboy (Friend)

@Newbie_Cracker: You can read two tutorials about Nanomites from Ricardo Narvaja. I hope they are useful for your question "How do they execute original bytes?"

Best Regards.
Attached Files:
71-ARMADILLO & NANOMITES (part 1).rar (250.9 KB)
72-ARMADILLO & NANOMITES (part 2).rar (162.9 KB)
#4, 03-14-2007, 05:33
Newbie_Cracker (VIP)
trickyboy, thanks man, I'll read them carefully. I hadn't seen these tutorials by Ricardo Narvaja.

and evlncrn8, I saw GetThreadContext and SetThreadContext in CD-COPS debugger, but I didn't understand what they are. Thanks for your info. I'll check them again.
#5, 03-14-2007, 16:48
LaDidi (VIP)
?etThreadContext

http://msdn2.microsoft.com/en-us/library/ms679362.aspx
http://msdn2.microsoft.com/en-us/library/ms680632.aspx

http://win32assembly.online.fr/tut30.html
http://win32assembly.online.fr/tut29.html

http://www.koders.com/c/fidF957BCBB3511AC6EA623FAB6DEDE69B07CC0DE0B.aspx

CONTEXT contains the context of the thread (EIP, Flags, EAX, ...).

Regards
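Added example, not code from this thread or from any of the protectors named in it: a portable C model of the father/child handling that evlncrn8 describes in #2 and that LaDidi's CONTEXT links in #5 underpin. `ThreadCtx` stands in for the Win32 CONTEXT fields (EIP/EAX), and the `Nanomite` table, `RESTORE_AFTER`, and the in-memory child image buffer are assumptions made for the example; on each int3 the father looks the address up, emulates `mov eax, imm32` by editing the context (what a real father would hand to SetThreadContext), and after repeated hits writes the original bytes back so the child runs them itself.

```c
#include <stdint.h>
#include <string.h>

/* Stand-ins for the CONTEXT fields that matter here, and for one nanomite entry:
   child address holding the int3, the stolen original bytes, and a hit counter. */
typedef struct { uint32_t Eip, Eax, EFlags; } ThreadCtx;
typedef struct { uint32_t addr; uint8_t orig[5]; uint8_t len; int hits; } Nanomite;
#define RESTORE_AFTER 4  /* assumed threshold: "executed lots, then written back" */

/* Emulate x86 "mov eax, imm32" (B8 imm32) by editing the context only, the way the
   father does before SetThreadContext. Returns 0 if the bytes are not that instruction. */
static int emulate_mov_eax_imm(ThreadCtx *ctx, const uint8_t *code, uint8_t len) {
    uint32_t imm;
    if (len != 5 || code[0] != 0xB8) return 0;
    memcpy(&imm, code + 1, 4);   /* little-endian immediate */
    ctx->Eax = imm;
    ctx->Eip += 5;               /* resume just past the stolen instruction */
    return 1;
}

/* Father's handler for an EXCEPTION_BREAKPOINT from the child. child_mem stands in for
   the child's code image (a real father would use WriteProcessMemory instead).
   Returns 1 = emulated, 2 = original bytes written back, 0 = int3 not in the table. */
static int handle_int3(ThreadCtx *ctx, Nanomite *tab, int n, uint8_t *child_mem, uint32_t base) {
    uint32_t fault = ctx->Eip - 1;   /* after int3, EIP sits just past the CC byte */
    for (int i = 0; i < n; i++) {
        if (tab[i].addr != fault) continue;
        ctx->Eip = fault;
        if (++tab[i].hits >= RESTORE_AFTER) {
            memcpy(child_mem + (fault - base), tab[i].orig, tab[i].len);
            return 2;   /* child re-executes at fault and now runs the real bytes */
        }
        return emulate_mov_eax_imm(ctx, tab[i].orig, tab[i].len) ? 1 : 0;
    }
    return 0;
}

/* Constructed scenario: child image at base 0x401000 whose "mov eax, 4" at 0x401010 was
   replaced by CC. Returns how many int3 hits were emulated before the write-back
   (expected 3), or -1 if emulation or restore left the wrong state. */
int nanomite_demo(void) {
    uint8_t mem[32];
    Nanomite tab[1] = {{ 0x401010, {0xB8, 0x04, 0x00, 0x00, 0x00}, 5, 0 }};
    ThreadCtx ctx = { 0x401011, 0, 0 };
    int emulated = 0, r;
    memset(mem, 0x90, sizeof mem);
    mem[0x10] = 0xCC;
    while ((r = handle_int3(&ctx, tab, 1, mem, 0x401000)) == 1) {
        if (ctx.Eax != 4 || ctx.Eip != 0x401015) return -1;
        emulated++;
        ctx.Eip = 0x401011;   /* the child trips the same int3 again */
    }
    return (r == 2 && mem[0x10] == 0xB8 && ctx.Eip == 0x401010) ? emulated : -1;
}
```

When tracing a real father, the write-back is the WriteProcessMemory call that follows the last emulated hit, which is why stepping the SetThreadContext path a few times in a row is where the restored bytes appear.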