#1
...when you don't have NOP instructions XDD???
I found this sentence at the very start of an old tutorial by Eternal Bliss:
"A fast tutorial with some tricks to learn how to patch P-Code when you don't have NOP instructions XDD."
The last part of the sentence says nothing to me. What does "when you don't have NOP instructions XDD" mean??? What is XDD???
yaa
#2
Re: What is XDD???
Hallo, it seems a strange opcode but it's a smiley.
The necessary smiley transformations are: :-) -> :-D -> X-D -> XD -> XDD
In fact the problem is/was that the PCODE equivalent of the X86 NOP opcode is/was unknown. Search this WTK Tutorialz for NOP:
Thanks for reading me in English, but there is a version in Castilian XDD
Hope it helps,
void
Last edited by void; 09-06-2004 at 01:01.
#3
?
#4
These are the links for anyone interested:
hxxp://www.woodmann.com/crackz/Tutorials/Cp375i.htm
hxxp://www.programmersheaven.com/articles/userarticles/john/vbvm.htm
and here is the article I took that sentence from:
hxxp://members.v3space.com/blackfenix/wktvbdebug/tutos/vbcrackme10.html
void, from these articles it would seem that there is indeed no equivalent for a NOP mnemonic in p-code. But then you say that it "is/was unknown". Is it still unknown???
yaa
Last edited by yaa; 09-06-2004 at 07:36.
#5
PCODE NOP
Hallo,
I have very little experience in reversing. In John Chamberlain's site about the MS Visual Basic VM there is an opcode.txt dated March 2001 which mentions a P-CODE NOP equivalent, FC14, while Eternal Bliss' VBCrackMe v10.0 is dated June 1999. WKTVBDE, dated 2002, assigns to FC14 the operation CI2UI1, but I found no documentation about CI2UI1.

Regarding Eternal Bliss' VBCrackMe Tutorial: if FC14 is truly the PCODE NOP, it couldn't be used to disable the 004048B7: BranchF jump (1C 07 05) in vbcrackme10.exe the way the one-byte X86 NOP is used to overwrite multibyte X86 opcodes. Also Eternal Bliss' solution of overwriting EqVarBool (which tests the equality of two boolean vars and pushes -1 or 0 to the stack according to the comparison result) with a push of -1 (dword) onto the stack leaves me a bit confused, because EqVarBool takes 2 dwords from the stack and pushes one. I don't know if the stack is freed correctly when the function returns (who manages this one extra dword?).

Another way to bypass the check is to change the BranchFalse jump (1C 07 05) into an unconditional Branch (Opcode 1E and LO HI bytes) that jumps to 004048BAh. So if BranchFalse(1C) 0705 is equal to BranchFalse 0x0507h and corresponds to BranchFalse 004048E3h, then Branch 004048BAh corresponds to Branch 0x04DEh (0x0507h - (0x4048E3h - 0x4048BAh)) and is equal to Branch(1E) DE04. This means that 1C0705 could be changed to 1EDE04, obtaining the same result, but it messes up the stack too (I've just discovered that BranchF pops a dword from the stack). How does the stack get balanced in the virtual machine?

Ok! I've read the part of John Chamberlain's Microsoft P-Code Implementation regarding the stack:
Quote:
Microsoft P-Code Technology
Code:
Source code            P-code
m = i+j+func();        L1: LdfW i
                           LdfW j
                           AddW
                           CallFCW func
                           AddW
                           EQuote
                           StfW m
n = i + j + func();    Quote L1
                       StfW n

Regarding the PCODE NOP, I don't know if there is a VBVM opcode for the DoNothing VB statement, nor an X86 NOP equivalent. Is there an updated and detailed VB opcode list with mention of the values pushed onto the stack?

I edited this post many times as I discovered new info; I did not post new replies to prevent the "Posting of Substance" feature. I hope I've not caused any confusion.
void
Last edited by void; 09-06-2004 at 18:47.
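The branch re-targeting arithmetic in the post above, written out as an added example (not code from the thread or from any of the tools it mentions). It takes the page's stated values (BranchF 1C 07 05 at 004048B7 resolving to 004048E3h, fall-through at 004048BAh) and assumes, as the post's arithmetic does, that the 16-bit little-endian operand is an offset from one fixed base address.

```python
# Re-deriving the Branch patch from the thread: 1C 07 05 (BranchF) -> 1E DE 04 (Branch).
# Assumption (implied by the post's arithmetic): the operand is a 16-bit little-endian
# offset relative to a fixed base, which we recover from one resolved instruction.
import struct

BRANCH_F = 0x1C   # BranchF: pops a dword and jumps if it is False (per the post)
BRANCH   = 0x1E   # Branch: unconditional, pops nothing


def decode_branch(insn: bytes) -> tuple:
    """Split a 3-byte BranchF/Branch instruction into (opcode, 16-bit LE offset)."""
    if len(insn) != 3 or insn[0] not in (BRANCH_F, BRANCH):
        raise ValueError("not a 3-byte BranchF/Branch instruction")
    return insn[0], struct.unpack("<H", insn[1:])[0]


def offset_base(insn: bytes, known_target: int) -> int:
    """Recover the address the offset is relative to, from an instruction whose
    target the debugger already resolved (here 1C 07 05 -> 004048E3h)."""
    _, off = decode_branch(insn)
    return known_target - off


def encode_branch(opcode: int, base: int, target: int) -> bytes:
    """Build a 3-byte branch to `target` using the same base-relative encoding."""
    off = target - base
    if not 0 <= off <= 0xFFFF:
        raise ValueError("target not reachable with a 16-bit offset")
    return bytes([opcode]) + struct.pack("<H", off)


def retarget_branch(original: bytes, known_target: int, new_target: int, opcode: int) -> bytes:
    """Rewrite `original` as `opcode` jumping to `new_target`.
    Caveat from the post: BranchF consumes the dword EqVarBool pushed, Branch does
    not, so after this patch the VM operand stack is no longer balanced."""
    base = offset_base(original, known_target)
    return encode_branch(opcode, base, new_target)


if __name__ == "__main__":
    # Values quoted in the thread (vbcrackme10.exe, 004048B7: BranchF 1C 07 05)
    patched = retarget_branch(bytes.fromhex("1C0705"), 0x4048E3, 0x4048BA, BRANCH)
    print(patched.hex().upper())  # 1EDE04
```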
#6
For those interested, for p-code VB apps good tools are ExDec (hxxp://www.iespana.es/jbduc/downloads/tools/betaexdec.zip), VBParser (hxxp://www.pediy.com/tools/Decompilers/VB_pcode/VBParser/VBParser1.2.zip) and WKTVBDebugger (hxxp://vbdebug.cjb.net/). SmartCheck instead is good for non p-code apps.
yaa
#7
CI2UI1
CI2UI1 = Convert Integer_2_Byte to Unsigned_Integer_1_Byte
Function should be evident from the above text. As for NOP, also check for some minor info:
hxxp://www.woodmann.net/forum/showthread.php?t=5628&highlight=NOP
Thanks
Sarge