Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 05-24-2017, 05:03
sendersu sendersu is offline
VIP
 
Join Date: Oct 2010
Posts: 828
Rept. Given: 324
Rept. Rcvd 216 Times in 110 Posts
Thanks Given: 167
Thanks Rcvd at 342 Times in 192 Posts
sendersu Reputation: 200-299 sendersu Reputation: 200-299 sendersu Reputation: 200-299
Arrow "Syser The Debugger, reversecode ed."

Hi reversers!
as per my friend's ping I"m posting here some great news.

A R.E. edition of the well-known tool "Syser Win32 debugger"
This is a long fun over happy weekends/nights of the reverser aka reversecode
He's very skilled and mature and releasing some great stuff from time to time (eg: skype/hidden IDA features/etc)

This time it's up to Syser back from hell (joke)
Some details if you are curious

Some words from himself:
------------------
This work is not for getting *thanks*,
I guess it still has tons of bugs, be it either mine or from the R.E process itself.
Lots of TODOs are waiting for a better time

As for today, you already could run/trace/breakpoing/add watches/even plugins are there!
I've kept the original look & feel as much as possible.
I'm very interested in comments/remarks/bugreports,
especially on debugger crashes/etc

To get it: https://www.sendspace.com/file/wc2cfs


history track record:
===
1607 210517
add handle int 3
fix mouse scroll
fix memory leak PEFile read import

0413 230517
fix crash on delete watch item
improve terminate debug
add FlushInstructionCache on WriteMemory
start debug from cmdline

2046 230517
improve reset(reload the input file) (WO hotkey)


API & plugin sample
https://pastebin.com/3cnTASFy
https://pastebin.com/b2GeZfa8

Note: menu handling routines are still under work, rest should be just fine.

Enjoy!
------------------
Attached Images
File Type: png syser_main.png (81.0 KB, 25 views)
Reply With Quote
The Following 2 Users Gave Reputation+1 to sendersu For This Useful Post:
b30wulf (05-24-2017), niculaita (05-24-2017)
The Following 12 Users Say Thank You to sendersu For This Useful Post:
alekine322 (06-03-2017), an0rma1 (10-06-2017), chessgod101 (05-24-2017), computerline (05-24-2017), Hypnz (05-25-2017), Indigo (07-19-2019), ngoksun (05-24-2017), niculaita (05-24-2017), NoneForce (06-08-2017), TechLord (05-24-2017), tonyweb (05-26-2017), VodoleY (05-26-2017)
  #2  
Old 05-24-2017, 14:36
Dark Intentions Dark Intentions is offline
Friend
 
Join Date: Mar 2015
Posts: 15
Rept. Given: 0
Rept. Rcvd 2 Times in 1 Post
Thanks Given: 4
Thanks Rcvd at 8 Times in 4 Posts
Dark Intentions Reputation: 2
Maybe it's just my ignorance but i don't really understand the point of this effort. And don't get me wrong, i respect the time and skill invested in this project. I used the original Syser sometimes in the past, and its main advantage was the kernel mode debugging (at least for me). For usermode, syser is not competitive against olly/x64dbg in my opinion. And as far as i remember Syser died with XP. So my question is: can you use this new reversecode version on new OSes for kernelmode debugging? Is it for 32bit as the original was, or can it handle 64 bit code as well?
Reply With Quote
The Following 2 Users Say Thank You to Dark Intentions For This Useful Post:
an0rma1 (10-06-2017), Indigo (07-19-2019)
  #3  
Old 05-24-2017, 14:58
Syoma Syoma is offline
reverse engineer
 
Join Date: May 2009
Posts: 338
Rept. Given: 35
Rept. Rcvd 77 Times in 50 Posts
Thanks Given: 15
Thanks Rcvd at 77 Times in 50 Posts
Syoma Reputation: 77
It is ring3 x32, but ring3 x64 support planned.
ring0 will be most probable as commercial version (if any).
Reply With Quote
The Following User Says Thank You to Syoma For This Useful Post:
Indigo (07-19-2019)
  #4  
Old 05-24-2017, 15:35
Loki Loki is offline
Lo*eXeTools*rd
 
Join Date: Jan 2009
Posts: 122
Rept. Given: 156
Rept. Rcvd 65 Times in 30 Posts
Thanks Given: 58
Thanks Rcvd at 18 Times in 13 Posts
Loki Reputation: 65
So pretty pointless then? :S
Reply With Quote
The Following User Says Thank You to Loki For This Useful Post:
Indigo (07-19-2019)
  #5  
Old 05-26-2017, 04:09
chessgod101's Avatar
chessgod101 chessgod101 is offline
Co-Administrator
 
Join Date: Jan 2011
Location: United States
Posts: 482
Rept. Given: 2,087
Rept. Rcvd 665 Times in 206 Posts
Thanks Given: 452
Thanks Rcvd at 624 Times in 129 Posts
chessgod101 Reputation: 500-699 chessgod101 Reputation: 500-699 chessgod101 Reputation: 500-699 chessgod101 Reputation: 500-699 chessgod101 Reputation: 500-699 chessgod101 Reputation: 500-699
I am actually rather excited about this project. Syser, like softice before it, is an amazing ring 0 debugger. I've honestly missed not having an alternative on windows 7 and above that didn't require remote debugging. If this project continues fruitfully, and x64 support is implemented seamlessly, it will be an asset to the development and reverse engineering community.
__________________
"Real knowledge is to know the extent of one's ignorance." Confucius
Reply With Quote
The Following User Says Thank You to chessgod101 For This Useful Post:
Indigo (07-19-2019)
  #6  
Old 05-26-2017, 11:31
sendersu sendersu is offline
VIP
 
Join Date: Oct 2010
Posts: 828
Rept. Given: 324
Rept. Rcvd 216 Times in 110 Posts
Thanks Given: 167
Thanks Rcvd at 342 Times in 192 Posts
sendersu Reputation: 200-299 sendersu Reputation: 200-299 sendersu Reputation: 200-299
Breaking update - reverscode added/implemented x64 support http://polariton.ad-l.ink/7qpvNZqYX/image.png
stay tuned
=======================
x32 https://www.sendspace.com/file/bzx86g
x64 https://www.sendspace.com/file/umua9d

1607 210517
add handle int 3
fix mouse scroll
fix memory leak PEFile read import
0413 230517
fix crash on delete watch item
improve terminate debug
add FlushInstructionCache on WriteMemory
start debug from cmdline
2046 230517
improve reset(reload the input file) (WO hotkey)
1528 240517
hide BP(CCh) bytes from HexView, show original value
colored BP(code,data) in HexView
done re PopupMenu on HexView (hotkey not tested), operation toolbar in TODO
done re command(edit,move,compare) memory
0203 250517
done re ModuleList window
done re ascii/unicode string context ref
fix env path by add manifest
2224 250517
fix crash without dbg plugin
first build x64
Reply With Quote
The Following User Gave Reputation+1 to sendersu For This Useful Post:
Shub-Nigurrath (06-29-2017)
The Following 12 Users Say Thank You to sendersu For This Useful Post:
abhi93696 (05-27-2017), alekine322 (06-03-2017), besoeso (05-26-2017), chessgod101 (05-27-2017), deepzero (05-26-2017), Hypnz (05-26-2017), Indigo (07-19-2019), niculaita (05-26-2017), TechLord (05-26-2017), tonyweb (05-26-2017), WRP (05-27-2017), zeuscane (05-26-2017)
  #7  
Old 05-27-2017, 16:00
WRP WRP is offline
Family
 
Join Date: Nov 2010
Posts: 115
Rept. Given: 13
Rept. Rcvd 36 Times in 21 Posts
Thanks Given: 68
Thanks Rcvd at 167 Times in 71 Posts
WRP Reputation: 36
I can donate for ring0 version.
Reply With Quote
The Following 3 Users Say Thank You to WRP For This Useful Post:
Indigo (07-19-2019), niculaita (05-27-2017), sh3dow (05-30-2017)
  #8  
Old 05-28-2017, 08:20
mr.exodia's Avatar
mr.exodia mr.exodia is offline
Super Moderator
 
Join Date: Nov 2011
Posts: 858
Rept. Given: 497
Rept. Rcvd 1,155 Times in 309 Posts
Thanks Given: 92
Thanks Rcvd at 743 Times in 355 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
What about making this open source? It might be an interesting read for the future.
__________________
x64dbg: http://x64dbg.com
My Blog: http://mrexodia.cf
Reply With Quote
The Following 4 Users Say Thank You to mr.exodia For This Useful Post:
Hypnz (05-28-2017), Indigo (07-19-2019), niculaita (05-28-2017), TechLord (05-29-2017)
  #9  
Old 05-29-2017, 13:26
sendersu sendersu is offline
VIP
 
Join Date: Oct 2010
Posts: 828
Rept. Given: 324
Rept. Rcvd 216 Times in 110 Posts
Thanks Given: 167
Thanks Rcvd at 342 Times in 192 Posts
sendersu Reputation: 200-299 sendersu Reputation: 200-299 sendersu Reputation: 200-299
Hello people!
how do you do!

more updates from reversecode:

1813 280517
fix mouse wheel scroll on x64
fix scroll by UPbtn bar
add ALT+ hotkey
fix fit hexview on x64
fix hexview change addr on edit addr area
fix align stackview on x64
fix str sym ref on \t
add resolve ctx ref on r8-r15 CPU reg x64
improve PE loader for x64, for resolve import/export sym
fix select bytes on hexview for x64
add show EB line jmp ref
chg addr/offs represent on codeview

and even more fixes -

0731 290517
fix PE Loader for x64, to read import/export for hibase > 32bit, as example kernelbase.dll
done re sym command, allow show/add symbol/use it for set breakpoint
fix readpe onload file, for correct read sizeof file for x64
fix search module range and module info status for x64
Reply With Quote
The Following User Says Thank You to sendersu For This Useful Post:
Indigo (07-19-2019)
  #10  
Old 05-29-2017, 22:15
niculaita's Avatar
niculaita niculaita is online now
Family
 
Join Date: Jun 2011
Location: here
Posts: 1,076
Rept. Given: 835
Rept. Rcvd 85 Times in 57 Posts
Thanks Given: 2,448
Thanks Rcvd at 405 Times in 286 Posts
niculaita Reputation: 85
SyserHide_25.05.17.zip (22.68kb, 47 de descărcări)
29.05.2017_x86-x64.rar WISP (1.92MB, 3 descărcări)
please give us other free links for them
__________________
Decode and Conquer
Reply With Quote
The Following User Says Thank You to niculaita For This Useful Post:
Indigo (07-19-2019)
  #11  
Old 05-29-2017, 23:20
FoxB FoxB is offline
VIP
 
Join Date: Jan 2002
Location: Earth...
Posts: 681
Rept. Given: 12
Rept. Rcvd 102 Times in 68 Posts
Thanks Given: 5
Thanks Rcvd at 413 Times in 175 Posts
FoxB Reputation: 100-199 FoxB Reputation: 100-199
@niculaita: x32/x64 https://www.sendspace.com/file/pzl3ni
Reply With Quote
The Following 2 Users Say Thank You to FoxB For This Useful Post:
Indigo (07-19-2019), niculaita (05-29-2017)
  #12  
Old 05-30-2017, 02:17
niculaita's Avatar
niculaita niculaita is online now
Family
 
Join Date: Jun 2011
Location: here
Posts: 1,076
Rept. Given: 835
Rept. Rcvd 85 Times in 57 Posts
Thanks Given: 2,448
Thanks Rcvd at 405 Times in 286 Posts
niculaita Reputation: 85
still remains to upload please SyserHide_25.05.17.zip (22.68kb)
__________________
Decode and Conquer
Reply With Quote
The Following User Says Thank You to niculaita For This Useful Post:
Indigo (07-19-2019)
  #13  
Old 05-30-2017, 04:32
sendersu sendersu is offline
VIP
 
Join Date: Oct 2010
Posts: 828
Rept. Given: 324
Rept. Rcvd 216 Times in 110 Posts
Thanks Given: 167
Thanks Rcvd at 342 Times in 192 Posts
sendersu Reputation: 200-299 sendersu Reputation: 200-299 sendersu Reputation: 200-299
Hider plugin for Syser

Get:
https://yadi.sk/d/L0UKb6QK3JYPRY
https://www.sendspace.com/file/hwp40a

Steps:
unpack (use same dir levels)
syser_hide.dll -> Plugins,
hide_generic.dll nearby main .exe

Who wants might use hide_generic.dll in their projects.
Steps:
as easy as LoadLibrary() and we are cool!
The dll sets up a hook over
ZwWaitForDebugEvent() in debugger process and installs the rest of hooks
and patches memory in a process under debug.

The config is embedded inside the file itself in the following way:
[\x00] - OFF
any other char - ON

Code:ZwQueryInformationProcess[x]
ZwSetInformationThread[x]
ZwClose[x]
NtGlobalFlag[x]
ProcessHeapFlag[x]
IsDebuggerPresent[x]

enjoy

(c) by Veliant from exelab.ru resource
You could reach him here
https://exelab.ru/f/index.php?action=userinfo&user=3136
Reply With Quote
The Following 2 Users Say Thank You to sendersu For This Useful Post:
Indigo (07-19-2019), niculaita (05-30-2017)
  #14  
Old 06-08-2017, 05:29
sendersu sendersu is offline
VIP
 
Join Date: Oct 2010
Posts: 828
Rept. Given: 324
Rept. Rcvd 216 Times in 110 Posts
Thanks Given: 167
Thanks Rcvd at 342 Times in 192 Posts
sendersu Reputation: 200-299 sendersu Reputation: 200-299 sendersu Reputation: 200-299
Hot updates and fresh meat from reversecode!

-------------------------------------

1258 040617
fix disable load x86 on syser x64
fix fmt fit addr exception violation on syser x64
fix PID/TID status and expr var
fix fit addr tab in code/data view for x64
fix 'p ret' cmd, run to return
implement SDK menu api
done re process list window (attach work, detach from target at todo)
starting re peexplorer window

1559 040617
fix load SyserColor.cfg from old SyserOption.exe util https://www.sendspace.com/file/l7r3pw

2058 040617
improve highlight keyword


combined URL for both 32/64: https://www.sendspace.com/file/t4lpr5
Reply With Quote
The Following 3 Users Say Thank You to sendersu For This Useful Post:
chessgod101 (06-30-2017), Indigo (07-19-2019), niculaita (06-08-2017)
  #15  
Old 10-04-2017, 00:08
sendersu sendersu is offline
VIP
 
Join Date: Oct 2010
Posts: 828
Rept. Given: 324
Rept. Rcvd 216 Times in 110 Posts
Thanks Given: 167
Thanks Rcvd at 342 Times in 192 Posts
sendersu Reputation: 200-299 sendersu Reputation: 200-299 sendersu Reputation: 200-299
Due to some issues author shut down the project
PS. He left a chance to recover it - initial bid is $ 10к
details in the link in 1st post.
Reply With Quote
The Following User Says Thank You to sendersu For This Useful Post:
Indigo (07-19-2019)
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
When use "vendor defined encryption routines", how to set daemon related part? bridgeic General Discussion 6 01-22-2015 11:35
"Error while unpacking program, code LP5. Please report to author." gokilaravee General Discussion 2 06-01-2011 14:34
Wlscgen: Are "Vendor Id" and "Developer Id" different ? Numega Softice General Discussion 6 02-12-2007 18:12


All times are GMT +8. The time now is 21:50.


��ICP��05004977��
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX