there are tuts, info or any manual or guide of paimei usage?

i found only the info of the official page and is very limited.

thanks in advance
Ricardo Narvaja

It seems to have several more or less "official websites", so just to make sure, you saw the following, right?

http://pedram.redhive.com/PaiMei/docs/


Also, a small third-party "tutorial" making use of it:

http://www.matasano.com/log/422/pedram-aminis-amazing-paimei-win32-reverse-engineering-in-python/


Anyone else know about any other good information sources for PaiMei?

yes is the only i found too, is very limited info for the possiblities of this tool.

Thanks
Ricardo

Yep, I thought so too when looking into it earlier. Let's hope it's just extremely intuitive or self-documenting once you start working with it, apparently a bunch of people have done quite a lot with it at least (or they might of course just have a secret documentation website or even more likely all too much time on their hands).

maybe my first PAIMEI tutorial with installation steps a mini tut using process stalker y continue investigating for the part 2.

http://storage2.ricardonarvaja.com.ar/web/CURSO%20NUEVO/TEORIAS%20NUMERADAS/901-1000/958-PAIMEI-PARTE%201%20INSTALACION.rar

ahi esta

ricnar

Nice Ricardo, you are a genuine contributor.

And WE always appreciate your efforts.

Regards,

http://storage2.ricardonarvaja.com.ar/web/CURSO%20NUEVO/TEORIAS%20NUMERADAS/901-1000/960-USANDO%20PAIMEI%20PARTE%202.rar

http://storage2.ricardonarvaja.com.ar/web/CURSO%20NUEVO/TEORIAS%20NUMERADAS/901-1000/965-PAIMEI%20-PARTE%203-USANDO%20BREAKPOINTS.rar

PAIMEI TUTORIALS PART 2 and 3

Bah humbug to web storage, this stuff is too good and too rare Ricardo.

EDIT: All tutorials are now available directly from the server, see post #28 below for the links.

Cheers,
Kayaker

http://storage2.ricardonarvaja.com.ar/web/CURSO%20NUEVO/TEORIAS%20NUMERADAS/901-1000/958-PAIMEI-PARTE%201%20INSTALACION..rar

Yes here is available jeje or here

http://ricardonarvaja.info/WEB/CURSO%20NUEVO/TEORIAS%20NUMERADAS/901-1000/958-PAIMEI-PARTE%201%20INSTALACION..rar

(have two dots hehe ..rar)
well i go for write the 4, je
ricnar

EDIT: All tutorials are now available directly from the server, see post #28 below for the links.


All right, that file contains both PaiMei and IdaPython and is too large for an attachment, so what I did was to remove them and will just attach the tutorial files here.

The program files themselves can be obtained from their respective sites:

http://paimei.openrce.org/

http://d-dome.net/idapython


Or, just in case, I uploaded the programs that were originally in the tutorial here:

http://www.woodmann.com/malware/Paimei+IdaPython.zip

Keep the PaiMei tuts coming

Kayaker

http://ricardonarvaja.info/WEB/OTROS/PYTHON%20DESDE%20CERO/
http://storage2.ricardonarvaja.com.ar/web/OTROS/PYTHON%20DESDE%20CERO/

if anybody want learn python from ZERO, from real ZERO (knowing nothing), here is the INTRODUCCION TO PYTHON FROM ZERO written by me when i learn python.

ETAPA 1 : THE BASICS ( 33 TUTORIALES )
ETAPA 2: ADVANCED (9 TUTORIALS TILL TODAY AND CONTINUE)

This tuts are write for me when i learn python, using the MARK LUTZ books for learn, and when i understand, wrote a tut from this theme expaining the book of LUTZ, easy for starters than me.

in the etapa 1, i was learn with the BOOK LEARNING PYTHON of MARK LUTZ
in the etapa 2 i'm learning with the book PROGRAMMING PYTHON of MARK LUTZ and i'm writing more parts-

Really this tutorials are not copied from LUTZ boooks but are based on then, i write in a more understable mode for starters in python, (i'm learning python and am a starter too in this languaje) and in spanish (the original are english), maybe the english readers can read the original books, but in spanish there are only few books about python and in a simple level.

Maybe for a spanish reader can be useful.

ricnar

Thanks again for sharing your efforts Ricardo!

Regards,

Great tut from GERA, make a keygen with pydbg, i based my tut in this great tut.

http://storage2.ricardonarvaja.com.ar/web/CURSO%20NUEVO/TEORIAS%20NUMERADAS/901-1000/967-TUTE%20DE%20GERA%20de%20keygen%20con%20PYDBG.rar

i post here, the reason my tut is based from GERA tut, and GERA not have problem i post too.

ricnar

I'd have to say... You are the man Ricardo!!!
I was always curious on how to operate PAEMEI but thanks to you, now I can get a grip on it. Keep it rollin' !!!

thanks, is very cool the efforts for investigate new things, can be useful for others, thanks to you for read my simple tuts, i will continue with more parts of paimei.

ricnar

http://storage2.ricardonarvaja.com.ar/web/CURSO%20NUEVO/TEORIAS%20NUMERADAS/901-1000/968-PAIMEI-PARTE%204-%20LOGUEAR%20ARGUMENTOS%20DE%20UNA%20%20O%20VARIAS%20APIS.rar

PARTE 4

Ricardo Narvaja

Thanks again Ricardo for sharing your efforts here.

Regards,

http://storage2.ricardonarvaja.com.ar/web/CURSO%20NUEVO/TEORIAS%20NUMERADAS/901-1000/970-PAIMEI-PARTE%205-GRAFICANDO%20CON%20PAIMEI.rar

GRAPH WITH PAIMEI

ricnar

Thanks for share.Ricardo Narvaja.

http://storage2.ricardonarvaja.com.ar/web/CURSO%20NUEVO/TEORIAS%20NUMERADAS/901-1000/975-PAIMEI-PARTE6-EMPEZANDO%20A%20GRAFICAR%20DESDE%20UN%20SCRIPT%20O%20SHELL%20DE%20PYTHON%20CON%20PAIMEI.rar

ricnar

Good work Ricardo. Hope you have time to keep this interesting project going.

Regards,

Ricardo...thanks for your tutorials on paimei.

I am hoping you can speak some English because I tried to translate this message into Spanish and it made no sense when I translated it back to English.

I am trying to translate your tutorials from Spanish to English and some words are not translatable. Here's an example:

yendo a la consola de mysql y dropeando la database

The word 'dropeando' appears many times in a Google search but cannot be translated by any online translators. I have tried three, and get the following results:

1)Going to console the database mysql and dropeando
2)going to the console of mysql and dropeando the database
3)going to the console of mysql and dropeando the database

I found one site refering to 'dropeando bombas', which I took to mean 'dropping bombs'.

Could you try to clarify what you mean in reference to MySQL? I think your instructions are to run the command line script that creates the SQL database for paimei. Before that, I think you refered to checking or unchecking (tick/untick) a box that is related to this script. It related to the line:

.1-REV122>__setup_mysql.py localhost (user) (pass)

May I suggest, that if you want to reach an international audience, you keep the Spanish language very simple...the way you might talk to a young child. Do not use slang or idioms. It's easier for me to understand what is implied by simplicity than to decipher sophisticated or idiomatic language. We don't communicate through words, but through the images conveyed by the words.

Anyway, the words je je translated OK.

is a command of mysql DROP DATABASE, used for discard or delete a bad created database.

i need drop, or delete de folder of the database, when i install mysql i forgot the mark in STRICT MODE and the database creates in bad mode, which paimei cannot work, only making drop database or unistall mysql and delete all folders created by the program i can create a new fresh database, and sucesfully for use by paimei.

thanks for read i have two readers now hehehe.
ricnar

Ah! The light goes on. I should have read about SQL first. Thanks for pointing that out, Ricardo, and the other part of the explanation.

I'll be back with some other questions, if you don't mind. I had to translate from Russian in the past when I tried to repair a hard drive. It helps to converse with a person who speaks the language. jeje.

if i can help you, ask, no problem to me.

ricnar

I had only one year of Spanish in High School, nearly 50 years ago and I could easily understand:

yendo a la consola de mysql y dropeando la database

as something to do with "going" to "MySQL" and "dropping" the "database"!



Regards,

I have uploaded parts 1-8 here, para la posteridad

http://www.woodmann.com/malware/958-PAIMEI-PARTE-1-INSTALACION.zip
http://www.woodmann.com/malware/960-USANDO-PAIMEI-PARTE-2.zip
http://www.woodmann.com/malware/965-PAIMEI-PARTE-3-USANDO_BREAKPOINTS.zip
http://www.woodmann.com/malware/968-PAIMEI-PARTE-4-LOGUEAR_ARGUMENTOS_DE_UNA_O_VARIAS_APIS.zip
http://www.woodmann.com/malware/970-PAIMEI-PARTE-5-GRAFICANDO_CON_PAIMEI.zip
http://www.woodmann.com/malware/975-PAIMEI-PARTE-6-EMPEZANDO_A_GRAFICAR_DESDE_UN_SCRIPT_O_SHELL_DE_PYTHON.zip
http://www.woodmann.com/malware/977-PAIMEI-PARTE-7-CONTINUAMOS_GRAFICANDO_DESDE_UN_SCRIPT_O_SHELL_DE_PYTHON.zip
http://www.woodmann.com/malware/981-PAIMEI-PARTE-8-HEAP_TRACE_CON_PAIMEI.zip

Jeessh, JMI, and I thought I was the only old gaffer on this board.

I took four years French in high school and all I remember is 'Vien (sp??) voir mon bain tourbillon'? It's a line guys use on young ladies in Montreal, and even Ottawa , which means loosely, "would you like to see my hottub"?

I plugged the above in my translator and it choked.

I could pretty well figure out the dropeando from the use 'dropeanda bombas', but dropping the database didn't stand out till Ricardo pointed out it was part of SQL language. I tried 'blowing up the database', 'exploding the database', and even came across a few Spanish profanities aimed at one's mama.

Earlier in the tute (there I go with English slang), Ricardo had mentioned checking/unchecking a box. I did not connect the two till he explained the overall usage. So, it pays to ask sometimes, even if one appears stupid in the process. It also pays to try the process, as one translates, as the actual doing of it may reveal what is meant.

thanks Kayaker...now if you'd be good enough to translate them.

Perhaps it was easier for me because I work with MySQL and the Database for vBulletin fairly frequently, and have spent some time attempting to learn the necessary and appropriate commands. (And occasionally screwing them up!!!)

And I am that old! I graduated from High School in 1964 and I was one of the oldest people in my class because I had to wait an extra year to start school because the cut off for starting the previous year was the day before my birthday.

Regards,

Small world. I graduated in 1963 but had the opposite age problem. I skipped grade 3, so I had just turned 17 when I graduated. It wasn't that I was a brain so much as the grade 3 teachers not wanting to have me in their classes. Actually, I started school early...just after turning 5.

It's tough when you are a year behind other students hormonally. One goddess, who sat in front of me in grade 12 Math class, was about two years older, and more like a mother than a schoolmate. At least, that's how she talked to me.

http://storage2.ricardonarvaja.com.ar/web/CURSO%20NUEVO/TEORIAS%20NUMERADAS/901-1000/977-PAIMEI-PARTE%207-CONTINUAMOS%20GRAFICANDO%20DESDE%20UN%20SCRIPT%20O%20SHELL%20DE%20PYTHON%20CON%20PAIMEI.rar

PARTE 7 graphing complete programs and functions from shell or script.
Thanks for your interest in my modest tutorials, very happy i have readers
ricnar

Ah i forgot the response of this, the argentinian not talk in pure spanish, we have many many words, only used here.
I try not use this words but is difficult to me, the day to day use is so frequent, but i try always use only pure spanish words, sorry if fail in some case.

ricnar

thanks ricardo. On my system, your URL shows up with '%20' in place of a space (0x20). Just want to point that out to anyone having trouble downloading the file. The solution is to manually edit the URL, replacing each %20 with a space, or put the entire line in an editor and use the 'replace' function.

"You must be using some shitty browser dude" - I think that would be the appropriate response if anyone is having download problems

Just copy/paste that into Opera or Firefox (ARE there any other real browsers?) and it should work fine with the %20 or any other % symbol where it replaces a url string character.

or browse

http://storage2.ricardonarvaja.com.ar/web/

browsing

/CURSO NUEVO
/TEORIAS NUMERADAS
/901-1000
and downloading the 977, but i use opera or firefox hehe, how Kayaker say and have no problem.

ricnar

A response from a source in Miami (Cuban extract) explained that 'dropeando' is Spanglish for the English word 'dropping'. It's one of those curious combinations that evolve when people speak two languages. The same person gave the following example:

Instead of saying "I'm dropping my daughter off at school," they say "estoy 'dropeando' mi hija en la escuela."

I have the same problem Ricardo. I speak Scottish. The rest of the English speaking world has ruined the language to the point no one can understand it.

Here's the official Micro$oft usage:

DROP DATABASE (Transact-SQL)

Removes one or more databases or database snapshots from an instance of SQL Server.

In the same article, they say:

Dropping a database deletes the database from an instance of SQL Server and deletes the physical disk files used by the database.

I can't find any reference to 'drop' in a Spanish dictionary, so the person from Miami must be right. The English verb 'drop' has been combined with the Spanish ending 'eando'.

No need for you to apologize. I have learned a bit of Spanish, and some SQL too.

I have tried on two of the latest versions of Firefox and Opera. Neither will accept the %20. In fact, Opera has a feature where you can highlight the URL, right click and select 'go to URL'. It wont work with the %20 in there.

Admittedly, I have other software that 'might' interfere, like Proxomitron, although it's used only as a proxy on Opera. Firefox is connected directly to the net. I still use proxomitron because it has a handy kill feature for sites that annoy me.

The point is 'dude', it's not working on mine, and it 'might' not be working on someone else's machine. Rather than having someone give up and miss out on Ricardo's tutorials, I pointed out a solution.

Remember, 'Teach, not flame'. (I know, I know...you were only kidding).

that's how I got your tutorials first time Ricardo, and it's probably the best way. You have a nice site with lots of good articles. The only thing missing is a nice photo of Gabriella Sabatini.

hehe, yes we use verboise forms of english words

SWITCH -SWITCHEANDO (switch-switching) is the most known spanglish word, i have no problem with go to url and copy paste the link, i use opera in ubuntu, maybe a configuration was changed, look in TOOLS-PREFERENCES-NETWORK
i have marked ENCODE THE INTERNATIONAL WEB ADDRESSES and the two marks ENABLE REFERRER LOGGING and ENABLE AUTOMATIC REDIRECTION the three options are marked try this, maybe have unchecked one of this marks.

ricnar

Kayaker "kidding"??? Oh the shame of it! I thought that was my job!!

I know lots of people hate IE, but I don't have a bit of problem downloading Ricardo's materials using:

http://storage2.ricardonarvaja.com.ar/web/CURSO%20NUEVO/TEORIAS%20NUMERADAS/901-1000/977-PAIMEI-PARTE%207-CONTINUAMOS%20GRAFICANDO%20DESDE%20UN%20SCRIPT%20O%20SHELL%20DE%20PYTHON%20CON%20PAIMEI.rar

in IE 7+. Puts up the rar file for downloading almost instantly.

It might be something in your settings. I know it can't be because your Scottish (notice I didn't say "scotch," which is a drink :devil because I am also. There's actually a small town in Scotland after which my mother's family was named.

Regards,

dammit, JMI, I wish you hadn't suggested that. I went and tried it, and it works. Then I tried Firefox and Opera, and they now work too. I just booted the computer, maybe it has something to do with that, but I've been plagued with that problem for a long time, not only on this site.

What do I do now to wipe the egg off? Do I edit my remarks or leave them?

Oh...I wouldn't go that far. If you have ever followed the Scottish international soccer team, and taken in their kamikaze style of beating the best and losing to the worst, you will understand how incompetent we can be as a race. Ricardo doesn't have that problem with the Argentinian soccer teams.

On the other hand, there was James Clerk Maxwell, the Scottish mathematician/theoretical physicist, whose work received compliments from Einstein. When Maxwell was a young guy at school, his school mates called him 'daftie'. As you know, daft is a Scottish term for stupid, crazy or mad, whatever applies. I think any young kid being derided by his peers should read about Maxwell so he/she can see how stupid peer pressure can be.

Fair fa' your honest, sonsie face,
Great Chieftan o' the Puddin-race!

I have them all checked. I think the problem is in the proxy I use (Proxomitron). It may be a bit old. When I started using it, I was having trouble with clicking on a site and having many pop-up windows created. Prox killed those and was configurable for changing many aspects of html. Opera has its own pop-up blocker but I find it doesn't work as well as Prox. There is a feature to bypass Prox if I want to, but maybe it is interfering somehow, even when it's switched off.

I don't run Firefox through Prox, however, and it is affected in the same way. I should say, it was affected. All my browsers seem to work after a fresh boot.

ah well, perfect.

ricnar

Not yet perfect, Ricardo.

I am still following your tutorial. I have installed PaiMei, Python 2.4, MySQL server and all the other modules. Now I am at the command line of Paimei and I type as follows:

Paimei 1.1-REV122>__setup_mysql.py localhost (user) (pass), where user 'root' and passwd is my password.

When I tried this several times before, I received an error that localhost was not recognized as an internal or external command. I don't understand why localhost was not recognized, but I just tried it now and received no error message. It went back to the prompt. Can I assume the database has been formed?

....later....answered my own question. When I loaded Paimei, and tried to connect to MySQL server, I got this error:

Failed connecting to MySQL server: unknown database 'paimei'.

More work to do. :-)

BTW...I was having trouble because I had the photos turned off in MS Word. We have a saying here that a picture is worth 1000 words. How true. I can follow your tutorial easily now. You have written a very good tutorial.

is neede permit conection throught firewall when you create the database.

You install the program mysql, in the form descripted by turorial? (without strict mode mark etc)?

use 127.0.01 not localhost probably you use proxy and this make more complicated the thing, you need look in a coomand line netstat -na and see if the service of my sql are listening for conection look the PID of the process, maybe the port is used and cannot use the same port or so.
The sql part is the more complicated part, i suggest you read a faq of the program mysql till the service are listening and wainting for conections and next use the script :setup my sql etcetc
ricnar

hehe ie firefox opera why not use start->run-> type "explorer copy paste" --> ok to get the file i normally do that most of the time may be i'm

sorry Ricardo...I wrote another reply but it seems I did not post it. (late at night).

Everything is OK. The file __setup_mysql.py was 0 bytes in size. I replaced it with the proper file. Paimei now gives the 'success' message when MySQL is loaded. It had nothing to do with localhost.

BTW...I did a 'ping localhost' and it found localhost OK. I read quite a bit of the MySQL manual. That's how I found __setup_mysql.py was corrupt. I tried to load it in a text editor and it would not load. :-)

well perfect is solved

ricnar

Hey blabberer...I'm afraid to ask.

What does start->run-> "explorer copy paste" do exactly? I'm afraid to try it in case it copies my entire system and tries to paste it back.

Yeah...thanks. Now I have to try the crackme to see how it works.

yipppeee dont worry it wont do anything like that
it will simply take the %20 embedded string you paste and fetch you the file
nothing more nothing less

verrrrry interrrrresting. thanks. The only downside is that you have to allow IE Explorer to get involved. I find that to be both intrusive and dangerous.

Did you realize you can highlight URL, right-click while in Opera, and choose 'go to URL' from drop-down menu?

http://ricardonarvaja.info/WEB/CURSO%20NUEVO/TEORIAS%20NUMERADAS/901-1000/981-PAIMEI-PARTE%208-HEAP%20TRACE%20CON%20PAIMEI.rar

ricnar

Thanks for the ongoing efforts Ricardo.

Regards,

Hey Ricardo....helppppp!!! I have been stuck at one part of your tutorial for a while now.

I have done the following steps and get these results:

-connect to mysqlserver in Paimei
-select ADD TARGET
-enter name of target = Crackme
-select crackme under 'available targets'
-right-click crackme and select 'Add Tag'
-enter name of tag = Filter
-right-click Filter and select 'Use for Stalking'
-load crackme in IDA
-load IDA Python plugin
-select all options
-select pida_dump.py
-generate crackme.exe.PIDA file
-back to Paimei...select 'Add Module(s) under PIDA modules
-select crackme.exe.PIDA and load it
-under 'Data Capture'...load crackme.exe
-deselect (uncheck) 'Restore BP', 'Heavy', and 'Unhandled'
-select 'Basic Blocks'
-select 'Start Stalking'

The crackme window comes up and the following appears:

PaiMei Process Stalker

Module by Pedram Amini

Using 'Filter' as stalking tag.

[!] You must load at least one PIDA file.

Loaded PIDA module 'crackme.exe' in 0.13 seconds.

Function coverage at 0%. Basic block coverage at 0%.

Stalking module crackme.exe

Loading 0x7c900000 \WINXP\System32\ntdll.dll

Loading 0x7c800000 \WINXP\System32\KERNEL32.DLL

Loading 0x77d40000 \WINXP\System32\USER32.DLL

Loading 0x77f10000 \WINXP\System32\GDI32.DLL

Loading 0x5d090000 \WINXP\System32\COMCTL32.DLL

Loading 0x77dd0000 \WINXP\System32\ADVAPI32.DLL

Loading 0x77e70000 \WINXP\System32\RPCRT4.DLL

Loading 0x763b0000 \WINXP\System32\COMDLG32.DLL

Loading 0x77f60000 \WINXP\System32\SHLWAPI.DLL

Loading 0x77c10000 \WINXP\System32\MSVCRT.DLL

Loading 0x7c9c0000 \WINXP\System32\SHELL32.DLL

Loading 0x773d0000 \WINXP\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\COMCTL32.DLL

That's it!!! There's nothing else.

I have moved the crackme window around, selected 'About', but nothing happens. According to your tutorial I should get other data. I have already found the code in IDA where the registration takes place, but that's not the point.


ps. I just noticed this:

Function coverage at 0%. Basic block coverage at 0%.

Any ideas?

I think I can help there because I had the same problem. You need to select Stop Stalking first and then the data will be written to the database. Then right click on your Tag (FILTER) and select Load Hits, which will load them from the database into the Data Exploration window.

I only figured that out because I have a full WAMP installation (apache/mysql/php) and I looked at the paimei mysql database with phpmyadmin. The "cc_hits" table was empty until I pressed Stop Stalking, then it was filled up.

Then when you set up the second REGISTER tag and want the register data (eax, ebx, etc.) recorded, select the checkboxes Heavy and/or Unhandled before starting stalking. Once again stop stalking to have the data written to the database and select Load Hits from the second tag.

it wasn't necesary for me , i make the same step, i write in tutorial, and from process stalker there are a video in the paimei page, and make exactly the same steps, but if you need more steps perfect.

http://pedram.redhive.com/PaiMei/docs/PAIMEIpstalker_flash_demo/index.html

ricnar

Hey Kayaker...thanks for tip. I tried all that but nothing seems to work. I was thinking about it more last night and I may have screwed up the installation. When I used 'install_requirements.py', I allowed it to download what it could not find. Unfortunately, I was not aware of the larger MySQL 5 server and installed MySQL-python.exe-1.2.1. I realized later that Ricardo was using the larger MySQl 5 server. There may be a conflict between the two MySQL servers.

Also, when I run __install_requirements.py again, it reports that it can't find Pydot, GraphViz, Oreas GDE, and UdrawGraph, even though they are installed in the Python24 sub-directory. I know Ricardo mentioned that and I think he was talking about a path problem. I have Python24 and Pamei under the same sub-directory, and the downloader from __install_requirements.py selects the Python24 directory automatically. So, it should know where to find them.

light goes on. I finally figured out what Ricardo was saying about the paths. I loaded __install_requirements.py in my text editor, and it is looking for certain installs in c:\program files. Problem is, I'm using C:\ for Win 98.
I guess these Unix/Linux guys need to learn about the windows %path% statement.

I just tried it again. When I hit 'Start Stalking', the crackme window comes up. I hit 'Stop Stalking', then went to 'Filter', right-clicked, and hit 'Load Hits'. I got this message:

Function coverage at 0%. Basic block coverage at 0%.

I'll keep looking, and if push comes to shove, I'll reload the install.

thanks for URL Ricardo. I have already followed the instructions exactly as in the demo. I will check my installation.

Enjoyed the demo Ricardo!

Regards,

Had myself confused on this one. The file MySQL-python.exe-1.2.1, is a required installation file. It is the Python interface to the MySQL server. For some reason, I thought it was a version of MySQL modified for Python, but PaiMei wont run without it. I uninstalled it, then re-installed it, but Paimei is still not running correctly. Back to the drawing board.

mmh...
0) download and install mysl5, python2.4, SF interface mysql->python, wxwidget2.8 for python 2.4, ctypes for 2.4, any of the graph server you prefer i.e. GDE. Make sure they are installed in '\program files\', or you need to edit scripts.
1) 'clean' your mysql.
2) in windows, edit my.ini, change sql_mode to -->sql-mode="MYSQL40"<-- and reboot, if linux np.
3) open your dos console in installation directory, and run __install_requirements.py, then __setup_mysql.py

if you messed with mysql, edit/alter within last script to make it work.

Maybe someone could make "Scottish" instructions for our venerable friend WaxfordSqueers! Sometimes we "older folks" need instructions with lots of pictures. Especially, if one have been "sipping" of the Scottish national nectar!

WaxfordSqueers:

There are also "packaged" programs which will install and set up MySQL, Apache, and PHP on your machine, such as XXAMP and WAMP5, which can take some of the guesswork out of setting up and connection to those components on a Window$ machine. Might be worth checking out. It's how many of us run vBulletin on our Local Machine for testing purposes. Snap to install and mostly auto-configures. Might need some tweeking for PaiMei. Haven't had time to try the install myself yet.

Maximus:

Thanks for your step-by-step for those who might be having trouble "figuring it out."

Regards.

That confirms my suspicion. When I ran __setup_mysql.py I got an error message something like

#1101 - BLOB/TEXT column 'eax_deref' can't have a default value

I figured it was because the CREATE_TABLE command in the script might have been developed for an earlier version of mysql. Since I wasn't about to downgrade my mysql 5 WAMP setup, I instead changed the problem lines in __setup_mysql.py to work properly:

Just change all the lines under 'CREATE TABLE cc_hits' which use a 'text' type from

eax_deref text NOT NULL default ' ',
to
eax_deref text NOT NULL,

and you can maintain mysql 5 compatibility without modifying the my.ini file.

What other reasons for the sql-mode="MYSQL40" edit?

See why we count on Kayaker to "get down" into the code to find solutions for "the rest of us."

Regards,

well, i'm not sure how/what MySQL can return if you strip the default values out. They should return an empty string, but I would rather avoid to check it by myself... too many times when dealing with variants i expected '0' and got 'null' to let things without an explicit default value (it should be checked if pedram makes implicit use of the default value).
that line simply forces a more 'tolerant' syntax in mysql (which is the default one enforced in linux mysql5 btw).

thanks for tips Maximus. I cleaned up __install_reqirements.py. As you said, everything points to c:\program files. I'm in the middle of re-installing the whole enchilada, so I'll look at other scripts too.

A fetish seems to have developed in Windows for putting everything in one drive under one directory in x:\program files\. That never made sense to me. I find it a lot easier to use several partitions of about 20 to 40 meg in size and I like to leave the base partition for the OS. I even have a small partition for the swap file, as in Linux.

Many authors assume windows will be on the c:\ drive. Not so. My XP install is on the D:\drive, and on a FAT32 partition. I have win98 on c:\. That way, I can use win98 to peek at XP and change certain things I can't change while XP is running. Of course, I maintain a large NTFS partition for files over 2 gig.

It's good to see the UNIX/Linux crowd and the Windows crowd communicating and working on projects that overlap both OS's. Or maybe it's just the Linux crowd feeling sorry for us Linux-challenged types. In this particular project, I'd like to see better use made of the %...% features, which are variables filled in by the system as to the actual paths used, rather than those assumed to be used. Even if I wanted to use c:\program files\, I couldn't, unless I could get a pipe to win98.

thanks for the tip on my.ini. I found it in the MySQl directory (on partition F:\ ) but there's no reference to sql-mode'. I'll check out your suggestion. Thanks again.

Och!! Awa ben the scullery. Maybe I should change my name to Waxford MacSqueers. I'm not a good representative of Scotland, in that I don't like haggis and I don't like Scotch. I put raisins and milk in my porridge, which would raise eyebrows (the big bushy eyebrows) of the highlanders, who dump their porridge in a drawer and hack pieces out as required.

I noted that Kayaker had done that, but for mere mortals like myself, it's enough to get MySQL5 setup and running on it's own.


I think it is easier to translate Spanish to English than it is to translate Unix to English. Kudos to Ricardo for translating Unix to Spanish.

Just came across this URL:
http://dev.mysql.com/doc/refman/5.0/en/server-sql-mode.html

it makes sense to me but would make more sense to you.

near bottom of page, it says:

MYSQL40

Equivalent to NO_FIELD_OPTIONS, HIGH_NOT_PRECEDENCE.

kayaket this error appear if you have checked STRICT MODE mark in instalation of mysql, if you uncheck this error doesn't appear.

http://paimei.openrce.org:8000/ticket/5

i remark for quit this mark, make a graphic and put a arrow to the mark, hehe, but nobody see my warnings, hehehe (joke)

ricnar

look in the page of the ticket description of the error

D:\paimei>__setup_mysql.py localhost paimei blahblahblah
Traceback (most recent call last):
File "D:\paimei\__setup_mysql.py", line 27, in ?
cursor.execute("""CREATE TABLE cc_hits (
File "C:\Python24\Lib\site-packages\MySQLdb\cursors.py", line 163, in execute
self.errorhandler(self, exc, value)
File "C:\Python24\Lib\site-packages\MySQLdb\connections.py", line 35, in defau
lterrorhandler
raise errorclass, errorvalue
_mysql_exceptions.OperationalError: (1101, "BLOB/TEXT column 'eax_deref' can't have a default value"

jeje similar

ricnar

For those who may be interested, you can view, and even download, Pedram Amini's presentation at RECON 2006 of PaiMei here:

http://www.archive.org/details/Pedram_Amini_PaiMei_and_the_Five_Finger_Exploding_Palm_RE_Techniques

The presentation includes the slides he used during his presentation.

Regards,

That clears things up. WAMP uses 'use strict;' by default in most of its mysql scripts. Doesn't seem to affect Paimei operation though beyond the table creation problem.

I'll check the code in the XXAMP install and report back later on my findings related to the "strict" mode usage, incase anyone is interested in trying the program with XXAMP.

Regards,

thanks for url, JMI. Pretty impressive what paimei is capable of doing. Helps to see it from the author's perspective.

I didn't quite get what Ricardo meant in his 1st paimei tutorial about filtering the GUI on the crackme. Basically, the crackme is a GUI, not much else. It seems with paimei, you can filter out the code used to run the GUI, by moving it around and hitting all the GUI controls except for the particular control you want to find. In this case, it's the registration option on a drop down menu. You create another filter for it, then paimei zeros in on that code by removing all the GUI code from the search. Later, you can graph it and see exactly where the code is executed and where you came from to get there.

One other thing that impressed me was the ability to call up a function, feed it random parameters based on the number of pushes, and see what it returns. If I'm reading that right, you should be able to take any mysterious function and analyze its usage. I realize I'm probably oversimplifying, but it would be cool to isolate on code like that and test it.

I think this is going to be a powerful tool....if I ever get it going.

Ricardo...is it possible fior you to post a copy of crackme.exe.pida?? I want to compare it to mine. I have tried everything to get Paimei talking to the database (mysql) but nothing works, I am beginning to think something is wrong with my pida file (no...not paedophile ).

I tried configuring mysql with strict mode and without it. I even entered the mode in my.ini so strict mode was off. I tried what Maximus said about setting mode to mysql40. No matter what I did, I still got the error about BLOB/TEXT column 'eax_deref'. I finally did what Kayaker suggested and editing the __setup_mysql,py file.

I have done several DUMP DATABASE operations, but nothing is being written to the database. The last error I got was:

Traceback (most recent call last):
File "modules\_PAIMEIpstalker\TargetsTreeCtrl.py", line 330, in on_right_click_popup_load_hits
File "modules\_PAIMEIpstalker\HitsListCtrl.py", line 132, in load_hits
File "modules\_PAIMEIpstalker\HitsListCtrl.py", line 64, in append_hits
File "F:\Paimei\Python24\Lib\site-packages\wx-2.6-msw-ansi\wx\_core.py", line 7447, in Yield
return _core_.Yield(*args, **kwargs)
wx._core.PyAssertionError: C++ assertion "wxAssertFailure" failed in ..\..\src\msw\app.cpp(684): wxYield called recursively

The wxAssertFailure seems to be related to a debugger, and possibly to 'yielding' to another process or message.

When I do the first Start Stalking, the crackme window comes up, then I move it around, and hit Stop Stalking. After that, whenever I hit Start Stalking, it goes right back to Stop Stalking. That is, it terminates itself. I'm getting no hits.

i suggest you clean all your instalation and start again, whan you have a bad instalation of my sql, is very complicated repair, clean all, and start again step by step how my tutorial show, and don put the mark in strict mode.

But clean all is remove all paimei folder all mysql, go to document and settings and clean all folders when my sql is installed, go to regostry and clean the entries of my sql, and all trace of this, and make sure you download the same packages than me in my tutorial (there a txt when the mysql package link to download).

And install all again from zero.

if you cannot clean, install vbox and put a image of xp inside, and install in the virtual machine, you can snapshot previous to the installation of paimei, and if fail you can restore to the initial state without traces, and try again.

strinct mode not need to be enabled plis, but if you install bad, is not possible repair at all, i go nuts repairing mysql for this reason, but when all is installed with the tutorial method from zero, in a clean instalation all go perfect.

A vbox or wmware image is a must today for crackers or people than investigate programs, all investigators need this.

ricnar

is the time for install XP in a vbox and make a snapshot of the clean instalation, and try the tutorials steps in a clean environment and if fail, return in seconds to a clean enviroment with one click.

You are trying in a corrupt environment by a week, i think is better try the things in this direction, better than continue trying in that corrupt state, when instalation of diferent versions of my sql, have made a mess.

ricnar

Extreme try:
uninstall totally MySQL, uninstall everything including phython.
Then take XAMPP at SF (http://sourceforge.net/project/showfiles.php?group_id=61776) and install it.
Edit the my.ini this way:

reboot and reinstall all. If it does not work, programs->accessories->system utilities->restore system configuation, and roll back BEFORE you installed mysql...

why don't install the packages of the tute? they are proved, other packages i can't be sure if work.

use vbox, this will be a new complete instalation and download mysql from here plis

http://mysql.localhost.net.ar/Downloads/MySQL-5.0/mysql-5.0.45-win32.zip

use this mysql in a clean instalation with no strict mode this work for all crackslatinos than try (more the 100 persons).

I cannot help with others different packages than i not try.

ricnar

uh, didnt know you had everything already packed and set up in your tutorial, ricardo :P

sure, that's better

Hi, Ricardo. I got all my packages from your tute. I was having difficulty translating the tute, however, but now I understand it better. I have already done a complete re-install of Paimei, Python24 and all the other packages. The only package I haven't replaced is MySQL 5.

I have played with the Mysql server for hours, trying to understand it. I am fairly sure it's working OK, but I will re-install it. It doesn't seem to matter whether Strict Mode is selected or not in the install, the errors that Kayaker mentioned appear for me in either case. That suggests to me that my problems may be related to my computer and the way it is setup. Then again, Kayaker had the same problem with a different MySQL setup.

Also, as you pointed out, the Paimei app, __install_requirements.py, is pointed at C:\Program Files, but it also misses packages that are in the Python Directory. It has never identified Pydot, for example, even though I pointed it at the Pydot directory. So, even though your tute is excellent, there are questions arising between your instructions and the Paimei instructions which lead to confusion. I suspect there is a problem with the wxPython package since I have seen similar errors to mine reported elswhere on the net. Maybe it's fixed in the Python 2.5 version of wxPython.

There is a question regarding the version of Python 2.4. You seem to be using Python 2.5, but you claim it works OK. Maybe I'll try Python 2.5

There is a slight discrepancy between your install and that of Paimei. They instruct to install mysql-Python but don't say anything about the server. Your instructions mention the server, MySQL 5, but you are not clear on MySQL-Python. I'll read your tute again. Thanks.

thanks for input Maximus. I have noted your suggestions, but I will try once more to re-install according to Ricardo's tute. If that doesn't work, I'll certainly try your method.

BTW...in his reply to you, Kayaker asked about the significance of setting the mode to MYSQL40. I'm curious about that myself.

We Scots are nothing if not "stubborn and determined" to make "the damned thing work" the way it's supposed to work!

Otherwise we give it a good bash with something hard, just to "pursuade it" a little.

Oh, and the MySQL40 instruction is symply the way to tell MySQL5 not to run in "strict-mode", which MySQL 5 does by default. See for example:

http://www.activecollab.com/support/?pg=kb.page&id=18

which is about a different program, but describes the problem with a program which won't work in strict-mode and how to force MySQL 5 to not use that "mode." There are still alot of programs which choke on "strict-mode" in MySQL 5.

Regards,

Yup, those were the error msgs I got too. They aren't really errors per se but just stderr output of a .py script trying to access mysql database info that isn't there. (But you already knew that)

There is one indicative sign you should see when you press Stop Stalking. Paimei will tell you in its window that it successfully wrote to the mysql db. You can probably see that step and the msg text in the video tutorial.

So, if you don't see that msg when you press Stop Stalking, it ain't working.

Does Paimei make the connection to mysql OK to start with? (You should see an "OK" msg in the status bar if it does).

Has the database named 'paimei' from the CREATE_TABLE routine in setup.py actually been created? A folder named that should exist somewhere, probably under /mysql/data.

I'd hit it with a haggis but it would take too long to clean it up.

thanks for tip, JMI. I suspected that but wasn't sure.

I don't see that.

yes...I have confirmed the creation and deletion of the paimei database several times. You are right, the paimei database is in MySQL5\data. I looked at the tables with the command line and they are all intact. They just don't have data in them.

mi tutorial have a image with a red arrow, when install my sql and when scrict mode is selected, if you dont have this option, don have the same mysql than me.

I install in python 2.4, pydbg don work in 2.5 at all, for this reason i install in python 2.4 all programs of the suite.

Why don't put a vbox if you work in cracking hacking security, need try the programs in a controled environment.

There are no errors, with the programs installed in the suite all for python 2.4 you have paimei working, if you make in a clean machine and looking the images of the tutorial, the red arrow to sctrict mode is in a image (not need be translated at all)

ricnar

here attached is the image from the tutorial, when the option for strict mode is enabled disabled .

ricnar

yeah...I saw the red arrow, Ricardo. Thanks. I was trying to explain that I tried with and without Strict Mode, but it made no difference. I even defeated Strict Mode in my.ini.


I might try that later. I have a headache from trying to install Paimei.

I uninstalled everything. I will try again while following your script exactly.

BTW...in your tute, you say:

Y el otro que debo copiar es el archivo plw que esta dentro de la carpeta plugins del OLLYPYTHON a la carpeta plugins dentro de la instalación del ida.

Should that be IDAPYTHON instead of OLLYPYTHON?

yes is a mistake sorry

ricnar

the mark strict mode made no difference when you have a bad previous instalation, in a clean instalation make a diference between a bad and a good first instalation, and when i install with strict mode enabled i go crazy to repair all, this is the point you are, a bad instalation, and no is easy repair.

For this point, i suggest you use the vbox, make a clean install, of xp, a snapshot of a clean instalation, and try step by step with the packages of the tut and you will see the light, jeje.

ricnar

and in a clean instalation of xp use

http://www.python.org/ftp/python/2.4.4/python-2.4.4.msi

the original package of python 2.4

ricnar

I've been on this Earth too long now to start seeing the light.

thanks for all your help, Ricardo. I appreciate the time you put into your tutes and the time you have spent helping me.

i make other new image of XP in vbox different than the previous when install and make the tutorial.

I make a snapshot of the clean instalation, and will try step by step install in the tutorial mode with the packages of the tutorial, if fail i return to the snapshot.
When i end installing paimei, i tell you if there are any difference or use other package different from the packages of the tutorial.

ricnar

I would not go to all that trouble, Ricardo. It's probably something to do with my system.

You have all the truth, if you install all with the script of the paimei package, end in this error without solution, i think i download all the packages from here

http://pedram.openrce.org/PaiMei/docs/installation.html

and installing only using the script for checking, i'm trying a new method of instalation without problem and next i fix the tutorial with the solution thanks.
sorry and thanks
ricnar

Ricardo...I have completely rebuilt my installation and still get the same error. I have installed by the method of the URL above (openrce) and using your method.

I don't think 'Strict Mode' is the problem. I think Kayaker was right...the __setup_mysql.py script has errors. I will check it more tomorrow...I'm too tired right now. Also, there may be errors in my pida file.

When I installed mysql 5, I made sure the 'Strict Mode' box was NOT checked (ticked). I checked the my.ini file and nothing appears in it for Strict Mode. I also tried what Maximus said, adding the MYSQL mode to my.ini. Nothing makes a difference.

Either the mysql server can't understand the pida file data or the database tables are not being written properly. I'm going to play with the __setup_mysql.py script tommorow. I might try the InnoDB engine or enter it line by line at the command line.

read my previos post i tell the same, i try in a clean xp instalation and don't work, the only posibility is i download from the links of the updated packages and only use the script for test, i continue investigating.

ricnar

i upload the database paimei created sucessfully when i make the tut here

http://rapidshare.com/files/84277782/paimei.rar.html

you need create the databse with the script with user:root pass:root and when the error appear go to data and replace the folder with the paimei folder.

I start paimei and conect sucessfully, i don try all the tutorial but you can try

ricnar

well if you don't use user:root pass:root in the instalation of mysql, unistall mysql delete the paimei folder and reinstall, with user:root and pass:root, and when you use the script for the creation of database

setup mysql localhost root root

and show the error

go and replace with the good database i upload to rapidshare and paimei connect perfect to mysql.

ricnar

Thanks for working so long and hard at it Ricardo!

Regards,

i use this good database in the rapidshare link above in the bad installation, replacing the folder paimei and can make the tutorial of process stalking complete without problems.

ricnar

i should really redownload this paimei again and play with this at least just to say a thanks to you Ricardo

kudos for being hard nosed

here all the notes of the instalation from a clean XP (empty)

1)Check internet connection and disable windows firewall

2)install winrar from
<sorry, you'll have to find it yourself>

3)uncompress and copy the folder PaiMei-1.1-REV122 to C:\

4)Download python 2.4 from
http://www.python.org/ftp/python/2.4.4/python-2.4.4.msi
and install in
C:\Python24\

5)download IDA 5.2 from
<sorry, you'll have to find it yourself>
y instalar en
C:\Archivos de programa\IDA

6)Copy folder python from ollypython to the folder of IDA
C:\Archivos de programa\IDA

7)Copy python.plw fron IDAPYTHON plugins folder to
C:\Archivos de programa\IDA\plugins

8)Run the script and accept all with Y, change the graphviz instalation to
c:\program files\graphviz
ugraph instalation to
c:\program files\udraw(graph)
and govisual to
c:\program files\govisual diagram editor

When this all is installed and detected only pydot fail

C:\PaiMei-1.1-REV122>__install_requirements.py
looking for ctypes ... FOUND
looking for pydot ... NOT FOUND
looking for wxPython ... FOUND
looking for MySQLdb ... FOUND
looking for GraphViz in default directory ... FOUND
looking for Oreas GDE in default directory ... FOUND
looking for uDraw(Graph) in default directory ... FOUND
looking for PaiMei -> PyDbg ... FOUND
looking for PaiMei -> PIDA ... FOUND
looking for PaiMei -> pGRAPH ... FOUND
looking for PaiMei -> Utilities ... FOUND

9)go for pydot to

http://dkbza.org/pydot.html

pyparsing is needed, download from

http://ufpr.dl.sourceforge.net/sourceforge/pyparsing/pyparsing-1.4.8.win32.exe

and install

download pydot from
http://pydot.googlecode.com/files/pydot-0.9.10.tar.gz

extract and copy the three py files of pydot to
C:\Python24\Lib

try in a python shell

>>> import pydot
>>>

and works


C:\PaiMei-1.1-REV122>__install_requirements.py
looking for ctypes ... FOUND
looking for pydot ... FOUND
looking for wxPython ... FOUND
looking for MySQLdb ... FOUND
looking for GraphViz in default directory ... FOUND
looking for Oreas GDE in default directory ... FOUND
looking for uDraw(Graph) in default directory ... FOUND
looking for PaiMei -> PyDbg ... FOUND
looking for PaiMei -> PIDA ... FOUND
looking for PaiMei -> pGRAPH ... FOUND
looking for PaiMei -> Utilities ... FOUND

Now all is detected perfect

10) download mysql from
http://mysql.localhost.net.ar/Downloads/MySQL-5.0/mysql-5.0.45-win32.zip
and install with the tutorial options especially NO STRICT MODE with user:root pass:root

The table fail when created
C:\PaiMei-1.1-REV122\__setup_mysql.py:27: Warning: BLOB/TEXT column 'eax_deref'
can't have a default value
cursor.execute("""CREATE TABLE cc_hits (
C:\PaiMei-1.1-REV122\__setup_mysql.py:27: Warning: BLOB/TEXT column 'ebx_deref'
can't have a default value
cursor.execute("""CREATE TABLE cc_hits (
C:\PaiMei-1.1-REV122\__setup_mysql.py:27: Warning: BLOB/TEXT column 'ecx_deref'
can't have a default value
cursor.execute("""CREATE TABLE cc_hits (
C:\PaiMei-1.1-REV122\__setup_mysql.py:27: Warning: BLOB/TEXT column 'edx_deref'

Replace the folder paimei in folder data of mysql instalation with the good database I uploaded to rapidshare.

it works perfectly!

ricnar

Sorry for having to clean up the links in your last post a bit Ricardo (for us to avoid getting into trouble).

Btw, will you really need your uploaded database for it to work? That Rapidshare download will disappear sooner or later, and I assume you created that file from scratch yourself too, so it shouldn't really be needed to get it to work, right? I assume everything needed to do that is in the tutorial though, isn't it?

dELTA:

If you have been following closely, part of what Ricardo is doing is trying to "fix" problems for people who might have attempted the installation and gotten a "bad" database configuration, which would not respond to what seemed like "normal" efforts to correct the problem.

WaxfordSqueers was one individual who was have problems attempting to "start over" and was reporting still not being able to get his database to work, even though he attempted to delete and re-install nearly everything or everything.

Ricardo then found another solution for "that" anomoly, which was to replace the database with the one in his "rar" file. I believe the specific problem with failure of attempts to "re-install" has not yet been solved without the use of Ricardo's database from the rar file.

Ricardo then advised installing PaiMei in a "clean" XP virtual disc and wrote this tutorial on how to make sure it would work. To avoid "any" possible issues, he added a database he "knew" would work to the rar file, hopefully eliminating "any" and, hopefully "all" problems.

At least that's what I have concluded so far from the "whole" Thread.

Regards,

yes sorry only i append here my notes of the step by step instalation (i don't see the winrar and ida links sorry)
The rapidshare file, was included with the tutorial.

http://www.ricardonarvaja.info/WEB/CURSO%20NUEVO/TEORIAS%20NUMERADAS/901-1000/958-PAIMEI-PARTE%201%20INSTALACION..rar

if any reader of the tutorial have problem, i add the rar file with a little txt of explanation of the problem and how correct replacing the database.

ricnar

We understand Ricardo. We know you weren't trying to create a problem.

We just have to remove links to commercial applications to avoid any problems. Sometimes these things slip in and we have to "fix" them.

No Problemo!

Regards,

Ricardo...I have some good news and some bad news. paimei is working now but it was not your database that got it working.

I compared your database to mine, using Hexworks, and they were virtually the same. The only differences were minor as in:

cc_hits.myi were different at offsets 6E,6F,95,96 and 97
cc_tags.myi were different at offsets 6E,6F,95,96 and 97
cc_targets.myi were different at offsets 6E,6F,95,96,97, A5, A6 and A7

Every other database file was the same.

The filesizes of our databases are almost the same, but the loaded databases are much larger.

I tried your database in paimei and it did not work. Then a light came on (an idea). Why not try minesweeper, as in the paimei demo. I would have tried it earlier but I did not have it loaded in XP.

I ran minesweeper through IDA, ran IDA-Python and got my pida file. Set that up in paimei and it worked fine. I got all the hits I can use.

So...it seems the problem is in the crackme GUI. It seems to have been created using a compiler mode that creates DOS-box windows. It doesn't seem to be a proper GUI in the sense that it might have been created under a special template.

The reason I think that is because I tried another app I'm working on. I have another thread going about an app that uses IPC server/client calls, and it wont run under paimei. I'd like to know why...maybe it has code to detect paimei as a debugger. It doesn't detect sice because I'm using IceExt to hide it.

how do you repair ? do you not tell me what was the problem and how was solved? I try installing the program and reach the same point of you, and copying the database can make my paimei work and can start stalking perfect and make all the tutorial without problem, tomorrow i try with minesweeper.

ricnar

BTW, Ricardo, I got the crackme.exe from your tutorial #2. There was no crackme.exe in tutorial #1. At least, that's the way it was in the tutorials I have.

Ricardo:

I'll get back to you later.

WaxfordSqueers:

If you use the button on the far right, which looks like a letter with a down arrow on it, it will open the Reply window without quoting the text of the message your are responding too. Saves both time and room in the database, unless there is actually something in the previous post you feel the need to quote.

[Edit] Looking at your post more closely, after I deleted the quote, I realized I hadn't noticed you had two posts in a row and that may be why you "quoted" the previous post by Ricardo. I hope I fixed that oversite, by putting Ricardo's name at the top of the second post.

Regards,

I've tried to edit my replies so as to minimize the room required. I notice many people are very terse. Whereas I'm not into verbal diarrhea, it irks me when people are overly terse, especially in manuals. I realize there are language differences between users and that probably accounts for much of it. If I'm rambling too much for the database space available, please say so.



I have an explanation. I had a window from a partially crashed app obliterating the middle of the screen. I had to leave right at that moment and wanted to tell Ricardo I would reply later, so I requoted part of his message, while working around the crashed window. Thanks for adding the reference.

Hi Ricardo...actually, I have not solved the problem yet. Paimei does work with minesweeper, but it does not work with the crackme. I am theorizing that the crackme is created as a DOS-box (console) GUI. There is a template for that in one of the C++ compilers. Maybe there is a problem between that kind of GUI and Paimei on my system.

I understand that the crackme worked for you, but even with your database, it did not work for me. I would like to exchange the crackme.exe.pida files with you to see if yours works on mine and vice-versa. Also, I would like to learn more about the pida format. I read that it is compressed.

why do you continue with the next tutorials?

process stalking is only a minimum part of paimei, and is not used in any tutorial only in the 1, for demostration.

maybe in the next version of paimei 2 process stalking is improved and you can use perfect.

i thinks you have a SPECIAL item in your machine (antivirus or service) than make the program fail, you cannt probe in a vbox in a clear environment, we cannot know, but there are any than interfere with the program.

Well i think you can continue with the next parts, process stalking is a minimum part of paimei, and the rest work perfect and don use mysql.

ricnar

You misunderstood. I did not go past tutorial #1. You talked about cruehead's crackme in tute #1 but I could not find the crackme in Tute #1. So, I looked for it and found it in tute #2.

I mentioned that only because you might have used a different version of the crackme in tute #2. Maybe it was altered and I was using the wrong crackme.

that's possible. I am still checking and testing. But...why would minesweeper work OK in my system, and not the other programs?

Maybe some service is hooking and intercepting some apis used by the crackme, and not used in minesweeper, hehe.

ricnar

the part 2 have the original crackme

this is the link to the original in my web if you want compare

http://www.ricardonarvaja.info/WEB/CURSO%20VIEJO/PROGRAMAS%20CURSO%20VIEJO/01-Crackme.zip

ricnar

Hey Ricardo. I compared this file to the one I have using the 'compare' feature in Hexworks. The files are the same.

I need to look more closely at what is happening. The crackme is a small file. I'll compare the pida files to minesweeper and see if anything is obvious.

I tried another app last night, and it loads OK in Paimei, but there are no hits. Something is wrong.

well perfect.

ricnar

Och man! Just give the damn thing a wee tap with your crudgel! That'll teach the sodden bugger a thing or two.

Let's have another pint, maybe something from Wellpark Brewery or a good Scottish Ales! Probably just need a wee bit o' drink after all that heavy thinking.

Regards,

JMI: Just give the damn thing a wee tap with your crudgel! That'll teach the sodden bugger a thing or two.

JMI: Let's have another pint, maybe something from Wellpark Brewery or a good Scottish Ales!

Crudgel...that's a new one on me. I've heard of a Glasgow Kiss. Anyway...don't forget a pint of McKewans. Last one I had was in a small Scottish pub...delixious.

Ricardo...I think I have found the problem.

In Paimei, we are working in the 'PAIMEIpstalker' window. Go to the 'PAIMEIexplore' window. In the middle window, select 'Add Module'. Select a 'pida' file and load it. It will appear in the top, middle window. Double-click the loaded pida module, and it will appear in the bottom, middle window. Expand it by hitting the '+', and you will see all the functions it loaded.

Here's where the problem happens on my system. If I expand the winemine module, for minesweeper, and select a function, it shows the code (disassembly) for that function in the 'Disassembly' window. If I do the same with crackme.exe.pida, it only lists the function name in the 'Diassembly' window, bit there is no code.

I tried the same thing with the other apps that wont work in Paimei, and there's no code there either. Only the minesweeper PIDA file shows code, and it's the only app, so far, that works.

Hmmmmm!!

Starting to sound like your pida file is corrupt maybe. If I do as you wrote (which I hadn't even discovered yet), I DO see the disassembly for the crackme in paimeiExplore. Tried regenerating it or using a different version of IDA?

WaxfordSqueers:

Sorry to have confused you with my misspelling of Crudgel (which I spelled Crudgle). Maybe this will help:

The Cudgel
The cudgel was basically a specialized club used as an instrument of punishment or as a weapon. Cudgels were generally shorter than Quarterstaffs with a weighted, rounded end.

In other words, something perfectly suited for "bashing" objects which refuse to co-operate and behave as they are supposed to.

Regards,

JMI: re crudgel..or whatever. They have some brutal games in Ireland and Scotland, like shinty or hurling, and played with the same kind of club. It's like a grass hockey stick. I think the rules are basically that you can't play till you've been in the local pub for several hours and had so many pints. It's said those games are the forerunners of modern ice hockey. That makes sense.

http://en.wikipedia.org/wiki/Shinty

Trying to keep this thread alive. I have added another app to the list of success with Paimei. It loaded Notepad. That's Msoft 2, rest of appdom 0.

Why? If there's something wrong in my system, why does it work with Notepad and Minesweeper? I fixed a problem in the PIDA generation on my system but nothing much has changed. Mind you, the other two apps are not exactly straight apps. One is written in Delphi and the other uses IPC, COM and other nasty contrivances.

I have been working on some other Python stuff. The loader for Paimei is PAIMEIconsole.pyw, I think it's Ok to mention Python here, since it's open source. So is Paimei. Anyway, it's possible to load Paimei as a standard app in a Windows debugger using the standard BMSG hwnd wm_command.

In the python directory, there are two versions of python: python the command line app, and pythonw the windows interface. When the breakpoint hits, it breaks in one of the wxPython modules, which makes sense since it's called from a GUI. Soon, the code leads to pythonw then into python itself.

Python is pretty well just a wrapper that calls python24.dll, where all the goodies are to be found. I am hoping to find out where Paimei is stalling on the bad apps. First, I needed to get myself some nms files. I was hoping there was a python24.pdb file, and there is one, but I can't find it on the net. So far I've made my own nms files for python, pythonw and python24.dll. More soon.

As a side note, if you want to use python25 instead of python24 you can do it by updating pydbg/pydasm.pyd (python wrapper for libdasm disassembler), either by recompiling it, using the recompiled version provided at this link, or hexediting the .pyd file to look for python25.dll instead.

See here:

http://therning.org/magnus/archives/278

if your system have a problem, use a wmware or vbox and have a clean state, your state of machine is a exception, not a rule, if you have a corrupt SO, cannot be able to run nothing without problems.

ricnar

thanks for heads up and URL Kayaker. I know Ricardo has Python25 loaded, as well as python24, and I'm wondering if it might make a difference. I read on a python site that different version will co-exist, as long as py files, etc., are only pointed at the one.

I plan to load paimei in THE debugger and see exactly where it is failing.

I understand, Ricardo. I want to understand why it fails.

If Paimei works perfectly with two apps, then why would a corrupt installation be the problem? The problem for me is that I do not understand how Paimei and/or Python work. Python is called a 'scripting' language, but scripts do not run a processor. We have a saying in English, 'under the hood'. It refers to where the engine is found in a car. The hood is the hinged door that lifts to reveal the engine. That's what I am doing...looking under the hood.

It turns out that Python interprets the scripts, so it is no different than C or C++ with their compiler. Also, I worked with the Basic language at one time and I am familiar with interpretive languages. Python.exe and Pythonw.exe, along with python24.dll are interpreting the scripts, and they are PE files. We should be able to use 'Our Tools' to understand what is going wrong. Theoretically!!

I am happy that you went to so much trouble to help introduce us to Paimei. It has many possibilities. Now we need to understand it and how it works. I think we should study paimei more closely...under the hood.

BTW...I uninstalled my firewall, and the problem is still there. I had gmer loaded, an anti-rootkit app. I uninstalled it too. No luck. I have stripped my XP SP2 system back to a basic SP2 install. No more Microsoft hacks for me. My anit-virus is old and very basic. I don't want the newer types with their monitors and junk. Anything I download, I scan myself. I am behind a router firewall and a good software firewall, and I check regularly for rootkits, etc. My system is simple and clean.

Paimei is new, and I'm sure it has not been tested on all applications. I am interested in Paimei because I am having trouble with the app that uses IPC calls. Paimei cannot even load the app, and I don't think it is my system that is causing the problem. If it was my system, the IPC app would not run correctly, but it runs normally.

If I go to VMWare, and I have more trouble, I wont be able to understand how to fix Paimei problems. Softice and Olly have been well documented. There is hardly anything on the net about Paimei. The only way to understand it is to fix it.

well perfect good luck hehehe.;-)

ricnar

Here is an English manual on the Process Stalker / pStalker, PaiMei module, which has not been mentioned in this thread before I think:

http://pedram.redhive.com/process_stalking_manual

and full API docs:

http://pedram.redhive.com/process_stalking_manual/ps_api_docs


More info on Process Stalker can be found in the CRCETL:

http://www.woodmann.com/collaborative/tools/Process_Stalker

And there's of course also an entry for PaiMei itself:

http://www.woodmann.com/collaborative/tools/PaiMei


Oh, and WaxfordSqueers, what happened to your investigation? Did you ever get it to work right, or understand why it didn't?

Hi Delta...thanks for post on P-Stalker.

I don't know what to say about PaiMei. I will revisit it again, but my experiences on more difficult apps were not good. I contacted the author, giving him generated error messages and he either didn't want to know, or he actually didn't know what to make of them. He didn't even reply to my last query.

If it had not been for Ricardo, I would have given up on the app long ago. I stripped my system back to bare bones and it runs sice perfectly on XP SP2. I think that's a decent test of my system right there. Sice is so finicky with interfering drivers, but I can load difficult apps in it and trace them through ring 0 with total stability. Also, I went over my system with several different rootkit detectors to make sure something wasn't lurking in the background.

So, what's up with PaiMei? I can't even get it to run a simple crackme that is nothing more than a GUI shell. It chokes on an app using an IPC server/client and it can't run an app written in Delphi. Yet it can run Notepad and Minesweeper normally. That just doesn't make sense. If there is a driver interfering, it should do it with Notepad and Minesweeper as well.

I am not so arrogant as to assume there is not something wrong on my system, but why am I having so much difficulty with just one app? There is no other app that wont run on my system.

Anyway, I went back to good, old sice for the IPC app and I'm making more headway with it. I also revisited DeDe for the Delphi app, having forgotten how well da-fixer's tool worked on Delphi. Between it and sice, I isolated the problem quickly.

I haven't given up on PaiMei. I have plans to use sice on it and I was preparing nms files for that. It's just not a priority right now. I will eventually trace it with sice to see where it is choking.

You don't have problems with all PAIMEI, only with process stalker module ( a very decorative independent module)

This is the 1% of the package of paimei, and is rarely used, the suite of debugging pydbg, pygraph, pida and others are really the used part.

process stalker is NOT paimei, is only a independent module very rarely used, and don't affect the other modules.

I think is the same than say softice don't work, for the reason you can use the DOS module of softice in XP, who use really this feature?

And i continue thinkin softice or a service against softice make the mess in your machine, but is not important, you stuck only in a decorative part (process stalker) and don't use the really important part of paimei.

ricnar

great lord! alongside of your impressive tutorials you have vastly improved your
english vocabulary too
one fine day i hope i would see an excellent english tutorial from you :thumbsup:

thanks Ricardo. I was interested in process stalker features for an app I was investigating and I did not look at the entire package. I would still like to understand why P-Stalker doesn't work for me. I'll get back to it sometime because the ability to isolate the code that interests you is a valuable asset.

i put in my web the last paimei of the svn have many improvements and fixes from the downloadable version (by example hardware breakpoints are fixed in this package, and in the downloadable version have a bug), and have other bugs resolved.

http://ricardonarvaja.info/WEB/OTROS/HERRAMIENTAS/L-M-N-O-P/PAIMEI%20SVN%2015-02-2008.rar

this is the list of fixes

http://code.google.com/p/paimei/source/list

this version is the complete and workable folder of paimei, have no installers, make a copy of the old folder and replace for this.

Next in the folder python24-Lib-sitepackages replace the folder with problems with the same folder in this pack, by example for the hardware breakpoint problem i replace the pydbg folder in site packages for the new pydbg folder in this package and the problem are fixed.

using this folder for start paimei and replacing the old folders in sitepackages, i think there are more than 200 fixes repaired and we can use the more new package for have paimei working better.

ricnar

a friend who is using paimei, making a script, have this strange experience.

The script of paimei work perfect, but while OLLYDBG is open, don't work.

is very strange, i think maybe the same problem conflicting with softice or other debuggers can be possible, anyone have this problem with ollydbg and paimei?

ricnar

Hi Ricnar:

One thing to watch out is the plug-ins for OllyDbg. Some of them are quite invasive and inconsiderate, hooking a lot of low level debug functions in the windows system (I won't mention names).
I suggest your friend running a fresh Olly download with no plug-ins and see what happens.

yes is a plugin thing, if my friend run ollydbg without plugins, the script of paimei work perfect, thanks.

ricnar

Hey Ricardo. When I try to use __install_requirements.py, I get an error that the installer is not found. That seems to happen because there is no installer in Paimei\installers. In an older version of Paimei, there is a file in there called PaiMei-1.1.win32.exe, which claims to install Paimei.

I copied that file over to the new Paimei installers directory, but it seems to be loading older files for pgraph, pida and utils in the Python24 site-requirements subdir. I'm thinking of just copying those directories directly from the new installation. What do you think?

Do you read my previous post?

copy the new folder to paimei folder, and copy the folders of pydbg, pida, etc from this new folder to python24-Lib-site packages, here are the installed folders and copying the new folders over the old folders, paimei use the new libs. ( i put the hardware breakpoint example, i replace the pydbg folder in site packages and is solved)

paimei use the paimei folder and the libs in site packages, replacing all, you don't need installers.

ricnar

I guess not. I got to the URL and never read past that point. Sorry.

Anyway, it's still not working on the crackme but I have made some progress. I actually got one hit and 1 export to mysql.

I keep getting hung up at the loading of comctl32.dll, which is located in the SxS directory of windows, although notepad and minesweeper have no problem there. I made a pida file for comctl32.dll but paimei wanted to set 30,000+ breakpoints in it and the system bogged down. When I unloaded comtl32.dll.pida, and restarted, I got the debugger hit in ntdll.dll.

I started checking out the SxS directory and it can be a nightmare. Msoft uses it to augment the system32 directory, keeping spare copies of different versions of a file for programs that need them. The version of comctl32.dll in the SxS directory is used frequently, but paimei sometimes gets hung up looking for copies in the system32 directory. It gave an error that it could not find the signature for that file in system32.

I have read stories about people having problems with the SxS directory. Visual C 7.0 was having problems finding windows system files in SxS. Apparently it is sometimes necessary to write a manifest file to direct certain apps to the right version of the system file they require.

Hmm, that reminds me of this thread WaxfordSqueers:

http://www.woodmann.com/forum/showthread.php?t=10191

Maybe it could indeed be the main culprit of all these strange PaiMei problems of yours?

thanks Delta. It seems to be related.

Here's a blurb from Msoft from the link ( http://msdn2.microsoft.com/en-us/library/ms997638.aspx ) provided by Blabberer in your url above:

"We fully realize that the new ComCtl32 has the potential to break some applications. To prevent this, ComCtl32 version 6 is installed as a shared assembly, side-by-side with ComCtl32 version 5, which is installed in the System32 directory. The new DLL is only available to applications that provide a manifest telling the operating system that they work with the new DLL. If they do not provide a manifest, existing applications continue to use ComCtl32 version 5. Versions 5 and 6 both ship with Windows XP and are installed side-by-side. We'll talk more about manifests in the next section."

Here's what's happening in my version of Paimei:

PaiMei Process Stalker

Module by Pedram Amini

Using 'gui' as stalking tag.

Loaded PIDA module 'crackme.exe' in 0.08 seconds.

Function coverage at 0%. Basic block coverage at 0%.

Stalking module crackme.exe

Loading 0x7c900000 \WINXP\System32\ntdll.dll

Loading 0x7c800000 \WINXP\System32\KERNEL32.DLL

Loading 0x77d40000 \WINXP\System32\USER32.DLL

Loading 0x77f10000 \WINXP\System32\GDI32.DLL

Loading 0x5d090000 \WINXP\System32\COMCTL32.DLL

Loading 0x77dd0000 \WINXP\System32\ADVAPI32.DLL

Loading 0x77e70000 \WINXP\System32\RPCRT4.DLL

Loading 0x763b0000 \WINXP\System32\COMDLG32.DLL

Loading 0x77f60000 \WINXP\System32\SHLWAPI.DLL

Loading 0x77c10000 \WINXP\System32\MSVCRT.DLL

Loading 0x7c9c0000 \WINXP\System32\SHELL32.DLL

Loading 0x773d0000 \WINXP\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\COMCTL32.DLL

The crackme freezes at the second 'loading' of comctl32.dll from the SxS directory (ver 6.0.2900.2180). Note that it loaded one already from Winxp\System32(ver 5.82.2900.2180). Alternately, it does not freeze on Microsoft products like Notepad or Minesweeper. I'll have to investigate further but any comments would be appreciated.

Msoft claims the SxS version is only available to apps that use a manifest. So much for Msoft's theories. It's obvious that something is accessing both versions of comctl32.dll and the crackme doesn't have a manifest.

From what I have read via Google, many people are experiencing the same problem. It would be nice to add a line of code to a Python script so the freeze point would be indicated, but that's way over my head at this time.

Good hanging in there. Looks like you are getting to the bottom of the issue.

Regards,

Hanging in (aka stubbornness) comes naturally to a Scotsman. Would be nice if I knew a little more about what I was doing?

I'm back to tracing through python code, trying to track down where Paimei fails on my computer. One problem I am encountering is the over-bloated nature of Python. If you thought MFC was bad, wait till you trace through python24.dll. For anyone who thinks I'm crazy doing that, it's just for chuckles. You'd have to enjoy the NY Times crossword to know what I mean.

This line is missing from the log window in PStalker (in Paimei) when the app fails:

Setting 683 breakpoints on basic blocks in main module

For some reason, the apps that fail bypass that part of the code, then fail. They don't fail immediately at that point, but after loading a few imports. I want to trace the code to that point to see why the breakpoints are not being set in the apps that fail. It seems to me there should be an error generated if the app can't set the breakpoints...if the PIDA is bad, for example.

A quick digression. The PIDA seems to be packed with zlib but I don't think there are headers on the file. Any ideas on how to decompress it? My plan is to watch it load into memory and dump it, if I ever get there. I'm getting caught up in the Python garbage collector code.

There are only a few functions marked in the python dll, but I have a solution at hand. I have compiled the Python files from source with the hope of getting a good PDB file. My first choice was the debug version, but now I am wondering. I don't know a whole lot about the ins and outs of debugging and could use some advice.

Would I be better off compiling the release version and using the generated PDB file from that for an nms file, or using the debug version? IDA does a reasonable job but there aren't many function landmarks for breakpoints in the release version. If I use the debug version, I don't know how many system files I'd have to recompile to make my present setup functional. Could I just replace the base files like Python.exe, pythonw.exe and python24.dll with their debug counterparts?

The source files for the Windows Python24 install are setup very nicely. I can simply load them in the free VC 2008 and they compile like a charm.

This is a tutorial from ABBSHA, a member of crackslatinos who win the weekly contest for make an pydbg script to reach the oep of a simpleUPX packed program, and print the list of apis of the iat names and addresses

http://storage2.ricardonarvaja.com.ar/web/CURSO%20NUEVO/TEORIAS%20NUMERADAS/1001-1100/1005-USANDO%20PYDBG-%20Script%20de%20Python%20por%20ABSSHA.rar

Thanks to ABBSHA
ricnar

Thanks for sharing Ricardo.

Regards,

and thanks to ABSSHA the author.

ricnar

tnx ricardo for all tut but i have very #$%#45 problem when run PAIMEIconsole.pyw pstalker... did`nt com into my modules why ? and i get flowin error :


Traceback (most recent call last):
File "C:\FUZZERS\PaiMei-1.1-REV122\console\PAIMEIconsole.pyw", line 409, in __init__
exec("from %s import *" % module)
File "<string>", line 1, in ?
File "modules\PAIMEIpstalker.py", line 27, in ?
import _PAIMEIpstalker
File "modules\_PAIMEIpstalker\__init__.py", line 10, in ?
import ProcessListCtrl
File "modules\_PAIMEIpstalker\ProcessListCtrl.py", line 32, in ?
class ProcessListCtrl (wx.ListCtrl, ListCtrlAutoWidthMixin):
File "modules\_PAIMEIpstalker\ProcessListCtrl.py", line 37, in ProcessListCtrl
FUNCTIONS = utils.process_stalker.FUNCTIONS
AttributeError: 'module' object has no attribute 'process_stalker'


can u help me to slave this #@$%#$% problem ???

how do you run process stalker? in the console there is an icon for start, i don' t understand how you start the consola and how you run proces stalker you can explain me?

ricnar

I forgot to mention, thanks Ricardo for the Awesome tutorials. This surely can get a PAIMEI newbie started in a short amount of time. Also, I love your tuts for having a lot of pics, very easy to follow. Thanks again!

Ricardo i only click on PAIMEIconsole.pyw conslo loaded show me some error and at last i see paimei gui (sorry for poor eng)

- i do any thing ex instal sql instal wx.. and all other requerment and and run __re...py and shome everythin is OK and install paimei .

i reed all paimei but i dosn`t have any sens to me .

you install paimei and other complements in the correct versions? in the tut i use python 2.4 and all package have the option to install in 2.4 or 2.5, always is needed the 2.4 version

http://pedram.redhive.com/PyDbg/docs/installation.html

look the packages needed in the page of paimei and verify all are installed in correct versions.

ricnar

Hey everyone, I just wanted to throw down a quick note that I'm in the process of going over and semi-translating Ricardo's excellent tutorials - I'm not finished yet with them but there's a few up on my blog. I'm posting them as I go through them.

Please keep in mind I do not speak Spanish very well at all. When translating them I just used google translate - and tried to fix them a bit by hand for some obvious things they came out sort of decent. One that doesn’t know Spanish could pretty much follow along using a bit of common sense, the google translation, and by looking at the screenshots and examples.

If someone else did a better job - let me know and I can post those instead.

They can be found here:

http://anautonomouszone.com/blog/tutorials ("http://anautonomouszone.com/blog/tutorials")

Cheers,

Chuck B.

good job thanks

ricnar

And for everyone reading this thread just to get their hands on these process stalking features, but still don't want to deal with any Python crap and the assorted problems it brings, take a look at this instead:

http://www.woodmann.com/forum/showthread.php?t=11306