Log in

View Full Version : The dream is 'really higher up'... :P

BanMe
March 13th, 2011, 13:20
OK so this is a 'blog' entry..what defines a blog?..usually its written by 1 person with some lore about something..sometimes it contains insight to the person writing it, and sometimes it's just nothing..well that isn't how I roll..The dark scowl, calculating eyes, and the 'fuck it I'll help' attitude. Sometimes it shortens, but I am not perfect..

So google shellcoders handbook and find that code and review it the first chaps code available is the triangle function..

and the rules changed.. o0

1.no nulls
2.api can be used, and only api's from kernel32,and ntdll.they should be accessed using 'funner' tactics then hashing the names,and not just signature finding..(think beside the box..)
3.a console program is the aim..yea ..
3. not malicious or insane(at least make it insanely understandable...)
4. should use pic(position independent code) without a data or relocation section...(thats the 'fun' one..)
5. the code should be able to 'modify itself'...

avoid using PEB_LDR_DATA...unless you can 'peb link stack memory' in that case pass it on over..I want to see..

So conceptually compiling the first chapters code to fastcall...(ie I didn't really do this 'yet').. This function would take width in ecx, and height in edx, then multiply them and divide by 2, and then return the result..I think I can get it to be able to get input from user into ecx edx and display result.

Essentially I want to pillage data to find code..so all 'normal' programs' use relocations for the usage of data in code..now its just a simple measure of finding the proper signature around that data.. :d
Indy
March 15th, 2011, 12:08
It is bursting graph. Part of the instruction creates a new. Disasm's can not handle this.
BanMe
March 15th, 2011, 12:55
I need more then that to decipher what you are say..

Bursting graph? with instructions?

Code:


mov eax,ebx ;o0 

call 0fffffffa


more please
reverser
March 15th, 2011, 17:17
Quote:
[Originally Posted by BanMe;89826]I need more then that to decipher what you are say..

Bursting graph? with instructions?

Now you can feel what others feel when reading your posts.
BanMe
March 15th, 2011, 23:54
what do you want?

Because "I" feel like "I" am wanting 'more'..If that is what you want I can most certainly elaborate more...

So I will dissect what I was 'requesting more of' to 'understand it better'..

Bursting graph| still not overly sure what his meaning of 'bursting'..But read his posts to find what is usually referred to as the 'graph'...

Part of Instruction makes new.|
see code below 'COPY it in masm and compile and debug it'..then if you don't see it..congratulate yourself.

Disasm's cannot handle this|
olly and some others interpret this type of code wrongly...

I still need to convert masm's stdin stdout from masm32.lib and convert ascii input to the numeric equivalents and then filter and limit input to prevent overflow and text entry..but this shouldn't be to hard..

Thank you for answering..I was not wanting a flame war..

So the above is still under heavy development and redevelopment, and I am striving to not have 'any' 0's or data in 'my' code..this doesn't yet apply to the 'code' from 'libs' I am using but I will slowly convert them as well..

I found a great board game and a decent website for console IO..The game is called c-jump and there are numerous lectures and macros and exams..

http://www.c-jump.com/CIS77/MLabs/M08console/lecture.html

MLabs dir is access denied and so is CIS77..but there is a lot of other information available that you don't have to 'dig' out..
Indy
March 16th, 2011, 01:35
BanMe
Code:
$	8B

$+1	C3


[$]: mov eax,ebx
[$ + 1]: ret

- It's two flows(at this point the graph is bursting, disassembly is terminated because the address is already described). Such a code can consist of many instructions(eg. have 3 flows).
BanMe
March 17th, 2011, 11:01
Thank you for clarifying more..Sorry 'I' had to ask.. :/

Do you have any examples of 3 or more instruction flows or any papers that discuss them, as that seems like a good 'defense' against people that don't completely understand assembly, as well as a great minimalistic tactic for including 'more' with less..
Indy
March 17th, 2011, 13:49
This code is very difficult to create. Especially if it consists of many flows. That a simple example:
8D 54 08 04 8A 02 2A C3
Flow1:
Code:
$	8D5408 04		lea edx,dword ptr ds:[eax+ecx+4]

$+4	8A02			mov al,byte ptr ds:[edx]

$+6	2AC3			sub al,bl

Flow2:
Code:
$+2	08048A			or byte ptr ds:[edx+ecx*4],al

$+5	022A			add ch,byte ptr ds:[edx]

$+7	C3			ret

Flow3:
Code:
$+3	04 8A			add al,8A

$+5	022A			add ch,byte ptr ds:[edx]

$+7	C3			ret
BanMe
March 17th, 2011, 19:38
Thank you again..my friend..your like a book of knowledge..I thank you for sharing as usual..

it's working..I got a answer for calculating the area of a triangle in shellcode...lol! this and the manual is definitely the funnest way to learn..

'fo tehm'..(for me?)w/e..if ya'll cant get this one.. read my sig repeat my sig to yourself....one of you will..'apply the thought'.. hint 'butterflys'... o0
Code:


.486

.model flat,stdcall

option casemap:none

code SEGMENT DWORD flat PUBLIC  'text' ;name the code section flat and 'public'..

include      \masm32\include\windows.inc

;include    \masm32\include\ntdll.inc

include      \masm32\include\kernel32.inc

include      \masm32\include\masm32.inc

;includelib  \masm32\lib\ntdll.lib

includelib  \masm32\lib\kernel32.lib

includelib  \masm32\lib\masm32.lib



ScStart:

assume fs:nothing;yea

jmp fstart;skipjack over the 'data' 

fix_end:

    dec esi;go back 1 to 'ff'

    xor dword ptr [esi],0f1f1f1f2h;fix the string..make 0d[carriage return] ,0a[new line],00,00[terminate string]

    pop esi\

        fix stack

    pop ecx/

    ret

fix_string_code:

    push ecx'save this'

    push esi 'save this'

    xor ecx,ecx'zero ecx

    sub ecx,-21h 'make ecx '!'..

@@:

    lodsb;read byte from [esi] to al esi after op is +1

    cmp al,cl;test byte for '!'...avoid those 0's

    jne @b;inc string string..

    dec cl;make ! into ' '(a space your cant 'see' it..lol)

    mov byte ptr [esi-1],cl;overwrite esi minus 1 with cl(space)

    inc cl;revert cl back to '!'

    lodsb;check if this ! terminates the string next byte should be ff..thats how I made it.. o0

    cmp al,0ffh

    je fix_end

    jmp @b;repeat remove ! and replace with ' '..

stdin_stack:;yea..

    push esi

    xor ecx,ecx;0

    mov esi,ecx ;esi 0

    sub ecx,-8h;add 8 to 0..

    xor esi,fs:[ecx];read fs stack base address..

    sub ecx,-0fch;

    pop esi

    ret

prep_atoi_string:

    xor ecx,ecx;clear

    xor ecx,eax;read eax

    add ecx,-2h;sub ecx 2 for the enter you 'have to hit' (crlf..)

@@:

    inc esi;inc past 'data' input

    dec ecx;minus 1

    jnz @b

    mov word ptr [esi],cx;over that crlf    

    ret

get_title:

    mov eax,ebx;..'this terminates disassembly..' next instruction is a call to the middle of this instruction(indy showed that..)

    db 0e8h;call

    dd 0fffffffah;back -1

    ret

    db 061h;a

    db 072h;r

    db 065h;e

    db 061h;a

    db 021h;!

    db 06Fh;o

    db 066h;f

    db 021h;!

    db 074h;t

    db 072h;r

    db 069h;i

    db 061h;a

    db 06Eh;n

    db 067h;g

    db 06Ch;l

    db 065h;e

    db 021h;!

    db 0ffh;cr 

    db 0fbh;lf

    db 0f1h;00

    db 0f1h;00

fstart:

    jmp sstart

get_width:

    mov eax,ebx

    db 0e8h

    dd 0fffffffah

    ret

    db 065h 

    db 06Eh

    db 074h

    db 065h

    db 072h

    db 021h

    db 06Ch

    db 065h

    db 06Eh

    db 067h

    db 074h

    db 068h

    db 03Ah

    db 021h

    db 0ffh 

    db 0fbh

    db 0f1h

    db 0f1h

get_length:

    mov eax,ebx

    db 0e8h

    dd 0fffffffah

    ret

    db 065h 

    db 06Eh 

    db 074h 

    db 065h 

    db 072h 

    db 021h 

    db 077h 

    db 069h 

    db 064h 

    db 074h 

    db 068h 

    db 03Ah

    db 021h

    db 0ffh 

    db 0fbh

    db 0f1h

    db 0f1h

sstart:

    call  get_title

    mov esi,dword ptr [esp-8h]

    inc esi

    call fix_string_code

    push esi

    call StdOut

    call get_width

    mov esi,dword ptr [esp-8h]

    inc esi

    call fix_string_code

    push esi

    call StdOut

    call stdin_stack

    push ecx

    push esi

    call StdIn

    push esi

    call prep_atoi_string

    call atodw

    push ecx

    call get_length

    mov esi,dword ptr [esp-8h]

    inc esi

    call fix_string_code

    push esi

    call StdOut

    call stdin_stack

    push ecx

    push esi

    call StdIn

    push esi

    call prep_atoi_string

    call atodw

    mov edx,ecx;store this entry

    pop ecx;get last entry

    mul ecx;mul the 2

    xor ecx, ecx;0

    inc ecx;add 1

    sar eax,cl;divide by 2

    dec ecx;0

    xor ecx,eax;read result

    dec esi;minus a 'word' to fix it up

    dec esi

    push esi;push buffer

    push ecx;push result

    call dwtoa;convert to ascii

    push esi;

    call StdOut;output result

    ret

code ends

end ScStart


I guess the next question is who can make it faster and 'smaller'..(literally 'who' can?) I have a few idea's to make it smaller and 'better'.. but still not many for 'faster' yet...anyone?

`!```radical thought```!`below caution'...
the key to this..make code into action and understanding...I try to 'make' a game of it..do you as well?
Indy
March 20th, 2011, 12:47
One thread - one instruction

In this sample in any given time is decrypted only one instruction:
2445

2444
BanMe
March 20th, 2011, 14:54
no one 'laughs' enough....do it unto lucidity and then 'pull' the knives out of your own minds...one by one and 'display them'...for the fun of it?thanks for starting the fun :}.. 0's..no fun for you?

I meant that as a complement to 'crying'...laugh more and play more for in your 'playing' you would learn more. :P
and the other part was 'find the path of most resistance and walk it internally.'.

Also 'try' to have the lowest amount of zeros.

But yea I love your code...funny playful and so well presented...and utilized..
Indy
March 20th, 2011, 15:50
I do not know what you mean

Reading the stack memory outside of the stack - is prohibited and is a perversion

Quote:
'pull' the knives out of your own minds..

Your tasks are solved long ago. It has long been known that the best defense against a disassembler is crypting and virtualization.
BanMe
March 20th, 2011, 17:47
Scared I am of the path I take...But I am willing to look and adapt to change.

This is what I am trying to say to any who read my thoughts..Take the 'time' for yourself and find the things that hold you back(road blocks).. Then rip them out and face them, but not only 'face' them, air them out and rethink them..This will change anyone, as it would leave any who tried: open and 'thread'bare to the world, that is what 'I' am so afraid of 'the knowledge that we are so easily misunderstood'...That is a 'terrible thing' and I seem to stumble upon this 'factor' very often.. It always leaves me with a thought to find out 'why' and can it be adapted.

So pick your own 'poison' and go 'after' it..never stop, falter often, and always question.
Enjoy your life more and break the 'wheel', just to fix it again..