Guys, first of all - I READ EVERYTHING on this forum and played a LOT with it. I know about int 1/int 3 tricks - I've read evaluator/nikolastela posts, I know DR-tricks - I've read Solomon's post. So two questions left. Pretty hard...

1) Still cannot understand DPL stuff with int 1. WHY SOFT-ICE changes it?
2) Solomon, when describing SEH-handler with DR-self tracing didn't mention other path which is doing

xor eax,eax
dr0 <- 0
dr1-3 <-0
and putting the mask to dr6-7.

So, for example, suppose I bypassed the handler (unfortunately I'm not really sure how to bypass it CORRECTLY - I mean not int 3/1 but DR-stuff...) but later on program start complaining about CRC-error! I know for sure that it is NOT int 3/int 1 check - I didn't press F8 or sth like this.... The only thing that immediately comes to mind is the DR-stuff again. But I didn't find anything around that damn MessageBoxA... The code is really crazy around, but no SEH-frames, no CONTEXT access... BTW, I need to check for the GetThreadContext/SetThreadContext...
May be someone can enlighten the situation for me?

Sorry, CRC error was the part of my stupidity, I know what to do with it now. The only thing left is the DPL stuff....

OK, gentlemen, thank you for the answers.
Fortunatly, I was able to figure everything by myself.
Russian-speaking visitors will be able to read my second chapter on wasm.ru in one week.

noThanks for Thanks.

Can you explain, what is:
"DPL stuff"?

Hi,
directly from Intel manual volume 3, System Programming Guide:

DPL (descriptor privilege level) field
Specifies the privilege level of the segment (descriptor). The privilege level can range from 0 to 3, with 0 being the most privileged level. The DPL is used to control access to the segment. See Section 4.5., "Privilege Levels", for a description of the relationship of the DPL to the CPL (Current privilege level) of the executing code segment and the RPL of a segment selector.

Zairon, "thanks for.." ??

I'm interesting, why Volodya talks about DPL when subj is tElock!?

Sorry evaluator, I misunderstand you

evaluator

Indeed, there was no need to speak about DPL here, because telock uses int 3. In case of int 1, DPL is right what you need - I was able to find your brilliant explanations about KiTrap0D and priviledge level changes and access violation. I wrote the small program:


EXCEPTION_DISPOSITION
__cdecl
_except_handler(
struct _EXCEPTION_RECORD *ExceptionRecord,
void * EstablisherFrame,
struct _CONTEXT *ContextRecord,
void * DispatcherContext )
{
printf("STATUS: %x\n", ExceptionRecord->ExceptionCode);
ContextRecord->Eip++;
return ExceptionContinueExecution;
}



int main(void)
{
DWORD handler = (DWORD)_except_handler;

__asm
{
push handler
push FS:[0]
mov FS:[0],ESP
int 1
mov eax,[ESP]
mov FS:[0], EAX
add esp, 8
}

return 0;

}

and it has proved what's happening indeed. So now I have clear understanding of what's going on. Thanks, evaluator

ok,
so for final move, DPL is important for INTxx instructions.
however tElock uses F1h opcode(against single step),
which is not affected by DPL rule for Intel's P.

>WHY SOFT-ICE changes it?
Probably authors have some ideas about it.. Try to ask them!