telock 0.98 again :(


volodya
October 10th, 2003, 09:10
Guys, first of all - I READ EVERYTHING on this forum and played a LOT with it. I know about the int 1/int 3 tricks - I've read evaluator's/nikolastela's posts; I know the DR tricks - I've read Solomon's post. So two questions are left. Pretty hard...

1) Still cannot understand the DPL stuff with int 1. WHY does SOFT-ICE change it?
2) Solomon, when describing the SEH handler with DR self-tracing, didn't mention the other path, which is doing

xor eax,eax
dr0 <- 0
dr1-3 <-0
and putting the mask to dr6-7.

So, for example, suppose I bypassed the handler (unfortunately I'm not really sure how to bypass it CORRECTLY - I mean not the int 3/int 1 but the DR stuff...) but later on the program starts complaining about a CRC error! I know for sure that it is NOT an int 3/int 1 check - I didn't press F8 or something like this.... The only thing that immediately comes to mind is the DR stuff again. But I didn't find anything around that damn MessageBoxA... The code around it is really crazy, but no SEH frames, no CONTEXT access... BTW, I need to check for GetThreadContext/SetThreadContext...
Maybe someone can enlighten the situation for me?
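The handler path described above (Dr0..Dr3 cleared, a mask written into Dr6/Dr7) is easier to follow with the debug-register bit layout in front of you. The following is an added example, not code from the thread or from tElock: it decodes and rebuilds DR7/DR6 values as they appear in a CONTEXT record, and replays the clear-and-mask step on a constructed CONTEXT. Bit positions follow the Intel SDM debug-register description; the sample CONTEXT values are constructed.

```python
# Added example, not from the thread: decode and build the DR6/DR7 masks that a
# tElock-style SEH handler reads from or writes into the CONTEXT record
# (Dr0..Dr3 cleared, a mask placed in Dr6/Dr7). Bit layout per the Intel SDM
# debug-register description; the sample CONTEXT values below are constructed.
from dataclasses import dataclass
from typing import Dict, List

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LENn encoding: 10b means 8 bytes (64-bit mode only)
DR7_RESERVED_ONE = 1 << 10              # bit 10 of DR7 always reads as 1


@dataclass
class HwBreakpoint:
    index: int          # 0..3, i.e. which of DR0..DR3 holds the address
    address: int
    local: bool         # Ln bit (cleared by the CPU on a task switch)
    global_: bool       # Gn bit
    kind: str           # R/Wn field, decoded
    length: int         # LENn field, decoded to bytes


def decode_dr7(dr7: int, dr0_3: List[int]) -> List[HwBreakpoint]:
    """List the breakpoints DR7 enables: Ln/Gn at bits 2n/2n+1,
    R/Wn at bits 16+4n..17+4n, LENn at bits 18+4n..19+4n."""
    bps = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        bps.append(HwBreakpoint(i, dr0_3[i], local, glob, RW_NAMES[rw], LEN_BYTES[ln]))
    return bps


def encode_dr7(bps: List[HwBreakpoint]) -> int:
    """Inverse of decode_dr7: the mask a handler would write into Dr7."""
    dr7 = DR7_RESERVED_ONE
    rw_codes = {v: k for k, v in RW_NAMES.items()}
    len_codes = {v: k for k, v in LEN_BYTES.items()}
    for bp in bps:
        if bp.local:
            dr7 |= 1 << (2 * bp.index)
        if bp.global_:
            dr7 |= 1 << (2 * bp.index + 1)
        dr7 |= rw_codes[bp.kind] << (16 + 4 * bp.index)
        dr7 |= len_codes[bp.length] << (18 + 4 * bp.index)
    return dr7


def decode_dr6(dr6: int) -> Dict[str, object]:
    """Status bits: B0..B3 = which breakpoint fired, BD (bit 13) = debug-register
    access with GD set, BS (bit 14) = single step, BT (bit 15) = task switch."""
    return {
        "hit": [i for i in range(4) if (dr6 >> i) & 1],
        "BD": bool((dr6 >> 13) & 1),
        "BS": bool((dr6 >> 14) & 1),
        "BT": bool((dr6 >> 15) & 1),
    }


def handler_clear_path(ctx: Dict[str, int], new_dr7: int = DR7_RESERVED_ONE) -> Dict[str, int]:
    """The handler path volodya describes: Dr0..Dr3 <- 0 and a mask into Dr6/Dr7.
    Returns a new CONTEXT dict so the caller can diff it against the original."""
    out = dict(ctx)
    for reg in ("Dr0", "Dr1", "Dr2", "Dr3"):
        out[reg] = 0
    out["Dr6"] = 0
    out["Dr7"] = new_dr7
    return out


def debugger_breakpoints_present(ctx: Dict[str, int]) -> bool:
    """True if the CONTEXT carries any enabled hardware breakpoint, which is what
    a self-tracing handler examines before concluding it is being traced."""
    return bool(decode_dr7(ctx["Dr7"], [ctx["Dr0"], ctx["Dr1"], ctx["Dr2"], ctx["Dr3"]]))


# Constructed CONTEXT: a debugger set an execute breakpoint in DR0 (local) and a
# 4-byte write breakpoint in DR1 (global); DR6 says breakpoint 0 fired during a step.
SAMPLE_CTX = {"Dr0": 0x00401000, "Dr1": 0x00403010, "Dr2": 0, "Dr3": 0,
              "Dr6": 0x00004001, "Dr7": 0x00D00009 | DR7_RESERVED_ONE}

if __name__ == "__main__":
    for bp in decode_dr7(SAMPLE_CTX["Dr7"], [SAMPLE_CTX[f"Dr{i}"] for i in range(4)]):
        print(bp)
    print(decode_dr6(SAMPLE_CTX["Dr6"]))
    print(hex(handler_clear_path(SAMPLE_CTX)["Dr7"]))
```

Running the block against the constructed CONTEXT prints the two enabled breakpoints, the DR6 status, and the DR7 value left behind by the clear path; comparing `debugger_breakpoints_present` before and after shows why a debugger's hardware breakpoints vanish once such a handler has run.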

volodya
October 10th, 2003, 23:16
Sorry, CRC error was the part of my stupidity, I know what to do with it now. The only thing left is the DPL stuff....

volodya
October 12th, 2003, 21:31
OK, gentlemen, thank you for the answers.
Fortunately, I was able to figure everything out by myself.
Russian-speaking visitors will be able to read my second chapter on wasm.ru in one week.

evaluator
October 13th, 2003, 04:07
No thanks for thanks.

Can you explain, what is:
"DPL stuff"?

ZaiRoN
October 13th, 2003, 04:27
Hi,
directly from Intel manual volume 3, System Programming Guide:

DPL (descriptor privilege level) field
Specifies the privilege level of the segment (descriptor). The privilege level can range from 0 to 3, with 0 being the most privileged level. The DPL is used to control access to the segment. See Section 4.5., "Privilege Levels", for a description of the relationship of the DPL to the CPL (Current privilege level) of the executing code segment and the RPL of a segment selector.

evaluator
October 13th, 2003, 05:12
Zairon, "thanks for.." ??

I'm interested: why does Volodya talk about DPL when the subject is tElock!?

ZaiRoN
October 13th, 2003, 06:11
Sorry evaluator, I misunderstood you.

volodya
October 13th, 2003, 11:39
evaluator

Indeed, there was no need to speak about DPL here, because telock uses int 3. In the case of int 1, DPL is exactly what you need - I was able to find your brilliant explanations about KiTrap0D, privilege level changes and the access violation. I wrote a small program:


#include <windows.h>
#include <stdio.h>
#include <excpt.h>

/* Raw SEH frame handler (32-bit MSVC build). Prints the exception code
   and resumes execution after the "int 1". */
EXCEPTION_DISPOSITION
__cdecl
_except_handler(
    struct _EXCEPTION_RECORD *ExceptionRecord,
    void * EstablisherFrame,
    struct _CONTEXT *ContextRecord,
    void * DispatcherContext )
{
    printf("STATUS: %x\n", ExceptionRecord->ExceptionCode);
    /* "int 1" is the 2-byte opcode CD 01. When the gate's DPL rejects the
       ring-3 INT (#GP, reported as STATUS_ACCESS_VIOLATION), Eip still
       points at the instruction and must be moved past it. When the
       single-step exception (STATUS_SINGLE_STEP) is delivered instead,
       Eip already points past it. */
    if (ExceptionRecord->ExceptionCode == STATUS_ACCESS_VIOLATION)
        ContextRecord->Eip += 2;
    return ExceptionContinueExecution;
}

int main(void)
{
    DWORD handler = (DWORD)_except_handler;

    __asm
    {
        push handler        ; new frame: handler address
        push FS:[0]         ; previous frame pointer
        mov FS:[0],ESP      ; link the frame in
        int 1               ; CD 01: software interrupt to vector 1
        mov eax,[ESP]       ; unlink: restore the previous frame
        mov FS:[0], EAX
        add esp, 8
    }

    return 0;
}

and it proved what is indeed happening. So now I have a clear understanding of what's going on. Thanks, evaluator

evaluator
October 13th, 2003, 14:55
OK,
so for the final move: DPL is important for INTxx instructions.
However, tElock uses the F1h opcode (against single step),
which is not affected by the DPL rule for Intel's P.

>WHY does SOFT-ICE change it?
Probably the authors have some ideas about it... Try to ask them!
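The privilege rule the thread settles on (a software INT n is checked against the IDT gate's DPL, while the F1h opcode is not) can be made concrete by decoding a gate descriptor and applying the check. The following is an added example, not code from the thread or from tElock or SoftICE: it parses a 32-bit IDT gate, rebuilds one, and reports whether a ring-3 "int 1" would reach the handler or fault. Descriptor layout and the CPL <= DPL rule follow the Intel SDM; the descriptor bytes and handler address are constructed placeholders.

```python
# Added example, not from the thread: parse a 32-bit IDT gate descriptor and apply
# the privilege check that decides whether a ring-3 "int 1" reaches its handler.
# Descriptor layout and the CPL <= DPL rule for software interrupts follow the
# Intel SDM; the descriptor bytes and handler addresses below are constructed.
import struct
from dataclasses import dataclass

INTERRUPT_GATE_32 = 0xE
TRAP_GATE_32 = 0xF
GATE_TYPES = {0x5: "task gate", 0x6: "16-bit interrupt gate", 0x7: "16-bit trap gate",
              INTERRUPT_GATE_32: "32-bit interrupt gate", TRAP_GATE_32: "32-bit trap gate"}


@dataclass
class GateDescriptor:
    offset: int      # handler linear address (offset 31:16 | offset 15:0)
    selector: int    # code segment selector
    gate_type: int   # low 4 bits of the attribute byte
    dpl: int         # descriptor privilege level, bits 5..6 of the attribute byte
    present: bool    # P bit, bit 7 of the attribute byte


def parse_gate(raw: bytes) -> GateDescriptor:
    """Decode one 8-byte IDT entry (little-endian, as stored in memory)."""
    if len(raw) != 8:
        raise ValueError("IDT gate descriptor is 8 bytes")
    off_lo, selector, _reserved, attr, off_hi = struct.unpack("<HHBBH", raw)
    return GateDescriptor(
        offset=(off_hi << 16) | off_lo,
        selector=selector,
        gate_type=attr & 0xF,
        dpl=(attr >> 5) & 3,
        present=bool(attr & 0x80),
    )


def build_gate(offset: int, selector: int, gate_type: int, dpl: int, present: bool = True) -> bytes:
    """Inverse of parse_gate (bit 4, the S flag, is 0 for system descriptors)."""
    attr = (gate_type & 0xF) | ((dpl & 3) << 5) | (0x80 if present else 0)
    return struct.pack("<HHBBH", offset & 0xFFFF, selector, 0, attr, (offset >> 16) & 0xFFFF)


def software_int_outcome(gate: GateDescriptor, cpl: int, icebp: bool = False) -> str:
    """What the CPU does when ring `cpl` code executes a software interrupt to `gate`.

    INT n / INT3 / INTO are subject to the gate DPL: #GP if CPL > DPL.
    ICEBP (opcode F1h, the form evaluator says tElock uses) is delivered like a
    hardware #DB and skips that check. A non-present gate raises #NP either way.
    """
    if not gate.present:
        return "#NP"
    if not icebp and cpl > gate.dpl:
        return "#GP"
    return "handler"


# Constructed: vector 1 as an interrupt gate with DPL 0 (a ring-3 "int 1" then
# faults with #GP, which the SEH handler in this thread sees as
# STATUS_ACCESS_VIOLATION), and the same gate with DPL raised to 3 (the change
# the thread attributes to SoftICE, after which "int 1" reaches the handler).
# The handler address 0x80401000 is a placeholder.
VECTOR1_DPL0 = build_gate(0x80401000, 0x08, INTERRUPT_GATE_32, 0)
VECTOR1_DPL3 = build_gate(0x80401000, 0x08, INTERRUPT_GATE_32, 3)

if __name__ == "__main__":
    for name, raw in (("DPL0", VECTOR1_DPL0), ("DPL3", VECTOR1_DPL3)):
        g = parse_gate(raw)
        print(name, GATE_TYPES[g.gate_type], "DPL", g.dpl,
              "| int 1 from ring 3 ->", software_int_outcome(g, 3),
              "| F1h from ring 3 ->", software_int_outcome(g, 3, icebp=True))
```

The two constructed gates reproduce the thread's outcome table: with DPL 0 the CD 01 form faults from ring 3 while the F1h form still reaches the vector-1 handler, and raising the gate's DPL to 3 makes both forms behave the same, which is why a check built on CD 01 reacts to the DPL change and one built on F1h does not.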