
View Full Version : Art Of Disassembly


CuTedEvil
November 21st, 2003, 12:59
Hi all,

Check this, it might be interesting: hxxp://aod.anticrack.de
It would be gr8 to share you opinions here.

CuTedEvil

volodya
November 21st, 2003, 14:22
I realise I might be banned after this, but I really don't care in this case. With all possible respect to the site and the forum (it is simply brilliant!) I have to say that you, CuTedEvil, are no one but A THIEF!
Your so-called book is nothing more than just "preprocessed" The Svin's essays and explanations. You took his sources, his ideas and NEVER even said a trivial "thanks" to him! So, ANY Russian-speaking person WILL NEVER THINK IT IS YOUR BOOK. The best possible option will be to think about you as the editor, NOT the author.

volodya
November 21st, 2003, 17:23
Well, just another few cents of criticism. I didn't check the parts you've stolen from The Svin's code - they should be OK, but it is obvious you know nothing about PE structure and verification. Let me be more concrete.

Quote:
If you remember well AddressOfEntryPoint member is located at the Optional
Header. Which is actually the RVA of the Entry Point.


Once again, wrong, my friend. You should practice more. Learn StarForce protection. EP contains VA! At least you should mention it as a special case.

Quote:

Actually, the import table is an array of IMAGE_IMPORT_DESCRIPTOR
structures, each of these structures has information about a DLL that the PE is
importing symbols from.


The statement is totally wrong. An array of IMAGE_IMPORT_DESCRIPTORs should be called Import DIRECTORY. Import table is nothing but IMAGE_THUNK_DATA!

Quote:

What should we do
to get a list of all the imports in a specific PE ?
Basically what we should is:
• Go to the first IMAGE_IMPORT_DESCRIPTOR structure


Excellent logic! This technique is a little bit old, actually! What are you going to do if there are NO IMAGE_IMPORT_DESCRIPTOR structures and the file is still valid, ah? What about IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT? Have you ever heard of LdrpWalkImportDescriptor inside ntdll.dll?


The rest is more or less OK. And I know why. You were using Iczelion's tutorials. But at least you said thanks to him. Not to The Svin.
So, my dear lamer, bye for now.

Bengaly
November 21st, 2003, 18:16
The Svin's lessons are free to read, and no, AOD's sources or text were not taken from Svin's but probably inspired by them.
So, volodya, my friend, you are wrong here.

I've read all TheSvin's essays btw, I liked them.

CuTedEvil
November 21st, 2003, 19:23
@vladimir : I do not really care about your criticism. About what you said about (The Svin) I don't deny they are gr8 tutorials and I learned from them.

Not mentioning the sources I took from was a mistake (The e-book was supposed to be published after 15 chapters, the last one would contain all the (Thanks Fly To ...) but for lack of time, we deleted the last chapter)

About being a lamer or thief, I'd rather not comment. I'm better than that.

About your second post, you're trying to look smart, showing some knowledge. But again, I really do not care. Maybe that will make u sad, but, sorry, I just do not care.

Have a nice time.
CuTedEvil

cuPegasus
November 21st, 2003, 20:51
hmmm.....

RVA + ImageBase = VA .....

We take a HexEditor, open a PE-file, jump to OptionalHeader.AddressOfEntryPoint (which we know is a DWORD), and see: 1000h.
Now we jump to OptionalHeader.ImageBase (again a DWORD) and see: 400000h. If the theory rocks, the result will be 401000h as VA.

But we don't trust it. Better take a prof. disassembler (like PEExplorer 1.94) which is able to prove this... Oops, our VA is correct...

Conclusion: "Once again, wrong, my friend... vladimir"


"Import table is nothing but IMAGE_THUNK_DATA!"
I don't know what your PE files look like, but mine have IAT and ImportTable. Please don't misunderstand me, but: where is IMAGE_THUNK_DATA??

... and finally the last one: did you know what "Basically what we should is:" means? In this causal connection "basically" means "the normal way".
"Normally, you open your car with a key! And if you don't find it, you smash the window..."

"Only who is innocent is able to throw the first stone"...

esther
November 21st, 2003, 22:24
Hi,

I do agree with volodya. Writing greetings and thanks is not hard anyway. It is a respect to previous authors. I think anyone can do it.

>Not mentioning the sources I took from was a mistake (The e-book was supposed to be published after 15 chapters, the last one would contain all the (Thanks Fly To ...) but for lack of time, we deleted the last chapter)

You have time to post something here and don't have time to write greetings (thanks to..)?

I remember your nick... Sandman's+Lazarus projects

Sidenote: I think I made a mistake, it's evilteach not cuteevil, my apology :O

Regards

CuTedEvil
November 22nd, 2003, 08:12
Quote:
[Originally Posted by esther]You have time to post something here and don't have time to write greetings(thanks to..)?


hxxp://board.anticrack.de/viewtopic.php?p=18925#18925

Hope this is OK.

CuTedEvil

volodya
November 22nd, 2003, 13:34
Much better, cuteDevil, much better. Sorry, but I also don't care if you don't care. It is not my problem. Now to the knowledge. Once again.

cuPegasus
Conclusion: "Once again, wrong, my friend... vladimir"

You were listening to me inattentively, my friend. I mentioned SPECIAL CASE. Obviously, EP will contain RVA in 98% of cases, but you never took a look at StarForce protection. Code section is NOT present in the PE file ON DISK, but takes some virtual memory! Therefore, EP MUST be VA.
Conclusion: "Once again, wrong, my friend... cuPegasus"

I don't know how your PE files look like, but mine have IAT and ImportTable

cuPegasus, if I were a teacher, I would NOT give you 10.
Once again, CAREFULLY read the PE spec:
1) The array of IMAGE_IMPORT_DESCRIPTORs is the IMPORT DIRECTORY!
2) IAT and import table are the SAME words! They both refer to IMAGE_THUNK_DATA. There are TWO IMAGE_THUNK_DATA's in the PE. ANY PE, except the one produced with the Watcom compiler. One IMAGE_THUNK_DATA is being patched at run time with the ntdll.dll - windows loader, so it is called FirstThunk. The other one is left intact - so it is called import lookup table (import name table).
For more on the subject - please, read the PE spec, see some diagrams in my article and read Osterlund's article about ntdll.dll.
Links are:

hxxp://www.wasm.ru/article.php?article=packlast01
my article - it is in Russian, sorry, but you'll be able to carefully study the diagrams at least!

"Windows 2000 Loader: What Happens Inside Windows 2000: Solving the Mysteries of the Loader" - Russell Osterlund - http://www.smidgeonsoft.com

PE Spec is available on my wasm site or on MSDN.

Normally, you open your car with a key! And if you don't find it, you smash the window...
are you a native language speaker?
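
Added example, not code from the thread or from the AoD book: a small Python walker over a constructed PE32 image that covers two points argued above, cuPegasus's VA = ImageBase + RVA arithmetic for AddressOfEntryPoint, and the layout volodya describes for imports: the data directory entry points at the array of IMAGE_IMPORT_DESCRIPTOR (the import directory table in the PE spec's terms), and each descriptor carries two RVAs to IMAGE_THUNK_DATA arrays, OriginalFirstThunk (import lookup table) and FirstThunk (import address table), identical on disk until the loader overwrites the second one. The image bytes, the DLL name and the ordinal 52 are constructed for the example; the struct layouts are the documented PE32 header sizes. An image whose import data directory is empty yields an empty list rather than an error, which is the "no IMAGE_IMPORT_DESCRIPTORs" case raised earlier in the thread.

```python
"""Added example (not the thread's or the book's code): build a tiny PE32 image in
memory, resolve AddressOfEntryPoint (an RVA) to a VA, and walk the import
directory down to both IMAGE_THUNK_DATA arrays."""
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
OPT_HDR32_FMT = "<HBB9I6H4I2H6I"   # IMAGE_OPTIONAL_HEADER32 up to NumberOfRvaAndSizes
SECTION_FMT = "<8s6I2HI"           # IMAGE_SECTION_HEADER

def build_sample_image():
    """Constructed PE32 (hypothetical, not a real binary): one .text section at RVA 0x1000,
    file offset 0x200, holding code, the import directory, an ILT, an IAT and names."""
    sec_rva, sec_raw = 0x1000, 0x200
    rva = lambda rel: sec_rva + rel
    sec = bytearray(0x200)
    sec[0x00] = 0xC3                                      # entry point: ret
    # import directory: one IMAGE_IMPORT_DESCRIPTOR, followed by the all-zero terminator
    sec[0x10:0x24] = struct.pack("<5I", rva(0x40), 0, 0, rva(0x60), rva(0x50))
    # OriginalFirstThunk -> import lookup (name) table; the loader leaves it intact
    sec[0x40:0x4C] = struct.pack("<3I", rva(0x70), IMAGE_ORDINAL_FLAG32 | 52, 0)
    # FirstThunk -> IAT; identical on disk, overwritten with addresses at load time
    sec[0x50:0x5C] = struct.pack("<3I", rva(0x70), IMAGE_ORDINAL_FLAG32 | 52, 0)
    sec[0x60:0x6D] = b"KERNEL32.dll\0"
    sec[0x70:0x7E] = struct.pack("<H", 0) + b"ExitProcess\0"  # IMAGE_IMPORT_BY_NAME
    dirs = [0] * 32
    dirs[2 * IMAGE_DIRECTORY_ENTRY_IMPORT:2 * IMAGE_DIRECTORY_ENTRY_IMPORT + 2] = [rva(0x10), 40]
    opt = struct.pack(OPT_HDR32_FMT, 0x10B, 6, 0, 0x200, 0, 0, rva(0), sec_rva, 0x2000,
                      0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x2000, 0x200, 0,
                      3, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + struct.pack("<32I", *dirs)
    # IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE
    file_hdr = struct.pack("<2H3I2H", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)
    sec_hdr = struct.pack(SECTION_FMT, b".text", 0x200, sec_rva, 0x200, sec_raw, 0, 0, 0, 0, 0x60000020)
    dos = bytearray(0x40)
    dos[0:2], dos[0x3C:0x40] = b"MZ", struct.pack("<I", 0x40)   # e_lfanew -> NT headers
    headers = bytes(dos) + b"PE\0\0" + file_hdr + opt + sec_hdr
    return headers.ljust(sec_raw, b"\0") + bytes(sec)

def parse_pe(data):
    """Read the header fields a loader needs and the section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, size_opt, _ = struct.unpack_from("<2H3I2H", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    opt = struct.unpack_from(OPT_HDR32_FMT, data, opt_off)
    if opt[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    raw = struct.unpack_from("<%dI" % (2 * min(opt[29], 16)), data, opt_off + 96)
    secs = [struct.unpack_from(SECTION_FMT, data, opt_off + size_opt + 40 * i) for i in range(nsec)]
    return {"entry_rva": opt[6], "image_base": opt[9], "size_of_headers": opt[20],
            "dirs": list(zip(raw[0::2], raw[1::2])), "sections": secs}

def rva_to_offset(pe, rva):
    """Map an RVA to a file offset through the section table; headers map 1:1."""
    for _, vsize, va, rawsize, rawptr, *_ in pe["sections"]:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    if rva < pe["size_of_headers"]:
        return rva
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def entry_point_va(pe):
    """AddressOfEntryPoint is an RVA; its VA is ImageBase + RVA (0x400000 + 0x1000 here)."""
    return pe["image_base"] + pe["entry_rva"]

def read_cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def read_thunks(data, pe, rva):
    """Walk one IMAGE_THUNK_DATA array (ILT, or the IAT as it is on disk) to its null entry."""
    entries, off = [], rva_to_offset(pe, rva)
    while True:
        thunk = struct.unpack_from("<I", data, off)[0]
        if thunk == 0:
            return entries
        if thunk & IMAGE_ORDINAL_FLAG32:
            entries.append(("ordinal", thunk & 0xFFFF))
        else:                                  # RVA of IMAGE_IMPORT_BY_NAME {Hint, Name}
            name_off = rva_to_offset(pe, thunk)
            hint = struct.unpack_from("<H", data, name_off)[0]
            entries.append(("name", hint, read_cstr(data, name_off + 2)))
        off += 4

def walk_imports(data, pe):
    """Import directory = null-terminated array of IMAGE_IMPORT_DESCRIPTOR, one per DLL.
    Each one points at two thunk arrays: OriginalFirstThunk (lookup table) and FirstThunk (IAT)."""
    dir_rva, _ = pe["dirs"][IMAGE_DIRECTORY_ENTRY_IMPORT]
    if dir_rva == 0:
        return []                              # no import directory at all
    imports, off = [], rva_to_offset(pe, dir_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", data, off)
        if oft == 0 and name_rva == 0 and ft == 0:
            return imports
        imports.append({"dll": read_cstr(data, rva_to_offset(pe, name_rva)), "ilt_rva": oft,
                        "iat_rva": ft, "symbols": read_thunks(data, pe, oft or ft)})
        off += 20
```

Calling `parse_pe(build_sample_image())` and then `entry_point_va` gives 0x401000, and `walk_imports` returns one entry for KERNEL32.dll with the ILT at RVA 0x1040, the IAT at 0x1050 and the two symbols (one by name, one by ordinal). The `oft or ft` fallback covers binaries whose linker left OriginalFirstThunk at zero, where only the FirstThunk array exists on disk.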

cuPegasus
November 22nd, 2003, 15:26
"IAT and ImportTable are the SAME words"
... so we have been very stupid while developing the PE file format...
... or does the Import section contain both? IAT in the beginning, followed by ImportTable? ...

But perhaps there is a difference between ImportAddressTable and ImportTable. Otherwise there is no need - if your words are correct - to enter BOTH into the DataDirectories of the OptionalHeader.

You think you are a PE hero? Ok, fine. So this question must be simple for you:
A default PE file (let's assume a dialog application created with asm) contains NO IAT AND ImportTable (creation is very simple using the stack during startup). Both entries in OptionalHeader.DataDirectory are zero, their size is zero too. Which named OS is able to run this application: Win9X, Win2K, WinXP? AND WHY? What do you have to do to run this application on all OS?

If you can't answer these questions (which also explain the difference between IAT and ImportTable), YOU'D better read the tutors...

... your article is written in Russian, so I can't read it.

volodya
November 22nd, 2003, 18:23
You think you are a PE hero?

Hm, cuPegasus. There are many MUCH more difficult things than this one.

A default PE file (let's assume a dialog application created with asm) contains NO IAT AND ImportTable (creation is very simple using the stack during startup). Both entries in OptionalHeader.DataDirectory are zero, their size is zero too. Which named OS is able to run this application: Win9X, Win2K, WinXP? AND WHY?

1. I don't know such OS as Win 9x
2. Win 2k/Win XP/Win 2003.

Hopefully you know that the PE file is checked TWO times. The first one is when the OS creates the context of the process, i.e. the region of the virtual addresses. For Win2k the function is called MiVerifyImageHeader. The pseudocode is here:

NTSTATUS MiVerifyImageHeader(PIMAGE_NT_HEADERS pPE, ...)
{
    DWORD FileAlign;

    if (pPE->Signature != IMAGE_NT_SIGNATURE)
    {
        if (pPE->Signature != IMAGE_OS2_SIGNATURE)
            return STATUS_INVALID_IMAGE_PROTECT;            // 0C0000130h
        else
        {
            /* ...code for NE-checking... */
            if (NE is invalid)
                return STATUS_INVALID_IMAGE_WIN_16;         // 0C0000131h
        }
    }
    if (!pPE->FileHeader.Machine)
    {
        if (!pPE->FileHeader.SizeOfOptionalHeader)
            return STATUS_INVALID_IMAGE_PROTECT;
    }
    // IMAGE_FILE_EXECUTABLE_IMAGE
    if (!(pPE->FileHeader.Characteristics & 2))
        return STATUS_INVALID_IMAGE_FORMAT;                 // 0C000007Bh
    // the NT headers themselves must be DWORD-aligned
    if ((ULONG_PTR)pPE & 3)
        return STATUS_INVALID_IMAGE_FORMAT;
    if (pPE->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC)
        return STATUS_INVALID_IMAGE_FORMAT;
    FileAlign = pPE->OptionalHeader.FileAlignment;
    // a FileAlignment below 512 is only accepted when it equals SectionAlignment
    if (FileAlign & 0x1FF)
    {
        if (FileAlign != pPE->OptionalHeader.SectionAlignment)
            return STATUS_INVALID_IMAGE_FORMAT;
    }
    if (!FileAlign)
        return STATUS_INVALID_IMAGE_FORMAT;
    // FileAlignment must be a power of two
    if (FileAlign & (FileAlign - 1))
        return STATUS_INVALID_IMAGE_FORMAT;
    if (pPE->OptionalHeader.SectionAlignment < FileAlign)
        return STATUS_INVALID_IMAGE_FORMAT;
    if (pPE->OptionalHeader.SizeOfImage > 0x77000000)
        return STATUS_INVALID_IMAGE_FORMAT;
    return (pPE->FileHeader.NumberOfSections > 0x60) ?
           STATUS_INVALID_IMAGE_FORMAT : STATUS_SUCCESS;
}

There are several more checks in hyperspace... But I omit them for now.

This was the FIRST time. The second time the PE is checked is in ntdll.dll. There are several tricks here. At first, it is OS specific and Win2k WON'T LOAD the file without bound imports and an imports directory. If bound imports are present, there is no need for an imports directory and the loader safely ignores it. The bound imports directory is outside of the PE file sections, it is located in a pseudosection. If no bound imports are present and there is NO import directory - the file won't be loaded. For XP the situation is a little bit softer. I don't have this OS installed, so I cannot check it. But several people were telling me it is POSSIBLE to run such a file under this OS.

Does this satisfy you, cuPegasus?
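
Added example, not the thread's code: the first-pass checks from the MiVerifyImageHeader pseudocode in the post above, written as a pure function over already-parsed header fields so each rule can be exercised on its own, plus the second-pass rule the post states for the Win2k loader (a bound-import directory makes the import directory optional; with neither present the image is refused). The header values are constructed and the function returns NTSTATUS names rather than codes; it models the checks, it is not a loader, and the NE-specific validation is elided exactly as in the pseudocode.

```python
"""Added example (not the thread's code): the first-pass checks from the
MiVerifyImageHeader pseudocode, written as a pure function over already-parsed
header fields, plus the second-pass import/bound-import rule the post states for Win2k.
Header values are constructed; this models the checks, it is not a loader."""

IMAGE_NT_SIGNATURE = 0x00004550          # 'PE\0\0'
IMAGE_OS2_SIGNATURE = 0x454E             # 'NE'
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT = 11
STATUS_SUCCESS = "STATUS_SUCCESS"
STATUS_INVALID_IMAGE_PROTECT = "STATUS_INVALID_IMAGE_PROTECT"   # 0xC0000130
STATUS_INVALID_IMAGE_WIN_16 = "STATUS_INVALID_IMAGE_WIN_16"     # 0xC0000131
STATUS_INVALID_IMAGE_FORMAT = "STATUS_INVALID_IMAGE_FORMAT"     # 0xC000007B

def verify_image_header(h):
    """Same checks, same order as the pseudocode; returns the NTSTATUS name."""
    if h["Signature"] != IMAGE_NT_SIGNATURE:
        # NE-specific validation is elided here just as in the pseudocode
        if h["Signature"] == IMAGE_OS2_SIGNATURE:
            return STATUS_INVALID_IMAGE_WIN_16
        return STATUS_INVALID_IMAGE_PROTECT
    if h["Machine"] == 0 and h["SizeOfOptionalHeader"] == 0:
        return STATUS_INVALID_IMAGE_PROTECT
    if not h["Characteristics"] & IMAGE_FILE_EXECUTABLE_IMAGE:
        return STATUS_INVALID_IMAGE_FORMAT
    if h["NtHeaderOffset"] & 3:                     # IMAGE_NT_HEADERS must be DWORD-aligned
        return STATUS_INVALID_IMAGE_FORMAT
    if h["Magic"] != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        return STATUS_INVALID_IMAGE_FORMAT
    fa, sa = h["FileAlignment"], h["SectionAlignment"]
    if fa & 0x1FF and fa != sa:                     # below 512 only when equal to SectionAlignment
        return STATUS_INVALID_IMAGE_FORMAT
    if fa == 0 or fa & (fa - 1):                    # must be a non-zero power of two
        return STATUS_INVALID_IMAGE_FORMAT
    if sa < fa:
        return STATUS_INVALID_IMAGE_FORMAT
    if h["SizeOfImage"] > 0x77000000:
        return STATUS_INVALID_IMAGE_FORMAT
    if h["NumberOfSections"] > 0x60:
        return STATUS_INVALID_IMAGE_FORMAT
    return STATUS_SUCCESS

def loader_import_source(dirs):
    """Second pass, as the post describes it for Win2k: a bound-import directory
    makes the import directory optional; with neither the image is refused.
    dirs maps data-directory index -> (VirtualAddress, Size)."""
    if dirs.get(IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT, (0, 0))[0]:
        return "bound"
    if dirs.get(IMAGE_DIRECTORY_ENTRY_IMPORT, (0, 0))[0]:
        return "import"
    return None

def sample_header(**overrides):
    """Constructed, well-formed PE32 header fields (not from any real binary)."""
    h = dict(Signature=IMAGE_NT_SIGNATURE, NtHeaderOffset=0x40, Machine=0x14C,
             NumberOfSections=3, SizeOfOptionalHeader=0xE0, Characteristics=0x0102,
             Magic=0x10B, SectionAlignment=0x1000, FileAlignment=0x200, SizeOfImage=0x4000)
    h.update(overrides)
    return h

if __name__ == "__main__":
    for label, hdr in [("default", sample_header()),
                       ("FileAlignment 0x600", sample_header(FileAlignment=0x600)),
                       ("SectionAlignment < FileAlignment", sample_header(SectionAlignment=0x100))]:
        print(label, "->", verify_image_header(hdr))
```

The alignment rules are where hand-edited headers most often fail: 0x600 is a multiple of 512 but not a power of two, 0x100 is below 512 and is accepted only when SectionAlignment is also 0x100, and SectionAlignment must never be smaller than FileAlignment. `loader_import_source` returns the directory the loader would walk, or `None` for cuPegasus's import-free dialog application, which is the case the post says Win2k refuses.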

cuPegasus
November 23rd, 2003, 06:18
- The application is able to run on W9X and WinXP.
- It is not executable on W2K.
->(OptionalHeader.DataDirectory 1,11,12)

If you want to modify portable executable files which are able to run on all OS, you have to overlay the checking routines of W9X, W2K, WinXP... The file format is always the same, only the routines differ.

It was an interesting conversation.

cu,
Pegasus

Jon
November 24th, 2003, 09:03
Can any of you guys please show me or send me where I can get TheSvin's essays?

volodya
November 24th, 2003, 10:43
I'm glad TheSvin becomes popular.
First of all, TheSvin is in my group. Our site is wasm.ru. Go there. Go to the tools section and download all his educational programs and one article. Later on there will be more. Then go to the asm community board - forum.

esther
November 24th, 2003, 11:27
* TheSvin is in my group.
Go there. Go to the tools section and download all his educational programs and one article. Later on there will be more. Then go to the asm community board - forum.

Well, I'm not glad when it's all Russian as some ppl have mentioned. Pls don't advertise your group here, we aren't interested.

volodya
November 24th, 2003, 11:34
I'm not going to advertise anything. I don't care!
The guy asked for info, I gave it to him. That's it and that's all. Do not put your personal offences here - we aren't interested

esther
November 24th, 2003, 11:40
*Do not put your personal offences here - we aren't interested

If you aren't interested you shouldn't post the reply at the first place !!!

Bengaly
November 24th, 2003, 14:10
Here is my formatted version of TheSvin's opcode essays 'book'.
It can be found on the asm forum (TheSvin's approval for those who really wanna give the finger ).
Probably there are new essays, so they are not included.
I can't remember what was the last chapter in his essays, around 8-11 prolly.

volodya
November 24th, 2003, 14:18
I remember TheSvin was looking for it. Will you inform him about it or should I do it?

Bengaly
November 24th, 2003, 18:13
Quote:
[Originally Posted by vladimir]I remember TheSvin was looking for it. Will you inform him about it or should I do it?


the attachment above is still at the win32 asm forum..
quick search for 'opcode book' will probably reveal it.
you can inform him if you wish to...

JMI
November 26th, 2003, 14:59
It would appear that volodya and CuTedEvil have now kissed and made up because a copy of this effort has been posted by volodya on the wasm.ru site.
I love a happy ending. It happens so rarely in real life.

Regards.