[Plugin] Polymorphic Breakpoint


Mattwood
October 12th, 2005, 12:19
Hi,

I just released a new plugin to set a special breakpoint.

http://reverseengineering.online.fr/spip/article.php3?id_article=50 (Sources are included)

Cheers.

Mattwood^FRET

blabberer
October 12th, 2005, 12:43
nice to see it here

Ricardo Narvaja
October 12th, 2005, 13:44
I tried it but it doesn't work for me. I don't know if I am using it well, but I tried with any polymorphic bp, pressed run, it stopped on an ACCESS VIOLATION, but when I press Shift+F9 to skip the exception and continue, the program generates an error and crashes.

I think a little explanation of the method of use is necessary.

Ricardo Narvaja

Mattwood
October 12th, 2005, 13:58
lol Ricardo, of course, look:

With the first version of the breakpoint we have:
CALL unpatche.01006381
FSUB ST(5),ST
XOR DWORD PTR SS:[ESP],1337 ; <= EXCEPTION
JMP NEAR DWORD PTR SS:[ESP] ; kernel32.7C816D4F

Here the program crashes because you need a special characteristic: WRITABLE.

So I created a second version of the breakpoint,
the Stack Polymorphic breakpoint:

CALL unpatche.01006398
PUSH 0FE21
XOR BYTE PTR SS:[ESP],0CA
JMP NEAR ESP

The stack is writable and executable, so I use it; it's a better way.

Mattwood^FRET

Ricardo Narvaja
October 12th, 2005, 14:56
Yes, I see: when it loops, pause, press minus to return to the bp address, set new origin here, quit the bp and RUN.

With this sequence, pause and you can continue.

Ricardo

Mattwood
October 12th, 2005, 15:08
Yes, to remove a breakpoint you need to pause OllyDbg, and then go to the Polymorphic breakpoint manager.

Mattwood^FRET

odshell
October 18th, 2005, 20:55
To Mattwood:

From your readme.txt:

The way of the plugin is to set a polymorphic EBFE like:

00DE321C . E8 02000000 CALL 0x90f.00DE3223
00DE3221 . DCED FSUB ST(5),ST
00DE3223 $ 813424 371300>XOR DWORD PTR SS:[ESP],1337
00DE322A .- FF2424 JMP NEAR DWORD PTR SS:[ESP]

Here the routine decrypts DCED with 1337 and the word at [00DE3221] = EBFE, but this way needs a special right: the section must be writable.

Did you test it? Your code is wrong.
[ESP]=00DE3221,
[[ESP]]=[00DE3221]=EDDC
So what does "XOR DWORD PTR SS:[ESP],1337" mean? It doesn't work.
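
The point odshell raises, and the reason Mattwood's second (stack) version works, can both be checked with a few lines of arithmetic. The following is an added example, not code from the plugin or from either poster: it models the two instruction sequences quoted in this thread as byte and integer operations (the CALL pushing its return address, the XOR on the top of the stack, the bytes JMP ESP lands on). The addresses 00DE321C/00DE3221 and the constants DCED, 1337, 0FE21 and 0CA are the ones from the posts above; the function names and the `is_ebfe` helper are my own.

```python
import struct

# Constructed model (not the plugin's code) of the two breakpoint sequences
# discussed in this thread. It does not execute x86; it only reproduces the
# data effects so the two versions can be compared.

EBFE = bytes.fromhex("EBFE")  # JMP $-2, the self-loop that acts as the breakpoint


def stack_polymorphic_bp(imm32=0x0000FE21, xor_byte=0xCA):
    """PUSH imm32 / XOR BYTE PTR SS:[ESP],xor_byte / JMP ESP.

    Returns the four stack bytes that JMP ESP starts executing.
    PUSH writes imm32 little-endian at ESP, so the low byte of imm32
    is the first byte executed; the XOR only touches that byte.
    """
    stack = bytearray(struct.pack("<I", imm32))
    stack[0] ^= xor_byte
    return bytes(stack)


def first_version_bp(call_addr=0x00DE321C, encrypted=bytes.fromhex("DCED"), key=0x1337):
    """CALL +2 / <2 encrypted bytes> / XOR DWORD PTR SS:[ESP],key / JMP NEAR DWORD PTR SS:[ESP].

    Returns what the readme intended versus what the XOR actually changes.
    The CALL (E8 rel32, 5 bytes) pushes the address of the encrypted bytes;
    [ESP] therefore holds that address, not the bytes stored there.
    """
    ret_addr = call_addr + 5
    # Intended: XOR the encrypted word at ret_addr with key (would give EB FE).
    intended = struct.pack("<H", struct.unpack("<H", encrypted)[0] ^ key)
    # Actual: the saved return address itself is XORed, the code is untouched,
    # and JMP [ESP] transfers to the mangled address.
    jump_target = ret_addr ^ key
    return {
        "return_address": ret_addr,
        "intended_code": intended,
        "code_at_return_unchanged": encrypted,
        "jump_target": jump_target,
    }


def is_ebfe(code):
    """True if the first two bytes are the EB FE self-loop."""
    return code[:2] == EBFE


if __name__ == "__main__":
    print("stack version executes:", stack_polymorphic_bp().hex(), "loop:", is_ebfe(stack_polymorphic_bp()))
    r = first_version_bp()
    print("first version: return address %08X, intended code %s, code actually at it %s, jumps to %08X"
          % (r["return_address"], r["intended_code"].hex(), r["code_at_return_unchanged"].hex(), r["jump_target"]))
```

Running it shows the stack version producing EB FE 00 00 at ESP (0x21 ^ 0xCA = 0xEB), while the first version's XOR leaves DC ED in place and sends the JMP to 00DE2116 instead of back to 00DE3221, which is exactly the mismatch odshell describes: the key 1337 would decrypt EDDC to FEEB, but it is applied to the address rather than to the bytes at that address.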

Mattwood
October 21st, 2005, 06:46
OMFG, thank you odshell.

I corrected it.

You can download the new version at http://reverseengineering.online.fr/spip/article.php3?id_article=50