Thread: ASPR 1.2 question
View Single Post
  #2  
Old 04-30-2004, 08:22
JMI JMI is offline
Leader
  
Join Date: Jan 2002
Posts: 1,627
Rept. Given: 5
Rept. Rcvd 199 Times in 99 Posts
Thanks Given: 0
Thanks Rcvd at 98 Times in 96 Posts
JMI Reputation: 100-199 JMI Reputation: 100-199
OK. Let's try to get this typed without a crash.

I've rebooted my computer several times trying to get the MS Baseline Security program to load properly. Then I went back to the target and am having "different" behaviour, which mirrors what R@dier attached here, but is different than his tut on Tag&Rename, but I think I fully understand the difference.

First, the program is no longer crashing at the routine starting at 00A111D3. That's good and most likely has something to do with rebooting the computer several times. After the original F9 and 26 more SHIFT+F9s, I finally get to the 00A10019 routine we all know and love. But here it still does not behave the same as R@dier's tut on Tag&Rename, so I thought I'd mention the differences, to anyone who may be following along.

When I got to 00A10019, I tried setting the F2 bp on the RETN and pressing SHIFT+F9 one more time (as described in the Tag&Rename tut), where I had expected to bring up the memory map window and place a "break on access" on the code section. However, if I bp the RETN and hit another (the 28th total F9 and) SHIFT+F9, it breaks on the RETN, but the program IS ALREADY STARTED.

If, on the other hand, I bp the RETN at 00A1005C AND set a memory break on access on the .code section of the target, and press SHIFT+F9 one more time (for a total of 27 SHIFT+F9 and one F9) the program never reaches the bp on the RETN and goes RIGHT TO THE OEP at 0047ED5F, without ever running the CTRL+F11 described by R@dier in the Tag&Rename tut and, probably as a result, the run trace is completely empty. Works the same if no bp is set on the RETN and just a break on memory access is set on the .code section of the target, as R@dier's attachment states.

This program has NO Stolen Bytes, as everyone has reported, and this fact probably explains why that last tracing step using CTRL+ F11 was not necessary, but no one has actually said so and this was the first one of the few ASPR programs I've had time to play with recently, which had no stolen bytes.

R@dier's trick of letting ASPR fix its own IAT is very useful indeed.

Since I've not seen anyone discussing the possible indicators of when there might be, and might not be "stolen bytes" I have this observation. In those targets I had time to play with which HAD stolen bytes, that last exception was in the form:

00D23D03 3100 XOR DWORD PTR DS:[EAX],EAX
00D23D05 64:8F05 00000000 POP DWORD PTR FS:[0]
00D23D0C 58 POP EAX
00D23D0D 833D BC7ED200 00 CMP DWORD PTR DS:[D27EBC],0
00D23D14 74 14 JE SHORT 00D23D2A
00D23D16 6A 0C PUSH 0C
00D23D18 B9 BC7ED200 MOV ECX,0D27EBC
00D23D1D 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
00D23D20 BA 04000000 MOV EDX,4
00D23D25 E8 E6D2FFFF CALL 00D21010
00D23D2A FF75 FC PUSH DWORD PTR SS:[EBP-4]
00D23D2D FF75 F8 PUSH DWORD PTR SS:[EBP-8]
00D23D30 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
00D23D33 8338 00 CMP DWORD PTR DS:[EAX],0
00D23D36 74 02 JE SHORT 00D23D3A
00D23D38 FF30 PUSH DWORD PTR DS:[EAX]
00D23D3A FF75 F0 PUSH DWORD PTR SS:[EBP-10]
00D23D3D FF75 EC PUSH DWORD PTR SS:[EBP-14]
00D23D40 C3 RETN
00D23D41 5F POP EDI
00D23D42 5E POP ESI
00D23D43 5B POP EBX
00D23D44 8BE5 MOV ESP,EBP
00D23D46 5D POP EBP
00D23D47 C3 RETN

while this target, without stolen bytes is in the form:

00A10019 3100 XOR DWORD PTR DS:[EAX],EAX <---- we are currently stopped here;
00A1001B 64:8F05 00000000 POP DWORD PTR FS:[0]
00A10022 58 POP EAX
00A10023 833D D839A100 00 CMP DWORD PTR DS:[A139D8],0
00A1002A 74 14 JE SHORT 00A10040
00A1002C 6A 0C PUSH 0C
00A1002E B9 D839A100 MOV ECX,0A139D8
00A10033 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
00A10036 BA 04000000 MOV EDX,4
00A1003B E8 30C4FFFF CALL 00A0C470
00A10040 FF75 FC PUSH DWORD PTR SS:[EBP-4]
00A10043 FF75 F8 PUSH DWORD PTR SS:[EBP-8]
00A10046 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
00A10049 8338 00 CMP DWORD PTR DS:[EAX],0
00A1004C 74 02 JE SHORT 00A10050
00A1004E FF30 PUSH DWORD PTR DS:[EAX]
00A10050 FF75 F0 PUSH DWORD PTR SS:[EBP-10]
00A10053 FF65 EC JMP DWORD PTR SS:[EBP-14]
00A10056 5F POP EDI
00A10057 5E POP ESI
00A10058 5B POP EBX
00A10059 8BE5 MOV ESP,EBP
00A1005B 5D POP EBP
00A1005C C3 RETN

Notice the "extra" return in the first and the difference between the:

PUSH DWORD PTR SS:[EBP-14] for one with stolen bytes

vs

JMP DWORD PTR SS:[EBP-14] for one without.

Maybe one of you with more time to play can confirm whether this is a consistent pattern between these two types.

Regards,
__________________
JMI
Last edited by JMI; 04-30-2004 at 08:29.
Reply With Quote