Returning to Reversing

HyperVerge

Greetz,

I used to disassemble 16 bit executables for DOS BBS games such as Barren Realms Elite and EGA Trek using good ole debug.exe.

I started programming with BASIC on the Apple ][e and quickly jumped on the PC bandwagon with Assembly language. I never did like high-level languages as much as the low-level languages. I dabbled with Turbo Pascal (7) and Visual Basic (6.0 all the way up to 2013) and VBA.

I like using Ollydbg and WinDbg and recently have tried PEBrowse64, but each has limitations as far as single stepping through code. Exceptions happen far too often, it seems.

Anyone here use virtual machines (and serial or firewire ports) to take advantage of kernel debugging? I've tried it a couple times, but it was a very finicky procedure...

The scene sure has changed since the Internet went mainstream. I used to think 9600 bps was fast and 14,400 bps was blistering! R.I.P. x86

CybotX

Exceptions happen due to the anti-debugging included in the software. Nowadays software is smart enough to detect if a process is attached to a debugger or if you are single-stepping through code, and some software is even packed and protected. Most of the common exceptions can be ignored by changing the settings in your debugger; OllyDbg allows you to ignore all the common exceptions by setting a range in the options menu, and if you run a process and hit an exception, press Shift+F9 to bypass it. Please note some software protections can also detect if you are running in a virtual machine and if 'just in time' debugging is enabled for the OS; all these will cause exceptions. It's not the fault of the debugger that you are unable to step through the code, but the anti-debug techniques. There are methods to defeat them which require an extreme level of knowledge of Windows internals, device drivers, PE internals, Windows architecture and API programming. OllyDbg is one of the best user-mode (ring 3) debuggers out there you may ever find for dynamic analysis. It may even detect known APIs without configuring debugging symbols from the Microsoft symbol server; just looking into the local dbghelp.dll is enough to detect known symbols (except undocumented APIs).

WinDbg is best for static analysis and detecting the data structures that a process or driver might be using. WinDbg is a shell over the Windows debuggers (NTSD or KD); it is a ring 0 debugger that can debug both user and kernel mode. However, as I said, software protections are smart enough nowadays to detect debuggers like WinDbg too, so again you hit an exception and need to do some research to find a way out.

IDA Pro - Now this is a very fancy interactive debugger that allows you to do static analysis, generate graphs and flowcharts based on the analysis, and create custom labels for data and function procedures. It's one of the beloved tools of reverse engineers. To extend its power and functionality you may write powerful scripts using Python (if you are a 'C' programmer, learning Python is no big deal), or you may write plugins, just as you can with WinDbg, where you write custom WinDbg extensions to extend its power. Easy import and export of maps, IDC scripts, saving a snapshot of your analysis for later. Again, it's detectable by some of the most commonly known software protections, but it's very good for static analysis. IDA Pro too is a shell over a local debugger; other debuggers can be easily configured with the IDA shell, like WinDbg, Bochs etc. Not only this, IDA Pro has the ability to analyse any kind of binary that exists, from Windows to Linux binaries, including game consoles like Xbox and PlayStation, kernel and user memory dump analysis and much more.
Debugger

Wow... This is awesome :D
Phoenix

Good to see a caveman. Back from the stone age. Just kidding...... :D

Welcome to the forum HyperVerge. CybotX is the latest technology available in the market. You can also upgrade yourself like us.

We are still in the process of upgrade. :D
HyperVerge

Wow, I haven't heard the terms Ring 0 and Ring 3 since I was a teenager. Anyone remember remapping interrupt vector tables to intercept BIOS interrupts? Is there anything similar in function these days? The last good intercepting program I used was Soft-ICE (for protected mode debugging).

Thanks CybotX for the refresher on anti-debug techniques. I fondly recall unaspack, unarmadillo, peid, caspr, pklite/pkxlite, et al. Is IDA the same Interactive DisAssembler that existed for DOS all those years ago? Have you experimented with checked builds of Windows? I've gone as far as downloading and installing them (Win7 & Server 2008 R2), but haven't tried to actually do anything debugging-wise.
CybotX

Remapping interrupt vector tables to intercept BIOS interrupts - the days of SoftICE and DOS are over; all those terms have become obsolete with time.

To generate a DOS interrupt while programming a 16-bit application, please check the attachment I have made to this thread. It holds all the possible DOS interrupts you can use in your program. To debug the kernel in protected mode, WinDbg will need a memory snapshot, which you can obtain using an NMI interrupt to hit at a higher IRQL level, accessing protected mode to crash the system and generate a memory snap; this requires a system reboot, and then once the snap is obtained you can start debugging. However 'LiveKD' is a tool which will allow you to trick WinDbg into thinking that it is looking at a memory snap already, so you don't have to worry about generating an NMI interrupt, the system reboot can be skipped, and once the trick is performed you can continue doing live kernel-mode debugging. You don't even have to boot the system into debugging mode to do all this.

The day has come when the end of 32-bit systems is going to take place. This is the 64-bit era. You are using Server 2008 R2; you already know what I am talking about. WinXP is dead; Server 2003 will be dead soon too.

IDA can even be used for 16-bit DOS applications such as native .COM files.

The Windows checked build has larger binaries, with more debugging symbols in the code itself. I am using a retail version and so am limited in symbol information. Both of these builds have their own symbol files. When debugging a target on Windows, you must use the symbol files that match the build of Windows on the target. For example, if you are using an x64 system, use the x64 version of the debugger even while debugging a 32-bit app. The WOW64 implementation takes care of the rest.

GooD Luck...!


dosints.pdf

LiveKD.zip

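CybotX's point that the symbol files must match the build of the target is decided by one record inside the binary: the CodeView "RSDS" entry in the PE debug directory, which carries the PDB's GUID and age. WinDbg compares that GUID/age pair against the PDB it finds and rejects symbols from a different build. The script below is an added example (not code from this thread or from any of the tools mentioned): it constructs a minimal PE32+ image in memory with one RSDS record (constructed data, not a real Windows binary), then parses the headers the way a symbol-store lookup does and prints the `<pdbname>/<GUID><AGE>/<pdbname>` key. Point `pdb_signature()` at the bytes of a real image and it reports the key the debugger would request from the symbol server.

```python
"""Extract the PDB signature (GUID + age) a debugger uses to match symbols.

Added example, not code from the forum thread.  The PE image below is
constructed in memory for demonstration; the parser works on real images too.
"""
import struct
import uuid

IMAGE_DIRECTORY_ENTRY_DEBUG = 6   # index into the optional header data directories
IMAGE_DEBUG_TYPE_CODEVIEW = 2     # debug entry type whose payload is the RSDS record
DEBUG_DIRECTORY_SIZE = 28         # sizeof(IMAGE_DEBUG_DIRECTORY)


def rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError("RVA 0x%x not backed by any section" % rva)


def pdb_signature(data):
    """Return (pdb_name, symsrv_key) from the first CodeView RSDS debug entry.

    symsrv_key is the GUID in bytes_le layout as uppercase hex without dashes,
    followed by the age in hex: the directory name a symbol server uses.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # PE32 (0x10b) keeps the data directories at +96, PE32+ (0x20b) at +112.
    dd_base = opt + (112 if magic == 0x20B else 96)
    dbg_rva, dbg_size = struct.unpack_from("<II", data, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG)
    if dbg_rva == 0:
        raise ValueError("no debug directory")
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    dbg_off = rva_to_offset(dbg_rva, sections)
    for i in range(dbg_size // DEBUG_DIRECTORY_SIZE):
        entry = dbg_off + DEBUG_DIRECTORY_SIZE * i
        dtype, size_of_data, _addr, ptr_raw = struct.unpack_from("<IIII", data, entry + 12)
        if dtype != IMAGE_DEBUG_TYPE_CODEVIEW:
            continue
        cv = data[ptr_raw:ptr_raw + size_of_data]
        if cv[:4] != b"RSDS":
            continue
        guid = uuid.UUID(bytes_le=bytes(cv[4:20]))
        age = struct.unpack_from("<I", cv, 20)[0]
        name = cv[24:].split(b"\0", 1)[0].decode("utf-8", "replace")
        return name, "%s%X" % (guid.hex.upper(), age)
    raise ValueError("no CodeView RSDS entry")


def symbol_store_path(pdb_name, key):
    """Relative path a symbol server is asked for: <pdb>/<GUID><AGE>/<pdb>."""
    return "%s/%s/%s" % (pdb_name, key, pdb_name)


def build_sample_image():
    """Construct a minimal PE32+ file carrying one RSDS record (constructed data)."""
    guid = uuid.UUID("12345678-9abc-def0-1234-56789abcdef0")   # constructed GUID
    cv = b"RSDS" + guid.bytes_le + struct.pack("<I", 3) + b"example_ntkrnlmp.pdb\0"
    sec_rva, sec_ptr = 0x1000, 0x200        # one section: RVA 0x1000 at file offset 0x200
    debug_dir = struct.pack("<IIHHIIII", 0, 0, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW,
                            len(cv), sec_rva + DEBUG_DIRECTORY_SIZE, sec_ptr + DEBUG_DIRECTORY_SIZE)
    section_data = debug_dir + cv
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt_size = 240
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                         # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG, sec_rva, len(debug_dir))
    section = b".rdata\0\0" + struct.pack("<IIIIIIHHI", len(section_data), sec_rva,
                                          len(section_data), sec_ptr, 0, 0, 0, 0, 0x40000040)
    header = dos + b"PE\0\0" + coff + bytes(opt) + section
    return header + b"\0" * (sec_ptr - len(header)) + section_data


if __name__ == "__main__":
    name, key = pdb_signature(build_sample_image())
    print("PDB:", name, "signature:", key)
    print("symbol store request:", symbol_store_path(name, key))
```

If the key computed from the image differs from the one recorded in the PDB you have on disk, that PDB belongs to another build (retail vs. checked, a different service pack, or the other architecture) and the debugger will not load it; fetch the matching file rather than forcing a mismatched one.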
Debugger

CybotX... Now that's insane :P... Seriously, how much did you screw Windows, Cybot?? :P