Contribute  :  Web Resources  :  Past Polls  :  Site Statistics  :  Downloads  :  Forum  
    BiW ReversingThe challenge is yours    
advanced search  
Topics
News (14)
Tutorials (115)
Crackmes (70)
Coding (23)
Challenges
Download
Hall Of Fame
User Functions
Username:

Password:

Don't have an account yet? Sign up as a New User
Banners
 Welcome to BiW Reversing
 Saturday, January 28 2023 @ 01:53 AM CET
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

Code beyond the JMP TABLE

 
Post new topic   Reply to topic    www.reversing.be Forum Index -> Coding Corner
View previous topic :: View next topic  
Author Message
Ksbunker
Occasional Poster
Occasional Poster


Joined: 15 Jul 2005
Posts: 24
PostPosted: Sun Jul 13, 2008 3:47 pm    Post subject: Code beyond the JMP TABLE Reply with quote
Code:
00401000 >/$ 6A 00          PUSH 0                                   ; /Style = MB_OK|MB_APPLMODAL
00401002  |. 6A 00          PUSH 0                                   ; |Title = NULL
00401004  |. 6A 00          PUSH 0                                   ; |Text = NULL
00401006  |. 6A 00          PUSH 0                                   ; |hOwner = NULL
00401008  |. E8 0D000000    CALL <JMP.&user32.MessageBoxA>           ; \MessageBoxA
0040100D  |. 6A 00          PUSH 0                                   ; /ExitCode = 0
0040100F  \. E8 00000000    CALL <JMP.&kernel32.ExitProcess>         ; \ExitProcess
00401014   .-FF25 00204000  JMP DWORD PTR DS:[<&kernel32.ExitProcess>;  kernel32.ExitProcess
0040101A   $-FF25 08204000  JMP DWORD PTR DS:[<&user32.MessageBoxA>] ;  user32.MessageBoxA


How do I get code after the JMP table? I.e. AFTER the following...?

Code:
00401014   .-FF25 00204000  JMP DWORD PTR DS:[<&kernel32.ExitProcess>;  kernel32.ExitProcess
0040101A   $-FF25 08204000  JMP DWORD PTR DS:[<&user32.MessageBoxA>] ;  user32.MessageBoxA
Back to top
View user's profile Send private message
detten
Site Admin


Joined: 05 Feb 2005
Posts: 317
PostPosted: Mon Jul 14, 2008 5:46 pm    Post subject: Reply with quote
Do you mean while linking, or when you fiddle with the PE header manually?
_________________
Ignorance is bliss, knowledge is power
Back to top
View user's profile Send private message Visit poster's website
Ksbunker
Occasional Poster
Occasional Poster


Joined: 15 Jul 2005
Posts: 24
PostPosted: Tue Jul 15, 2008 6:19 am    Post subject: re: Reply with quote
Was in a hurry when I posted that!

More information.

I can mess around with the PE post-linking, but I'd very much prefer to learn (if indeed one can) before/during linking.

I'm trying to make a crackme whereby, its general layout is as follows;

.data

;data

.code

EntryPoint:

;code

;jmp table

; db 1024 dup(0)
; code called in TLSCallback
end EntryPoint
Back to top
View user's profile Send private message
detten
Site Admin


Joined: 05 Feb 2005
Posts: 317
PostPosted: Thu Jul 17, 2008 10:37 am    Post subject: Reply with quote
Do you really need to have the code behind the jmp table in the same section?
If so, this is something I never tried. Still a couple of possible pointers :

All entries in the import redirect table are created like you would use EXTERN variables in your code. the linker automatically creates an entry in the table that 'links' to some lib you added to the linker. So I guess that is the way to go if you want to have extra code there. Maybe one redirection jump from there to your code is enough?

On the other hand, if you settle with modifying your app at runtime, there are possibilities to hack up the import table. You could for example have your codepiece encoded in whatever section, and have some code executed at startup that decodes it and injects it after the import redirect table...
Some good starter reading for that : http://www.codeproject.com/KB/system/inject2it.aspx

If you do find a clean way to do this without messing after linking, I'm interested to know how to do it Smile
_________________
Ignorance is bliss, knowledge is power
Back to top
View user's profile Send private message Visit poster's website
stingduk
Regular
Regular


Joined: 19 Feb 2005
Posts: 148
PostPosted: Sat Jul 19, 2008 8:03 pm    Post subject: Reply with quote
you mean like this ksbunker
Code:


00401000 >PUSH    ESP                                  ; /pThreadId = 0012FFC4
00401001  PUSH    0                                    ; |CreationFlags = 0
00401003  PUSH    ESP                                  ; |pThreadParm = 0012FFC4
00401004  PUSH    mytls.0040103C                       ; |ThreadFunction = mytls.0040103C
00401009  PUSH    0                                    ; |StackSize = 0
0040100B  PUSH    0                                    ; |pSecurity = NULL
0040100D  CALL    <JMP.&kernel32.CreateThread>         ; \CreateThread
00401012  PUSH    EAX
00401013  PUSH    -1                                   ; /Timeout = INFINITE
00401015  PUSH    EAX                                  ; |hObject = NULL
00401016  CALL    <JMP.&kernel32.WaitForSingleObject>  ; \WaitForSingleObject
0040101B  POP     EAX                                  ;  kernel32.7C816D4F
0040101C  PUSH    EAX                                  ; /hObject = NULL
0040101D  CALL    <JMP.&kernel32.CloseHandle>          ; \CloseHandle
00401022  PUSH    0                                    ; /Style = MB_OK|MB_APPLMODAL
00401024  PUSH    mytls.0040300C                       ; |Title = "Iczelion's tutorial no.2"
00401029  PUSH    mytls.00403025                       ; |Text = "Win32 Assembly is Great!"
0040102E  PUSH    0                                    ; |hOwner = NULL
00401030  CALL    <JMP.&user32.MessageBoxA>            ; \MessageBoxA
00401035  PUSH    0                                    ; /ExitCode = 0
00401037  CALL    <JMP.&kernel32.ExitProcess>          ; \ExitProcess
0040103C  RETN
0040103D  INT3
0040103E  JMP     NEAR DWORD PTR DS:[<&kernel32.CloseH>;  kernel32.CloseHandle
00401044  JMP     NEAR DWORD PTR DS:[<&kernel32.Create>;  kernel32.CreateThread
0040104A  JMP     NEAR DWORD PTR DS:[<&kernel32.ExitPr>;  kernel32.ExitProcess
00401050  JMP     NEAR DWORD PTR DS:[<&kernel32.IsDebu>;  kernel32.IsDebuggerPresent
00401056  JMP     NEAR DWORD PTR DS:[<&kernel32.WaitFo>;  kernel32.WaitForSingleObject
0040105C  JMP     NEAR DWORD PTR DS:[<&kernl.Messagebo>;  kernl.Messagebox
00401062  JMP     NEAR DWORD PTR DS:[<&user32.MessageB>;  USER32.MessageBoxA
00401068  PUSH    EBP
00401069  MOV     EBP, ESP
0040106B  CALL    <JMP.&kernel32.IsDebuggerPresent>    ; [IsDebuggerPresent
00401070  CMP     EAX, 1
00401073  JNZ     SHORT mytls.0040107A
00401075  CALL    <JMP.&kernl.Messagebox>
0040107A  MOV     EAX, 1
0040107F  LEAVE
00401080  RETN    0C
00401083  PUSH    EBP
00401084  MOV     EBP, ESP
00401086  CALL    <JMP.&kernel32.IsDebuggerPresent>    ; [IsDebuggerPresent
0040108B  CMP     EAX, 1
0040108E  JNZ     SHORT mytls.00401095
00401090  CALL    <JMP.&kernl.Messagebox>
00401095  MOV     EAX, 1
0040109A  LEAVE
0040109B  RETN    0C



you already have a readymade sample in downloads here

take a look at ntglobalflag plugin for ollydbg
it comes with a small test exe which has all things you ask for done

it has two sections (i intentionally kept my code in two sections )

but you can use /merge:mysection=.text directive in linker command to merge .text with jmp table to tls code after jump table like i pasted above

\masm32\bin\Link /section:mysection,ERW /merge:mysection=.text /SUBSYSTEM:WINDOWS %1.obj

all you need to do is

.code

start:

your code here

then insert one more section with another
.code YourSecrectSection

insert your secret code here

finish with
end start

take a look at mytls.asm

as a bonus it has tls codes too Smile

Detten WHERE ARE YOU you Seem to be adept at doing a disaapearing Act
Back to top
View user's profile Send private message
detten
Site Admin


Joined: 05 Feb 2005
Posts: 317
PostPosted: Tue Jul 22, 2008 8:58 am    Post subject: Reply with quote
Nice explanation stingduk, I forgot all about your precious tool!

Quote:

Detten WHERE ARE YOU you Seem to be adept at doing a disaapearing Act


I visit Efnet #biw now and then, but not daily Sad
I can be reached through mail : detten (at nospam) gmail (dot) com
Will bring the shell server back up one of these days aswell.
_________________
Ignorance is bliss, knowledge is power
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:   
Post new topic   Reply to topic    www.reversing.be Forum Index -> Coding Corner All times are GMT + 1 Hour
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group
 Copyright © 2023 BiW Reversing
 All trademarks and copyrights on this page are owned by their respective owners.		 Powered By Geeklog 
Created this page in 1.12 seconds