'Reversing' 카테고리의 글 목록

Image File Execution options 설정으로 프로세스 시작시 자동 디버깅 가능

1. Regedit.exe

2. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

3. 서브키로 디버깅 하려는 Program의 이름을 추가 (Ex. clarus.exe)

4. 추가한 서브키에 "이름:Debugger ; 종류:문자열 값(REG_SZ) ; 데이터:디버거 Full path" 추가

by MSDN

You can set up your application to start Visual Studio when you launch the application from Windows. Visual Studio will load your application, ready for debugging, but will not commence debugging until you issue an execution command. Having Visual Studio launch the debugger in this way is useful for debugging services and COM out-of-proc servers.

To setup an application to launch the debugger automatically

Start the Registry Editor (regedit).
In the Registry Editor, open the HKEY_LOCAL_MACHINE folder.
Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\currentversion\image file execution options.
Under the Image File Execution Options folder, locate the name of the application you want to debug (myapp.exe, for example). If you cannot find the application you want to debug:
1. Right-click the Image File Execution Options folder and choose New Key from the shortcut menu.
2. Right-click the new key and choose Rename from the shortcut menu.
3. Edit the key name to the name of your application, for example, myapp.exe.
Right-click the myapp.exe folder and choose New String Value from the shortcut menu.
Right-click the new string value and choose Rename from the shortcut menu.
Change the name to debugger.
Right-click the new string value and choose Modify from the shortcut menu.
The Edit String dialog box appears.
In the Value data box, type devenv /debugexe.
Click OK.
From the Registry menu, choose Exit.
The directory containing devenv.exe must be in your system path.

Now, use any method to start your application. Visual Studio .NET will start and load the application.

'Reversing' 카테고리의 다른 글

hooks (0)	2015.11.12
Anti-reversing (0)	2012.09.24
Restructuring01 (0)	2011.12.12
unpack 참고 url (0)	2011.11.08
Inline patch 로 해결 (0)	2011.10.28

:

Restructuring01

Reversing 2011. 12. 12. 17:13

Tuto01RES_R.exe

- 원본

- 바이너리 분석

- 재구성

'Reversing' 카테고리의 다른 글

Anti-reversing (0)	2012.09.24
프로세스 시작시 자동 디버깅 (0)	2012.01.05
unpack 참고 url (0)	2011.11.08
Inline patch 로 해결 (0)	2011.10.28
IMAGE_SECTION_HEADER structure - Characteristics (0)	2011.10.28

:

unpack 참고 url

Reversing 2011. 11. 8. 15:07

In December the topic decides as "the shell" the correlation content, asks the friend which the panel members and each position is interested to accept.

Considered some article lengths quite are short, alone supposes for the essence, will cause the essence to be in flood, thus will lose the essence placard the significance, therefore decided the short article merge will be a group, will ask the member to accept take the group as the unit, will send when the placard please sends group of articles in a card.

1. ASProtect
1.
ASProtect Analysis Of Hardware Breakpoint Clearing Feature http://arteam.accessroot.com/tutorials.html? Fid=15
ASProtect 2.x SKE Inline Patching And Defeating Memory CRC http://arteam.accessroot.com/tutorials.html? Fid=13
ASProtect 2.x SKE Inline Patching Tutorial http://arteam.accessroot.com/tutorials
(To 12.09 accepts by arhat)

2.
ASProtect 2.3 SKE Inline Patching Tutorial http://arteam.accessroot.com/tutorials.html? Fid=12

3.
ASProtect SKE Unpacking Approach http://arteam.accessroot.com/tutorials.html? Fid=16

4.
Synopsis On Asprotect SKE Patching http://arteam.accessroot.com/tutorials.html? Fid=125

5.
Asprotect V2.xx Reload http://arteam.accessroot.com/tutorials.html? Fid=17

2. Armadillo
1.
Unpacking Armadilloed Dll http://arteam.accessroot.com/tutorials.html? Fid=141
Unpacking Armadillo V4.x With PE Header Trick.rar http://arteam.accessroot.com/tutorials.html? Fid=140

2.
Unpacking And Cracking Armadillo V4.x DLL http://arteam.accessroot.com/tutorials.html? Fid=132
Unpacking And Cracking Protection Plus V4.x DLL http://arteam.accessroot.com/tutorials.html? Fid=134

3.
Unpacking Armadillo V4.x With Code Splicing http://arteam.accessroot.com/tutorials.html? Fid=139
Unpacking Armadillo V3.x With ANTI-DUMP http://arteam.accessroot.com/tutorials.html? Fid=137

4.
Unpacking Armadillo V4.x With ANTI-BP http://arteam.accessroot.com/tutorials.html? Fid=138

3. EXECryptor

1.
Unpacking And Dumping ExeCryptor And Coding Loader http://arteam.accessroot.com/tutorials.html? Fid=136

2.
ExeCryptor 2.2.4
Http://www.reversing.be/article.php? Story=20061129191447423

3.
ExeCryptor 2.3.9 - Unpacking
Http://www.reversing.be/article.php? Story=20061206203632615

4.
ExeCryptor official crackme
Http://www.reversing.be/article.php? Story=20061201111617600

5.
ExeCryptor 2.2.50 - Unpacking MSVC++ target
Http://www.reversing.be/article.php? Story=20061206203057545
Unpacking_EXEcryptor_2.3x
Http://bbs.pediy.com/temp/Unpacking_EXEcryptor_2.3x.rar

4. Themida

1.
Tutorial: TheMida Defeating Ring0
Author: Deroko
Http://arteam.accessroot.com/tutorials.html? Fid=126

2.
THEMIDA The 1.0.0.5 And TRACERS By AkirA
Http://bbs.pediy.com//temp/english_AkirA themida.rar

5. MoleBox

1.
Unpacking MoleBox Pro V2.5 http://arteam.accessroot.com/tutorials.html? Fid=153
ACProtect Debug Register Protection http://arteam.accessroot.com/tutorials.html? Fid=4

6. SafeDisc

1.
SafeDisc 3.20 - 4.00
Http://www.reversing.be/article.php? Story=20061030193245121

7. Thinstall

1.
Thinstall 2.5 - manually unpacking
Http://www.reversing.be/article.php? Story=2005110100440274

2.
Thinstall 2.521 - unpacking dependencies and injecting a DLL
Http://www.reversing.be/article.php? Story=20060708191417910

7. PESpin

1.
PESpin 1.304 public - repairing IAT
Http://www.reversing.be/article.php? Story=20060224214713516

2.
PESpin v1.0 , 1.1 & 1.3 - manually unpacking
Http://www.reversing.be/article.php? Story=20050811173217736

8. Enigma protector

1.
Enigma protector 1.02 - manually unpacking
Http://www.reversing.be/article.php? Story=20060111231417419

9. Yoda Protectorr

1.
Yoda Protector 1.03.3 - manually unpacking
Http://www.reversing.be/article.php? Story=20060103202621966
(Oneself translates)
2.
Yoda's Protector v1.03.2 ? Manually unpacking tutorial
Http://www.reversing.be/article.php? Story=20050823224144160

10. Krypton

1.
Krypton 0.5 - (half) manually unpacking
Http://www.reversing.be/article.php? Story=20051130102647333

11. ActiveMark

1.
ActiveMark_v5.42.1218_F.E.A.R. _LOADER_by_CondZero.rar
Http://bbs.pediy.com/temp/ActiveMark_v5.42.1218_F.E.A.R. _LOADER_by_CondZero.rar

ActiveMARK_v5.x_Process_Dumper_by_CondZero.rar
Http://bbs.pediy.com/temp/ActiveMARK_v5.x_Process_Dumper_by_CondZero.rar

2.
Unpacking_ActiveMark_v5.x_Advanced_Part2_by_Condzero
Http://bbs.pediy.com/temp/Unpacking_ActiveMark_v5.x_Advanced_Part2_by_Condzero.rar

3.
Unpacking_ActiveMark_v5.x_Basic_Part1_by_Condzero
Http://bbs.pediy.com/temp/Unpacking_ActiveMark_v5.x_Basic_Part1_by_Condzero.rar

12. Other

1.
Cracking With Loaders Theory General Approach And A Framework V12
http://arteam.accessroot.com/tutorials.html? Fid=81
(Middle of the month person oneself translates)

Such are first many, has the good again increase, because I am not many to the shell understanding, but also asks the man of insight to direct, if above article translation necessity, also please one and pointed out.

This placard to 2007-02-22 20:11 by kanxue edition

'Reversing' 카테고리의 다른 글

프로세스 시작시 자동 디버깅 (0)	2012.01.05
Restructuring01 (0)	2011.12.12
Inline patch 로 해결 (0)	2011.10.28
IMAGE_SECTION_HEADER structure - Characteristics (0)	2011.10.28
VA, RVA, RAW (0)	2011.09.22

:

Inline patch 로 해결

Reversing 2011. 10. 28. 15:17

IMAGE_SECTION_HEADER structure - Characteristics 고려
(Ex. 0x80000000 ADD)

기존 사이즈로는 답 안나옴

long jump 때문에 5byte 갉아먹음

따라서 복원할 부분 binary copy

code cave 부분에 의도한 op code 뒤로 삽입

다시, patch한 5byte op code 이 후로 jump

'Reversing' 카테고리의 다른 글

Restructuring01 (0)	2011.12.12
unpack 참고 url (0)	2011.11.08
IMAGE_SECTION_HEADER structure - Characteristics (0)	2011.10.28
VA, RVA, RAW (0)	2011.09.22
바이너리 패치 후 파일 실행 오류 (0)	2011.08.29

:

IMAGE_SECTION_HEADER structure - Characteristics

Reversing 2011. 10. 28. 14:56

http://msdn.microsoft.com/en-us/library/windows/desktop/ms680341(v=vs.85).aspx

'Reversing' 카테고리의 다른 글

unpack 참고 url (0)	2011.11.08
Inline patch 로 해결 (0)	2011.10.28
VA, RVA, RAW (0)	2011.09.22
바이너리 패치 후 파일 실행 오류 (0)	2011.08.29
UPack 상세 분석 (0)	2010.09.02

:

VA, RVA, RAW

Reversing 2011. 9. 22. 19:18

VA = RVA + ImageBase

RAW - PointerToRawData = RVA - VirtualAddress

파일의 임의의 위치 - 해당섹션 시작위치 = 메모리의 임의의 위치 - 해당 섹션의 시작위치

'Reversing' 카테고리의 다른 글

Inline patch 로 해결 (0)	2011.10.28
IMAGE_SECTION_HEADER structure - Characteristics (0)	2011.10.28
바이너리 패치 후 파일 실행 오류 (0)	2011.08.29
UPack 상세 분석 (0)	2010.09.02
pe 분석 (0)	2010.09.01

:

바이너리 패치 후 파일 실행 오류

Reversing 2011. 8. 29. 14:48

실행 파일이 메모리에 로딩되어 프로세스로써 실행될 때 그대로 1:1로 로딩되는 것이 아니라,

규칙에 의해서 올라가게 되며 보통은 파일과 메모리가 1:1로 매칭 되지 않음

즉, 메모리에 대응되는 파일 오프셋이 존재하지 않으므로 수정된 코드를 파일로 만들면 오동작 하게 됨.

- PE Header를 분석하여 파일에 존재하지만 프로그램에서 사용되지 않는 공간을 버퍼영역으로 선정

- 파일 끝을 버퍼 영역 만큼 확장하고, PE header 를 수정하여 그 부분을 메모리에 로딩

'Reversing' 카테고리의 다른 글

IMAGE_SECTION_HEADER structure - Characteristics (0)	2011.10.28
VA, RVA, RAW (0)	2011.09.22
UPack 상세 분석 (0)	2010.09.02
pe 분석 (0)	2010.09.01
리틀 인디안, 빅 인디안 (0)	2010.08.30

:

C'est la vie

'Reversing'에 해당되는 글 16건

instant debugger

'Reversing' 카테고리의 다른 글

hooks

'Reversing' 카테고리의 다른 글

Anti-reversing

'Reversing' 카테고리의 다른 글

프로세스 시작시 자동 디버깅

'Reversing' 카테고리의 다른 글

Restructuring01

'Reversing' 카테고리의 다른 글

unpack 참고 url

'Reversing' 카테고리의 다른 글

Inline patch 로 해결

'Reversing' 카테고리의 다른 글

IMAGE_SECTION_HEADER structure - Characteristics

'Reversing' 카테고리의 다른 글

VA, RVA, RAW

'Reversing' 카테고리의 다른 글

바이너리 패치 후 파일 실행 오류

'Reversing' 카테고리의 다른 글

티스토리툴바