Re: TLS Callback Entry in Assembly (win32)


#1, 08-10-2008, 05:50 PM
Tim Roberts

Re: TLS Callback Entry in Assembly (win32)

"bwaichu@yahoo.com" <spamtrap@crayne.org> wrote:
>
>UPX2:004080F1 push 61736D38h <-- not sure if this
>is a checksum
Nope. It's a signature. Those are the ASCII characters 'asm8'.
--
Tim Roberts, timr@probo.com
Providenza & Boekelheide, Inc.

#2, 08-10-2008, 11:51 PM
bwaichu@yahoo.com

Re: TLS Callback Entry in Assembly (win32)

On Aug 10, 2:50 pm, Tim Roberts <spamt...@crayne.org> wrote:
> "bwai...@yahoo.com" <spamt...@crayne.org> wrote:
>
> >UPX2:004080F1 push 61736D38h <-- not sure if this
> >is a checksum
>
> Nope. It's a signature. Those are the ASCII characters 'asm8'.
> --
> Tim Roberts, t...@probo.com
> Providenza & Boekelheide, Inc.


Thanks. I have dug some more and have spent the better part of the weekend reading about exe packers. This one is upx, which can be seen in any hex viewer and in the IDA disassembly. The TLS Callback just increments the debugger piece, so that plugins that reduce it back to zero have no effect.

That part above pushes the first part of the e-mail address used, so the workaround is a little tricky. Basically, this contest really has me looking at the workings of the PE format, unpacking, and anti-debugging tricks.

To complete it, I just downloaded uat and unpacked it. But I still need to better understand manual unpacking.

I have been pointed to chimprec, which replaces lordpe/imprec for dumping the exe after reaching the original entry point, and rebuilding the IAT. I have a lot more to learn about how Windows exe files are built.

Right now, I'm trying to build a program that runs the TLS Callback, puts up a message saying that the program is in the callback, runs the start entry point and prints out a message saying the program arrived in start. But I'm struggling to do this in NASM. Is there a way to do this without editing the PE header after linking the file in NASM, or do I have to write this in MASM32?

What is interesting is that the callback occurs in the data segment, not the text segment.

I think, at some point, I need to write a basic exe packer in assembly to see how they are written.

Thanks.
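
The NASM question in the post above, answered with an added example that is not from the thread or its posters: a minimal win32 program whose TLS callback runs (and shows a message) before the entry point, which then shows its own message. It assumes a GNU ld (MinGW) link, which fills the PE TLS data directory from a global `__tls_used` symbol so the header needs no post-link editing; `tlsdemo` and the message strings are placeholders.

```nasm
; Added example, not the thread's code. Assumes NASM + GNU ld (MinGW), which
; sets the PE TLS data directory to the address of the global __tls_used symbol.
; Build: nasm -f win32 tlsdemo.asm -o tlsdemo.obj
;        ld -o tlsdemo.exe tlsdemo.obj -e _start -L<mingw-lib-dir> -luser32 -lkernel32
    global  _start
    global  __tls_used              ; name ld looks up on i386
    extern  _MessageBoxA@16
    extern  _ExitProcess@4

section .data
    title     db 'TLS demo', 0
    msg_cb    db 'In TLS callback (runs before the entry point)', 0
    msg_start db 'In start (entry point)', 0
    tls_data  dd 0                  ; per-thread data template, one dword
    tls_end:
    tls_index dd 0                  ; loader writes the TLS slot index here
    callbacks dd tls_callback, 0    ; NULL-terminated callback array

    ; IMAGE_TLS_DIRECTORY32: the structure the loader reads via the TLS directory
    __tls_used:
        dd tls_data                 ; StartAddressOfRawData
        dd tls_end                  ; EndAddressOfRawData
        dd tls_index                ; AddressOfIndex
        dd callbacks                ; AddressOfCallBacks
        dd 0                        ; SizeOfZeroFill
        dd 0                        ; Characteristics

section .text
; void WINAPI tls_callback(PVOID DllHandle, DWORD Reason, PVOID Reserved)
tls_callback:
    cmp     dword [esp+8], 1        ; act only on DLL_PROCESS_ATTACH, before _start
    jne     .done
    push    0                       ; MB_OK
    push    title
    push    msg_cb
    push    0                       ; hWnd = NULL
    call    _MessageBoxA@16
.done:
    ret     12                      ; stdcall: callee removes the 3 dword args

_start:
    push    0
    push    title
    push    msg_start
    push    0
    call    _MessageBoxA@16
    push    0
    call    _ExitProcess@4
```

Because the loader walks AddressOfCallBacks before transferring control to the entry point, a debugger that breaks only at `_start` never sees the first message box; this is exactly the ordering the packer in the thread relies on.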
