ReversingLabs | Forum
News: TitanEngine 2.0.3 has been released
 
Author Topic: [Contest] Do a cool engine hack or usage sample and win a T-shirt!  (Read 978 times)
tpericin (Chief Software Architect, Administrator)
« on: August 01, 2009, 09:21:23 PM »

Apply here...


[attachment: revesing_lab_majice.jpg, 1280x1600]
roxaz
« Reply #1 on: August 02, 2009, 12:59:45 PM »

Some time ago I implemented my own pattern search that worked with patterns provided as a C string like ?00 ?? 12 0C 2D ???. TitanEngine, however, uses patterns provided in byte arrays, and you have to set the wildcard byte manually. I noticed that the function Find is just a mirror of FindEx. As Ex functions are always more powerful, Find had to be simplified, and that's what I did. My modification of that function no longer accepts the pattern length and wildcard; instead of a byte array you have to provide a C string pattern.

The function allocates a temporary WORD array, then converts the textual representation of bytes to numbers and stores them in the array. ?? is stored as 0x3F3F. Now you can see why the temporary array is needed: to store wildcards. The next step is to discover which byte of 0-0xFF is not used in the pattern, and use it as the wildcard. When that is figured out, the bytes in the WORD array are copied to the BYTE array, and the wildcard WORD 0x3F3F is replaced with the previously discovered wildcard byte. This function has one flaw though, and it comes from the engine itself. If you happen to use all 256 possible bytes in a pattern you will run out of possible candidates for the wildcard; then 0x00 will be used as the wildcard and 0x00 will not be matched in the pattern. But hey, who makes patterns that long and difficult? I doubt anyone does. So this is a flaw in theory only, I guess.

Replace function Find in UnpackerEngine.cpp with:
Code:
__declspec(dllexport) long long __stdcall Find(LPVOID MemoryStart, DWORD MemorySize, LPCSTR SearchPattern){

    // Each byte of the text pattern is two hex digits (or "??") followed by a space: three characters per byte.
    DWORD PatternSize = (strlen(SearchPattern) + 1) / 3;
    BYTE WildCard = 0;
    WORD* WordPattern = new WORD[PatternSize];
    BYTE* BytePattern = new BYTE[PatternSize];

    // Convert the text to numbers. "??" is kept as the WORD 0x3F3F, a value no single byte can take,
    // which is why the temporary array has to be WORD-sized.
    for (DWORD i = 0; i < PatternSize; i++)
    {
        PCHAR Num = (PCHAR)(SearchPattern + i * 3);

        if(*(PWORD)Num == (WORD)0x3F3F) // ??
            WordPattern[i] = (WORD)0x3F3F;
        else
            WordPattern[i] = (WORD)strtol(Num, 0, 16);
    }

    // Pick a byte value that does not occur in the pattern and use it as the wildcard.
    // The counter must be wider than BYTE: a BYTE can never exceed 0xFF, so "i <= 0xFF" would loop forever.
    for (DWORD i = 0; i <= 0xFF; i++)
    {
        DWORD j;
        for (j = 0; j < PatternSize; j++)
        {
            if (WordPattern[j] == i)
                break;
        }

        if (j == PatternSize)
            WildCard = (BYTE)i; // value is unused in the pattern, so it is a valid wildcard
    }

    // Copy to the BYTE array, writing the chosen wildcard byte into every "??" position.
    // (Writing it back into WordPattern instead would leave BytePattern uninitialised there.)
    for (DWORD i = 0; i < PatternSize; i++)
    {
        if(WordPattern[i] == 0x3F3F)
            BytePattern[i] = WildCard;
        else
            BytePattern[i] = (BYTE)WordPattern[i];
    }

    delete[] WordPattern;

    long long Return = FindEx(dbgProcessInformation.hProcess, MemoryStart, MemorySize, BytePattern, PatternSize, &WildCard);

    delete[] BytePattern;

    return Return;
}

Replace function declaration in SDK.h with:
Code:
__declspec(dllexport) long long __stdcall Find(LPVOID MemoryStart, DWORD MemorySize, LPCSTR SearchPattern);
« Last Edit: August 04, 2009, 02:07:16 AM by roxaz »
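The conversion described in the post above, as an added, stand-alone example that is not roxaz's patch or TitanEngine code. ParsePattern turns a text pattern such as "55 8B ?? E8" into a byte array plus a wildcard byte the same way the post does (a sentinel byte absent from the literal bytes stands in for "??"), but keeps the wildcard positions in a separate flag vector rather than a WORD array, and reports failure when all 256 byte values occur in the pattern instead of silently falling back to 0x00. FindWithWildcard is a local stand-in for the engine's FindEx that searches a buffer in the current process (no hProcess, wildcard passed by value), and kSample is a constructed byte string, not data from any real binary. All names here are assumptions of this example.

```cpp
#include <cctype>
#include <cstdint>
#include <cstdlib>
#include <string>
#include <vector>

// Result of parsing a text pattern. Wildcard positions in `bytes` hold `wildcard`.
struct BytePattern {
    std::vector<uint8_t> bytes;
    std::vector<bool> isWild;   // true where the text had "??"
    uint8_t wildcard = 0;       // sentinel byte absent from all literal bytes
    bool ok = false;            // false for malformed text or no free sentinel
};

// Parse "AA BB ?? CC": tokens of two hex digits or "??", separated by spaces.
BytePattern ParsePattern(const std::string& text) {
    BytePattern p;
    bool used[256] = {false};
    size_t i = 0;
    while (i < text.size()) {
        if (text[i] == ' ') { ++i; continue; }
        if (i + 1 >= text.size()) return p;            // dangling single character
        char a = text[i], b = text[i + 1];
        if (a == '?' && b == '?') {
            p.bytes.push_back(0);                      // placeholder, patched below
            p.isWild.push_back(true);
        } else if (isxdigit((unsigned char)a) && isxdigit((unsigned char)b)) {
            char buf[3] = {a, b, 0};
            uint8_t v = (uint8_t)strtoul(buf, nullptr, 16);
            p.bytes.push_back(v);
            p.isWild.push_back(false);
            used[v] = true;
        } else {
            return p;                                  // not hex and not "??"
        }
        i += 2;
        if (i < text.size() && text[i] != ' ') return p; // tokens must be space-separated
    }
    if (p.bytes.empty()) return p;

    // Choose a sentinel byte that never appears as a literal byte of the pattern.
    int sentinel = -1;
    for (int v = 0; v < 256; ++v) {
        if (!used[v]) { sentinel = v; break; }
    }
    if (sentinel < 0) return p;  // every value 0x00..0xFF is literal: a sentinel scheme cannot express this
    p.wildcard = (uint8_t)sentinel;
    for (size_t k = 0; k < p.bytes.size(); ++k) {
        if (p.isWild[k]) p.bytes[k] = p.wildcard;
    }
    p.ok = true;
    return p;
}

// Stand-in for FindEx: sentinel-byte search over a local buffer. Returns the offset or -1.
long long FindWithWildcard(const uint8_t* mem, size_t memSize,
                           const uint8_t* pat, size_t patSize, uint8_t wildcard) {
    if (patSize == 0 || patSize > memSize) return -1;
    for (size_t off = 0; off + patSize <= memSize; ++off) {
        size_t k = 0;
        for (; k < patSize; ++k) {
            if (pat[k] != wildcard && mem[off + k] != pat[k]) break;
        }
        if (k == patSize) return (long long)off;
    }
    return -1;
}

// Mirrors the shape of the post's Find(MemoryStart, MemorySize, "text pattern").
// Returns -2 for a malformed or unrepresentable pattern, -1 for not found.
long long FindText(const uint8_t* mem, size_t memSize, const std::string& pattern) {
    BytePattern p = ParsePattern(pattern);
    if (!p.ok) return -2;
    return FindWithWildcard(mem, memSize, p.bytes.data(), p.bytes.size(), p.wildcard);
}

// Builds the pathological pattern from the post: all 256 byte values plus one "??".
std::string AllBytesPattern() {
    std::string s;
    char buf[4];
    for (int v = 0; v < 256; ++v) {
        snprintf(buf, sizeof buf, "%02X ", v);
        s += buf;
    }
    return s + "??";
}

// Constructed sample "memory": a few x86-looking bytes (push ebp; mov ebp,esp; call rel32; ret).
const uint8_t kSample[] = { 0x90, 0x90, 0x55, 0x8B, 0xEC, 0xE8, 0x11, 0x22, 0x33, 0x44, 0xC3 };
const size_t kSampleSize = sizeof(kSample);
```

The flag vector makes the "which positions are wildcards" question independent of the sentinel value, so exhaustion of sentinel candidates is detected up front and surfaces as a distinct return code rather than as a silently wrong match against 0x00.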
tpericin
« Reply #2 on: August 02, 2009, 07:17:43 PM »

Cool hack noted, will be rewarded with a T-shirt. Email me with a drop location and we will make sure you get it as soon as they are out of the print.