2 posts matching 'manual'

  1. 2009.03.11 Intel CPU Architecture by CEOinIRVINE
  2. 2008.12.04 Manual Unpacking of UPX Packed PE File by CEOinIRVINE

Intel CPU Architecture

Hacking 2009. 3. 11. 03:05

Intel® 64 and IA-32 Architectures Software Developer's Manuals
 
 
These manuals describe the architecture and programming environment of the Intel® 64 and IA-32 processors. Electronic versions of these documents allow you to quickly get to the information you need and print only the pages you want. At present, downloadable PDFs of Volumes 1 through 5 are at version 029 and printed manuals of version 028 will be available soon. The downloadable PDF of the Intel 64 and IA-32 Architectures Optimization Reference manual is at version 017 and the printed manual at version 017.
 
Intel® 64 Architecture x2APIC Specification
This document describes the x2APIC architecture which is extended from the xAPIC architecture. Extensions to the xAPIC architecture are intended primarily to increase processor addressability. The x2APIC architecture provides backward compatibility to the xAPIC architecture and forward extendability for future Intel platform innovations.
(PDF 325KB)
 
 
Intel® 64 and IA-32 Architectures Application Note
TLBs, Paging-Structure Caches, and Their Invalidation

This application note is for supplemental information for the Intel® 64 and IA-32 Architectures Software Developer’s Manual Volumes 3A and 3B.
(PDF 235KB)
 
 
Intel® 64 and IA-32 Architectures Software Developer's Manual
Documentation Changes

Describes bug fixes made to the Intel® 64 and IA-32 Architectures Software Developer's Manual between versions.
 
 
Intel® 64 and IA-32 Architectures Software Developer's Manual
Volume 1: Basic Architecture

Describes the architecture and programming environment of processors supporting IA-32 and Intel® 64 Architectures.
(PDF 3.72MB)
(SKU #253665)
 
Intel® 64 and IA-32 Architectures Software Developer's Manual
Volume 2A: Instruction Set Reference, A-M

Describes the format of the instruction and provides reference pages for instructions (from A to M). This volume also contains the table of contents for both Volumes 2A and 2B.
(PDF 3.40MB)
(SKU #253666)
 
Intel® 64 and IA-32 Architectures Software Developer's Manual
Volume 2B: Instruction Set Reference, N-Z

Provides reference pages for instructions (from N to Z). VMX instructions are treated in a separate chapter. This volume also contains the appendices and index support for Volumes 2A and 2B.
(PDF 6.47MB)
(SKU #253667)
 
Intel® 64 and IA-32 Architectures Software Developer's Manual
Volume 3A: System Programming Guide

Describes the operating-system support environment of the IA-32 and Intel® 64 architectures, including memory management, protection, task management, interrupt and exception handling, multi-processor support, and thermal and power management features. This volume also contains the table of contents for both Volumes 3A and 3B.
(PDF 8.90MB)
(SKU #253668)
 
Intel® 64 and IA-32 Architectures Software Developer's Manual
Volume 3B: System Programming Guide

Continues the coverage on system programming subjects begun in Volume 3A. Volume 3B covers debugging, performance monitoring, system management mode, and Intel® Virtualization Technology (Intel® VT). This volume also contains the appendices and indexing support for Volumes 3A and 3B.
(PDF 4.73MB)
(SKU #253669)
 
Intel® 64 and IA-32 Architectures Optimization Reference Manual
The Intel® 64 and IA-32 Architectures Optimization Reference Manual provides information on Intel® Core™ processors, the Intel NetBurst® microarchitecture and other recent Intel® microarchitectures. It describes code optimization techniques that let you tune your application for highly optimized results when run on Intel® Atom™, Intel® Core™, Intel® Core™2 Duo, Intel® Core™ Duo, Intel® Xeon®, Intel® Pentium® 4, and Intel® Pentium® M processors.
(PDF 4.43MB)
(SKU #248966)
 
Intel® 64 Architecture Memory Ordering White Paper
This document has been merged into Volume 3A of Intel 64 and IA-32 Architectures Software Developer’s Manual.
 
Posted by CEOinIRVINE
Manual Unpacking of UPX Packed PE File

 
 
Introduction
Here is a short tutorial on unpacking a UPX packed binary file. UPX is a free, portable executable packer for several different executable formats. It achieves an excellent compression ratio and offers very fast decompression.

To follow this tutorial, download the latest UPX packer from the UPX website and pack any PE (Windows executable) file with it.

 
Unpacking Steps
Before we begin with the unpacking exercise, let's try to understand how UPX works. When you pack an executable with UPX, all existing sections of that file are compressed, and new UPX code is appended which decompresses the packed sections at run time. During the execution of a UPX packed binary, the following steps take place:

  • First, the current register state is saved with a PUSHAD instruction.
  • Next, all packed sections are unpacked.
  • The import table of the original executable is resolved.
  • Once that job is done, the register state is restored with a POPAD instruction.
  • Finally, the stub jumps to the Original Entry Point (OEP).
 
 
Unpacking UPX
The manual unpacking process involves the following steps:
  • Finding the OEP of the program.
  • Dumping the memory image of the binary when the program reaches the OEP.
  • Fixing the import table.
I am using a generic approach so that you will be able to unpack an executable packed with any version of UPX. Here I am using OllyDbg to unpack the PE file. Although you can use any debugger, OllyDbg is one of the best ring 3 debuggers for reverse engineering.

That is all you need to know before the start. Let's get into some action. Load the UPX packed binary file into OllyDbg and start tracing the binary until you encounter a PUSHAD instruction. Usually this is the first instruction, or it is present within the first few instructions, depending on the UPX version used to pack the PE file. Now put a breakpoint on the POPAD instruction. When we reach the POPAD instruction, all the sections will have been unpacked and all imports will have been resolved. After the POPAD instruction, the stub jumps to the OEP.

There are several ways to set the breakpoint when you are at the PUSHAD instruction. At this instruction, you can put a hardware read breakpoint on the address ESP-4. If you have the command bar plugin installed, you can just type 'hr esp-4' to set this breakpoint. The other way is to find the POPAD (opcode 61) instruction in the code and set the breakpoint yourself: scroll down in OllyDbg from the current instruction until you find all zeroes, and just a few instructions above the start of the zeroes you will find the POPAD instruction. Now you can set a breakpoint directly on the POPAD instruction.

Once you have set the breakpoint, press F9 and you will break either on the instruction immediately after POPAD or on the POPAD instruction itself, depending on which method you used. Now start tracing with F7, and soon you will encounter an instruction that jumps to the OEP, which is somewhere in the unpacked code section.

Now you have found the OEP. Note down this address somewhere. The next task is to dump the entire binary image from memory. This can be done with the OllyDump plugin which comes with OllyDbg. Launch this plugin and dump the entire binary file to disk using the default options. It will automatically fix the import table for you, so there is no need to fix it explicitly. That's it; you are done with unpacking the UPX packed file.
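The stub structure described above (PUSHAD, unpack, POPAD, JMP to the OEP in the unpacked section) can also be recognized statically, which is how a triage or detection script spots UPX-style packing before anyone opens a debugger. The following Python script is an added example and is not part of the original post or of UPX, OllyDbg or OllyDump: it parses the PE section table by hand, reports the usual UPX clues (UPX0/UPX1 section names, a first section with virtual size but no raw data, an entry point outside the first section, PUSHAD as the first instruction) and then applies the same heuristic the tutorial uses by hand: find the POPAD (opcode 61) after the entry point and the first JMP rel32 (opcode E9) after it whose target lands in a different section. The sample PE it analyses is constructed inline so the script runs offline; it is not a real UPX output, and the OEP RVA 0x1234 and the section layout are assumptions of the sample.

```python
import struct

DOS_SIGNATURE = b"MZ"
PE_SIGNATURE = b"PE\0\0"
PUSHAD, POPAD, JMP_REL32 = 0x60, 0x61, 0xE9


def build_sample_upx_like_pe(oep_rva=0x1234):
    """Constructed sample (not produced by UPX): a minimal PE32 laid out like a
    UPX packed file. UPX0 has no raw data (the unpack destination); UPX1 holds
    a stub of PUSHAD ... POPAD ... JMP OEP followed by zero padding."""
    upx0_va, upx0_vsize = 0x1000, 0x5000
    upx1_va, upx1_raw = 0x6000, 0x200
    stub = bytes([PUSHAD]) + b"\x90" * 40 + bytes([POPAD]) + b"\x90" * 6
    jmp_rva = upx1_va + len(stub)
    rel32 = (oep_rva - (jmp_rva + 5)) & 0xFFFFFFFF  # relative to the next instruction
    stub += bytes([JMP_REL32]) + struct.pack("<I", rel32)
    stub = stub.ljust(upx1_raw, b"\0")              # the trailing zeroes the tutorial mentions

    dos = DOS_SIGNATURE + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = PE_SIGNATURE + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, upx1_va)         # AddressOfEntryPoint: inside UPX1
    struct.pack_into("<I", opt, 28, 0x400000)        # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x7000, 0x200)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    sec = "<8sIIIIIIHHI"
    sections = struct.pack(sec, b"UPX0", upx0_vsize, upx0_va, 0, 0x200, 0, 0, 0, 0, 0xE0000080)
    sections += struct.pack(sec, b"UPX1", 0x1000, upx1_va, upx1_raw, 0x200, 0, 0, 0, 0, 0xE0000040)
    headers = (dos + coff + bytes(opt) + sections).ljust(0x200, b"\0")
    return headers + stub


def parse_pe(data):
    """Minimal PE header parser: entry point RVA and the section table."""
    if data[:2] != DOS_SIGNATURE:
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # same offset in PE32 and PE32+
    sections, off = [], opt + opt_size
    for _ in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr})
        off += 40
    return {"entry_rva": entry_rva, "sections": sections}


def section_for_rva(sections, rva):
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def rva_to_offset(sections, rva):
    s = section_for_rva(sections, rva)
    if s is None or rva - s["va"] >= s["rawsize"]:
        return None  # e.g. UPX0: exists only in memory, nothing on disk
    return s["rawptr"] + (rva - s["va"])


def upx_indicators(data, pe):
    """Static clues of a UPX-style stub. These are heuristics, not proof."""
    secs, found = pe["sections"], []
    names = [s["name"] for s in secs]
    if any(n.startswith("UPX") for n in names):
        found.append("section names %s" % names)
    if secs and secs[0]["rawsize"] == 0 and secs[0]["vsize"] > 0:
        found.append("first section has no raw data but %#x bytes of virtual size" % secs[0]["vsize"])
    ep_sec = section_for_rva(secs, pe["entry_rva"])
    if ep_sec is not None and ep_sec is not secs[0]:
        found.append("entry point %#x lies in %s, not in the first section" % (pe["entry_rva"], ep_sec["name"]))
    ep_off = rva_to_offset(secs, pe["entry_rva"])
    if ep_off is not None and ep_off < len(data) and data[ep_off] == PUSHAD:
        found.append("first instruction at the entry point is PUSHAD")
    return found


def find_oep_candidate(data, pe):
    """Locate POPAD after the entry point, then the first JMP rel32 after it
    whose target lies in another section; return that target RVA or None."""
    secs = pe["sections"]
    ep_sec = section_for_rva(secs, pe["entry_rva"])
    ep_off = rva_to_offset(secs, pe["entry_rva"])
    if ep_sec is None or ep_off is None or data[ep_off] != PUSHAD:
        return None
    stub = data[ep_off:ep_sec["rawptr"] + ep_sec["rawsize"]]
    popad = stub.find(bytes([POPAD]))  # raw byte scan, like scrolling for opcode 61 in OllyDbg
    if popad < 0:
        return None
    for i in range(popad + 1, len(stub) - 4):
        if stub[i] == JMP_REL32:
            rel = struct.unpack_from("<i", stub, i + 1)[0]
            target = (pe["entry_rva"] + i + 5 + rel) & 0xFFFFFFFF
            tsec = section_for_rva(secs, target)
            if tsec is not None and tsec is not ep_sec:
                return target
    return None


if __name__ == "__main__":
    sample = build_sample_upx_like_pe()
    info = parse_pe(sample)
    for line in upx_indicators(sample, info):
        print("indicator:", line)
    print("OEP candidate: RVA %#x" % find_oep_candidate(sample, info))
```

The opcode scan has the same weakness as the manual method: a 61 or E9 byte can also be an operand of another instruction, so treat the result as a candidate to confirm in the debugger. Pointing `parse_pe` at a file read from disk (`open(path, "rb").read()`) runs the same checks on a real sample; a clean file typically yields an empty indicator list and no OEP candidate.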
 
 
 
Fixing Import Table
For most of the advanced packers, OllyDump will not be able to fix the import table. In such a case, the following method will be helpful. Here we will be using the ImpREC tool, which is a more advanced tool for fixing the import table.

When you are at the OEP of the program, dump the memory image of the binary using OllyDump without asking it to fix the import table. Next, launch ImpREC and select the process you are currently debugging. Then in ImpREC, enter the OEP (enter only the RVA, not a complete address) and click the 'IAT Autosearch' button to search for the import table automatically. Then click 'Get Imports' to retrieve all the imported functions. You will see all the imported functions listed under their respective DLL names. If you find an import that is invalid (marked as valid: No), remove it by right-clicking on it and choosing 'Delete Thunks' from the popup menu. Once the import functions are identified, click the 'Fix Dump' button in ImpREC and select the previously dumped file.

Once you have dumped the image from memory and fixed the import table, you can verify it by executing that application.
 
 
UPX Unpacked...!
That's all; you have successfully unpacked the UPX packed executable file. It's a great job, though UPX is the simplest packer, without any anti-debugging features.

As you move on, you will see more and more challenging protectors. I hope you have enjoyed your first unpacking lesson as I did years back!
 
 
References
    1. UPX: Ultimate Packer for Executables.
    2. OllyDbg: Popular Ring 3 Debugger.
    3. ImpREC: Import Reconstruction for PE files.
 
 
See Also
  Writing PESpin plugin for ImpREC.
  Faster way to enumerate process heaps.
  Finding the reference count of DLL.
 
Posted by CEOinIRVINE