Iria
Post subject: Inline ASM Help
Posted: Fri Dec 12, 2003 2:02 pm
User, Joined: Sat Nov 29, 2003 8:49 pm, Posts: 43

Hi, I wonder if any of you FASM ASM programmers can help me on this one. Basically I'm writing a program that I wish to distribute with a license key protection. I've done this in the past and found the software cracked and on a news group in less than a month. Still, I recently purchased a book that shows a number of ASM techniques for preventing (or at least making it harder) cracking. One of these techniques requires the program to drop into Ring0 (basically the license key checking/encryption is done in Ring0). Now I'm no ASM guru and I know little or nothing about FASM - however, having read all 66 truncated pages of the FASM manual I came up with the following code - however I get an error saying Privileged Instruction Exception when I compile and run - the whole point of the code is to drop into Ring0 and execute a command I know to be only executable in Ring0 (duh!) to prove that the program is in Ring0, i.e. I could then continue and write some code for license key checking. Please find my example code below. Any assistance on what I'm doing wrong or pointers to more FASM examples/tutorials/manuals will be much appreciated.

Code:

; Sample program to demonstrate a technique for software protection
; Basically if you can drop into ring0 you can prevent debugging by SoftICE and other
; debugging tools
; This can also be used for inappropriate behaviour (Read viruses!)
; so please dont!
; Inline ASM to pop into Ring 0, execute a Ring 0 command and return to Ring 3 execution
; Variables to store our edx and eax values
edxprevious.l = 0
eaxprevious.l = 0
! rdmsr                        ; rdmsr loads the contents of a 64-bit MSR (model specific register) of the
                               ; address specified in the ecx register into registers edx and eax
! MOV [v_edxprevious], edx     ; save the value of our current edx
! MOV [v_eaxprevious], eax     ; save the value of our current eax
! MOV ecx, l_ring0_routine     ; move the location of our ring 0 routine to the edx and eax registers
! wrmsr                        ; writes the contents of registers edx and eax into the
                               ; 64-bit MSR of the address specified in the ecx register
! sysenter                     ; executes a fast call to a level 0 system procedure whose location is
                               ; specified by the MSR
; Normal Ring 3 code continues here
End

ring0_routine:
! MOV eax, dr7                 ; this instruction is functional only in RING0
! MOV edx, [v_edxprevious]     ; restore our original location
! MOV eax, [v_eaxprevious]     ; restore our original location
! sysexit                      ; executes a fast return to level 3 user code, back to the MSR location we saved earlier


Rings
Post subject:
Posted: Fri Dec 12, 2003 2:35 pm
Moderator, Joined: Sat Apr 26, 2003 1:11 am, Posts: 1099

As I remember, only device drivers are allowed to change to ring0. Have you checked the FASM-Forum or Win32ASM-Forum already about this?

--
Thorium wrote: You don't want to be a script kiddy, do you?


dontmailme
Post subject:
Posted: Fri Dec 12, 2003 5:42 pm
Enthusiast, Joined: Wed Oct 29, 2003 10:35 am, Posts: 537

ring0 is a dangerous place to be 8O and I'm not sure a regular program can sit there !? Maybe you need to write a dummy device driver to do the checking ?!

--
Paid up PB User !


Iria
Post subject: Ok here is the original code directly from the book
Posted: Fri Dec 12, 2003 5:48 pm
User, Joined: Sat Nov 29, 2003 8:49 pm, Posts: 43

Switching into Ring0 Using the SEH (The Owl's Method)

The last, and probably the best, method for switching into ring0 is to use the SEH. The advantage of this method is that it's difficult to discover. While you can use other methods to call the SEH service and the Int 3h instruction, this solution is perfect when used with something like the previous example.

At the beginning of the program, you set a new SEH service that you then call with the Int 3h instruction, which causes an exception. The service tries to determine which exception caused it. Instruction Int 3h always causes the exception EXCEPTION_BREAKPOINT, so we can test it with our SEH service. The program finds the address of the Context array. The Context array checks the register values in the CS and SS of the program before causing the exception, and it saves them in the Context field in the ECX and EDX registers right after the switch into ring0. (This is important for the eventual return into ring3.) The program also sets new values for the CS and SS registers in the Context field: 28h for CS and 30h for SS, to ensure that the program will run in ring0 after the return. It also sets the flag for the CLI in the EFLAGS register, which prevents any interrupt calls. While the program is running in ring0, it returns all the values necessary for running in ring3 to the registers. Finally, it sets an address from which the program will run, and it switches back into ring3 by means of the IRETD function. Because this method is almost completely unknown, even programs like FrogsICE have problems detecting it.

Code:

.386
.MODEL FLAT,STDCALL
locals
jumps
UNICODE=0
include w32.inc
Extrn SetUnhandledExceptionFilter : PROC

.data
message1 db "An example of switching into Ring0 by means of the SEH (The Owl's method)",0
message2 db "RING0 was successfully activated",0

.code
Start:
xor eax,eax                     ;nulls the eax register because the new SEH
                                ;service is set
push offset xhandler            ;address for your new SEH service (xhandler)
push dword ptr fs:[eax]         ;saves the address of the original SEH service
mov dword ptr fs:[eax], esp     ;sets the new SEH service
pushfd                          ;saves the EFLAGS
mov eax,esp                     ;saves the ESP register (stack address)
int 3h                          ;causes an error and will also call your new SEH
                                ;service (xhandler)
;From here the program runs in RING0
;
mov ebx,dr7                     ;tests to see if you are really in RING0, and
                                ;restores the original register values for RING3
push edx                        ; GS
push edx                        ; FS
push edx                        ; ES
push edx                        ; DS
push edx                        ; SS
push eax                        ; ESP
push dword ptr [eax]            ; EFLAGS
push ecx                        ; CS
push offset ring3               ; EIP = address where it will jump back
                                ;into RING3
iretd                           ;jump back into RING3
;From here the program runs again in RING3
;
ring3:
popfd                           ;restores EFLAGS
pop dword ptr fs:[0]            ;sets the original SEH service
add esp,4                       ;clears the stack
call MessageBoxA,0, offset message2,offset message1,0
call ExitProcess, 1             ;ends the program
;Your new SEH service (xhandler)
;
xhandler:
push ebp                        ;sets the stack
mov ebp,esp                     ;and finds its address
push ebx
push ecx
mov ebx,[ebp+8]                 ;reads the address containing the information
                                ;about the error, which is the exception
                                ;location or address.
cmp dword ptr [ebx], 80000003h  ;tests to see if EXCEPTION_BREAKPOINT was the
                                ;error caused by INT 3h
jne end                         ;if not the program jumps
mov eax,[ebp+10h]               ;reads the address of the beginning of the
                                ;context
movzx ecx, word ptr [eax+0bch]  ;reads Seg.Cs from the Context
mov [eax+0ach],ecx              ;saves .ECX into the Context (this value will
                                ;be in the ECX after switching into RING0)
mov dword ptr [eax+0bch],28h    ;saves Seg.Cs into the Context (this value will
                                ;be in the CS register). This will secure switch
                                ;over into RING0.
movzx ecx, word ptr [eax+0c8h]  ;reads Seg.SS from the Context
mov [eax+0a8h],ecx              ;saves .EDX into the Context (this value will be
                                ;in the EDX after switching into the RING3)
mov dword ptr [eax+0c8h],30h    ;saves Seg.SS into the Context (this value will
                                ;be in the SS register). This will secure a
                                ;switch over into RING0.
or dword ptr [eax+0c0h],0200h   ;sets CLI into the Context.EFLAGS (this value
                                ;will be in the EFLAGS register)
mov eax,0                       ;nulls EAX
end:
pop ecx                         ;clears the stack
pop ebx
mov esp,ebp
pop ebp
retn                            ;jumps back into the program, but the example
                                ;program will continue running in RING0
ends
end Start


freedimension
Post subject:
Posted: Fri Dec 12, 2003 7:35 pm
Enthusiast, Joined: Tue May 06, 2003 2:50 pm, Posts: 620, Location: Germany

Please, can someone enlighten me as to what this whole ringX stuff means? Are they some kind of runlevels or what?
thx


Proteus
Post subject:
Posted: Fri Dec 12, 2003 7:50 pm
Enthusiast, Joined: Wed Sep 17, 2003 8:04 pm, Posts: 113, Location: The Netherlands

RingX things are processor privilege levels. At least, that's what it says here: http://en2.wikipedia.org/wiki/Ring_0

--
P4 2.4GHz, 256 MB, WinXP Pro, onboard video http:/


(following post, header not preserved)

There are kernel debuggers out there (I'm not using SoftICE, but I think it got such a part as well; after all, there is a NuMega DriverStudio, the name speaks for itself) which will allow you to snurk around in ring0. Don't think ring0 will make you 100% secure. Of course it will scare newbie crackers away, however you risk that the software won't work on some Windowses and so on. And it CAN and WILL be cracked anyway :p and, if possible, the cracker will simply avoid even looking in ring0. You gotta build the other stuff up around it so they can't just hook the protection off outside ring0.