Re[2]: Re:IDA Pro help required!

hello

Friday, February 4, 2005, 12:57:06 PM, you wrote:
RD> Disassembling is also required when some hacker emulates your driver and
RD> replaces it with their own for various reasons. And this is what has
RD> happened with one of our products. So I was just trying to disassemble and
RD> analyse what all the hacker’s driver has done.
hehe, just out of curiosity: is it some kind of a dongle?

rat

yes, it’s a dongle
“Ratter” wrote in message news:xxxxx@ntfsd…
> hello
>
> Friday, February 4, 2005, 12:57:06 PM, you wrote:
> RD> Disassembling is also required when some hacker emulates your driver and
> RD> replaces it with their own for various reasons. And this is what has
> RD> happened with one of our products. So I was just trying to disassemble and
> RD> analyse what all the hacker’s driver has done.
> hehe, just out of curiosity: is it some kind of a dongle?
>
> rat

Not sure if I’m crossing the line! If so, then I’m sorry. Based on the
trust that you have a legitimate driver, and someone else whacked it out, so
you want to know …

First, if you want to read the static disassembled code then IDA Pro (use
the PE option); only a couple of tries could have gotten you there already. Once
you get it loaded, the rest is your choice for navigation: by line, by function,
by imports etc., etc. BUT THE BIG HURDLE IS would it make sense to you when you
look at the static code.

One alternative might be to try on windbg, look through the loaded modules
(lm), and get the offset of most of the std. assembly prolog for function
starts, try setting a bp either from the command line (bp 0xdeadbeef) then
see some actions on the running system.

OllyDbg is good for this kind of thing on the application space.

-pro
----- Original Message -----
From: “Drohit”
Newsgroups: ntfsd
To: “Windows File Systems Devs Interest List”
Sent: Friday, February 04, 2005 4:33 AM
Subject: Re:[ntfsd] Re[2]: Re:IDA Pro help required!

> yes, it’s a dongle
> “Ratter” wrote in message news:xxxxx@ntfsd…
> > hello
> >
> > Friday, February 4, 2005, 12:57:06 PM, you wrote:
> > RD> Disassembling is also required when some hacker emulates your driver and
> > RD> replaces it with their own for various reasons. And this is what has
> > RD> happened with one of our products. So I was just trying to disassemble and
> > RD> analyse what all the hacker’s driver has done.
> > hehe, just out of curiosity: is it some kind of a dongle?
> >
> > rat
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@garlic.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
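Prokash’s suggestion above (find the standard function prolog, then bp on it in windbg) is the sort of step that can be scripted rather than done by hand. The following is an added example, not code from the thread or from any of the posters: it scans a constructed byte buffer for the common 32-bit x86 function prologs and turns the hits into WinDbg `bp module+offset` lines. The module name `mydriver` and the .text RVA `0x1000` are placeholders, and the buffer is hand-built for illustration.

```python
"""Locate likely function starts in 32-bit x86 code by their standard prolog
and emit WinDbg breakpoint commands for them.

Added example (not from the ntfsd thread). The byte buffer, module name and
section RVA below are constructed placeholders.
"""
import re
from typing import Dict, List, Tuple

# Common 32-bit x86 prologs (assumption: the target is 32-bit code, which
# matches the era of the thread). Longest first so a hotpatch prolog is not
# reported a second time as a plain frame prolog two bytes further on.
PROLOGS: List[Tuple[str, bytes]] = [
    ("hotpatch+frame",  bytes.fromhex("8BFF558BEC")),  # mov edi,edi; push ebp; mov ebp,esp
    ("frame",           bytes.fromhex("558BEC")),      # push ebp; mov ebp,esp
    ("frame (gcc enc)", bytes.fromhex("5589E5")),      # push ebp; mov ebp,esp (alt encoding)
]


def find_prologs(code: bytes) -> List[Tuple[int, str]]:
    """Return (offset, kind) for every prolog found in `code`, sorted by offset."""
    hits: Dict[int, Tuple[str, bytes]] = {}
    for kind, pat in PROLOGS:
        for m in re.finditer(re.escape(pat), code):
            off = m.start()
            # Skip offsets that fall inside an already-recorded longer prolog.
            if any(o <= off < o + len(p) for o, (_, p) in hits.items()):
                continue
            hits[off] = (kind, pat)
    return sorted((off, kind) for off, (kind, _) in hits.items())


def windbg_breakpoints(code: bytes, module: str, text_rva: int) -> List[str]:
    """Convert prolog offsets (relative to the start of `code`, assumed to be the
    .text section mapped at RVA `text_rva`) into WinDbg 'bp module+0xRVA' lines."""
    return [f"bp {module}+0x{text_rva + off:x}" for off, _ in find_prologs(code)]


# Constructed sample: three tiny functions separated by padding bytes.
SAMPLE_TEXT = (
    bytes.fromhex("8BFF558BEC")   # 0x00: hotpatch prolog
    + bytes.fromhex("83EC10")     #       sub esp,10h
    + bytes.fromhex("5DC3")       #       pop ebp; ret
    + bytes.fromhex("CCCCCC")     #       int3 padding
    + bytes.fromhex("558BEC")     # 0x0d: plain frame prolog
    + bytes.fromhex("33C0")       #       xor eax,eax
    + bytes.fromhex("5DC3")       #       pop ebp; ret
    + bytes.fromhex("90")         #       nop padding
    + bytes.fromhex("5589E5")     # 0x15: gcc-style encoding of the same prolog
    + bytes.fromhex("C9C3")       #       leave; ret
)

if __name__ == "__main__":
    for off, kind in find_prologs(SAMPLE_TEXT):
        print(f"{off:#06x}  {kind}")
    # Paste these into the windbg command window (placeholder module name).
    print("\n".join(windbg_breakpoints(SAMPLE_TEXT, "mydriver", 0x1000)))
```

Prolog matching is a heuristic: the same byte sequence can occur inside data or in the middle of a longer instruction, so treat each hit as a candidate to confirm in the disassembly, not as a verified function start. Compiler-specific prologs (frame-pointer-omitted code, for instance) will not be found by these three patterns at all, which is why IDA’s own function discovery is still the better first pass and this is only a quick way to seed breakpoints.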

If you want to disassemble the driver (a PE file), you may study many
undocumented structs (like someone above said) in the kernel. I have done it
many times, but I have few useful things! If you really want to do it, please
use SoftICE to trace it, and first you may use IDA to make a map file, and
transform the map file to a *.nms (some hacker has written a plugin for IDA
to make the nms), so you can easily bpx the point and analyse the disassembled
code. If you are tracing the FSD driver, you may change the driver’s boot
sequence.

Best wishes for you! :)
Sorry for my poor English!

“Prokash Sinha” wrote in message news:xxxxx@ntfsd…
> Not sure if I’m crossing the line! If so, then I’m sorry. Based on the
> trust that you have a legitimate driver, and someone else whacked it out, so
> you want to know …
>
> First, if you want to read the static disassembled code then IDA Pro (use
> the PE option); only a couple of tries could have gotten you there already. Once
> you get it loaded, the rest is your choice for navigation: by line, by function,
> by imports etc., etc. BUT THE BIG HURDLE IS would it make sense to you when
> you look at the static code.
>
> One alternative might be to try on windbg, look through the loaded modules
> (lm), and get the offset of most of the std. assembly prolog for function
> starts, try setting a bp either from the command line (bp 0xdeadbeef) then
> see some actions on the running system.
>
> OllyDbg is good for this kind of thing on the application space.
>
> -pro
> ----- Original Message -----
> From: “Drohit”
> Newsgroups: ntfsd
> To: “Windows File Systems Devs Interest List”
> Sent: Friday, February 04, 2005 4:33 AM
> Subject: Re:[ntfsd] Re[2]: Re:IDA Pro help required!
>
>
> > yes, it’s a dongle
> > “Ratter” wrote in message news:xxxxx@ntfsd…
> > > hello
> > >
> > > Friday, February 4, 2005, 12:57:06 PM, you wrote:
> > > RD> Disassembling is also required when some hacker emulates your driver and
> > > RD> replaces it with their own for various reasons. And this is what has
> > > RD> happened with one of our products. So I was just trying to disassemble and
> > > RD> analyse what all the hacker’s driver has done.
> > > hehe, just out of curiosity: is it some kind of a dongle?
> > >
> > > rat