Showing results 1 to 25 of 41
Search: Posts Made By: rwid
Forum: Reverse Code Engineering 07-12-2007, 01:33 AM
Replies: 1
Views: 3,870
Posted By rwid
If some portion of program logic you seek to...

If some portion of program logic you seek to modify is contained within the Dll and not the Exe, well then you need to modify the Dll :p . Quite often in larger client/server-based games, the bulk of...
Forum: General Forum 02-27-2007, 12:17 AM
Replies: 0
Views: 4,609
Posted By rwid
patching DllMain

Hi guys,
I wish to monitor calls to global constructors during DllMain...

Is there any way to break on DllMain with the Visual Studio debugger? (I'm using vs2003, and I don't have the source code...
Forum: Reverse Code Engineering 11-24-2006, 05:08 AM
Replies: 13
Views: 19,435
Posted By rwid
yeah actually without the linux-ntfs...

yeah actually without the linux-ntfs documentation I couldn't have reversed this in the first place... very thorough information :)
Forum: Reverse Code Engineering 11-02-2006, 07:16 AM
Replies: 13
Views: 19,435
Posted By rwid
Hi dude, see the attachment at the end of this...

Hi dude, see the attachment at the end of this post... (http://www.reteam.org/board/index.php?showtopic=374&view=findpost&p=1384)

The document contains a disassembly of my bootsector and ntfs...
Forum: Reverse Code Engineering 09-21-2006, 04:38 AM
Replies: 1
Views: 3,935
Posted By rwid
Hopefully ur target doesn't use the crypto++...

Hopefully ur target doesn't use the crypto++ library. Lots of c++ programs seem to use this nowadays... it's a bitch to reverse with all the pure virtual functions, class inheritance and...
Forum: Reverse Code Engineering 05-03-2006, 09:51 PM
Replies: 1
Views: 5,670
Posted By rwid
aaaaaaaaahhh! I've gotta stop promising...

aaaaaaaaahhh!

I've gotta stop promising things I am not truly capable of doing.. hehe..

I'm lazy, going slow at this, finding it a bit overwhelming to explain it all..

so here's...
Forum: Reverse Code Engineering 04-24-2006, 11:16 PM
Replies: 1
Views: 5,670
Posted By rwid
is coming along, albeit slowly... hope to have...

is coming along, albeit slowly... hope to have the article completed a week from now!
Forum: General Forum 04-23-2006, 03:01 AM
Replies: 1
Views: 5,403
Posted By rwid
mmm do you mean 'does the osloader.exe in...

mmm do you mean 'does the osloader.exe in ntldr have the IMAGE_DOS_HEADER and PE signature?'...

You are quoting NT4/Win2k source code, right? I don't know if this applies to ntldr for...
Forum: General Forum 04-01-2006, 05:28 AM
Replies: 1
Views: 5,705
Posted By rwid
I don't think it's wise to post source...

I don't think it's wise to post source code, even though it may be helpful...

this 'HvInitializeHive()' function appears to match the function from my disassembly at virtual address...
Forum: General Forum 03-29-2006, 06:38 PM
Replies: 6
Views: 10,614
Posted By rwid
yes (!!!!!!!!!!!!!!!!1) ;)

yes (!!!!!!!!!!!!!!!!1)

;)
Forum: Reverse Code Engineering 03-28-2006, 08:45 PM
Replies: 13
Views: 19,435
Posted By rwid
I've just realized the debug version of ntldr...

I've just realized the debug version of ntldr 'ntldr_dbg' can be found in the xp ddk. It's easier to follow since there are various debug strings referenced in the code. I'm now...
Forum: General Forum 03-28-2006, 07:39 PM
Replies: 6
Views: 10,614
Posted By rwid
osloader.exe is the PE file image embedded in...

osloader.exe is the PE file image embedded in ntldr. You need to splice it from ntldr using a hex editor. The file's properties show its internal name is osloader.exe.

see this post......
Forum: General Forum 03-27-2006, 07:46 AM
Replies: 9
Views: 11,648
Posted By rwid
thanks 0x517A5D, that's what I needed, a nice...

thanks 0x517A5D, that's what I needed, a nice simple breakdown of the statement, showing its constituents.

mmm I'm guessing it creates a function main() that contains the same 0x0F 0x0B...
Forum: Reverse Code Engineering 03-21-2006, 10:53 PM
Replies: 13
Views: 19,435
Posted By rwid
To locate the firmware function vector table, go...

To locate the firmware function vector table, go back to NtProcessStartup again and look at the call immediately following the call to DoGlobalInitialization. This function initializes the firmware...
Forum: Reverse Code Engineering 03-21-2006, 10:36 AM
Replies: 13
Views: 19,435
Posted By rwid
Okay about this other function table I mentioned....

Okay about this other function table I mentioned. It exists due to the fact that the boot loader code was written not only for Intel x86-based architectures, but also for RISC-based architectures....
Forum: General Forum 03-21-2006, 02:00 AM
Replies: 9
Views: 11,648
Posted By rwid
((void(*)())("...

((void(*)())("\x0F\x0B"))();

just curious ... I've never seen that method of embedding bytes directly in C code before... can you describe why this syntax works in C ??
Forum: Reverse Code Engineering 03-20-2006, 01:58 AM
Replies: 13
Views: 19,435
Posted By rwid
Oops did I say a few days? I meant a few weeks ...

Oops did I say a few days? I meant a few weeks :D

I don't have time to post it all right now, but I'll make a start...

Okay the ntldr binary I'm looking at comes from XP with SP2...
Forum: Reverse Code Engineering 03-05-2006, 11:01 PM
Replies: 12
Views: 10,127
Posted By rwid
hi este, I'm not sure if u're still...

hi este,

I'm not sure if u're still reading this but if the code is using "shrd/shld" instructions, it may be the case that the "temp1" variable above is being treated or is supposed to be a...
Forum: Reverse Code Engineering 03-05-2006, 08:29 PM
Replies: 13
Views: 19,435
Posted By rwid
hi hasper, Give me a few days and I'll post...

hi hasper,

Give me a few days and I'll post what I know about ntldr and the approach I've used to disassemble/reverse it.
Forum: Reverse Code Engineering 02-21-2006, 08:02 AM
Replies: 2
Views: 4,928
Posted By rwid
Hi there! The 16-bit ".com"...

Hi there!

The 16-bit ".com" portion of XP's NtLoader has a minimum memory check that ensures that at least 512Kb of low memory is present before continuing. The 16-bit portion of NtLoader...
Forum: Reverse Code Engineering 02-14-2006, 04:02 AM
Replies: 15
Views: 14,928
Posted By rwid
Hi JHZ, I'm not sure that the info I have...

Hi JHZ,

I'm not sure that the info I have will help you, I have only completed the mbr code and ntfs bootsector code study. If you still want it I guess I could clean up my ida file and give you...
Forum: Reverse Code Engineering 02-04-2006, 01:42 AM
Replies: 15
Views: 14,928
Posted By rwid
Hi 0x517A5D! I have understood all along...

Hi 0x517A5D!

I have understood all along that an unnamed $DATA attribute HAD to be present in $MFT's base file record, and indeed the bootsector makes this assumption when locating...
Forum: Reverse Code Engineering 02-03-2006, 04:33 AM
Replies: 15
Views: 14,928
Posted By rwid
If it's an NT4 bootsector, you might be...

If it's an NT4 bootsector, you might be having this problem --> Windows NT Does Not Boot with Highly Fragmented MFT (http://support.microsoft.com/kb/q228734/)
Forum: Reverse Code Engineering 02-03-2006, 12:02 AM
Replies: 15
Views: 14,928
Posted By rwid
I should note that if the problem lies in...

I should note that if the problem lies in NTLDR's handling of the $MFT file record, not in the bootsector's code, then I probably can't help you, as I haven't reversed/studied...
Forum: Reverse Code Engineering 02-02-2006, 11:39 PM
Replies: 15
Views: 14,928
Posted By rwid
...

...