Comments on: R4ndom’s Tutorial #23: TLS Callbacks
http://thelegendofrandom.com/blog/archives/2418
Programming and Reverse Engineering
Thu, 19 Sep 2013 09:42:54 +0000

By: johnnycannuk
Wed, 07 Aug 2013 17:11:03 +0000
http://thelegendofrandom.com/blog/archives/2418#comment-80001

Nice article... quite helpful. I have a weird one that I think might be a FAKE TLS callback:

CFF says there’s a callback and that the table is located in the BSS section. But the offset actually puts the AddressOfCallbacks in the top of the .rdata section; the value points to the SizeOfZeroFill segment, which when static is 0.

Perhaps it’s dynamic or perhaps it’s meant to make me waste my time… weird

By: Dominique
Fri, 05 Jul 2013 09:00:05 +0000
http://thelegendofrandom.com/blog/archives/2418#comment-75552

My brother suggested I might like this web site.
He was once totally right. This put up actually made my day.

You can’t imagine just how so much time I had spent for this info! Thanks!

By: COX
Fri, 08 Mar 2013 22:02:45 +0000
http://thelegendofrandom.com/blog/archives/2418#comment-23681

Hi,

About one decade ago I was cracking dos programs.
Since then I got in the automotive business and lost the contact with CPP, C# and co.

Now, I was trying to reverse M a n i c T i m e for a colleague to get access to the pro features and I got lost in threads.

I have just a small request. When time is at hand, please have a look at the app and let me know how hard do you find it to break it.

I don’t want the solution maybe just some pointers to what to learn, to do it on my own.

Thank you for the excellent tutorials, I’ve read a few.

By: D4ph1
Tue, 05 Feb 2013 22:53:04 +0000
http://thelegendofrandom.com/blog/archives/2418#comment-16894

R4ndom you made a small mistake. In the .data section of your exe the TLS begins at 0x47 and NOT 0x46 as you say in the tutorial!
Cheers

By: Jochen
Sat, 26 Jan 2013 17:24:30 +0000
http://thelegendofrandom.com/blog/archives/2418#comment-13902

; Self-modifying TLS callbacks
; This PE has only one TLS callback active at load time.
; However, the callback executes 0x10 times because it modifies TLS table before returning.
; Copyleft (c) Omega Red 2007
; fasm source

; 32-bit executable
format PE GUI
entry start

include 'win32a.inc'
include '\macro\proc32.inc'
;------------------------------------------------
section 'all' code data readable writable executable

start:
    cinvoke printf, buf, fmt, [count]
    invoke msgbox, 0, buf, t_main, 0
    invoke exit, 0
;------------------------------------------------
tls_callback0:
    inc dword [count]
    cmp dword [count], 0x10 ; callback executed 0x10 times?
    jge tls_end

    ; add another callback entry before returning
    mov eax, [count]
    mov dword [tls_callbacks+4*eax], tls_callback0

tls_end:
    ret 0x0c
;------------------------------------------------
t_main db 'main',0
buf db 0x100 dup (0)
fmt db 'tls count: %d',0
count dd 0
;------------------------------------------------
; TLS directory
; !!! it's possible to change tls table WHILE IN TLS CALLBACK itself,
; fex you have only 1 tls at first, but this tls adds some more -
; those added will execute normally (table is not cached by loader)!
align 0x10
data 9 ; tls
    dd 0 ;Raw Data Start VA
    dd 0 ;Raw Data End VA
    dd tls_index ;Address of Index
    dd tls_callbacks ;Address of Callbacks
    dd 0 ;Size of Zero Fill
    dd 0 ;Reserved

tls_index dd 0
tls_callbacks: ; only one callback is present initially
    dd tls_callback0 ; callback proc
    dd 0xff dup (0) ; space reserved for more callback entries (but null at load time)
    dd 0
end data
;------------------------------------------------

; invoke ExitProcess, 0

data import

library user, 'user32.dll',\
        kernel, 'kernel32.dll'

import user,\
       printf, 'wsprintfA',\
       msgbox, 'MessageBoxA'

import kernel,\
       exit, 'ExitProcess'
end data
;------------------------------------------------
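
Added example, not part of the comment thread or of the fasm listing: a Python reader for the static view of a PE32 TLS callback array, which reports the section holding the array and whether that section is writable. A writable array can gain entries while a callback runs, as the listing above shows, and an array whose first entry is zero (the case johnnycannuk describes) lists no callbacks on disk. The names tls_report and build_sample are hypothetical, and the sample image is a constructed header skeleton, not a real executable.

```python
import struct

IMAGE_SCN_MEM_WRITE = 0x80000000

def tls_report(pe):
    """Statically walk the TLS callback array of a PE32 image."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]                    # e_lfanew
    opt = nt + 24                                                 # optional header
    if pe[nt:nt + 4] != b"PE\0\0" or struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("expected a PE32 image")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    base = struct.unpack_from("<I", pe, opt + 28)[0]              # ImageBase
    tls_rva = struct.unpack_from("<I", pe, opt + 96 + 8 * 9)[0]   # data directory 9
    if tls_rva == 0:
        return None                                               # no TLS directory
    secs = [struct.unpack_from("<8s4I12xI", pe, opt + opt_size + 40 * i)
            for i in range(nsec)]

    def locate(rva):        # -> (section name, characteristics, file offset)
        for name, vsize, va, rsize, raw, flags in secs:
            if va <= rva < va + rsize:
                return name.rstrip(b"\0").decode(), flags, raw + rva - va
        raise ValueError("RVA 0x%x has no file-backed data" % rva)

    cb_va = struct.unpack_from("<4I", pe, locate(tls_rva)[2])[3]  # AddressOfCallBacks
    name, flags, off = locate(cb_va - base)
    callbacks = []
    while off + 4 <= len(pe):
        (entry,) = struct.unpack_from("<I", pe, off)
        if entry == 0:                                            # null terminator
            break
        callbacks.append(entry)
        off += 4
    return {"array_va": cb_va, "section": name, "callbacks": callbacks,
            "writable": bool(flags & IMAGE_SCN_MEM_WRITE)}

def build_sample():
    """Constructed PE32 skeleton (headers only, not a runnable EXE)."""
    img = bytearray(0x400)
    struct.pack_into("<I", img, 0x3C, 0x40)                               # e_lfanew
    struct.pack_into("<4sHH12xH", img, 0x40, b"PE\0\0", 0x14C, 1, 0xE0)   # COFF header
    struct.pack_into("<H26xI", img, 0x58, 0x10B, 0x400000)                # magic, ImageBase
    struct.pack_into("<II", img, 0x58 + 168, 0x1000, 24)                  # TLS data directory
    struct.pack_into("<8s4I12xI", img, 0x138, b"all", 0x200, 0x1000,
                     0x200, 0x200, 0xE0000060)                            # writable section
    struct.pack_into("<6I", img, 0x200, 0, 0, 0x401020, 0x401030, 0, 0)   # TLS directory
    struct.pack_into("<I", img, 0x230, 0x401100)                          # one callback
    return bytes(img)
```

A result with "writable" set means the on-disk callback list is only a lower bound, so a debugger breakpoint on the array itself is the more reliable check.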

By: toTHOR2 (2T2)
Sun, 04 Nov 2012 17:30:41 +0000
http://thelegendofrandom.com/blog/archives/2418#comment-6850

Thank You for this in-depth explanation of TLS Callbacks.
As one would say “I have seen the light.”.
The time and effort you devote to these Tutorials is really appreciated. U B da Man!

2T2

By: ator
Thu, 11 Oct 2012 01:55:59 +0000
http://thelegendofrandom.com/blog/archives/2418#comment-5284

Bah… Got that backwards..

409718 not 409781

By: ator
Thu, 11 Oct 2012 01:54:12 +0000
http://thelegendofrandom.com/blog/archives/2418#comment-5283

Address is not right.. Should be:

409781 not 409718

at least I think :-)
