"Obsfucator" in OSR2 and Win98

Posted on 1999-07-28
Last Modified: 2013-12-03
In Matt Pietrek's "Windows 95 System Programming Secrets" he talks about how process and thread IDs are XOR'd with an "obsfucator" value to give a pointer to the process or thread's internal data structures. The code provided in his book does not appear to work on Windows 95 revision B (with USB supplement). I haven't tried it on Windows 98 yet, but I'm assuming that it probably does not work there, either.

Does anybody know if the method to retrieve the obfuscator has changed, or if it still even exists? I know in original betas of Chicago, the process ID was a direct pointer to the structure - no obfuscator existed. Could it have possibly (however unlikely) been removed outright?

I would really like to be able to walk the process and thread structures, just to see what's going on, and I think the only way I'll be able to do this is to find out what has changed with the "obsfucator" and how I can find the structures in OSR2 and 98.

Thanks in advance.
Question by:eppsman
14 Comments
 
LVL 20

Expert Comment

by:Madshi
ID: 1403939
I have everything you need, but in Delphi code...   :-))
Is this a problem for you?
What do you need? "Only" how to calculate the "magic number", which you have to xor to the IDs? Or do you need more? What?

Regards, Madshi.
 

Author Comment

by:eppsman
ID: 1403940
I have the code to calculate the value, but it appears that using this value will only produce correct results under the original release of Windows 95. Trying to use the "obsfucator" under Win95B fails. I want to know if anybody has some obsfucator code that they know works under Win95 rev. B with USB supplement installed.
 
LVL 20

Accepted Solution

by:Madshi (earned 2600 total points)
ID: 1403941
Well, I have one obfuscator code for win95 and win95osr2 (and it really works for both) and a different one for win98 and win98secondEdition. But - as I said - in Delphi. Ok, here it comes. I guess, you won't have any problems with the conversion...   :-)   If you have, please ask me.

uses Windows, SysUtils;

type TPtid0 = ^Ttid0;
     Ttid0  = packed record   { thread database (TDB); only the PDB pointers are named }
                dummy1, dummy2    : dword;
                win95pid          : dword;   { offset 08h: PDB pointer on win95/osr2 }
                dummy3            : array [0..10] of dword;
                win98pid          : dword;   { offset 38h: PDB pointer on win98/98SE }
                dummy4            : array [0..21] of dword;
              end;

var magic      : cardinal = 0;
    magicReady : boolean = false;

{ The posted code tested Madshi's own "OS.enum"; the SysUtils version globals
  stand in for it here: win95 and win95osr2 report 4.0, win98 and 98SE report 4.10. }
function IsWin95 : boolean;
begin
  result:=(Win32Platform=VER_PLATFORM_WIN32_WINDOWS) and (Win32MinorVersion=0);
end;

{ Returns the xor value ("magic") that turns a thread/process ID into the
  linear address of its TDB/PDB, or 0 if the derivation could not be verified. }
function GetMagic : cardinal;
var tid,pid : cardinal;
begin
  if not magicReady then begin
    magicReady:=true;
    try
      if IsWin95 then begin
        { win95/osr2: the TIB sits 10h bytes into the TDB, so TDB = fs:[18h] - 10h
          (fs:[18h] is the TIB's pointer to itself) and magic = TDB xor TID }
        tid:=GetCurrentThreadID;
        asm
          push eax
          push es
          push fs
          mov  ax, fs
          mov  es, ax
          mov  eax, 18h
          mov  eax, es:[eax]      { linear address of the TIB }
          sub  eax, 10h           { ... and of the enclosing TDB }
          xor  eax, [tid]
          mov  [magic], eax
          pop  fs
          pop  es
          pop  eax
        end;
        { cross-check: the TDB's PDB pointer must match the obfuscated process ID }
        if TPtid0(tid xor magic)^.win95pid<>GetCurrentProcessID xor magic then magic:=0;
      end else begin
        { win98/98SE: fs:[30h] holds the PDB pointer, so magic = PDB xor PID }
        pid:=GetCurrentProcessID;
        asm
          push eax
          push es
          push fs
          mov  ax, fs
          mov  es, ax
          mov  eax, 30h
          mov  eax, es:[eax]      { linear address of the PDB }
          xor  eax, [pid]
          mov  [magic], eax
          pop  fs
          pop  es
          pop  eax
        end;
        { cross-check through the TDB, whose PDB pointer moved to offset 38h on win98 }
        if TPtid0(GetCurrentThreadID xor magic)^.win98pid xor magic<>pid then magic:=0;
      end;
    except magic:=0 end;   { a wrong magic usually faults on the first dereference }
  end;
  result:=magic;
end;

Regards, Madshi.

 

Author Comment

by:eppsman
ID: 1403942
Madshi,
Please standby, I'm going to try converting this stuff. It looks good!
Aaron
 

Author Comment

by:eppsman
ID: 1403943
Code looks good, I just have one question:
Do you know if the PROCESS_DATABASE structures have changed in 95B and 98? I have tried to retrieve some information from this structure after I have unobfuscated it, but I'm getting junk, so it appears that some fields may have been added to the structure or something...

I was just wondering if you knew, but if not, I'll award you the points anyway, of course.
 
LVL 20

Expert Comment

by:Madshi
ID: 1403944
This is the structure I'm using. The fields that I use are "pHandleTable" and "parentPpid0", and these two fields are working correctly under all win9x systems.
Which values are you using and for which purpose? Perhaps I can help with finding out the differences.
I've already found a difference in the thread structure. You see that in the code I've posted in the answer.

type PHANDLE_TABLE = Pointer;   { handle table layout is not given here }
     TPpid0 = ^Tpid0;
     Tpid0  = packed record     { process database (PDB); offsets in hex }
                dwType            : dword;          { 00 }
                refCount          : dword;          { 04 }
                unk1,unk2         : dword;          { 08, 0C }
                termStatus        : dword;          { 10 }
                unk3              : dword;          { 14 }
                defaultHeap       : dword;          { 18 }
                memContext        : dword;          { 1C }
                flags             : dword;          { 20 }
                pPsp              : dword;          { 24 }
                pspSelector       : word;           { 28 }
                mteIndex          : word;           { 2A }
                nThreads          : word;           { 2C }
                nThreadsNotTerm   : word;           { 2E }
                unk5              : word;           { 30 }
                nROThreads        : word;           { 32 }
                ptrUnk3           : pointer;        { 34 }
                k16TDBSel         : word;           { 38 }
                unk6              : word;           { 3A }
                unk7              : pointer;        { 3C }
                pEDB              : pointer;        { 40 }
                pHandleTable      : PHANDLE_TABLE;  { 44 }
                parentPpid0       : TPpid0;         { 48 }
                modrefList        : pointer;        { 4C }
                threadList        : pointer;        { 50 }
                unk8,unk9,unk10   : pointer;        { 54, 58, 5C }
                z4Unk11           : pointer;        { 60 }
                unk12,unk13,unk14 : pointer;        { 64, 68, 6C }
                z1Unk15           : pointer;        { 70 }
              end;

Regards, Madshi.
 

Author Comment

by:eppsman
ID: 1403945
I was trying to take a peek at the flags field, but I was getting values that:
a) changed every time I ran the program, but the same program's data was being looked at every time;
b) the values were not valid values for the flags field.
Thanks in advance.
 
LVL 20

Expert Comment

by:Madshi
ID: 1403946
Please give me a description of the flags. Then I'll see if I can find something...
 

Author Comment

by:eppsman
ID: 1403947
Here's a description of the flags (all of these are in hexadecimal, of course):

00000001 - fDebugSingle - Set if process is being debugged
00000002 - fCreateProcessEvent - Set in debugged processes after starting
00000004 - fExitProcessEvent - Might be set in debugged processes at exit time
00000008 - fWin16Process - Set if process is a Windows 3.x program
00000010 - fDosProcess - Set if process is a DOS program
00000020 - fConsoleProcess - Set if process is a Win32 console program
00000040 - fFileApisAreOem - See SetFileApisToOEM() in API documentation
00000080 - fNukeProcess - ?
00000100 - fServiceProcess - Processes like MSGSRV32
00000800 - fLoginScriptHack - Might be a Novell network login process(?)

There are others, but there is absolutely no documentation on what they do, and they're rare to find, anyway.
 
LVL 20

Expert Comment

by:Madshi
ID: 1403948
Well, I've written a little testprogram that looked something like this:

  c1 = GetProcessIdOfCalc;
  ShowFlagsOfCalc;
  RegisterServiceProcess(c1);
  ShowFlagsOfCalc;
  UnregisterServiceProcess(c1);
  ShowFlagsOfCalc;

And I let this program run under win95, win95osr2 and win98 (I have them all on my harddisk). And you know what? It worked perfectly on all 3 systems with the same pid0 structure!!   :-)

win95 & win95osr2 showed  0x0 -> 0x100 -> 0x0
win98 showed  0x200 -> 0x300 -> 0x200

So I guess, you must have done something wrong with either the conversion of my code or with the declaration of the structure. Let me see your code. Perhaps I'll find something.
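The two derivations in the accepted answer (win95/osr2: fs:[18h] - 10h xor TID; win98: fs:[30h] xor PID), the cross-check that rejects a wrong magic, and the flag bits listed by eppsman, put together as one added example. This is editor-written C, not code from Madshi, eppsman or Pietrek, and it cannot read fs: on a modern machine, so the segment reads are replaced by reads from a constructed 32-bit address space. MEM_BASE, the TDB/TIB/PDB placement (in particular that a win98-style TIB does not sit at TDB+10h, which is an assumption of this model only), the magic values and the flag words are all made-up sample data; the structure offsets come from the Delphi records in the thread.

```c
/* Added example (not from the thread): model of the Win9x ID "obfuscator"
 * derivations, the PDB cross-check, and a PDB flags decoder over a constructed
 * address space.  Every address and ID below is sample data. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets from the Delphi records posted in the thread (Ttid0 / Tpid0). */
#define TDB_WIN95_PDB 0x08  /* Ttid0.win95pid: PDB pointer in a Win95 TDB */
#define TDB_WIN98_PDB 0x38  /* Ttid0.win98pid: PDB pointer in a Win98 TDB */
#define PDB_FLAGS     0x20  /* Tpid0.flags */
#define TIB_SELF      0x18  /* fs:[18h]: linear address of the TIB itself */
#define TIB_PDB       0x30  /* fs:[30h]: the field xored with the PID on Win98 */
#define TDB_TO_TIB    0x10  /* Win95: the TIB sits 10h bytes into the TDB */

/* PDB flag bits exactly as listed in the question. */
static const struct { uint32_t bit; const char *name; } pdb_flag_names[] = {
    {0x001, "fDebugSingle"},    {0x002, "fCreateProcessEvent"}, {0x004, "fExitProcessEvent"},
    {0x008, "fWin16Process"},   {0x010, "fDosProcess"},         {0x020, "fConsoleProcess"},
    {0x040, "fFileApisAreOem"}, {0x080, "fNukeProcess"},        {0x100, "fServiceProcess"},
    {0x800, "fLoginScriptHack"},
};

/* Constructed address space: 4 KiB "mapped" at a made-up kernel linear address. */
#define MEM_BASE 0x81A00000u
#define MEM_SIZE 0x1000u
typedef struct { uint8_t mem[MEM_SIZE]; uint32_t fs_base; } space_t;

static uint32_t rd32(const space_t *s, uint32_t lin) {
    uint32_t off = lin - MEM_BASE, v = 0;   /* unmapped -> 0 (the real kernel would fault) */
    if (off <= MEM_SIZE - 4) memcpy(&v, s->mem + off, 4);
    return v;
}
static void wr32(space_t *s, uint32_t lin, uint32_t v) {
    uint32_t off = lin - MEM_BASE;
    if (off <= MEM_SIZE - 4) memcpy(s->mem + off, &v, 4);
}

/* Win95/OSR2: TDB = fs:[18h] - 10h, and TID = TDB xor magic. */
static uint32_t magic_win95(const space_t *s, uint32_t tid) {
    return (rd32(s, s->fs_base + TIB_SELF) - TDB_TO_TIB) ^ tid;
}
/* Win98: fs:[30h] is the PDB pointer, and PID = PDB xor magic. */
static uint32_t magic_win98(const space_t *s, uint32_t pid) {
    return rd32(s, s->fs_base + TIB_PDB) ^ pid;
}
/* Cross-check from the accepted answer: the PDB pointer stored in the unobfuscated
 * TDB must equal PID xor magic.  A zero pointer stands for the access violation the
 * Delphi except block catches; either way the candidate is rejected (returns 0). */
static uint32_t validate_magic(const space_t *s, uint32_t magic, uint32_t tid,
                               uint32_t pid, int win98_layout) {
    uint32_t tdb = tid ^ magic;
    uint32_t pdb = rd32(s, tdb + (win98_layout ? TDB_WIN98_PDB : TDB_WIN95_PDB));
    return (pdb != 0 && pdb == (pid ^ magic)) ? magic : 0;
}

/* Writes the names of the documented bits into `out` (space separated) and returns
 * the undocumented bits, so a junk flags word (wrong magic or wrong offset) shows
 * up instead of being silently misread. */
static uint32_t decode_pdb_flags(uint32_t flags, char *out, size_t outsz) {
    uint32_t known = 0;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof pdb_flag_names / sizeof pdb_flag_names[0]; i++) {
        known |= pdb_flag_names[i].bit;
        if (flags & pdb_flag_names[i].bit) {
            if (out[0]) strncat(out, " ", outsz - strlen(out) - 1);
            strncat(out, pdb_flag_names[i].name, outsz - strlen(out) - 1);
        }
    }
    return flags & ~known;
}

/* Lays out one TIB, one TDB and one PDB for a chosen magic and flags word and hands
 * back the IDs the kernel would expose.  win98_layout=1 stores the PDB pointer at
 * TDB+38h and fs:[30h] and (assumption of this model) puts the TIB away from
 * TDB+10h, so the Win95 derivation has nothing valid to find. */
static void build_space(space_t *s, int win98_layout, uint32_t magic, uint32_t flags,
                        uint32_t *tid, uint32_t *pid) {
    const uint32_t tdb = MEM_BASE + 0x200, pdb = MEM_BASE + 0x800;
    const uint32_t tib = win98_layout ? MEM_BASE + 0x600 : tdb + TDB_TO_TIB;
    memset(s, 0, sizeof *s);
    s->fs_base = tib;                       /* the fs selector's base is the TIB */
    wr32(s, tib + TIB_SELF, tib);
    if (win98_layout) { wr32(s, tib + TIB_PDB, pdb); wr32(s, tdb + TDB_WIN98_PDB, pdb); }
    else              wr32(s, tdb + TDB_WIN95_PDB, pdb);
    wr32(s, pdb + PDB_FLAGS, flags);
    *tid = tdb ^ magic;
    *pid = pdb ^ magic;
}

/* One full walk: try both derivations, validate each, read flags through the survivor. */
typedef struct { uint32_t magic95, magic98, flags, unknown; char names[160]; } walk_t;
static walk_t walk_process(int win98_layout, uint32_t magic, uint32_t flags) {
    space_t s; walk_t w = {0}; uint32_t tid, pid, m;
    build_space(&s, win98_layout, magic, flags, &tid, &pid);
    w.magic95 = validate_magic(&s, magic_win95(&s, tid), tid, pid, win98_layout);
    w.magic98 = validate_magic(&s, magic_win98(&s, pid), tid, pid, win98_layout);
    m = w.magic95 ? w.magic95 : w.magic98;
    w.flags = m ? rd32(&s, (pid ^ m) + PDB_FLAGS) : 0;
    w.unknown = decode_pdb_flags(w.flags, w.names, sizeof w.names);
    return w;
}

int main(void) {
    walk_t a = walk_process(0, 0x7E3B2A19u, 0x100);   /* Win95-style, RegisterServiceProcess'd */
    walk_t b = walk_process(1, 0x5C1F0D3Au, 0x300);   /* Win98-style, the 0x300 reported above */
    printf("win95: magic95=%08x magic98=%08x flags=%03x [%s] unknown=%03x\n",
           a.magic95, a.magic98, a.flags, a.names, a.unknown);
    printf("win98: magic95=%08x magic98=%08x flags=%03x [%s] unknown=%03x\n",
           b.magic95, b.magic98, b.flags, b.names, b.unknown);
    return 0;
}
```

On the win95-style layout only the fs:[18h] derivation survives the cross-check; on the win98-style layout only the fs:[30h] one does, which is the behaviour the thread describes. The decoder also reports 0x200 as an undocumented bit for the win98 value 0x300, which is the kind of check that separates "junk" from a flags word with a bit the book does not name.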
 
LVL 20

Expert Comment

by:Madshi
ID: 1403949
Any progress?
 
LVL 20

Expert Comment

by:Madshi
ID: 1403950
P.S: Please don't forget to accept my answer...  :-))
 

Author Comment

by:eppsman
ID: 1403951
Sorry for the delay, I was out of town over the weekend. I'll take a peek at my code... Probably screwed up my pointers or something! Thanks, I'll accept your answer... :)
 
LVL 20

Expert Comment

by:Madshi
ID: 1403952
Thanx for the A grade... Yam yam...   :-)
