Last 5 News Posts:

This was a topic that was brought up on Tuts4You here:
https://forum.tuts4you.com/topic/39503- ... -peb-in-c/

I Google'd around and could not find a single instance of doing this in C# within the parameters given by the poster so I took to some ideas in mind of how I could allocate memory without any imports.

Some ideas that came to mind were:
- Marshal.AllocHGlobal
- Marshal.AllocCoTaskMem
- MemoryStream

Sadly, all three of these options only allocate the memory that have protection flags of PAGE_READ and PAGE_WRITE with no ability to execute.

Next, I thought of memory mapped files, these are a way to share memory between processes. This API allows you to specify the access type of the file, including execution permissions. C# has this built-in via the 'System.IO.MemoryMappedFiles' namespace within the System.Core.dll module.

Using this namespace, we can create a mapped file in memory, write our shellcode to it, create a function delegate to the function and invoke it. Here's an example of doing this, getting the PEB of the process (32bit):
  1. /**
  2.  * C# Shellcode Example
  3.  * (c) 2017 atom0s [atom0s@live.com]
  4.  *
  5.  * Demonstrates how to invoke shellcode within C# using a memory mapped file.
  6.  */
  7.  
  8. namespace ShellcodeExample
  9. {
  10.     using System;
  11.     using System.IO.MemoryMappedFiles;
  12.     using System.Runtime.InteropServices;
  13.  
  14.     class Program
  15.     {
  16.         /// <summary>
  17.         /// Function delegate to invoke the shellcode.
  18.         /// </summary>
  19.         /// <returns></returns>
  20.         private delegate IntPtr GetPebDelegate();
  21.  
  22.         /// <summary>
  23.         /// Shellcode function used to obtain the PEB of the process.
  24.         /// </summary>
  25.         /// <returns></returns>
  26.         private unsafe static IntPtr GetPeb()
  27.         {
  28.             var shellcode = new byte[]
  29.                 {
  30.                     0x64, 0xA1, 0x30, 0x00, 0x00, 0x00,         // mov eax, dword ptr fs:[30]
  31.                     0xC3                                        // ret
  32.                 };
  33.  
  34.             MemoryMappedFile mmf = null;
  35.             MemoryMappedViewAccessor mmva = null;
  36.  
  37.             try
  38.             {
  39.                 // Create a read/write/executable memory mapped file to hold our shellcode..
  40.                 mmf = MemoryMappedFile.CreateNew("__shellcode", shellcode.Length, MemoryMappedFileAccess.ReadWriteExecute);
  41.  
  42.                 // Create a memory mapped view accessor with read/write/execute permissions..
  43.                 mmva = mmf.CreateViewAccessor(0, shellcode.Length, MemoryMappedFileAccess.ReadWriteExecute);
  44.  
  45.                 // Write the shellcode to the MMF..
  46.                 mmva.WriteArray(0, shellcode, 0, shellcode.Length);
  47.  
  48.                 // Obtain a pointer to our MMF..
  49.                 var pointer = (byte*)0;
  50.                 mmva.SafeMemoryMappedViewHandle.AcquirePointer(ref pointer);
  51.  
  52.                 // Create a function delegate to the shellcode in our MMF..
  53.                 var func = (GetPebDelegate)Marshal.GetDelegateForFunctionPointer(new IntPtr(pointer), typeof(GetPebDelegate));
  54.  
  55.                 // Invoke the shellcode..
  56.                 return func();
  57.             }
  58.             catch
  59.             {
  60.                 return IntPtr.Zero;
  61.             }
  62.             finally
  63.             {
  64.                 mmva?.Dispose();
  65.                 mmf?.Dispose();
  66.             }
  67.         }
  68.  
  69.         /// <summary>
  70.         /// Entry point.
  71.         /// </summary>
  72.         /// <param name="args"></param>
  73.         static void Main(string[] args)
  74.         {
  75.             var peb = GetPeb();
  76.             Console.WriteLine("PEB is located at: {0:X8}", peb.ToInt32());
  77.         }
  78.     }
  79. }
Thanks to evlncrn8 for his adjustments to the shellcode itself to trim things down.
Hello everyone,

I have done some reorganization on the site and forum which was much overdue. I am aiming to make the forums a bit more public-use friendly and have done some cleanup and updates.

Forums Updated
  • I have started by updating the forums to the latest version of phpBB. While upgrades are a great thing this did land up breaking some of the previous plugins I was using and some custom edits etc. I have done my best to find alternatives and fill in the gaps myself where possible. Casual users should not notice any difference in the forums on that end though, most things were admin-only features.

    I also changed the forum theme due to the upgrade to the latest forum version. The previous theme was no longer supported, so I had to find something different. I made some modifications to this new theme to fit my preference in how I like the forum system to look. If you find any issues, feel free to let me know.
Changing Forum Sections
  • I have renamed the 'My Blog' section to better fit its purpose. The idea of having it as a blog is no longer fitting to the purpose of the forums. Because of that I have also added a new section 'Rants / Opinions' and moved all relevant posts from the original blog section there. These no longer fit the "front-page" aspect I have planned for the new site when I have time to work on it. I would rather the main website contain posts and information regarding my actual work and site news rather than me bashing a company/brand I dislike.

    I plan to add and redo some other sections in time as well. So this is an ongoing change that will continue over the next several weeks.
New Forum Features (Upcoming)
  • While most of my work is free and released here with nothing more than a donation link somewhere in the project, I want to test the waters on bringing in some more money to continue my incentive to work on various projects. I plan on creating a Patreon page in the near future and with that, I may add some perks for various donation levels that will affect this site in one way or another. Such as Patreon pledgers being added to special user groups, gaining access to certain apps before others (like closed-beta testers) and so on. So there may be some upcoming changes that will alter how some content is handled on this site/forum in the future.
Full credits for this go to dudu2002 from bios-mods.com, I am just sharing the info on how this was done for anyone else with this same laptop.

This past month has been a downhill struggle with my Lenovo laptop, my previous post already expressed my utter hatred for this company. After the issues with the graphics and having no way to fix that, my wifi card finally decided to start kicking the bucket. I would constantly drop connection or speeds would constantly drop from a full 144.4Mbps down to under 10. This was getting extremely frustrating because of the way I work on my laptop at times. I tend to remote into my desktop and work via VNC to have full performance without any lag.

I went and purchased a new wifi card for the laptop, an Intel Dual Band Wireless-AC 3160. After a huge fiasco with Fedex and the delivery I finally got the card and went to plug it in. Standard stuff, removing the old one and replacing it, one thing I will give Lenovo is their laptops are setup in a nice manner to upgrade things if need be, but that does not help with the next part..

Once the card was replaced, I booted up the machine and was greeted with a lovely black screen message showing:
"Unauthorized Wireless network card is plugged in. Power off and remove it"

Immediately I was like wtf?? and hit the web to research the error. Within a few minutes I found dozens of sites complaining about how Lenovo has a "whitelist" restriction in their BIOS' to prevent users from upgrading certain parts of their machine that are not Lenovo-qualified parts. Yet again does Lenovo dictate MY device after I purchased it. Best yet? It's out of warranty and they refuse to help at all. So not only do they lock your system down without telling you, they refuse to help you with this when problems like this happen after the fact. Yes, that's right. Lenovo has 0 mention of the whitelist in their BIOS. None of the documentation for the laptop has any info about this. Their websites help center, nothing. This seriously has to be illegal..

So now frustrations aside, here is how to fix this. Please note, this information is specific to the Lenovo Ideapad z710!
This may/may not work for other models!
This can brick your laptop as well! (Meaning it will no longer work.)
You are doing this at your own risk. I AM NOT RESPONSIBLE FOR WHAT HAPPENS!


1. Download The Attachment
  • Download the attachment that is with this post. Once the download is finished, extract to a new folder on your desktop. Something such as:
    C:\Users\atom0s\Desktop\z710\
2. Create Bootable EFI USB Drive
  • Next, we need to create a USB drive that can be bootable to EFI. This is very simple to do. Plug in your USB drive (into a USB 2.0 port) then open 'My Computer' or 'This PC' or whatever your OS calls it. Right-click on the drive and choose 'Format'. Change the format type to 'Fat32' and format the drive. You can use 'Quick Format' to format the drive fast if need be.

    Once done, open the new folder on your desktop from before and locate the EFI Shell.rar file. Extract this to the new formatted USB drive.
    It should create a new file like this:
    F:\EFI\BOOT\BOOTX64.EFI
3. Reboot Into BIOS For Configurations
  • Next, the last preparation step to do is to set BIOS to allow legacy booting.
    Restart the system and mash the F2 button until you are in BIOS.

    Once in, you are going to want to make sure that boot mode and such are all set to Legacy support.
    Afterward, you can exit out of bios ensuring to save all settings.
4. Boot Into the EFI USB Drive
  • After you exit out of BIOS saving your changes, mash F12 until you get the boot list.
    Once the list shows, there should be an option to boot from an EFI USB disk. Choose this option.

    If done correctly, you should be greeted with a message saying something like:

    Code: Select all

    Welcome to GRUB!
    Entering rescue mode...
    error: file not found
    grub rescue>
5. Enter Needed Variable Overrides
  • Now that we have the GRUB console, we need to enter the following two commands:
    setup_var 0x4ab 0x0
    setup_var 0x1ee 0x1

    Please note: Your system may seem to lockup after you enter each of these commands. The first setup_var may never seem to finish. Give it a few minutes and if nothing happens, force-reboot the machine and redo step 4 to get back to the GRUB console. Once there, enter the second setup_var command and allow the same to happen. If nothing happens again, just give it a few minutes then force restart the machine.

    After you have done both of these commands restart the machine and boot into Windows as normal.
6. Flashing The Bios
  • Almost done! Last step is to flash the BIOS. This requires us to use a glitch with Windows and it's Sleep mode.

    To do this, be sure to follow the steps carefully! Open the folder we made on the desktop.
    Copy EVERYTHING from this folder and place it directly into your C:\ drive.

    Once done, open up a command prompt as Administrator. (IT MUST BE ADMINSTRATIVE LEVEL PERMISSIONS!)
    You can do this via opening the start menu, type in cmd then right-click and choose 'Run as Administrator' on the cmd program to start an instance of it as an admin.

    Once the prompt is open, navigate to C:\ You can do this via typing:
    cd ..

    Until you see the prompt show as:
    C:\

    Next, force the system to sleep. You can do this via the start menu. In the power options choose 'Sleep'.
    Once the system is asleep, wake it up as normal. (Press the power button.)

    Now the system should restore to what it was, go to the command window we opened and enter the following command:
    fptw64 -f bios.rom -bios

    The system should now flash the BIOS and complete within a few minutes. Once done, reboot and your system should restart without issue.

    After you have restarted, restart again and press F2 until you are in BIOS again. You should now see all the new unlocked options and the whitelisting should now be removed!

Again, HUGE thanks to bubu2002 from bios-mods.com for helping me with this. Without him I'd still be going insane trying to unlock the BIOS.
I recently released the newest version of my Steamless project (v3) which has brought some major changes to the project as a whole. I wanted to go over some of Steamless' life as a project to help others understand my intentions with the project, its source code, and its future. But for that, I will give some background to the project as well as some info on each version.

Steamless - The Beginning
  • Steamless was created after I was beginning to see a huge increase in the games I had on Steam using a custom packer. Given that I am a game hacker at heart, my first instincts when getting a new game is to almost immediately check out the files. The intent is not always to hack the game immediately, but more or less my curiosity getting the best of me and wondering about the files. Things such as what they are written in, what they are packed with (if anything), what they are obfuscated with (if anything) and so on. It's just more or less me being interested in how something was made.

    More and more I started seeing files with some similar characteristics and annoying things to deal with such as anti-debugging techniques and static file analysis prevention due to packed sections. So I set out to learn more about the protection and possibly ways to remove it if something already existed. Through searching, I found some vague articles discussing the protection (mostly on crack forums/sites). But I couldn't find any solid information on unpacking the protections or any automated tools for the process.

    Because of this, I set out and began working on Steamless as a handful of games I was interested in hacking basically needed it. I spent about a week or so working on the unpacking analysis, jotting down information that I learned from how the file(s) worked for the few games I tested with from the start. After learning some key points of the protection I had a better understanding of what to look for online in terms of potential tools and dumps of similar information. This is when I stumbled upon Golem's wiki page found here: http://pcgamingwiki.com/wiki/User:Cyanic/Steam_DRM

    His wiki article at the time covered some basic information about the protection and a great database of games protected with the DRM. This was a helping push in the right direction on some of the parts of the DRM I was still working on reversing.
Steamless v1
  • The first iteration of Steamless was a simple console window that only supported SteamStub v3.0 (as I have dubbed it). It was very 'static' in terms of how it was implemented and it worked on a handful of games only. It had issues with certain situations and was more or less just a start of the project. This version was coded in C/C++ and was not really well designed or optimized for how the DRM was designed. Given that I had only really tackled the 32bit version of the 3.0 DRM, the project was lacking in features and support.

    During this time I had talked with Golem directly about his work with the packer, got some insight on the earlier versions of the DRM and begun reworking some of the internals of Steamless. Him and I exchanged some of our personal progress and overall was a great push to keep the project going and begin working on supporting other versions of the DRM.

Steamless v2 / Steamless.NET
  • At this point of the project, I had begun rewriting Steamless to be more scalable towards supporting other versions of the DRM. The C/C++ version was rewritten to include support for both SteamStub v2 and SteamStub v3. (As well as detection for v1 but no support.) My work on the SteamStub v2 variant was still really fresh and rough. The variant required using some disassembling to pull the required data which included the usage of the BEA disassembly engine for the C/C++ version of the project. It was a rough start to supporting the 32bit variant but was a fun time reversing and learning more about the older versions of the DRM.

    This was also the time I felt the project was getting some reputation but not much contributions back. Mainly because most of the people commenting on it and discussing it were not developers that used the C/C++ languages. From my experience with various reversing forums and peers, I felt it was best to move the project to C# as .NET is a fairly popular language in the reversing scene for making tools and such. I ported the current code base of Steamless to C# and dubbed the project Steamless.NET. When I did this, the idea was to maintain two projects for Steamless. The original C/C++ version and the new C# version, however that was fairly short lived after taking a step back and realizing that any contributions to one or the other would have to be ported to the other to keep both projects on the same level. I felt this was going to cause the project to become stagnant over time and one or the other would becoming the dominating project either way.

    Because of this, I decided it was best to just drop the C/C++ version and stick to the .NET (C#) version instead.
Steamless v3
  • While Steamless v2 was working great for many games, I was not happy with the code base. It was fairly rough to add support for other versions of the DRM and was not really friendly in terms of having more developers contribute to the project. I also was not happy with the license choice was it felt it didn't serve the project well. I also had failed to bring the full v2 support to the public version that was released due to a lack of free time. Another issue I was having was a large influx of help/support requests on how to use it as many people were not really familiar with using a command line tool.

    I felt it was a good time to really revamp the project by doing a few major changes to it:
    1. A full overhaul of the code, making it much cleaner and modular for others to create their own packers in the form of a plugin.
    2. Make Steamless have a UI instead of being a command line tool to help with those that were struggling to use it.
    3. Add support for the v2 packer in the public release.
    4. Add support for the new v3.1 variant of the DRM that was introduced recently.
    5. Prep the code base to be able to support 64bit versions of the DRM.
    6. Change the projects license to something more suitable for its nature.
    Thus, Steamless v3 was born. I dropped the '.NET' part of the name as I no longer supported the C/C++ version and just titled the project Steamless. A full rewrite of the code base was done and a UI written in WPF was born.

    Image


    Steamless v3 introduced a module setup for the unpackers of each variant version which makes updating things as well as adding support for other versions of the DRM a breeze.
    The UI was designed to be simple, to the point, and easy to use for anyone.

    I decided on the 'Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License' licensing system as well as the new license of the source code for the project as I felt the Creative Commons licenses better suited the project than the GNU GPL. The idea behind Steamless was more or less an educational project for myself, and I wanted to share that knowledge and information about DRM to others.
Gitlab vs. Github
  • During the Steamless project, I had moved from Github to Gitlab due to how Github's internal workings was happening. Employees were treated horribly and a full overhaul of the companies original motto and purpose was done. The CEO had become more or less a puppet to his investors and was more interested in money than his family he had created. I really disliked this and opt'd to move all my projects to Gitlab, a fully open source project similar to Github. While I still use Gitlab as my main repository site of choice for off-site hosting, Steamless felt like it was being neglected for not being on the 'mainstream' platform of choice by most developers. (You can read more about Githubs corruption here: http://www.businessinsider.com/github-t ... ory-2016-2)

    When I released Steamless v3's source code this past week, I felt it was in the best interest of the project to move it back to Github. Not because I like using Github or have changed my opinion about their company, but simply because Steamless was not getting the same level of attention it was before I moved it to Gitlab.
The Future of Steamless
  • From here forward, I would personally like to get Steamless to a point where it can support most, if not all, of the Steam DRM protected games. Along with that, I want to be able to have support for 32bit as well as 64bit in a single project. (Given that loading the file is not required, a single 32bit version of Steamless can cover both 32bit and 64bit unpacking.) However, my free time (or lack thereof) really prevents me from handling most of this. Which is why I opt'd to make Steamless an open source project from the start.

    I would love to see others interested in the topic of DRM as well as how packers work. While SteamStub DRM is not anything super amazing, it is a great DRM for beginners to get their feet wet in understanding and reversing. (The way I would describe it to people would be is that it is a glorified version of UPX with some customizations and anti-debugging protections.)

    My wishlist for Steamless going forward would be the following:
    • Support for SteamStub variant 1.
    • 32bit support for all variants.
    • 64bit support for all variants.
    • Proper support for TLS callbacks and options to handle those files as desired. (My newest commits to variant 3.1 demonstrate what I mean here.)
    • Some cleanup to the UI, nothing major as I made it basic to begin with.
Hello everyone,

This morning my server was backed up and moved to new hardware and then reimported on a new setup as my host is upgrading. Because of this, the last handful of hours has been 'lost' and a rollback to this mornings clone is now live.

Some posts / pm's may have bene lost.

Overall this should not impact nearly anyone and everything should continue to work as normal.