From Collaborative RCE Knowledge Library


Tidbits

This master category contains tidbits of knowledge.

The definition of "tidbit of knowledge" here is any kind of text note (usually of small to medium size), mainly aimed at documenting and conveying theoretical knowledge of different kinds, often specific to a certain situation, problem or technical area of relevance within the field of reversing.

An important difference between a tidbit and an article is that a tidbit will never refer to any kind of independent document or other written work, but all the information of the tidbit will rather be contained in the description text of the library entry itself. This does not mean that this description information cannot refer to any other information sources though, it just means that the main subject of the information has to be the library entry itself, not any third-party knowledge entity that it merely "points to".

Tidbits are typically used for documenting and archiving useful pieces of information that have been picked up from different kinds of discussions or personal notes, without having their origin in any specific document or other kind of written work.


Item name: Anti-debugging trick: ZwSetInformationThread with ThreadHideFromDebugger
Rating: 0.0 (0 votes)
Author: jstorme
Home URL: http://www.woodmann.com/forum/showthread.php?t=13438
Last updated: February 23, 2010
Version (if appl.):
Direct D/L link: N/A
Description: The function ZwSetInformationThread can be called with the ThreadHideFromDebugger parameter to prevent any debugger attached to a thread from receiving exceptions raised by that thread.
Also listed in: Windows Anti Reversing Tidbits



Item name: GDB Reference Card
Rating: 0.0 (0 votes)
Author: Free Software Foundation
Home URL: http://www.fsf.org/
Last updated: 1998
Version (if appl.): v4
Direct D/L link: http://users.ece.utexas.edu/~adnan/gdb-refcard.pdf
Description: This reference card gives you, at a glance, the options needed to master GDB on any UNIX-like platform.
Also listed in: Linux Tool Tidbits, Mac OS Tool Tidbits



Item name: Pinczakko's guide to Award BIOS reverse engineering
Rating: 0.0 (0 votes)
Author: Pinczakko
Home URL: http://sites.google.com/site/pinczakko/
Last updated: 2010
Version (if appl.):
Direct D/L link: http://sites.google.com/site/pinczakko/pinczakko-s-guide-to-award-bios-reverse-engineering
Description: 1. Foreword
2. Prerequisite
2.1. PCI BUS
2.2. ISA BUS
3. Some Hardware Peculiarities
3.1. BIOS Chip Addressing
3.2. Obscure Hardware Port
3.3. "Relocatable" Hardware Port
3.4. Expansion ROM Handling
4. Some Software Peculiarities
4.1. Call Instruction Peculiarity
4.2. Retn Instruction Peculiarity
5. Our Tools of Trade
5.1. What do we need anyway?
5.2. Intro to IDA Pro Techniques
5.2.1. Introducing IDA Pro
5.2.2. IDA Pro Scripting and Key Bindings
6. Award BIOS File Structure
6.1. The Compressed Components
6.2. The Pure Binary Components
6.3. The Memory Map In The Real System (Mainboard)
7. Disassembling the BIOS
7.1. Bootblock
7.1.1. "Virtual Shutdown" routine
7.1.2. Chipset_Reg_Early_Init routine
7.1.3. Init_Interrupt_n_PwrMgmt routine
7.1.4. Call To "Early Silicon Support" Routine
7.1.5. Bootblock Is Copied And Executed In RAM
7.1.6. Call to bios decompression routine and the jump into decompressed system bios
7.1.6.1. Enable FFF80000h-FFFDFFFFh decoding
7.1.6.2. Copy lower 128KB of BIOS code from ROM chip into RAM
7.1.6.3. Disable FFF8_0000h-FFFD_FFFFh decoding
7.1.6.4. Verify checksum of the whole compressed BIOS image
7.1.6.5. Look for the decompression engine
7.1.6.6. Decompress the compressed BIOS components
7.1.6.6.a. The format of the LZH level-1 compressed bios components
7.1.6.6.b. The location of various checksums
7.1.6.6.c. The key parts of the decompression routine
7.1.6.7. Shadow the BIOS code
7.1.6.8. Enable the microprocessor cache then jump into the decompressed system BIOS
7.2. System BIOS a.k.a Original.tmp
7.2.1. Entry point from "Bootblock in RAM"
7.2.2. The awardext.rom and Extension BIOS Components (lower 128KB bios-code) Relocation Routine
7.2.3. Call to the POST routine a.k.a "POST jump table execution"
7.2.4. The "segment vector" Routines
7.2.5. "chksum_ROM" Procedure
7.2.6. Original.tmp Decompression Routine for The "Extension_BIOS Components"
7.2.7. Microcode Update Routine
8. Rants and Raves
9. Closing
Also listed in: X86 Internals Tidbits



Item name: Using OllyDbg as an API logger
Rating: 0.0 (0 votes)
Author: arebc
Home URL: http://www.woodmann.com/forum/showthread.php?13706-How-can-I-learn-to-make-an-auto-unpacking-script-for-programs-I-have-unpacked&p=86997&viewfull=1#post86997
Last updated: June 25, 2010
Version (if appl.):
Direct D/L link: N/A
Description: To use OllyDbg as an API logger: right-click > Search for > All intermodular calls > right-click on the calls > Set log breakpoint on every command > select the option to log the value of the expression on condition.
Also listed in: Windows Reversing Technique Tidbits, Windows Tool Tidbits



