#1
Damn, I am writing this a second time 'coz my comp didn't respond.

Well, let's go:

In OllyDbg select Debugging options > SFX > Trace real entry bytewise. Pass all exceptions with Shift+F9.

Example of OEP with stolen bytes:

```
004010CD 0000   ADD BYTE PTR DS:[EAX],AL
004010CF 0000   ADD BYTE PTR DS:[EAX],AL
004010D1 0000   ADD BYTE PTR DS:[EAX],AL
004010D3 0000   ADD BYTE PTR DS:[EAX],AL
004010D5 0000   ADD BYTE PTR DS:[EAX],AL
004010D7 0000   ADD BYTE PTR DS:[EAX],AL
004010D9 0000   ADD BYTE PTR DS:[EAX],AL
004010DB 0000   ADD BYTE PTR DS:[EAX],AL
004010DD 0000   ADD BYTE PTR DS:[EAX],AL
004010DF 75 13  JNZ SHORT NOTEPAD.004010F4   ; Real entry point of SFX code
```

OllyDbg stops at 004010DF. Those ADD BYTE PTR DS:[EAX],AL are stolen bytes. I think you can get the original bytes like with Aspr (trace ESP==EBP) and fix the OEP of the dumped file. But if there are no stolen bytes, OllyDbg stops at the OEP.

IAT fixing: In ImpREC you will have to manually input the info about RVA and Size, 'coz ImpREC itself won't find anything. Do a binary search in OllyDbg for FF25, right-click > Follow in Dump > Memory address on any of them, and in the dump we have the IAT table. Now you only have to find the beginning and end of the IAT in order to get its size.

Example of those FF25:

```
00404E72 - FF25 14654000  JMP NEAR DWORD PTR DS:[406514]  ; COMDLG32.CommDlgExtendedError
00404E78 - FF25 10654000  JMP NEAR DWORD PTR DS:[406510]  ; COMDLG32.GetSaveFileNameA
00404E7E - FF25 0C654000  JMP NEAR DWORD PTR DS:[40650C]  ; COMDLG32.PageSetupDlgA
```

I think your target has stolen bytes.
Last edited by hosiminh; 11-04-2004 at 16:36.
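A small script that does the FF25 search from the post and works out the RVA and Size pair that ImpREC asks for, added here as an example and not part of hosiminh's post. It assumes a dump whose raw layout matches memory (file offset == RVA), an image base of 00400000 and a SizeOfImage of 0x10000 (all constructed), and uses the three thunks quoted above as its sample input.

```python
import struct

IMAGE_BASE = 0x00400000   # assumption: image base of the dumped target
IMAGE_SIZE = 0x00010000   # assumption: SizeOfImage, used to reject bogus targets

# Constructed sample: the three FF25 thunks quoted in the post, laid out as they
# sit in a dump whose file layout matches memory (raw offset == RVA).
# Each thunk is FF 25 <imm32>: JMP DWORD PTR DS:[imm32], imm32 an absolute VA.
SAMPLE_RVA = 0x4E72   # RVA of the first thunk (00404E72 in the post)
SAMPLE_CODE = (
    b"\xFF\x25" + struct.pack("<I", 0x406514)    # COMDLG32.CommDlgExtendedError
    + b"\xFF\x25" + struct.pack("<I", 0x406510)  # COMDLG32.GetSaveFileNameA
    + b"\xFF\x25" + struct.pack("<I", 0x40650C)  # COMDLG32.PageSetupDlgA
)

def find_jmp_thunks(code, code_rva, image_base=IMAGE_BASE, image_size=IMAGE_SIZE):
    """Scan `code` for JMP DWORD PTR [imm32] (FF 25) thunks.

    Returns [(thunk_rva, slot_va)] where slot_va is the IAT entry the jump
    reads. FF 25 pairs whose operand does not point inside the image are
    ignored, since they are just coincidental bytes, not import thunks."""
    hits = []
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0xFF and code[i + 1] == 0x25:
            slot = struct.unpack_from("<I", code, i + 2)[0]
            if image_base <= slot < image_base + image_size:
                hits.append((code_rva + i, slot))
                i += 6          # skip over the whole 6-byte instruction
                continue
        i += 1
    return hits

def iat_bounds(thunks, image_base=IMAGE_BASE):
    """Derive the (RVA, Size, gaps) ImpREC needs from the thunk slot addresses.

    Start is the lowest slot; size spans up to and including the highest 4-byte
    slot. `gaps` counts slots the scan never saw (a second IAT chunk or a thunk
    the packer rewrote), which is worth checking by hand in the dump window."""
    slots = sorted({va for _, va in thunks})
    if not slots:
        return None
    start, end = slots[0], slots[-1] + 4
    size = end - start
    gaps = size // 4 - len(slots)
    return (start - image_base, size, gaps)
```

With the sample input this gives RVA 0x650C and Size 0xC with no gaps, which is exactly what you would type into ImpREC for those three COMDLG32 entries.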
#2
thank you for your post.
I will try with your info.