#5
Yes, I was unable to find the OEP.

I tried your advice. I ultimately reached 00B65C58. Is this the OEP? I have marked it in the code below (SoftICE). How can I confirm that? I also did not understand the principle behind the breakpoints.

___________________________________________________________
EAX=0012F750 EBX=00CFC000 ECX=0012F798 EDX=00050001
ESI=0012F6F0 EDI=00000001 EBP=0012F6FC ESP=0012F6E0
EIP=00CFD550 CS=001B DS=0023 SS=0023 o d I a z a p c
ES=0023 FS=0030 GS=0000
__________Mydll!.pec______________________________________
001B:00CFBFF9 FFFF          INVALID
001B:00CFBFFB FFFF          INVALID
001B:00CFBFFD FFFF          INVALID
001B:00CFBFFF FFE3          JMP  EBX            // BREAK DUE TO EMBEDDED INT3
001B:00CFC001 06            PUSH ES
001B:00CFC002 68585C0D00    PUSH 000D5C58
001B:00CFC007 C3            RET
001B:00CFC008 9C            PUSHFD              // SAVE REGISTERS
001B:00CFC009 60            PUSHAD              // SAVE REGISTERS
001B:00CFC00A E802000000    CALL 00CFC011
001B:00CFC00F 33C0          XOR  EAX,EAX
001B:00CFC011 8BC4          MOV  EAX,ESP
001B:00CFC013 83C004        ADD  EAX,04
001B:00CFC016 93            XCHG EAX,EBX
001B:00CFC017 8BE3          MOV  ESP,EBX
________________________________________________________________
// snipped

Break due to GetProcAddress [after F5]
001B:77E7A5D9 50            PUSH EAX
001B:77E7A5DA FF15AC12E677  CALL [ntdll!RtlImageNtHeader]
001B:77E7A5E0 85C0          TEST EAX,EAX
001B:77E7A5E2 0F84178FFFFF  JZ   77E734FF
001B:77E7A5E8 6683785C03    CMP  WORD PTR [EAX+5C],03
001B:77E7A5ED 0F850C8FFFFF  JNZ  77E734FF
001B:77E7A5F3 33C0          XOR  EAX,EAX
001B:77E7A5F5 40            INC  EAX
001B:77E7A5F6 C3            RET
001B:77E7A5F7 FF257C13E677  JMP  [ntdll!LdrGetProcedureAddress]
KERNEL32!GetProcAddress
001B:77E7A5FD 55            PUSH EBP            // Break due to GetProcAddress
001B:77E7A5FE 8BEC          MOV  EBP,ESP
001B:77E7A600 51            PUSH ECX
001B:77E7A601 51            PUSH ECX
001B:77E7A602 53            PUSH EBX
-------------------------------------------------------------------
// snipped

I put
bpm 0012F6E0-4
bpm 0012F6E0-3
bpm 0012F6E0-2
bpm 0012F6E0-1
then pressed F5.

Break due to BP 04: BPMB #001B:0012F6DF RW DR0
001B:00CFD52C 8D956BA14000  LEA  EDX,[EBP+0040A16B]
001B:00CFD532 6A40          PUSH 40
001B:00CFD534 52            PUSH EDX
001B:00CFD535 FFB53D974000  PUSH DWORD PTR [EBP+0040973D]
001B:00CFD53B FFB539974000  PUSH DWORD PTR [EBP+00409739]
001B:00CFD541 E8F40A0000    CALL 00CFE03A
001B:00CFD546 85C0          TEST EAX,EAX
001B:00CFD548 0F859DFDFFFF  JNZ  00CFD2EB
001B:00CFD54E 61            POPAD
001B:00CFD54F 9D            POPFD               // Restore registers
001B:00CFD550 50            PUSH EAX
001B:00CFD551 68585CB600    PUSH 00B65C58
001B:00CFD556 C20400        RET  4
001B:00CFD559 8BB55B974000  MOV  ESI,[EBP+0040975B]
---------------------------------------Mydll.pec+152C-----------------------
// snipped

Traced with F8; after that it reaches here:
001B:00B65C58 55            PUSH EBP            // ??? OEP
001B:00B65C59 8BEC          MOV  EBP,ESP
001B:00B65C5B 83C4C4        ADD  ESP,-3C
001B:00B65C5E B8B059B600    MOV  EAX,00B659B0
001B:00B65C63 E8CC0CF3FF    CALL 00A96934
001B:00B65C68 A1F47FB600    MOV  EAX,[00B67FF4]
001B:00B65C6D 8B00          MOV  EAX,[EAX]
001B:00B65C6F E85CCBF9FF    CALL 00B027D0
001B:00B65C74 A1F47FB600    MOV  EAX,[00B67FF4]
001B:00B65C79 8B00          MOV  EAX,[EAX]
001B:00B65C7B 33D2          XOR  EDX,EDX
001B:00B65C7D E846C7F9FF    CALL 00B023C8
001B:00B65C82 8B0DDC7CB600  MOV  ECX,[00B67CDC]
001B:00B65C88 A1F47FB600    MOV  EAX,[00B67FF4]
001B:00B65C8D 8B00          MOV  EAX,[EAX]
001B:00B65C8F 8B151C7FB400  MOV  EDX,[00B47F1C]
001B:00B65C95 E84ECBF9FF    CALL 00B027E8
001B:00B65C9A E891E8F2FF    CALL 00A94530
001B:00B65C9F 90            NOP
001B:00B65CA0 0000          ADD  [EAX],AL
001B:00B65CA2 0000          ADD  [EAX],AL
001B:00B65CA4 0000          ADD  [EAX],AL
-------------------------------------------------------------------
Last edited by drasd_20002; 04-30-2003 at 12:59.
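An added illustration (not part of the post above, and not the DLL or SoftICE itself): a small Python model of the two things the post's trace relies on. First, why a bpm on the dword just below the stub's entry ESP fires on the POPFD that immediately precedes the transfer to the OEP: the PUSHFD/PUSHAD at entry write that dword, the unpacker's own work stays below it, and the matching POPAD/POPFD is the next thing to touch it. Second, how the PUSH 00B65C58 / RET 4 bytes at 00CFD551 resolve to the candidate OEP, and a quick check that the bytes there look like a compiler prologue. ENTRY_ESP, the byte strings and the instruction addresses are copied from the listing in the post; the register values, the "work" step and the stack model are constructed simplifications, not an emulator.

```python
import struct

# Bytes copied from the post's listing (constructed input for this example).
TAIL_JUMP_BYTES = bytes.fromhex("68585cb600c20400")          # 00CFD551: PUSH 00B65C58 ; RET 4
OEP_BYTES = bytes.fromhex("558bec83c4c4b8b059b600")          # 00B65C58: PUSH EBP ; MOV EBP,ESP ; ...
ENTRY_ESP = 0x0012F6E0   # ESP before the stub's PUSHFD (from the register dump in the post)

PUSHAD_ORDER = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")


class WatchedStack:
    """Minimal x86 stack with one byte-granular RW watchpoint, like a SoftICE bpm."""

    def __init__(self, esp):
        self.esp = esp
        self.mem = {}        # dword address -> value
        self.watch = None    # watched byte address, None = disarmed
        self.hits = []       # (eip, "R" or "W") for every access that touches the watch

    def arm(self, addr):
        self.watch = addr

    def _check(self, eip, kind):
        # A dword access at ESP covers bytes ESP..ESP+3.
        if self.watch is not None and self.esp <= self.watch < self.esp + 4:
            self.hits.append((eip, kind))

    def push(self, eip, value):
        self.esp -= 4
        self._check(eip, "W")
        self.mem[self.esp] = value

    def pop(self, eip):
        self._check(eip, "R")
        value = self.mem.get(self.esp, 0)
        self.esp += 4
        return value


def run_stub(stack, arm_at="work"):
    """Replay the stack traffic of the stub in the post.

    arm_at="work" arms the watch after the saves (as the post did, at the
    GetProcAddress break); arm_at="entry" arms it before PUSHFD.
    Register contents are made up; only the push/pop sequence matters here.
    """
    regs = {"eflags": 0x246, "eax": 1, "ecx": 2, "edx": 3, "ebx": 4,
            "esp": 0, "ebp": 5, "esi": 6, "edi": 7}
    if arm_at == "entry":
        stack.arm(ENTRY_ESP - 4)
    stack.push(0x00CFC008, regs["eflags"])             # PUSHFD
    regs["esp"] = stack.esp                            # PUSHAD stores the pre-PUSHAD ESP
    for r in PUSHAD_ORDER:                             # PUSHAD
        stack.push(0x00CFC009, regs[r])
    if arm_at == "work":
        stack.arm(ENTRY_ESP - 4)
    # Unpacking work (decompression, GetProcAddress calls): its frames sit
    # below the saved block, so they never touch the watched dword.
    stack.push(0x00CFD000, 0xDEADBEEF)
    stack.pop(0x00CFD000)
    for r in reversed(PUSHAD_ORDER):                   # POPAD (the ESP slot is discarded)
        v = stack.pop(0x00CFD54E)
        if r != "esp":
            regs[r] = v
    regs["eflags"] = stack.pop(0x00CFD54F)             # POPFD: first read of the watched dword
    return regs


def decode_push_ret(code):
    """Return the target of a 'PUSH imm32 ; RET [imm16]' transfer, else None."""
    if len(code) >= 6 and code[0] == 0x68 and code[5] in (0xC2, 0xC3):
        return struct.unpack_from("<I", code, 1)[0]
    return None


def looks_like_frame_prologue(code):
    """PUSH EBP ; MOV EBP,ESP is the usual compiler-generated entry prologue."""
    return code[:3] == b"\x55\x8b\xec"


def analyse():
    st = WatchedStack(ENTRY_ESP)
    run_stub(st)
    return {"hits": st.hits, "final_esp": st.esp,
            "target": decode_push_ret(TAIL_JUMP_BYTES),
            "prologue": looks_like_frame_prologue(OEP_BYTES)}


if __name__ == "__main__":
    r = analyse()
    for eip, kind in r["hits"]:
        print(f"watch hit: {kind} at {eip:08X}")
    print(f"ESP after restore: {r['final_esp']:08X}")
    print(f"tail-jump target: {r['target']:08X}, prologue: {r['prologue']}")
```

With the watch armed after the saves, the only hit is the read by POPFD at 00CFD54F, which is the break the post shows (SoftICE reports EIP after the instruction, hence 00CFD550); armed at entry it would also fire on the PUSHFD write, which is why the bpm is normally set once the stub has already saved its registers. Decoding the PUSH/RET gives 00B65C58, and the bytes there start with the PUSH EBP / MOV EBP,ESP prologue. The usual sanity checks before calling such an address the OEP are that it lies in the original module's code section rather than the unpacker's own section, and that it begins with a recognisable compiler prologue; a target that fails either is a sign of a further stub stage.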