Manual unpacking ESP hardware breakpoint
Hello
I have noticed that in many tutorials about MUP (manual unpacking) with OllyDbg people use this method: press F7 until you see that the ESP register has changed (turned red), then right-click on ESP and choose Follow in Dump, select some bytes and set Breakpoint -> Hardware, on access -> Word, then press F9 (x times) and you are at the OEP (original entry point). This technique can be used with y0da's Crypter 1.x, Aspack 2.xx, Virogen Crypt... but not with Asprotect, Armadillo, SVKP. I am asking if anyone knows why to put a bp here on ESP (I know that it means "Extended Stack Pointer"); what exactly happens by putting a bp on ESP?
I'm not 100% sure on this, but if you consider that calling a function builds up a new frame on the stack and exiting a function destroys it, then setting a breakpoint on ESP at the start of a function would trigger the breakpoint when execution reaches the epilogue of the same function.
Very often procedures are started by this pattern:

PUSH EBP
MOV EBP,ESP
............

This is done in order to have the possibility to index the arguments (sample: MOV EAX,[EBP-4]) even if ESP is moving. So, when you break on EBP, you have some chance to go near the beginning of some procedure. But if you break on ESP as you say, I think you go directly into hell... try it :eek:
Protectors add a protective layer that executes before the real application.
But when the application gets control, the CPU registers need to be the same as if the OS had invoked it directly! The general layout is:

<save all registers>
execute protection code
<restore all registers>
go to application

Usually, this is implemented as:

pushad
<protection code>
popad
<go to application>

The basic idea is that if you set the breakpoint on ESP (and you can't bpm ESP at any time), it will break at the "restore all registers" stage (when they are popped back from the stack), which is normally very close to the point where the protection goes to the Original Entry Point (OEP). This assumes that once the registers are saved on the stack they aren't used until the time they are popped back. It's fairly easy for a protection to fool this method or to generate so many hits that it becomes useless.
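The pushad / popad layout and the on-access breakpoint it exposes can be modelled without a debugger. The following Python is an added illustration, not code from any post in this thread and not any real protector's stub: it simulates a tiny stack machine, arms a word-sized on-access watchpoint at ESP right after the first instruction that moves ESP (the "F7 until ESP changes" step), and reports where the watchpoint fires. Both stub programs (SIMPLE_STUB, NOISY_STUB), the OEP value and the instruction set are constructed for the example; NOISY_STUB shows the caveat from the last post, a stub that reads the saved registers back before popad and so produces hits well before the jump to the OEP.

```python
"""Model of the PUSHAD / <stub> / POPAD / JMP OEP layout and the ESP trick.

Added illustration (constructed), not code from the thread or any packer."""

WORD = 4
# Order in which PUSHAD writes the registers to the stack (EDI ends up at [ESP]).
PUSHAD_ORDER = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]


class Cpu:
    """Minimal 32-bit stack machine: just enough state for the trick."""

    def __init__(self, esp=0x0012FFC0):
        self.regs = {r: 0 for r in PUSHAD_ORDER}
        self.regs["ESP"] = esp
        self.mem = {}        # stack memory, dword-addressable
        self.watch = None    # (address, size) of the on-access hardware bp
        self.hits = []       # instruction indices at which the bp fired
        self.ip = 0

    def _access(self, addr, size):
        # A hardware "on access" breakpoint fires on any read or write that
        # overlaps the watched range.
        if self.watch is not None:
            wa, ws = self.watch
            if addr < wa + ws and wa < addr + size:
                self.hits.append(self.ip)

    def push(self, value):
        self.regs["ESP"] -= WORD
        self._access(self.regs["ESP"], WORD)
        self.mem[self.regs["ESP"]] = value & 0xFFFFFFFF

    def pop(self):
        self._access(self.regs["ESP"], WORD)
        value = self.mem[self.regs["ESP"]]
        self.regs["ESP"] += WORD
        return value

    def step(self, insn):
        """Execute one constructed instruction; return a jump target or None."""
        op, *args = insn
        if op == "pushad":
            esp0 = self.regs["ESP"]
            for r in PUSHAD_ORDER:
                self.push(esp0 if r == "ESP" else self.regs[r])
        elif op == "popad":
            for r in reversed(PUSHAD_ORDER):
                v = self.pop()
                if r != "ESP":           # real POPAD discards the saved ESP
                    self.regs[r] = v
        elif op == "mov":                # mov reg, imm
            self.regs[args[0]] = args[1]
        elif op == "load":               # mov reg, [esp+disp]
            reg, disp = args
            addr = self.regs["ESP"] + disp
            self._access(addr, WORD)
            self.regs[reg] = self.mem[addr]
        elif op == "push":
            self.push(self.regs[args[0]] if isinstance(args[0], str) else args[0])
        elif op == "pop":
            self.regs[args[0]] = self.pop()
        elif op == "jmp":
            return args[0]
        else:
            raise ValueError(op)
        self.ip += 1
        return None


def esp_trick(program):
    """Replay the tutorial recipe on a stub.

    F7 until ESP moves, arm a word-sized on-access bp at the new ESP, then
    run. Returns (index of the first instruction that fired the bp, jump
    target reached, total number of hits)."""
    cpu = Cpu()
    esp_before = cpu.regs["ESP"]
    while cpu.ip < len(program):                 # single-step until ESP changes
        cpu.step(program[cpu.ip])
        if cpu.regs["ESP"] != esp_before:
            break
    cpu.watch = (cpu.regs["ESP"], 2)             # Follow in Dump -> hw bp, on access, word
    first_hit, oep = None, None
    while cpu.ip < len(program):                 # F9
        target = cpu.step(program[cpu.ip])
        if cpu.hits and first_hit is None:
            first_hit = cpu.hits[0]
        if target is not None:
            oep = target
            break
    return first_hit, oep, len(cpu.hits)


OEP = 0x00401000                                 # constructed OEP value

# Constructed stand-in for a well-behaved stub: its own stack use stays
# below the saved-register area, so the only hit is the POPAD.
SIMPLE_STUB = [
    ("pushad",),
    ("mov", "EAX", 0x1234),                      # unpacking work stands in here
    ("mov", "ECX", 0x10),
    ("push", 0xDEAD),
    ("pop", "EAX"),
    ("popad",),
    ("jmp", OEP),
]

# Constructed stub that reads the saved registers back before POPAD: the
# bp fires three times before the "restore all registers" stage.
NOISY_STUB = [
    ("pushad",),
    ("load", "EAX", 0),
    ("load", "EBX", 0),
    ("load", "ECX", 0),
    ("popad",),
    ("jmp", OEP),
]

if __name__ == "__main__":
    print("simple:", esp_trick(SIMPLE_STUB))    # first hit is the POPAD
    print("noisy: ", esp_trick(NOISY_STUB))     # first hit is the first load
```

With SIMPLE_STUB the first hit is the popad (instruction 5), one instruction before the jump; with NOISY_STUB the same watchpoint fires on the first read of [ESP], so the first break is nowhere near the jump and the analyst has to keep pressing F9 and count hits.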