Yes, I was unable to find the OEP.
I tried your advice.
I ultimately reached 00B65C58.
Is this the OEP? I have marked it in the code below (SoftICE).
How do I confirm that?
I also did not understand the principle behind the breakpoints.
___________________________________________________________
EAX=0012F750 EBX=00CFC000 ECX=0012F798 EDX=00050001 ESI=0012F6F0
EDI=00000001 EBP=0012F6FC ESP=0012F6E0 EIP=00CFD550 CS=001B DS=0023
SS=0023 o d I a z a p c
ES=0023 FS=0030 GS=0000
__________Mydll!.pec______________________________________
001B:00CFBFF9 FFFF INVALID
001B:00CFBFFB FFFF INVALID
001B:00CFBFFD FFFF INVALID
001B:00CFBFFF FFEB JMP EBX //BREAK DUE TO EMBEDDED INT3
001B:00CFC001 06 PUSH ES
001B:00CFC002 68585C0D00 PUSH 000D5C58
001B:00CFC007 C3 RET
001B:00CFC008 9C PUSHFD //SAVE REGISTERS
001B:00CFC009 60 PUSHAD //SAVE REGISTERS
001B:00CFC00A E802000000 CALL 00CFC011
001B:00CFC00F 33C0 XOR EAX , EAX
001B:00CFC011 8BC4 MOV EAX, ESP
001B:00CFC013 83C004 ADD EAX , 04
001B:00CFC016 93 XCHG EAX, EBX
001B:00CFC017 8BE3 MOV ESP, EBX
________________________________________________________________
//snipped
Break due to GetProcAddress [after F5]
001B:77E7A5D9 50 PUSH EAX
001B:77E7A5DA FF15AC12E677 CALL [ntdll!RtlImageNtHeader]
001B:77E7A5E0 85C0 TEST "EAX , EAX"
001B:77E7A5E2 0F84178FFFFF JZ 77E734FF
001B:77E7A5E8 6683785C03 CMP "WORD PTR [EAX+5C],03"
001B:77E7A5ED 0F850C8FFFFF JNZ 77E734FF
001B:77E7A5F3 33C0 XOR "EAX , EAX"
001B:77E7A5F5 40 INC EAX
001B:77E7A5F6 C3 RET
001B:77E7A5F7 FF257C13E677 JMP [ntdll!LdrGetProcedureAddress]
KERNEL32!GetProcAddress
001B:77E7A5FD 55 PUSH EBP //Break due to GetProcAddress
001B:77E7A5FE 8BEC MOV "EBP, ESP"
001B:77E7A600 51 PUSH ECX
001B:77E7A601 51 PUSH ECX
001B:77E7A602 53 PUSH EBX
-------------------------------------------------------------------
//snipped
I put
bpm 0012F6E0-4
bpm 0012F6E0-3
bpm 0012F6E0-2
bpm 0012F6E0-1
then pressed F5
Break due to BP 04: BPMB #001B:0012F6DF RW DR0
001B:00CFD52C 8D956BA14000 LEA "EDX, [EBP+0040A16B]"
001B:00CFD532 6A40 PUSH 40
001B:00CFD534 52 PUSH EDX
001B:00CFD535 FFB53D974000 PUSH DWORD PTR [EBP+0040973D]
001B:00CFD53B FFB539974000 PUSH DWORD PTR [EBP+00409739]
001B:00CFD541 E8F40A0000 CALL 00CFE03A
001B:00CFD546 85C0 TEST "EAX , EAX"
001B:00CFD548 0F859DFDFFFF JNZ 00CFD2EB
001B:00CFD54E 61 POPAD
001B:00CFD54F 9D POPFD //Restore registers
001B:00CFD550 50 PUSH EAX
001B:00CFD551 68585CB600 PUSH 00B65C58
001B:00CFD556 C20400 RET 4
001B:00CFD559 8BB55B974000 MOV "ESI,[EBP+0040975B]"
---------------------------------------Mydll.pec+152C-----------------------
//snipped
Traced with F8 after that reaches here:
001B:00B65C58 55 PUSH EBP //??? OEP
001B:00B65C59 8BEC MOV "EBP, ESP"
001B:00B65C5B 83C4C4 ADD "ESP,-3C"
001B:00B65C5E B8B059B600 MOV "EAX,00B659B0"
001B:00B65C63 E8CC0CF3FF CALL 00A96934
001B:00B65C68 A1F47FB600 MOV "EAX,[00B67FF4]"
001B:00B65C6D 8B00 MOV "EAX, [EAX]"
001B:00B65C6F E85CCBF9FF CALL 00B027D0
001B:00B65C74 A1F47FB600 MOV "EAX,[00B67FF4]"
001B:00B65C79 8B00 MOV "EAX, [EAX]"
001B:00B65C7B 33D2 XOR "EDX,EDX"
001B:00B65C7D E846C7F9FF CALL 00B023C8
001B:00B65C82 8B0DDC7CB600 MOV "ECX,[00B67CDC]"
001B:00B65C88 A1F47FB600 MOV "EAX,[00B67FF4]"
001B:00B65C8D 8B00 MOV "EAX, [EAX]"
001B:00B65C8F 8B151C7FB400 MOV "EDX,[00B47F1C]"
001B:00B65C95 E84ECBF9FF CALL 00B027E8
001B:00B65C9A E891E8F2FF CALL 00A94530
001B:00B65C9F 90 NOP
001B:00B65CA0 0000 ADD "[EAX],AL"
001B:00B65CA2 0000 ADD "[EAX],AL"
001B:00B65CA4 0000 ADD "[EAX],AL"
-------------------------------------------------------------------
Last edited by drasd_20002; 04-30-2003 at 12:59.
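As an added example (not from this post, and not code from the PECompact author), here are the checks a practitioner runs once the stub's final RET lands somewhere: a pure-Python PE32 section-table parser that reports which section a candidate address falls in, whether that section is the one holding the header entry point (the section the unpacking stub runs from, .pec in the dump above), and whether the bytes there open with the PUSH EBP / MOV EBP,ESP prologue seen at 00B65C58. The PE it parses is a constructed in-memory sample, scaled down: ImageBase 00A90000 is an assumption taken from 00B65C58 - 000D5C58 in the dump, and the .text (RVA 1000) and .pec (RVA 3000) placements are made up. For a real file, pass its bytes to `classify_candidate_oep` instead of the sample.

```python
"""Classify a candidate OEP against the PE section table (added example)."""
import struct

IMAGE_BASE = 0x00A90000  # assumption: 00B65C58 - 000D5C58 from the post's PUSH values
PROLOGUE = bytes.fromhex("558BEC")  # PUSH EBP / MOV EBP,ESP, as at 00B65C58 in the dump


def build_sample_image():
    """Construct a minimal PE32 file in memory (constructed sample, scaled down).

    .text holds the candidate OEP bytes; the header entry point is inside .pec,
    which stands in for the packer stub's section."""
    sections = [
        # name, virtual address, virtual size, raw offset, raw size
        (b".text", 0x1000, 0x1000, 0x400, 0x1000),
        (b".pec", 0x3000, 0x1000, 0x1400, 0x1000),
    ]
    entry_rva = 0x3000                                  # stub section is the entry point
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)           # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, IMAGE_BASE)          # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)              # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)               # FileAlignment
    struct.pack_into("<I", opt, 56, 0x4000)              # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x400)               # SizeOfHeaders
    sec_tbl = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va, rsize, roff,
                    0, 0, 0, 0, 0x60000020)
        for name, va, vsize, roff, rsize in sections)
    image = bytearray(0x2400)
    image[:0x40] = dos
    hdr = b"PE\0\0" + file_hdr + bytes(opt) + sec_tbl
    image[0x40:0x40 + len(hdr)] = hdr
    # .text raw data: the prologue from the dump, placed at RVA 1058 (constructed offset)
    image[0x458:0x458 + 6] = bytes.fromhex("558BEC83C4C4")
    # .pec raw data: PUSHFD / PUSHAD, modelled on the stub start in the dump (constructed)
    image[0x1400:0x1402] = bytes.fromhex("9C60")
    return bytes(image)


def parse_sections(pe):
    """Return (image_base, entry_rva, sections) from a PE32 file's bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    secs = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name, vsize, va, rsize, roff = struct.unpack_from("<8sIIII", pe, off)
        secs.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, roff, rsize))
    return image_base, entry_rva, secs


def section_for_rva(secs, rva):
    """Find the section whose virtual range covers rva, or None."""
    for sec in secs:
        _, va, vsize, _, rsize = sec
        if va <= rva < va + max(vsize, rsize):
            return sec
    return None


def classify_candidate_oep(pe, va):
    """Report where a candidate OEP (virtual address) lands and what it looks like."""
    image_base, entry_rva, secs = parse_sections(pe)
    rva = va - image_base
    sec = section_for_rva(secs, rva)
    packer_sec = section_for_rva(secs, entry_rva)      # section the stub runs from
    report = {"rva": rva, "section": sec[0] if sec else None,
              "in_packer_section": sec is not None and sec is packer_sec,
              "has_prologue": False}
    if sec is not None:
        _, sva, _, roff, rsize = sec
        if rva - sva < rsize:                           # bytes exist in the file
            file_off = roff + (rva - sva)
            report["has_prologue"] = pe[file_off:file_off + 3] == PROLOGUE
    return report


if __name__ == "__main__":
    sample = build_sample_image()
    for candidate in (0x00A91058, 0x00A93000):
        print(hex(candidate), classify_candidate_oep(sample, candidate))
```

The report answers the "how to confirm" question with the two usual tests: a genuine OEP lies in the original code section rather than in the section the unpacking stub executes from, and a compiler-generated entry normally opens with a standard frame setup. A candidate that fails either test is most likely still inside the stub, so keep tracing.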