Exetools  

  #1  
09-20-2004, 15:33
hosiminh
Manual unpacking ESP hardware breakpoint

Hello

I have noticed that in many tutorials about MUP with OllyDbg (manual unpacking) people use this method: press F7 until you see that the ESP register has changed (become red), then right click on ESP and choose Follow in Dump, then select some bytes and put Breakpoint -> Hardware, on Access -> Word, then press F9 (x times) and you are at the OEP (original entry point).
This technique can be used with y0da's Crypter 1.x, ASPack 2.xx, Virogen Crypt... but not with ASProtect, Armadillo, SVKP.


I am asking if anyone knows why the bp is put on ESP here (I know that it means "Extended Stack Pointer"); what exactly happens by putting a bp on ESP?
  #2  
09-21-2004, 03:31
upb
I'm not 100% sure on this, but if you consider that calling a function builds up a new frame on the stack and exiting a function destroys it, then setting a breakpoint on ESP at the start of a function would trigger the breakpoint when the execution reaches the epilogue of the same function.
  #3  
09-21-2004, 05:41
Michel
Very often procedures are started by this pattern:

PUSH EBP
MOV EBP,ESP
............

This is done in order to have the possibility to index the arguments (sample: MOV EAX,[EBP-4]) even if ESP is moving.

So, when you break on EBP, you have some chance to go near the beginning of some procedure.

But if you break on ESP as you say, I think you go directly into hell... try it
  #4  
09-21-2004, 10:39
doug
Protectors add a protective layer that executes before the real application.
But, when the application gets the control, the cpu registers need to be the same as if the OS invoked it directly!

The general layout is:
<save all registers>
execute protection code
<restore all registers>
go to application

Usually, this is implemented as:
pushad
<protection code>
popad
<go to application>

The basic idea is that if you set the breakpoint on ESP (and you can't bpm esp at any time), it will break at the "restore all registers" stage (when they are popped back from the stack), which is normally very close to the point where the protection goes to the Original Entry Point (OEP).

This assumes that once the registers are saved on the stack they aren't used until the time when they are popped back. It's fairly easy for a protection to fool this method or to generate so many hits that it becomes useless.
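An added illustration, not code from the thread or from any of the posters: a small Python model of the PUSHAD / protection code / POPAD layout that doug describes, with an "on access" hardware watchpoint armed on the word at ESP right after PUSHAD (the OllyDbg "Follow in Dump -> Hardware, on access -> Word" step from the first post). With a well-behaved stub the watchpoint fires exactly once, on POPAD, one instruction before the jump to the OEP. A second constructed stub reads its own saved-register area early, which reproduces doug's caveat that the trick produces extra hits before the real one. All addresses, register values, the mnemonic names and both stub listings are constructed for the example.

```python
# Toy model of the "ESP trick": a PUSHAD/POPAD protector stub on a simulated
# stack with a hardware "on access" watchpoint. Constructed example, not code
# from the thread. Addresses and stub contents are made up.

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # PUSHAD order


class Cpu:
    def __init__(self):
        self.regs = {r: 0 for r in REGS}
        self.regs["esp"] = 0x0012FFC4      # constructed initial stack pointer
        self.mem = {}                      # dword-addressed stack memory
        self.watch = None                  # (address, size) of the hw breakpoint
        self.hits = []                     # (instruction index, mnemonic) per hit
        self.pc = 0
        self.oep = None                    # set when the stub jumps to the app

    def _access(self, addr, size, mnem):
        """Record a hit if [addr, addr+size) overlaps the watched bytes."""
        if self.watch is None:
            return
        waddr, wsize = self.watch
        if addr < waddr + wsize and addr + size > waddr:
            self.hits.append((self.pc, mnem))

    def push(self, val, mnem):
        self.regs["esp"] -= 4
        self._access(self.regs["esp"], 4, mnem)
        self.mem[self.regs["esp"]] = val

    def pop(self, mnem):
        self._access(self.regs["esp"], 4, mnem)
        val = self.mem[self.regs["esp"]]
        self.regs["esp"] += 4
        return val

    def pushad(self):
        esp0 = self.regs["esp"]            # PUSHAD stores the pre-push ESP
        for r in REGS:
            self.push(esp0 if r == "esp" else self.regs[r], "pushad")

    def popad(self):
        for r in reversed(REGS):
            val = self.pop("popad")
            if r != "esp":                 # POPAD discards the saved ESP
                self.regs[r] = val


def run(program):
    """Execute (mnemonic, *operands) tuples; the watchpoint is armed on the
    word at ESP right after PUSHAD, as the OllyDbg recipe does."""
    cpu = Cpu()
    for cpu.pc, (mnem, *ops) in enumerate(program):
        if mnem == "pushad":
            cpu.pushad()
            cpu.watch = (cpu.regs["esp"], 2)   # "Hardware, on access -> Word"
        elif mnem == "popad":
            cpu.popad()
        elif mnem == "push":
            cpu.push(ops[0], mnem)
        elif mnem == "pop":
            cpu.regs[ops[0]] = cpu.pop(mnem)
        elif mnem == "mov_esp":            # mov reg, [esp+disp]
            reg, disp = ops
            addr = cpu.regs["esp"] + disp
            cpu._access(addr, 4, mnem)
            cpu.regs[reg] = cpu.mem.get(addr, 0)
        elif mnem == "jmp_oep":
            cpu.oep = ops[0]
            break
        else:
            raise ValueError(mnem)
    return cpu


# Constructed stub: the saved-register area is left alone until POPAD.
SIMPLE_STUB = [
    ("pushad",),
    ("push", 0x1111), ("push", 0x2222),    # protection code uses its own frames
    ("pop", "eax"), ("pop", "ecx"),
    ("popad",),
    ("jmp_oep", 0x00401000),               # constructed OEP
]

# Constructed stub that fools the trick: it reads saved EDI ([esp+4] after
# one push, i.e. the watched word) long before POPAD.
NOISY_STUB = [
    ("pushad",),
    ("push", 0x3333),
    ("mov_esp", "eax", 4),
    ("pop", "ecx"),
    ("popad",),
    ("jmp_oep", 0x00401000),
]


def first_hit(program):
    """Index of the instruction on which the watchpoint first fires, or None."""
    cpu = run(program)
    return cpu.hits[0][0] if cpu.hits else None


if __name__ == "__main__":
    for name, stub in (("simple", SIMPLE_STUB), ("noisy", NOISY_STUB)):
        cpu = run(stub)
        print(name, "hits:", cpu.hits, "OEP:", hex(cpu.oep))
```

For SIMPLE_STUB the only hit is on POPAD and the next instruction is the jump to the OEP, which is why pressing F9 once more lands at the application's entry. For NOISY_STUB the first hit is the early read, so the analyst has to keep pressing F9 and judge which hit is the real one, exactly the degradation doug points out.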
All times are GMT +8.