Exetools  

  #5  
Old 01-17-2018, 03:12
Stingered Stingered is offline
Banned User
 
Quote:
Originally Posted by mr.exodia View Post
From what I gathered the "Find OEP by section hop" (over/into) are equivalent to tracing over/into with the break condition: "mem.base(cip) != xxxxxxxx" where xxxxxxxx is the memory base of the current section (type mem.base(cip) in the calculator to find this value).
I believe this is the relevant section of code in Ollydump:

Code:
int FindOEPbySectionHop(int tracemode)
{
  int i;
  DWORD out0,out1,in0,in1,curEIP,curSectVA1,curSectVA2;
  t_reg reg;

  Deleteruntrace();
  TraceFlag = TRUE;
  // Clear Section Info buffer
  if(lpSectInfo) {
    FreeSectInfo();
  }

  // Get PE file header value
  GetPEInfo();
  curEIP = GetCurrentEIP();
  Addtolist(0,-1,"EP:%X  ImageBase:%X  SizeOfImage:%X  Current EIP:%X",PEFileInfo.dwAddrOfEP,PEFileInfo.dwImageBase,PEFileInfo.dwSizeOfImage,curEIP);

  // Search a section the Entry Point belongs
  out0 = out1 = 0;
  for(i=0; i<PEFileInfo.woNumOfSect; i++) {
//Addtolist(0,-1,"Sect%02d : %8X - %8X",i,lpSectInfo[i].dwVOffset,lpSectInfo[i].dwVOffset+lpSectInfo[i].dwVSize-1);
    curSectVA1 = lpSectInfo[i].dwVOffset + PEFileInfo.dwImageBase;
    curSectVA2 = curSectVA1 + lpSectInfo[i].dwVSize;
    if(curEIP >= curSectVA1 && curEIP < curSectVA2) {
      out0 = lpSectInfo[i].dwVOffset + PEFileInfo.dwImageBase;
      out1 = out0 + lpSectInfo[i].dwVSize - 1;
      break;
    }
  }
  if(out0 != 0 && out1 > out0) {
    Settracecondition(NULL,0,0,0,out0,out1);
    Addtolist(0,-1,"Current EIP(%08X) is in Section%02d  %08X - %08X",curEIP,i,curSectVA1,curSectVA2);
    Addtolist(0,-1,"Trace Condition set out0:%X  out1:%X",out0,out1);
  }
  else {
    in0 = lpSectInfo[0].dwVOffset + PEFileInfo.dwImageBase;
    in1 = lpSectInfo[PEFileInfo.woNumOfSect-1].dwVOffset + lpSectInfo[PEFileInfo.woNumOfSect-1].dwVSize + PEFileInfo.dwImageBase;
    Settracecondition(NULL,0,in0,in1,0,0);
    Addtolist(0,-1,"Current EIP(%08X) is out of Debuggee image",curEIP);
    Addtolist(0,-1,"Trace Condition set in0:%X  in1:%X",in0,in1);
  }
  Startruntrace(&reg);
  switch(tracemode) {
  case ODP_TRACE_INTO:
    Sendshortcut(PM_MAIN,0,WM_KEYDOWN,1,0,VK_F11); // Trace into
    break;
  case ODP_TRACE_OVER:
    Sendshortcut(PM_MAIN,0,WM_KEYDOWN,1,0,VK_F12); // Trace over
    break;
  }
  return TRUE;
}
The Following User Gave Reputation+1 to Stingered For This Useful Post:
mr.exodia (01-18-2018)
The Following User Says Thank You to Stingered For This Useful Post:
schrodyn (04-11-2018)
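The range selection discussed in the post above, as an added stand-alone example that is not part of the thread or of OllyDump's source: it picks the stop condition the same way (leave the current section, or enter the image when EIP starts outside it) and replays a constructed EIP trace against it. The type and function names, the section layout and the trace are assumptions made for illustration, and both range bounds are treated as inclusive here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical stand-ins for the plugin's section table and trace condition. */
typedef struct { uint32_t voffset, vsize; } section_t;
typedef enum { STOP_OUTSIDE_RANGE, STOP_INSIDE_RANGE } stop_mode_t;
typedef struct { stop_mode_t mode; uint32_t lo, hi; } trace_cond_t; /* lo..hi inclusive */

/* Mirror the quoted selection logic: if EIP lies in a section, stop on leaving
   it; otherwise stop on entering the span from first to last section. */
trace_cond_t pick_condition(uint32_t base, const section_t *s, size_t n, uint32_t eip)
{
    trace_cond_t c = { STOP_INSIDE_RANGE, 0, 0 };
    if (n == 0) return c;            /* empty table: range 0..0, matches only EIP 0 */
    for (size_t i = 0; i < n; i++) {
        uint32_t lo = base + s[i].voffset;
        if (s[i].vsize != 0 && eip >= lo && eip - lo < s[i].vsize) {
            c.mode = STOP_OUTSIDE_RANGE;
            c.lo = lo;
            c.hi = lo + s[i].vsize - 1;
            return c;
        }
    }
    c.lo = base + s[0].voffset;
    c.hi = base + s[n - 1].voffset + s[n - 1].vsize - 1;
    return c;
}

/* Index of the first traced EIP that satisfies the stop condition, or -1. */
int first_stop(trace_cond_t c, const uint32_t *eips, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        int inside = eips[i] >= c.lo && eips[i] <= c.hi;
        if (inside == (c.mode == STOP_INSIDE_RANGE)) return (int)i;
    }
    return -1;
}

/* Constructed layout: code section, data section, unpacking stub section. */
static const section_t SECTS[] = { {0x1000, 0x5000}, {0x6000, 0x2000}, {0x8000, 0x2000} };
/* Constructed trace: three steps in the stub, then a jump into the code section. */
static const uint32_t TRACE[] = { 0x408010, 0x408015, 0x4080A0, 0x401234, 0x401236 };
int main(void)
{
    trace_cond_t c = pick_condition(0x400000, SECTS, 3, TRACE[0]);
    int i = first_stop(c, TRACE, 5);
    printf("stop outside %08X-%08X at step %d (EIP %08X)\n",
           (unsigned)c.lo, (unsigned)c.hi, i, (unsigned)TRACE[i]);
    return 0;
}
```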
 
