#2
gabri3l:
You need to review R@dier's tut, found here: http://www.exetools.com/forum/showthread.php?t=3594

Now, if you look at the first graphic, you will find a section of code that looks remarkably like yours, except that it has an extra RETN where I indicate:

00A60019   3100              XOR DWORD PTR DS:[EAX],EAX
00A6001B   64:8F05 00000000  POP DWORD PTR FS:[0]
00A60022   58                POP EAX
00A60023   833D D839A600 00  CMP DWORD PTR DS:[A639D8],0
00A6002A   74 14             JE SHORT 00A60040
00A6002C   6A 0C             PUSH 0C
00A6002E   B9 D839A600       MOV ECX,0A639D8
00A60033   8D45 F8           LEA EAX,DWORD PTR SS:[EBP-8]
00A60036   BA 04000000       MOV EDX,4
00A6003B   E8 30C4FFFF       CALL 00A5C470
00A60040   FF75 FC           PUSH DWORD PTR SS:[EBP-4]
00A60043   FF75 F8           PUSH DWORD PTR SS:[EBP-8]
00A60046   8B45 F4           MOV EAX,DWORD PTR SS:[EBP-C]
00A60049   8338 00           CMP DWORD PTR DS:[EAX],0
00A6004C   74 02             JE SHORT 00A60050
00A6004E   FF30              PUSH DWORD PTR DS:[EAX]
00A60050   FF75 F0           PUSH DWORD PTR SS:[EBP-10]
00A60053   FF65 EC           JMP DWORD PTR SS:[EBP-14]   <--- THIS JUMP IS NOT ADDRESSED IN ANY TUTORIALS
ADDRESS                      RETN                        <-----------------------
00A60056   5F                POP EDI
00A60057   5E                POP ESI
00A60058   5B                POP EBX
00A60059   8BE5              MOV ESP,EBP
00A6005B   5D                POP EBP
00A6005C   C3                RETN

In R@dier's tut he says to mark the "last" RETN with F2, THEN hit Shift+F9 one more time, which takes you to the RETN. THEN you are supposed to go to the Memory window [you can click the "M" button at the top of Olly or ALT+M] and highlight the ".code" section of your target. Then Right Click and choose "Set Memory Breakpoint on Access." You then go back to the CPU window and hit CTRL+F11. You are now at the EIP, somewhere in the 00400000+ range. Here you should do a CTRL+A to "Analyse" code. To determine how many stolen bytes you may need, also follow the tut and look in the stack window. Sitting at the EIP [after your CTRL+F11] you should have something which looks like:

ADDRESS   $-FF25 18E36300   JMP DWORD PTR DS:[ADDRESS]

Now another R@dier reported trick (don't know who started this technique): Remove the analysis. "Right Click" in the CPU window, Analysis --> Remove Analysis. Now do Alt+K to bring up the STACK window. If you did not remove the Analysis, you will probably have no entries or only one entry. If you did remove the Analysis, you will probably have one entry or two. If you double click on the last address [or the only one if Analysis is removed], it will open the CPU window again at that location. This may be kind of tricky, because if it's at an odd address, and if you scroll up, the view shifts to an even address. [In OllyDBG you can move the display up or down, one bit at a time, by using CTRL + up or down arrow.] Generally your Stolen Bytes go right above this address, and you can count the number of total bytes which need to be placed there.

Now finding the Stolen Bytes can be accomplished by looking in the Trace Window: View --> Run Trace. If you set your Debugging Options in the TRACE tab to check "Log Commands" and "Show ESP," when you open the TRACE by going to Window --> Run Trace, the window will open. Next Right Click on the window --> Highlight Register --> EBP. Now if you scroll down to the bottom of the TRACE Window, you will see a lot of "REP STOS BYTE PTR ES:[EDI]" code which was used to erase the Stolen Bytes and other things. Now if you look above this section, you should have a red section in the command window. Keep looking up and you will eventually see a red highlighted EBP (generally around 600 or less) which is identical to ESP. Look into the Command Window side, opposite the ESP, which is immediately above the highlighted EBP. Here you may need some basic understanding of start-up code for various compilers, but in general, the Stolen Bytes you need are "limited" by the amount of "empty" space available above the ADDRESS you found in the bottom call in the STACK Window [look at the example in R@dier's tut if this isn't clear].

It would be a good idea to start a file of "Stolen Byte" sequences you see in the tuts and in your efforts and save them for use at this point, as described by R@dier. Now in figuring out what the Stolen Bytes might be, you must remember that [at the moment] the last "stolen" instruction seems to usually be:

MOV EAX, <target ADDRESS>

This ADDRESS is generally to be found in "either" the EAX or EBX register when the program first breaks in the EIP, after executing the proper number of SHIFT+F9's and the CTRL+F11 described in R@dier's tut. So, knowing that your "last" Stolen Byte group is probably:

MOV EAX, <the address shown in "either" EAX or EBX when you break at the EIP>

or B8 ADDRESS [and remember the address is reversed: if the ADDRESS is 0063516C, it would be written in as B8 6C516300]. So this sequence takes 5 BYTES of the available space. Since you did not identify your target, this is a general approach, not necessarily specific for the target you are working on, but it should be generally correct.

Regards,
__________________
JMI

Last edited by JMI; 04-28-2004 at 15:05.
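As an added example (not code from JMI, R@dier or the thread), the last step of the post, turning a candidate stolen-byte sequence into raw bytes and checking it against the empty space above the stack-window address, scripted so the little-endian encoding and the byte count are not done by hand. The small x86 encoder, the `fit_stolen_bytes` helper, the four-instruction prolog and the addresses 00401000/00401020 are my own assumptions and constructed values; only the MOV EAX,0063516C -> B8 6C 51 63 00 encoding comes from the post. Which compiler prolog actually belongs in your target still has to be read from the Run Trace as the post describes.

```python
"""Encode a candidate stolen-bytes sequence and check that it fits in the
empty space above the resume address, so it can be pasted into OllyDbg's
Binary -> Edit.

Hypothetical helper written for this page; not from the thread, R@dier's
tut or ASProtect. The prolog and addresses below are constructed."""
import struct

REG32 = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3,
         "esp": 4, "ebp": 5, "esi": 6, "edi": 7}


def encode(mnemonic, *ops):
    """Minimal 32-bit x86 encoder for the instructions that typically make up
    a stolen start-up prolog. Anything not covered raises instead of emitting
    garbage, which is the failure you want when hand-patching an entry point."""
    m = mnemonic.lower()
    if m == "push" and ops[0] in REG32:                  # 50+r
        return bytes([0x50 + REG32[ops[0]]])
    if m == "pop" and ops[0] in REG32:                   # 58+r
        return bytes([0x58 + REG32[ops[0]]])
    if m == "mov" and ops[0] in REG32 and ops[1] in REG32:
        # 8B /r with ModRM = 11 reg r/m  (MOV EBP,ESP -> 8B EC)
        return bytes([0x8B, 0xC0 | (REG32[ops[0]] << 3) | REG32[ops[1]]])
    if m == "mov" and ops[0] in REG32 and isinstance(ops[1], int):
        # B8+r imm32; the immediate is little-endian ("reversed"), which is
        # why MOV EAX,0063516C appears in the bytes as B8 6C 51 63 00
        return bytes([0xB8 + REG32[ops[0]]]) + struct.pack("<I", ops[1] & 0xFFFFFFFF)
    if m == "add" and ops[0] == "esp" and isinstance(ops[1], int):
        if -128 <= ops[1] <= 127:                        # 83 /0 ib
            return b"\x83\xc4" + struct.pack("<b", ops[1])
        return b"\x81\xc4" + struct.pack("<i", ops[1])   # 81 /0 id
    if m == "xor" and ops[0] in REG32 and ops[1] == ops[0]:
        r = REG32[ops[0]]                                # 33 /r  (XOR EAX,EAX -> 33 C0)
        return bytes([0x33, 0xC0 | (r << 3) | r])
    raise ValueError(f"no encoding for {mnemonic} {ops}")


def assemble(listing):
    return b"".join(encode(*ins) for ins in listing)


def olly_hex(code):
    """Space-separated hex, the form you type into Olly's binary editor."""
    return " ".join(f"{b:02X}" for b in code)


def fit_stolen_bytes(listing, empty_start, resume_addr):
    """empty_start: first address of the zeroed area you see when scrolling up
    from the stack-window address. resume_addr: that stack-window address,
    where the original code continues. Assumption: the stolen bytes sit
    directly above resume_addr and fall through into it, so the new entry
    point is resume_addr minus their length. Returns (new_entry, bytes)."""
    code = assemble(listing)
    available = resume_addr - empty_start
    if len(code) > available:
        raise ValueError(f"{len(code)} stolen bytes do not fit in "
                         f"{available} bytes of empty space")
    return resume_addr - len(code), code


def fits(listing, empty_start, resume_addr):
    try:
        fit_stolen_bytes(listing, empty_start, resume_addr)
        return True
    except ValueError:
        return False


# Constructed example: a plausible compiler prolog whose last instruction is
# the MOV EAX,<address> the post describes, using the post's own 0063516C.
STOLEN = [
    ("push", "ebp"),
    ("mov", "ebp", "esp"),
    ("add", "esp", -0x10),
    ("mov", "eax", 0x0063516C),
]

if __name__ == "__main__":
    # constructed addresses: 0x20 bytes of empty space above the resume point
    entry, code = fit_stolen_bytes(STOLEN, 0x00401000, 0x00401020)
    print(f"write at {entry:08X} and set it as the new entry point: {olly_hex(code)}")
```

Keeping a file of prolog candidates as the post suggests becomes a list of `STOLEN`-style listings; the encoder tells you in seconds whether a candidate is too long for the hole ASProtect left, which is the constraint the post says limits your choices.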