#4
Me again. I have tried with PEiD, which found Armadillo 1.xx - 2.xx, and Stud_PE, which found Armadillo 2.5x - 2.6x. Then I used OllyDbg 1.10 with HideDebugger to open Atrex32.exe v11.02 and dumped the child process with OllyDump. I now get all the code at 00401000, but the OEP still points to 009916E3.
```
009916E3 >/$ 55             PUSH EBP
009916E4 |. 8BEC            MOV EBP,ESP
009916E6 |. 6A FF           PUSH -1
009916E8 |. 68 20BB9B00     PUSH dumped.009BBB20
009916ED |. 68 20149900     PUSH dumped.00991420                        ; SE handler installation
009916F2 |. 64:A1 00000000  MOV EAX,DWORD PTR FS:[0]
009916F8 |. 50              PUSH EAX
009916F9 |. 64:8925 000000> MOV DWORD PTR FS:[0],ESP
00991700 |. 83EC 58         SUB ESP,58
00991703 |. 53              PUSH EBX
00991704 |. 56              PUSH ESI
00991705 |. 57              PUSH EDI
00991706 |. 8965 E8         MOV DWORD PTR SS:[EBP-18],ESP
00991709 |. FF15 88619B00   CALL DWORD PTR DS:[<&KERNEL32.GetVersion>   ; kernel32.GetVersion
0099170F |. 33D2            XOR EDX,EDX
00991711 |. 8AD4            MOV DL,AH
00991713 |. 8915 A4D19B00   MOV DWORD PTR DS:[9BD1A4],EDX
00991719 |. 8BC8            MOV ECX,EAX
0099171B |. 81E1 FF000000   AND ECX,0FF
00991721 |. 890D A0D19B00   MOV DWORD PTR DS:[9BD1A0],ECX
00991727 |. C1E1 08         SHL ECX,8
0099172A |. 03CA            ADD ECX,EDX
0099172C |. 890D 9CD19B00   MOV DWORD PTR DS:[9BD19C],ECX
00991732 |. C1E8 10         SHR EAX,10
00991735 |. A3 98D19B00     MOV DWORD PTR DS:[9BD198],EAX
0099173A |. 33F6            XOR ESI,ESI
0099173C |. 56              PUSH ESI
0099173D |. E8 78160000     CALL dumped.00992DBA
00991742 |. 59              POP ECX
00991743 |. 85C0            TEST EAX,EAX
00991745 |. 75 08           JNZ SHORT dumped.0099174F
00991747 |. 6A 1C           PUSH 1C
00991749 |. E8 B0000000     CALL dumped.009917FE
0099174E |. 59              POP ECX
0099174F |> 8975 FC         MOV DWORD PTR SS:[EBP-4],ESI
00991752 |. E8 43130000     CALL dumped.00992A9A
00991757 |. FF15 8C609B00   CALL DWORD PTR DS:[<&KERNEL32.GetCommand>   ; [GetCommandLineA
0099175D |. A3 A4E79B00     MOV DWORD PTR DS:[9BE7A4],EAX
00991762 |. E8 01120000     CALL dumped.00992968
00991767 |. A3 F8D19B00     MOV DWORD PTR DS:[9BD1F8],EAX
0099176C |. E8 AA0F0000     CALL dumped.0099271B
00991771 |. E8 EC0E0000     CALL dumped.00992662
00991776 |. E8 2DFAFFFF     CALL dumped.009911A8
0099177B |. 8975 D0         MOV DWORD PTR SS:[EBP-30],ESI
0099177E |. 8D45 A4         LEA EAX,DWORD PTR SS:[EBP-5C]
00991781 |. 50              PUSH EAX                                    ; /pStartupinfo
00991782 |. FF15 90609B00   CALL DWORD PTR DS:[<&KERNEL32.GetStartup>   ; \GetStartupInfoA
00991788 |. E8 7D0E0000     CALL dumped.0099260A
0099178D |. 8945 9C         MOV DWORD PTR SS:[EBP-64],EAX
00991790 |. F645 D0 01      TEST BYTE PTR SS:[EBP-30],1
00991794 |. 74 06           JE SHORT dumped.0099179C
00991796 |. 0FB745 D4       MOVZX EAX,WORD PTR SS:[EBP-2C]
0099179A |. EB 03           JMP SHORT dumped.0099179F
0099179C |> 6A 0A           PUSH 0A
0099179E |. 58              POP EAX
0099179F |> 50              PUSH EAX                                    ; /Arg4
009917A0 |. FF75 9C         PUSH DWORD PTR SS:[EBP-64]                  ; |Arg3
009917A3 |. 56              PUSH ESI                                    ; |Arg2
009917A4 |. 56              PUSH ESI                                    ; |/pModule
009917A5 |. FF15 4C609B00   CALL DWORD PTR DS:[<&KERNEL32.GetModuleH>   ; |\GetModuleHandleA
009917AB |. 50              PUSH EAX                                    ; |Arg1
009917AC |. E8 7FC7FEFF     CALL dumped.0097DF30                        ; \dumped.0097DF30
009917B1 |. 8945 A0         MOV DWORD PTR SS:[EBP-60],EAX
009917B4 |. 50              PUSH EAX
009917B5 |. E8 1BFAFFFF     CALL dumped.009911D5
009917BA |. 8B45 EC         MOV EAX,DWORD PTR SS:[EBP-14]
009917BD |. 8B08            MOV ECX,DWORD PTR DS:[EAX]
009917BF |. 8B09            MOV ECX,DWORD PTR DS:[ECX]
009917C1 |. 894D 98         MOV DWORD PTR SS:[EBP-68],ECX
009917C4 |. 50              PUSH EAX
009917C5 |. 51              PUSH ECX
009917C6 |. E8 BB0C0000     CALL dumped.00992486
009917CB |. 59              POP ECX
009917CC |. 59              POP ECX
009917CD \. C3              RETN
```

The Register Dialog is somewhere inside .CODE at 00439E00 .... I can't find the real OEP and can't trace the Register Dialog running. Help me please.
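Added example, not code from the post or from any Armadillo/OllyDbg tooling: when checking a dump like the one above, an analyst first maps the PE entry point to the section that contains it and then tests whether the bytes there match the MSVC CRT startup prologue (PUSH EBP / MOV EBP,ESP / PUSH -1 / PUSH imm32 / PUSH imm32 / MOV EAX,FS:[0]) that the listing shows. The script below does both with only the standard library; the PE image it analyses is constructed inline, and its second section name ".text1" and all sizes are assumptions, not values from Atrex32.

```python
import struct

# MSVC CRT startup prologue seen at the dumped entry point (PUSH EBP; MOV EBP,ESP;
# PUSH -1; PUSH imm32; PUSH imm32; MOV EAX,FS:[0]); None is a wildcard byte.
CRT_PROLOGUE = [0x55, 0x8B, 0xEC, 0x6A, 0xFF, 0x68, None, None, None, None,
                0x68, None, None, None, None, 0x64, 0xA1, 0x00, 0x00, 0x00, 0x00]

def parse_pe32(data):
    """Return (image_base, entry_rva, [(name, va, vsize, raw_ptr, raw_size), ...]); PE32 only."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)  # COFF header
    opt = e_lfanew + 24                                              # optional header start
    entry_rva, _, _, image_base = struct.unpack_from("<IIII", data, opt + 16)  # AddressOfEntryPoint..ImageBase
    sections = []
    for i in range(nsec):                                            # 40-byte IMAGE_SECTION_HEADERs
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rawptr, rawsize))
    return image_base, entry_rva, sections

def entry_point_info(data):
    """Map the entry point to (entry_va, section_name, file_offset); None when outside every section."""
    image_base, entry_rva, sections = parse_pe32(data)
    for name, va, vsize, rawptr, rawsize in sections:
        if va <= entry_rva < va + max(vsize, rawsize):
            delta = entry_rva - va
            return image_base + entry_rva, name, (rawptr + delta if delta < rawsize else None)
    return image_base + entry_rva, None, None

def looks_like_crt_startup(data, file_offset):
    if file_offset is None or file_offset + len(CRT_PROLOGUE) > len(data):
        return False
    return all(b is None or data[file_offset + i] == b for i, b in enumerate(CRT_PROLOGUE))

def build_sample_pe():
    """Constructed two-section PE32 (not a real Atrex32 dump): code at VA 0x401000, entry at 0x9916E3."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)   # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)                # i386, 2 sections
    opt = bytearray(0xE0); struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, 0x5916E3); struct.pack_into("<I", opt, 28, 0x400000)
    def sec(name, va, vsize, rawptr, rawsize):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
    hdr = dos + b"PE\0\0" + coff + opt + sec(b".text", 0x1000, 0x100000, 0x200, 0x200) \
          + sec(b".text1", 0x591000, 0x1000, 0x400, 0x800)       # ".text1" is a made-up name
    img = bytearray(hdr) + bytes(0xC00 - len(hdr))
    # Entry-point bytes from the post: 55 8BEC 6AFF 68 20BB9B00 68 20149900 64:A1 00000000
    img[0xAE3:0xAE3 + 21] = bytes.fromhex("558BEC6AFF6820BB9B00682014990064A100000000")
    return bytes(img)
```

For the constructed image, `entry_point_info` reports the entry VA 0x9916E3 inside the second section rather than the 0x401000 code section, and `looks_like_crt_startup` confirms the prologue match at its file offset.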