Log in

View Full Version : Different Entry Points - IDA and Olly 2.01


live_dont_exist
April 4th, 2012, 08:26
Hi All,
I was reversing a piece of malware keeping in mind the tips in the previous thread ("http://www.woodmann.com/forum/showthread.php?14500-Static-Disassembly-Best-way-forward&p=92152#post92152") I started and have come a long way thanks to that.

While reversing however I came upon an interesting thing. The Entry Point of the program seemed to be differently detected in Olly 2.01 and IDA Pro. Olly was configured to stop on WinMain if it was known but it seemed to stop at a point much before IDA did.

So I'm saying... Olly stopped at 404EDD while IDA stopped at 403D50. Now the interesting thing was, if I started at the Entry Point detected by Olly and worked my way forward from there, I eventually arrive at 403D50 [The IDA entry point] and then everything is similar. Also, all that code till 403D50 did not seem to be too important from a "malware behavior" perspective.

So it seems that there is some intelligence built into IDA which is detecting known assembly code and not "showing" it to the user directly, giving him a better point to start analyzing from.

Could someone confirm this behaviour please? What is correct and why?

Thanks
Arvind

Aimless
April 4th, 2012, 10:34
One is "START"

Other is "WINMAIN"

Your turn to figure out which is which.

Have Phun

live_dont_exist
April 4th, 2012, 12:07
Ha Ha thanks a lot basically telling me to RTFM

I'll try and read more and all that. But I always thought both tools should stop at Entry Point? That's what all the PE header documentation says too..rt? Code starting from entry point? So why did IDA ignore all that and go to WinMain?

I remember one field called 'Start of Code' too. But I am not sure that is relevant here

Arvind

bilbo
April 4th, 2012, 16:01
Quote:
So it seems that there is some intelligence built into IDA which is detecting known assembly code and not "showing" it to the user directly, giving him a better point to start analyzing from.

Correct!
Go to last line of IDA disassembly ("end start": that's the true entry point. Click on it and you will be teletransported to its address: that must be the same as Olly entry point.

Best regards, bilbo

live_dont_exist
April 5th, 2012, 00:46
Yes that's correct Bilbo ..there is a start and exit in IDA which takes me to those places.

However, the question is...in future analysis can I just look at IDA and simply start where it tells me to? So for example I wasted 1 or 2 hours looking at the code from the real entry point to WinMain in Olly on this malware sample.

Thanks
Arvind

Aimless
April 5th, 2012, 03:41
And, of course, I am assuming you are aware that an app can also have multiple entry points, right?

Have Phun

live_dont_exist
April 5th, 2012, 08:01
Ooops aimless...no not at all... I was always under the impression that an app has 1 entry point only. Packed yes and hidden and you have to find the "real" entry point and then use plugins to dump the "real" executable...but no...I didn't know anything else.

A quick Google search gives lots of terrible unrelated results... .. will dig more... If there is a good read though you have in mind do drop it in here.

Thnx
Arvind

Aimless
April 5th, 2012, 09:19
You can "begin" your "journey" using the following links:

http://service1.symantec.com/legal/publishedpatents.nsf/0/FCF9F85991044261882570410057EF6C/$FILE/United%20States%20Patent%206,851,057.htm

AND

http://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&ved=0CDcQFjAC&url=http%3A%2F%2Fimpact.crhc.illinois.edu%2Fftp%2Freport%2Fms-thesis-michael-thiems.pdf&ei=Uah9T9uzLMblrAeTlsD2DA&usg=AFQjCNEB_3NwKmEkQoiwaK3fuvhMGml0Mw&sig2=MLhAm1dNXTqhghznpnPzSg

ALSO

Download ThinApp461_manual.pdf for a definition of how multiple entry points can be implemented. Note that this is just "one" of the ways in which it can be implemented.

And so many more....

Have Phun

live_dont_exist
April 5th, 2012, 09:21
Awesome thanks. I will go through all of these in time. You guys rock