Log in

View Full Version : figuring out new eip


jomamameister
January 22nd, 2002, 17:54
hello all,
would like to get some feedback in trying to figure out the new eip of a packed program. it's obvious you can get it if you manually trace. we also know that unpackers do this themselves. i would appreciate anyone sharing this info. where do we start? can we do this without really unpacking the prog, or can we do it after a dump that we did not manually follow while looking for the eip. obviously, the packer is following some algorithm or set of algorithms to do this whenever it reaches its time to load the new eip so the old prog can load and run. thanks for any input. packing and unpacking is a fascinating area of learning right now and as i've said before, i believe we need to become familiar with these tricks.
thanks,
jomamameister

blackos
January 23rd, 2002, 05:55
hello !

Answering your question is, of course, too long to be done here, but, in fact, there is some little tricks.

packed programs must jump to the real entry point of the application once it's totally unpacked.

There is many ways to do such thing, for example, if you need to jump to offset XXXXXXXX, you can try :

jmp XXXXXXXX

or

XOR EAX, EAX
TEST AL, AL
JZ xxxxxxxx

or

mov EBX, XXXXXXXX
JMP [EBX]

or

PUSH XXXXXXXX
RET

...

as you see, we cannot try to find an EXACT way to process this jump, so we have to trace the program until it does it.


Nethertheless, many application begin like this

PUSH EBP
MOV EBP, ESP
.
.
.
CALL GETVERSION

So, if you put a breakpoint on GETVERSION API, you'll probably land in an 'interresting' area which can be the real beginning of the unpacked file.

bye.

blak.

jomamameister
January 23rd, 2002, 09:23
thanks for the assist blackos.
j