
View Full Version : Finding OEP manually on win2k


crUsAdEr
February 6th, 2002, 00:02
Spl/\j,

You've been mentioning your method of setting an interrupt breakpoint to find the OEP of ASProtect programs.. could you enlighten me please, because BPM [address of pushad, jmp eax] does not stick at all....

Yeah, Tsep's tracer works great... even faster than IceDump :>.. thanks Tsep.... but somehow I feel the nag to know how to do it manually...

Solomon
February 6th, 2002, 01:59
I often use "BPX ntdll!NtContinue" to find the OEP of ASProtected progs. Quite fast. Alex uses SEH to hide the OEP, so we can use SEH to locate the OEP.

Once this breakpoint is hit, just press F8 to trace into INT 2Eh. Try to find the IRETD instruction inside NtContinue(). Clear all breakpoints and set a BPX at this instruction.
Code:

001B:80464BE5 MOV FS:[00000000],EDX
001B:80464BEC MOV ECX,[ESP+48]
001B:80464BF0 MOV ESI,FS:[00000124]
001B:80464BF7 MOV [ESI+00000134],CL
001B:80464BFD TEST EBX,0000000F
001B:80464C03 JNZ 80464C52
001B:80464C05 TEST DWORD PTR [ESP+70],00020000
001B:80464C0D JNZ 80464CBA
001B:80464C13 TEST WORD PTR [ESP+6C],FFF8
001B:80464C1A JZ 80464CC5
001B:80464C20 MOV EAX,[ESP+44]
001B:80464C24 MOV EDX,[EBP+3C]
001B:80464C27 MOV ECX,[EBP+40]
001B:80464C2A CMP WORD PTR [EBP+6C],08
001B:80464C2F JZ 80464C3D
001B:80464C31 LEA ESP,[EBP+30]
001B:80464C34 POP GS
001B:80464C36 POP ES
001B:80464C37 POP DS
001B:80464C38 LEA ESP,[EBP+50]
001B:80464C3B POP FS
001B:80464C3D LEA ESP,[EBP+54]
001B:80464C40 POP EDI
001B:80464C41 POP ESI
001B:80464C42 POP EBX
001B:80464C43 POP EBP
001B:80464C44 CMP WORD PTR [ESP+08],0080
001B:80464C4B JA 80464C96
001B:80464C4D ADD ESP,04
001B:80464C50 IRETD <-------------set a BPX here

Then keep pressing F5 (20 times or so; you know Alex uses many SEHs). Every time SoftICE pops up at this instruction, just press F8 to return to ASPR. If you see a JMP [EBP-14] below, you are close to the OEP (sure, you have to bypass several self-decrypt loops to reach the OEP after this).
Code:

001B:00E400E1 XOR [EAX],EAX <------- famous for raising exception
001B:00E400E3 POP DWORD PTR FS:[00000000] <-------we land here right after IRETD(NtContinue)
001B:00E400EA POP EAX
001B:00E400EB CMP DWORD PTR [00E439DC],00
001B:00E400F2 JZ 00E40108
001B:00E400F4 PUSH 0C
001B:00E400F6 MOV ECX,00E439DC
001B:00E400FB LEA EAX,[EBP-08]
001B:00E400FE MOV EDX,00000004
001B:00E40103 CALL 00E3C49C
001B:00E40108 PUSH DWORD PTR [EBP-04]
001B:00E4010B PUSH DWORD PTR [EBP-08]
001B:00E4010E MOV EAX,[EBP-0C]
001B:00E40111 CMP DWORD PTR [EAX],00
001B:00E40114 JZ 00E40118
001B:00E40116 PUSH DWORD PTR [EAX]
001B:00E40118 PUSH DWORD PTR [EBP-10]
001B:00E4011B JMP [EBP-14] <--------- see this?
001B:00E4011E POP EDI
001B:00E4011F POP ESI
001B:00E40120 POP EBX
001B:00E40121 MOV ESP,EBP
001B:00E40123 POP EBP
001B:00E40124 RET


I think the good breakpoints to defeat SEH are KiUserExceptionDispatcher/NtContinue/NtRaiseException.

Alex may change it to give us more fun if he reads this
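
An added example, not from this thread and not Alex's or Solomon's code: the same control-transfer trick in C on Linux, where a SIGSEGV handler and ucontext_t stand in for the SEH handler and CONTEXT, and the kernel's rt_sigreturn stands in for NtContinue's IRETD. The fault is deliberate (the role of XOR [EAX],EAX with EAX = 0), the handler rewrites the saved program counter, and execution resumes at an entry point that nothing in the program ever calls directly, which is exactly why a breakpoint on the context restore catches it. Names such as hidden_entry, redirect_handler and run_hidden_entry_demo are my own; it assumes x86-64 or AArch64 Linux with glibc.

```c
/* Added example, not from the thread: the SEH control-transfer trick the post
 * describes, reproduced with POSIX signals on Linux.  Roles:
 *   SEH handler patching CONTEXT.Eip  ->  SIGSEGV handler patching ucontext_t
 *   NtContinue's IRETD                ->  the kernel's rt_sigreturn
 *   XOR [EAX],EAX with EAX = 0        ->  a deliberate access through address 0
 * Assumes x86-64 or AArch64 Linux with glibc.  All names are my own. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>

#if defined(__x86_64__)
/* glibc's gregs[] indices for x86-64, in case REG_* enums were not exposed. */
#ifndef REG_RSP
#define REG_RSP 15
#endif
#ifndef REG_RIP
#define REG_RIP 16
#endif
#endif

static sigjmp_buf back_to_caller;
static volatile int hidden_entry_reached = 0;
static volatile int faults_redirected = 0;

/* Kept in a volatile global so the compiler cannot see that it is 0 and
 * replace the access with a trap instruction instead of a real page fault. */
static volatile uintptr_t fault_address = 0;

/* The "real" entry point.  Nothing in this file calls it; control only gets
 * here because the handler rewrote the saved program counter.  It never
 * returns normally (the stack under it belongs to the faulting frame), so it
 * leaves through siglongjmp, the way a packer's OEP runs on to process exit. */
static __attribute__((noreturn)) void hidden_entry(void)
{
    hidden_entry_reached = 1;
    siglongjmp(back_to_caller, 1);
}

/* The analog of ASProtect's SEH handler: it does not fix the fault, it
 * changes where the kernel's context restore will resume. */
static void redirect_handler(int sig, siginfo_t *info, void *ctx)
{
    ucontext_t *uc = (ucontext_t *)ctx;
    (void)sig;
    (void)info;
    faults_redirected++;
#if defined(__x86_64__)
    /* Re-align the stack as if hidden_entry had been CALLed: 16-byte aligned,
     * then one slot for a (never used) return address. */
    uc->uc_mcontext.gregs[REG_RSP] =
        (greg_t)((uc->uc_mcontext.gregs[REG_RSP] & ~(greg_t)15) - 8);
    uc->uc_mcontext.gregs[REG_RIP] = (greg_t)(uintptr_t)hidden_entry;
#elif defined(__aarch64__)
    uc->uc_mcontext.sp &= ~(unsigned long long)15;
    uc->uc_mcontext.pc = (unsigned long long)(uintptr_t)hidden_entry;
#else
#error "add the program counter and stack pointer slots for this architecture"
#endif
}

/* The deliberate fault.  The original has XOR [EAX],EAX with EAX = 0; here
 * the read-modify-write goes through whatever fault_address holds (0). */
static void deliberate_fault(void)
{
    volatile int *p = (volatile int *)fault_address;
    *p ^= 0;                 /* SIGSEGV here; never resumes on this path */
}

/* Returns 1 when execution was diverted to hidden_entry via the handler,
 * 0 if the fault path was never taken, -1 if the handler could not be set. */
int run_hidden_entry_demo(void)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = redirect_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, &old) != 0)
        return -1;

    hidden_entry_reached = 0;
    if (sigsetjmp(back_to_caller, 1) == 0)
        deliberate_fault();  /* comes back only via hidden_entry's siglongjmp */

    sigaction(SIGSEGV, &old, NULL);
    return hidden_entry_reached;
}

/* How many faults the handler has redirected so far. */
int faults_seen(void)
{
    return faults_redirected;
}

int main(void)
{
    printf("hidden entry reached: %d (faults redirected: %d)\n",
           run_hidden_entry_demo(), faults_seen());
    return 0;
}
```

The gdb equivalent of the BPX on IRETD is `catch syscall rt_sigreturn`: gdb stops on the call and again when it reports the syscall returning, and a `stepi` at that point lands on the patched program counter, the way F8 after the IRETD drops you back into ASPR.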

crUsAdEr
February 6th, 2002, 04:57
Thanks Solomon.. shall try that ASAP :>


Yep.. it works like wonder....

I could even BPX and BPM on the "popad" instruction and watch it decrypt itself :>... thanks a lot