emulder
March 23rd, 2001, 11:01
Hi!
I'm quite new to unpacking and this stuff.
I've got a question about unpacking an ASProtected program,
esp. finding the right Entry Point (OEP).
So let me tell you what I did so far:
1) set a bpx getprocaddress and started the program
2) when SI pops and the program's code appears, I did bc*
3) I looked at the sections with the map32-command and guessed
that the section with the biggest Virtual size must be the code
section, where the OEP sits. So I used icedumps /tracex command
with low eip=start of code section and high eip=end of code section.
4) I let the program run and when it breaks the second time, I traced
a bit down until there's a jump which leads to this code:
0167:004B56C8 55 PUSH EBP
0167:004B56C9 8BEC MOV EBP,ESP
0167:004B56CB 83C4F4 ADD ESP,-0C
0167:004B56CE 53 PUSH EBX
0167:004B56CF 56 PUSH ESI
0167:004B56D0 57 PUSH EDI
0167:004B56D1 8B7508 MOV ESI,[EBP+08]
0167:004B56D4 8B4610 MOV EAX,[ESI+10]
0167:004B56D7 83E001 AND EAX,01
0167:004B56DA A3E4114C00 MOV [004C11E4],EAX
0167:004B56DF E8ACD1FFFF CALL 004B2890
0167:004B56E4 8B5620 MOV EDX,[ESI+20] <crash
0167:004B56E7 52 PUSH EDX
0167:004B56E8 8B4E1C MOV ECX,[ESI+1C]
....
5) Now I thought that 4b56c8 must be the OEP; I used the "jmp eip",
switched to Procdump and dumped the process to disk.
6) I used Revirgin to get the IT.bin and pasted it into the dump.exe using
SV's tool, corrected the values for Entry Point and IT RVA and length.
7) But now when I start the dump.exe the program crashes at the marked
line (esi==0).
Well, my question is how can I find the OEP?
And am I on the right way, as I described it?
And one more stoopid question: What's the difference between IT and IAT?
I hope there's someone out there who feels like helping me and answering my
newbie questions...
regards
e.
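An added example (not code from the post) on the IT/IAT question, in Python: the Import Table is the array of IMAGE_IMPORT_DESCRIPTORs that the PE data directory points at, while the IAT is the FirstThunk array each descriptor names, which the loader overwrites with function addresses. The image layout, the RVAs and the resolver below are constructed for the example.

```python
import struct

def put(img, off, data):
    img[off:off + len(data)] = data  # fixed-length write, never resizes the buffer

def build_image():
    """Constructed image: descriptor at RVA 0x100, INT 0x200, IAT 0x300, names 0x400."""
    img = bytearray(0x500)
    put(img, 0x400, b"KERNEL32.dll\0")
    put(img, 0x410, b"\0\0GetProcAddress\0")  # 2-byte hint, then the name
    put(img, 0x430, b"\0\0LoadLibraryA\0")
    struct.pack_into("<III", img, 0x200, 0x410, 0x430, 0)  # INT (OriginalFirstThunk)
    struct.pack_into("<III", img, 0x300, 0x410, 0x430, 0)  # IAT (FirstThunk), same on disk
    # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    struct.pack_into("<IIIII", img, 0x100, 0x200, 0, 0, 0x400, 0x300)
    return bytes(img)  # the all-zero descriptor at 0x114 terminates the table

def cstr(img, rva):
    return img[rva:img.index(b"\0", rva)].decode("ascii")

def parse_imports(img, import_dir_rva):
    """Walk the Import Table (data directory entry 1): [(dll, [names], iat_rva)]."""
    result, off = [], import_dir_rva
    while True:
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", img, off)
        if name_rva == 0 and ft == 0:
            break
        names, thunk = [], (oft or ft)  # some linkers leave OriginalFirstThunk empty
        while True:
            entry = struct.unpack_from("<I", img, thunk)[0]
            if entry == 0:
                break
            if entry & 0x80000000:  # import by ordinal
                names.append("ordinal#%d" % (entry & 0xFFFF))
            else:
                names.append(cstr(img, entry + 2))  # skip the 2-byte hint
            thunk += 4
        result.append((cstr(img, name_rva), names, ft))
        off += 20
    return result

def simulate_loader(img, import_dir_rva, resolver):
    """Do what the loader does at run time: overwrite each IAT slot with an address."""
    img = bytearray(img)
    for dll, names, iat_rva in parse_imports(img, import_dir_rva):
        for i, fn in enumerate(names):
            struct.pack_into("<I", img, iat_rva + 4 * i, resolver(dll, fn))
    return bytes(img)
```

That overwrite is why a dump taken after the loader has run no longer has name RVAs in its IAT, and the import table has to be rebuilt before the dump will run.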