Manko
February 13th, 2003, 20:10
Since someone asked, though it disappeared...
Exestealth 2.6 - Not so good protector...

558BEC578B45108BB8C4000000FF3733FF648F078380C400000088BB8A4000000C1C70789B8B8000000B8000000005FC9C3
Code:
55 push ebp
8B EC mov ebp, esp
57 push edi
8B 45 10 mov eax, [ebp+10h]
8B B8 C4 00 00 00 mov edi, [eax+0C4h]
FF 37 push dword ptr [edi]
33 FF xor edi, edi
64 8F 07 pop dword ptr fs:[edi]
83 80 C4 00 00 00 08 add dword ptr [eax+0C4h], 8
8B B8 A4 00 00 00 mov edi, [eax+0A4h]
C1 C7 07 rol edi, 7
89 B8 B8 00 00 00 mov [eax+0B8h], edi <<==--- !!! NOW OEP is in edi. !!!
B8 00 00 00 00 mov eax, 0
5F pop edi
C9 leave
C3 retn
This proc will reveal OEP in exestealth...

Take out a signature and search with winhex when proggy is running.
Note down the address, rerun the program and break on this address to get OEP!
When dumping with procdump, don't forget: right-click, correct imagesize!
When rebuilding the IAT, put in the OEP, search and get imports, click show invalid and right-click + trace level 1. All good!
How did I find the proc?
Pack an app whose OEP you know. Break on OEP. Walk the stack backwards, looking really carefully as some things are not simply return addresses, making new breakpoints as you go along, and reach this proc. Trace it down to mov [eax+0B8h], edi and say eureka!

You SHOULD practice this!

Remember, I have hidden my SoftICE... You need to do that too! (Don't really know that since I haven't tried without it.) Info about that can be found elsewhere on fraviaMB if you search! Ask how, if you can't manage it...

Also, let's hope the author will now improve it.

/Manko
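As an added example (my own code, not from Manko's post or from Exestealth), here is a Python script that searches a memory image for the handler signature quoted above and simulates the register edits the handler makes. It relies on the fact that offsets 0A4h, 0B8h and 0C4h are the Ebx, Eip and Esp fields of the x86 CONTEXT record an SEH handler receives at [ebp+10h], so the new Eip is rol(Ebx, 7); the image, base address and register values are constructed.

```python
import struct
from typing import Optional

# The 50-byte handler signature quoted in the post
SIGNATURE = bytes.fromhex(
    "558BEC578B45108BB8C4000000FF3733FF648F078380C40000"
    "00088BB8A4000000C1C70789B8B8000000B8000000005FC9C3"
)
# x86 CONTEXT field offsets the handler touches: Ebx, Eip, Esp (and record size)
CTX_EBX, CTX_EIP, CTX_ESP, CTX_SIZE = 0xA4, 0xB8, 0xC4, 0xCC


def rol32(value: int, count: int) -> int:
    """32-bit rotate left (the `rol edi, 7` in the listing)."""
    count %= 32
    value &= 0xFFFFFFFF
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def find_handler(image: bytes, base: int = 0) -> Optional[int]:
    """Address of the first signature hit in `image` mapped at `base`, or None."""
    off = image.find(SIGNATURE)
    return None if off < 0 else base + off


def simulate_handler(context: bytes) -> dict:
    """Register edits the handler makes: Eip = rol(Ebx, 7), Esp += 8.

    The fs:[0] unlink of the SEH frame is a stack side effect, not modelled.
    """
    if len(context) < CTX_SIZE:
        raise ValueError("CONTEXT record too short")
    ebx, = struct.unpack_from("<I", context, CTX_EBX)
    esp, = struct.unpack_from("<I", context, CTX_ESP)
    return {"eip": rol32(ebx, 7), "esp": (esp + 8) & 0xFFFFFFFF}


def make_context(ebx: int, esp: int) -> bytes:
    """Constructed CONTEXT record with only the fields the handler reads set."""
    ctx = bytearray(CTX_SIZE)
    struct.pack_into("<I", ctx, CTX_EBX, ebx)
    struct.pack_into("<I", ctx, CTX_ESP, esp)
    return bytes(ctx)


if __name__ == "__main__":
    # Constructed image: filler around the signature, pretend it is mapped at 0x400000
    image = b"\x90" * 0x210 + SIGNATURE + b"\xCC" * 64
    print(hex(find_handler(image, base=0x400000)))   # 0x400210
    # Ebx chosen so that rol32(Ebx, 7) yields a plausible OEP of 0x401000
    regs = simulate_handler(make_context(ebx=0x8020, esp=0x0012FF80))
    print({k: hex(v) for k, v in regs.items()})      # eip 0x401000, esp 0x12ff88
```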