
IceDump : Tracex Pb


SV
January 18th, 2001, 08:06
Hi owl

I have a little problem with the tracex command on a proggy, textdropper (lo Hz).

Page : h**p://www.powerup.com.au/~marver/home2000/22/textdropper.htm
Download : h**p://www.powerup.com.au/~marver/dl/textdrop103.exe

It's packed/protected, and I have used tracex to find the EOP.
(How nice this command is!)
Then /tracex 401000 463000 (first section).
SoftICE breaks on 401aa0: seems not to be the EOP.

EAX=00490078 EBX=00000020 ECX=81634E98 EDX=00490000 ESI=006BF9D4
EDI=00000017 EBP=006BF994 ESP=006BF988 EIP=00401AA0 o d I s z a p c
CS=015F DS=0167 SS=0167 ES=0167 FS=44DF GS=3ECE DS:00465488=00000000
--------------------------------------------------byte--------------PROT---(0)--
015F:00401A9B E8DCF8FFFF CALL KERNEL32!GlobalAlloc
015F:00401AA0 A388544600 MOV [00465488],EAX <---------- Here
015F:00401AA5 833D8854460000 CMP DWORD PTR [00465488],00
------------------------------------TEXTDROPPER!CODE+0A9B-----------------------
ICEDUMP: LOG: CS:EIP: 015F:BFF7B4CE, SS:ESP: 0167:006BF97C, R0TCB: CA5091C0
ICEDUMP: LOG: instruction count: 00000000:01C2CB2A, R0TCB: CA5091C0

Then I traced manually and found the EOP with the old method;
the right EOP is 462bdc.
To verify, I put 2 bpms on execute (401aa0 & 462bdc).
Ice breaks on 462bdc first.
Versions are:
icedump v6.0.2.1 for winice v4.05 build 334 on Win98.
I have the same problem on 2 different systems.

I would like to know your sentiment.

Regards
SV

G-RoM
January 18th, 2001, 08:43
I'd not call this a problem... you know, with some layers you have to execute TRACEX several times (i.e. VBOX). I am about to check, but well...

Anyway 6.0.22 will come soon (poor Owl... so much stuff to do).

Cheers,
G-RoM

SV
January 18th, 2001, 10:41
Hi G-Rom

I have already experimented with layers with ASProtect and I know this kind of problem.
But here, when I put only 2 bpms on execute, it breaks first on the real EOP and afterwards on the 'tracex location'!

Regards

SV

Kayaker
January 18th, 2001, 15:19
Hi SV,

I used Icedump 6.020 on Win95 and didn't have any problems. I traced the 'old-fashioned' way and confirmed there was a JMP EAX at 482096. Then I used /tracex 401000 463000 and after a time got:


ICEDUMP: LOG: CS:EIP: 0137:00482096, SS:ESP: 013F:006BFE3C, R0TCB: C4620E24
ICEDUMP: LOG: instruction count: 00000000:01E20F34, R0TCB: C4620E24

EAX=00462BDC EBX=0048211B ECX=00000000 EDX=0046820E ESI=815E1D40
EDI=815DF4BC EBP=006BFF78 ESP=006BFE3C EIP=00462BDC

Maybe v6.020 instead of 6.021 might work better?

http://ghiribizzo.virtualave.net/icedump/id6020.zip

Regards,

Kayaker

Kayaker
January 18th, 2001, 22:48
Hmmm, seems this might be a Win98 issue, at least with this PECrypt32 proggy. I repeated the /Tracex 401000 463000 on Win98 with
icedump v6.0.2.0 and v6.0.2.1 for winice v4.05 build 334
and got the same results as SV, Tracex breaking at 401AA0:


:00401A9B E8DCF8FFFF CALL KERNEL32!GlobalAlloc
:00401AA0 A388544600 MOV [00465488],EAX

EAX=00490078 EBX=00000020 ECX=81706D84 EDX=00490000 ESI=006BF9D4
EDI=00000017 EBP=006BF994 ESP=006BF988 EIP=00401AA0


instead of

//******************** Program Entry Point ********
:00462BDC 55 push ebp


which /Tracex correctly broke on with icedump v6.0.2.0 for winice v4.05 build 334 loader on Win95.

Regards,
Kayaker