&Vage Grandmaster Cheater Supreme
Reputation: 0
Joined: 25 Jul 2008 Posts: 1053
|
Posted: Mon Aug 04, 2008 12:45 pm Post subject: Detecting OEP? |
|
|
| Code: |
.model small
.stack
.data
correct db "Entry is correct", "$"
wrong db "Entry is incorrect", "$"
.code
main proc
lea ax, main
test ax, 00400000h ;400000h should be the OEP o.o
jne @f
xor ax,ax
mov ax, seg correct
mov ds, ax
mov ah, 09
lea dx, correct
int 21h
jmp exit
@@:
xor ax,ax
mov ax, seg wrong
mov ds, ax
mov ah, 09
lea dx, wrong
int 21h
exit:
mov ax, 4C00h
int 21h
main endp
end main
|
Feel free to criticize me on anything except my coding.
P.S. I tried it, and it doesn't seem to work. Anyone know why?
sponge I'm a spammer
Reputation: 1
Joined: 07 Nov 2006 Posts: 6009
|
Posted: Mon Aug 04, 2008 2:41 pm Post subject: |
|
|
400000h should not be the OEP. This is the MS DOS header.
&Vage Grandmaster Cheater Supreme
Reputation: 0
Joined: 25 Jul 2008 Posts: 1053
|
Posted: Mon Aug 04, 2008 2:47 pm Post subject: |
|
|
| sponge wrote: | | 400000h should not be the OEP. This is the MS DOS header. |
I know, I just put a random address
oib111 I post too much
Reputation: 0
Joined: 02 Apr 2007 Posts: 2947 Location: you wanna know why?
|
Posted: Mon Aug 04, 2008 4:10 pm Post subject: |
|
|
w8 nvm...
_________________
| 8D wrote: |
cigs dont make people high, which weed does, which causes them to do bad stuff. like killing |
Last edited by oib111 on Mon Aug 04, 2008 4:55 pm; edited 1 time in total |
sponge I'm a spammer
Reputation: 1
Joined: 07 Nov 2006 Posts: 6009
|
Posted: Mon Aug 04, 2008 4:29 pm Post subject: |
|
|
| oib111 wrote: | | x0r do you have to be so negative? I mean you're helpful, but still. And just wondering, what's the point of using APIs such as GetModuleHandle in a low level language such as assembly? |
... OMG /facepalm
&Vage Grandmaster Cheater Supreme
Reputation: 0
Joined: 25 Jul 2008 Posts: 1053
|
Posted: Mon Aug 04, 2008 10:59 pm Post subject: |
|
|
| x0r wrote: | LOL, time and time again you prove you know nothing about ASM.
I'm assuming you ripped that snippet of code and hacked it up a bit, as can be seen by your attempts to compare a 16-bit register with a 32-bit value.
Anyway, if you're at the entry-point you can use the $ identifier to get the address of the instruction. You could also use GetModuleHandle and get the module handle for the executable then go from there, since you don't mind sloppy and hackish code. |
I'm still learning about 16x registers.
| Code: |
Anyway, if you're at the entry-point you can use the [b]$[/b] identifier to get the address of the instruction. You could also use [b]GetModuleHandle[/b] and get the module handle for the executable then go from there
|
You know you could have said that instead of wasting your time to cast your useless opinion against me.
nog_lorp Grandmaster Cheater
Reputation: 0
Joined: 26 Feb 2006 Posts: 743
|
Posted: Tue Aug 05, 2008 12:28 am Post subject: |
|
|
Why the hell are you using model small anyways?
_________________
Mutilated lips give a kiss on the wrist of the worm-like tips of tentacles expanding in my mind
I'm fine accepting only fresh brine you can get another drop of this yeah you wish |
&Vage Grandmaster Cheater Supreme
Reputation: 0
Joined: 25 Jul 2008 Posts: 1053
|
Posted: Tue Aug 05, 2008 1:10 am Post subject: |
|
|
| nog_lorp wrote: | | Why the hell are you using model small anyways? |
It looks great in debug :3
dnsi0 I post too much
Reputation: 0
Joined: 04 Jan 2007 Posts: 2674
|
Posted: Tue Aug 05, 2008 9:31 am Post subject: |
|
|
wait... Isn't OEP at 401000?
Cx Master Cheater
Reputation: 0
Joined: 27 Jul 2007 Posts: 367
|
Posted: Tue Aug 05, 2008 11:15 am Post subject: |
|
|
| dnsi0 wrote: | | wait... Isn't OEP at 401000? |
OEP varies.
_________________
armed with this small butterfly net
i will face the world alone
& never be lonely. |
dnsi0 I post too much
Reputation: 0
Joined: 04 Jan 2007 Posts: 2674
|
Posted: Tue Aug 05, 2008 11:20 am Post subject: |
|
|
| Cx wrote: | | dnsi0 wrote: | | wait... Isn't OEP at 401000? |
OEP varies. |
All unpacked or programs that does not have a packer's OEP is at 00401000
Slugsnack Grandmaster Cheater Supreme
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
|
Posted: Tue Aug 05, 2008 11:46 am Post subject: |
|
|
| dnsi0 wrote: | | Cx wrote: | | dnsi0 wrote: | | wait... Isn't OEP at 401000? |
OEP varies. |
All unpacked or programs that does not have a packer's OEP is at 00401000 |
It depends on the linker/compiler. eg. I just made a simple program in Visual Studio and EP is 0x01041000.
Ksbunker Advanced Cheater
Reputation: 0
Joined: 18 Oct 2006 Posts: 88
|
Posted: Wed Aug 06, 2008 5:28 am Post subject: re: |
|
|
| Quote: | | All unpacked or programs that does not have a packer's OEP is at 00401000 |
Nope.
| Code: |
.code
nop
start:
;...
end start
|
EP = Offset 1001 or RVA 401001
DoomsDay Grandmaster Cheater
Reputation: 0
Joined: 06 Jan 2007 Posts: 768 Location: %HomePath%
|
Posted: Wed Aug 06, 2008 10:05 am Post subject: |
|
|
| Entry Point: specified in the PE header - IMAGE_OPTIONAL_HEADER32.AddressOfEntryPoint
nog_lorp Grandmaster Cheater
Reputation: 0
Joined: 26 Feb 2006 Posts: 743
|
Posted: Fri Aug 15, 2008 3:16 am Post subject: |
|
|
DoomsDay to the rescue with FACT! People should try looking in Olly at the PE header section. FYI, ptr to PE header is at 0x3C
| Code: |
push 0
call GetModuleHandle
mov edx, eax
add eax, 0x3C ; Ptr to PE header
mov eax,[eax]
add eax, edx
add eax, 0x28 ; AddressOfEntryPoint
mov eax, [eax]
add eax, edx
|
eax now equals EP.
If you want do this
| Code: |
getNextAddress:
mov eax,[esp]
ret
call getNextAddress ; this must be first line of program
sub eax,5 ; sub size of call
mov ecx,eax
call getEP
cmp eax,ecx
jne errorz
|
_________________
Mutilated lips give a kiss on the wrist of the worm-like tips of tentacles expanding in my mind
I'm fine accepting only fresh brine you can get another drop of this yeah you wish |
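The header walk described in the last two posts (pointer to the PE header at 0x3C, AddressOfEntryPoint at PE header + 0x28), as an added C example that is not part of the original thread. It goes beyond the posted snippet by reading from a byte buffer with bounds and signature checks; the function names and the sample header are constructed for illustration, and only PE32 (magic 0x10B) is handled.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Little-endian 32-bit read/write without alignment assumptions. */
static uint32_t rd32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Returns 0 and fills *rva and *image_base, or -1 if the header is malformed. */
int pe32_entry_point(const uint8_t *img, size_t len, uint32_t *rva, uint32_t *image_base) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe = rd32(img + 0x3C);                  /* e_lfanew: offset of "PE\0\0" */
    if (pe > len || len - pe < 0x38) return -1;      /* fields up to ImageBase must fit */
    if (memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    if (img[pe + 0x18] != 0x0B || img[pe + 0x19] != 0x01) return -1; /* PE32 magic 0x10B */
    *rva = rd32(img + pe + 0x28);                    /* AddressOfEntryPoint (an RVA) */
    *image_base = rd32(img + pe + 0x34);             /* ImageBase (preferred load address) */
    return 0;
}

/* Constructed sample: only the header fields read above, not a loadable file. */
void build_sample(uint8_t buf[0x100]) {
    memset(buf, 0, 0x100);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, 0x80);
    memcpy(buf + 0x80, "PE\0\0", 4);
    buf[0x80 + 0x18] = 0x0B; buf[0x80 + 0x19] = 0x01;
    wr32(buf + 0x80 + 0x28, 0x1001);                 /* entry one byte into the code section */
    wr32(buf + 0x80 + 0x34, 0x00400000);
}

int main(void) {
    uint8_t img[0x100];
    uint32_t rva, base;
    build_sample(img);
    if (pe32_entry_point(img, sizeof img, &rva, &base) != 0) return 1;
    /* At run time, add the RVA to the actual load base, which may differ from ImageBase. */
    printf("RVA 0x%X, VA at preferred base 0x%X\n", (unsigned)rva, (unsigned)(base + rva));
    return 0;
}
```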