Stingered |
01-17-2018 03:12 |
Quote:
Originally Posted by mr.exodia
(Post 111914)
From what I gathered, the "Find OEP by section hop" commands (over/into) are equivalent to tracing over/into with the break condition "mem.base(cip) != xxxxxxxx", where xxxxxxxx is the memory base of the current section (type mem.base(cip) in the calculator to find this value).
|
I believe this is the relevant section of code in Ollydump:
Code:
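/*
 * FindOEPbySectionHop - arm a run trace whose stop condition is a "section
 * hop", then start tracing into or over.
 *
 * If the current EIP lies inside one of the sections listed in lpSectInfo,
 * that section's address range is passed as the out0/out1 pair of
 * Settracecondition(). Otherwise the range spanned by the first and last
 * section-table entries is passed as the in0/in1 pair.
 * (Presumably "out" pauses when EIP leaves the range and "in" pauses when
 * EIP enters it; confirm against the Settracecondition documentation.)
 *
 * The section table describes the debuggee. For an unpacking helper that is
 * often a packed or deliberately malformed image, so the table is treated as
 * untrusted input: an empty or missing table is rejected before it is indexed.
 *
 * tracemode: ODP_TRACE_INTO or ODP_TRACE_OVER; any other value arms the
 *            trace but sends no trace shortcut.
 *
 * Returns TRUE once the trace has been armed, FALSE if no section table is
 * available (the original code returned TRUE unconditionally).
 */
int FindOEPbySectionHop(int tracemode)
{
    int i;
    DWORD out0, out1, in0, in1, curEIP, curSectVA1, curSectVA2;
    t_reg reg;

    Deleteruntrace();
    TraceFlag = TRUE;

    /* Drop any section info left over from a previous run. */
    if (lpSectInfo) {
        FreeSectInfo();
    }

    /* Re-read the PE header values (presumably this refills lpSectInfo; confirm). */
    GetPEInfo();
    curEIP = GetCurrentEIP();
    Addtolist(0, -1, "EP:%X ImageBase:%X SizeOfImage:%X Current EIP:%X",
              PEFileInfo.dwAddrOfEP, PEFileInfo.dwImageBase,
              PEFileInfo.dwSizeOfImage, curEIP);

    /*
     * Both branches below index lpSectInfo. With a section count of zero the
     * fallback branch would read lpSectInfo[-1], and a NULL table would be
     * dereferenced outright, so bail out before touching it.
     */
    if (lpSectInfo == NULL || PEFileInfo.woNumOfSect == 0) {
        Addtolist(0, -1, "No section information available; trace not started");
        /* NOTE(review): assumes TraceFlag only marks an OEP trace in progress; confirm. */
        TraceFlag = FALSE;
        return FALSE;
    }

    /* Find the section that contains the current EIP. */
    out0 = out1 = 0;
    for (i = 0; i < PEFileInfo.woNumOfSect; i++) {
        curSectVA1 = lpSectInfo[i].dwVOffset + PEFileInfo.dwImageBase;
        curSectVA2 = curSectVA1 + lpSectInfo[i].dwVSize;
        /*
         * If the end address wraps around, curSectVA2 < curSectVA1 and this
         * test cannot succeed, so such an entry is simply never selected.
         */
        if (curEIP >= curSectVA1 && curEIP < curSectVA2) {
            out0 = curSectVA1;
            out1 = out0 + lpSectInfo[i].dwVSize - 1;
            break;
        }
    }

    if (out0 != 0 && out1 > out0) {
        Settracecondition(NULL, 0, 0, 0, out0, out1);
        /* "\(" is not a C escape sequence; a plain parenthesis prints the same text. */
        Addtolist(0, -1, "Current EIP(%08X) is in Section%02d %08X - %08X",
                  curEIP, i, curSectVA1, curSectVA2);
        Addtolist(0, -1, "Trace Condition set out0:%X out1:%X", out0, out1);
    }
    else {
        /*
         * EIP is outside every listed section. The first and last entries
         * are used as the image bounds, which assumes the table is ordered
         * by ascending virtual address; that is not validated here, and the
         * sum for in1 is unchecked DWORD arithmetic.
         */
        in0 = lpSectInfo[0].dwVOffset + PEFileInfo.dwImageBase;
        in1 = lpSectInfo[PEFileInfo.woNumOfSect - 1].dwVOffset
            + lpSectInfo[PEFileInfo.woNumOfSect - 1].dwVSize
            + PEFileInfo.dwImageBase;
        Settracecondition(NULL, 0, in0, in1, 0, 0);
        Addtolist(0, -1, "Current EIP(%08X) is out of Debuggee image", curEIP);
        Addtolist(0, -1, "Trace Condition set in0:%X in1:%X", in0, in1);
    }

    /*
     * The listing showed "Startruntrace(®)": an HTML-entity mangling of "&reg".
     * NOTE(review): reg is never filled in by this function; confirm that
     * Startruntrace does not read it, or load the current thread's registers
     * first.
     */
    Startruntrace(&reg);

    switch (tracemode) {
    case ODP_TRACE_INTO:
        Sendshortcut(PM_MAIN, 0, WM_KEYDOWN, 1, 0, VK_F11); /* Trace into */
        break;
    case ODP_TRACE_OVER:
        Sendshortcut(PM_MAIN, 0, WM_KEYDOWN, 1, 0, VK_F12); /* Trace over */
        break;
    default:
        /* Unknown mode: trace is armed but no shortcut is sent. */
        break;
    }
    return TRUE;
}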
|