Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   x64dbg - Find OEP by section hop (https://forum.exetools.com/showthread.php?t=18603)

schrodyn 01-16-2018 02:31

x64dbg - Find OEP by section hop
 
When trying to unpack samples, I from time to time use "Find OEP by section hop" with OllyDBG and OllyDump. But I've been trying to move away from Ollydbg in the last year or so and use x64dbg. But this feature is something I miss when using x64dbg / Ollydump.

Is there an equivalent or can anyone point me in the right direction?

Stingered 01-16-2018 07:47

Quote:

Originally Posted by schrodyn (Post 111897)
When trying to unpack samples, I from time to time use "Find OEP by section hop" with OllyDBG and OllyDump. But I've been trying to move away from Ollydbg in the last year or so and use x64dbg. But this feature is something I miss when using x64dbg / Ollydump.

Is there an equivalent or can anyone point me in the right direction?

Haven't found it, myself. Hopefully someone has a plugin/script they can provide. To point you in the right direction... Maybe.

https://low-priority.appspot.com/ollydumpex/#overview

Ask to have this support included in this plugin.

Source code for Ollydump can be found here:

https://github.com/JohnTroony/Plugme-Immunity/tree/master/OllyDump%20v3.00.110/OllyDump%20v3.00.110

:(

schrodyn 01-16-2018 20:01

Thanks. I'll consider asking them if they can implement it in OllyDumpEX. I'm not sure why it isn't already featured. If I find an alternative or hear back from them I'll update this thread with the information.

mr.exodia 01-17-2018 02:08

From what I gathered the "Find OEP by section hop" (over/into) are equivalent to tracing over/into with the break condition: "mem.base(cip) != xxxxxxxx" where xxxxxxxx is the memory base of the current section (type mem.base(cip) in the calculator to find this value).

Stingered 01-17-2018 03:12

Quote:

Originally Posted by mr.exodia (Post 111914)
From what I gathered the "Find OEP by section hop" (over/into) are equivalent to tracing over/into with the break condition: "mem.base(cip) != xxxxxxxx" where xxxxxxxx is the memory base of the current section (type mem.base(cip) in the calculator to find this value).

I believe this is the relevant section of code in Ollydump:

Code:

// OllyDump plugin: set an OllyDbg run-trace condition so that tracing pauses as soon as
// EIP leaves the section it is currently in (or, if EIP is outside the image, re-enters it).
int FindOEPbySectionHop(int tracemode)
{
  int i;
  DWORD out0,out1,in0,in1,curEIP,curSectVA1,curSectVA2;
  t_reg reg;

  Deleteruntrace();
  TraceFlag = TRUE;
  // Clear Section Info buffer
  if(lpSectInfo) {
    FreeSectInfo();
  }

  // Get PE file header value
  GetPEInfo();
  curEIP = GetCurrentEIP();
  Addtolist(0,-1,"EP:%X  ImageBase:%X  SizeOfImage:%X  Current EIP:%X",PEFileInfo.dwAddrOfEP,PEFileInfo.dwImageBase,PEFileInfo.dwSizeOfImage,curEIP);

  // Search a section the Entry Point belongs
  out0 = out1 = 0;
  for(i=0; i<PEFileInfo.woNumOfSect; i++) {
//Addtolist(0,-1,"Sect%02d : %8X - %8X",i,lpSectInfo[i].dwVOffset,lpSectInfo[i].dwVOffset+lpSectInfo[i].dwVSize-1);
    curSectVA1 = lpSectInfo[i].dwVOffset + PEFileInfo.dwImageBase;
    curSectVA2 = curSectVA1 + lpSectInfo[i].dwVSize;
    if(curEIP >= curSectVA1 && curEIP < curSectVA2) {
      out0 = lpSectInfo[i].dwVOffset + PEFileInfo.dwImageBase;
      out1 = out0 + lpSectInfo[i].dwVSize - 1;
      break;
    }
  }
  if(out0 != 0 && out1 > out0) {
    // EIP is inside a section: pause when EIP leaves [out0, out1] ("out of range" request)
    Settracecondition(NULL,0,0,0,out0,out1);
    Addtolist(0,-1,"Current EIP(%08X) is in Section%02d  %08X - %08X",curEIP,i,curSectVA1,curSectVA2);
    Addtolist(0,-1,"Trace Condition set out0:%X  out1:%X",out0,out1);
  }
  else {
    // EIP is outside the image (e.g. in an allocated stub): pause when EIP comes back into
    // the range spanned by the first and last section ("in range" request)
    in0 = lpSectInfo[0].dwVOffset + PEFileInfo.dwImageBase;
    in1 = lpSectInfo[PEFileInfo.woNumOfSect-1].dwVOffset + lpSectInfo[PEFileInfo.woNumOfSect-1].dwVSize + PEFileInfo.dwImageBase;
    Settracecondition(NULL,0,in0,in1,0,0);
    Addtolist(0,-1,"Current EIP(%08X) is out of Debuggee image",curEIP);
    Addtolist(0,-1,"Trace Condition set in0:%X  in1:%X",in0,in1);
  }
  Startruntrace(&reg);
  // Kick off the run trace with the same keystrokes the user would press
  switch(tracemode) {
  case ODP_TRACE_INTO:
    Sendshortcut(PM_MAIN,0,WM_KEYDOWN,1,0,VK_F11); // Trace into
    break;
  case ODP_TRACE_OVER:
    Sendshortcut(PM_MAIN,0,WM_KEYDOWN,1,0,VK_F12); // Trace over
    break;
  }
  return TRUE;
}


mr.exodia 01-18-2018 20:42

Yeah, the documentation says:

Code:

Settracecondition

OllyDbg can pause run trace on a set of conditions. This function quickly sets pause on expression, on suspicious command and/or on EIP range and deactivates pause on command.


void Settracecondition(char *cond,int onsuspicious,ulong in0,ulong in1,ulong out0,ulong out1);


Parameters:


cond - pointer to character string containing expression. Run trace will pause if expression is invalid or estimates to non-zero value;


onsuspicious - activates (1) or deactivates (0) pause on suspicious command;

 
in0, in1 - 'in range' request. Run trace will pause if EIP is in this range (in1 not included). To disable pause on 'in range', set both in0 and in1 to 0;


out0, out1 - 'out of range' request. Run trace will pause if EIP is outside this range or equals to out1. To disable pause on 'out of range', set both out0 and out1 to 0.

Calling this function like Ollydump does would be equivalent to the trace condition "eip < out0 || eip >= out1" in x64dbg where out0 and out1 are the section boundaries of the section that eip is currently in...
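
The two trace conditions above (mr.exodia's "mem.base(cip) != base" shortcut and the "eip < out0 || eip >= out1" form derived from Settracecondition), together with OllyDump's out-of-image fallback branch, written out as an x64dbg script. This is an added example, not code from the thread, from OllyDump or from the x64dbg project. It assumes the debuggee is paused inside the unpacking stub, that x64dbg's memory map lists each PE section as its own region (so mem.base(cip)/mem.size(cip) are the bounds of the current section), and that the mem.base, mem.size, mod.base, mod.size and mod.main() expression functions and the TraceOverConditional/TraceIntoConditional commands behave as documented:

```x64dbg
// Added example (not from the thread, OllyDump or x64dbg): "Find OEP by section hop" as an x64dbg script.
// Run it while the debuggee is paused inside the unpacking stub.
// Assumption: x64dbg's memory map splits a module per PE section, so mem.base(cip)/mem.size(cip)
// give the bounds of the section cip is currently in (this is what the thread relies on).

var $out0
var $out1
var $in0
var $in1

// mod.base(cip) is 0 when cip lies outside every loaded module (e.g. in a VirtualAlloc'd stub)
cmp mod.base(cip), 0
je outside_image

// Same as OllyDump's Settracecondition(NULL,0,0,0,out0,out1): pause once cip leaves [out0, out1)
mov $out0, mem.base(cip)
mov $out1, mem.base(cip)+mem.size(cip)
log "cip {cip} is in section {$out0}-{$out1}, tracing until it leaves"
// "over" variant (OllyDump's F12); use TraceIntoConditional / ticnd for the "into" (F11) variant
TraceOverConditional cip < $out0 || cip >= $out1, 1000000
log "section hop: cip = {cip}, candidate OEP (check the prologue before dumping)"
ret

outside_image:
// OllyDump's fallback, Settracecondition(NULL,0,in0,in1,0,0): pause once cip re-enters the
// debuggee. The main module's whole image is used here instead of OllyDump's
// first-section-start to last-section-end range, so it also covers the PE header page.
mov $in0, mod.main()
mov $in1, mod.main()+mod.size(mod.main())
log "cip {cip} is outside the debuggee image, tracing until it re-enters {$in0}-{$in1}"
TraceOverConditional cip >= $in0 && cip < $in1, 1000000
log "back in image: cip = {cip}, candidate OEP"
ret
```

The minimal interactive form is to type `mem.base(cip)` in the calculator and then run `tocnd mem.base(cip) != <that value>` (or `ticnd` to step into calls) from the command bar. Two caveats apply to both forms: the trace stops at the first section change, which for a stub that jumps into an allocated buffer is the buffer, not the OEP (re-run it there, which is why the outside_image branch exists), and a packer whose OEP lies in the same section as its stub never triggers the condition, so the stop address still has to be checked by hand before dumping.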

Stingered 01-19-2018 04:31

Quote:

Originally Posted by mr.exodia (Post 111938)
Yeah, the documentation says:

Code:

Settracecondition

OllyDbg can pause run trace on a set of conditions. This function quickly sets pause on expression, on suspicious command and/or on EIP range and deactivates pause on command.


void Settracecondition(char *cond,int onsuspicious,ulong in0,ulong in1,ulong out0,ulong out1);


Parameters:


cond - pointer to character string containing expression. Run trace will pause if expression is invalid or estimates to non-zero value;


onsuspicious - activates (1) or deactivates (0) pause on suspicious command;

 
in0, in1 - 'in range' request. Run trace will pause if EIP is in this range (in1 not included). To disable pause on 'in range', set both in0 and in1 to 0;


out0, out1 - 'out of range' request. Run trace will pause if EIP is outside this range or equals to out1. To disable pause on 'out of range', set both out0 and out1 to 0.

Calling this function like Ollydump does would be equivalent to the trace condition "eip < out0 || eip >= out1" in x64dbg where out0 and out1 are the section boundaries of the section that eip is currently in...

Okay, this makes more sense to me now. I'll add this to my cheat sheet.

