Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Finding Correct EP (https://forum.exetools.com/showthread.php?t=13296)

RaptorX 02-17-2011 05:43

Finding Correct EP
 
Hi guys,

Summary:
Quote:

Doing Lena's tutorial CP6
ImageBase + AddressOfEntryPoint info is not matching with real EP of program.

Q: Why is that?
I have been following Lena's tutorials on RE and I have understood everything up to now.

I'm in chapter 6 at the moment and I got lost inside the PE while exploring it before watching the chapter, so I thought "nice timing for practicing what I have learned up to now"...

So I found out that I was inside one of the Windows modules (a DLL, I think) and, as the EIP was pointing to part of the code inside that DLL, I searched my way out to the main program using Olly's "Executable Modules" window. Then I used the "Memory" window to find the information about the EP and I got this:

Code:

00340118    DF310600    DD 000631DF          ;  AddressOfEntryPoint = 631DF
00340124    0000417E    DD 7E410000          ; ImageBase = 7E410000

The deal is that when I start the program the EP is located here:
Code:

0060A8EC p>/$  55                PUSH EBP

So, I double checked the other tutorial files and all of their EPs correspond to the ImageBase + AddressOfEntryPoint. This executable is not packed or anything, so can somebody explain to me what is going on? Why is it differing in such a way?

D-Jester 02-17-2011 09:16

Heya RaptorX

Ok I'll break this down for ya.

First: 60A8EC is the correct EP for that executable.

Code:

00400128    ECA82000    DD 0020A8EC          ;  AddressOfEntryPoint = 20A8EC
00400134    00004000    DD 00400000          ; ImageBase = 400000

Second, what you have done mistakenly is looked at the PE header of a loaded DLL, not the executable you are debugging. Which is why the EP of your debugged target doesn't match the PE header of the DLL.

Code:

00340118    DF310600    DD 000631DF          ;  AddressOfEntryPoint = 631DF
00340124    0000417E    DD 7E410000          ; ImageBase = 7E410000

I can go into further detail if you need it, let me know.
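The arithmetic D-Jester describes (EP = ImageBase + AddressOfEntryPoint) is easy to check outside the debugger. The following Python script is an added example and is not code from the thread or from OllyDbg: it builds two constructed, minimal PE headers carrying the values quoted above (the executable with ImageBase 400000 / AddressOfEntryPoint 20A8EC, and the hhctrl DLL with ImageBase 7E410000 / AddressOfEntryPoint 631DF), parses the fields the Memory window shows, and computes the entry point. The e_lfanew values (0x100 and 0xF0) are assumptions chosen so that the field addresses land exactly where the dumps show them (00400128/00400134 and 00340118/00340124); the SizeOfImage values are likewise constructed. One caveat the field addresses expose: the DLL's header sits at 00340000 while its ImageBase field says 7E410000, which means that DLL was relocated, so its real EP is the actual load base plus the RVA, not the header's ImageBase plus the RVA.

```python
"""Compute a module's entry point from its PE header (added example, not from the thread).

Only the fields discussed in the thread are filled in; the sample headers are
constructed and do not correspond to any real file."""
import struct

IMAGE_FILE_DLL = 0x2000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SIZEOF_FILE_HEADER = 20
SIZEOF_OPTIONAL_HEADER32 = 224


def build_min_pe(image_base, entry_rva, size_of_image, e_lfanew=0x100, is_dll=False):
    """Build a constructed, minimal PE32 header: DOS header, PE signature,
    IMAGE_FILE_HEADER and IMAGE_OPTIONAL_HEADER32 (no sections, no code)."""
    assert e_lfanew >= 64, "e_lfanew must leave room for the DOS header"
    dos = bytearray(e_lfanew)                  # IMAGE_DOS_HEADER plus stub padding
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, e_lfanew)  # e_lfanew -> offset of "PE\0\0"
    characteristics = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)  # EXECUTABLE_IMAGE|32BIT_MACHINE
    file_header = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0,
                              SIZEOF_OPTIONAL_HEADER32, characteristics)
    opt = bytearray(SIZEOF_OPTIONAL_HEADER32)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)     # AddressOfEntryPoint (an RVA)
    struct.pack_into("<I", opt, 28, image_base)    # ImageBase (preferred load address)
    struct.pack_into("<I", opt, 56, size_of_image) # SizeOfImage
    return bytes(dos) + b"PE\0\0" + file_header + bytes(opt)


def parse_pe_header(image, load_base=None):
    """Read the header fields Olly's Memory window shows and compute the EP.

    load_base is where the module is actually mapped (what Executable Modules
    shows).  If it differs from the header's ImageBase the module was relocated
    and the live EP is load_base + AddressOfEntryPoint."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 60)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    fh = e_lfanew + 4
    _machine, _nsec, _ts, _sym, _nsym, _opt_size, chars = struct.unpack_from("<HHIIIHH", image, fh)
    opt = fh + SIZEOF_FILE_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    if magic == PE32_MAGIC:
        image_base_off, image_base = opt + 28, struct.unpack_from("<I", image, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:          # PE32+ has a 64-bit ImageBase and no BaseOfData
        image_base_off, image_base = opt + 24, struct.unpack_from("<Q", image, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    size_of_image = struct.unpack_from("<I", image, opt + 56)[0]
    base = image_base if load_base is None else load_base
    return {
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "image_base": image_base,
        "entry_rva": entry_rva,
        "size_of_image": size_of_image,
        "relocated": base != image_base,
        "entry_point": base + entry_rva,            # what Olly lands on at start
        "entry_field_va": base + opt + 16,          # where the AddressOfEntryPoint DWORD lives
        "image_base_field_va": base + image_base_off,
    }


def module_for_address(mapped, address):
    """Given {load_base: header bytes}, return the load base of the module whose
    image range contains address, or None.  This is the Executable Modules
    lookup the thread uses to get from an EIP inside a DLL back to the exe."""
    for load_base, image in mapped.items():
        size = parse_pe_header(image, load_base)["size_of_image"]
        if load_base <= address < load_base + size:
            return load_base
    return None


# Constructed sample modules using the values quoted in the thread.
SAMPLE_EXE = build_min_pe(0x400000, 0x20A8EC, 0x300000, e_lfanew=0x100)
SAMPLE_DLL = build_min_pe(0x7E410000, 0x631DF, 0x80000, e_lfanew=0xF0, is_dll=True)
SAMPLE_MODULES = {0x400000: SAMPLE_EXE, 0x340000: SAMPLE_DLL}  # DLL mapped below its ImageBase

if __name__ == "__main__":
    for load_base, image in SAMPLE_MODULES.items():
        info = parse_pe_header(image, load_base)
        print("module at %08X: %s ImageBase=%08X AddressOfEntryPoint=%X EP=%08X relocated=%s"
              % (load_base, "DLL" if info["is_dll"] else "EXE", info["image_base"],
                 info["entry_rva"], info["entry_point"], info["relocated"]))
    print("EIP 0060A8EC belongs to module at %08X" % module_for_address(SAMPLE_MODULES, 0x60A8EC))
```

Running it prints the executable's EP as 0060A8EC (the value D-Jester gives), and shows why the header RaptorX opened first could never have produced that address: it belongs to a DLL whose fields sit at 00340118/00340124.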

RaptorX 02-17-2011 14:53

You can detail as much as you want, because the more details you give the more I learn :D

I did assume that I was looking at the EP of a loaded module, but what I do not understand is the following... To get that information I open the "Memory Map" window, right? Isn't the information on that window relevant to the module that is currently loaded in the "CPU" window?

In other words, if the CPU window says that I am seeing the information for "My tools.exe", wouldn't the Memory Map window show me the info of that executable?

Because I am sure that I open the memory map while I have the program in question open in the CPU window and still I get the EP of the other module, as you pointed out.

How did you get the correct info that you pasted in your reply?

Never mind, actually I just saw that there are several PE headers and each starts with the name of the module... I was blindly clicking the first one all the time, thinking that the first one is the one from the main program, but in this case it belonged to "hhctrl"... :p

Thanks for your reply!
