  #4  
Old 01-21-2005, 03:16
crkelbery
 
". in manual methods a good method is to find a GetModuleHandle "

This is absolutely true. For example:

Look for the address where the GetModuleHandleA address is stored.
With Olly > Find References...

Let's suppose Olly finds 6 different places.

Double click and look above...
It's easy to recognize the right place:

004913F0 55 PUSH EBP<<<<<<<
004913F1 8BEC MOV EBP,ESP
004913F3 6A FF PUSH -1
004913F5 68 68FB4C00 PUSH INSTALL_.004CFB68
004913FA 68 A0764900 PUSH INSTALL_.004976A0
004913FF 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00491405 50 PUSH EAX
00491406 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
0049140D 83EC 58 SUB ESP,58
00491410 53 PUSH EBX
00491411 56 PUSH ESI
00491412 57 PUSH EDI
00491413 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
00491416 FF15 C0924B00 CALL DWORD PTR DS:[4B92C0] ; KERNEL32.GetVersion
0049141C 33D2 XOR EDX,EDX
0049141E 8AD4 MOV DL,AH
00491420 8915 146F5100 MOV DWORD PTR DS:[516F14],EDX
00491426 8BC8 MOV ECX,EAX
00491428 81E1 FF000000 AND ECX,0FF
0049142E 890D 106F5100 MOV DWORD PTR DS:[516F10],ECX
00491434 C1E1 08 SHL ECX,8
00491437 03CA ADD ECX,EDX
00491439 890D 0C6F5100 MOV DWORD PTR DS:[516F0C],ECX
0049143F C1E8 10 SHR EAX,10
00491442 A3 086F5100 MOV DWORD PTR DS:[516F08],EAX
00491447 6A 01 PUSH 1
00491449 E8 D64F0000 CALL INSTALL_.00496424
0049144E 59 POP ECX
0049144F 85C0 TEST EAX,EAX
00491451 75 08 JNZ SHORT INSTALL_.0049145B
00491453 6A 1C PUSH 1C
00491455 E8 C3000000 CALL INSTALL_.0049151D
0049145A 59 POP ECX
0049145B E8 AC3D0000 CALL INSTALL_.0049520C
00491460 85C0 TEST EAX,EAX
00491462 75 08 JNZ SHORT INSTALL_.0049146C
00491464 6A 10 PUSH 10
00491466 E8 B2000000 CALL INSTALL_.0049151D
0049146B 59 POP ECX
0049146C 33F6 XOR ESI,ESI
0049146E 8975 FC MOV DWORD PTR SS:[EBP-4],ESI
00491471 E8 46740000 CALL INSTALL_.004988BC
00491476 FF15 B8914B00 CALL DWORD PTR DS:[4B91B8] ; KERNEL32.GetCommandLineA
0049147C A3 14865100 MOV DWORD PTR DS:[518614],EAX
00491481 E8 04730000 CALL INSTALL_.0049878A
00491486 A3 D06E5100 MOV DWORD PTR DS:[516ED0],EAX
0049148B E8 AD700000 CALL INSTALL_.0049853D
00491490 E8 EF6F0000 CALL INSTALL_.00498484
00491495 E8 4E110000 CALL INSTALL_.004925E8
0049149A 8975 D0 MOV DWORD PTR SS:[EBP-30],ESI
0049149D 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C]
004914A0 50 PUSH EAX
004914A1 FF15 E8914B00 CALL DWORD PTR DS:[4B91E8] ; KERNEL32.GetStartupInfoA
004914A7 E8 806F0000 CALL INSTALL_.0049842C
004914AC 8945 9C MOV DWORD PTR SS:[EBP-64],EAX
004914AF F645 D0 01 TEST BYTE PTR SS:[EBP-30],1
004914B3 74 06 JE SHORT INSTALL_.004914BB
004914B5 0FB745 D4 MOVZX EAX,WORD PTR SS:[EBP-2C]
004914B9 EB 03 JMP SHORT INSTALL_.004914BE
004914BB 6A 0A PUSH 0A
004914BD 58 POP EAX
004914BE 50 PUSH EAX
004914BF FF75 9C PUSH DWORD PTR SS:[EBP-64]
004914C2 56 PUSH ESI
004914C3 56 PUSH ESI
004914C4 FF15 D4924B00 CALL DWORD PTR DS:[4B92D4] <<getmodulehandlea ; INSTALL_.0052016F


Thanks for the two answers. Anyway, I didn't mean the method I suggested
to be an always-working method, but I guess it's nice trying to look for different patterns... we don't know when they can be useful... isn't it?
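The two recognition steps the post describes (find the places that read the IAT slot holding GetModuleHandleA, then look above for the MSVC CRT startup prologue) can be automated over a memory dump. The following Python script is an added example written for this page; it is not code from the post or from OllyDbg. It scans a byte blob for the PUSH EBP / MOV EBP,ESP / PUSH -1 / PUSH / PUSH / FS:[0] sequence the listing begins with, finds every `CALL DWORD PTR DS:[slot]` through a chosen IAT slot, and combines the two into an OEP candidate list. The sample bytes are constructed from the opcodes in the listing above (the 0x90 and 0xCC filler is made up); the base address, the GetVersion slot 004B92C0 and the GetModuleHandleA slot 004B92D4 are taken from the listing.

```python
# Added example (not from the original post): byte-level heuristics for locating the
# original entry point (OEP) of a 32-bit MSVC binary in an unpacked memory dump.
import re
import struct

# Wildcard pattern for the CRT startup prologue; None matches any single byte.
CRT_PROLOGUE = [
    0x55,                          # PUSH EBP
    0x8B, 0xEC,                    # MOV EBP,ESP
    0x6A, 0xFF,                    # PUSH -1
    0x68, None, None, None, None,  # PUSH <SEH handler>   (address varies per binary)
    0x68, None, None, None, None,  # PUSH <scope table>   (address varies per binary)
    0x64, 0xA1, 0, 0, 0, 0,        # MOV EAX,DWORD PTR FS:[0]
    0x50,                          # PUSH EAX
    0x64, 0x89, 0x25, 0, 0, 0, 0,  # MOV DWORD PTR FS:[0],ESP
]


def _to_regex(pattern):
    # Turn the wildcard list into a bytes regex; "." with DOTALL matches any byte.
    parts = [b"." if b is None else re.escape(bytes([b])) for b in pattern]
    return re.compile(b"".join(parts), re.DOTALL)


def find_crt_prologue(code, base):
    """Return the virtual addresses where the MSVC CRT startup prologue begins."""
    rx = _to_regex(CRT_PROLOGUE)
    return [base + m.start() for m in rx.finditer(code)]


def find_iat_call_sites(code, base, slot_va):
    """Return the VAs of every `CALL DWORD PTR DS:[slot_va]` (opcode FF 15 imm32).

    This is the manual equivalent of OllyDbg's "Find References" on the IAT slot.
    """
    needle = re.escape(b"\xFF\x15" + struct.pack("<I", slot_va))
    return [base + m.start() for m in re.finditer(needle, code, re.DOTALL)]


def candidate_oeps(code, base, slot_va, window=0x200):
    """Prologues that are followed within `window` bytes by a call through slot_va.

    This mirrors the post: pick the reference whose surrounding code, looked at from
    above, starts with the CRT prologue.
    """
    sites = find_iat_call_sites(code, base, slot_va)
    return [p for p in find_crt_prologue(code, base)
            if any(0 < s - p <= window for s in sites)]


# Constructed sample: 16 NOPs, then the bytes of 004913F0..0049141B from the listing,
# then filler, then the FF15 D4924B00 call placed so that it lands at 004914C4.
BASE = 0x004913E0
GETVERSION_SLOT = 0x004B92C0        # DS:[4B92C0] in the listing
GETMODULEHANDLE_SLOT = 0x004B92D4   # DS:[4B92D4] in the listing
SAMPLE = (
    b"\x90" * 16
    + bytes.fromhex("55 8BEC 6AFF 68 68FB4C00 68 A0764900 64A1 00000000 50"
                    "6489 25 00000000 83EC 58 53 56 57 8965 E8 FF15 C0924B00")
    + b"\xCC" * 168
    + bytes.fromhex("FF15 D4924B00")
)

if __name__ == "__main__":
    for va in candidate_oeps(SAMPLE, BASE, GETMODULEHANDLE_SLOT):
        print("OEP candidate at %08X" % va)   # prints 004913F0 for the sample
```

Run it against a raw dump of the code section with `base` set to that section's load address; the candidate list is short because the CRT prologue is specific, while the call-site list alone can contain several hits (the post's "6 different places").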