Me again. I have tried PEiD, which found Armadillo 1.xx - 2.xx, and Stud_PE, which found Armadillo 2.5x - 2.6x. Then I used OllyDbg 1.10 with HideDebugger to open Atrex32.exe v11.02 and dumped the child process with OllyDump. I now get all the code at 00401000, but the OEP still points to 009916E3.
009916E3 >/$ 55 PUSH EBP
009916E4 |. 8BEC MOV EBP,ESP
009916E6 |. 6A FF PUSH -1
009916E8 |. 68 20BB9B00 PUSH dumped.009BBB20
009916ED |. 68 20149900 PUSH dumped.00991420 ; SE handler installation
009916F2 |. 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
009916F8 |. 50 PUSH EAX
009916F9 |. 64:8925 000000>MOV DWORD PTR FS:[0],ESP
00991700 |. 83EC 58 SUB ESP,58
00991703 |. 53 PUSH EBX
00991704 |. 56 PUSH ESI
00991705 |. 57 PUSH EDI
00991706 |. 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
00991709 |. FF15 88619B00 CALL DWORD PTR DS:[<&KERNEL32.GetVersion>; kernel32.GetVersion
0099170F |. 33D2 XOR EDX,EDX
00991711 |. 8AD4 MOV DL,AH
00991713 |. 8915 A4D19B00 MOV DWORD PTR DS:[9BD1A4],EDX
00991719 |. 8BC8 MOV ECX,EAX
0099171B |. 81E1 FF000000 AND ECX,0FF
00991721 |. 890D A0D19B00 MOV DWORD PTR DS:[9BD1A0],ECX
00991727 |. C1E1 08 SHL ECX,8
0099172A |. 03CA ADD ECX,EDX
0099172C |. 890D 9CD19B00 MOV DWORD PTR DS:[9BD19C],ECX
00991732 |. C1E8 10 SHR EAX,10
00991735 |. A3 98D19B00 MOV DWORD PTR DS:[9BD198],EAX
0099173A |. 33F6 XOR ESI,ESI
0099173C |. 56 PUSH ESI
0099173D |. E8 78160000 CALL dumped.00992DBA
00991742 |. 59 POP ECX
00991743 |. 85C0 TEST EAX,EAX
00991745 |. 75 08 JNZ SHORT dumped.0099174F
00991747 |. 6A 1C PUSH 1C
00991749 |. E8 B0000000 CALL dumped.009917FE
0099174E |. 59 POP ECX
0099174F |> 8975 FC MOV DWORD PTR SS:[EBP-4],ESI
00991752 |. E8 43130000 CALL dumped.00992A9A
00991757 |. FF15 8C609B00 CALL DWORD PTR DS:[<&KERNEL32.GetCommand>; [GetCommandLineA
0099175D |. A3 A4E79B00 MOV DWORD PTR DS:[9BE7A4],EAX
00991762 |. E8 01120000 CALL dumped.00992968
00991767 |. A3 F8D19B00 MOV DWORD PTR DS:[9BD1F8],EAX
0099176C |. E8 AA0F0000 CALL dumped.0099271B
00991771 |. E8 EC0E0000 CALL dumped.00992662
00991776 |. E8 2DFAFFFF CALL dumped.009911A8
0099177B |. 8975 D0 MOV DWORD PTR SS:[EBP-30],ESI
0099177E |. 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C]
00991781 |. 50 PUSH EAX ; /pStartupinfo
00991782 |. FF15 90609B00 CALL DWORD PTR DS:[<&KERNEL32.GetStartup>; \GetStartupInfoA
00991788 |. E8 7D0E0000 CALL dumped.0099260A
0099178D |. 8945 9C MOV DWORD PTR SS:[EBP-64],EAX
00991790 |. F645 D0 01 TEST BYTE PTR SS:[EBP-30],1
00991794 |. 74 06 JE SHORT dumped.0099179C
00991796 |. 0FB745 D4 MOVZX EAX,WORD PTR SS:[EBP-2C]
0099179A |. EB 03 JMP SHORT dumped.0099179F
0099179C |> 6A 0A PUSH 0A
0099179E |. 58 POP EAX
0099179F |> 50 PUSH EAX ; /Arg4
009917A0 |. FF75 9C PUSH DWORD PTR SS:[EBP-64] ; |Arg3
009917A3 |. 56 PUSH ESI ; |Arg2
009917A4 |. 56 PUSH ESI ; |/pModule
009917A5 |. FF15 4C609B00 CALL DWORD PTR DS:[<&KERNEL32.GetModuleH>; |\GetModuleHandleA
009917AB |. 50 PUSH EAX ; |Arg1
009917AC |. E8 7FC7FEFF CALL dumped.0097DF30 ; \dumped.0097DF30
009917B1 |. 8945 A0 MOV DWORD PTR SS:[EBP-60],EAX
009917B4 |. 50 PUSH EAX
009917B5 |. E8 1BFAFFFF CALL dumped.009911D5
009917BA |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
009917BD |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
009917BF |. 8B09 MOV ECX,DWORD PTR DS:[ECX]
009917C1 |. 894D 98 MOV DWORD PTR SS:[EBP-68],ECX
009917C4 |. 50 PUSH EAX
009917C5 |. 51 PUSH ECX
009917C6 |. E8 BB0C0000 CALL dumped.00992486
009917CB |. 59 POP ECX
009917CC |. 59 POP ECX
009917CD \. C3 RETN
The Register dialog is somewhere inside .CODE at 00439E00 .... I can't find the real OEP and can't trace the Register dialog running. Help me please.
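Added example (not part of the post, and not Armadillo's or OllyDump's own code). The code at 009916E3 in the listing is the standard MSVC CRT entry prologue: PUSH EBP / MOV EBP,ESP / PUSH -1 / PUSH scope table / PUSH SEH handler / MOV EAX,FS:[0], followed by GetVersion, GetCommandLineA, GetStartupInfoA, GetModuleHandleA and a call into the program proper. Any MSVC-built code in the dump starts the same way, so the prologue and its pushed SEH handler (00991420, in the same 0099xxxx range, far above the code at 00401000) are not proof that this is the program's own entry. The script below parses the section table of a dumped PE32, scans the whole image for that prologue signature, maps each hit back to a virtual address and section, flags which hit the header's AddressOfEntryPoint still points at, and checks whether the pushed SEH handler lies in the same section as the prologue (a real CRT startup's does). The sample image it runs on is constructed here: the section name ".stub" is made up, the section layout and the low-address candidate are assumptions, and only the addresses 009916E3, 00991420 and 009BBB20 are taken from the listing.

```python
import re
import struct

# The MSVC CRT entry prologue exactly as the listing shows it at 009916E3; the two
# dword operands are the SEH scope table and SEH handler pushed before FS:[0] is chained.
MSVC_CRT_PROLOGUE = re.compile(
    rb"\x55\x8B\xEC\x6A\xFF"           # PUSH EBP / MOV EBP,ESP / PUSH -1
    rb"\x68(....)\x68(....)"           # PUSH <scope table> / PUSH <SEH handler>
    rb"\x64\xA1\x00\x00\x00\x00\x50"   # MOV EAX,FS:[0] / PUSH EAX
    rb"\x64\x89\x25\x00\x00\x00\x00",  # MOV FS:[0],ESP
    re.DOTALL)


def parse_pe(image):
    """(image_base, entry_rva, [(name, va, vsize, raw_ptr, raw_size), ...]) of a PE32."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt = struct.unpack_from("<H", image, pe + 6)[0], pe + 24
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", image, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rptr, rsize))
    return image_base, entry_rva, sections


def raw_to_va(sections, image_base, raw_off):
    """File offset -> (VA, section name); (None, None) when outside every section."""
    for name, va, _vsize, rptr, rsize in sections:
        if rptr <= raw_off < rptr + rsize:
            return image_base + va + (raw_off - rptr), name
    return None, None


def section_of_va(sections, image_base, target):
    for name, va, vsize, _rptr, rsize in sections:
        if image_base + va <= target < image_base + va + max(vsize, rsize):
            return name
    return None


def find_crt_entry_candidates(image):
    """Return (header_entry_va, candidates) for every CRT prologue found in the dump."""
    image_base, entry_rva, sections = parse_pe(image)
    header_ep = image_base + entry_rva
    found = []
    for m in MSVC_CRT_PROLOGUE.finditer(image):
        va, sec = raw_to_va(sections, image_base, m.start())
        if va is None:          # hit in header slack, not in any section
            continue
        handler = struct.unpack_from("<I", m.group(2))[0]
        found.append({"va": va, "section": sec,
                      "scope_table": struct.unpack_from("<I", m.group(1))[0],
                      "seh_handler": handler, "is_header_ep": va == header_ep,
                      # a genuine CRT startup pushes a handler from its own section
                      "plausible": section_of_va(sections, image_base, handler) == sec})
    return header_ep, found


def crt_prologue(scope_table, handler):
    """Encode the 29-byte prologue with the given operands (used to build the sample)."""
    return (b"\x55\x8B\xEC\x6A\xFF\x68" + struct.pack("<I", scope_table)
            + b"\x68" + struct.pack("<I", handler)
            + b"\x64\xA1\x00\x00\x00\x00\x50\x64\x89\x25\x00\x00\x00\x00")


def build_sample_image():
    """Constructed PE32 dump, not a real binary: a low .text section with the program's
    own CRT prologue plus a decoy, and a high section (".stub", a made-up name) holding
    the 009916E3 prologue from the listing, which the header still names as entry point."""
    base, entry_rva = 0x400000, 0x5916E3
    secs = [(b".text", 0x1000, 0x200, 0x400, 0x200),   # name, VA, vsize, raw ptr, raw size
            (b".stub", 0x591000, 0x800, 0x600, 0x800)]
    img = bytearray(0x600 + 0x800)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                        # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, len(secs), 0, 0, 0, 0xE0, 0x102)
    struct.pack_into("<H", img, 0x98, 0x10B)                       # PE32 magic
    struct.pack_into("<I", img, 0x98 + 16, entry_rva)              # AddressOfEntryPoint
    struct.pack_into("<I", img, 0x98 + 28, base)                   # ImageBase
    for i, (name, va, vsize, rptr, rsize) in enumerate(secs):
        struct.pack_into("<8sIIII", img, 0x178 + 40 * i, name, vsize, va, rsize, rptr)
    for raw, blob in ((0x410, crt_prologue(0x40A000, 0x401080)),    # program CRT, VA 00401010
                      (0x500, crt_prologue(0x40A000, 0x12345678)),  # decoy: handler outside image
                      (0xCE3, crt_prologue(0x9BBB20, 0x991420))):   # listing's stub, VA 009916E3
        img[raw:raw + len(blob)] = blob
    return bytes(img)


if __name__ == "__main__":
    header_ep, cands = find_crt_entry_candidates(build_sample_image())
    print(f"header entry point: {header_ep:08X}")
    for c in cands:
        print(f"{c['va']:08X} in {c['section']:<6} SEH handler {c['seh_handler']:08X}"
              f"  header_ep={c['is_header_ep']}  plausible={c['plausible']}")
```

Point it at the OllyDump output instead of the constructed image and compare the hits: a plausible prologue inside the section where the program's code lives is the candidate worth examining, while one whose addresses sit in the protector's own range is the loader's CRT. Two caveats: the pattern only covers MSVC-built entry code, and if the dump was taken before the protector had written the program's real code into place, or if the bytes at the real entry were overwritten, the scan will find nothing but the stub's copy.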