  #14  
Old 04-09-2011, 19:21
Newbie_Cracker
VIP
 
Join Date: Jan 2005
Posts: 227
Yeah, but not always; it's sometimes after the last ADD ESP,0x4. E.g.:
Quote:
00D98E7D POP ESP
00D98E85 MOV DWORD PTR [EBP+0xbf03541],0x5857cdb0
00D98ECC PUSH DWORD PTR [ESP]
00D98ED8 MOV EBP,DWORD PTR [ESP]
00D98EEB ADD ESP,0x4
00D98F14 ADD ESP,0x4
00D98F32 MOV ECX,DWORD PTR [EBP+0xfffffe98]
00D98F6B PUSH ECX
00D98F81 MOV EDX,DWORD PTR [EBP+0xfffffeb8]

The real code is located a few lines after something like this:

Quote:
00D984F3 SUB EBP,0x4b6a5494
00D98537 PUSH EDX
00D98540 MOV EDX,0x27e976fd
00D98550 SUB EDX,0x6e14c4d2
But the plugin needs a little fix.

In a DLL, when the dump is not at its original imagebase, the plugin writes 16 bytes of NOP at the end, which usually overwrites 3 bytes of real code.

Quote:
00B0908E 83C1 FF ADD ECX,-1
00B09091 8A95 E7FEFFFF MOV DL,BYTE PTR SS:[EBP-119]
00B09097 88940D F0FEFFFF MOV BYTE PTR SS:[EBP+ECX-110],DL
00B0909E - E9 0C00500F JMP 100090AF
00B090A3 90 NOP
00B090A4 90 NOP
00B090A5 90 NOP
00B090A6 90 NOP
00B090A7 90 NOP
00B090A8 90 NOP
00B090A9 90 NOP
00B090AA 90 NOP
00B090AB 90 NOP
00B090AC 90 NOP
00B090AD 90 NOP
00B090AE 90 NOP
00B090AF 90 NOP
00B090B0 90 NOP
00B090B1 90 NOP
00B090B2 90 NOP
00B090B3 ? BF 00000F85 MOV EDI,850F0000
00B090B8 ? EA 030000B9 0001 JMP FAR 0100:B9000003
00B090BF ? 0000 ADD BYTE PTR DS:[EAX],AL
00B090C1 . 33C0 XOR EAX,EAX
00B090C3 . BF E06EBE00 MOV EDI,Dumped2_.00BE6EE0
As you see, the end of the unvirtualized code has JMP 100090AF, but in the new imagebase it has to be disassembled manually as JMP 00B090AF. Unfortunately, 00B090AF has been overwritten with NOPs by the plugin.
__________________
In memory of UnREal RCE...

Last edited by Newbie_Cracker; 04-09-2011 at 19:31.
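As an added example (not part of Newbie_Cracker's post and not code from the plugin he describes), the following Python snippet walks through the arithmetic behind the last listing: it decodes the E9 rel32 JMP at 00B0909E, rebases its target from an assumed original imagebase of 10000000 to the dump's imagebase of 00B00000, re-encodes the relative jump for the new base, and counts how many bytes at the jump target fall inside a 16-byte NOP fill that starts right after the JMP. The two imagebases and the fill start are assumptions derived from the addresses in the listing; the JMP bytes are constructed from the listing's hex column.

```python
"""Rebase a rel32 JMP from a dumped DLL and check a NOP fill for overlap.

Added example; not from the forum post or the plugin it discusses.
"""
import struct

# Assumed: the DLL's preferred base (where JMP 100090AF makes sense) and the
# base the dump actually ended up at (where the listing's addresses live).
ORIGINAL_IMAGEBASE = 0x10000000
DUMP_IMAGEBASE = 0x00B00000

# Constructed from the listing: "00B0909E  E9 0C00500F  JMP 100090AF".
JMP_ADDR = 0x00B0909E
JMP_BYTES = bytes.fromhex("E90C00500F")

# Assumed: the plugin's 16-byte NOP fill begins right after the 5-byte JMP.
NOP_FILL_LEN = 16


def decode_rel32_jmp(addr, code):
    """Return the absolute target of an E9 rel32 JMP located at `addr`."""
    if len(code) < 5 or code[0] != 0xE9:
        raise ValueError("not an E9 rel32 JMP")
    rel = struct.unpack_from("<i", code, 1)[0]      # signed displacement
    return (addr + 5 + rel) & 0xFFFFFFFF            # relative to next insn


def rebase(va, old_base, new_base):
    """Move a virtual address from one imagebase to another (same RVA)."""
    return va - old_base + new_base


def encode_rel32_jmp(addr, target):
    """Encode an E9 JMP at `addr` that lands on `target`."""
    rel = target - (addr + 5)
    rel = ((rel + 0x80000000) & 0xFFFFFFFF) - 0x80000000   # wrap to int32
    return b"\xE9" + struct.pack("<i", rel)


def nop_overlap(fill_start, fill_len, code_start):
    """Number of bytes of code starting at `code_start` that a fill
    [fill_start, fill_start + fill_len) overwrites."""
    fill_end = fill_start + fill_len
    if code_start < fill_start or code_start >= fill_end:
        return 0
    return fill_end - code_start


def analyze(jmp_addr, jmp_bytes, old_base, new_base, fill_len):
    """Combine the steps above for one JMP found in a dump."""
    old_target = decode_rel32_jmp(jmp_addr, jmp_bytes)
    new_target = rebase(old_target, old_base, new_base)
    fixed_bytes = encode_rel32_jmp(jmp_addr, new_target)
    fill_start = jmp_addr + 5
    return {
        "old_target": old_target,
        "new_target": new_target,
        "fixed_jmp": fixed_bytes,
        "fill_start": fill_start,
        "overwritten_bytes": nop_overlap(fill_start, fill_len, new_target),
    }


if __name__ == "__main__":
    r = analyze(JMP_ADDR, JMP_BYTES, ORIGINAL_IMAGEBASE, DUMP_IMAGEBASE,
                NOP_FILL_LEN)
    print(f"original target : {r['old_target']:08X}")
    print(f"rebased target  : {r['new_target']:08X}")
    print(f"fixed JMP bytes : {r['fixed_jmp'].hex().upper()}")
    print(f"NOP fill starts : {r['fill_start']:08X}")
    print(f"real code bytes hit by fill: {r['overwritten_bytes']}")
```

Running it on the listing's values shows the JMP resolving to 100090AF under the original base, 00B090AF under the dump's base, and a 16-byte fill starting at 00B090A3 reaching past 00B090AF, which is exactly the situation the post describes: the first bytes of the real code at the jump target are replaced by NOPs, so the disassembler picks up mid-instruction garbage (the MOV EDI / JMP FAR lines) instead of the real code.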