#1
I could write any program in VC++ (any version) and you will not find the const bytes... I only give a simple MASM-compiled object as entry to the WinMain VC++ function, and your method will fail..
BTW, in manual methods a good method is to find a GetModuleHandle or a HeapCreate/HeapAlloc in VC; you can use other APIs that appear in the entry procedure to find the OEP manually..
#2
". in manual methods a good method is to find a GetModuleHandle "
This is absolutely true. For example: look for the address where the GetModuleHandleA address is stored. With Olly > Find References... Let's suppose Olly finds 6 different places. Double-click and look upward... It's easy to recognize the right place:

```
004913F0  55                PUSH EBP                        <<<<<<<
004913F1  8BEC              MOV EBP,ESP
004913F3  6A FF             PUSH -1
004913F5  68 68FB4C00       PUSH INSTALL_.004CFB68
004913FA  68 A0764900       PUSH INSTALL_.004976A0
004913FF  64:A1 00000000    MOV EAX,DWORD PTR FS:[0]
00491405  50                PUSH EAX
00491406  64:8925 00000000  MOV DWORD PTR FS:[0],ESP
0049140D  83EC 58           SUB ESP,58
00491410  53                PUSH EBX
00491411  56                PUSH ESI
00491412  57                PUSH EDI
00491413  8965 E8           MOV DWORD PTR SS:[EBP-18],ESP
00491416  FF15 C0924B00     CALL DWORD PTR DS:[4B92C0]      ; KERNEL32.GetVersion
0049141C  33D2              XOR EDX,EDX
0049141E  8AD4              MOV DL,AH
00491420  8915 146F5100     MOV DWORD PTR DS:[516F14],EDX
00491426  8BC8              MOV ECX,EAX
00491428  81E1 FF000000     AND ECX,0FF
0049142E  890D 106F5100     MOV DWORD PTR DS:[516F10],ECX
00491434  C1E1 08           SHL ECX,8
00491437  03CA              ADD ECX,EDX
00491439  890D 0C6F5100     MOV DWORD PTR DS:[516F0C],ECX
0049143F  C1E8 10           SHR EAX,10
00491442  A3 086F5100       MOV DWORD PTR DS:[516F08],EAX
00491447  6A 01             PUSH 1
00491449  E8 D64F0000       CALL INSTALL_.00496424
0049144E  59                POP ECX
0049144F  85C0              TEST EAX,EAX
00491451  75 08             JNZ SHORT INSTALL_.0049145B
00491453  6A 1C             PUSH 1C
00491455  E8 C3000000       CALL INSTALL_.0049151D
0049145A  59                POP ECX
0049145B  E8 AC3D0000       CALL INSTALL_.0049520C
00491460  85C0              TEST EAX,EAX
00491462  75 08             JNZ SHORT INSTALL_.0049146C
00491464  6A 10             PUSH 10
00491466  E8 B2000000       CALL INSTALL_.0049151D
0049146B  59                POP ECX
0049146C  33F6              XOR ESI,ESI
0049146E  8975 FC           MOV DWORD PTR SS:[EBP-4],ESI
00491471  E8 46740000       CALL INSTALL_.004988BC
00491476  FF15 B8914B00     CALL DWORD PTR DS:[4B91B8]      ; KERNEL32.GetCommandLineA
0049147C  A3 14865100       MOV DWORD PTR DS:[518614],EAX
00491481  E8 04730000       CALL INSTALL_.0049878A
00491486  A3 D06E5100       MOV DWORD PTR DS:[516ED0],EAX
0049148B  E8 AD700000       CALL INSTALL_.0049853D
00491490  E8 EF6F0000       CALL INSTALL_.00498484
00491495  E8 4E110000       CALL INSTALL_.004925E8
0049149A  8975 D0           MOV DWORD PTR SS:[EBP-30],ESI
0049149D  8D45 A4           LEA EAX,DWORD PTR SS:[EBP-5C]
004914A0  50                PUSH EAX
004914A1  FF15 E8914B00     CALL DWORD PTR DS:[4B91E8]      ; KERNEL32.GetStartupInfoA
004914A7  E8 806F0000       CALL INSTALL_.0049842C
004914AC  8945 9C           MOV DWORD PTR SS:[EBP-64],EAX
004914AF  F645 D0 01        TEST BYTE PTR SS:[EBP-30],1
004914B3  74 06             JE SHORT INSTALL_.004914BB
004914B5  0FB745 D4         MOVZX EAX,WORD PTR SS:[EBP-2C]
004914B9  EB 03             JMP SHORT INSTALL_.004914BE
004914BB  6A 0A             PUSH 0A
004914BD  58                POP EAX
004914BE  50                PUSH EAX
004914BF  FF75 9C           PUSH DWORD PTR SS:[EBP-64]
004914C2  56                PUSH ESI
004914C3  56                PUSH ESI
004914C4  FF15 D4924B00     CALL DWORD PTR DS:[4B92D4]      ; INSTALL_.0052016F   << GetModuleHandleA
```

Thanks for the two answers. Anyway, I didn't mean the method I suggested to be an always-working method, but I guess it's nice trying to look for different patterns... we don't know when they can be useful... isn't it??
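The two heuristics in the posts above (recognise the CRT startup prologue, then confirm it through the reference to the GetModuleHandleA import slot), as an added Python example that is not part of the thread and not anyone's tool. It assumes you have already dumped the unpacked code section to a byte string and know its virtual address and the IAT slot of GetModuleHandleA (0x4B92D4, taken from the listing). The sample buffer is constructed here from the bytes in the listing plus filler and two decoys: a plain function with an SEH frame (the prologue alone matches any function compiled with try/except, which is why post #1 pairs it with an API reference) and a GetModuleHandleA call far from any prologue.

```python
"""Added example: locate an OEP candidate in a dumped VC++ code section.

Combines the two heuristics from the thread:
  1. signature-match the MSVC CRT startup prologue shown in the listing
     (PUSH EBP / MOV EBP,ESP / PUSH -1 / PUSH scopetable / PUSH handler /
      MOV EAX,FS:[0] / PUSH EAX / MOV FS:[0],ESP);
  2. confirm it through a nearby CALL DWORD PTR [iat_slot], where iat_slot
     is the import slot of GetModuleHandleA (0x4B92D4 in the listing).

Heuristic 1 alone is not enough: every function with an SEH frame starts
the same way, so heuristic 2 is what singles out the startup code.
"""
import re
import struct

# 29-byte prologue; '....' wildcards the two pushed addresses (assumed
# from the listing, which is MSVC 6-era CRT code).
CRT_PROLOGUE = re.compile(
    rb"\x55"                          # PUSH EBP
    rb"\x8B\xEC"                      # MOV EBP,ESP
    rb"\x6A\xFF"                      # PUSH -1
    rb"\x68...."                      # PUSH <scope table>
    rb"\x68...."                      # PUSH <exception handler>
    rb"\x64\xA1\x00\x00\x00\x00"      # MOV EAX,DWORD PTR FS:[0]
    rb"\x50"                          # PUSH EAX
    rb"\x64\x89\x25\x00\x00\x00\x00", # MOV DWORD PTR FS:[0],ESP
    re.DOTALL,
)

CODE_VA = 0x004913C0                 # assumed: section start 0x30 before the prologue
GETMODULEHANDLEA_SLOT = 0x004B92D4   # IAT slot from CALL DWORD PTR DS:[4B92D4]


def find_crt_prologues(code, code_va):
    """VAs of every CRT-style SEH prologue in the section."""
    return [code_va + m.start() for m in CRT_PROLOGUE.finditer(code)]


def find_iat_calls(code, code_va, iat_slot_va):
    """VAs of every 'FF 15 imm32' (CALL DWORD PTR [imm32]) aimed at iat_slot_va."""
    needle = b"\xFF\x15" + struct.pack("<I", iat_slot_va)
    hits, start = [], 0
    while True:
        idx = code.find(needle, start)
        if idx < 0:
            return hits
        hits.append(code_va + idx)
        start = idx + 1


def locate_oep(code, code_va, getmodulehandle_slot_va, max_distance=0x400):
    """Prologues followed within max_distance bytes by a GetModuleHandleA call.

    In the listing the call sits 0xD4 bytes after the prologue; 0x400 is a
    generous assumed window for the startup code's other calls.
    """
    prologues = find_crt_prologues(code, code_va)
    calls = find_iat_calls(code, code_va, getmodulehandle_slot_va)
    return [p for p in prologues if any(p < c <= p + max_distance for c in calls)]


def build_sample():
    """Constructed section image: listing bytes plus filler and two decoys."""
    startup = bytes.fromhex(
        "55 8B EC 6A FF 68 68 FB 4C 00 68 A0 76 49 00 "   # prologue, part 1
        "64 A1 00 00 00 00 50 64 89 25 00 00 00 00 "      # prologue, part 2
        "83 EC 58 53 56 57 89 65 E8 FF 15 C0 92 4B 00 "   # ... CALL [4B92C0] GetVersion
    )
    gmh_call = bytes.fromhex("FF 15 D4 92 4B 00")         # CALL [4B92D4] GetModuleHandleA
    body = startup + b"\xCC" * (0xD4 - len(startup)) + gmh_call   # call at prologue+0xD4
    buf = b"\xCC" * 0x30 + body                            # real startup at 0x4913F0
    buf += b"\xCC" * 0x100 + startup[:29] + b"\xC3"        # decoy: SEH function, no API call
    buf += b"\xCC" * 0x800 + gmh_call + b"\xC3"            # decoy: call with no prologue nearby
    return buf


if __name__ == "__main__":
    sample = build_sample()
    for va in locate_oep(sample, CODE_VA, GETMODULEHANDLEA_SLOT):
        print("OEP candidate at %08X" % va)
```

On a real dump you would feed it the section bytes read from the unpacked image and take the IAT slot from the import table (or from Olly's reference list, as in the post); the signature must be adjusted for other CRT versions, since later compilers emit a different startup stub.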