Exetools > General > General Discussion

  #1  
Old 04-10-2004, 05:01
yaa
Stupid question: module has entry point outside of code???

Hello,

sorry for posting this (probably most stupid) question, but I have not been able to understand it alone .....
Anyway, I have an application that, when loaded with ollydbg, makes it display the usual "Module xxxxxx has entry point outside code (as specified in the PE header). Maybe ....". Now, the application isn't packed .... but this is not the point; the point is why the message??? I mean, why does ollydbg display such a message??? I thought it was due to the entry point's section characteristics, and in fact the section containing the EP does not have a CODE and a MEM_EXECUTE flag. Unfortunately changing its characteristics, assigning both of them to it (going from C0000040 to E000020), has no effect at all. What then makes ollydbg state that the entry point is outside code???

Also, I was wondering, in ollydbg's Memory Map what determines what is displayed in the "Contains" column??? I thought ollydbg analyzed all sections' characteristics, but changing them with a tool such as LordPE or PETools does not cause any changes in what gets displayed in that column!!!


yaa
  #2  
Old 04-10-2004, 08:43
bart
I guess the entry point is just outside the first section (packed/protected/infected); ignore it.
  #3  
Old 04-11-2004, 01:30
abccc
Thankz to both of you, I got the same problem .. I could not analyze it with CTRL+A either .. any advice about that..
  #4  
Old 04-11-2004, 03:07
yaa
bart,

it is not a question of the EP being or not being inside the first section, but of the EP being inside a section that is not marked as code. And as I already said, the application is not packed (it was initially packed with UPX). Can it be that UPX does not reset the PE header to its original values when used to decompress a packed app???

Anyhow, what I still don't get is how sections that are neither marked as code nor as executable (based on their section flags), and that are also not marked as code (based on PE header values), can still be executed as code without problems!!

yaa

Last edited by yaa; 04-11-2004 at 03:16.
  #5  
Old 04-11-2004, 15:42
phax
UPX decompression is not 100%

I just tested compression and decompression with UPX 1.24, and not even the PE header of the resulting file was equal.
It seems like the relocations are stripped anyway.
And in my special case, the "Base relocation table", the "Debug table" and the "Import address table" have been cut apart.
The flags of the sections are the same.
regards
PHaX
  #6  
Old 04-11-2004, 16:32
archphase
If you set the BaseOfCode field w/ yielding alignment to the Memory Alignment that adheres to the AddrOfEntrypoint field, then you won't get that message.

so like..you get this message typically w/ Packed/Protected files or viruses...anyways here's an example:

3 sections:
.text
.data
.foo

So if the file was assembled normally, the entrypoint would be in .text like 1000h or something, and baseofcode would prolly be the rva of 1000h. So if .foo is at rva 4000h, just set baseofcode to that and then keep the ep of .foo like what it might be, like 4028h...anyways the PE loader doesn't give a rat's ass about the BaseOfCode field..I've never seen it in use at least.
  #7  
Old 04-11-2004, 20:14
yaa
Sorry guys but when you talk PE stuff to me you must be more clear.

phax, are you saying that UPX packing and unpacking left the PE section flags untouched, but it did alter relocation, debug and import table values in the PE header?

archphase, I suppose you are saying that olly's message disappears if BaseOfCode and SizeOfCode are such that the EP is included in what PE header declares being code.
But I did not understand the following sentences in your post:

1) yielding alignment to the Memory Alignment that adheres to AddrOfEntrypoint field
2) so if .foo is at rva 4000h just set baseofcode to that and then keep the ep of .foo like what it might be like 4028h

Could you please clarify their meaning?


yaa
  #8  
Old 04-12-2004, 11:56
archphase
OK, well, say our original EP was like 1010h, which could be in our .text section; you'd also notice that the OptionalHeader field .BaseOfCode would be 1000h, or the RVA of .text in memory -- you can check this w/ the .text Section Header field as well..

Anyways, if the file is packed and a new section is added, e.g. .foo at RVA 4000h, and the entrypoint is now 4010h in .foo and BaseOfCode is not updated, then you get your info message from olly.
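Added example (not from any poster in this thread, and not OllyDbg's own logic): a small Python parser that applies the two checks discussed here to a PE header, namely whether AddressOfEntryPoint lies inside the BaseOfCode/SizeOfCode range archphase describes, and whether the section holding the EP carries the CODE and MEM_EXECUTE flags yaa tried to set. The three-section image (.text/.data/.foo) is constructed inline for the example; `fix_base_of_code` rewrites BaseOfCode/SizeOfCode the way archphase suggests so the EP check passes again.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020      # section contains code
IMAGE_SCN_MEM_EXECUTE = 0x20000000   # section is executable
SECTION_FMT = "<8sIIIIIIHHI"         # IMAGE_SECTION_HEADER, 40 bytes

def build_image(entry_point, base_of_code, size_of_code, sections):
    # Constructed minimal PE32 header (DOS stub + file header + optional header +
    # section table): enough to parse, not a loadable executable.
    dos = bytearray(b"MZ").ljust(64, b"\0")
    struct.pack_into("<I", dos, 60, 64)                       # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                      # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                     # Magic = PE32
    struct.pack_into("<I", opt, 4, size_of_code)              # SizeOfCode
    struct.pack_into("<I", opt, 16, entry_point)              # AddressOfEntryPoint
    struct.pack_into("<I", opt, 20, base_of_code)             # BaseOfCode
    table = b"".join(struct.pack(SECTION_FMT, name.ljust(8, b"\0"), size, rva, 0, 0, 0, 0,
                                 0, 0, chars) for name, rva, size, chars in sections)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + table
def _headers(image):
    # Returns (offset of the optional header, unpacked IMAGE_SECTION_HEADER tuples).
    e_lfanew = struct.unpack_from("<I", image, 60)[0]
    nsec = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    return opt, [struct.unpack_from(SECTION_FMT, image, opt + opt_size + 40 * i)
                 for i in range(nsec)]
def check_entry_point(image):
    # Compare the EP with the BaseOfCode/SizeOfCode range and with the flags of its section.
    opt, sections = _headers(image)
    size_of_code = struct.unpack_from("<I", image, opt + 4)[0]
    ep, base_of_code = struct.unpack_from("<II", image, opt + 16)
    holder = next((s for s in sections if s[2] <= ep < s[2] + s[1]), None)
    chars = holder[9] if holder else 0
    return {
        "entry_point": ep, "base_of_code": base_of_code, "size_of_code": size_of_code,
        "in_code_range": base_of_code <= ep < base_of_code + size_of_code,
        "section": holder[0].rstrip(b"\0").decode() if holder else None,
        "section_executable": bool(chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_CNT_CODE),
    }
def fix_base_of_code(image):
    # archphase's fix: point BaseOfCode/SizeOfCode at the section that holds the EP.
    opt, sections = _headers(image)
    ep = struct.unpack_from("<I", image, opt + 16)[0]
    holder = next(s for s in sections if s[2] <= ep < s[2] + s[1])
    out = bytearray(image)
    struct.pack_into("<I", out, opt + 4, holder[1])           # SizeOfCode = VirtualSize
    struct.pack_into("<I", out, opt + 20, holder[2])          # BaseOfCode = section RVA
    return bytes(out)
```

With the constructed image (EP 4010h in .foo, BaseOfCode still 1000h) the report shows the EP outside the declared code range and in a non-executable section; after `fix_base_of_code` the range check passes while the section flags are unchanged, which matches yaa's observation that flipping section flags alone did not silence the message.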