#1
x64dbg - Find OEP by section hop
When trying to unpack samples, I use "Find OEP by section hop" with OllyDbg and OllyDump from time to time. But I've been trying to move away from OllyDbg in the last year or so and use x64dbg, and this feature is something I miss when using x64dbg / OllyDump.
Is there an equivalent, or can anyone point me in the right direction?
#2
https://low-priority.appspot.com/ollydumpex/#overview - ask to have this support included in this plugin. Source code for OllyDump can be found here: https://github.com/JohnTroony/Plugme-Immunity/tree/master/OllyDump%20v3.00.110/OllyDump%20v3.00.110
#3
Thanks. I'll consider asking them if they can implement it in OllyDumpEx. I'm not sure why it isn't already featured. If I find an alternative or hear back from them, I'll update this thread with the information.
#4
From what I gathered, the "Find OEP by section hop" (over/into) options are equivalent to tracing over/into with the break condition "mem.base(cip) != xxxxxxxx", where xxxxxxxx is the memory base of the current section (type mem.base(cip) in the calculator to find this value).
#5
Quote:
Code:
int FindOEPbySectionHop(int tracemode)
{
    int i;
    DWORD out0,out1,in0,in1,curEIP,curSectVA1,curSectVA2;
    t_reg reg;

    Deleteruntrace();
    TraceFlag = TRUE;

    // Clear Section Info buffer
    if(lpSectInfo) {
        FreeSectInfo();
    }

    // Get PE file header value
    GetPEInfo();
    curEIP = GetCurrentEIP();
    Addtolist(0,-1,"EP:%X ImageBase:%X SizeOfImage:%X Current EIP:%X",
              PEFileInfo.dwAddrOfEP,PEFileInfo.dwImageBase,PEFileInfo.dwSizeOfImage,curEIP);

    // Search a section the Entry Point belongs
    out0 = out1 = 0;
    for(i=0; i<PEFileInfo.woNumOfSect; i++) {
        //Addtolist(0,-1,"Sect%02d : %8X - %8X",i,lpSectInfo[i].dwVOffset,lpSectInfo[i].dwVOffset+lpSectInfo[i].dwVSize-1);
        curSectVA1 = lpSectInfo[i].dwVOffset + PEFileInfo.dwImageBase;   // section start (VA)
        curSectVA2 = curSectVA1 + lpSectInfo[i].dwVSize;                 // one past section end (VA)
        if(curEIP >= curSectVA1 && curEIP < curSectVA2) {
            out0 = lpSectInfo[i].dwVOffset + PEFileInfo.dwImageBase;
            out1 = out0 + lpSectInfo[i].dwVSize - 1;                     // last byte of the section
            break;
        }
    }

    if(out0 != 0 && out1 > out0) {
        // EIP is inside a section: pause the run trace as soon as EIP leaves that section
        Settracecondition(NULL,0,0,0,out0,out1);
        Addtolist(0,-1,"Current EIP(%08X) is in Section%02d %08X - %08X",curEIP,i,curSectVA1,curSectVA2);
        Addtolist(0,-1,"Trace Condition set out0:%X out1:%X",out0,out1);
    } else {
        // EIP is outside the image (e.g. in a system DLL): pause when EIP comes back into the image
        in0 = lpSectInfo[0].dwVOffset + PEFileInfo.dwImageBase;
        in1 = lpSectInfo[PEFileInfo.woNumOfSect-1].dwVOffset
            + lpSectInfo[PEFileInfo.woNumOfSect-1].dwVSize + PEFileInfo.dwImageBase;
        Settracecondition(NULL,0,in0,in1,0,0);
        Addtolist(0,-1,"Current EIP(%08X) is out of Debuggee image",curEIP);
        Addtolist(0,-1,"Trace Condition set in0:%X in1:%X",in0,in1);
    }

    Startruntrace(&reg);
    switch(tracemode) {
    case ODP_TRACE_INTO:
        Sendshortcut(PM_MAIN,0,WM_KEYDOWN,1,0,VK_F11);  // Trace into
        break;
    case ODP_TRACE_OVER:
        Sendshortcut(PM_MAIN,0,WM_KEYDOWN,1,0,VK_F12);  // Trace over
        break;
    }
    return TRUE;
}
#6
Yeah, the documentation says:
Code:
Settracecondition

OllyDbg can pause run trace on a set of conditions. This function quickly sets pause on expression, on suspicious command and/or on EIP range and deactivates pause on command.

void Settracecondition(char *cond,int onsuspicious,ulong in0,ulong in1,ulong out0,ulong out1);

Parameters:
cond - pointer to character string containing expression. Run trace will pause if expression is invalid or estimates to non-zero value;
onsuspicious - activates (1) or deactivates (0) pause on suspicious command;
in0, in1 - 'in range' request. Run trace will pause if EIP is in this range (in1 not included). To disable pause on 'in range', set both in0 and in1 to 0;
out0, out1 - 'out of range' request. Run trace will pause if EIP is outside this range or equals to out1. To disable pause on 'out of range', set both out0 and out1 to 0.
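To tie posts #4, #5 and #6 together, here is an added worked example (it is not OllyDump's, OllyDbg's or x64dbg's own code). It parses the section table of a small constructed PE32 header, derives the same (in0, in1, out0, out1) ranges that FindOEPbySectionHop hands to Settracecondition, replays a constructed EIP trace against the pause rules quoted from the OllyDbg documentation, and prints the x64dbg break condition from post #4 for the in-section case. The PE layout (UPX0/UPX1/.rsrc), the entry point and the traces are all constructed for illustration; the x64dbg string assumes, as post #4 does, that mem.base(cip) returns the base of the section EIP currently sits in.

```python
"""Section-hop OEP search modelled on OllyDump's FindOEPbySectionHop.
Added example, not OllyDump's or x64dbg's code; PE bytes and traces are constructed."""
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes


def build_pe32(image_base, entry_rva, size_of_image, sections):
    """Constructed minimal PE32 header: DOS header, PE signature, COFF header,
    optional header (16 empty data directories), then the section table."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)            # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)           # ImageBase
    struct.pack_into("<I", opt, 56, size_of_image)        # SizeOfImage
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    table = b"".join(
        SECTION_HDR.pack(name.ljust(8, b"\0"), vsize, va, 0, 0, 0, 0, 0, 0, 0)
        for name, va, vsize in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(data):
    """Return (image_base, entry_rva, size_of_image, [(name, va, vsize), ...]),
    i.e. what OllyDump's GetPEInfo()/lpSectInfo provide."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    sections, pos = [], opt + opt_size
    for _ in range(nsect):
        name, vsize, va = SECTION_HDR.unpack_from(data, pos)[:3]
        sections.append((name.rstrip(b"\0").decode(), va, vsize))
        pos += SECTION_HDR.size
    return image_base, entry_rva, size_of_image, sections


def section_hop_condition(image_base, sections, eip):
    """Same decision as OllyDump: EIP inside a section -> 'out of range' on that
    section (out1 = its last byte, as OllyDump computes it); EIP outside every
    section -> 'in range' from the first section to the end of the last one."""
    for _name, va, vsize in sections:
        lo, hi = image_base + va, image_base + va + vsize
        if lo <= eip < hi:
            return (0, 0, lo, hi - 1)
    in0 = image_base + sections[0][1]
    in1 = image_base + sections[-1][1] + sections[-1][2]
    return (in0, in1, 0, 0)


def pauses(cond, eip):
    """Pause rule as documented for Settracecondition: 'in range' pauses for
    in0 <= EIP < in1; 'out of range' pauses when EIP is below out0 or >= out1
    ("outside this range or equals to out1"); (0, 0) disables either half."""
    in0, in1, out0, out1 = cond
    if (in0, in1) != (0, 0) and in0 <= eip < in1:
        return True
    if (out0, out1) != (0, 0) and (eip < out0 or eip >= out1):
        return True
    return False


def find_hop(cond, trace):
    """Replay a trace of EIP values; return the first one that would pause."""
    return next((eip for eip in trace if pauses(cond, eip)), None)


def x64dbg_condition(cond):
    """Break condition from post #4 for the in-section case (x64dbg expressions
    take hex without a prefix); assumes mem.base(cip) is the section base."""
    _in0, _in1, out0, _out1 = cond
    return f"mem.base(cip) != {out0:X}" if out0 else None


# Constructed UPX-like layout: stub in UPX1, the unpacked code lands in UPX0.
PACKED = build_pe32(0x400000, 0x15000, 0x17000, [
    (b"UPX0", 0x1000, 0x10000), (b"UPX1", 0x11000, 0x5000), (b".rsrc", 0x16000, 0x1000)])


def demo():
    base, ep_rva, _size, secs = parse_pe(PACKED)
    ep = base + ep_rva
    cond = section_hop_condition(base, secs, ep)
    # constructed trace: the stub runs inside UPX1, then jumps to the OEP in UPX0
    oep = find_hop(cond, [0x415000, 0x415003, 0x415A10, 0x4159F0, 0x401234, 0x401239])
    # constructed: EIP parked in a system DLL, pause once it re-enters the image
    cond2 = section_hop_condition(base, secs, 0x77E00000)
    back = find_hop(cond2, [0x77E00000, 0x77E00005, 0x415A20])
    return ep, cond, oep, cond2, back


if __name__ == "__main__":
    ep, cond, oep, cond2, back = demo()
    print(f"EP {ep:08X} cond {cond} -> hop at {oep:08X}; x64dbg: {x64dbg_condition(cond)}")
    print(f"outside image cond {cond2} -> back in image at {back:08X}")
```

Note the quirk the documentation implies and OllyDump inherits: because out1 is the section's last byte and the trace also pauses when EIP equals out1, an instruction starting exactly on that byte would stop the trace without leaving the section. In practice it never matters, but it is why the x64dbg form in post #4 (compare the region base rather than a closed range) is the cleaner check.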