Exetools  

Old 02-17-2011, 05:43
RaptorX
Finding Correct EP

Hi guys,

Summary:
Quote:
Doing Lena's tutorial CP6
ImageBase + AddressOfEntryPoint info is not matching with real EP of program.

Q: Why is that?
I have been following Lena's tutorials on RE and I have understood everything up to now.

I'm in chapter 6 at the moment and I got lost inside the PE while exploring it before watching the chapter, so I thought "nice timing for practicing what I have learned up to now"...

So I found out that I was inside one of the Windows modules (a DLL, I think) and as EIP was pointing to part of the code inside that DLL, I searched my way out to the main program using Olly's "Executable Modules" window. Then I used the "Memory" window to find the information about the EP and I got this:

Code:
00340118    DF310600    DD 000631DF          ;  AddressOfEntryPoint = 631DF
00340124    0000417E    DD 7E410000          ; ImageBase = 7E410000
The deal is that when I start the program the EP is located here:
Code:
0060A8EC p>/$  55                PUSH EBP
So, I double-checked the other tutorial files and all of their EPs correspond to ImageBase + AddressOfEntryPoint. This executable is not packed or anything, so can somebody explain to me what is going on? Why is it differing in such a way?
Old 02-17-2011, 09:16
D-Jester
VIP
Join Date: Nov 2003
Location: Ohio, USA
Heya RaptorX

Ok I'll break this down for ya.

First: 60A8EC is the correct EP for that executable.

Code:
00400128    ECA82000    DD 0020A8EC          ;  AddressOfEntryPoint = 20A8EC
00400134    00004000    DD 00400000          ; ImageBase = 400000
Second, what you have mistakenly done is looked at the PE header of a loaded DLL, not the executable you are debugging, which is why the EP of your debugged target doesn't match the PE header of the DLL.

Code:
00340118    DF310600    DD 000631DF          ;  AddressOfEntryPoint = 631DF
00340124    0000417E    DD 7E410000          ; ImageBase = 7E410000
I can go into further detail if you need it, let me know.
__________________
Even as darkness envelops and consumes us, wrapping around our personal worlds like the hand that grips around our necks and suffocates us, we must realize that life really is beautiful and the shadows of despair will scurry away like the fleeting roaches before the light.
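To make the point above concrete, here is an added example (not code from the thread or from Lena's tutorials) that walks the PE header the way the debugger's memory map exposes it, computes ImageBase + AddressOfEntryPoint for each loaded module, and first looks up which module EIP is inside before trusting any header. All header bytes, module names, ranges and sizes below are constructed for the example; the base addresses and RVAs are the ones posted in the thread. It also covers the one case the thread does not hit: when the loader relocates an image (ASLR, base collision), the real EP is the actual load base plus AddressOfEntryPoint, not the ImageBase stored in the header.

```python
import struct

# Added example, not code from the thread. Models what Olly's "Memory map"
# shows: several PE headers, one per loaded module, and computes each
# module's real entry point. All images and module ranges are constructed.

E_LFANEW = 0x80            # offset we choose for the PE signature in our images
COFF_SIZE = 20             # IMAGE_FILE_HEADER is always 20 bytes


def build_headers(image_base, entry_rva, pe32plus=False):
    """Construct the DOS header, PE signature, COFF header and optional header
    of a minimal PE image. Only fields needed to find the EP are filled in."""
    dos = bytearray(E_LFANEW)
    dos[0:2] = b"MZ"                                   # IMAGE_DOS_HEADER.e_magic
    struct.pack_into("<I", dos, 0x3C, E_LFANEW)        # IMAGE_DOS_HEADER.e_lfanew
    opt_size = 0xF0 if pe32plus else 0xE0              # SizeOfOptionalHeader
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x14C,  # Machine
                       0, 0, 0, 0, opt_size, 0x102)    # ..., Characteristics
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)  # Magic
    struct.pack_into("<I", opt, 16, entry_rva)                    # AddressOfEntryPoint
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)   # ImageBase: 8 bytes at +24
    else:
        struct.pack_into("<I", opt, 28, image_base)   # ImageBase: 4 bytes at +28
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def parse_entry_point(image):
    """Return (ImageBase, AddressOfEntryPoint), walking e_lfanew -> PE
    signature -> COFF header -> optional header, honouring PE32 vs PE32+."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + COFF_SIZE
    magic = struct.unpack_from("<H", image, opt)[0]
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    if magic == 0x10B:                                  # PE32
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
    elif magic == 0x20B:                                # PE32+
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    return image_base, entry_rva


def entry_point_of(loaded_base, image):
    """Real EP of a module as it sits in memory: the base the loader actually
    used plus AddressOfEntryPoint. Equals ImageBase + RVA only when the image
    was loaded at its preferred base (no relocation / ASLR)."""
    _, entry_rva = parse_entry_point(image)
    return loaded_base + entry_rva


def module_containing(modules, address):
    """modules: list of (name, loaded_base, size, header_bytes) like the
    "Executable modules" window. Return the entry whose range holds address."""
    for mod in modules:
        _, base, size, _ = mod
        if base <= address < base + size:
            return mod
    return None


def entry_point_for_eip(modules, eip):
    """The check the thread needed: find which module EIP is in first, then
    read *that* module's header. Returns (module name, entry point)."""
    mod = module_containing(modules, eip)
    if mod is None:
        raise LookupError("EIP 0x%08X is not inside any listed module" % eip)
    name, base, _, image = mod
    return name, entry_point_of(base, image)


# Constructed module list; bases and RVAs from the thread, sizes made up.
EXE_HEADERS = build_headers(0x00400000, 0x0020A8EC)     # main program
HHCTRL_HEADERS = build_headers(0x7E410000, 0x000631DF)  # hhctrl.ocx
MODULES = [
    ("My tools.exe", 0x00400000, 0x00300000, EXE_HEADERS),
    ("hhctrl.ocx",   0x7E410000, 0x00080000, HHCTRL_HEADERS),
]

if __name__ == "__main__":
    # Stopped inside hhctrl: its header is the one you land on, but the
    # program's EP has to come from the program's own header.
    print(entry_point_for_eip(MODULES, 0x7E420000))
    print("My tools.exe EP = 0x%08X" % entry_point_of(0x00400000, EXE_HEADERS))
    # Same image relocated by the loader: header ImageBase no longer applies.
    print("relocated EP = 0x%08X" % entry_point_of(0x10000000, EXE_HEADERS))
```

Run against the constructed list, an EIP inside hhctrl resolves to hhctrl's EP (0x7E4731DF), while the program's own header gives 0x0060A8EC, the address Olly stops at; the same program relocated to 0x10000000 would start at 0x1020A8EC, which is why a debugger's module list, not the header's ImageBase, is the thing to read the load base from.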
Old 02-17-2011, 14:53
RaptorX
You can detail as much as you want, because the more details you give, the more I learn.

I did assume that I was looking at the EP of a loaded module, but what I do not understand is the following... To get that information I open the "Memory Map" window, right? Isn't the information on that window relevant to the module that is currently loaded in the "CPU" window?

In other words, if the CPU window says that I am seeing the information for "My tools.exe", wouldn't the Memory Map window show me the info of that executable?

Because I am sure that I open the memory map while I have the program in question open in the CPU window, and still I get the EP of the other module, as you pointed out.

How did you get the correct info that you pasted in your reply?

Never mind, actually I just saw that there are several PE headers and each starts with the name of the module... I was blindly clicking the first one all the time, thinking that the first one is the one from the main program, but in this case it belonged to "hhctrl"...

Thanks for your reply!

Last edited by JMI; 02-17-2011 at 15:23. Reason: Someone appears to be post padding.