#1
Finding Correct EP
Hi guys,
I'm in chapter 6 at the moment and I got lost inside the PE while exploring it before watching the chapter, so I thought "nice timing for practicing what I have learned up to now"... So I found out that I was inside one of the Windows modules (a DLL I think) and as the EIP was pointing to part of the code inside that DLL I searched my way out to the main program using Olly's "Executable Modules" window. Then used the "Memory" window to find the information about the EP and I got this:
Code:
00340118 DF310600 DD 000631DF ; AddressOfEntryPoint = 631DF
00340124 0000417E DD 7E410000 ; ImageBase = 7E410000
Code:
0060A8EC p>/$ 55 PUSH EBP
#2
Heya RaptorX
Ok I'll break this down for ya. First: 60A8EC is the correct EP for that executable.
Code:
00400128 ECA82000 DD 0020A8EC ; AddressOfEntryPoint = 20A8EC
00400134 00004000 DD 00400000 ; ImageBase = 400000
Code:
00340118 DF310600 DD 000631DF ; AddressOfEntryPoint = 631DF
00340124 0000417E DD 7E410000 ; ImageBase = 7E410000
__________________
Even as darkness envelops and consumes us, wrapping around our personal worlds like the hand that grips around our necks and suffocates us, we must realize that life really is beautiful and the shadows of despair will scurry away like the fleeting roaches before the light.
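The arithmetic behind post #2 (the EP shown in the CPU window is ImageBase + AddressOfEntryPoint, and each module in the Memory Map has its own PE header with its own pair of values) as an added example, not code from this thread: a small Python parser that reads both fields from a PE header and adds them. The headers are constructed inline with the values quoted above; the function and helper names are mine.

```python
import struct

PE32_MAGIC = 0x10B       # 32-bit optional header
PE32PLUS_MAGIC = 0x20B   # 64-bit optional header


def entry_point_va(image: bytes) -> int:
    """Return ImageBase + AddressOfEntryPoint for a PE image (or a mapped
    PE header) given as bytes, i.e. the address Olly lands on at the EP."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                      # skip 'PE\0\0' + IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    aep = struct.unpack_from("<I", image, opt + 16)[0]   # AddressOfEntryPoint (RVA)
    if magic == PE32_MAGIC:
        base = struct.unpack_from("<I", image, opt + 28)[0]   # ImageBase, 4 bytes
    elif magic == PE32PLUS_MAGIC:
        base = struct.unpack_from("<Q", image, opt + 24)[0]   # ImageBase, 8 bytes
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return base + aep


def build_header(image_base: int, aep: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (no sections), for demonstration only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew -> right after the DOS header
    nt = b"PE\0\0" + bytes(20)                   # signature + zeroed IMAGE_FILE_HEADER
    opt = bytearray(0x80)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<I", opt, 16, aep)
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<I", opt, 28, image_base)
    return bytes(dos + nt + opt)


if __name__ == "__main__":
    main_exe = build_header(0x400000, 0x20A8EC)   # values from post #2 (the program)
    hhctrl = build_header(0x7E410000, 0x631DF)    # values from post #1 (the DLL's header)
    print(f"main program EP: {entry_point_va(main_exe):08X}")  # 0060A8EC
    print(f"hhctrl EP:       {entry_point_va(hhctrl):08X}")    # 7E4731DF
```

The second result shows why the first PE header in the Memory Map gave a wrong answer: it is a valid EP, just for hhctrl rather than for the program in the CPU window.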
#3
You can detail as much as you want because the more details you give the more I learn.

I did assume that I was looking at the EP of a loaded module but what I do not understand is the following... To get that information I open the "Memory Map" window right? Isn't the information on that window relevant to the module that is currently loaded on the "CPU" window? In other words, if the CPU window says that I am seeing the information for "My tools.exe" wouldn't the Memory Map window show me the info of that executable? Because I am sure that I open the memory map while I have the program in question open on the CPU window and still I get the EP of the other module as you pointed out. How did you get the correct info that you pasted in your reply?

Never mind, actually I just saw that there are several PE headers and each starts with the name of the module... I was clicking blindly the first one all the time thinking that the first one is the one from the main program but in this case it belonged to "hhctrl"... Thanks for your reply!

Last edited by JMI; 02-17-2011 at 15:23. Reason: Someone appears to be post padding.