EXETOOLS FORUM  

Go Back   EXETOOLS FORUM > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 01-16-2018, 02:31
schrodyn schrodyn is offline
Friend
 
Join Date: Dec 2016
Location: ireland
Posts: 13
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 107
Thanks Rcvd at 20 Times in 8 Posts
schrodyn Reputation: 0
Question x64dbg - Find OEP by section hop

When trying to unpack samples, I from time to time use "Find OEP by section hop" with OllyDBG and OllyDump. But I've been trying to move away from Ollydbg in the last year or so and use x64dbg. But this feature is something I miss when using x64dbg / Ollydump.

Is there an equivalent or can anyone point me in the right direction?
Reply With Quote
  #2  
Old 01-16-2018, 07:47
Stingered Stingered is offline
Friend
 
Join Date: Dec 2017
Posts: 114
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 145
Thanks Rcvd at 62 Times in 28 Posts
Stingered Reputation: 2
Quote:
Originally Posted by schrodyn View Post
When trying to unpack samples, I from time to time use "Find OEP by section hop" with OllyDBG and OllyDump. But I've been trying to move away from Ollydbg in the last year or so and use x64dbg. But this feature is something I miss when using x64dbg / Ollydump.

Is there an equivalent or can anyone point me in the right direction?
Haven't found it, myself. Hopefully someone has a plugin/script they can provide. To point you in the right direction... Maybe.

https://low-priority.appspot.com/ollydumpex/#overview

Ask to have this support included in this plugin.

Source code for Ollydump can be found here:

https://github.com/JohnTroony/Plugme-Immunity/tree/master/OllyDump%20v3.00.110/OllyDump%20v3.00.110

Reply With Quote
The Following User Says Thank You to Stingered For This Useful Post:
schrodyn (01-16-2018)
  #3  
Old 01-16-2018, 20:01
schrodyn schrodyn is offline
Friend
 
Join Date: Dec 2016
Location: ireland
Posts: 13
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 107
Thanks Rcvd at 20 Times in 8 Posts
schrodyn Reputation: 0
Thanks. I' consider asking them if they can implement it in OllyDumpEX. I'm not sure why it isn't already featured. If I find an alternative or hear back from them I'll update this thread with the information.
Reply With Quote
The Following User Says Thank You to schrodyn For This Useful Post:
Stingered (01-17-2018)
  #4  
Old 01-17-2018, 02:08
mr.exodia's Avatar
mr.exodia mr.exodia is offline
Super Moderator
 
Join Date: Nov 2011
Posts: 855
Rept. Given: 496
Rept. Rcvd 1,154 Times in 308 Posts
Thanks Given: 92
Thanks Rcvd at 528 Times in 202 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
From what I gathered the "Find OEP by section hop" (over/into) are equivalent to tracing over/into with the break condition: "mem.base(cip) != xxxxxxxx" where xxxxxxxx is the memory base of the current section (type mem.base(cip) in the calculator to find this value).
__________________
x64dbg: http://x64dbg.com
My Blog: http://mrexodia.cf
Reply With Quote
The Following 2 Users Say Thank You to mr.exodia For This Useful Post:
schrodyn (01-22-2018), Stingered (01-17-2018)
  #5  
Old 01-17-2018, 03:12
Stingered Stingered is offline
Friend
 
Join Date: Dec 2017
Posts: 114
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 145
Thanks Rcvd at 62 Times in 28 Posts
Stingered Reputation: 2
Quote:
Originally Posted by mr.exodia View Post
From what I gathered the "Find OEP by section hop" (over/into) are equivalent to tracing over/into with the break condition: "mem.base(cip) != xxxxxxxx" where xxxxxxxx is the memory base of the current section (type mem.base(cip) in the calculator to find this value).
I believe this is the relevant section of code in Ollydump:

Code:
int FindOEPbySectionHop(int tracemode)
{
  int i;
  DWORD out0,out1,in0,in1,curEIP,curSectVA1,curSectVA2;
  t_reg reg;

  Deleteruntrace();
  TraceFlag = TRUE;
  // Clear Section Info buffer
  if(lpSectInfo) {
    FreeSectInfo();
  }

  // Get PE file header value
  GetPEInfo();
  curEIP = GetCurrentEIP();
  Addtolist(0,-1,"EP:%X  ImageBase:%X  SizeOfImage:%X  Current EIP:%X",PEFileInfo.dwAddrOfEP,PEFileInfo.dwImageBase,PEFileInfo.dwSizeOfImage,curEIP);

  // Search a section the Entry Point belongs
  out0 = out1 = 0;
  for(i=0; i<PEFileInfo.woNumOfSect; i++) {
//Addtolist(0,-1,"Sect%02d : %8X - %8X",i,lpSectInfo[i].dwVOffset,lpSectInfo[i].dwVOffset+lpSectInfo[i].dwVSize-1);
    curSectVA1 = lpSectInfo[i].dwVOffset + PEFileInfo.dwImageBase;
    curSectVA2 = curSectVA1 + lpSectInfo[i].dwVSize;
    if(curEIP >= curSectVA1 && curEIP < curSectVA2) {
      out0 = lpSectInfo[i].dwVOffset + PEFileInfo.dwImageBase;
      out1 = out0 + lpSectInfo[i].dwVSize - 1;
      break;
    }
  }
  if(out0 != 0 && out1 > out0) {
    Settracecondition(NULL,0,0,0,out0,out1);
    Addtolist(0,-1,"Current EIP\(%08X\) is in Section%02d  %08X - %08X",curEIP,i,curSectVA1,curSectVA2);
    Addtolist(0,-1,"Trace Condition set out0:%X  out1:%X",out0,out1);
  }
  else {
    in0 = lpSectInfo[0].dwVOffset + PEFileInfo.dwImageBase;
    in1 = lpSectInfo[PEFileInfo.woNumOfSect-1].dwVOffset + lpSectInfo[PEFileInfo.woNumOfSect-1].dwVSize + PEFileInfo.dwImageBase;
    Settracecondition(NULL,0,in0,in1,0,0);
    Addtolist(0,-1,"Current EIP\(%08X\) is out of Debuggee image",curEIP);
    Addtolist(0,-1,"Trace Condition set in0:%X  in1:%X",in0,in1);
  }
  Startruntrace(&reg);
  switch(tracemode) {
  case ODP_TRACE_INTO:
    Sendshortcut(PM_MAIN,0,WM_KEYDOWN,1,0,VK_F11); // Trace into
    break;
  case ODP_TRACE_OVER:
    Sendshortcut(PM_MAIN,0,WM_KEYDOWN,1,0,VK_F12); // Trace over
    break;
  }
  return TRUE;
}
Reply With Quote
The Following User Gave Reputation+1 to Stingered For This Useful Post:
mr.exodia (01-18-2018)
The Following User Says Thank You to Stingered For This Useful Post:
schrodyn (04-11-2018)
  #6  
Old 01-18-2018, 20:42
mr.exodia's Avatar
mr.exodia mr.exodia is offline
Super Moderator
 
Join Date: Nov 2011
Posts: 855
Rept. Given: 496
Rept. Rcvd 1,154 Times in 308 Posts
Thanks Given: 92
Thanks Rcvd at 528 Times in 202 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
Yeah, the documentation says:

Code:
Settracecondition

OllyDbg can pause run trace on a set of conditions. This function quickly sets pause on expression, on suspicious command and/or on EIP range and deactivates pause on command.


void Settracecondition(char *cond,int onsuspicious,ulong in0,ulong in1,ulong out0,ulong out1);


Parameters:


cond - pointer to character string containing expression. Run trace will pause if expression is invalid or estimates to non-zero value;


onsuspicious - activates (1) or deactivates (0) pause on suspicious command; 

 
in0, in1 - 'in range' request. Run trace will pause if EIP is in this range (in1 not included). To disable pause on 'in range', set both in0 and in1 to 0;


out0, out1 - 'out of range' request. Run trace will pause if EIP is outside this range or equals to out1. To disable pause on 'out of range', set both out0 and out1 to 0.
Calling this function like Ollydump does would be equivalent to the trace condition "eip < out0 || eip >= out1" in x64dbg where out0 and out1 are the section boundaries of the section that eip is currently in...
__________________
x64dbg: http://x64dbg.com
My Blog: http://mrexodia.cf
Reply With Quote
The Following 3 Users Say Thank You to mr.exodia For This Useful Post:
niculaita (01-19-2018), schrodyn (01-22-2018), Stingered (01-19-2018)
  #7  
Old 01-19-2018, 04:31
Stingered Stingered is offline
Friend
 
Join Date: Dec 2017
Posts: 114
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 145
Thanks Rcvd at 62 Times in 28 Posts
Stingered Reputation: 2
Quote:
Originally Posted by mr.exodia View Post
Yeah, the documentation says:

Code:
Settracecondition

OllyDbg can pause run trace on a set of conditions. This function quickly sets pause on expression, on suspicious command and/or on EIP range and deactivates pause on command.


void Settracecondition(char *cond,int onsuspicious,ulong in0,ulong in1,ulong out0,ulong out1);


Parameters:


cond - pointer to character string containing expression. Run trace will pause if expression is invalid or estimates to non-zero value;


onsuspicious - activates (1) or deactivates (0) pause on suspicious command; 

 
in0, in1 - 'in range' request. Run trace will pause if EIP is in this range (in1 not included). To disable pause on 'in range', set both in0 and in1 to 0;


out0, out1 - 'out of range' request. Run trace will pause if EIP is outside this range or equals to out1. To disable pause on 'out of range', set both out0 and out1 to 0.
Calling this function like Ollydump does would be equivalent to the trace condition "eip < out0 || eip >= out1" in x64dbg where out0 and out1 are the section boundaries of the section that eip is currently in...
Okay, this makes more sense to me now. I'll add this to my cheat sheet.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
x64dbg mr.exodia Developer Section 307 04-03-2019 07:48
nfd - x64dbg plugin hors Community Tools 2 04-01-2018 08:18
CeAutoAsm-x64dbg Plugin atom0s Developer Section 1 10-05-2017 09:30
x64dbg python Storm Shadow Developer Section 6 08-04-2017 15:29


All times are GMT +8. The time now is 04:29.


��ICP��05004977��
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX