Book: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
Back: Lab 18-2 Solutions
Next: Lab 18-4 Solutions

as OllyDump’s guess at the OEP. However, there are several reasons this doesn’t look like the OEP. The most obvious is that it accesses values above the base pointer at . If this were the file’s entry point, any data above the base pointer would not have been initialized.

, we eventually come to some code that looks like a tail jump. This code is a retn instruction followed by a bunch of zero bytes. We know that the code can’t go past this point.

. Now we need to find the value of the stack pointer to set a breakpoint. To do so, we examine the registers window, as shown on the top right of .

. To set a breakpoint, we first load that address in the memory dump by right-clicking and selecting Follow in Dump. This will make the memory dump window at appear as it does in .

To set a breakpoint on the last piece of data pushed onto the stack, we right-click the first data element on the stack at in and select Breakpoint ▸ Memory on Access. We then run our program. Unfortunately, it reaches an unhandled exception similar to when we set a breakpoint before. Next, we set the breakpoint with Breakpoint ▸ Hardware, on Access ▸ Dword. When we start our program, our breakpoint is triggered. The program will break at the instructions shown in .

. This looks like the original code; the call to GetVersion at is a dead giveaway.

00401577   PUSH EBP
00401578   MOV EBP,ESP
0040157A   PUSH -1
0040157C   PUSH Lab18-03.004040C0
00401581   PUSH Lab18-03.0040203C         ;  SE handler installation
00401586   MOV EAX,DWORD PTR FS:[0]
0040158C   PUSH EAX
0040158D   MOV DWORD PTR FS:[0],ESP
00401594   SUB ESP,10
00401597   PUSH EBX
00401598   PUSH ESI
00401599   PUSH EDI
0040159A   MOV DWORD PTR SS:[EBP-18],ESP
0040159D   CALL DWORD PTR DS:[404030]     ;  kernel32.GetVersion

Now, with EIP pointing to the first instruction at , we select Plugins ▸ OllyDump ▸ Dump Debugged Process. We click the Get EIP as OEP button, leaving all the other options with their default settings, and then click Dump. In the dialog, we enter a filename to save a copy of our unpacked program.

When we’re finished, we run the program and open it in IDA Pro to verify that it has been unpacked successfully. A brief analysis of the program reveals that the functionality is the same as Lab09-02.exe.
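One way to confirm a candidate OEP in a memory dump without stepping through it by hand, as an added example that is not from the book or from OllyDump: a Python scan for the Visual C++ CRT entry prologue listed above, with the per-binary operands (the two pushed addresses and the IAT slot of the first call) wildcarded, plus a sanity filter that rejects hits whose operands point outside the image. The image base, image size and the constructed sample image are assumptions built from the listing's bytes.

```python
import re

# Pattern for the CRT entry prologue in the listing:
#   PUSH EBP; MOV EBP,ESP; PUSH -1; PUSH imm32; PUSH imm32;
#   MOV EAX,FS:[0]; PUSH EAX; MOV FS:[0],ESP; SUB ESP,10;
#   PUSH EBX; PUSH ESI; PUSH EDI; MOV [EBP-18],ESP; CALL DWORD PTR [disp32]
# The three operands that differ per binary are captured as wildcards.
CRT_PROLOGUE = re.compile(
    rb"\x55\x8B\xEC\x6A\xFF"
    rb"\x68(.{4})"                      # PUSH <SEH handler table>
    rb"\x68(.{4})"                      # PUSH <SEH handler routine>
    rb"\x64\xA1\x00\x00\x00\x00\x50\x64\x89\x25\x00\x00\x00\x00"
    rb"\x83\xEC\x10\x53\x56\x57\x89\x65\xE8"
    rb"\xFF\x15(.{4})",                 # CALL DWORD PTR [IAT slot]
    re.DOTALL,
)

def find_oep_candidates(image, image_base):
    """Return the VAs in a flat memory image where the CRT prologue appears.

    A match is reported only if both pushed addresses and the IAT slot
    lie inside the image; chance byte matches in data rarely pass this.
    """
    end = image_base + len(image)
    hits = []
    for m in CRT_PROLOGUE.finditer(image):
        operands = [int.from_bytes(m.group(i), "little") for i in (1, 2, 3)]
        if all(image_base <= v < end for v in operands):
            hits.append(image_base + m.start())
    return hits

# Constructed sample (assumption): a zero-filled image based at 0x400000,
# 0x5000 bytes long, with the listing's 44 prologue bytes at 00401577 and
# a decoy copy at 00403000 whose first pushed address is out of range.
IMAGE_BASE = 0x400000
PROLOGUE_BYTES = bytes.fromhex(
    "55 8B EC 6A FF 68 C0 40 40 00 68 3C 20 40 00 64 A1 00 00 00 00 50 "
    "64 89 25 00 00 00 00 83 EC 10 53 56 57 89 65 E8 FF 15 30 40 40 00"
)
DECOY_BYTES = PROLOGUE_BYTES.replace(bytes.fromhex("C0404000"), bytes.fromhex("EFBEADDE"))
SAMPLE = bytearray(0x5000)
SAMPLE[0x1577:0x1577 + len(PROLOGUE_BYTES)] = PROLOGUE_BYTES
SAMPLE[0x3000:0x3000 + len(DECOY_BYTES)] = DECOY_BYTES

if __name__ == "__main__":
    for va in find_oep_candidates(bytes(SAMPLE), IMAGE_BASE):
        print(f"CRT prologue at {va:08X}")   # prints 00401577 only
```

On a real OllyDump output, load the dumped file's mapped sections at their virtual addresses before scanning, since the pattern spans only code bytes and the filter needs the true image base.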

This packer uses a variety of techniques to make it difficult to unpack and recognize the tail jump. Several of the usual strategies were ineffective because the packer takes explicit steps to thwart them. If using a particular technique seems difficult on a packed program, try different approaches until one works. In rare cases, none of the techniques will work easily.
