Technique Name: PeID GenOEP Spoofing
Category: Analyzing
Analysis By: ap0x
Download: AntiGenOEP.zip
Added On: March 11 2006
Last Updated:
Description:
; #########################################################################

      .586
      .model flat, stdcall
      option casemap :none   ; case sensitive

; #########################################################################
      include \masm32\include\windows.inc
      include \masm32\include\user32.inc
      include \masm32\include\kernel32.inc
      include \masm32\include\comdlg32.inc
      
      includelib \masm32\lib\user32.lib
      includelib \masm32\lib\kernel32.lib
      includelib \masm32\lib\comdlg32.lib
      
; #########################################################################  
    .data
       MsgTitle db "AntiGenOEP:",0h
       MsgText db "AntiGenOEP finder!",0h
    .code

start:

; MASM32 antiPeID example
; coded by ap0x
; Reversing Labs: http://ap0x.headcoders.net

; To make PEiD's GenOepFinder.dll detect a false OEP I reversed its algorithm
; and came to this conclusion: GenOEP waits for the target to break in the
; main section, then searches for standard OEP signatures (VC++, Delphi...).
; If we place one of these signatures ahead of the real code, GenOEP breaks
; at the false OEP.

; Fake VC++ OEP code at 0x00401000: 48 bytes of the standard VC++ 6.0 entry
; prologue (PUSH EBP / MOV EBP,ESP / PUSH -1 / PUSH ... / MOV EAX,FS:[0] ...).
; These bytes are never executed; the real entry point follows right after them.

AntiGenOEP db 55h,8Bh,0ECh,6Ah,0FFh,68h,0F8h,40h,40h,00h,68h,0F4h
           db 1Dh,40h,00h,64h,0A1h,00,00,00,00,50h,64h,89h,25h,00
           db 00,00,00,83h,0ECh,58h,53h,56h,57h,89h,65h,0E8h,0FFh
           db 15h,58h,40h,40h,00,33h,0D2h,8Ah,0D4h

; After assembling, change the entry point (OEP) to 0x00401030 with LordPE
; or xPELister so that the decoy bytes above sit just before the real code.

; MessageBox(NULL, MsgText, MsgTitle, MB_ICONINFORMATION); stdcall pushes right to left
PUSH 40h               ; uType = MB_ICONINFORMATION
PUSH offset MsgTitle   ; lpCaption
PUSH offset MsgText    ; lpText
PUSH 0                 ; hWnd = NULL
CALL MessageBox
RET

end start
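The following is an added example, not part of ap0x's original page: a small Python script that reproduces what a signature-driven OEP finder does (a wildcard byte-pattern scan of the code section) and then cross-checks the result against the entry point recorded in the PE header. The decoy bytes are the 48 bytes listed above; the encoding of the real entry code, the operand addresses in it, and the MSVC 6.0 prologue pattern used as the signature are assumptions constructed for the demonstration, not values taken from the AntiGenOEP binary. Running it shows why an analyst should treat a signature hit that the header does not point at as a reason to look closer rather than as the OEP.

```python
"""Wildcard OEP-signature scan vs. PE header entry point (constructed example)."""

# Decoy block exactly as listed on the page (48 bytes, placed at 0x00401000).
FAKE_VC_OEP = bytes([
    0x55, 0x8B, 0xEC, 0x6A, 0xFF, 0x68, 0xF8, 0x40, 0x40, 0x00, 0x68, 0xF4,
    0x1D, 0x40, 0x00, 0x64, 0xA1, 0x00, 0x00, 0x00, 0x00, 0x50, 0x64, 0x89, 0x25, 0x00,
    0x00, 0x00, 0x00, 0x83, 0xEC, 0x58, 0x53, 0x56, 0x57, 0x89, 0x65, 0xE8, 0xFF,
    0x15, 0x58, 0x40, 0x40, 0x00, 0x33, 0xD2, 0x8A, 0xD4,
])

# Constructed encoding of the real entry code (PUSH 40h / PUSH imm32 / PUSH imm32 /
# PUSH 0 / CALL [imm32] / RET). The imm32 operands are placeholders, not real addresses.
REAL_ENTRY = bytes([
    0x6A, 0x40,
    0x68, 0x00, 0x20, 0x40, 0x00,
    0x68, 0x0D, 0x20, 0x40, 0x00,
    0x6A, 0x00,
    0xFF, 0x15, 0x40, 0x20, 0x40, 0x00,
    0xC3,
])

SECTION_VA = 0x00401000                      # assumed VA of the code section
TEXT_SECTION = FAKE_VC_OEP + REAL_ENTRY      # constructed section image
HEADER_ENTRY_POINT = SECTION_VA + len(FAKE_VC_OEP)   # what AddressOfEntryPoint says: 0x00401030

# PEiD-style signature text: hex bytes with "??" wildcards. This is the common
# MSVC 6.0 entry prologue; wildcards cover the two PUSH immediates and the
# SUB ESP size. Assumed for the example; check against your own signature DB.
VC6_OEP_SIGNATURE = ("55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? "
                     "64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC ?? 53 56 57")


def parse_signature(text):
    """Turn 'AA ?? BB' into a list of ints with None for wildcard positions."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def find_signature(data, base_va, signature):
    """Return every virtual address where the wildcard pattern matches."""
    pat = parse_signature(signature)
    hits = []
    for off in range(len(data) - len(pat) + 1):
        if all(p is None or data[off + i] == p for i, p in enumerate(pat)):
            hits.append(base_va + off)
    return hits


def oep_guess_disagrees(header_ep, hits):
    """True when no signature hit coincides with the header's entry point."""
    return header_ep not in hits


def analyze(data=TEXT_SECTION, base_va=SECTION_VA, header_ep=HEADER_ENTRY_POINT):
    """Run the scan and report the signature-based guess next to the header EP."""
    hits = find_signature(data, base_va, VC6_OEP_SIGNATURE)
    return {
        "signature_hits": hits,
        "header_ep": header_ep,
        "disagree": oep_guess_disagrees(header_ep, hits),
    }


if __name__ == "__main__":
    report = analyze()
    for va in report["signature_hits"]:
        print(f"VC++ 6.0 OEP signature matches at 0x{va:08X}")
    print(f"PE header AddressOfEntryPoint: 0x{report['header_ep']:08X}")
    if report["disagree"]:
        print("Signature hit is not the header entry point: possible decoy, verify manually.")
```

On the constructed section the scan reports a single hit at 0x00401000 while the header points at 0x00401030, which is exactly the disagreement the decoy is designed to produce. A signature match that no branch or header field references is a cheap first filter; confirming the real entry point still means following execution from the header entry point (or the unpacking stub) rather than trusting the pattern scan.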
