Flag: Tornado! Hurricane!


Technique Name Category Analysis By Download Added On Last Updated
PeID GenOEP Spoofing Analyzing ap0x AntiGenOEP.zip March 11 2006
Description:
; #########################################################################

      .586
      .model flat, stdcall
      option casemap :none   ; case sensitive

; #########################################################################
      include \masm32\include\windows.inc
      include \masm32\include\user32.inc
      include \masm32\include\kernel32.inc
      include \masm32\include\comdlg32.inc
      
      includelib \masm32\lib\user32.lib
      includelib \masm32\lib\kernel32.lib
      includelib \masm32\lib\comdlg32.lib
      
; #########################################################################  
    .data
       MsgTitle db "AntiGenOEP:",0h
       MsgText db "AntiGenOEP finder!",0h
    .code

start:

; MASM32 antiPeID example
; coded by ap0x
; Reversing Labs: http://ap0x.headcoders.net

; To make PeID`s GenOepFinder.dll detect false OEP I reversed it`s algorithm.
; Then I came to a conclusion. GenOEP waits for target to break in main section,
; and then performes a search for standard OEP signatures (VC++, Delphi...)
; If we would enter one of these signatures we would make GenOEP brake at
; false OEP.

; Fake VC++ OEP code at 0x00401000

AntiGenOEP db 55h,8Bh,0ECh,6Ah,0FFh,68h,0F8h,40h,40h,00h,68h,0F4h
db 1Dh,40h,00h,64h,0A1h,00,00,00,00,50h,64h,89h,25h,00
db 00,00,00,83h,0ECh,58h,53h,56h,57h,89h,65h,0E8h,0FFh
db 15h,58h,40h,40h,00,33h,0D2h,8Ah,0D4h

; Change Entry point {OEP} to 0x00401030 with LordPE or xPELister

PUSH 40h
PUSH offset MsgTitle
PUSH offset MsgText
PUSH 0
CALL MessageBox
RET

end start

There are 31,134 total registered users.


Recently Created Topics
Information on the t...
Feb/08
Information on the m...
Feb/07
Order Finax, Fincar ...
Feb/07
Information on the m...
Feb/07
Order Proscar (Finas...
Feb/07
Order Proscar, Finax...
Feb/07
Order Finasteride, F...
Feb/07
How to view IDA Pro'...
Nov/02
reverse MC9S12DG128
Oct/07
Looking for an advan...
Mar/21


Recent Forum Posts
Looking for an advan...
tthtlc
Looking for an advan...
tthtlc
Looking for an advan...
clightning
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo


Recent Blog Entries
nieo
Mar/22
Android Application Reversing

halsten
Mar/14
Breaking IonCUBE VM

oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

oleavr
Aug/27
CryptoShark: code tracer ba...

More ...


Recent Blog Comments
ComPuer on:
May/14
Android Application Reversing

nieo on:
Mar/22
IAT Patcher - new tool for ...

djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit