kernel mode seh
breakpoint on kernel32.IsDebuggerPresent
single-step through; after the RET, set EAX=0 (pretend no debugger is present)
; --- Anti-debug check and first SEH trick (Yoda's Crypter 1.2 stub) ---
; Debugger listing (address / opcode bytes / mnemonic): not assemblable as-is.
; EBP appears to be the stub's delta (relocation) base: every [EBP+4xxxxx] operand
; is a reference into the stub's own data (compare LEA EAX,[EBP+402533] -> 4097A6 below).
004096A1 FFD0 CALL EAX ;EAX = kernel32.IsDebuggerPresent; returns nonzero when a debugger is attached
004096A3 0BC0 OR EAX,EAX ;test the result (OR reg,reg only sets flags here)
004096A5 74 02 JE SHORT 004096A9 ;jmp if eax 0 (no debugger) -- forcing EAX=0 after the call takes this branch
004096A7 61 POPAD ;debugger detected: restore registers and leave via RETN
004096A8 C3 RETN
004096A9 F785 6C254000 01>TEST DWORD PTR SS:[EBP+40256C],1 ;stub option flag; bit 0 selects the SEH path below
004096B3 74 4F JE SHORT 00409704 ;jmps for me (bit clear -> straight to 00409704)
004096B5 8DB5 E4264000 LEA ESI,DWORD PTR SS:[EBP+4026E4]
004096BB 8D85 6C244000 LEA EAX,DWORD PTR SS:[EBP+40246C]
004096C1 8946 08 MOV DWORD PTR DS:[ESI+8],EAX
004096C4 33DB XOR EBX,EBX ;EBX = 0 so that FS:[EBX] addresses the SEH chain head FS:[0]
004096C6 8D85 33254000 LEA EAX,DWORD PTR SS:[EBP+402533]
004096CC 50 PUSH EAX ;4097A6 (err handler routine) -- see the handler listing below
004096CD 64:FF33 PUSH DWORD PTR FS:[EBX] ;install err handler: save the previous FS:[0] link
004096D0 64:8923 MOV DWORD PTR FS:[EBX],ESP ;the new {prev, 4097A6} registration record is now head of the chain
004096D3 8BFD MOV EDI,EBP ;EDI = delta base; the handler reads it back from CONTEXT.Edi
004096D5 B8 00440000 MOV EAX,4400 ;purpose not evident from this listing
004096DA EB 01 JMP SHORT 004096DD ;skip one junk byte (C7) to break linear-sweep disassembly
004096DC C7 ???
004096DD CD 68 INT 68 ;throw error: deliberate exception so that the handler at 4097A6 runs
Shift-F7 (step into) to single-step into the ntdll error/exception handler
debug -> execute till user code
; --- First SEH handler (4097A6): redirects execution by editing the thread CONTEXT ---
; SEH handler arguments: (ExceptionRecord, EstablisherFrame, ContextRecord, DispatcherContext),
; so [EBP+10] is the CONTEXT pointer. x86 CONTEXT offsets used here:
;   +9C = Edi, +B4 = Ebp, +B8 = Eip.
004097A6 55 PUSH EBP
004097A7 8BEC MOV EBP,ESP
004097A9 57 PUSH EDI
004097AA 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10] ;EAX = CONTEXT* (third handler argument)
004097AD 8BB8 9C000000 MOV EDI,DWORD PTR DS:[EAX+9C] ;EDI = CONTEXT.Edi = delta base saved by MOV EDI,EBP before the INT 68
004097B3 FFB7 EC264000 PUSH DWORD PTR DS:[EDI+4026EC] ;4096DF --bpx: continuation address kept in the stub's data
004097B9 8F80 B8000000 POP DWORD PTR DS:[EAX+B8] ;CONTEXT.Eip = 4096DF: execution resumes there, not after the INT 68
004097BF 89B8 B4000000 MOV DWORD PTR DS:[EAX+B4],EDI ;CONTEXT.Ebp = delta base (the stub's base register is restored)
004097C5 C780 9C000000 00>MOV DWORD PTR DS:[EAX+9C],0 ;CONTEXT.Edi = 0 (matters for the CMP DI,... chain at 4096E7)
004097CF B8 00000000 MOV EAX,0 ;return ExceptionContinueExecution (0): resume with the patched CONTEXT
004097D4 5F POP EDI
004097D5 C9 LEAVE
004097D6 C3 RETN
returns into ntdll; you then lose the trace through kernel mode and the INT 2E call.
You re-emerge here (at the address the handler pushed into CONTEXT.Eip above, 4096DF):
; --- Resumed at 4096DF (the Eip written by the first handler); EBP = delta base, EDI = 0 ---
004096DF 33DB XOR EBX,EBX
004096E1 64:8F03 POP DWORD PTR FS:[EBX] ;unlink the handler: FS:[0] = saved previous frame
004096E4 83C4 04 ADD ESP,4 ;discard the pushed handler address
004096E7 66:81FF 9712 CMP DI,1297 ;the handler set CONTEXT.Edi = 0, so DI = 0 and none of these match...
004096EC 74 0E JE SHORT 004096FC
004096EE 66:81FF 7712 CMP DI,1277
004096F3 74 07 JE SHORT 004096FC
004096F5 66:81FF 3013 CMP DI,1330
004096FA 75 08 JNZ SHORT 00409704 ;...so this jump to 00409704 is taken
004096FC EB 01 JMP SHORT 004096FF ;(only when DI matched) jumps into the middle of the FF61 EB bytes
004096FE FF61 EB JMP DWORD PTR DS:[ECX-15] ;junk decode; from 004096FF the bytes read 61 POPAD / EB 01 JMP SHORT 00409703 / C3 RETN,
00409701 01E8 ADD EAX,EBP ;i.e. the same POPAD;RETN exit as the debugger-detected path at 4096A7
00409703 C3 RETN
00409704 8D85 CB244000 LEA EAX,DWORD PTR SS:[EBP+4024CB]
0040970A 50 PUSH EAX ;40973E change fx ret addr
0040970B C3 RETN ;PUSH/RETN = obfuscated JMP 0040973E
0040973E 32C0 XOR AL,AL ;AL = 0 fill byte for the STOS loops
00409740 8DBD ED1D4000 LEA EDI,DWORD PTR SS:[EBP+401DED]
00409746 B9 AC060000 MOV ECX,6AC
0040974B AA STOS BYTE PTR ES:[EDI]
0040974C ^E2 FD LOOPD SHORT 0040974B ;zeroing out memory: 0x6AC bytes at [EBP+401DED] -- presumably the stub wipes its own areas before the OEP jump
0040974E 8DBD F6244000 LEA EDI,DWORD PTR SS:[EBP+4024F6]
00409754 B9 C0020000 MOV ECX,2C0
00409759 AA STOS BYTE PTR ES:[EDI]
0040975A ^E2 FD LOOPD SHORT 00409759 ;zeroing out memory: 0x2C0 bytes at [EBP+4024F6]
0040975C 61 POPAD ;-bpx here and run (restores the registers saved at stub entry; EBX now holds the encoded OEP, see handler 2)
0040975D 50 PUSH EAX ;40970c (bpx err handler)
0040975E 33C0 XOR EAX,EAX
00409760 64:FF30 PUSH DWORD PTR FS:[EAX] ;install err handler (same pattern as at 4096CC: {prev, 40970C})
00409763 64:8920 MOV DWORD PTR FS:[EAX],ESP ;ESP now points at the registration record; handler 2 reads it from CONTEXT.Esp
00409766 EB 01 JMP SHORT 00409769 ;skip one junk byte
00409768 87 db 87
00409769 0000 ADD BYTE PTR DS:[EAX],AL ;throw error: EAX = 0, so this writes to address 0 -> access violation -> handler 40970C
Shift-F7 (step into) to single-step into the ntdll error/exception handler
Debug -> Execute till user code (better: set a breakpoint on the error handler, since Olly sometimes slips past it with "execute till user code")
; --- Second SEH handler (40970C): unlinks itself and points Eip at the OEP ---
; [EBP+10] = CONTEXT*; x86 CONTEXT offsets used: +A4 = Ebx, +B8 = Eip, +C4 = Esp.
0040970C 55 PUSH EBP
0040970D 8BEC MOV EBP,ESP
0040970F 57 PUSH EDI
00409710 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10] ;EAX = CONTEXT*
00409713 8BB8 C4000000 MOV EDI,DWORD PTR DS:[EAX+C4] ;EDI = faulting ESP = address of the {prev, 40970C} registration record
00409719 FF37 PUSH DWORD PTR DS:[EDI] ;prev link of that record
0040971B 33FF XOR EDI,EDI
0040971D 64:8F07 POP DWORD PTR FS:[EDI] ;FS:[0] = prev: the stub's handler is unlinked from inside the handler
00409720 8380 C4000000 08 ADD DWORD PTR DS:[EAX+C4],8 ;CONTEXT.Esp += 8: pops {prev, handler} off the faulting stack
00409727 8BB8 A4000000 MOV EDI,DWORD PTR DS:[EAX+A4] ;EDI = CONTEXT.Ebx (the value POPAD loaded just before the fault)
0040972D C1C7 07 ROL EDI,7 ;decode the OEP (stored rotated; ROL 7 recovers it) -- the bytes C1 C7 are what the script's findop looks for
00409730 89B8 B8000000 MOV DWORD PTR DS:[EAX+B8],EDI ; ----- EDI = OEP (401048): CONTEXT.Eip = OEP
00409736 B8 00000000 MOV EAX,0 ;ExceptionContinueExecution: ZwContinue resumes at the OEP
0040973B 5F POP EDI
0040973C C9 LEAVE
0040973D C3 RETN
back into ntdll, ZwContinue and kernel mode before hitting the OEP
|
// Y0da Crypter 1.2 OEP Finder v0.1
// by FEUERRADER [AHTeam]
// http://ahteam.org
//
// ODbgScript (OllyScript) automating the trace above. Start it with the packed
// file stopped at its entry point. `eob`/`eoe` register the label to jump to on
// the next breakpoint / exception, `run` resumes, `esto` passes the pending
// exception to the program (Shift-F9) so the crypter's own SEH handlers run,
// `sto` is one step over (F8).
var s                           // stack slot watched by the hardware breakpoint
var k                           // scratch address for the software breakpoints
eob Break                       // first breakpoint -> Break
mov s, esp
sub s, 04                       // s = ESP-4: the slot the stub's first push at the entry point writes
bphws s, "r"                    // hardware breakpoint on that slot
run
Break:
eob Break2
eoe expp                        // the stub's deliberate exceptions (INT 68, write to address 0) go to expp
run
Break2:
eob B21
eoe expp
run
expp:
esto                            // pass the exception to the program: its SEH handler patches CONTEXT and continues
B21:
eoe expp
bphwc s                         // done with the stack-slot breakpoint
eob B3
eoe expp1
mov k, eax                      // presumably EAX holds the address of the next stub routine here -- verify in the trace
bp k
run
expp1:
esto                            // two exceptions are expected before the next breakpoint fires
esto
B3:
bphwc k                         // NOTE(review): k was set with `bp` (INT3); bphwc clears hardware breakpoints -- `bc k` would be the matching clear
eob Br4
findop eip, #C1C7#              // find ROL EDI,imm8 (bytes C1 C7): the OEP decode in the second handler (0040972D)
bphws $RESULT, "x"              // execution breakpoint on the ROL
run
Br4:
bphwc $RESULT
sto                             // step over ROL EDI,7 ...
sto                             // ... and over MOV [EAX+B8],EDI; EDI now holds the decoded OEP
eob Br5
mov k, edi
bp k                            // software breakpoint on the OEP
run
Br5:
bphwc k                         // NOTE(review): same mismatch -- `bc k` clears the INT3 set above
cmt eip, "OEP"                  // label the OEP in the disassembly
ret
|