Packer Name:      FSG 1.33
Packer Author:    dulek
Classification:   Compressor
Analysis By:      quig
Last Updated:     June 15 2005

Allocation:       PE Header (sect 1)
Anti-Debug:       yes
Anti-Disassembly: yes
Section Name:     [blank]
Sample:           N/A
Notes
The IAT is built at runtime; every DLL is explicitly loaded with a call to LoadLibrary().

The stub is basically straight-line logic with a few built-in helper routines that it calls out to; each one returns to the mainline stub.

The JE to the OEP stands out because of its target address range (see the Transfer Command listing); it sits close to the end of the stub.

Offsets should line up in the sample.

Transfer Command
JE in the middle of the loop

00405FAA   79 05            JNS SHORT length2.00405FB1
00405FAC   46               INC ESI
00405FAD   AD               LODS DWORD PTR DS:[ESI]
00405FAE   50               PUSH EAX
00405FAF   EB 09            JMP SHORT length2.00405FBA
00405FB1   FE0E             DEC BYTE PTR DS:[ESI]
00405FB3  -0F84 B3B2FFFF    JE length2.0040126C     -----OEP-------
00405FB9   56               PUSH ESI
00405FBA   55               PUSH EBP
00405FBB   FF53 04          CALL DWORD PTR DS:[EBX+4]
00405FBE   AB               STOS DWORD PTR ES:[EDI]
00405FBF  ^EB E0            JMP SHORT length2.00405FA1
00405FC1   33C9             XOR ECX,ECX
00405FC3   41               INC ECX
00405FC4   FF13             CALL DWORD PTR DS:[EBX]
00405FC6   13C9             ADC ECX,ECX
00405FC8   FF13             CALL DWORD PTR DS:[EBX]
00405FCA  ^72 F8            JB SHORT length2.00405FC4
00405FCC   C3               RETN
00405FCD   02D2             ADD DL,DL
00405FCF   75 05            JNZ SHORT length2.00405FD6
00405FD1   8A16             MOV DL,BYTE PTR DS:[ESI]
00405FD3   46               INC ESI
00405FD4   12D2             ADC DL,DL
00405FD6   C3               RETN
00405FD7   FF5F 00          CALL FAR FWORD PTR DS:[EDI]       
00405FDA   0000             ADD BYTE PTR DS:[EAX],AL
00405FDC   0000             ADD BYTE PTR DS:[EAX],AL
00405FDE   0000             ADD BYTE PTR DS:[EAX],AL
00405FE0   0000             ADD BYTE PTR DS:[EAX],AL
00405FE2   005401 00        ADD BYTE PTR DS:[ECX+EAX],DL
00405FE6   00FF             ADD BH,BH
00405FE8   5F               POP EDI
00405FE9   0000             ADD BYTE PTR DS:[EAX],AL
00405FEB   0000             ADD BYTE PTR DS:[EAX],AL
00405FED   0000             ADD BYTE PTR DS:[EAX],AL
00405FEF   0000             ADD BYTE PTR DS:[EAX],AL
00405FF1   0000             ADD BYTE PTR DS:[EAX],AL
00405FF3   0000             ADD BYTE PTR DS:[EAX],AL
00405FF5   0000             ADD BYTE PTR DS:[EAX],AL
00405FF7   0000             ADD BYTE PTR DS:[EAX],AL
00405FF9   0000             ADD BYTE PTR DS:[EAX],AL
00405FFB   0000             ADD BYTE PTR DS:[EAX],AL
Entry Point Signature
BE [4Bytes]      MOV ESI,Address
AD               LODS DWORD PTR DS:[ESI]
93               XCHG EAX,EBX
AD               LODS DWORD PTR DS:[ESI]
97               XCHG EAX,EDI
AD               LODS DWORD PTR DS:[ESI]
56               PUSH ESI
96               XCHG EAX,ESI
B2 80            MOV DL,80
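Added here as an example (not from the OpenRCE entry or the FSG project): a Python check that maps a PE file's AddressOfEntryPoint to a file offset and tests the bytes there against the signature above, with ?? as a wildcard for the MOV ESI operand. The minimal PE it builds for self-testing is constructed sample input, and the 0x00404000 operand in the demo is a placeholder.

```python
import struct
# Signature from the Entry Point Signature block; ?? wildcards the 4-byte
# operand of MOV ESI,Address, which differs per packed file.
FSG_133_EP_SIG = "BE ?? ?? ?? ?? AD 93 AD 97 AD 56 96 B2 80"

def parse_sig(sig):
    """'BE ?? AD' -> [0xBE, None, 0xAD]; None matches any byte."""
    return [None if t == "??" else int(t, 16) for t in sig.split()]

def match_at(data, off, pattern):
    """True if the wildcard pattern matches data starting at offset off."""
    if off < 0 or off + len(pattern) > len(data):
        return False
    return all(p is None or data[off + i] == p for i, p in enumerate(pattern))

def entry_point_offset(pe):
    """Map AddressOfEntryPoint (an RVA) to a file offset via the section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    ep_rva = struct.unpack_from("<I", pe, e_lfanew + 24 + 16)[0]
    sect = e_lfanew + 24 + opt_size
    for i in range(nsect):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, sect + i * 40 + 8)
        if vaddr <= ep_rva < vaddr + max(vsize, rsize):
            return rptr + (ep_rva - vaddr)
    raise ValueError("entry point outside every section")

def is_fsg133(pe):
    """Packer check: FSG 1.33 stub bytes at the entry point."""
    return match_at(pe, entry_point_offset(pe), parse_sig(FSG_133_EP_SIG))

def build_test_pe(ep_code):
    """Constructed minimal PE32 (one section, ep_code at RVA 0x1000 / file
    offset 0x200) used as sample input; it is not a real packed file."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                    # AddressOfEntryPoint
    sect = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(ep_code), 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr = dos + b"PE\0\0" + file_hdr + bytes(opt) + sect
    return hdr.ljust(0x200, b"\0") + ep_code.ljust(0x200, b"\0")

if __name__ == "__main__":
    # 0x00404000 is a placeholder MOV ESI operand, not a value from the page.
    print(is_fsg133(build_test_pe(bytes.fromhex("BE00404000AD93AD97AD5696B280"))))
```

For a real file, pass `open(path, "rb").read()` to `is_fsg133`; a signature hit only identifies the stub, so the OEP still has to be found by tracing the JE as described in the notes.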
Known Unpackers
/*
//////////////////////////////////////////////////
	FSG 1.33 OEP Finder v0.2
	Author:	loveboom
	Email : bmd2chen@tom.com
	OS    : Win2kADV sp2,OllyDbg 1.1b,OllyScript v0.62
	Date  : 2004-4-2
	Config: N/A
	Note  :If you have one or more question
		email me please,thank you!
//////////////////////////////////////////////////
*/

var addr        // address of the JE to OEP inside the stub
var addr1       // EIP after stepping over that JE, minus the JE's 6-byte length

// Break on the stub's first call to LoadLibraryA
gpa "LoadLibraryA","kernel32.dll"
bp $RESULT
run

lbl1:
  bc $RESULT
  rtu                               // return to the stub
  // Break on GetProcAddress, which the stub uses to resolve imports
  gpa "GetProcAddress","kernel32.dll"
  bp $RESULT
  eob lbl2
  run

lbl2:
  bc $RESULT
  eob lbl3
  rtu                               // back in the stub at the return address of the GetProcAddress call

lbl3:
  mov addr,eip
  sub addr,B                        // 0Bh bytes before that return address is the JE to OEP (00405FB3 in the listing)
  bp addr
  eob lbl4
  run

lbl4:
  sto                               // step over the JE
  mov addr1,eip
  sub addr1,6                       // JE rel32 is 6 bytes: if still in the stub, addr1 == addr
  cmp addr1,addr
  jne lblend                        // JE was taken, so EIP is now the OEP

loop:
  run                               // JE not taken: run until the JE is hit again
  jmp lbl4

lblend:
  bc addr
  cmt eip,"OEP Found,please dumped it!"
  msg "Script by loveboom[DFCG],Thank you for using my Script!"
  ret
