12 replies to this topic

[Ryan M]

I'm diving into to basic ASM right now more or less, just chanign EP's and what not...I'm having this weird problem though.

Entry Point:004100AC
ImageBase:00400000 (Seems to be a standard ImageBase? I've opened up a few programs with that IB)

1ST RETN:410266 <--Added By Me
2ND RETN:410267 <--Added By Me

RETN <--Added By Me
RETN <--Added By Me
PUSH EBP <--Added By Me
MOV EBP,ESP <--Added By Me
SUB ESP,8 <--Added By Me
PUSH 004100AC  <--Added By Me -- Existing Entry Point
PUSH 00410266 <--Added By Me -- 1st RETN
MOV EAX,00410267 <--Added By Me -- 2nd Retn
Jmp eax <--Added By Me
NOP <--Added By Me

Then you do PUSH EBP Addres-ImageBase=New Entry Point ?

So I open up ProcDump32, and change the EntryPoint value, to the one I calculated...still good.

When I go to run the EXE it crashes. Anyone shed some light here?

[Ender]

Lets say you got this code and all you want to do is simply relocate the EP from old address to new one and thats all.

004074ED >/$ 55 PUSH EBP <==== EP and you want to move it you can nop this later or just leave it like it is your call..
004074EE |. 8BEC MOV EBP,ESP( you can nop this and replace it just after the new ep down, used to work 3-4 years ago very well against all AVs ) *2
004074F0 |. 83EC 44 SUB ESP,44 (and this ) *3
004074F3 |. 56 PUSH ESI(etc.. if your just after simple EP change you can just relocate the first line) *4
004074F4 |. FF15 10104000 CALL DWORD PTR DS:[<&KERNEL32.GetCommand>; [GetCommandLineA
004074FA |. 8BF0 MOV ESI,EAX
004074FC |. 8A06 MOV AL,BYTE PTR DS:[ESI]
004074FE |. 3C 22 CMP AL,22


Then find some code cave at ex 00407811 there you gonna put your new EP

00407811 you can add that(004074ED) PUSH EBP here or (JMP 004074ED) if you aint nop'd it up there ^^ and skip all lines down and go to procdump or
00407812 and some of the lines after here *2
00407813 and here *3
00407814 etc. if you like that is or you can just relocate the (004074ED) and ignore 7812,13,14) *4
00407815 here you can put JMP 004074EE (the line after your orig ep was up^^) or if you replaced *2,*3,*4 JMP 004074F4
00407816 00 DB 00
00407817 00 DB 00
save the file open lord pe or program of your choise ProcDump32 find the ep 004074ED and change it to 00407811 save and your exe has brand new entry point



hope this helps.

[Ryan M]

Let's use this as an example...

Now that that code is inserted do I NOP out the original entry point, and how do I calculate
the new Entry Point to put in PROCDUMP32?

ORIG PUSH EBP:40E9DB
MY PUSH EBP:4165D2

004165D0   . C3			 RETN
004165D1   . C3			 RETN
004165D2   . 55			 PUSH EBP
004165D3   . 8BEC		   MOV EBP,ESP
004165D5   . 83EC 08		SUB ESP,8
004165D8   . 68 DBE94000	PUSH x.<ModuleEntryPoint>
004165DD   . 68 D0654100	PUSH x.004165D0
004165E2   . B8 D1654100	MOV EAX,x.004165D1
004165E7   . FFE0		   JMP EAX

PROCDUMP32.EXE INFO:
ENTRY POINT=0000E9DB
SIZE OF IMAGE=00023000
IMAGE BASE=00400000

[saintfiends]

What I do is just simply put a JMP into the original EP and then relocate few lines somewhere else and then JMP back in again to the program flow.

[Ryan M]

So by replacing the original EP with a JMP what else would you move?

00403954 >/$ 55			 JMP <--Original EP
00403955  |. 8BEC		   MOV EBP,ESP <--MOVE or NOP?
00403957  |. 6A FF		  PUSH -1 <--MOVE or NOP?
00403959  |. 68 20414000	PUSH file.00404120 <--MOVE or NOP?
0040395E  |. 68 863A4000	PUSH <JMP.&MSVCRT._except_handler3>	 ;  SE handler installation
00403963  |. 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00403969  |. 50			 PUSH EAX
0040396A  |. 64:8925 000000>MOV DWORD PTR FS:[0],ESP
00403971  |. 83EC 20		SUB ESP,20 <--MOVE or NOP?
00403974  |. 53			 PUSH EBX
00403975  |. 56			 PUSH ESI
00403976  |. 57			 PUSH EDI
00403977  |. 8965 E8		MOV DWORD PTR SS:[EBP-18],ESP
0040397A  |. 8365 FC 00	 AND DWORD PTR SS:[EBP-4],0
0040397E  |. 6A 01		  PUSH 1
00403980  |. FF15 D0404000  CALL DWORD PTR DS:[<&MSVCRT.__set_app_ty>;  msvcrt.__set_app_type
00403986  |. 59			 POP ECX

I would assume NOP out the MOV EBP,ESP and append it elsewhere in the file...would that be the only line moved though?

[saintfiends]

I found this tutorial. Hope it helps.

hxxp://students.sabanciuniv.edu/%7Ecanyildizli/UD_methods1.pdf

[Ryan M]

Appreciate the link, however I have already read that. The part that keeps screwing up my PE files. Whenever I do the part of the tutorial that consits of PushEBPAddress-ImageBase=New EP...I'm not sure why either.

[saintfiends]

Thats strange, I just followed the tutorial to make sure and everythings working fine here. Check out tuts4you.com I think they've got some stuff about changing EP.

[Ryan M]

You use the new PUSH EBP address that you insert right, and NOP out the existing one, correct?

[saintfiends]

There is no need to NOP out anything. Just leave it as it is. Here is what I did.

hxxp://img103.imageshack.us/img103/7673/tutlp9.jpg

and the executable I used:

hxxp://rapidshare.com/files/64423129/helloworld.exe.html




PS: Anyone who is about to flame me for copying. The original tutorial is given on the previous post. This is just to show how I did it!.

[Ryan M]

I've done all those steps, but when I have a situation like this....


PUSHEBP=00401188
IB=00400000

That EP= 400000[IB]-401188[PUSHEBP]=00001188[EP]

Here is my problem...

PUSHEBP=006AC5B1
IB=00400000

My EP= 400000[IB]-6AC5B1[PUSHEBP]=FFFFFFFFFFFD53A4D

Does this method only work for smaller files? Sorry If I'm missing something there, I am following step by step, calculator is in HEX too not DEC

[saintfiends]

lol, thats weird 006AC5B1 is obviously bigger than IB. I'm out of words right now . If its not packed I gues it should be fine. If I could see something like that maybe I could try finding a way around it. But right now I dont have anything that fits the description. Or give me a link to an exe that is like that, I wanna try too.

[IDEspinner]

One of the main issues ive seen people get caught up with using this 'jmp' hook method is that the jmp command overwrites several of the following commands. Be sure that you restore the commands(you may have to set the write bit on whatever memory stub your writing on).

Also you could have an off by one calculation, this is why I really like using ollydbg because you can use that to calculate your offsets and never have to worry that you put the wrong offset.

So by replacing the original EP with a JMP what else would you move?

00403954 >/$ 55			 JMP <--Original EP
00403955  |. 8BEC		   MOV EBP,ESP <--MOVE or NOP?
00403957  |. 6A FF		  PUSH -1 <--MOVE or NOP?
00403959  |. 68 20414000	PUSH file.00404120 <--MOVE or NOP?
0040395E  |. 68 863A4000	PUSH <JMP.&MSVCRT._except_handler3>	;  SE handler installation
00403963  |. 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00403969  |. 50			 PUSH EAX
0040396A  |. 64:8925 000000>MOV DWORD PTR FS:[0],ESP
00403971  |. 83EC 20		SUB ESP,20 <--MOVE or NOP?
00403974  |. 53			 PUSH EBX
00403975  |. 56			 PUSH ESI
00403976  |. 57			 PUSH EDI
00403977  |. 8965 E8		MOV DWORD PTR SS:[EBP-18],ESP
0040397A  |. 8365 FC 00	 AND DWORD PTR SS:[EBP-4],0
0040397E  |. 6A 01		  PUSH 1
00403980  |. FF15 D0404000  CALL DWORD PTR DS:[<&MSVCRT.__set_app_ty>;  msvcrt.__set_app_type
00403986  |. 59			 POP ECX

I would assume NOP out the MOV EBP,ESP and append it elsewhere in the file...would that be the only line moved though?