Kind day!
I study on your examples of a code. I write prog, which substitutes Entry Point in given PE a file.
At substitution the search delta of displacement is used. All works normally.
Question: how the delta displacement turns out?

call delta
pop ebp
sub ebp, offset delta

If to consider this code in the usual program, EBP = 0
If in infected EBP! = 0? But why? Not clearly.



call delta
pop ebp
sub ebp, offset delta

This program in OllyDbg has a kind:

00401000 CALL _file.00401005
00401005 POP EBP
00401006 SUB EBP,_file.00401005 ---> EBP=00000000

? In the infected program we have:

00403200 PUSHAD
00403201 CALL _file.00403206
00403206 POP EBP
00403207 SUB EBP,_file.00412042 ---> EBP=00001FC4

In the infected program Entry Point = 00403200, and delta: has the address = 00412042.

As, in the infected file, the same instruction (POP EBP) has two different addresses:
And 00403206 and _ file.00412042 simultaneously.

Where this has undertaken 00412042 I shall not understand as. The infected file in HIEW-? looked. Such displacement in a file in general is not present, there jump.Explain, please, itself I shall not understand. Help!
Posted on 2004-03-19 07:45:24 by animator
The delta trick finds the amount the code has been relocated from the base it was linked to. Let's say you have a PE linked with base = 0x400000 (the normal for PE files), your .text section starts at RVA=0x1000 (also pretty normal), and your entrypoint is at the very start of your .text section. Furthermore, the first instructions in your application is the delta calculation.

This will give the following result:

.00401000: E800000000 call .000401005
.00401005: 5D pop ebp
.00401006: 81ED05104000 sub ebp,000401005

As you can see, the CALL instruction (E8 opcode) has EIP-relative encoding, while the SUB has the full image-base + RVA. When code runs normally, the "pop ebp" results in 0x401005, and the delta is zero. If you add this code at the end of an exe, the "pop ebp" will obviously result in something quite different.

The value at "sub ebp, xxxx" will vary depending on the imagebase used in the appended code, and where in the code the delta calculation is done. The resulting delta value will always be the "how much was I relocated?" value, though.
Posted on 2004-03-19 08:49:32 by f0dder
I added a little test example, just for fun. Btw, I don't like your use of the word "infected"...
Posted on 2004-03-19 09:26:25 by f0dder
The thank, is the best answer which I received.
Excuse please for a word "infect".
Posted on 2004-03-20 05:24:15 by animator
? In the infected program we have:


I hope you are not trying to do something wrong. :)
Posted on 2004-03-20 06:44:24 by Vortex
I have initial code ASProtect 0.00... 1 and I want to understand as it works.
Posted on 2004-03-22 00:59:03 by animator
Eeek eek, no Reverse Engineering either :)
Posted on 2004-03-22 03:12:43 by f0dder