Good day!
I am studying your code examples. I am writing a program which replaces the Entry Point in a given PE file.
During the substitution, the delta offset search is used. Everything works normally.
Question: how is the delta offset obtained?
call delta
delta:
pop ebp
sub ebp, offset delta
If we consider this code in a normal program, EBP = 0.
In an infected one, EBP != 0? But why? It is not clear.
.CODE
Main:
NOP
NOP
NOP
NOP
call delta
delta:
pop ebp
sub ebp, offset delta
This program in OllyDbg looks like this:
00401000 CALL _file.00401005
00401005 POP EBP
00401006 SUB EBP,_file.00401005 ---> EBP=00000000
In the infected program we have:
00403200 PUSHAD
00403201 CALL _file.00403206
00403206 POP EBP
00403207 SUB EBP,_file.00412042 ---> EBP=00001FC4
In the infected program the Entry Point = 00403200, and delta: has the address 00412042.
How can the same instruction (POP EBP) in the infected file have two different addresses,
both 00403206 and _file.00412042 at the same time?
Where this 00412042 comes from I cannot understand at all. I looked at the infected file in HIEW. There is no such offset in the file at all; there is a jump there. Please explain, I cannot work it out myself. Help!
The delta trick finds the amount the code has been relocated from the base it was linked to. Let's say you have a PE linked with base = 0x400000 (the normal for PE files), your .text section starts at RVA=0x1000 (also pretty normal), and your entrypoint is at the very start of your .text section. Furthermore, the first instruction in your application is the delta calculation.
This will give the following result:
.00401000: E800000000 call .000401005
.00401005: 5D pop ebp
.00401006: 81ED05104000 sub ebp,000401005
As you can see, the CALL instruction (E8 opcode) has EIP-relative encoding, while the SUB has the full image-base + RVA. When code runs normally, the "pop ebp" results in 0x401005, and the delta is zero. If you add this code at the end of an exe, the "pop ebp" will obviously result in something quite different.
The value at "sub ebp, xxxx" will vary depending on the imagebase used in the appended code, and where in the code the delta calculation is done. The resulting delta value will always be the "how much was I relocated?" value, though.
I added a little test example, just for fun. Btw, I don't like your use of the word "infected"...
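As an added illustration (not the test example attached to this post, and not code from the thread), here is a small Python parser for the stub in the listing above. It decodes the EIP-relative CALL and the absolute immediate of the SUB and returns the value the register ends up holding, which is handy when triaging a file whose entry point starts with this pattern: the immediate tells you the address the code was linked for, and the difference tells you how far it was moved. The run addresses other than 0x401000 are constructed for the demonstration.

```python
import struct

# Constructed sample: exactly the bytes from the listing above.
#   E8 00000000    call $+5
#   5D             pop ebp
#   81ED 05104000  sub ebp, 0x401005
DELTA_STUB = bytes.fromhex("E800000000" "5D" "81ED05104000")


def decode_delta_stub(code, run_addr):
    """Parse a `call next; pop r32; sub r32, imm32` stub placed at run_addr.

    Returns (reg, linked_addr, delta): reg is the register number (5 == EBP),
    linked_addr is the absolute address baked into the SUB by the assembler,
    and delta is the 32-bit value the register holds after the SUB, i.e. how
    far the stub is running from where it was linked. Raises ValueError when
    the bytes do not match the pattern.
    """
    if len(code) < 5 or code[0] != 0xE8:
        raise ValueError("expected E8 (call rel32) at offset 0")
    rel32 = struct.unpack_from("<i", code, 1)[0]
    pushed = (run_addr + 5) & 0xFFFFFFFF            # return address CALL pushes
    target = (pushed + rel32) & 0xFFFFFFFF          # CALL is EIP-relative
    off = target - run_addr                         # offset of the POP in `code`
    if off < 0 or off + 7 > len(code):
        raise ValueError("call target outside supplied bytes")
    pop = code[off]
    if not 0x58 <= pop <= 0x5F:                     # 58+r: pop r32
        raise ValueError("call target is not pop r32")
    reg = pop - 0x58
    # sub r32, imm32 is 81 /5: ModRM = 11 101 rrr = 0xE8 | reg (0xED for EBP)
    if code[off + 1] != 0x81 or code[off + 2] != (0xE8 | reg):
        raise ValueError("pop not followed by sub same-reg, imm32")
    linked_addr = struct.unpack_from("<I", code, off + 3)[0]
    # In the classic stub rel32 == 0, so the popped value is the POP's own
    # address; the register then holds (actual address - linked address).
    delta = (pushed - linked_addr) & 0xFFFFFFFF
    return reg, linked_addr, delta


if __name__ == "__main__":
    for addr in (0x401000, 0x403201):
        reg, linked, delta = decode_delta_stub(DELTA_STUB, addr)
        print(f"stub at {addr:08X}: linked for {linked:08X}, delta {delta:08X}")
```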
Thank you, it is the best answer I have received.
Please excuse the word "infect".
Animator,
I hope you are not trying to do something wrong. :)
I have the source code of ASProtect 0.00... 1 and I want to understand how it works.
Eeek eek, no Reverse Engineering either :)