; #########################################################################
.586                    ; Pentium-class instruction set, 32-bit code
.model flat, stdcall    ; flat 32-bit memory model; default calling convention is stdcall
                        ; (callee pops its arguments), which is what the Win32 API expects
option casemap :none ; case sensitive identifiers (MessageBox and MESSAGEBOX are different symbols)
; #########################################################################
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\comdlg32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\comdlg32.lib
; #########################################################################
.data
; Null-terminated ANSI strings consumed by the MessageBox call in .code
; (MsgTitle = caption, MsgText = body). Nothing in this file writes to them;
; they live in the writable .data section only because that is the MASM32 habit,
; .const would hold them read-only.
MsgTitle db "AntiGenOEP:",0h
MsgText db "AntiGenOEP finder!",0h
.code
start:
; MASM32 antiPeID example
; coded by ap0x
; Reversing Labs: http://ap0x.headcoders.net
; To make PEiD's GenOepFinder.dll detect a false OEP I reversed its algorithm.
; Then I came to a conclusion. GenOEP waits for the target to break in the main section,
; and then performs a search for standard OEP signatures (VC++, Delphi...)
; If we enter one of these signatures we make GenOEP break at a
; false OEP.
;
; NOTE(review): what this looks like from the detector's side. The 48 bytes
; below are raw data placed at the very start of .code (0x00401000, per the
; author). A scanner that pattern-matches the section for a known compiler
; prologue finds a VC++ CRT startup stub there and stops, although the entry
; point actually used (after the header patch described further down) is
; 0x00401030. Decoded, the bytes read:
;   push ebp / mov ebp,esp / push -1 / push 004040F8h / push 00401DF4h
;   mov eax,fs:[0] / push eax / mov fs:[0],esp        (SEH frame setup)
;   sub esp,58h / push ebx / push esi / push edi / mov [ebp-18h],esp
;   call dword ptr [00404058h] / xor edx,edx / mov dl,ah
; The absolute addresses in it (004040F8h, 00401DF4h, 00404058h) are signature
; filler; nothing at those addresses is defined by this file. Detection lesson:
; a byte-pattern hit alone is weak evidence of an OEP. A checker that also
; validated the match (does the stub's SEH handler / import slot resolve, does
; the hit agree with the header's AddressOfEntryPoint) would reject this.
;
; CAUTION: `start:` sits BEFORE the fake bytes, so `end start` gives the linked
; PE an entry point of 0x00401000, i.e. the stub itself, not the code below.
; Unless the header is patched to 0x00401030 as the comment below says, the
; process executes the stub, which is not valid code for this image, and never
; reaches the MessageBox call.
; Fake VC++ OEP code at 0x00401000 (48 bytes = 30h)
AntiGenOEP db 55h,8Bh,0ECh,6Ah,0FFh,68h,0F8h,40h,40h,00h,68h,0F4h
db 1Dh,40h,00h,64h,0A1h,00,00,00,00,50h,64h,89h,25h,00
db 00,00,00,83h,0ECh,58h,53h,56h,57h,89h,65h,0E8h,0FFh
db 15h,58h,40h,40h,00,33h,0D2h,8Ah,0D4h
; Change Entry point {OEP} to 0x00401030 with LordPE or xPELister
; (0x00401000 + 30h bytes of stub above = the PUSH 40h that follows).
; MessageBox(NULL, MsgText, MsgTitle, MB_ICONINFORMATION) -- stdcall, arguments pushed right to left
PUSH 40h                ; uType = MB_ICONINFORMATION (40h)
PUSH offset MsgTitle    ; lpCaption
PUSH offset MsgText     ; lpText
PUSH 0                  ; hWnd = NULL
CALL MessageBox
RET                     ; returns into kernel32's thread-start stub; MASM32 code normally calls ExitProcess here
end start