RDG OEP Signature Spoofing
Analyzing
ap0x
AntiRDG-OEP-Signature.zip
March 11 2006
; #########################################################################
.586
.model flat, stdcall
option casemap :none ; case sensitive
; #########################################################################
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\comdlg32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\comdlg32.lib
; #########################################################################
.data
; Caption and body text of the message box shown from @RealStart.
; Both are NUL-terminated byte strings (db ..., 0h).
msgTitle db "Scan status:",0h
msgText db "Fake signature ;)",0h
.code
start:
; MASM32 antiRDG example
; coded by ap0x
; Reversing Labs: http://ap0x.headcoders.net
;
; Entry point (OEP) of the demo.
; RDG checks OEP for signatures. If the byte pattern at OEP matches one of
; the signatures stored in RDG.exe or its text database, RDG will identify the
; target as the packer or protector assigned to that signature. So we can insert
; any number of bytes at OEP and make RDG detect the wrong packer.
; For example, this is ASProtect's OEP (as stated by the author).
;
; Control flow of the four-instruction stub below:
;   PUSH offset @RealStart   -> pushes the address of the real code
;   CALL @delta              -> pushes the address of the RET that follows the CALL
;   @delta: RET              -> pops that return address, lands on the first RET
;   RET                      -> pops @RealStart and jumps there
; Both pushes are consumed by the two RETs, so ESP is back where it was on
; entry when @RealStart begins executing.
;
; NOTE(review): this is why a raw byte pattern at the entry point is a weak
; identification signal on its own; a detector should corroborate it with
; other evidence (e.g. section layout, imports, entropy) rather than trusting
; the OEP bytes alone.
PUSH offset @RealStart
CALL @delta
RET
@delta:
RET
; See the AntiRDG-OEP-Signature.zip archive for a Phantasm example
; Unimportant bytes - junk. They sit after the RET above and before @RealStart,
; so no execution path reaches them.
db 0Bh,0B6h,66h,0B1h,22h,0B7h
; STACK is aligned (both pushes were popped by the two RETs), just continue executing.
@RealStart:
; Real program body: show the "scan status" message box, then exit the process.
; int MessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
; invoke emits the arguments right-to-left, i.e. the same
;   push 40h / push offset msgTitle / push offset msgText / push 0 / call
; sequence as the hand-written form; MB_ICONINFORMATION is 40h in windows.inc.
invoke MessageBox, NULL, ADDR msgText, ADDR msgTitle, MB_ICONINFORMATION
; void ExitProcess(UINT uExitCode) -- exit code 0, never returns.
invoke ExitProcess, 0
end start