
Thread: Different Entry Points - IDA and Olly 2.01

  1. #1
    Registered User | Join Date: Apr 2011 | Posts: 78 | Blog Entries: 1

    Different Entry Points - IDA and Olly 2.01

    Hi All,
    I was reversing a piece of malware keeping in mind the tips in the previous thread I started and have come a long way thanks to that.

    While reversing however I came upon an interesting thing. The Entry Point of the program seemed to be differently detected in Olly 2.01 and IDA Pro. Olly was configured to stop on WinMain if it was known but it seemed to stop at a point much before IDA did.

    So I'm saying... Olly stopped at 404EDD while IDA stopped at 403D50. Now the interesting thing was, if I started at the Entry Point detected by Olly and worked my way forward from there, I eventually arrive at 403D50 [The IDA entry point] and then everything is similar. Also, all that code till 403D50 did not seem to be too important from a "malware behavior" perspective.

    So it seems that there is some intelligence built into IDA which is detecting known assembly code and not "showing" it to the user directly, giving him a better point to start analyzing from.

    Could someone confirm this behaviour please? What is correct and why?

    Thanks
    Arvind
    Reversing articles, primarily from a newbie perspective - http://ardsec.blogspot.com

    Latest article written - http://resources.infosecinstitute.com/author/arvind

  2. #2

    As Above

    One is "START"

    Other is "WINMAIN"

    Your turn to figure out which is which.

    Have Phun
    Blame Microsoft, get l337 !!

  3. #3
    Registered User | Join Date: Apr 2011 | Posts: 78 | Blog Entries: 1
    Ha ha, thanks a lot, basically telling me to RTFM.

    I'll try and read more and all that. But I always thought both tools should stop at the entry point? That's what all the PE header documentation says too, right? Code starting from the entry point? So why did IDA ignore all that and go to WinMain?

    I remember one field called 'Start of Code' too. But I am not sure that is relevant here

    Arvind
    Reversing articles, primarily from a newbie perspective - http://ardsec.blogspot.com

    Latest article written - http://resources.infosecinstitute.com/author/arvind

  4. #4
    bilbo (son of Bungo & Belladonna) | Join Date: Mar 2004 | Location: Rivendell | Posts: 310
    > So it seems that there is some intelligence built into IDA which is detecting known assembly code and not "showing" it to the user directly, giving him a better point to start analyzing from.
    Correct!
    Go to the last line of the IDA disassembly ("end start"): that's the true entry point. Click on it and you will be teleported to its address: that must be the same as Olly's entry point.

    Best regards, bilbo
    Non quia difficilia sunt, non audemus, sed quia non audemus, difficilia sunt.[Seneca, Epistulae Morales 104, 26]
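The header field the thread is circling around is AddressOfEntryPoint in the PE optional header: it is a relative virtual address (RVA), and adding ImageBase to it gives the address a debugger like Olly stops at, and the address IDA's "end start" line refers to. IDA's jump to WinMain is a separate step, recognition of compiler startup code, and is not recorded anywhere in the header. The script below is an added example, not code from this forum or from either tool; it parses the headers of a constructed, header-only PE32 image whose values (ImageBase 0x400000, entry RVA 0x4EDD) are chosen so that the computed entry VA matches the 404EDD figure from the first post. The sample bytes, the section layout and the function names are all my own assumptions for illustration.

```python
"""Read the true entry point from PE headers (added example; constructed sample)."""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D      # 'MZ' as little-endian u16
IMAGE_NT_SIGNATURE = 0x00004550   # 'PE\0\0' as little-endian u32
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def build_sample_pe32(image_base=0x400000, entry_rva=0x4EDD, base_of_code=0x1000):
    """Construct a minimal PE32 header set (DOS + NT headers + one section).

    Constructed for this example only; it is not a real binary and carries no code.
    """
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew: NT headers follow the DOS header
    # COFF file header: i386, 1 section, SizeOfOptionalHeader=224, EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x0102)
    # Optional header, PE32 standard fields (28 bytes): Magic, linker ver, SizeOfCode,
    # SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint, BaseOfCode, BaseOfData
    opt = struct.pack("<HBBIIIIII", PE32_MAGIC, 14, 0, 0x5000, 0, 0,
                      entry_rva, base_of_code, 0x6000)
    # Windows-specific fields start here: ImageBase, SectionAlignment, FileAlignment;
    # the remaining fields and the 16 data directories are left zeroed for this sample.
    opt += struct.pack("<III", image_base, 0x1000, 0x200)
    opt += b"\x00" * (224 - len(opt))
    # Section header for .text: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # (relocs/linenums zeroed), Characteristics = CODE|EXECUTE|READ
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x5000, 0x1000, 0x5000, 0x400,
                          0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + opt + section


def parse_entry_point(data):
    """Return the header-declared entry point and the section that contains it."""
    if struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # AddressOfEntryPoint and BaseOfCode sit at the same offsets in PE32 and PE32+
    entry_rva, base_of_code = struct.unpack_from("<II", data, opt + 16)
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]   # no BaseOfData in PE32+
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    # Walk the section table to map the entry RVA back to a section and a file offset
    sections = []
    table = opt + size_opt
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, raw_ptr))
    containing = next((s for s in sections if s[1] <= entry_rva < s[1] + s[2]), None)
    return {
        "image_base": image_base,
        "entry_rva": entry_rva,
        "entry_va": image_base + entry_rva,          # what Olly reports as the entry point
        "base_of_code": base_of_code,
        # An entry point outside every section, or outside the code section, is a
        # common sign of a packer or tampered header and deserves a closer look.
        "entry_section": containing[0] if containing else None,
        "entry_file_offset": (containing[3] + entry_rva - containing[1]) if containing else None,
    }


if __name__ == "__main__":
    info = parse_entry_point(build_sample_pe32())
    for key, value in info.items():
        print("%-18s %s" % (key, hex(value) if isinstance(value, int) else value))
```

Run against the constructed sample the script reports entry_va 0x404edd in section .text at file offset 0x42dd. To use it on a real file, replace build_sample_pe32() with the bytes of the file; the header-declared entry is what you compare against the debugger, while the address IDA lands on after its startup-code recognition will generally be somewhere later inside the same code section.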

  5. #5
    Registered User | Join Date: Apr 2011 | Posts: 78 | Blog Entries: 1
    Yes, that's correct Bilbo... there is a start and exit in IDA which take me to those places.

    However, the question is...in future analysis can I just look at IDA and simply start where it tells me to? So for example I wasted 1 or 2 hours looking at the code from the real entry point to WinMain in Olly on this malware sample.

    Thanks
    Arvind
    Reversing articles, primarily from a newbie perspective - http://ardsec.blogspot.com

    Latest article written - http://resources.infosecinstitute.com/author/arvind

  6. #6

    As Above...

    And, of course, I am assuming you are aware that an app can also have multiple entry points, right?

    Have Phun
    Blame Microsoft, get l337 !!

  7. #7
    Registered User | Join Date: Apr 2011 | Posts: 78 | Blog Entries: 1
    Ooops aimless...no not at all... I was always under the impression that an app has 1 entry point only. Packed yes and hidden and you have to find the "real" entry point and then use plugins to dump the "real" executable...but no...I didn't know anything else.

    A quick Google search gives lots of terrible unrelated results... will dig more... If there is a good read you have in mind, though, do drop it in here.

    Thnx
    Arvind
    Reversing articles, primarily from a newbie perspective - http://ardsec.blogspot.com

    Latest article written - http://resources.infosecinstitute.com/author/arvind

  8. #8

    As Above

    You can "begin" your "journey" using the following links:

    http://service1.symantec.com/legal/publishedpatents.nsf/0/FCF9F85991044261882570410057EF6C/$FILE/United%20States%20Patent%206,851,057.htm

    AND

    http://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&ved=0CDcQFjAC&url=http%3A%2F%2Fimpact.crhc.illinois.edu%2Fftp%2Freport%2Fms-thesis-michael-thiems.pdf&ei=Uah9T9uzLMblrAeTlsD2DA&usg=AFQjCNEB_3NwKmEkQoiwaK3fuvhMGml0Mw&sig2=MLhAm1dNXTqhghznpnPzSg

    ALSO

    Download ThinApp461_manual.pdf for a definition of how multiple entry points can be implemented. Note that this is just "one" of the ways in which it can be implemented.

    And so many more....

    Have Phun
    Blame Microsoft, get l337 !!

  9. #9
    Registered User | Join Date: Apr 2011 | Posts: 78 | Blog Entries: 1
    Awesome, thanks. I will go through all of these in time. You guys rock.
    Reversing articles, primarily from a newbie perspective - http://ardsec.blogspot.com

    Latest article written - http://resources.infosecinstitute.com/author/arvind
