How to find YP's OEP
Hey Guys
Been working on unpacking a YP 1.03 .DLL lately. I've been following a tutorial as I did not want to reinvent the wheel for that packer :) Can somebody explain to me how to find the OEP for a YP 1.03 packed .dll? The unpacking process went quite fine, but I dumped it while the thread was stopped after BP'ing on the .code section. Now I have the dumped file but no OEP... I tried comparing it with other dlls to see if I could match the entry code but no luck :( Furthermore: YP has an anti-dump trick. I wondered how this 'trick' works? I mean when you dump normally you get a packed dump. Does this mean that the dll repacks itself after every method in the dll has been called or something?? I'm really confused here :) Any info on these 2 subjects would be great :)
To find the OEP you'd better check the value on the stack at the BP on GetTickCount, when the debugger stops the second time (with the GetTickCount BP). ;)
Suddenly, thanks for your answer... I tried your solution but I cannot find the OEP using it. Maybe you could describe your method in more detail? Are you sure it works for the latest Yoda's Protector?
The OEP is stored at [esp+10] after the second return from GetTickCount.
The OEP is usually stored with "ror oep, 7", so you can get the real OEP with "rol [esp+10], 7" ;) Of course the value 7 depends on your case; if you try some other number you may find the OEP easily. If you have a problem, feel free to let me know. Regards
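The recovery step described in the reply above, as an added worked example (not code from the poster or from any unpacking tutorial): read the dword at [esp+10] from a stack snapshot, undo the rotation with a 32-bit rol, and, when the rotation count is not 7, brute-force every count and keep only results that land inside the DLL's .text section. Assumptions: the "+10" is hexadecimal (0x10) as OllyDbg displays it; the DLL base 0x10000000, the .text range 0x10001000-0x10010000, the real OEP 0x10001234 and the stack bytes are all constructed for the demo.

```python
import struct

MASK32 = 0xFFFFFFFF


def ror32(value, count):
    """32-bit rotate right, same semantics as x86 `ror reg32, count`."""
    count %= 32
    value &= MASK32
    return ((value >> count) | (value << (32 - count))) & MASK32


def rol32(value, count):
    """32-bit rotate left, same semantics as x86 `rol reg32, count`."""
    count %= 32
    value &= MASK32
    return ((value << count) | (value >> (32 - count))) & MASK32


def read_dword(stack, offset):
    """Read the little-endian dword at [esp+offset] from a raw stack snapshot."""
    return struct.unpack_from("<I", stack, offset)[0]


def recover_oep(stack, count=7, offset=0x10):
    """The reply's recipe: rol [esp+0x10], count (count=7 by default)."""
    return rol32(read_dword(stack, offset), count)


def candidate_oeps(stored, text_start, text_end):
    """When the rotation count is unknown, try all 32 left rotations.

    rol by r for r in 0..31 covers every possible rotation in either
    direction (a stored `rol oep, r` is undone by rol (32 - r)).  Only
    results that fall inside .text are plausible entry points.
    """
    hits = []
    for r in range(32):
        v = rol32(stored, r)
        if text_start <= v < text_end:
            hits.append((r, v))
    return hits


# Constructed values for a hypothetical DLL loaded at 0x10000000 whose
# .text section spans RVA 0x1000..0x10000.  Real OEP chosen as 0x10001234;
# 0x68200024 is ror32(0x10001234, 7), the value YP would leave on the stack.
TEXT_START = 0x10001000
TEXT_END = 0x10010000
REAL_OEP = 0x10001234
STORED_OEP = 0x68200024

# Constructed stack snapshot "after the second GetTickCount return":
# four unrelated dwords at esp..esp+0xC, then the rotated OEP at esp+0x10.
SAMPLE_STACK = struct.pack("<5I", 0x0012FF80, 0x00000000, 0x7C800000,
                           0x10000000, STORED_OEP)

if __name__ == "__main__":
    print("stored dword at [esp+0x10]: 0x%08X" % read_dword(SAMPLE_STACK, 0x10))
    print("rol 7                    : 0x%08X" % recover_oep(SAMPLE_STACK))
    for r, v in candidate_oeps(STORED_OEP, TEXT_START, TEXT_END):
        print("rotation %2d -> 0x%08X (inside .text)" % (r, v))
```

If more than one rotation count yields an address inside .text, check each candidate in the dump: a genuine compiler entry stub (for example a DllMain prologue) is usually easy to recognise against the alternatives.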