Old 01-16-2005, 19:29
crkelbery
 
OEP in Visual C++ 6.0 packed programs

Find OEP in Visual C++ 6.0 packed programs

Let's say you have a packed exe which originally was a Microsoft Visual C++ 6.0 program.

Let's run it.

Start your favourite dumper, select the process and dump it. The unpacked exe will not run, of course, but you'll be able to get its OEP easily:


Start HIEW and look for this pattern:

[HIEW search dialog: ASCII "WU", Hex: 57 55 FC]

you'll find it here:

.0045F984: 55 push ebp<<<IMPORTANT ADDRESS
.0045F985: 8BEC mov ebp,esp
.0045F987: 83EC08 sub esp,008 ;" "
.0045F98A: 53 push ebx
.0045F98B: 56 push esi
.0045F98C: 57 push edi
.0045F98D: 55 push ebp <<< HERE THEY ARE
.0045F98E: FC cld <<< (57 55 FC)
.0045F98F: 8B5D0C mov ebx,[ebp][0000C]
.0045F992: 8B4508 mov eax,[ebp][00008]
.0045F995: F7400406000000 test d,[eax][00004],000000006 ;"
.0045F99C: 0F8582000000 jne .00045FA24 -------- (1)
.0045F9A2: 8945F8 mov [ebp][-0008],eax
.0045F9A5: 8B4510 mov eax,[ebp][00010]
.0045F9A8: 8945FC mov [ebp][-0004],eax
.0045F9AB: 8D45F8 lea eax,[ebp][-0008]

Take a look at the beginning of the routine. Write the address:
.0045F984: 55 push ebp <<< IMPORTANT ADDRESS


Take the bytes in reverse order and search for them:

[HIEW search dialog: Hex: 84 F9 45 00]


You'll find them... and the OEP is some bytes higher up:

.00459ACD: 55 push ebp <<< THE OEP!
.00459ACE: 8BEC mov ebp,esp
.00459AD0: 6AFF push 0FF
.00459AD2: 6838FB4800 push 00048FB38 ;" H?"
.00459AD7: 6884F94500 push 00045F984 <<< THE ADDRESS
.00459ADC: 64A100000000 mov eax,fs:[000000000]
.00459AE2: 50 push eax
.00459AE3: 64892500000000 mov fs:[000000000],esp
.00459AEA: 83EC58 sub esp,058 ;"X"
.00459AED: 53 push ebx
.00459AEE: 56 push esi
.00459AEF: 57 push edi
.00459AF0: 8965E8 mov [ebp][-0018],esp
.00459AF3: FF152C834800 call GetVersion ;KERNEL32.dll


OEP: 459ACD

That's it.
If the bytes in the OEP zone have been stolen by the packer, this method will not help you to find the OEP.
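The procedure above, automated over a dump, as an added example that is not part of the original post. It assumes the dump is a flat memory image in which file offset = VA - image base (no PE header parsing), and it uses the two byte signatures visible in the listings: the handler routine prologue 55 8B EC 83 EC 08 53 56 57 55 FC (which contains the 57 55 FC the HIEW search looks for) and the CRT entry stub prologue 55 8B EC 6A FF 68. The sample image, the addresses and the decoy copy of the address in a data table are constructed to match the post. The check that the little-endian address is the immediate of a `push` sitting exactly 10 bytes after a `55 8B EC 6A FF 68` prologue is what rules out stray hits on the same four bytes elsewhere in the image.

```python
"""Locate the OEP of a dumped MSVC 6.0 executable by following the reference to
the CRT exception-handler routine, as described in the post (added example)."""
import struct
from typing import List, Optional

# Prologue of the CRT exception-handler routine shown in the first listing:
# push ebp / mov ebp,esp / sub esp,8 / push ebx / push esi / push edi / push ebp / cld
HANDLER_PROLOGUE = bytes.fromhex("558BEC83EC0853565755FC")

# Prologue of the MSVC6 CRT entry stub shown in the second listing:
# push ebp / mov ebp,esp / push -1 / push imm32 ...
ENTRY_PROLOGUE = bytes.fromhex("558BEC6AFF68")

# The 'push <handler>' instruction sits 1+2+2+5 = 10 bytes after the stub's first byte
# (in the listing: OEP 459ACD, 'push 45F984' at 459AD7).
PUSH_HANDLER_OFFSET = 10


def find_handler(image: bytes, base: int) -> Optional[int]:
    """Return the VA of the handler routine, i.e. the 'IMPORTANT ADDRESS' of the post."""
    idx = image.find(HANDLER_PROLOGUE)
    return None if idx < 0 else base + idx


def find_oep_candidates(image: bytes, base: int, handler_va: int) -> List[int]:
    """Search for the handler address in little-endian order (the 'reverse order'
    HIEW search) and keep only hits that are the immediate of a 'push' placed
    where the entry stub would place it, with the stub prologue in front of it."""
    needle = b"\x68" + struct.pack("<I", handler_va)   # push imm32 <handler_va>
    found = []
    pos = image.find(needle)
    while pos >= 0:
        stub = pos - PUSH_HANDLER_OFFSET
        if stub >= 0 and image[stub:stub + len(ENTRY_PROLOGUE)] == ENTRY_PROLOGUE:
            found.append(base + stub)
        pos = image.find(needle, pos + 1)
    return found


def find_oep(image: bytes, base: int) -> Optional[int]:
    """Full procedure: handler prologue -> its VA -> push of that VA -> stub start."""
    handler_va = find_handler(image, base)
    if handler_va is None:
        return None   # no recognisable handler, e.g. the packer stole those bytes
    cands = find_oep_candidates(image, base, handler_va)
    return cands[0] if cands else None


def build_sample_image(base: int = 0x400000, size: int = 0x60000) -> bytes:
    """Constructed flat image reproducing the addresses of the post (not a real dump)."""
    img = bytearray(size)
    handler_va, oep_va = 0x45F984, 0x459ACD
    img[handler_va - base:handler_va - base + len(HANDLER_PROLOGUE)] = HANDLER_PROLOGUE
    # entry stub: push ebp / mov ebp,esp / push -1 / push 48FB38 / push 45F984 / mov eax,fs:[0]
    stub = (ENTRY_PROLOGUE + struct.pack("<I", 0x48FB38)
            + b"\x68" + struct.pack("<I", handler_va) + bytes.fromhex("64A100000000"))
    img[oep_va - base:oep_va - base + len(stub)] = stub
    # decoy: the same four address bytes stored in a data table, not as a push immediate
    img[0x10000:0x10004] = struct.pack("<I", handler_va)
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    handler = find_handler(image, 0x400000)
    print(f"handler routine at {handler:08X}")
    oep = find_oep(image, 0x400000)
    print(f"OEP: {oep:X}" if oep else "OEP not found (bytes stolen?)")
```

On a real dump, replace `build_sample_image()` with the file contents and the base the dumper reported; if the dumper wrote raw sections rather than a flat image, convert offsets through the section table first, otherwise the VA arithmetic is wrong.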