#1
OEP in Visual C++ 6.0 packed programs
Let's say you have a packed exe which originally was a Microsoft Visual C++ 6.0 program. Let's run it. Start your favourite dumper, select the process and dump it. The unpacked exe will not run, of course, but you'll be able to get its OEP easily. Start HIEW and look for this pattern:

HIEW search (Forward / Full), Hex: 57 55 FC

You'll find it here:

.0045F984: 55             push ebp            <<< IMPORTANT ADDRESS
.0045F985: 8BEC           mov ebp,esp
.0045F987: 83EC08         sub esp,008
.0045F98A: 53             push ebx
.0045F98B: 56             push esi
.0045F98C: 57             push edi
.0045F98D: 55             push ebp            <<< HERE
.0045F98E: FC             cld                 <<< THEY
.0045F98F: 8B5D0C         mov ebx,[ebp][0000C] <<< ARE
.0045F992: 8B4508         mov eax,[ebp][00008]
.0045F995: F7400406000000 test d,[eax][00004],000000006
.0045F99C: 0F8582000000   jne .00045FA24 -------- (1)
.0045F9A2: 8945F8         mov [ebp][-0008],eax
.0045F9A5: 8B4510         mov eax,[ebp][00010]
.0045F9A8: 8945FC         mov [ebp][-0004],eax
.0045F9AB: 8D45F8         lea eax,[ebp][-0008]

Take a look at the beginning of the routine. Write down the address:

.0045F984: 55             push ebp            <<< IMPORTANT ADDRESS

Take the bytes in reverse order and search for them:

HIEW search (Forward / Full), Hex: 84 F9 45 00

You'll find them... and the OEP is some bytes upper:

.00459ACD: 55             push ebp            <<< THE OEP!!!!
.00459ACE: 8BEC           mov ebp,esp
.00459AD0: 6AFF           push 0FF
.00459AD2: 6838FB4800     push 00048FB38
.00459AD7: 6884F94500     push 00045F984      <<< THE ADDRESS
.00459ADC: 64A100000000   mov eax,fs:[000000000]
.00459AE2: 50             push eax
.00459AE3: 64892500000000 mov fs:[000000000],esp
.00459AEA: 83EC58         sub esp,058
.00459AED: 53             push ebx
.00459AEE: 56             push esi
.00459AEF: 57             push edi
.00459AF0: 8965E8         mov [ebp][-0018],esp
.00459AF3: FF152C834800   call GetVersion     ;KERNEL32.dll

OEP: 459ACD

That's it. If the bytes in the OEP zone have been stolen by the packer, this method will not help you to find the OEP.
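The two-step HIEW search described in the post (find the routine that contains `57 55 FC`, then search for its address as little-endian bytes and check the prologue a few bytes above the hit), written out as a script. This is an added example, not code from the original post or from HIEW. It runs over a constructed PE32 dump that is built inline: the handler and OEP addresses are the ones from the post's listing, while the PE header layout, the section table and the decoy stub are assumptions made for the test image. File offsets are mapped to virtual addresses through the section table, so it works whether or not the dumper set raw offsets equal to RVAs.

```python
import re
import struct

# Prologue of the VC6 CRT's _except_handler3, the routine the post finds by
# searching HIEW for "57 55 FC":
#   push ebp / mov ebp,esp / sub esp,8 / push ebx / push esi / push edi /
#   push ebp / cld / mov ebx,[ebp+0Ch]
HANDLER_PROLOGUE = bytes.fromhex("558BEC83EC0853565755FC8B5D0C")

# Prologue of the VC6 CRT's (Win)mainCRTStartup, i.e. the OEP shape in the post:
#   push ebp / mov ebp,esp / push -1 / push <scopetable> / push <handler> / mov eax,fs:[0]
# The pushed handler address occupies bytes OEP+11 .. OEP+14.
STARTUP_RE = re.compile(
    rb"\x55\x8B\xEC\x6A\xFF\x68(.{4})\x68(.{4})\x64\xA1\x00\x00\x00\x00", re.DOTALL
)
HANDLER_PUSH_OFFSET = 11


def parse_sections(image):
    """Return (image_base, [(rva, vsize, raw_ptr, raw_size), ...]) from a PE32 header."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        vsize, rva, raw_size, raw_ptr = struct.unpack_from("<IIII", image, hdr + 8)
        sections.append((rva, vsize, raw_ptr, raw_size))
    return image_base, sections


def offset_to_va(off, image_base, sections):
    """File offset -> virtual address via the section table (None if in no section)."""
    for rva, _vsize, raw_ptr, raw_size in sections:
        if raw_ptr <= off < raw_ptr + raw_size:
            return image_base + rva + (off - raw_ptr)
    return None


def find_oep_candidates(image):
    """Automate the post's HIEW procedure: locate _except_handler3, search for its
    VA as little-endian bytes, and accept a hit only if a CRT-startup prologue
    sits exactly HANDLER_PUSH_OFFSET bytes above it."""
    image_base, sections = parse_sections(image)
    found = []
    for m in re.finditer(re.escape(HANDLER_PROLOGUE), image):
        handler_va = offset_to_va(m.start(), image_base, sections)
        if handler_va is None:
            continue
        for xref in re.finditer(re.escape(struct.pack("<I", handler_va)), image):
            start = xref.start() - HANDLER_PUSH_OFFSET
            if start >= 0 and STARTUP_RE.match(image, start):
                found.append(offset_to_va(start, image_base, sections))
    return found


def build_sample_dump():
    """Constructed test image (not a real binary): a PE32 with one .text section,
    base 0x400000, the post's handler at 0x45F984 and OEP at 0x459ACD, plus a
    decoy stub with the same prologue whose pushed handler is not _except_handler3."""
    image_base, sec_rva, raw_ptr = 0x400000, 0x1000, 0x400
    raw_size = 0x60000 - sec_rva                       # covers RVAs 0x1000..0x5FFFF
    img = bytearray(raw_ptr + raw_size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)            # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x14C, 1)       # Machine = i386, NumberOfSections = 1
    struct.pack_into("<H", img, 0x84 + 16, 0xE0)       # SizeOfOptionalHeader (PE32)
    opt = 0x84 + 20
    struct.pack_into("<H", img, opt, 0x10B)            # PE32 magic
    struct.pack_into("<I", img, opt + 28, image_base)  # ImageBase
    sec = opt + 0xE0
    img[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sec + 8, raw_size, sec_rva, raw_size, raw_ptr)

    def place(va, data):
        off = raw_ptr + (va - image_base - sec_rva)
        img[off:off + len(data)] = data

    place(0x45F984, HANDLER_PROLOGUE)
    # push ebp / mov ebp,esp / push -1 / push 48FB38h / push 45F984h / mov eax,fs:[0]
    place(0x459ACD, bytes.fromhex("558BEC6AFF6838FB480068")
          + struct.pack("<I", 0x45F984) + bytes.fromhex("64A100000000"))
    # decoy: same shape, but the pushed "handler" (0x401234) is not _except_handler3
    place(0x401000, bytes.fromhex("558BEC6AFF680000000068")
          + struct.pack("<I", 0x401234) + bytes.fromhex("64A100000000"))
    return bytes(img)


if __name__ == "__main__":
    for va in find_oep_candidates(build_sample_dump()):
        print(f"OEP candidate: {va:08X}")
```

The cross-check (a startup prologue must sit exactly eleven bytes above the address hit) is what rejects the decoy stub and any random occurrence of the four address bytes. It also reproduces the post's caveat: if the packer has stolen the first bytes at the OEP, the address reference is still found but the prologue check fails and nothing is reported.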
#2
I don't know if here is the right place for this thread or not; I think you should post it in 'Windows cracking Tutorials'. But you can find the OEP with a small program like PEiD, can't you? Sincerely yours
#3
I could write any program in VC++ (any version) and you will not find the constant bytes... I only give a simple MASM-compiled object as entry to the WinMain VC++ function, and your method will fail..
Btw, in manual methods a good method is to find a GetModuleHandle or a HeapCreate/HeapAlloc in VC; you can use other APIs that appear in the entry procedure to find the OEP manually.
#4
"in manual methods a good method is to find a GetModuleHandle"

This is absolutely true. For example: look for the address where the GetModuleHandleA address is stored. With Olly > Find References... Let's suppose Olly finds 6 different places. Double click and look upper... It's easy to recognize the good place:

004913F0  55                PUSH EBP                          <<<<<<< 
004913F1  8BEC              MOV EBP,ESP
004913F3  6A FF             PUSH -1
004913F5  68 68FB4C00       PUSH INSTALL_.004CFB68
004913FA  68 A0764900       PUSH INSTALL_.004976A0
004913FF  64:A1 00000000    MOV EAX,DWORD PTR FS:[0]
00491405  50                PUSH EAX
00491406  64:8925 00000000  MOV DWORD PTR FS:[0],ESP
0049140D  83EC 58           SUB ESP,58
00491410  53                PUSH EBX
00491411  56                PUSH ESI
00491412  57                PUSH EDI
00491413  8965 E8           MOV DWORD PTR SS:[EBP-18],ESP
00491416  FF15 C0924B00     CALL DWORD PTR DS:[4B92C0]        ; KERNEL32.GetVersion
0049141C  33D2              XOR EDX,EDX
0049141E  8AD4              MOV DL,AH
00491420  8915 146F5100     MOV DWORD PTR DS:[516F14],EDX
00491426  8BC8              MOV ECX,EAX
00491428  81E1 FF000000     AND ECX,0FF
0049142E  890D 106F5100     MOV DWORD PTR DS:[516F10],ECX
00491434  C1E1 08           SHL ECX,8
00491437  03CA              ADD ECX,EDX
00491439  890D 0C6F5100     MOV DWORD PTR DS:[516F0C],ECX
0049143F  C1E8 10           SHR EAX,10
00491442  A3 086F5100       MOV DWORD PTR DS:[516F08],EAX
00491447  6A 01             PUSH 1
00491449  E8 D64F0000       CALL INSTALL_.00496424
0049144E  59                POP ECX
0049144F  85C0              TEST EAX,EAX
00491451  75 08             JNZ SHORT INSTALL_.0049145B
00491453  6A 1C             PUSH 1C
00491455  E8 C3000000       CALL INSTALL_.0049151D
0049145A  59                POP ECX
0049145B  E8 AC3D0000       CALL INSTALL_.0049520C
00491460  85C0              TEST EAX,EAX
00491462  75 08             JNZ SHORT INSTALL_.0049146C
00491464  6A 10             PUSH 10
00491466  E8 B2000000       CALL INSTALL_.0049151D
0049146B  59                POP ECX
0049146C  33F6              XOR ESI,ESI
0049146E  8975 FC           MOV DWORD PTR SS:[EBP-4],ESI
00491471  E8 46740000       CALL INSTALL_.004988BC
00491476  FF15 B8914B00     CALL DWORD PTR DS:[4B91B8]        ; KERNEL32.GetCommandLineA
0049147C  A3 14865100       MOV DWORD PTR DS:[518614],EAX
00491481  E8 04730000       CALL INSTALL_.0049878A
00491486  A3 D06E5100       MOV DWORD PTR DS:[516ED0],EAX
0049148B  E8 AD700000       CALL INSTALL_.0049853D
00491490  E8 EF6F0000       CALL INSTALL_.00498484
00491495  E8 4E110000       CALL INSTALL_.004925E8
0049149A  8975 D0           MOV DWORD PTR SS:[EBP-30],ESI
0049149D  8D45 A4           LEA EAX,DWORD PTR SS:[EBP-5C]
004914A0  50                PUSH EAX
004914A1  FF15 E8914B00     CALL DWORD PTR DS:[4B91E8]        ; KERNEL32.GetStartupInfoA
004914A7  E8 806F0000       CALL INSTALL_.0049842C
004914AC  8945 9C           MOV DWORD PTR SS:[EBP-64],EAX
004914AF  F645 D0 01        TEST BYTE PTR SS:[EBP-30],1
004914B3  74 06             JE SHORT INSTALL_.004914BB
004914B5  0FB745 D4         MOVZX EAX,WORD PTR SS:[EBP-2C]
004914B9  EB 03             JMP SHORT INSTALL_.004914BE
004914BB  6A 0A             PUSH 0A
004914BD  58                POP EAX
004914BE  50                PUSH EAX
004914BF  FF75 9C           PUSH DWORD PTR SS:[EBP-64]
004914C2  56                PUSH ESI
004914C3  56                PUSH ESI
004914C4  FF15 D4924B00     CALL DWORD PTR DS:[4B92D4]        ; INSTALL_.0052016F  <<< GetModuleHandleA

Thanks for the two answers. Anyway, I didn't mean the method I suggested to be an always-working method, but I guess it's nice trying to look for different patterns... we don't know when they can be useful, do we?