Old 01-16-2005, 19:29
crkelbery
 
OEP in Visual C++ 6.0 packed programs

Find OEP in Visual C++ 6.0 packed programs

Let's say you have a packed exe which originally was a:
Microsoft Visual C++ 6.0 program.

Let's run it.

Start your favourite dumper, select the process and
dump it. The unpacked exe will not run of course, but you'll be able to get its OEP easily:


Start HIEW and look for this pattern:

HIEW search [Forward /Full]
  ASCII: WU.
  Hex:   57 55 FC

you'll find it here:

.0045F984: 55                push ebp                    <<< IMPORTANT ADDRESS
.0045F985: 8BEC              mov ebp,esp
.0045F987: 83EC08            sub esp,008
.0045F98A: 53                push ebx
.0045F98B: 56                push esi
.0045F98C: 57                push edi
.0045F98D: 55                push ebp                    <<< HERE
.0045F98E: FC                cld                         <<< THEY ARE
.0045F98F: 8B5D0C            mov ebx,[ebp][0000C]
.0045F992: 8B4508            mov eax,[ebp][00008]
.0045F995: F7400406000000    test d,[eax][00004],000000006
.0045F99C: 0F8582000000      jne .00045FA24 -------- (1)
.0045F9A2: 8945F8            mov [ebp][-0008],eax
.0045F9A5: 8B4510            mov eax,[ebp][00010]
.0045F9A8: 8945FC            mov [ebp][-0004],eax
.0045F9AB: 8D45F8            lea eax,[ebp][-0008]

Take a look at the beginning of the routine. Write down the address:
.0045F984: 55                push ebp                    <<< IMPORTANT ADDRESS


Take the bytes in reverse order and search for them:

HIEW search [Forward /Full]
  Hex:   84 F9 45 00


You'll find them... and the OEP is some bytes above:

.00459ACD: 55                push ebp                    <<< THE OEP!!!!
.00459ACE: 8BEC              mov ebp,esp
.00459AD0: 6AFF              push 0FF
.00459AD2: 6838FB4800        push 00048FB38
.00459AD7: 6884F94500        push 00045F984              <<< THE ADDRESS
.00459ADC: 64A100000000      mov eax,fs:[000000000]
.00459AE2: 50                push eax
.00459AE3: 64892500000000    mov fs:[000000000],esp
.00459AEA: 83EC58            sub esp,058
.00459AED: 53                push ebx
.00459AEE: 56                push esi
.00459AEF: 57                push edi
.00459AF0: 8965E8            mov [ebp][-0018],esp
.00459AF3: FF152C834800      call GetVersion             ;KERNEL32.dll


OEP: 459ACD

That's it.
If the bytes in the OEP zone have been stolen by the packer, this method will not help you to find the OEP.
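The two HIEW searches in the post can be automated. The script below is an added example, not part of crkelbery's post or of any dumper or HIEW: it takes a flat memory image of the dumped process (assumption: the dumper realigned sections so that file offset == RVA, i.e. VA = image_base + offset; if your dump kept the original raw alignment, translate offsets through the section headers first), locates the routine whose prologue contains the `57 55 FC` bytes, searches for its address pushed as a little-endian immediate, and checks that the bytes around that push look like the VC6 startup prologue shown at the OEP in the post (`55 8B EC 6A FF 68 xx xx xx xx 68 <handler> 64 A1 00 00 00 00`). The sample image is constructed inline to mirror the post's addresses (handler at 0045F984, OEP at 00459ACD) and is not a real dump. The second run overwrites the first instructions at the OEP to show the failure mode the post warns about: the handler reference is still found, but no OEP is reported and the candidate locations are returned for manual inspection.

```python
import struct

# Prologue of the routine the post finds with the HIEW search "57 55 FC":
#   55 8B EC 83 EC 08 53 56 57 55 FC 8B 5D 0C
SEH_HANDLER_PROLOGUE = bytes.fromhex("558BEC83EC08535657" "55FC8B5D0C")

# VC6 startup code at the OEP, as shown in the post's second listing:
#   55              push ebp
#   8B EC           mov  ebp,esp
#   6A FF           push 0FF
#   68 xx xx xx xx  push <scope table>
#   68 <handler>    push <handler routine>   (the "reversed bytes" search)
#   64 A1 00 00 00 00  mov eax,fs:[0]
STARTUP_HEAD = bytes.fromhex("558BEC6AFF68")
STARTUP_AFTER_PUSH = bytes.fromhex("64A100000000")
HANDLER_IMM_OFFSET = 11   # OEP + 11 is where the handler address immediate sits


def find_all(haystack, needle):
    """Yield every offset at which needle occurs in haystack."""
    pos = haystack.find(needle)
    while pos != -1:
        yield pos
        pos = haystack.find(needle, pos + 1)


def find_oep(image, image_base):
    """Apply the post's method to a flat image (offset == RVA, assumed).

    Returns a dict: 'handler_va' (None if the prologue is absent),
    'handler_refs' (every VA where the little-endian handler address occurs)
    and 'oep' (None when no startup prologue surrounds such a reference,
    e.g. because the packer stole the bytes at the OEP).
    """
    result = {"handler_va": None, "handler_refs": [], "oep": None}
    off = image.find(SEH_HANDLER_PROLOGUE)
    if off == -1:
        return result
    handler_va = image_base + off
    result["handler_va"] = handler_va

    needle = struct.pack("<I", handler_va)   # "the bytes in reverse order"
    for p in find_all(image, needle):
        result["handler_refs"].append(image_base + p)
        start = p - HANDLER_IMM_OFFSET
        if start < 0 or result["oep"] is not None:
            continue
        head_ok = image[start:start + len(STARTUP_HEAD)] == STARTUP_HEAD
        push_ok = image[p - 1:p] == b"\x68"
        tail_ok = image[p + 4:p + 4 + len(STARTUP_AFTER_PUSH)] == STARTUP_AFTER_PUSH
        if head_ok and push_ok and tail_ok:
            result["oep"] = image_base + start
    return result


def build_sample_dump(image_base=0x400000, steal_oep_bytes=False):
    """Constructed flat image (not a real dump) laid out like the post's
    listings: handler at VA 0x45F984, startup code at VA 0x459ACD."""
    image = bytearray(0x60000)
    handler_off = 0x45F984 - image_base
    image[handler_off:handler_off + len(SEH_HANDLER_PROLOGUE)] = SEH_HANDLER_PROLOGUE
    startup = (STARTUP_HEAD + struct.pack("<I", 0x48FB38)
               + b"\x68" + struct.pack("<I", 0x45F984) + STARTUP_AFTER_PUSH)
    oep_off = 0x459ACD - image_base
    image[oep_off:oep_off + len(startup)] = startup
    if steal_oep_bytes:
        # Emulate a packer that moved the first instructions at the OEP away
        image[oep_off:oep_off + 5] = b"\x90" * 5
    return bytes(image)


if __name__ == "__main__":
    for stolen in (False, True):
        r = find_oep(build_sample_dump(steal_oep_bytes=stolen), 0x400000)
        print("stolen bytes:", stolen)
        print("  handler routine :", hex(r["handler_va"]) if r["handler_va"] else None)
        print("  references      :", [hex(v) for v in r["handler_refs"]])
        print("  OEP             :", hex(r["oep"]) if r["oep"] else "not found, inspect references")
```

Run it against a real dump by replacing `build_sample_dump()` with the file contents and the image base reported by your dumper; when `oep` comes back as None but `handler_refs` is non-empty, open those addresses in HIEW, since that is exactly the stolen-bytes case the post describes.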