This method of hacnho can only be applied to a small and simple packed exe. OllyDbg will fail when tracing a large, complex exe. For example, I downloaded FSG 1.0 from this site (ExeTools), packed Stud_PE and traced it with OllyDbg. It failed to find the OEP.
We can use PEiD to find the OEP. PEiD will find the correct OEP of the packed Stud_PE. The "PEiD Generic Unpacker" plugin of PEiD can automatically unpack the FSG 1.0 packed EXE. However, PEiD will sometimes fail on a packed console EXE.
Another way is the same as JMI's way: use OllyDump to find the OEP with "Find OEP by Section Hop (xxx)", but it takes a long time.
QUnpack by FEUERRADER can find the correct OEP of the packed Stud_PE, but it failed when unpacking.
With the OEP found, you can he or bp on it, dump with OllyDump and rebuild IAT with ImpRec.
I am looking for a manual way to find the OEP of an FSG 1.0 packed exe. If I succeed, I will post the information here.
Regards