#1
How to find YP's OEP
Hey Guys
Been working on unpacking a YP 1.03 .DLL lately. I've been following a tutorial as I did not want to reinvent the wheel for that packer. Can somebody explain to me how to find the OEP for a YP 1.03 packed .dll? The unpacking process went quite fine, but I dumped it while the thread was stopped after BP'ing on the .code section. Now I have the dumped file but no OEP... I tried comparing it with other DLLs to see if I could match the entry code, but no luck.

Furthermore: YP has an anti-dump trick. I wondered how this 'trick' works? I mean, when you dump normally you get a packed dump. Does this mean that the dll repacks itself after every method in the dll has been called or something? I'm really confused here.

Any info on these 2 subjects would be great.
#2
To find the OEP u'd better check the value of the stack at the BP on GetTickCount, when the debugger stops the second time (with the GetTickCount BP).
#3
Suddenly, thanks for your answer... I tried your solution but I cannot find the OEP using it. Maybe you could describe your method in more detail? Are you sure it works for the latest yoda's protector?
#4
The OEP is stored to [esp+10] after the return of the second call to GetTickCount.
The OEP is usually stored with "ror oep, 7", so u can get the real OEP with "rol [esp+10], 7". Of course the value 7 is dependent on u. When u try some other numbers, u may find the OEP easily. If u have a problem, feel free to let me know. Regards
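The decoding step from post #4, as an added example that is not part of the original thread: it undoes the rotation on the dword read from [esp+10] and, since the rotation count may differ from 7, tries all 32 counts and keeps those that land inside the code section. The function names and the sample image layout are constructed for illustration, and because the thread does not say whether the stored value is a VA or an RVA, both readings are checked.

```python
MASK32 = 0xFFFFFFFF


def rol32(value, count):
    """Rotate a 32-bit value left, like the x86 ROL instruction."""
    count %= 32
    value &= MASK32
    return ((value << count) | (value >> (32 - count))) & MASK32


def ror32(value, count):
    """Rotate a 32-bit value right (the transform the protector applies)."""
    return rol32(value, 32 - (count % 32))


def oep_candidates(stored, image_base, code_rva, code_size):
    """Return (count, address, kind) for each rotation that hits the code section.

    stored     -- dword read from [esp+10] in the debugger
    image_base -- base address the DLL is loaded at
    code_rva   -- RVA of the code section (from the section table)
    code_size  -- virtual size of the code section
    """
    hits = []
    for count in range(32):
        value = rol32(stored, count)
        # Reading 1: the decoded value is already a virtual address.
        if image_base + code_rva <= value < image_base + code_rva + code_size:
            hits.append((count, value, "va"))
        # Reading 2: the decoded value is an RVA relative to the image base.
        elif code_rva <= value < code_rva + code_size:
            hits.append((count, image_base + value, "rva"))
    return hits


# Constructed sample: DLL at 0x10000000, code section at RVA 0x1000,
# size 0x8000, true entry point 0x10001234 stored as "ror oep, 7".
SAMPLE_BASE, SAMPLE_CODE_RVA, SAMPLE_CODE_SIZE = 0x10000000, 0x1000, 0x8000
SAMPLE_STORED = ror32(0x10001234, 7)

if __name__ == "__main__":
    found = oep_candidates(SAMPLE_STORED, SAMPLE_BASE,
                           SAMPLE_CODE_RVA, SAMPLE_CODE_SIZE)
    for count, va, kind in found:
        print(f"rol {count:2d} -> {va:#010x} ({kind})")
```

A single hit is a strong OEP candidate; several hits need to be checked by hand in the disassembly at each address.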