Thread: How to find OEP

  1. #1
    mray
    Guest

    How to find OEP

    Can anyone tell me the method of finding the OEP? I mean, most tutorials will tell you to trace till you see a certain pop or certain call instruction, and say that the EIP is there. What I would like to know is how someone first discovered that the OEP is there. I mean, I realize the packer has to unpack the program first, so its code runs first, but what are some APIs it must call to launch the original program? I mean, is there a certain API call which comes directly after the program has been unpacked? Or how do you all locate the ending of the packer/cryptor?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    DakienDX
    Guest
    Hello mray !

    If you're tracing, the OEP is quite simple to find. Most of the time you jump/return from the protector's code segment to the program's code segment.

    Before starting to trace you should look where the original code segment starts and where it ends. Some packers hide this information and merge anything into one segment. Then you must guess if you jump to the code segment or not. The original program's code will look different than the packer's code, since the unpacker is written in ASM and the program is mostly written in some high level language.
    If more than one packer is used on the program this gets more difficult.
    You must learn to feel what a jump to the OEP looks like. There are no special rules.

    After the OEP of a (high level language) program you usually find a "call" to GetVersionA/GetCommandLineA/GetStartupInfoA or a "call" to __set_app_type/__p__fmode/__p__commode, or no directly visible calls, depending on the compiler used. If you're debugging a Visual Basic program you'll find a "push" instruction followed by a "call" to the library MSVBVM??.DLL and no code after that anymore (it looks like bad opcodes).
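The two heuristics in the reply above (the control transfer from the packer's segment into the original code segment, then a CRT-startup call shortly after it) can be applied mechanically to a recorded instruction trace. The following is an added example, not code from this thread; the section layout, the trace and the address values are constructed sample data, not taken from any real binary.

```python
# Added example: locate an OEP candidate in a constructed instruction trace by
# watching for the control transfer from the packer's section into the original
# code section, then confirm it with the CRT-startup call heuristic from the post.
# Section layout, trace and addresses are constructed sample data, not a real binary.

SECTIONS = {                      # constructed: name -> (start, end) virtual addresses
    ".text": (0x00401000, 0x00410000),   # original program's code segment
    ".pack": (0x00450000, 0x00460000),   # packer's stub (runs first, entry point here)
}

# Startup calls that typically follow the OEP of a high-level-language program.
STARTUP_APIS = {"GetVersion", "GetCommandLineA", "GetStartupInfoA",
                "__set_app_type", "__p__fmode", "__p__commode"}

def section_of(addr):
    """Return the section name containing addr, or None if it is outside every section."""
    for name, (start, end) in SECTIONS.items():
        if start <= addr < end:
            return name
    return None

def find_oep(trace, code_section=".text", window=16):
    """Return (oep, confirmed): oep is the first executed address in code_section
    reached from a different section (the packer's jump/ret); confirmed is True when
    a startup API call appears within `window` instructions after it."""
    prev = None
    for i, (addr, mnemonic, operand) in enumerate(trace):
        cur = section_of(addr)
        if cur == code_section and prev is not None and prev != code_section:
            following = trace[i:i + window]
            confirmed = any(m == "call" and op in STARTUP_APIS for _, m, op in following)
            return addr, confirmed
        prev = cur
    return None, False

# Constructed trace: packer stub decompresses, then jumps to the original code.
SAMPLE_TRACE = [
    (0x00450000, "pushad", ""),
    (0x00450001, "call", "0x00450100"),   # unpacking routine (still in .pack)
    (0x00450100, "rep movsb", ""),
    (0x00450102, "ret", ""),
    (0x00450006, "popad", ""),
    (0x00450007, "jmp", "0x00401234"),    # the tell-tale jump into .text
    (0x00401234, "push", "ebp"),          # OEP: compiler prologue
    (0x00401235, "mov", "ebp, esp"),
    (0x00401237, "call", "GetVersion"),   # CRT startup call confirms it
]

if __name__ == "__main__":
    oep, confirmed = find_oep(SAMPLE_TRACE)
    print(hex(oep), confirmed)            # 0x401234 True
```

A trace in which every executed address stays inside the packer's section yields `(None, False)`, which is the "no transition seen yet, keep tracing" case.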
