
Thread: Generic ways to find OEP

  1. #1
    black_ice
    Guest

    Question help me please

    hi guys

    is there a generic way to find the OEP of packed software??

    please answer me
    even if u have a stupid idea





    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    +SplAj
    Join Date
    Feb 2001
    Location
    Afghanistan, Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria
    Posts
    373

    pack notepad

    The easiest way is to get the packer/protector and use it on notepad.exe

    then BPMB CS:Notepad_OEiP X

    and the last packer's code execution address is shown in the log window. U that and you see the 'signature bytes'. Usually a POPAD or POPFD with a ret or JMP OEIP.......

    Then you find the same sequence in memory for your target.

    (don't use G Notepad_OEiP, it does not show the last execution)
    Carve my name into your arm :)

  3. #3
    Sorry SplAj, but I can't seem to use your trick... condemn me if I am wrong, but is the log window you referred to the command window as well, where we typed our command? I tried bpm OEP on a few programs but it doesn't show the instruction address of the previous instruction...

    I am win2k SP3 with DS 2.6? No icedump loaded... what is wrong?

    Thanks
    crUsAdEr

    P.S.: Kayaker, yep, this is the thread I was thinking of as missing, cos I thought I just saw it for a while, then I went to do something else, and when I came back there were quite a few new threads that had moved on top and I thought the thread was deleted... lesson learnt, should have always scrolled down!!! Sorry about that :>... thanks Kayaker.

  4. #4
    black_ice
    Guest

    Unhappy

    thanks buddy

    I tried this command but it does not work
    can u explain in more detail? it would be better if you tell one target
    u already unpacked this way and how u found the OEP

  5. #5
    foxthree
    Guest

    Yo!

    Hi Crus:

    Sure it does. Take a look at the log window. For ex. I tried bpmb ShowWindow x and when softice breaks, you see in the log window something like this:

    Breakd due to BPMB:ShowWindow DR3
    MSR LastBreakFromIp = XXXXXXX
    MSR LastBreakToIp = XXXXXXXX

    It is the FromIP that is of interest. BTW, how did you think I found all those OEiP sigs for OEPFinder?

    Signed,
    -- FoxThree

  6. #6
    Hmm,

    what version of sice are you guys running? Is there any special setting for sice? I have tried various ways of bpm or bpmb for that matter... the only thing that appears in my log window is
    Breakd due to BPMB:ShowWindow DR3

    Yep, only ONE line above!!! Nothing else??? What is your config FoxThree?

    cheers
    crUsAdEr

  7. #7
    Hi crUsAdEr,
    Most probably you are using an old softice. Try newer versions: bpmb showwindow x
    esther


    Reverse the code,Reverse Your Minds First

  8. #8
    Registered User
    Join Date
    Oct 2001
    Location
    Norway
    Posts
    138

    What?

    I do get the same result as crusader. I'm using the latest Softice (2.4.7). Are there any special settings that need to be set?

    hobgoblin

  9. #9

    Working..

    on DS4.2.7 (build 562), W2K, SP3.
    Not working- Sice 4.0.5, W98.
    Configuration files are installation default.
    Neviens.

  10. #10
    Hi All,
    I'm using win98. Not sure about WinMe or win2k. My sice is ds 2.6

    Regards
    esther


    Reverse the code,Reverse Your Minds First

  11. #11
    evaluator
    Join Date
    Sep 2001
    Posts
    1,524
    Blog Entries
    1
    You, guys, failed to read FUQ..

    What processors you have?!....

  12. #12
    >You, guys, failed to read FUQ..
    >What processors you have?!....

    FUP
    esther


    Reverse the code,Reverse Your Minds First
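
The signature search described in post #2 (a POPAD or POPFD followed by a RET or a JMP to the OEP), as an added example that is not part of the original thread: it scans a dumped stub for those byte sequences and keeps the transfers that land in the original code section. Reading "with a ret" as PUSH imm32; RET is an assumption, and the addresses, section ranges and sample bytes are constructed.

```python
import struct

POP_OPCODES = {0x61: "POPAD", 0x9D: "POPFD"}

def find_tail_jumps(buf, base_va, window=4):
    """Byte-pattern scan (no disassembly, so false positives are possible).
    Returns (va_of_pop, description, target_va) for each POPAD/POPFD that is
    followed within `window` bytes by JMP rel32 or PUSH imm32; RET."""
    hits = []
    for i, b in enumerate(buf):
        if b not in POP_OPCODES:
            continue
        for j in range(i + 1, min(i + 1 + window, len(buf))):
            if buf[j] == 0xE9 and j + 5 <= len(buf):            # JMP rel32
                rel = struct.unpack_from("<i", buf, j + 1)[0]
                target = (base_va + j + 5 + rel) & 0xFFFFFFFF   # relative to next insn
                hits.append((base_va + i, POP_OPCODES[b] + "; JMP", target))
                break
            if buf[j] == 0x68 and j + 6 <= len(buf) and buf[j + 5] == 0xC3:
                target = struct.unpack_from("<I", buf, j + 1)[0]  # PUSH imm32; RET
                hits.append((base_va + i, POP_OPCODES[b] + "; PUSH/RET", target))
                break
    return hits

def oep_candidates(buf, base_va, code_range):
    """Keep only transfers that leave the stub and land in the original code section."""
    lo, hi = code_range
    return [h for h in find_tail_jumps(buf, base_va) if lo <= h[2] < hi]

# --- constructed sample: a fake unpacking stub, not taken from any real packer ---
STUB_VA = 0x0040D000                   # assumed VA of the packer section
CODE_RANGE = (0x00401000, 0x00405000)  # assumed VA range of the original code section

def _jmp32(at_va, target):
    """Encode a JMP rel32 located at at_va (helper for building the sample)."""
    return b"\xE9" + struct.pack("<i", target - (at_va + 5))

SAMPLE = (
    b"\x90\x90\x90"
    + b"\x61" + _jmp32(STUB_VA + 4, 0x00401000)               # POPAD; JMP into code section
    + b"\x61" + _jmp32(STUB_VA + 10, 0x0040D100)              # decoy: POPAD; JMP inside stub
    + b"\x9D\x68" + struct.pack("<I", 0x004010CC) + b"\xC3"   # POPFD; PUSH imm32; RET
)

if __name__ == "__main__":
    for va, kind, target in oep_candidates(SAMPLE, STUB_VA, CODE_RANGE):
        print(f"{va:08X}  {kind:<16} -> candidate OEP {target:08X}")
```

On a real sample, the buffer would be a dump of the packer's section and the code range would come from the PE section headers; each candidate still has to be confirmed in a debugger.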
