View Full Version : Announcement: OEPFinder


foxthree
April 13th, 2002, 21:49
Hi fellow RCEs:

After taking so much from this board, the time has come for me to give something back to it. I hereby present before you a small app - OEPFinder. Using this tool, you can find the Original Entry Point of packed apps with ease and "without any debugger". With this and SuperBPM, you can bid most packers bye bye. It can be downloaded from http://foxthree.cjb.net

However, let me warn you - the tool is nothing great. It was just my attempt at coding something that *could* be useful. Read the "readme.txt" for more details. Comments/+ve Criticisms always gratefully accepted and analyzed.

I would like to thank +SplAj guru, Kayaker, binh81, Evaluator and others at the FraviaMB for making this happen.

In short, "U ROCK GUYS!"

Signed,
-- FoxThree

nikolatesla20
April 13th, 2002, 22:02
Hey pretty cool stuff foxthree, is it written in Delphi? I got Delphi 6 finally and wow it is pretty powerful.

Now if only there was some way to locate the actual OEP from this signature byte without a tracer - like where that jump jumps to... there MUST be a technique we can use. Maybe some sort of program that can "watch" the asprotected app start up or something. Yeah it's pretty tough without "tracing" but even ImpREC doesn't need to run ring0, it seems to be able to work from ring3, although I don't think it's as accurate as revirgin.

Well I'll keep thinking. Nice clean simple app, I like it!

-nt20

h8er
April 14th, 2002, 00:31
The download link doesn't seem to work...

crUsAdEr
April 14th, 2002, 02:19
Nice job, fox3 :>

I like your layout... though I did not thoroughly test it... maybe you should allow users to add signature bytes themselves for future usage? :>>.. just another suggestion...

Keep up the good work!,
Binh

P.S : check your PM.. I have more work for you to do .. lol...

P.P.S : in hindsight...
[ERROR!] An error occurred during ReadProcessMemory. Error Code = 299.
[ERROR!] Scanning Failed! Strange ...
I get this error for attempting to scan anything... so looks like it doesn't support win2k yet :<... mine is win2k SP2 build 2195....

foxthree
April 14th, 2002, 09:50
Hi All:

Tesla: Thanks for your feedback. The App was coded in VC++ 6.0. I've not written programs in Delphi tho' I'm itching to do so of late. Keep your thoughts on and let me know if you come up with something.

Binh: Up to ur usual tricks eh friend. Keep it up!!!!! You've already given me work for the next 3 days. BTW, error code 299 = "Only part of a Read/WriteProcessMemory request was completed." says VC++. Let me test the proggie on Win2K and do a little debugging.

Yeah, I'll definitely think about how to automate finding the "real" OEP. Actually, my work isn't something new. ProcDump had a ring3 tracer which can scan for sig bytes. However, mine *does not* use any tracer (yet).

Thanks and keep the feedback coming.

Signed,
-- FoxThree

foxthree
April 14th, 2002, 16:53
Hello folks:

Just thought I'd keep you guys updated. I've unpacked UPX (latest) 1.20w and ASPack 2.12. I'll add support for them in the upcoming OEPFinder Release.

Signed,
-- FoxThree