
Announcement: OEPFinder v0.3 Tensor Build


foxthree
June 8th, 2002, 16:08
Hello Fellow RCEs:

After a looooong gap, I'm glad to announce the OEPFinder Tensor Build - a brand new release of OEPFinder. This release adds support for Windows 2000 and fixes a lot of nasty bugs on the 2K platform. And thanks to BriteDream, a bug in ASPR apps has been fixed.

You can download the same from hxxp://foxthree.cjb.net.

Please let me know your thoughts and comments.

Hang on for a bunch of new packer sigs to be added shortly

Signed,
-- Foxthree

PS: Thanks to +SplAj guru, CrusAder (hope your exams are going fine) and Kayaker (We'll miss u, great one!)

cyberheg
June 8th, 2002, 20:48
A suggestion could be to make config file or plugin support. I don't say it's useless as it is, but if a new version of an existing packer (or just a new one which isn't added) is released, people are forced to wait for you to update it.

Just a thought...

// CyberHeg

snaker
June 9th, 2002, 05:51
Hi foxthree,

The program is very nice on WIN98...however since you fixed bugs for WIN2K maybe it should work on WINXP as well...however...I couldn't get it to get me a single OEP on WINXP

Always says bad lower base address or scans from [0] to [0]

foxthree
June 9th, 2002, 09:23
Howdy!

Cyberheg:

Yep. Nice point. Actually, Kayaker too pointed it out to me earlier, about having an external signature file so that people can update it. I'll do it, but maybe in the next few releases down the line. Thanks for your tip.

Snaker: Reg. WinXP support. I don't have WinXP installed on any of my machines here so that I can test it out. So, guys using WinXP must either find a Win98/2K box or use other techniques or wait....

Knowing that the third option is a really bad one, try the first or second options....

Signed,
-- FoxThree

PS: RV's tracer is now supporting WinXP maybe you could trace using RV tracer... You can also post the result here reg. the tracer's performance on WinXP

snaker
June 9th, 2002, 10:43
Hmm...

Well foxthree...I hope you can get WINXP soon and find the problems...

Anyways...I don't use REVirgin (sadly...I sure hope tshep isn't reading) coz I'm a firm believer of ImpREC :-)

Anyways...I have made a Generic OEP Finding tool myself...which works on different principles...I will be releasing it with the next release of PEiD...which will perhaps be very soon...



More laters

snaker

foxthree
June 9th, 2002, 18:17
As the subject goes

Signed,
--FoxThree

PS: Will you also be explaining your underlying technique? 'coz I think there are a couple of techniques to find OEiP and OEPFinder uses just one of them

Lbolt99
June 9th, 2002, 19:57
Thanks for the update. Works great.

How about an IATStartFinder?

_Servil_
June 9th, 2002, 21:19
IATEndFinder plz

foxthree
June 10th, 2002, 08:54
LBolt/_Servil_:

Nice. However, I guess that's what RV/ImpREC is there for. You find the OEiP and RV/ImpREC finds the IATStart/End. I could write one IAT Start Finder but then I'd be treading on +Tsehp/Mackt's toes

However, newer plugins for RV/ImpREC ... ah, that's another story altogether

Signed,
-- FoxThree

Lbolt99
June 10th, 2002, 22:02
Hi Fox3,

I know about the IAT finder in RV, although it doesn't seem to work well for some reason. Now this is nothing against RV, quite frankly it blows Imprec to pieces based on my experience, and Tseph has done a great job on it. But for some reason even with the correct OEP I can only get the correct IAT start from RV about 1/3 of the time. Most of the time this is the method I use for ASPR protected stuff:

load app in sice
bpx virtualalloc, with data window view at ds:04001000
hit f5 several times until code changes in window
clear bpx, then bpx getprocaddress, only break once, clear bpx
step thru, ret several times until u get to the IAT decrypt loop

This method works perfectly every time. Courtesy of Kayaker.
It's neat to see how ASPR decrypts the IAT and everything but after 4-5 times it gets kinda old

[QUOTE]Originally posted by foxthree

Nice. However, I guess that's what RV/ImpREC is there for. You find the OEiP and RV/ImpREC finds the IATStart/End. I could write one IAT Start Finder but then I'd be treading on +Tsehp/Mackt's toes

[/QUOTE]

Lbolt99
July 8th, 2002, 15:57
The tensor build fails to find OEP on Three Leaves from Sapphire Games. Also, seems to lock up on BattleJeep from same company (note this game changes screen resolution to 640x480 when running; went to run OEPFinder, started searching for bytes but stopped responding).

FYI the company seems to be gradually "phasing in" ASprotect: some prods are ASprotected (15pack, 3 leaves, bjeep, etc), some ASpacked and one even has UPX! lol

Lbolt99
July 11th, 2002, 20:20
My bad, another error

3leaves is asprotect 1.1 protected, so oepfinder didn't get it b/c it only supports 1.2+.. duh

getprocaddress is the only unresolved import.

Still have the problem with the lockup on battlejeep, though. /tracex will get you to the OEP however, watch for three pre-oep dipz

haec_est
July 17th, 2002, 20:38
Hi,

it seems that OEPFinder 0.3 [Tensor build] searches for signature bytes starting
at image base, but for some programs it may not be the case... especially if
the packer maps that signature at a lower address than image base !!!

example :

Macromedia Director 8.5.1 Trial (Vbox 4.6.2 but signature is the same)

image base : 0x20000000

OEiP : 0x200072F8
iat start : 0x2026F000
iat len : 0x00001158

redirected api : 0x02

Code:

:dd 2026fe80 l 10
001B:2026FE80 0700EB50 0700EBBF 77E3594C 77E359D6 P.......LY.w.Y.w

:u 700eb50 l 1c
001b:0700eb50 e819000000 call 0700eb6e
001b:0700eb55 ff742410 push dword ptr [esp+10]
001b:0700eb59 ff742410 push dword ptr [esp+10]
001b:0700eb5d ff742410 push dword ptr [esp+10]
001b:0700eb61 ff742410 push dword ptr [esp+10]
001b:0700eb65 ff158cc30407 call [USER32!GetMessageA]
001b:0700eb6b c21000 ret 0010

:u 700ebbf l 20
001b:0700ebbf 55 push ebp
001b:0700ebc0 8bec mov ebp,esp
001b:0700ebc2 e8a7ffffff call 0700eb6e
001b:0700ebc7 ff7518 push dword ptr [ebp+18]
001b:0700ebca ff7514 push dword ptr [ebp+14]
001b:0700ebcd ff7510 push dword ptr [ebp+10]
001b:0700ebd0 ff750c push dword ptr [ebp+0c]
001b:0700ebd3 ff7508 push dword ptr [ebp+08]
001b:0700ebd6 ff15d4c30407 call [USER32!PeekMessageA]
001b:0700ebdc 5d pop ebp
001b:0700ebdd c21400 ret 0014

... same as Dreamweaver MX !


OEPFinder says :

Identified Platform: Microsoft Windows 2000 Professional (Build 2195)
Enumerating Processes...
Ready...
Refreshed Process List...
Scanning Process Director.exe [PID = 2EC] for "VBox 4.6.5"...
Scanning memory range : [20000000] to [6F03C000] for OEP Bytes
iMemMap = 166
----> FAILED!: Unable to find OEP byte pattern . Are you sure you chose the right packer?
Scanning Complete...Have a nice day!



while SoftICE says :
Code:

:u e709af l 7
001b:00e709af ffe3 jmp ebx -> jump to OEP
001b:00e709b1 eb01 jmp 00e709b4

obfuscated as :
Code:

001b:00e709ad cd20 int 20 VXDJmp 01EB,63FF

:db e709ab l 10
0010:00E709AB EB 02 CD 20 FF E3 EB 01-EB 8B 55 F8 EB 02 CD 20 ... ......U....

...signature bytes are still there but at a lower address than image base, so better
search in entire memory

regards,

haec_est

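The scan-range problem haec_est describes above (the VBox stub, and with it the `jmp ebx` signature bytes, mapped at 0x00E709AB, far below the 0x20000000 image base, so a scan that starts at image base never sees them), as an added example that is not part of the original thread and not OEPFinder's code. It is a small Python signature scanner over a constructed memory map built from the addresses and bytes quoted in the post; on a live Windows target the region list would come from VirtualQueryEx plus ReadProcessMemory, and the names `scan`, `read_bytes` and `follow_short_jumps` are chosen here, not taken from OEPFinder. It also resolves the `EB 02 / CD 20` junk chain the post shows SoftICE misdisassembling, landing on the real `FF E3`.

```python
"""Signature scan over a process memory map that is NOT limited to
[image base, top of memory).

Added example, not OEPFinder's code. The memory map is constructed from
the addresses and bytes quoted in haec_est's post (image base 0x20000000,
VBox stub bytes at 0x00E709AB). On a live Windows target the Region list
would be filled from VirtualQueryEx + ReadProcessMemory.
"""
from dataclasses import dataclass
from typing import List, Optional

IMAGE_BASE = 0x20000000
# Bytes dumped in the post at 001B:00E709AB ("db e709ab l 10"):
#   EB 02        jmp +2        (skips the junk "CD 20")
#   CD 20        int 20h       (SoftICE shows it as a VxD call; never executed)
#   FF E3        jmp ebx       (the real jump to the OEP)
#   EB 01 ...    more of the same pattern
STUB_BYTES = bytes.fromhex("EB02CD20FFE3EB01EB8B55F8EB02CD20")
STUB_ADDR = 0x00E709AB


@dataclass
class Region:
    """One readable memory region: base address plus its contents."""
    base: int
    data: bytes

    @property
    def end(self) -> int:
        return self.base + len(self.data)


def build_sample_map() -> List[Region]:
    """Constructed stand-in for the target's readable regions (not a real dump)."""
    stub = bytearray(0x1000)                      # packer stub page at 0x00E70000
    off = STUB_ADDR - 0x00E70000
    stub[off:off + len(STUB_BYTES)] = STUB_BYTES
    return [
        Region(0x00E70000, bytes(stub)),          # below the image base
        Region(IMAGE_BASE, b"\xCC" * 0x1000),     # start of the image (filler)
        Region(0x6F000000, b"\x00" * 0x1000),     # some high mapping (filler)
    ]


def parse_pattern(sig: str) -> List[Optional[int]]:
    """'EB 02 ?? ?? FF E3' -> [0xEB, 0x02, None, None, 0xFF, 0xE3]."""
    return [None if tok in ("?", "??") else int(tok, 16) for tok in sig.split()]


def matches_at(data: bytes, i: int, pat: List[Optional[int]]) -> bool:
    """True if data[i:] matches the pattern, None entries being wildcards."""
    return all(p is None or data[i + j] == p for j, p in enumerate(pat))


def scan(regions: List[Region], sig: str, lo: int = 0, hi: int = 1 << 32) -> List[int]:
    """Return every address in [lo, hi) whose bytes match the signature.

    The default window is the whole 32-bit space; lo=IMAGE_BASE reproduces
    the "scan from image base" behaviour that misses the stub.
    """
    pat = parse_pattern(sig)
    hits: List[int] = []
    for r in sorted(regions, key=lambda r: r.base):
        if r.end <= lo or r.base >= hi:
            continue                              # region entirely outside the window
        for i in range(len(r.data) - len(pat) + 1):
            addr = r.base + i
            if lo <= addr < hi and matches_at(r.data, i, pat):
                hits.append(addr)
    return hits


def read_bytes(regions: List[Region], addr: int, n: int) -> Optional[bytes]:
    """Read n bytes at addr, or None if they do not lie inside one region."""
    for r in regions:
        if r.base <= addr and addr + n <= r.end:
            return r.data[addr - r.base: addr - r.base + n]
    return None


def follow_short_jumps(regions: List[Region], addr: int, max_hops: int = 8) -> int:
    """Resolve a chain of 'EB rel8' short jumps to the first real instruction.

    For the post's bytes: E709AB: EB 02 -> E709AF, where FF E3 (jmp ebx) sits.
    """
    for _ in range(max_hops):
        b = read_bytes(regions, addr, 2)
        if b is None or b[0] != 0xEB:
            return addr
        rel = b[1] - 0x100 if b[1] & 0x80 else b[1]   # sign-extend rel8
        addr += 2 + rel
    return addr


if __name__ == "__main__":
    mem = build_sample_map()
    sig = "EB 02 CD 20 FF E3"                     # jmp +2 / junk / jmp ebx
    print("from image base:", [hex(a) for a in scan(mem, sig, lo=IMAGE_BASE, hi=0x6F03C000)])
    print("whole address space:", [hex(a) for a in scan(mem, sig)])
    target = follow_short_jumps(mem, STUB_ADDR)
    print("real jump at", hex(target), read_bytes(mem, target, 2).hex())
```

Scanning `[0x20000000, 0x6F03C000)` returns nothing, exactly the FAILED result quoted above; scanning every readable region finds the pattern at 0x00E709AB, and following the `EB` chain from there lands on the `FF E3` at 0x00E709AF that SoftICE's `u e709af` shows. The wildcard support is there because the two `CD 20` junk bytes are the part of such a stub most likely to change between builds.
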
jefflee
December 6th, 2004, 12:40
foxthree, kick u.
Ur site foxthree.cjb.net prompts me to install a plugin, and I installed,
found it spawned two processes (Oh no, three). It's a virus! Damn.

dELTA
December 6th, 2004, 13:19
The cjb.net redirector service is pushing spyware and has always done so, yes. It does most likely not have anything to do with foxthree's website though. And as a general tip, don't answer yes on strange dialog boxes that pop up on arbitrary websites...

JMI
December 7th, 2004, 07:15
Let's see, nearly two years after the last post in this thread he tries to log on and doesn't have the good sense not to click "yes" when asked to install a plug-in from someone he doesn't know anything about. Duh! You can fool some of the people all of the time.

Regards,

jefflee
December 8th, 2004, 02:50
Quote:
[Originally Posted by dELTA]The cjb.net redirector service is pushing spyware and has always done so, yes. It does most likely not have anything to do with foxthree's website though. And as a general tip, don't answer yes on strange dialog boxes that pop up on arbitrary websites...


Thanks for ur advice. Is cjb.net just a redirector? I don't know. I was prompted that and I couldn't see anything in the page but a sentence saying only if I installed the plugin could I view the page, and I just didn't expect an address published here to contain malicious software. So I chose yes. I guessed it might be some plugin to view some kind of animation or something else.

jefflee
December 8th, 2004, 02:56
Quote:
[Originally Posted by JMI]Let's see, nearly two years after the last post in this thread he tries to log on and doesnt' have the good sense not to click "yes" when asked to install a plug-in from someone he doesn't know anything about. Duh! You can fool some of the people all of the time.

Regards,


Duh. Could u be less cynical? I'm just an ordinary user. I didn't suspect a publisher here so I click "yes". Though it shows to be a misjudgement.
Does two years make much sense? I see many homepages existing several years.

homersux
June 17th, 2005, 16:22
I cannot find oepfinder v0.3 anywhere on the net. I found v0.2 but it does not work very well with a w2k box. Is there a place to get this thing? I need to unpack an asprotect 1.2->1.3 protected target. If you know a better tool, please let me know as well. Thanks!

seven
June 18th, 2005, 03:27
Quote:
when asked to install a plug-in from someone he doesn't know anything about

NO oepfinder v0.3 !!
i just found unknown plugin :
Media Access is free ad delivery software
which provides targeted advertising offers

ACE-ppc
June 18th, 2005, 08:41
hmm .. is there a new download link anywhere ... the cjb redirector is down.