can't find OEP with DUMP Plugin
greg
October 29th, 2003, 09:27
Hello
I read some tuts about "how to use Olly dump".
The tuts are about asprotect protected examples and fsg protected examples,
and it's always like this:
1. Load the exe
2. Plugin->OllyDUMP->Find OEP by ....
3. Wait while Olly is tracing
4. Dump at the OEP
But this method does not work with my Olly.
Olly always says
Thread XXXXXX terminated, trace stopped
and does not stop at the OEP or find the OEP.
My Olly only finds the OEP when I use upx packed examples.
Can somebody help me?
Perhaps I have to change some debugging options, because in the tutorials everything works fine.
Thanks
Ricardo Narvaja
October 29th, 2003, 11:15
In asprotect this method does not work.
1) Go to DEBUGGING OPTIONS-EXCEPTIONS and clear all marks, leave only the first mark.
2) RUN
3) The program stops in exceptions; pass them all with SHIFT + F9.
4) Look at the value of the last exception before the program begins.
5) Repeat the process again, restarting the program, and go to this last exception before the program begins.
6) PASS WITH SHIFT + F7 (NOT F9 at this moment)
7) Go to VIEW-MEMORY and in the code section (STARTS at 401000) put a BREAKPOINT MEMORY ON ACCESS.
8) RUN
9) WHEN THE PROGRAM STOPS AT THE MEMORY BREAKPOINT ON EXECUTION (look in the lower left corner) you are at the entry point, or, if the program has STOLEN BYTES, at the first line executed of the original program.
Ricardo
psyCK0
October 29th, 2003, 11:27
Nice technique Ricardo! How do you recover the stolen bytes?
greg
October 29th, 2003, 13:26
Thanks a lot Ricardo !
You really helped me
Hmm..
Can I ask you one more thing? Hope you don't get bored.
Is there a similar way for Aspack, because with Aspack number 3 (stop in exceptions, pass) doesn't work.
Greg
JDog45
October 29th, 2003, 15:30
Ricardo always knows all kinds of tricks..

Ricardo Narvaja
October 29th, 2003, 16:51
Well, the stolen bytes are too long to explain in a forum; I have tuts, but this is not a cracking forum. But the general method is to look for a value in one register when you reach the OEP or the FIRST LINE EXECUTED OF THE PROGRAM (if EAX=0, take another register).
Repeat the process till you pass the last exception and put a BPM in the section of asprotect (the section of the exceptions), RUN, and when the program stops
GO TO DEBUGGING OPTIONS-TRACE and clear all marks, and in DEBUG SET CONDITION put
EAX==XXXXXX
XXXXXX is the value you read in EAX when stopped at the OEP, and configure RUN TRACE to LOG TO TXT for the case the stolen bytes are erased; in this case they will be stored in the txt and not erased.
TRACE INTO
LOOK IN THE RUN TRACE WINDOW; there are one or two loops that slow the tracing. Stop the trace in this case, jump to the end of the loop and continue tracing.
If the program stops when EAX==XXXXXX you are in the stolen bytes before these bytes are executed.
In the general case this works well; if the stolen bytes are encrypted it is another thing, another method, hehe.
Those methods of OEP are only for asprotect, not for aspack. In aspack on NT/2000/XP you can use the PUSHAD method (this method works well in many packers, NOT ARMADILLO, ASPROTECT, PELOCK, TELOCK; in other packers it goes well).
Execute the PUSHAD at the beginning of the program with F8 and look in the stack,
for example
if your top value of the stack is
124478 09009876
go to the DUMP and GOTO EXPRESSION=124478,
mark the 4 bytes and HARDWARE BPX ON ACCESS.
Run, and when the program stops, the next line after a POPAD is just a JUMP to the OEP; press F7 one or two lines and you are in the FTP.
Ricardo Narvaja
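Whichever of the methods above locates the OEP, the last step in greg's list, "Dump at the OEP", means the dumped file's AddressOfEntryPoint has to be repointed at that address, converted from the virtual address shown in the debugger to an RVA. The Python below is an added example, not code from this thread or from the OllyDump plugin; the PE header it builds is constructed for illustration only, and the 0x400000 image base and 0x401000 OEP are assumed values.

```python
import struct

def _opt_header(data: bytes):
    """Return (offset of the optional header, True if PE32+) after header sanity checks."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                       # skip signature and COFF file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    return opt, magic == 0x20B

def entry_point_rva(data: bytes) -> int:
    opt, _ = _opt_header(data)
    return struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint

def image_base(data: bytes) -> int:
    opt, plus = _opt_header(data)                        # 8 bytes at +24 (PE32+), 4 at +28 (PE32)
    return struct.unpack_from("<Q" if plus else "<I", data, opt + (24 if plus else 28))[0]

def set_entry_point(data: bytes, oep_va: int):
    """Convert the OEP seen in the debugger (a VA) to an RVA and write it; returns (patched, rva)."""
    opt, _ = _opt_header(data)
    rva = oep_va - image_base(data)
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    if not 0 <= rva < size_of_image:                     # catches a mistyped or relocated address
        raise ValueError(f"OEP {oep_va:#x} lies outside the image")
    out = bytearray(data)
    struct.pack_into("<I", out, opt + 16, rva)
    return bytes(out), rva

def build_sample_header(base=0x400000, size=0x6000, stub_rva=0x5000) -> bytes:
    """Constructed PE32 header only (no sections or code); EP points at a packer stub."""
    dos = bytearray(b"MZ" + bytes(0x3E))
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102) # i386, 1 section, opt hdr 0xE0
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, stub_rva)                      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, base)                          # ImageBase
    struct.pack_into("<I", opt, 56, size)                          # SizeOfImage
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    hdr = build_sample_header()
    patched, rva = set_entry_point(hdr, 0x401000)  # assumed OEP, e.g. the JMP target after POPAD
    print(f"entry point {entry_point_rva(hdr):#x} -> {entry_point_rva(patched):#x}")
```

On a real dump the same field is what the plugin's entry-point fix rewrites; the range check is there because an OEP read off a stolen-bytes trace is easy to mistype.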
Ricardo Narvaja
October 29th, 2003, 16:53
grr, you are in the OEP not FTP, sorry
Ricardo
greg
October 30th, 2003, 15:20
Yep
THANKS A LOT RICARDO.
You are " THE MAN"
Greg
Teerayoot
October 30th, 2003, 16:17
Not necessary to be on the OEP.
You can even dump after the stolen bytes are executed,
but in the dumped file let's fix it with the real bytes.
Works well for me (Asprotect).