
can't find OEP with DUMP Plugin


greg
October 29th, 2003, 09:27
Hello

I read some tuts about "how to use Olly dump".
The tuts are about asprotect protected examples and fsg protected examples,
and it's always like this:
1. Load the exe
2. Plugin->OllyDUMP->Find OEP by ....
3. Wait while Olly is tracing
4. Dump at the OEP

But this method does not work with my Olly.
Olly always says
Thread XXXXXX terminated, trace stopped
and does not stop at the OEP or find the OEP.

My Olly only finds the OEP when I use UPX packed examples.

Can somebody help me?
Perhaps I have to change some Debugging options, because in the tutorials everything works fine.

Thanks

Ricardo Narvaja
October 29th, 2003, 11:15
In asprotect this method does not work.

1) go to DEBUGGING OPTIONS-EXCEPTIONS and remove all marks, leave only the first mark.
2) RUN
3) the program stops in exceptions; pass them all with SHIFT+F9.
4) look at the value of the last exception before the program begins.
5) repeat the process, restarting the program, and go to this last exception before the program begins.
6) PASS WITH SHIFT+F7 (NOT F9 at this moment)
7) go to VIEW-MEMORY and in the code section (STARTS at 401000) put a BREAKPOINT MEMORY ON ACCESS.
8) RUN
9) WHEN THE PROGRAM STOPS ON THE MEMORY BREAKPOINT ON EXECUTION (look in the lower left corner) you are at the entry point, or, if the program has STOLEN BYTES, at the first line executed of the original program.

Ricardo

psyCK0
October 29th, 2003, 11:27
Nice technique Ricardo! How do you recover the stolen bytes?

greg
October 29th, 2003, 13:26
Thanks a lot Ricardo!
You really helped me.

Hmm..
Can I ask you one more thing? Hope you don't get bored.

Is there a similar way for Aspack, because with Aspack step 3 (stop in exceptions, pass) doesn't work.

Greg

JDog45
October 29th, 2003, 15:30
Ricardo always knows all kinds of tricks..

Ricardo Narvaja
October 29th, 2003, 16:51
well, the stolen bytes are too long to explain in a forum; I have tuts, but this is not a cracking forum. The general method is to look for a value in one register when you reach the OEP or the FIRST LINE EXECUTED OF THE PROGRAM (if eax=0, take another register).
Repeat the process till you pass the last exception and put a bpm in the section of asprotect (the section of the exceptions), RUN, and when the program stops
GO TO DEBUGGING OPTIONS-TRACE and remove all marks, and in DEBUG SET CONDITION put
EAX==XXXXXX

XXXXXX is the value you read in eax when stopping at the OEP, and configure RUN TRACE to LOG TO TXT for the case where the stolen bytes are erased; in this case they will be stored in the txt and not erased.
TRACE INTO

LOOK IN THE RUN TRACE WINDOW, there are one or two loops that slow the tracing; stop the trace in this case, jump to the end of the loop and continue tracing.

If the program stops when EAX==XXXXXX you are at the stolen bytes, before these bytes are executed.
In general this works well; if the stolen bytes are encrypted it is another thing, another method, jeje.

Those OEP methods are only for asprotect, not for aspack; in aspack on NT/2000/XP you can use the PUSHAD method (this method works well in many packers, NOT ARMADILLO, ASPROTECT, PELOCK, TELOCK; in other packers it goes well).

Execute the PUSHAD at the beginning of the program with F8 and look in the stack

for example

if your top value of the stack is

124478 09009876

go to the DUMP and GOTO EXPRESSION=124478

mark the 4 bytes and HARDWARE BPX ON ACCESS

Run, and when the program stops, the next line after a POPAD is just the JUMP to the OEP; press F7 one or two lines and you are at the FTP.

Ricardo Narvaja
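
Ricardo's EAX==XXXXXX condition applied offline to a run trace that was logged to txt (his tip for the case where the stolen bytes get erased from memory), as an added example that is not code from this thread or from OllyDbg; the log column layout, the .text bounds and all addresses and values are constructed assumptions.

```python
import re

# Constructed .text bounds (the thread's "section code (STARTS in 401000)"); the top is assumed.
CODE_SECTION = (0x00401000, 0x00470000)

# Constructed run-trace excerpt. The layout (thread, address, instruction, then "; REG=value"
# pairs as the instruction is about to run) is a simplified assumption, not OllyDbg's exact format.
TRACE_LOG = """\
Main  00D719E8  MOV EAX,00407B1C        ; EAX=00000000
Main  00D719ED  PUSH EBP                ; EAX=00407B1C
Main  00D719EE  MOV EBP,ESP             ; EAX=00407B1C
Main  00D719F0  ADD ESP,-10             ; EAX=00407B1C
Main  00D719F3  JMP 0040100A            ; EAX=00407B1C
Main  0040100A  CALL 00406C3C           ; EAX=00407B1C
"""

LINE_RE = re.compile(r"^(\S+)\s+([0-9A-Fa-f]{8})\s+(.*?)\s*;\s*(.*)$")
REG_RE = re.compile(r"\b([A-Z]{3})=([0-9A-Fa-f]{8})")

def parse_trace(log):
    """Return [(address, instruction, {reg: value})] for every well-formed line."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _thread, addr, instr, regs = m.groups()
        entries.append((int(addr, 16), instr.strip(),
                        {r: int(v, 16) for r, v in REG_RE.findall(regs)}))
    return entries

def find_stolen_bytes(log, reg="EAX", value=0):
    """Apply the trace condition REG==value to the log and cut out the stolen bytes."""
    entries = parse_trace(log)
    # First instruction about to run with the register at its OEP-time value: where
    # OllyDbg's conditional trace would stop, i.e. the start of the stolen bytes.
    start = next((i for i, (_, _, regs) in enumerate(entries)
                  if regs.get(reg) == value), None)
    if start is None:
        return None  # value never seen: wrong register, or the trace stopped early
    lo, hi = CODE_SECTION
    stolen = []
    for addr, instr, _ in entries[start:]:
        if lo <= addr < hi:  # back in .text: the entry before was the transfer jump
            if stolen and stolen[-1][1].startswith("JMP "):
                stolen.pop()
            return {"stolen": stolen, "resume_at": addr}
        stolen.append((addr, instr))
    return {"stolen": stolen, "resume_at": None}  # log ends before reaching .text
```

The returned instructions are the ones to write back at the OEP of the dump, and resume_at is where the original code continues after them.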

Ricardo Narvaja
October 29th, 2003, 16:53
grr, you are in the OEP not FTP, sorry

Ricardo

greg
October 30th, 2003, 15:20
Yep

THANKS A LOT RICARDO.
You are " THE MAN"

Greg

Teerayoot
October 30th, 2003, 16:17
Not necessary to be on the OEP.


You can even dump after the stolen bytes are executed,
but in the dumped file let's fix it with the real bytes.

Work well for me (Asprotect).