Русский / Russian English / Английский

Сейчас на форуме: tusovaka, TOM_RUS (+3 невидимых)
 · Начало · Статистика · Регистрация · Поиск · ПРАВИЛА ФОРУМА · Язык · RSS ·

 eXeL@B —› WorldWide —› Structures of an OEP
Посл.ответ Сообщение

Ранг: 0.5 (гость)
Статус: Участник

Создано: 17 ноября 2010 21:34 New!
Цитата · Личное сообщение · #1


i'm relative new to reversing and have question about OEPs:

in VB e.g. an OEP always pushes a string like "VB5!" an then always calls ThunRTMain.

Are there similar structures in other languages like c/c++, delphi etc.?


Ранг: 481.4 (мудрец)
Статус: Участник
Тот самый :)

Создано: 18 ноября 2010 02:51 · Поправил: Hexxx New!
Цитата · Личное сообщение · #2

If we say by using word "similar", yes there are. But they are quite different. Because each language does initialization its' own way. Also such structures are present only in GUI applications built on certain GUI framework. I.e. if you make C++ console application, there will be nothing similar. But if you make MFC application, there will be MFC initialization in some kind similar to VB.

So, just download all the compilers you are interested in. Build typical "hello world" application of each type, load it to IDA and you'll have the vision which of them are alike vb.

p.s. Yes, you may use your own application as donor, in case the protector has destroyed the code at OEP. You just need to have the application built with the same compiler.

Ранг: 0.5 (гость)
Статус: Участник

Создано: 18 ноября 2010 13:26 New!
Цитата · Личное сообщение · #3

thanks, i will give it a try

my goal is, that i become able to identify OEP more easily and that i don't have to "guess" (e.g. i used this method so this must be OEP). I want to get a better view wheter this can be OEP or not and don't just have to "trust" the method of my choice. Is there another way than just trying to verify for correctness?

Ранг: 481.4 (мудрец)
Статус: Участник
Тот самый :)

Создано: 18 ноября 2010 14:28 · Поправил: Hexxx New!
Цитата · Личное сообщение · #4

if you're talking about OEP, this means you're learning how to get to OEP through the protector's code. In such case there are several other characteristics that can be used to find where protector's code finishes:
1) difference in EIP. i.e. protectors' code flows like a long set of instructions, and then finally it does jmp or call to some really far address. See UPX as example.
2) difference in ESP. The protectors' code allocates some stack for itself. Then after it made all its' tasks, it returns ESP to the initial value, necessary for real code to run.
3) some compilers just place oep at some constant place. For example, delphi (till d7 as i know) placed OEP as the last function in CODE section. I.e. you may just go to the end of CODE section and scroll up till you find it But it requires visual instruction recognition skill Because if you are looking into the dump, there will be just undefined instructions, because oep is still points to protector's code

And as I've said, you can find oep by signature, using the code from "hello world" samples. You just dump the application after the protector finished its' job. I.e. you don't even need to debug the application. Just run it, then dump it at any moment after it finished loading. Load the dump into IDA without any reconstruction, then search the code sequences that you see in "hello world" sample. And you'll be able to find the similar code and the approximate OEP.

Finally, when you've got the address, you may try to walk to that address via debugger. Sometimes you'll be able to set breakpoint to that address, and just see if it was hit. But usually you'll have to walk manually.
Or you can restore the dump, set the OEP address that you suspect and see if it work.

p.s. also you may try to get the protector which is used in the application, protect you "hello world" application with it, and see how your known code is changed by protector. Or walk in the debugger to already known OEP.

 eXeL@B —› WorldWide —› Structures of an OEP

Видеокурс ВЗЛОМ