Question

Are there any general rules on how to reliably locate OEPs (Original Entry Points) for packed .exe files, please? What OEP clues are there to search for in debugged assembly language?

Say there is a Windows .exe file packed with PC-Guard 5.06.0400 and I wish to unpack it. Therefore, the key condition is finding the OEP within the freshly extracted block of code.

I would use the common debugger OllyDBG to do that.


Solution

This depends solely on the packer and the algorithms it's using to pack and/or virtualize code. Seeing as you are using OllyDbg, I'd suggest checking out tuts4you, Woodmann's and OpenRCE; they have many plugins (IIRC there is one designed for finding OEPs in obfuscated code, but I have no clue how well it performs) and Olly scripts for dealing with unpacking various packers (from which you may be able to pick up hints for a certain type of packer). They also have quite a few papers/tutorials on the subject as well, which may or may not be of use.

PC Guard doesn't seem to get much attention, but the video link and info here should be of help (praise be to Google cache!)

OTHER TIPS

In the general case - no way. It highly depends on the packer. In the most common case the packer may replace some code at the OEP with some other code.

It's hard to point out any simple strategy and claim that it will work in general, because the business of packer tools is to make OEP finding a very hard problem. Besides, with a good packer, finding the OEP is still not enough. That being said, I do have some suggestions.

I would suggest that you read this paper on the Justin unpacker; they use heuristics that were reasonably effective at the time, and that you might be able to get some mileage from. They will at least reduce the number of candidate entry points to a manageable number:

A study of the packer problem and its solutions (2008) by Fanglu Guo, Peter Ferrie, Tzi-cker Chiueh

There are also some web-analysis pages that can tell you a lot about your packed program. For example, the malware analyzer at: http://eureka.cyber-ta.org/

Here's another one that is currently down, but has done a reasonable job in the past (and I presume will be up again soon): http://bitblaze.cs.berkeley.edu/renovo.html
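As an added illustration, not code from the answers or from the Justin paper itself, the Python below sketches two common heuristics of the kind the answer refers to: the write-then-execute check (memory the program wrote and then jumped into holds unpacked code) and the stack-pointer check (the OEP is normally reached with ESP back at its value at the packer's entry point). The trace format, the Event class and every address in it are constructed for this example; in practice the trace would come from a debugger tracer or plugin.

```python
from dataclasses import dataclass

PAGE = 0x1000  # x86 page size; the heuristics work at page granularity

@dataclass(frozen=True)
class Event:
    kind: str     # "exec": instruction fetched at addr; "write": byte written at addr
    addr: int
    esp: int = 0  # stack pointer at the time of an "exec" event

def find_oep_candidates(trace, entry_esp):
    """Write-then-execute check: report every control transfer into memory that
    was written earlier in the trace. A page is dirty once written and cleaned on
    its first execution, so each unpacking layer yields one candidate. The second
    field is the stack-pointer check: the real OEP is normally reached with ESP
    back at its value at the packer's entry point."""
    dirty_pages, candidates = set(), []
    for ev in trace:
        page = ev.addr // PAGE
        if ev.kind == "write":
            dirty_pages.add(page)
        elif ev.kind == "exec" and page in dirty_pages:
            dirty_pages.discard(page)
            candidates.append((ev.addr, ev.esp == entry_esp))
    return candidates

def best_oep(candidates):
    """Prefer the first candidate passing the stack-pointer check; otherwise fall
    back to the last layer reached, i.e. the innermost unpacked code."""
    for addr, esp_ok in candidates:
        if esp_ok:
            return addr
    return candidates[-1][0] if candidates else None

def constructed_trace():
    """Constructed two-layer trace with made-up addresses: a stub at 0x401000
    decrypts a second stage into 0x403000 and calls it; the second stage restores
    the original code into 0x402000 and returns; the stub then jumps to the OEP."""
    entry_esp = 0x0012FF8C
    t = [Event("exec", 0x401000 + off, entry_esp) for off in range(0, 0x20, 4)]
    t += [Event("write", a) for a in range(0x403000, 0x403040)]
    t.append(Event("exec", 0x403000, entry_esp - 4))  # CALL pushed a return address
    t += [Event("write", a) for a in range(0x402000, 0x402100)]
    t.append(Event("exec", 0x401020, entry_esp))      # RET back into the clean stub page
    t.append(Event("exec", 0x402000, entry_esp))      # JMP to the restored code: the OEP
    t.append(Event("exec", 0x402005, entry_esp))      # same page, already cleaned: no hit
    return t, entry_esp
```

On the constructed trace the second-stage entry at 0x403000 is reported but fails the ESP check, and 0x402000 is selected as the OEP.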

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow