0

I want to reverse a program in olly.The segment that olly loads is not .text and the OEP is out of the olly virtual address scope. The OEP and the segments addresses can be find with PE editors like LordPE, PEexplorer and PEiD. How can I bring the OEP in olly?

n1kita
  • 263
  • 1
  • 5
  • 15

1 Answers1

0

First let's get something straight: OEP stands for Original Entry Point, right?

If so, and what you meant to say is that the sample you're opening inside OllyDbg is packed and if you know how to unpack it to reach the OEP, then you can use a pretty neat plugin written by shag and itzik called OllyScript.

With OllyScript you can modify the registry, setup breakpoints and automate the entire workflow to unpacking your sample.

Notice there were a lot of if's in my answer. If this is not what you were asking please clarify. Ultimately sharing the sample might benefit you as well.

Paul Irofti
  • 412
  • 3
  • 17
  • Yes I mean original entry point.I thinks is not packed, becuase I can see the sections addresses like .tex, .data etc... with PE editors .also OEP address is visible and clarified with PE editors. so I believe is not a packed binary. – n1kita Aug 13 '12 at 07:49
  • And where's the EP? And if it's not packed, what does OEP mean in this context? – Paul Irofti Aug 13 '12 at 08:05
  • @ali: Indeed, OEP does not have a meaning when the Image has not been scrambled (compressed, packed, encrypted). To be sure that your image is packed (or not) just check it with tools like PEid (http://tuts4you.com/download.php?view.398) or PeStudio( http://www.winitor.com), CFF Explorer (http://www.ntcore.com/exsuite.php), etc... – mox Aug 14 '12 at 09:52
  • 1
    @ali: the fact that you see the sections addresses is not an indicator that an image has not been scrambled. If you take a look at an image compressed with UPX, you'll see the sections and their addresses! – mox Aug 14 '12 at 09:54
  • As I said PEid Shows the sections addresses, all of them. But the EP section is not .text and I need to load this section in olly instead of the EP Section that PEid shows. The EP Section That PEid shows is AL123. – n1kita Aug 14 '12 at 10:03
  • Olly loads all the sections it can find. Your problem is elsewhere. You're not making your self more clear by reiterating the same statements. At this point sharing the sample would be best. – Paul Irofti Aug 14 '12 at 10:07
  • The sample is "Need for speed, The Run" game. – n1kita Aug 14 '12 at 16:16