2

Are there any general rules on how to reliably locate OEPs (Original Entry Points) for packed .exe files, please? What OEP clues are there to search for in debugged assembly language?

Say there is a Windows .exe file packed with PC-Guard 5.06.0400 and I wish to unpack it. Therefore, the key condition is finding the OEP within the freshly extracted block of code.

I would use the common debugger OllyDBG to do that.

Bunkai.Satori

3 Answers

2

In the general case, no way. It highly depends on the packer. In the most common case, the packer may replace some code at the OEP with some other code.

Abyx
  • +1 for relevant advice. Hi and thanks for the reply. I understand your point. However, is there a way to **visually recognize** that **this** portion of assembly code is the **OEP**? For example, is there a specific sequence of instructions that makes up the OEP? There must be something like that, as reversers are able to identify OEPs. – Bunkai.Satori Mar 21 '11 at 20:18
  • @Bunkai Yes there usually is: if the piece of code resembles a main() function. It's pretty easy to spot main(), at least for a compiler you are familiar with. GCC, for example, produces very similar main()s. – joveha Mar 23 '11 at 22:48
  • @joveha: Hi Joveha, thanks for your response. In other words, I should begin with taking a look at my C++ compiler and seeing how it generates main(). Then, I will be able to recognize it in any other file being analyzed, for exe files written in C++. But then, I should learn how Delphi and other compilers' main() functions look. – Bunkai.Satori Mar 24 '11 at 08:52
  • @bunkai Pretty much yes. But it's not that hard to spot since you will be looking at code that runs before main(), like setting up destructor stuff, doing atexit(), etc. And then it calls main() with the usual argc,argv arguments. Should be easy to spot for any compiler. Just to be clear, when I say main() i mean the code that the compiler generates just before main() is called. – joveha Mar 24 '11 at 12:24
  • @joveha: thank you very much. What you wrote makes sense to me. – Bunkai.Satori Mar 28 '11 at 13:08
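The heuristic joveha describes (recognise the compiler's CRT startup stub that runs just before main(), not main() itself) can be turned into a scanner over the dumped code. The following is an added example, not code from the thread or from any unpacking tool; the three byte signatures are illustrative patterns for old MSVC, Delphi and MinGW startup stubs and should be treated as assumptions to be replaced by signatures you dump from your own compilers, and the sample "dump" is constructed inline. It also shows why the bare `PUSH EBP; MOV EBP,ESP` prologue discussed later in the thread is useless on its own: every function has one.

```python
"""
Scan an unpacked code dump for compiler CRT startup stubs as OEP candidates.
Added example; signatures are illustrative, extend them with your own compiler's output.
"""
import re

# Wildcard signatures: "??" matches any one byte.
# Each pattern covers the first instructions of the CRT entry stub (the code
# that calls main()), which is what the OEP usually points at.
STARTUP_SIGNATURES = {
    # push ebp; mov ebp,esp; push -1; push offset; push offset handler; mov eax,fs:[0]; push eax
    "MSVC6 CRT startup": "55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50",
    # push ebp; mov ebp,esp; add esp,-10h; mov eax,offset; call @InitExe
    "Delphi program entry": "55 8B EC 83 C4 F0 B8 ?? ?? ?? ?? E8 ?? ?? ?? ??",
    # push ebp; mov ebp,esp; sub esp,8; mov dword [esp],1; call [__set_app_type]
    "MinGW GCC entry": "55 89 E5 83 EC 08 C7 04 24 01 00 00 00 FF 15 ?? ?? ?? ??",
}


def compile_signature(sig):
    """Turn an 'AA BB ?? CC' wildcard string into a compiled bytes regex."""
    parts = []
    for tok in sig.split():
        parts.append(b"." if tok == "??" else b"\\x%02x" % int(tok, 16))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(sig) for name, sig in STARTUP_SIGNATURES.items()}


def find_oep_candidates(dump, image_base, section_rva):
    """Return [(virtual_address, compiler_name)] for every startup-stub match.
    image_base + section_rva is the address the dumped bytes were mapped at."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(dump):
            hits.append((image_base + section_rva + m.start(), name))
    return sorted(hits)


def count_bare_prologues(dump):
    """Count plain 'push ebp; mov ebp,esp' prologues: shows why that sequence
    alone is not an OEP clue (ordinary functions start the same way)."""
    return dump.count(b"\x55\x8b\xec")


def build_sample_dump():
    """Constructed sample dump (not a real binary): three ordinary functions with
    standard prologues, int3 padding, and one MSVC6-style startup stub at offset 32."""
    ordinary = bytes.fromhex("55 8B EC 83 EC 10 5D C3")  # push ebp; mov ebp,esp; sub esp,10h; pop ebp; ret
    pad = b"\xCC" * 8
    startup = bytes.fromhex(
        "55 8B EC 6A FF 68 E8 20 40 00 68 14 12 40 00 "
        "64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58"
    )
    return ordinary + pad + ordinary + pad + startup + pad + ordinary


if __name__ == "__main__":
    dump = build_sample_dump()
    print("bare prologues in dump:", count_bare_prologues(dump))
    for va, name in find_oep_candidates(dump, 0x400000, 0x1000):
        print("candidate OEP at %08X (%s)" % (va, name))
```

On the constructed dump the bare prologue appears four times while the full startup signature matches exactly once; on a real dump, run the candidate list past the checks that matter (ESP back to its entry value, a sane stack frame, imports resolving) before committing to an OEP, since a packer that stole or virtualised the first bytes at the OEP, as Abyx notes, will leave nothing for a signature to find.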
1

This depends solely on the packer and the algorithms it's using to pack and/or virtualize code. Seeing as you are using OllyDbg, I'd suggest checking out tuts4you, woodmann's and openrce; they have many plugins (iirc there is one designed for finding OEPs in obfuscated code, but I have no clue how well it performs) and Olly scripts for dealing with unpacking various packers (from which you may be able to pick up hints for a certain type of packer). They also have quite a few papers/tutorials on the subject, which may or may not be of use.

PC Guard doesn't seem to get much attention, but the video link and info here should be of help (praise be to Google cache!)

Necrolis
  • +1 for good advice. Hi and thank you for your valuable advice. Yes, I've been there and read and saw many tutorials. However, there is not too much material on how to identify the OEP. Therefore, I came to ask here. I tried OllyDBG plugins, but IMO, they are not reliable. I have to unpack PC-Guard 5.06 and none of them helped, neither did automatic unpackers. Would you have practical advice on how to reliably identify OEPs from reading the code? Do they look similar? PUSH EBP; MOV EBP, ESP; seemingly works more for functions than for OEPs. – Bunkai.Satori Mar 21 '11 at 18:11
  • @Bunkai: `PUSH EBP MOV EBP,ESP` is a stack frame epilogue, not really gonna help with finding hidden OEPs. Unfortunately PC-Guard doesn't seem all that popular; I did find something though, see my post for the link. – Necrolis Mar 22 '11 at 03:57
  • Yeah, I've already seen them. Thank you for the good tip, although they are not extremely helpful. Their key idea is to press Shift+F9 repeatedly x times. This however did not work for me. In my case, the packed application launched after a single press of Shift+F9. They do not explain too much either, IMO, but thank you for your willingness. – Bunkai.Satori Mar 22 '11 at 05:25
0

It's hard to point out any simple strategy and claim that it will work in general, because the business of packer tools is to make OEP finding a very hard problem. Besides, with a good packer, finding the OEP is still not enough. That being said, I do have some suggestions.

I would suggest that you read this paper on the Justin unpacker; they use heuristics that were reasonably effective at the time, and that you might be able to get some mileage from. They will at least reduce the number of candidate entry points to a manageable number:

A study of the packer problem and its solutions (2008) by Fanglu Guo, Peter Ferrie, Tzi-cker Chiueh

There are also some web-analysis pages that can tell you a lot about your packed program. For example, the malware analyzer at: http://eureka.cyber-ta.org/

Here's another one that is currently down, but has done a reasonable job in the past, and I presume will be up again soon: http://bitblaze.cs.berkeley.edu/renovo.html

Kevin
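Two of the OEP heuristics the Justin paper describes are cheap to implement on top of any tracer (an OllyDbg run trace, a PIN tool): "dirty page execution" (the OEP is the first instruction executed from memory that the packer wrote at run time) and "stack pointer balance" (at the OEP, ESP is back to the value it had at the packer's entry point, because the stub's PUSHAD/POPAD pair has unwound). The code below is an added example, not the paper's or any tool's implementation; it walks a constructed, simplified trace of (EIP, ESP before the instruction, addresses written) tuples, which is an assumption about what your tracer would emit, and shows why either heuristic alone fires early but their conjunction lands on the OEP.

```python
"""
Dirty-page-execution and stack-balance OEP heuristics over a simplified trace.
Added example with a constructed trace; hook it to a real tracer to use it.
"""

PAGE_MASK = ~0xFFF


def page_of(addr):
    """4 KiB page containing addr."""
    return addr & PAGE_MASK


def oep_heuristics(trace, entry_esp):
    """Walk a trace once and report the first EIP each heuristic would pick.

    trace: list of (eip, esp_before_instruction, [addresses written by it])
    Returns a dict with keys:
      dirty_page : first instruction fetched from a page written earlier in the trace
      stack      : first instruction after the entry whose ESP equals entry_esp
      both       : first instruction satisfying both at once (the OEP candidate)
    Any value is None if the heuristic never fired.
    """
    dirty_pages = set()
    result = {"dirty_page": None, "stack": None, "both": None}
    for i, (eip, esp, writes) in enumerate(trace):
        # A page only counts as dirty for instructions fetched after the write.
        in_dirty = page_of(eip) in dirty_pages
        balanced = i > 0 and esp == entry_esp   # skip the entry instruction itself
        if in_dirty and result["dirty_page"] is None:
            result["dirty_page"] = eip
        if balanced and result["stack"] is None:
            result["stack"] = eip
        if in_dirty and balanced and result["both"] is None:
            result["both"] = eip
        dirty_pages.update(page_of(a) for a in writes)
    return result


# Constructed trace (not captured from a real packer). Layout assumed:
#   0x00451000  packer stub entry (.pcg-style section)
#   0x00452000  stub helper page the stub patches at run time (self-modifying)
#   0x00401000  original .text, decrypted by the stub, holds the real OEP
ENTRY_ESP = 0x0012FF8C
SAMPLE_TRACE = [
    (0x00451000, 0x0012FF8C, []),                        # pushad
    (0x00451001, 0x0012FF6C, [0x00452010]),              # patch helper in another page
    (0x00452010, 0x0012FF6C, []),                        # run patched helper: dirty page, ESP unbalanced
    (0x00452015, 0x0012FF6C, [0x00401000, 0x00401004,
                              0x00401008]),              # decrypt original .text
    (0x00451020, 0x0012FF6C, []),                        # popad
    (0x00451021, 0x0012FF8C, []),                        # jmp OEP: ESP balanced, page clean
    (0x00401000, 0x0012FF8C, []),                        # OEP: dirty page AND balanced ESP
    (0x00401001, 0x0012FF88, []),                        # push ebp ... (CRT startup)
]


def sample_result():
    """Run the heuristics on the constructed trace."""
    return oep_heuristics(SAMPLE_TRACE, ENTRY_ESP)


if __name__ == "__main__":
    for name, eip in sample_result().items():
        print("%-10s -> %s" % (name, "none" if eip is None else "%08X" % eip))
```

On this trace the dirty-page rule alone stops at the stub's self-modified helper (0x00452010) and the stack rule alone stops at the JMP to the OEP (0x00451021); only the conjunction reaches 0x00401000. The paper's caveat still applies: a packer that keeps running from written memory, or that never restores ESP, or that replaces the code at the OEP, leaves you with a candidate list rather than an answer, and each candidate still needs the import table and first bytes checked by hand.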