Finding the OEP in a packed EXE file
Are there any general rules on how to reliably locate OEPs (Original Entry Points) for packed .exe files, please? What OEP clues are there to search for in debugged assembly language?
Say there is a Windows .exe file packed with PC-Guard 5.06.0400 and I wish to unpack it. Therefore, the key condition is finding the OEP within the freshly extracted block of code.
I would use the common debugger OllyDBG to do that.
In the general case - no way. It highly depends on the packer. In the most common case the packer may replace some code at the OEP with some other code.
This depends solely on the packer and the algorithms it's using to pack and/or virtualize code. Seeing as you are using OllyDbg, I'd suggest checking out tuts4you, woodmanns and openrce; they have many plugins (IIRC there is one designed for finding OEPs in obfuscated code, but I have no clue how well it performs) and Olly scripts for dealing with unpacking various packers (from which you may be able to pick up hints for a certain type of packer). They also have quite a few papers/tutorials on the subject, which may or may not be of use.
PC Guard doesn't seem to get much attention, but the video link and info here should be of help (praise be to Google cache!)
It's hard to point out any simple strategy and claim that it will work in general, because the business of packer tools is to make OEP finding a very hard problem. Besides, with a good packer, finding the OEP is still not enough. That being said, I do have some suggestions.
I would suggest that you read this paper on the Justin unpacker, they use heuristics that were reasonably effective at the time, and that you might be able to get some mileage from. They will at least reduce the number of candidate entry points to a manageable number:
A study of the packer problem and its solutions (2008)
by Fanglu Guo, Peter Ferrie, Tzi-cker Chiueh
There are also some web-analysis pages that can tell you a lot about your packed program. For example, the malware analyzer at:
http://eureka.cyber-ta.org/
Here's another one that is currently down, but has done a reasonable job in the past, and I presume will be up again soon:
http://bitblaze.cs.berkeley.edu/renovo.html
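An added example, not part of any answer above: a toy Python model of two heuristics from the Justin paper the last answer cites, "dirty page execution" (the first instruction executed from a page the unpacker stub itself wrote) and the "stack pointer check" (ESP at the OEP equals ESP at the packer's entry point), run over a constructed instruction trace. The function names, the trace and the addresses are my assumptions, not the paper's or PC-Guard's.

```python
PAGE_SIZE = 0x1000

def page_of(addr):
    return addr & ~(PAGE_SIZE - 1)

def oep_candidates(trace, entry_esp):
    """trace: ("w", addr) memory writes and ("x", addr, esp) executions in the
    order a tracing debugger would record them. Returns (addr, esp_matches)
    for every execution of a page that was written earlier in the trace;
    the page is marked clean afterwards so one unpacking pass yields one
    candidate, and a later rewrite of the same page yields a new one."""
    dirty = set()
    out = []
    for ev in trace:
        if ev[0] == "w":
            dirty.add(page_of(ev[1]))
        elif ev[0] == "x":
            _, addr, esp = ev
            pg = page_of(addr)
            if pg in dirty:
                out.append((addr, esp == entry_esp))
                dirty.discard(pg)
    return out

def best_oep(trace, entry_esp):
    """Prefer the first dirty-page candidate where ESP is back at its entry
    value (a PUSHAD/POPAD-style stub restores it before jumping to the OEP)."""
    cands = oep_candidates(trace, entry_esp)
    for addr, esp_ok in cands:
        if esp_ok:
            return addr
    return cands[0][0] if cands else None

# Constructed trace (hypothetical addresses): the stub saves registers, writes
# the original code into the page at 0x402000, patches its own loop once
# (a decoy candidate), restores registers and jumps to the real entry point.
ENTRY_ESP = 0x0012FF8C
TRACE = [
    ("x", 0x401000, ENTRY_ESP),          # PUSHAD at packer entry
    ("x", 0x401001, ENTRY_ESP - 0x20),   # decompression loop
] + [("w", 0x402000 + i) for i in range(0, 0x100, 4)] + [
    ("w", 0x401020),                     # stub patches its own loop
    ("x", 0x401020, ENTRY_ESP - 0x20),   # decoy: dirty page, ESP still shifted
    ("x", 0x401030, ENTRY_ESP - 0x20),   # POPAD
    ("x", 0x402010, ENTRY_ESP),          # JMP into unpacked code: the OEP
    ("x", 0x402015, ENTRY_ESP - 4),      # PUSH EBP inside the OEP function
]

if __name__ == "__main__":
    for addr, ok in oep_candidates(TRACE, ENTRY_ESP):
        print(f"candidate 0x{addr:08X} esp_matches={ok}")
    print(f"best guess: 0x{best_oep(TRACE, ENTRY_ESP):08X}")
```

On a real target the trace would come from the debugger (e.g. OllyDbg's run trace) and the decoy shows why the paper combines heuristics rather than trusting any one of them.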