During the shittiest Christmas of my life (2 weeks without net, 2 car fixes) I was so bored that I decided to code my own OEP finder. The first was deroko's [ARTEAM], but his version is big as hell and hard to understand. What are the differences?

- deroko's src is in TASM; I used MASM (I also prefer TASM, but it's dying).
- deroko patches the EP; I create the process already debugged, no need for suspending etc.
- deroko's OEP finder stops after the messagebox with the OEP; mine stops on ExitProcess, so we can find the OEP inside ASProtect, which has unpacking code inside the code section that is later overwritten with the unpacked code.
- deroko uses a small debugger part that gives the instruction length and sets int 3 (CC); I don't use it, I just set a guard page on the first section.

Worked with most single-process protectors/packers; SDProtector and others detect that they are debugged.
OEP Find 1.1: improved OEP. It now asks "is this OEP?"; if yes, it will detach from debugging, so the last one shown when we press Yes is our OEP, so write it down or! use Detach. I was bored with restoring stolen bytes by EBFE, so when you press Detach and the right OEP is there and you choose Yes, we patch the OEP to EBFE so it's in an infinite loop, and you can attach with Olly, press F9 to run and F12 to break at our infinite jump. Now the last step: press OK on the OEP finder messagebox and I will restore the stolen bytes; move the cursor in Olly and we are happy. Enjoy!
v1.2: support for parsing the name from the command line.

v1.3: removed the 2 edits that showed section and size; now a listbox defaults to the 1st section, but you can choose another and then press OEP or Detach. Next move: improve the engine.

v1.31: added display of the section characteristics (Read, Write, Execute) to the listbox.

v1.32: patch for kernel32.TerminateProcess so ACProtect can't kill us. Same with Yoda's Protector, but that one, after detecting that the parent process PID isn't explorer.exe's PID, kills us and itself. It will not kill us now, only itself; have to add more fixes. We patch kernel32 on the DLL load event, because on CreateProcess only the exe and ntdll.dll are loaded, the rest comes later. Stay tuned for more updates.

v1.4: used the length disasm engine from deroko to get the instruction size. Added int 3 patching for more accurate results. On my targets it now works on the correct OEP. If you find any file it doesn't work on, send it to me. Doesn't work on Yoda's Protector because it checks if the parent PID is the PID of explorer.exe; I did a patch, but then it doesn't want to work with ACProtect. Have to find a solution for both, and as we know, life later for all of them. Now probably the next move is ExeCryptor support.
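An added example, not the OEP finder's own source, of the decision logic behind the guard-page approach (first section guarded, unpacker writes re-armed, execution inside the section reported as an OEP candidate) and of why v1.4 needs an instruction length to step past the access. The section table, image base 0x400000 and section names are constructed assumptions; it is pure logic, so it runs without the debugger API.

```c
#include <stdint.h>
#include <string.h>

/* IMAGE_SECTION_HEADER as laid out in the PE section table (40 bytes). */
typedef struct {
    char     Name[8];
    uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData;
    uint32_t PointerToRelocations, PointerToLinenumbers;
    uint16_t NumberOfRelocations, NumberOfLinenumbers; uint32_t Characteristics;
} SectionHeader;
#define SCN_MEM_EXECUTE 0x20000000u
#define SCN_MEM_READ    0x40000000u
#define SCN_MEM_WRITE   0x80000000u
#define PE_PAGE         0x1000u

/* Constructed section table (assumption): the stub in .pack unpacks into .text. */
const uint32_t kImageBase = 0x400000u;
const SectionHeader kSections[2] = {
    { ".text", 0x5000, 0x1000, 0,      0x400, 0, 0, 0, 0, SCN_MEM_READ | SCN_MEM_WRITE | SCN_MEM_EXECUTE },
    { ".pack", 0x1800, 0x6000, 0x1800, 0x400, 0, 0, 0, 0, SCN_MEM_READ | SCN_MEM_EXECUTE },
};

/* "RWE" string as shown in the section listbox; buf must hold 4 chars. */
const char *section_flags(const SectionHeader *s, char buf[4]) {
    buf[0] = (s->Characteristics & SCN_MEM_READ)    ? 'R' : '-';
    buf[1] = (s->Characteristics & SCN_MEM_WRITE)   ? 'W' : '-';
    buf[2] = (s->Characteristics & SCN_MEM_EXECUTE) ? 'E' : '-';
    buf[3] = '\0';
    return buf;
}

/* PAGE_GUARD is per page: the range handed to VirtualProtectEx is the section's
 * VA with VirtualSize rounded up to whole pages. */
uint32_t guard_start(const SectionHeader *s, uint32_t base) { return base + s->VirtualAddress; }
uint32_t guard_len(const SectionHeader *s) { return (s->VirtualSize + PE_PAGE - 1) & ~(PE_PAGE - 1); }
static int in_guarded(const SectionHeader *s, uint32_t base, uint32_t addr) {
    return addr >= guard_start(s, base) && addr < guard_start(s, base) + guard_len(s);
}
typedef enum { NOT_OURS, STEP_AND_REARM, OEP_CANDIDATE } Action;

/* Decision on STATUS_GUARD_PAGE_VIOLATION (eip: faulting EIP, fault: address in
 * ExceptionInformation[1]). The first touch clears the guard bit, so after
 * STEP_AND_REARM the finder must get past the current instruction (trap flag, or
 * an int3 placed with a length disassembler as in v1.4) and re-apply PAGE_GUARD. */
Action on_guard_page(const SectionHeader *s, uint32_t base, uint32_t eip, uint32_t fault) {
    if (in_guarded(s, base, eip))
        return OEP_CANDIDATE;   /* execution entered the section: ask the user, as the tool does */
    if (in_guarded(s, base, fault))
        return STEP_AND_REARM;  /* stub outside the section is writing unpacked code into it */
    return NOT_OURS;            /* unrelated guard hit */
}
```

For a protector like ASProtect whose stub already runs inside the code section, the first hit is OEP_CANDIDATE before any unpacking is done, which is exactly why the tool asks instead of deciding and keeps going until ExitProcess.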