Negative OEP?

howcow95 · 09/06/2009, 15:04

Well I was looking at dlntq's guide to unpack CabalMain.exe and PH uses a dif packer than NA... NA uses themida. So I began my search for an unpacker, all the one shot unpackers I found would always give me internal errors. SOOO I got one that worked through olly. So I THINK I got it successfully unpacked in olly then I used ImportREC to dump it. After a long while of trying I finally got a cabal_dump.exe soo I tried to move onto the second unpack but to my horror when I scanned with DiE and PiED it tells me it's packed with themida? So I think I got the OEP wrong. Now today, I used PEtools to find the OEP which indeed tells me different then what olly was saying my OEP was, and according to this guide to unpacking themida you subtract the Image Base from OEP and sub it into the IAT's on ImportREC but I get a Negative OEP that way

Here's the guide I used

Now I either need a dif way to dump or a simple confirmation if I got my first dump right. The cabal_dump.exe is 11.7 mb I need to unpack it once more according to dlntq to get the asm. So now I'm at a loss at what to do when I try to open cabal_dump.exe in olly it gives me an error and I think it gives me RETN 4. If someone is willing to help I can provide screenshots and more detail O.o Thanks in advance.

dlnqt · 09/06/2009, 15:13

it depends if you have to unpack it the second time.. because there's a possibility that an exe is packed with multiple packers. to be sure if it is packed or not, use DiE, PEiD or search for other packer identifiers out there..

Cabal PH cabalmain.exe can be unpacked with 1 program, what I posted is an alternative that doesn't work, it only shows the actual asm but it won't run normally.. that's my first try in unpacking PH's cabalmain.exe. The 2nd time I tried to unpack it, I only used a single unpacker, I will be posting a guide soon.. but right now I don't have the time.

As for Cabal NA, I don't know what packer is used on it so I don't have any idea, I may have to edit my other thread as not to confuse other people..

howcow95 · 09/06/2009, 15:58

hmm I'm still trying to find a way to unpack as I said themida 18.x.x/ winlic is used on cabalNA but I'm having real difficulty unpacking it. all i kno is that the cabal_dump.exe that I got is not asm code so far the stuff you nova and atomic have been useful to me but it can only help me to a certain point because you guys are from PH otherwise I prolly wudve got it by now too

zen83 · 09/07/2009, 01:51

howcow95, your cabalmain.exe is packed with themida 1.9.9.0 . So the guide you used can't unpack your file

howcow95 · 09/07/2009, 03:39

haha yea I read sumwhere that the version I'm using is wrong but the olly and script I used was the only one that didn't show any errors so thanks for the confirmation. BUT i'm not following the guide 100% i'm tweaking in places that I need as for now I don't even think Cabal NA is patched yet so ima work on getting some valuable time in while I still can. After that I'll work on unpacking and everything else.