OEP finding methods

[albert johnson]

我是逆向分析新手，刚学到一个新技巧，跟大家分享一下。

PS：

我在研究逆向技术，但是困于中国大陆
看到我技术的朋友，如果感觉我的技术还不错，可以与我交流
如果可以帮助我移民，将不胜感激

[albert johnson]

English Version:

I start serious research on unpacking techniques today.

In the process of tracing the code, I suddenly thought of a method, I don't know if you have used it.

Tools: x64dbg

Method: step-by-step approach

Principle: When setting breakpoints in x64dbg, if the code at the breakpoint is not resolved, after ctrl + F2, the status is displayed as Inactive in Breakpoint View, on the contrary, if the breakpoint is before OEP, the status is displayed as Enabled, so you can take step by step approach.

 

Operation: F9 jumps to Entry Point. Step alone by dozens of steps (the specific number of steps depends on personal preference), then set a break and add comments (preferably numbered with serial numbers); in this way, add a few more breakpoints, and the specific number also depends on personal preference. Then, Ctrl + F2 restarts. At this time, Inactive and Enabled in Breakpoint View are the keys to our judgment of OEP. After finding the demarcation point between Inactive and Enabled, repeat the above process to slowly approach the OEP.

Occasional experience, I hope to help everyone.

[JochenX]

@albert johnson
This method is a bit vague, please make a tutorial if you want others to use your experience.

[w00she]

5 hours ago, JochenX said:

@albert johnson
This method is a bit vague, please make a tutorial if you want others to use your experience.

 

I totally agree with you , old tutorials were from people who are retired now , they were delivering a good quality tutorials in instant demo flash files 

nowdays things changed , we rarely see a video tutorial . old tutorials are gold but no one is sharing new resources for learning like they were.

forums closed maybe one of them is unpack.cn which was a great place for people trying to learn unpacking

and the reversing community isn't doing good. idk why 

[minh]

I don't believe you for your flag

[JochenX]

5 hours ago, w00she said:

 

I totally agree with you , old tutorials were from people who are retired now , they were delivering a good quality tutorials in instant demo flash files 

nowdays things changed , we rarely see a video tutorial . old tutorials are gold but no one is sharing new resources for learning like they were.

forums closed maybe one of them is unpack.cn which was a great place for people trying to learn unpacking

and the reversing community isn't doing good. idk why 

The knowledge of the old generation was like the sea, that is, it did not end with learning! But the knowledge of the new generation is like a small glass and it ends quickly!
And the new generation is afraid of this issue.

[JochenX]

On 9/23/2022 at 11:25 AM, albert johnson said:

English Version:

I start serious research on unpacking techniques today.

In the process of tracing the code, I suddenly thought of a method, I don't know if you have used it.

Tools: x64dbg

Method: step-by-step approach

Principle: When setting breakpoints in x64dbg, if the code at the breakpoint is not resolved, after ctrl + F2, the status is displayed as Inactive in Breakpoint View, on the contrary, if the breakpoint is before OEP, the status is displayed as Enabled, so you can take step by step approach.

 

Operation: F9 jumps to Entry Point. Step alone by dozens of steps (the specific number of steps depends on personal preference), then set a break and add comments (preferably numbered with serial numbers); in this way, add a few more breakpoints, and the specific number also depends on personal preference. Then, Ctrl + F2 restarts. At this time, Inactive and Enabled in Breakpoint View are the keys to our judgment of OEP. After finding the demarcation point between Inactive and Enabled, repeat the above process to slowly approach the OEP.

Occasional experience, I hope to help everyone.

A series of vague and impractical explanations and a vague picture!
Everything is like a brag! Doesn't it look like it?