
OEP finding methods


albert johnson


I am new to reverse engineering and just learned a new trick that I want to share with everyone.

PS:

I am studying reverse engineering, but I am stuck in mainland China.
If you see my work and think my skills are decent, feel free to get in touch.
If you can help me emigrate, I would be very grateful.

[screenshot: Snipaste_2022-09-23_15-31-22.png]


English Version:

I started serious research on unpacking techniques today.

While tracing the code, a method suddenly occurred to me; I don't know whether you have used it before.

Tools: x64dbg

Method: step-by-step approach

Principle: When you set breakpoints in x64dbg, if the code at a breakpoint's address has not been resolved yet, then after Ctrl+F2 (restart) its status is shown as Inactive in the Breakpoints view; conversely, if the breakpoint lies before the OEP, its status is shown as Enabled. This lets you approach the OEP step by step.

Operation: Press F9 to run to the entry point. Single-step a few dozen instructions (the exact number is a matter of personal preference), then set a breakpoint and add a comment (preferably numbered with a serial number); repeat this to add a few more breakpoints, again as many as you prefer. Then restart with Ctrl+F2. At this point, the Inactive and Enabled states in the Breakpoints view are the key to judging where the OEP is. After finding the demarcation point between Inactive and Enabled, repeat the process above to slowly close in on the OEP.

This is a chance observation; I hope it helps everyone.

[screenshot: aaa.png]

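As an added static cross-check (this is not part of the original post and not the author's method): for UPX-style packers, the code that the stub writes at run time lands in a section that has a VirtualSize but a SizeOfRawData of 0, so the stub/unpacked boundary that the breakpoint trick finds dynamically can also be read from the PE section table. The Python script below parses the section headers and classifies an RVA as file-backed (bytes present in the file, like the stub) or runtime-only (mapped, but supplied only by the program itself). The PE it builds is a constructed stand-in with a UPX-like layout, not a real packed binary; the section names and sizes are assumptions for the demo.

```python
import struct
from dataclasses import dataclass

# Section characteristic flags from the PE specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int   # RVA where the section is mapped
    raw_size: int          # bytes actually stored in the file
    raw_pointer: int
    characteristics: int

    def writable_and_executable(self) -> bool:
        """RWX sections are where an unpacking stub typically writes the real code."""
        return (self.characteristics & IMAGE_SCN_MEM_EXECUTE != 0
                and self.characteristics & IMAGE_SCN_MEM_WRITE != 0)


def parse_pe(pe: bytes):
    """Return (entry_point_rva, [Section, ...]) from raw PE image bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    # AddressOfEntryPoint sits at offset 16 of the optional header in both PE32 and PE32+.
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    sections = []
    for i in range(nsections):
        off = opt + opt_size + i * 40          # IMAGE_SECTION_HEADER is 40 bytes
        (name, vsize, vaddr, rawsize, rawptr,
         _reloc, _lines, _nreloc, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, off)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vsize, vaddr, rawsize, rawptr, chars))
    return entry_rva, sections


def classify_rva(sections, rva: int):
    """Say whether the bytes at an RVA exist in the file or only appear at run time.

    Returns (section_name, kind) where kind is "file-backed", "runtime-only"
    or "unmapped". "runtime-only" means the loader maps the page but the file
    supplies no bytes for it, so any code found there was written by the program.
    """
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + s.virtual_size:
            if rva - s.virtual_address < s.raw_size:
                return s.name, "file-backed"
            return s.name, "runtime-only"
    return None, "unmapped"


def report(pe: bytes, rvas):
    """Classify each RVA; returns a list of (rva, section_name, kind) tuples."""
    _entry, sections = parse_pe(pe)
    return [(rva, *classify_rva(sections, rva)) for rva in rvas]


def build_sample_pe() -> bytes:
    """Constructed sample: a tiny PE32 image laid out the way UPX lays out its output.

    UPX0 is empty on disk (raw size 0) and receives the unpacked code at run time;
    UPX1 holds the stub and the entry point. Not a real packed file; only the
    headers matter for this demo.
    """
    hdr = bytearray(0x400)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                     # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x84, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = 0x98
    struct.pack_into("<H", hdr, opt, 0x10B)                     # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x12000)              # AddressOfEntryPoint, in UPX1
    struct.pack_into("<I", hdr, opt + 28, 0x400000)             # ImageBase
    sec = opt + 0xE0
    rwx = IMAGE_SCN_MEM_EXECUTE | 0x40000000 | IMAGE_SCN_MEM_WRITE
    struct.pack_into("<8sIIIIIIHHI", hdr, sec,
                     b"UPX0", 0x10000, 0x1000, 0, 0x400, 0, 0, 0, 0, rwx)
    struct.pack_into("<8sIIIIIIHHI", hdr, sec + 40,
                     b"UPX1", 0x2000, 0x11000, 0x1800, 0x400, 0, 0, 0, 0, rwx)
    return bytes(hdr) + b"\xCC" * 0x1800                        # UPX1 raw data (filler)


if __name__ == "__main__":
    pe = build_sample_pe()
    entry, sections = parse_pe(pe)
    print(f"entry point RVA: {entry:#x}")
    for s in sections:
        print(f"  {s.name:8s} va={s.virtual_address:#07x} vsize={s.virtual_size:#07x} "
              f"raw={s.raw_size:#07x} rwx={s.writable_and_executable()}")
    for rva, name, kind in report(pe, [entry, entry + 0x40, 0x1500, 0x12900, 0x50]):
        print(f"  RVA {rva:#07x}: {kind} ({name})")
```

Run stand-alone it prints the classification for the entry point, a nearby stub address, and an address inside the empty UPX0 section. Against a real file, read the bytes with open(path, "rb") and pass them to report(); the RVAs in the x64dbg breakpoint list are the address minus the module base. This only locates the region that is written at run time; it does not tell you which instruction inside that region is the OEP, which is what the single-stepping in the post is for.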