OEP finding methods

albert johnson

English Version:

I started serious research on unpacking techniques today.

While tracing the code, I suddenly thought of a method; I don't know whether you have used it.

Tools: x64dbg

Method: step-by-step approach

Principle: When you set a breakpoint in x64dbg on code that is not yet present in memory (the packer has not written it yet), the breakpoint shows as Inactive in the Breakpoint View after a restart (Ctrl+F2). Conversely, a breakpoint placed before the OEP, in code that is already present when the process starts, shows as Enabled. So the Enabled/Inactive boundary can be narrowed down step by step.


Operation: Press F9 to run to the Entry Point. Single-step a few dozen instructions (the exact number is a matter of preference), then set a breakpoint and add a comment (preferably with a serial number). Add several more breakpoints the same way, again spacing them as you prefer. Then restart with Ctrl+F2. At this point the Inactive and Enabled statuses in the Breakpoint View are the key to locating the OEP: once you find the demarcation point between Inactive and Enabled, repeat the process from there to close in on the OEP.
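The probing step above, written as an x64dbg script (an added example, not part of the original post). It assumes x64dbg's script command syntax (`var`, `mov`, `cmp`, `je`/`jne`, `sto`, `bp`, `cmt`, `log`) and that the debugger is already paused at the packer's Entry Point; the spacing of 20 instructions and the count of 3 probes are arbitrary choices. The restart (Ctrl+F2) and the Breakpoint View check stay manual, as in the post.

```text
// x64dbg script: drop evenly spaced breakpoints while stepping from the EP.
// Assumed: debugger paused at the Entry Point before this script runs.
var i, 0          // instructions stepped since the last probe
var n, 0          // probe serial number
probe:
  cmp i, 20       // spacing between probes (arbitrary, adjust to taste)
  je setbp
  sto             // step over, so calls into system DLLs are not entered
  add i, 1
  jmp probe
setbp:
  bp cip          // breakpoint at the current instruction pointer
  cmt cip, "OEP probe"
  log "probe {n} set at {cip}"   // serial number and address in the log
  mov i, 0
  add n, 1
  cmp n, 3        // number of probes to drop (arbitrary)
  jne probe
ret
```

After Ctrl+F2, probes that show Inactive lie in code the packer writes later (at or after the OEP); the last Enabled probe and the first Inactive one bracket the region to search next.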

A chance finding; I hope it helps everyone.
