OEP finding methods

albert johnson


I am starting serious research on unpacking techniques today.

In the process of tracing the code, I suddenly thought of a method; I don't know if you have used it.

Tools: x64dbg

Method: step-by-step approach

Principle: When setting breakpoints in x64dbg, if the code at the breakpoint is not resolved after Ctrl+F2, the status is displayed as Inactive in Breakpoint View; conversely, if the breakpoint is before the OEP, the status is displayed as Enabled, so you can take a step-by-step approach.

Operation: F9 jumps to the Entry Point. Single-step a few dozen instructions (the exact number depends on personal preference), then set a breakpoint and add a comment (preferably numbered serially); in this way, add a few more breakpoints, the exact number again depending on personal preference. Then restart with Ctrl+F2. At this point, Inactive and Enabled in Breakpoint View are the keys to our judgment of the OEP. After finding the demarcation point between Inactive and Enabled, repeat the above process to slowly approach the OEP.

A chance discovery; I hope it helps everyone.
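As an added example (not code from the post), here is the post's narrowing loop written as a binary search over a recorded step trace, so the boundary between Enabled and Inactive is found in a logarithmic rather than linear number of restarts. It assumes the stepped addresses were already recorded (for example from a step log), that the Enabled/Inactive split is monotonic along the path, and it abstracts "look at Breakpoint View after Ctrl+F2" as a status oracle; the trace and addresses are constructed.

```python
from typing import Callable, Sequence

ENABLED, INACTIVE = "Enabled", "Inactive"


def find_first_inactive(trace: Sequence[int], status: Callable[[int], str]) -> tuple[int, int]:
    """Binary-search `trace` for the first address whose breakpoint shows Inactive.

    trace  : instruction addresses in the order they were single-stepped from the
             entry point (assumed already recorded, e.g. from a step log).
    status : oracle answering what Breakpoint View shows for a breakpoint set at
             that address after Ctrl+F2.  Assumed monotonic along the trace:
             Enabled while still inside the packer stub, Inactive once the trace
             has entered code the stub only writes at run time.
    Returns (index, restart_count); trace[index] is the OEP candidate.
    """
    lo, hi = 0, len(trace)           # trace[:lo] known Enabled, trace[hi:] known Inactive
    restarts = 0
    while lo < hi:
        mid = (lo + hi) // 2
        restarts += 1                # one breakpoint + one restart per probe
        if status(trace[mid]) == ENABLED:
            lo = mid + 1
        else:
            hi = mid
    if lo == len(trace):
        raise ValueError("no Inactive breakpoint in trace: step further before bisecting")
    return lo, restarts


# --- constructed demo data (hypothetical layout, not a real binary) ----------
STUB_BASE, UNPACKED_BASE = 0x00401000, 0x00501000
# 200 stepped instructions: 150 inside the packer stub, then the stub's final
# jump lands in unpacked code at 0x00501000, which is the OEP candidate.
DEMO_TRACE = [STUB_BASE + 4 * i for i in range(150)] + \
             [UNPACKED_BASE + 4 * i for i in range(50)]


def demo_status(addr: int) -> str:
    """Stand-in for reading Breakpoint View in the constructed scenario."""
    return ENABLED if addr < UNPACKED_BASE else INACTIVE


if __name__ == "__main__":
    idx, n = find_first_inactive(DEMO_TRACE, demo_status)
    print(f"OEP candidate {DEMO_TRACE[idx]:#010x} after {n} restarts "
          f"(manual worst case: {len(DEMO_TRACE)})")
```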