From the basics in Section 1 we know that a packer's stub first decompresses the original code and writes it back into the corresponding sections. When the stub has finished, it jumps back to the OEP, and the OEP lies in the code section; in other words, once the stub completes its work, control returns to the code section. Can we use this behaviour to unpack? Yes, we can! Sometimes a single breakpoint on the code section is not enough. What then? In practice two memory breakpoints are all it takes: a typical packer decompresses the .text, .rdata, .data and .rsrc sections one after another. Based on this, we can set a breakpoint on one of the other sections at the right moment, then set a breakpoint on the .text section, find the program's OEP, and unpack.
For this test I packed a Delphi 7.0 program with ASPack 2.28. Press "ALT + M" to open the memory map, select the code section and press F2 to set a one-shot memory breakpoint on access (some strong packers detect the F2 software breakpoint, so we use this section-level method instead!). The breakpoint is one-shot: it fires when the section is read or executed, and it is deleted automatically once it triggers.
With the breakpoint set on CODE (the program is Delphi 7.0 and packed, so the code section is named CODE), press F9 to run and we stop at 004608BB:
At this point the CODE section is about to be decompressed. Now set an F2 breakpoint on the block at 00401000, that is, the PE file header, press F9 again, and we stop where the packer starts to decompress the PE file header:
Scroll down a little and we find a very familiar piece of code:
00460425 is a cross-section transfer, obviously the jump to the OEP. Set an F2 breakpoint on this retn, run with F9, and after the break remove the breakpoint and single-step with F8: we have arrived at the OEP!
In fact, it does not have to break at the PE file header. After the breakpoint on the rsrc section fires, set the breakpoint on the Code section again; it breaks at 0046038F, and scrolling down from there you find the same cross-section transfer that reaches the OEP!
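The principle behind the two breakpoints above can be modelled outside the debugger. The following Python is an added example, not code from the original post: it builds a constructed PE32 header (not a real ASPack binary), parses the section table, applies the packing indicators the text relies on (entry point outside the code section, code section empty on disk), and then replays a constructed execution trace to report the first address executed in the code section after control has been running in another section, which is exactly the cross-section transfer the memory breakpoint catches. The section layout, addresses in the trace and helper names are all assumptions for illustration.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def build_sample_pe(image_base, entry_rva, sections):
    """Build a minimal PE32 header with a section table (constructed sample data,
    not a real packed binary). sections: (name, va, vsize, rawsize, characteristics)."""
    opt = bytearray(0xE0)                        # PE32 optional header is 0xE0 bytes
    struct.pack_into("<H", opt, 0, 0x10B)        # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)  # ImageBase
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), vs, va, rs, 0, 0, 0, 0, 0, ch)
        for n, va, vs, rs, ch in sections)
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)      # e_lfanew -> PE signature offset
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(data):
    """Parse the headers we need: image base, entry point and the section ranges."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
    sections, off = [], opt_off + opt_size
    for _ in range(nsec):
        name, vsize, va, rawsize, *_rest, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode(),
            "start": image_base + va,
            "end": image_base + va + vsize,
            "raw_size": rawsize,
            "exec": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "write": bool(chars & IMAGE_SCN_MEM_WRITE),
        })
        off += 40
    return {"image_base": image_base, "entry": image_base + entry_rva, "sections": sections}


def section_of(pe, addr):
    for s in pe["sections"]:
        if s["start"] <= addr < s["end"]:
            return s
    return None


def packing_indicators(pe):
    """Heuristics matching the text: the entry point lies outside the main code
    section, the code section has no raw data on disk (it is filled at run time),
    and the section holding the entry point is both writable and executable."""
    code = next((s for s in pe["sections"] if s["exec"]), None)
    entry_sec = section_of(pe, pe["entry"])
    return {
        "entry_outside_code": entry_sec is not None and entry_sec is not code,
        "code_empty_on_disk": code is not None and code["raw_size"] == 0,
        "entry_section_writable_exec": entry_sec is not None and entry_sec["exec"] and entry_sec["write"],
    }


def find_oep(pe, trace):
    """Emulate the memory-breakpoint method over an execution trace: report the
    first address executed inside the code section after control has been running
    in some other section (the stub). That cross-section transfer target is the
    OEP candidate; None means no such transfer was seen."""
    code = next((s for s in pe["sections"] if s["exec"]), None)
    if code is None:
        return None
    ran_outside_code = False
    for addr in trace:
        if section_of(pe, addr) is code:
            if ran_outside_code:
                return addr
        else:
            ran_outside_code = True
    return None


# Constructed layout: a Delphi-style CODE section that is empty on disk and a
# writable+executable stub section that owns the entry point (hypothetical values).
IMAGE_BASE = 0x400000
SAMPLE_PE = build_sample_pe(IMAGE_BASE, 0x60001, [
    ("CODE",    0x01000, 0x5D000, 0,      IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    ("DATA",    0x5E000, 0x01000, 0,      IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".rsrc",   0x5F000, 0x01000, 0,      IMAGE_SCN_MEM_READ),
    (".aspack", 0x60000, 0x02000, 0x1800, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])
# Constructed trace: stub runs in .aspack, then a retn transfers into CODE.
SAMPLE_TRACE = [0x460001, 0x460010, 0x460425, 0x4608BB, 0x460425, 0x45C2A0, 0x45C2A4]

if __name__ == "__main__":
    pe = parse_pe(SAMPLE_PE)
    print(packing_indicators(pe))
    print(hex(find_oep(pe, SAMPLE_TRACE)))
```

In the debugger the "trace" is replaced by the one-shot memory breakpoint on the section: it fires on the first access after the stub has left it, which is the same event `find_oep` reports. The same section parsing also tells you, before running anything, which section ranges to put those breakpoints on.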
Attachment (download):
Http://www.bkjia.com/uploadfile/2012/1205/20121205071514480.zip