Common Manual Unpacking Methods


Unpacking
Method 1: Single-Step Tracing
1. Load the program in OD and answer "No" when asked whether to analyze the code.
2. Single-step with F8, letting only downward jumps execute. In other words, jumps that go back up must not be taken (use F4 to skip them).
3. When the program jumps back (including loops), press F4 on the instruction just below the jump (or right-click that instruction and choose Breakpoint --> Run to selection).
4. A green line means the jump is not taken; ignore it. A red line means the jump is taken.
5. If there is a call right after the program has been loaded, enter it with F7; otherwise the program easily runs away, and following the call gets us to the OEP quickly.
6. While tracing, if stepping over a particular call makes the program run away, enter that call with F7 instead.
7. A large jump (one that spans segments), such as JMP xxxxxx or JE xxxxxx, or a RETN, usually means the program's OEP is close.

BTW: when some packers cannot be traced down this way, find a nearby large jump that is not taken, right-click --> Follow, press F2 to set a breakpoint there, then Shift+F9 stops at the followed location; remove the breakpoint and continue single-stepping with F8. Usually this reaches the OEP easily.

Method 2: ESP Law
ESP-law unpacking (ESP is shown in the OD register pane; we only need to set a hardware access breakpoint on the ESP address from the command line and we land on the program's OEP in one go).
1. Press F8 once at the start and watch whether ESP in the register pane in the top-right corner of OD is highlighted (red). (In general this is the first ESP value after the key instruction.)
2. On the command line type: dd XXXXXXXX (the current ESP address from the register pane), or hr XXXXXXXX, and press Enter.
3. Select the address that was dumped, then Breakpoint ---> Hardware, on access ---> Word.
4. Press F9 to run the program; it stops right at the big jump. Press F8 and you reach the program's OEP.

Method 3: Memory Map
1: Load the software in OD.
2: Click Options > Debugging options > Exceptions, and tick every box in it. Ctrl+F2 to reload the program.
3: Press Alt+M to open the memory map and find the program's first .rsrc section; set a breakpoint on it with F2, then press Shift+F9 to run to the breakpoint. Press Alt+M again, find the .code section that sits above the program's first .rsrc (the one at 00401000), and press F2 to set a breakpoint on it. Then press Shift+F9 (or F9 if no exception occurs) to arrive directly at the program's OEP.

Method 4: One Step to the OEP
1. Press Ctrl+F at the start and search for popad (this applies only to a few packers, UPX and ASPack among them); press F2 to set a breakpoint there and F9 to run to it.
2. Go down to the big jump, press F8 and you reach the OEP.
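As an added example (not part of the original page), the following Python script reproduces the Method 4 search on a constructed x86 stub: it locates the popad byte and then the first later jump whose target leaves the packer section, the "big jump" of Methods 1 and 4. The stub layout, the image range and the OEP value are assumptions; only the section address 0054b000 comes from the memory map shown further down this page.

```python
import struct

SECTION_BASE = 0x0054B000              # section address from the page's memory map; stub below is constructed
IMAGE_BASE, IMAGE_SIZE = 0x00400000, 0x0014D000   # assumed image range
OEP = 0x00401000                                  # assumed OEP inside the .code section
_HEAD = bytes([
    0x60,                          # pushad  (the first ESP change the ESP law watches)
    0xE8, 0x00, 0x00, 0x00, 0x00,  # call $+5
    0x5D,                          # pop ebp
    0x61,                          # popad   (what Method 4 searches for with Ctrl+F)
    0x75, 0x07,                    # jnz short -> the jmp below (target stays inside the packer)
    0xB8, 0x00, 0x10, 0x40, 0x00,  # mov eax, 0x401000
    0x50,                          # push eax
    0xC3,                          # retn
])
STUB = _HEAD + b"\xE9" + struct.pack("<i", OEP - (SECTION_BASE + len(_HEAD) + 5))  # jmp OEP

def decode_transfer(code, off, base):
    """Decode a jmp/jcc/retn at code[off]; return (mnemonic, target, length) or None."""
    op, left = code[off], len(code) - off
    if op == 0xC3:
        return ("retn", None, 1)
    if left >= 2 and (op == 0xEB or 0x70 <= op <= 0x7F):           # jmp/jcc rel8
        name = "jmp short" if op == 0xEB else "jcc short"
        return (name, base + off + 2 + struct.unpack_from("<b", code, off + 1)[0], 2)
    if left >= 5 and op == 0xE9:                                    # jmp rel32
        return ("jmp", base + off + 5 + struct.unpack_from("<i", code, off + 1)[0], 5)
    if left >= 6 and op == 0x0F and 0x80 <= code[off + 1] <= 0x8F:  # jcc rel32
        return ("jcc", base + off + 6 + struct.unpack_from("<i", code, off + 2)[0], 6)
    return None

def find_oep_candidates(code, section_base, image_base, image_size):
    """For each popad byte, report the first later transfer whose target leaves the packer section
    but stays inside the image. Byte scanning (like Ctrl+F) can hit 0x61 in an operand: confirm by stepping."""
    section_end, found = section_base + len(code), []
    for popad_off in (i for i, b in enumerate(code) if b == 0x61):
        j = popad_off + 1
        while j < len(code):
            t = decode_transfer(code, j, section_base)
            if t is None:
                j += 1
                continue
            name, target, length = t
            if target is not None and not (section_base <= target < section_end) \
                    and image_base <= target < image_base + image_size:
                found.append((section_base + popad_off, section_base + j, name, target))
                break
            j += length
    return found
```

On the sample stub the short jnz after popad is skipped because it stays inside the section, and the jmp at 0054B011 is reported as the OEP candidate 00401000.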

Method 5: Last Exception Method
1: Open the software in OD.
2: Click Options > Debugging options > Exceptions and untick every box. Ctrl+F2 to reload the program.
3: At the start the program sits on a jump. Press Shift+F9 repeatedly until the program runs, and note the number of Shift+F9 presses needed from the start until it runs; call it M.
4: Ctrl+F2 to reload the program, then press Shift+F9 M-1 times.
5: In the lower-right corner of OD we see an "SE handler" entry. Press Ctrl+G and enter the address shown in front of the SE handler.
6: Press F2 to set a breakpoint, then Shift+F9 to run to it.
7: Remove the breakpoint and step down slowly with F8.
8: You arrive at the program's OEP.

Method 6: Simulated Tracing
1: Do a trial run first and trace the program a little to see whether there are SEH traps or the like.
2: Press Alt+M to open the memory map and find the section whose contents are listed as SFX, imports, relocations:

Memory map, item 30
Address = 0054b000
Size = 00002000 (8192.)
Owner = check 00400000
Section = .aspack
Contains = SFX, imports, relocations
Type = Imag 01001002
Access = R
Initial access = RWE

3: The address is 0054b000. On the command line enter tc eip<0054b000, press Enter, and let the trace run.

BTW: when you use this method, you need to understand under which conditions it actually applies.

Method 7: SFX Method
1: Set OD to ignore all exceptions, that is, tick every box on the Exceptions tab.
2: Switch to the SFX tab, select "Byte-wise trace of real entry (very slow)", and click OK.
3: Reload the program (if a dialog asks "Compressed code?", choose "No") and OD arrives at the OEP.

BTW: do not overuse this method; building up your own skill is what really counts.
