Method 1: One-Step Tracing
1. Load the program in OD.
2. Trace downward with F8, one step at a time, and do not let the program jump backward.
3. When the program is about to jump backward (loops included), select the next instruction and press F4 (or right-click that instruction and choose Breakpoint --> Run to selection).
4. If there is a CALL right after the entry point, step into it with F7; otherwise the program easily runs away.
5. During tracing, if a CALL makes the program run, step into that CALL with F7.
6. Generally, when a large jump (cross-section jump) appears, such as jmp XXXXXX, je xxxxxx or RETN, you will usually arrive at the program's OEP soon after.
Method 2: ESP Law
1. At the start, press F8 once to step down. Note that ESP in the register pane at the top right of OD is now shown in red.
2. In the command line, type dd XXXXXXXX (the current value of ESP) or hr XXXXXXXX, and press Enter.
3. Select the address in the dump, then Breakpoint ---> Hardware, on access ---> Word.
4. Press F9 to run the program; it breaks right at the big jump. Press F8 to step down and reach the program's OEP.
Method 3: Memory Mirroring
1. Open the program with OD, go to Options - Debugging options - Exceptions, and tick (√) all the "ignore" boxes so every exception is ignored; then press CTRL + F2 to reload the program.
2. Press ALT + M to open the memory map, find the program's first .rsrc section, set a breakpoint on it with F2, and then press SHIFT + F9 to run to the breakpoint.
3. Press ALT + M again to open the memory map, find the .CODE section above the first .rsrc, and press F2 to set a breakpoint on it. Then press SHIFT + F9 to run directly to the program's OEP.
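Method 3 depends on reading the memory map correctly: which section is the first .rsrc, and which section sits just above it. As an added example (not from the original page), this small Python parser reads a PE section table and names the section immediately preceding the first .rsrc; the header bytes are constructed inline, and build_sample_pe, pe_sections and section_before_rsrc are hypothetical names.

```python
import struct

def pe_sections(data: bytes):
    """Return [(name, virtual_address, virtual_size)] sorted as the memory map shows them."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine(2) NumberOfSections(2) ... SizeOfOptionalHeader(2) at +16
    num_sections, opt_size = struct.unpack_from("<H12xH", data, coff + 2)
    table = coff + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i               # each IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr = struct.unpack_from("<8sII", data, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize))
    sections.sort(key=lambda s: s[1])      # OD's memory map is ordered by address
    return sections

def section_before_rsrc(sections):
    """Name of the section directly above the first .rsrc (None if there is none)."""
    for i, (name, _, _) in enumerate(sections):
        if name == ".rsrc":
            return sections[i - 1][0] if i > 0 else None
    return None

def build_sample_pe(section_specs):
    """Constructed minimal PE header (not a real binary) with the given (name, vaddr, vsize)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, 0xE0, 0x102)
    opt = b"\0" * 0xE0                                          # PE32 optional header size
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr, vsize, 0, 0, 0, 0, 0, 0x60000020)
        for name, vaddr, vsize in section_specs)
    return dos + b"PE\0\0" + coff + opt + table

# Constructed layout resembling a packed program: code section directly above .rsrc.
SAMPLE = build_sample_pe([(b".CODE", 0x1000, 0x8000), (b".rsrc", 0x9000, 0x2000), (b".idata", 0xB000, 0x1000)])

if __name__ == "__main__":
    for name, vaddr, vsize in pe_sections(SAMPLE):
        print(f"{name:8s} VA={vaddr:08X} size={vsize:08X}")
    print("section above first .rsrc:", section_before_rsrc(pe_sections(SAMPLE)))
```

On a real file, read its bytes and pass them to pe_sections; the section listed before .rsrc is the one to break on in step 3.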
Method 4: step by step to OEP (applicable to some shells)
1. Press Ctrl + F, enter popad, press F2 to set a breakpoint on it, and press F9 to run to it.
2. Step down to the big jump that follows, then press F8 to step down to the OEP.
Method 5: last exception method:
Step 1: Open the program with OD, go to Options - Debugging options - Exceptions, and untick all the √ boxes. Press CTRL + F2 to reload the program.
Step 2: Press SHIFT + F9 repeatedly until the program runs, and write down the number of SHIFT + F9 presses, n, needed from the start until the program ran.
Step 3: Reload the program, then press SHIFT + F9 n-1 times (one less than the count from the previous run).
Step 4: Look at the "SE handler" shown in the bottom-right corner of OD. Press CTRL + G, enter the address shown for the SE handler, and go to that address.
Step 5: Set a breakpoint there, then press SHIFT + F9 to run to the breakpoint.
Step 6: At this point all exceptions have been passed. Remove the breakpoint and step down with F8; the OEP is close.