1. Use the ESP Law
After loading the program in OD, press F8 once, then right-click the ESP value in the register window (for example, 0012ffa4) and choose "follow in the data window" to go to the memory data window; display the memory data window as hex data. Right-click the starting address (for example, 0012ffa4), choose "breakpoint" > "hardware access" > "word", and press F9 to run. Press F8 once or twice more and you usually arrive at a push ebp instruction. The address of this instruction is the OEP.
2. Secondary Breakpoint Method
After loading the program in OD, click the "M" button to go to the memory map page. Set an access breakpoint (F2) on the data, resource (rsrc), rdata, idata, and similar segments and run with F9; then open the memory map page again, set an access breakpoint (F2) on the code segment, and run with F9. When execution breaks in the code segment:
(1) The OEP is usually only a few instructions further on, and you can follow with F8 (typical signs are popad and jmp xxx, where xxx is a relatively distant address).
(2) Open the memory window again, set an access breakpoint (F2) on the "PE file header", and press F9. When execution breaks, if it is in the program's own address space, continue with F8; if it is in system address space, the secondary breakpoint method does not work here.
(3) Open the memory window and look for data such as the following:
00424000 00001000 (4096.) Computer 00400000 .rsrc data, input table, resource imag 01001002
Enter tc eip<00424000 in the command line, press Enter, run with F9, and step with F8 to reach the OEP.
3. Simulation Tracing Method
After loading the program in OD, open the memory window and look for data such as the following:
00424000 00001000 (4096.) Computer 00400000 .rsrc data, input table, resource imag 01001002
Enter tc eip<00424000 in the command line, press Enter, run with F9, and step with F8 to reach the OEP.
4. One-Step Tracing Method
Use this method for programs that modify the PE file header and cause errors when OD loads them (other programs can of course use it too):
Open OD and change where it pauses first: choose "options" > "debug settings" > "events" tab and change "suspend for the first time" to "system breakpoint" (the default is "winmain"). Then press the "M" button to open the memory map window, set an access breakpoint (F2) on the program's "PE file header", and run with F9. Once execution breaks, single-step with F8; whenever you meet an upward jump (jmp included), press F4 on the instruction after it. You will soon reach the OEP (the usual sign is popad, jmp xxx, where xxx is a relatively distant address).
5. Command Sequence Searching
Applicable when the stack-saving instructions are pushfd, pushad:
If the stack-saving instruction is found to be pushfd or pushad, press Ctrl + S to open the "search command sequence" window and search for the popad popfd sequence (note that the order must be correct; the two instructions can be written on two lines).
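Added example (not part of the original post): a static counterpart to the popad / jmp xxx sign described above, scanning a dumped packer stub for popad followed by a jmp rel32 whose target lies in a different section. The section addresses follow the page's memory-map listing; the .code size, the stub bytes, the stub address and the OEP value are constructed for illustration, and the function names are hypothetical.

```python
import struct

POPAD, JMP_REL32 = 0x61, 0xE9

def section_of(va, sections):
    """Name of the (name, start, size) section containing va, or None."""
    for name, start, size in sections:
        if start <= va < start + size:
            return name
    return None

def find_tail_jumps(stub, stub_va, sections, max_gap=8):
    """Candidate OEP jumps: popad, then within max_gap bytes a jmp rel32
    whose target lies in a different section than the stub itself.
    This is a raw byte scan, so hits are breakpoint candidates only:
    0x61 / 0xE9 can also occur as operand bytes."""
    home = section_of(stub_va, sections)
    hits = []
    for i, byte in enumerate(stub):
        if byte != POPAD:
            continue
        j = stub.find(bytes([JMP_REL32]), i + 1, i + 1 + max_gap)
        if j < 0 or j + 5 > len(stub):
            continue
        rel = struct.unpack_from("<i", stub, j + 1)[0]
        jmp_va = stub_va + j
        target = (jmp_va + 5 + rel) & 0xFFFFFFFF
        sec = section_of(target, sections)
        if sec is not None and sec != home:
            hits.append((jmp_va, target, sec))
    return hits

# Constructed sample: section addresses follow the page's memory-map
# listing (.code size assumed); stub bytes and OEP value are made up.
SECTIONS = [(".code", 0x00401000, 0x1000), (".ASPack", 0x0054B000, 0x2000)]
STUB_VA = 0x0054B3A0
FAKE_OEP = 0x004012C0
STUB = (
    bytes([0x61, 0xE9]) + struct.pack("<i", 0x10)  # popad; near jmp, stays in .ASPack
    + b"\x90" * 4                                   # nop padding
    + bytes([0x61, 0x9D, 0xE9])                     # popad; popfd; far jmp
    + struct.pack("<i", FAKE_OEP - (STUB_VA + 12 + 5))
)

if __name__ == "__main__":
    for jmp_va, target, sec in find_tail_jumps(STUB, STUB_VA, SECTIONS):
        print(f"jmp at {jmp_va:08X} -> {target:08X} ({sec})")
```

The near jmp after the first popad is filtered out because its target stays inside the packer section; only the cross-section jump is reported as a place to set a breakpoint.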
The following is reposted from http://bbs.pediy.com/showthread.php?t=144270&highlight=VMP
Method 1: One-Step Tracing
1. Load the program with OD.
2. Single-step downward with F8, letting downward jumps execute. Do not let the program jump back up.
3. When the program is about to jump back (loops and jmp included), press F4 on the next instruction (or right-click that instruction and select breakpoint --> run to the selected code).
4. If there is a call close to where the program was just loaded, follow it with F7; otherwise the program easily runs away.
5. While tracing, if the program runs away at a call, enter that call with F7.
6. Generally, once there is a large jump (a cross-segment jump) such as jmp xxxxxx or je xxxxxx, or a retn, you will soon reach the program's OEP.
Method 2: ESP Law
1. Start by stepping down with F8, watching the ESP register in the top-right corner of OD to see when it is highlighted (turns red).
2. In the command line, enter dd XXXXXXXX (XXXXXXXX is the ESP address at the current instruction; hr XXXXXXXX can be used instead) and press Enter.
3. Select the address to break on, then breakpoint ---> hardware access ---> word.
4. Press F9 to run the program; it goes directly to the jump. Step down with F8 to reach the program's OEP.
Method 3: Memory Mirroring
1. Open the program with OD, go to options -- debugging options -- exception and ignore all exceptions (that is, tick every exception checkbox), then press Ctrl + F2 to reload the program.
2. Press Alt + M to open the memory map, find the program's first .rsrc, press F2 to set a breakpoint, and then press Shift + F9 to run to the breakpoint.
3. Press Alt + M to open the memory map again, find the .code above the program's first .rsrc, and set a breakpoint with F2. Then press Shift + F9 to go directly to the program's OEP.
Method 4: One Step to OEP (applicable to some packers)
1. Press Ctrl + F, enter popad, set a breakpoint there with F2, and press F9 to run to it.
2. You arrive at the big jump; step down with F8 to reach the OEP.
Method 5: Last Exception Method
Step 1: Open the program with OD, click option - debug option - exception, and untick all the checkboxes. Press Ctrl + F2 to reload the program.
Step 2: Press Shift + F9 repeatedly until the program runs, and write down the number of presses n from the first Shift + F9 until the program runs.
Step 3: Reload the program and press Shift + F9 again, this time n-1 times.
Step 4: In the bottom-right corner of OD there is an "SE handler" entry. Press Ctrl + G and enter the address shown before "SE handler" to go to that address.
Step 5: Set a breakpoint here, then press Shift + F9 to run to the breakpoint.
Step 6: At this point all exceptions have been passed. Remove the breakpoint and trace down slowly with F8 to reach the OEP quickly (or, after removing the breakpoint, open the memory map, set an F2 breakpoint on the code section, and press Shift + F9).
The unpacking methods summarized from heiying's tutorials:
Method 1: One-Step Tracing
1. Load the program with OD and click "do not analyze code".
2. Single-step with F8, letting downward jumps execute. That is, upward jumps must not be allowed to execute (get past them with F4).
3. When the program is about to jump back (loops included), press F4 on the next instruction (or right-click that instruction and select breakpoint --> run to the selected code).
4. A green line indicates that the jump is not taken; ignore it. A red line indicates that the jump is taken.
5. If there is a call close to where the program was just loaded, follow it with F7; otherwise the program easily runs away. This way you quickly get to the program's OEP.
6. While tracing, if the program runs away at a call, enter that call with F7.
7. Generally, once there is a large jump (a large span between segments) such as jmp xxxxxx or je xxxxxx, or a retn, you will soon reach the program's OEP.
BTW: when single-stepping cannot get through some packers, look nearby for a large jump that is not taken (usually just before the code where the program ran away; recognizing a large jump comes with experience), right-click --> "follow", set a breakpoint there with F2, press Shift + F9 to stop at the followed location, then remove the breakpoint and continue with F8. Generally, you can reach the OEP easily this way.
Method 2: ESP Law
Unpacking with the ESP law (using ESP in OD's register pane: we only need to set a hardware access breakpoint on the ESP value from the command line, and we arrive at the program's OEP).
1. Start by pressing F8, watching the ESP register in the top-right corner of OD to see when it is highlighted (turns red). (Generally this is the first ESP value after the key instruction.)
2. In the command line, enter dd XXXXXXXX (XXXXXXXX is the ESP address at the current instruction; hr XXXXXXXX can be used instead) and press Enter.
3. Select the address to break on, then breakpoint ---> hardware access ---> word.
4. Press F9 to run the program; it goes directly to the jump. Press F8 to reach the program's OEP.
Method 3: Memory Mirroring
1: Open the software with OD.
2: Click "option" > "debug option" > "exception" and ignore all exceptions. Press Ctrl + F2 to reload the program.
3: Press Alt + M to open the memory map, find the program's first .rsrc, set a breakpoint with F2, and press Shift + F9 to run to the breakpoint. Then press Alt + M to open the memory map again, find the .code above the program's first .rsrc (that is, the one at 00401000), and set a breakpoint with F2. Then press Shift + F9 (or F9 if there are no exceptions) to go directly to the program's OEP.
Method 4: Get to OEP in one step
1. Start by pressing Ctrl + F and entering popad (this applies only to a few packers, including UPX and ASPack), then set a breakpoint with F2 and press F9 to run to it.
2. You arrive at the big jump; press F8 to reach the OEP.
Method 5: last exception Method
1: Open the software with OD.
2: Click option - debug option - exception and untick all the checkboxes. Press Ctrl + F2 to reload the program.
3: The program starts at a jump. From here, press Shift + F9 repeatedly until the program runs, and write down the number of presses M from the first Shift + F9 until the program runs.
4: Press Ctrl + F2 to reload the program and press Shift + F9 again (this time M-1 times, one fewer than the count at which the program ran).
5: In the lower-right corner of OD there is an "SE handler" entry. Press Ctrl + G and enter the address shown before "SE handler".
6: Set a breakpoint with F2, then press Shift + F9 to run to the breakpoint.
7: Remove the breakpoint and step down slowly with F8. (Or, after removing the breakpoint, open the memory map, set an F2 breakpoint on the code section, and press Shift + F9.)
8: You arrive at the program's OEP.
Method 6: Simulated Tracing
1: First do a trial run and trace the program to see whether there are any SEH traps or the like.
2: Press Alt + M to open the memory map and find the entry with "Include = SFX, imports, relocations":
Memory image, Project 30
Address = 0054b000
Size = 00002000 (8192 .)
Owner = check 00400000
Segment = .ASPack
Include = SFX, imports, relocations
Type = imag 01001002
Access = r
Initial access = RWE
3: The address is 0054b000. Enter tc eip<0054b000 on the command line and press Enter; OD is now tracing...
BTW: this method can be used when there are no SEH traps.
Method 7: SFX Method
1: Set OD to ignore all exceptions, that is, tick every checkbox on the exception tab.
2: Switch to the SFX tab, select "byte mode to track the actual entry (very slow)", and click OK.
3: Reload the program (if a "compressed code?" prompt pops up, select "no", and OD goes directly to the OEP).
BTW: It is better not to overuse this method; building up your own skill is preferable.