跳转至

Sfx

EN | ZH The "SFX" method takes advantage of the OEP search function that comes with Ollydbg. You can choose to stop the program directly at the OEP found by the OD. At this time, the decompression process of the shell is completed, and you can directly dump the program.

要点

  1. Set OD, ignore all exceptions, that is, check the exception tab
  2. Switch to the SFX tab and select "Byte mode to track the actual entry (very slow)", OK
  3. Reload the program (if "Block code?" is selected, "No", OD directly reaches OEP)

example

The sample program can be downloaded here: 6_sfx.zip

First we check all ignore exceptions in the menu Options -> Debug Settings -> Exceptions tab.

sfx_01.png

Then switch to the SFX tab and click on "Byte mode to track the real entrance (very slow)"

sfx_02.png

Overloading the program, the program has stopped at the code entry point, and there is no need to re-analyze the OEP.

sfx_03.png


评论