General Old UPX Shell

Description: The typical UPX stub entry begins with PUSHAD; after the matching POPAD there is usually a cross-section (far) JMP that lands on the program's true entry point (OEP).

Tools: OllyDbg v1.10

Method 1 (single-stepping): Step forward with F8 and never let the program loop backwards. Whenever a jump goes backwards, select the instruction after it and press F4 (run to selection) to skip the loop. Continue until you reach POPAD followed by a cross-section JMP (its target is far away). There may be many backward jumps, and if you let one execute you have to start over from the entry point, so write down the address of each backward jump and use F4 at those addresses. The address the JMP lands on is the OEP.

Method 2 (API breakpoints): Two commonly used API breakpoints are LoadLibraryA and GetProcAddress. If, while single-stepping, the comment column shows kernel32.LoadLibraryA or kernel32.GetProcAddress (the latter is the preferred breakpoint), set a breakpoint directly on that API (command line: BP APINAME), press F9 to run to the breakpoint, F2 to remove it, then Ctrl+F9 (execute till return). At this point you are not far from the OEP: there must be a POPAD followed by a cross-section JMP. Step with F8 to the JMP after the POPAD and take it; it jumps to the OEP.

Method 3 (direct search): This assumes you already know the characteristics of the shell. Search for POPAD with Ctrl+F, set a breakpoint (F2) at the address found, press F9 to run to it and F2 to remove it. The cross-section JMP right after the POPAD points straight to the OEP; F8 to the OEP, then dump.

Method 4 (ESP trick): After loading the program, press F8 once; the first instruction (PUSHAD) changes ESP. Right-click the ESP register and choose "Follow in Dump" (command line: D ESP). In the dump window, right-click the first bytes at that address and set Breakpoint -> Hardware, on access -> Word. Press F9 to run to the breakpoint (it fires when POPAD reads the saved registers back), delete the hardware breakpoint you just set (Debug -> Hardware breakpoints), then F8 to the true entry point of the program and dump.
Postscript: The dumped program may not run; repair its import table with ImportREC (Import Reconstructor).
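As an added example, not code from the original page: a small Python script that automates the signature Methods 1 to 3 rely on, a POPAD followed by a JMP rel32 whose target leaves the stub's own address range (the cross-section jump). It scans a raw byte buffer (a constructed sample stub is built inline, labelled as such) and, for a real file, the section that holds the PE32 entry point. The addresses, the section layout of the sample and the max_gap allowance for a few instructions between POPAD and JMP are assumptions; the result is the candidate OEP you would then confirm in OllyDbg before dumping.

```python
import struct

POPAD = 0x61      # opcode of POPAD (32-bit)
JMP_REL32 = 0xE9  # opcode of JMP rel32


def find_popad_jmp(code: bytes, code_va: int, max_gap: int = 8):
    """Return (popad_va, jmp_va, target_va) for every POPAD that is followed,
    within max_gap bytes, by a JMP rel32.  code_va is the virtual address of
    code[0].  Old UPX stubs place the JMP right after the POPAD; the gap is an
    assumption that tolerates a few instructions in between."""
    hits = []
    for i, b in enumerate(code):
        if b != POPAD:
            continue
        # Look ahead for E9 that still has 4 displacement bytes after it.
        for j in range(i + 1, min(i + 1 + max_gap, len(code) - 4)):
            if code[j] == JMP_REL32:
                rel = struct.unpack_from('<i', code, j + 1)[0]
                jmp_va = code_va + j
                # rel32 is relative to the end of the 5-byte JMP instruction.
                target = (jmp_va + 5 + rel) & 0xFFFFFFFF
                hits.append((code_va + i, jmp_va, target))
                break
    return hits


def find_oep(code: bytes, code_va: int):
    """Return the target of the first POPAD+JMP whose target lies outside the
    scanned range (the cross-section jump of the tutorial), or None."""
    lo, hi = code_va, code_va + len(code)
    for _popad_va, _jmp_va, target in find_popad_jmp(code, code_va):
        if not (lo <= target < hi):
            return target
    return None


def entry_section(data: bytes):
    """Locate the PE32 section containing AddressOfEntryPoint.
    Returns (section_va, section_bytes).  Minimal parser, PE32 only."""
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('not a PE file')
    num_sections = struct.unpack_from('<H', data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from('<H', data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from('<H', data, opt)[0] != 0x10B:
        raise ValueError('PE32 only')
    ep_rva = struct.unpack_from('<I', data, opt + 16)[0]
    image_base = struct.unpack_from('<I', data, opt + 28)[0]
    sec = opt + opt_size
    for _ in range(num_sections):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from('<IIII', data, sec + 8)
        if vaddr <= ep_rva < vaddr + max(vsize, rawsize):
            return image_base + vaddr, data[rawptr:rawptr + rawsize]
        sec += 40
    raise ValueError('entry point not inside any section')


def find_oep_in_file(path: str):
    """Scan the entry-point section of a packed PE32 on disk."""
    with open(path, 'rb') as f:
        data = f.read()
    sec_va, sec_bytes = entry_section(data)
    return find_oep(sec_bytes, sec_va)


def build_sample_stub():
    """Constructed sample, not bytes taken from a real UPX binary: filler, a
    decoy POPAD+JMP that stays inside the stub, then the old-UPX tail
    POPAD; JMP OEP.  Returns (code, code_va, expected_oep)."""
    code_va = 0x0040E7C0   # assumed VA of the stub tail (inside UPX1)
    oep = 0x00401000       # assumed OEP inside the unpacked .text
    code = bytearray(b'\x8b\x07\x09\xc0')                   # filler (constructed)
    code += b'\x61\xe9' + struct.pack('<i', 0x10)           # decoy: jumps 0x10 ahead, stays inside
    code += b'\x90' * 0x10
    code += b'\x61'                                         # POPAD
    jmp_va = code_va + len(code)
    code += b'\xe9' + struct.pack('<i', oep - (jmp_va + 5))  # JMP OEP (cross-section)
    return bytes(code), code_va, oep


if __name__ == '__main__':
    code, va, expected = build_sample_stub()
    for popad_va, jmp_va, target in find_popad_jmp(code, va):
        print(f'POPAD at {popad_va:08X}, JMP at {jmp_va:08X} -> {target:08X}')
    print(f'candidate OEP: {find_oep(code, va):08X} (expected {expected:08X})')
```

The decoy shows why the cross-section check matters: a POPAD followed by a short in-stub JMP is not the OEP jump, and only the candidate whose target leaves the scanned range is reported. On a real sample you still confirm the address in OllyDbg (set a breakpoint there, F9, then dump), exactly as Method 3 describes.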