The so-called one-step-to-OEP unpacking method relies on a characteristic of the packer (the "shell"): find the assembly instruction closest to the OEP, set an int3 breakpoint there, and dump the program when execution reaches the OEP.
For example, some compression packers tend to have a `popad` or a long `jmp` very close to the OEP. Using Ollydbg's search function, you can therefore search for the packer's characteristic assembly code and reach the OEP with a single breakpoint.
- Ctrl+F: search for `popad`
- Ctrl+L: jump to the next match
- When a match is found, confirm that this is the part where the packer is about to jump to the OEP, then set a breakpoint there and run to it
- Works only for a very small number of compression packers
The sample program can be downloaded here: 3_direct2oep.zip
We again use the original notepad.exe as the illustration. After opening it in Ollydbg, press Ctrl+F to search for a specified instruction. `popad` is a typical characteristic: some packers commonly use `popad` to restore the register state before leaving the stub, so search for `popad` as shown below.
In this example, when the `popad` that is found does not meet our requirements, press Ctrl+L to search for the next match. After about three or four tries, we find the jump to the OEP.
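As an added example (not part of the original tutorial), the following Python script automates the same search over a raw code buffer: it finds every `popad` byte, looks for a near or short `jmp` within a few bytes after it, decodes the jump target, and flags targets that land outside the scanned buffer, which is what a stub's tail jump to the OEP looks like. The sample bytes, base address and function name are constructed for illustration and do not come from a real packer.

```python
import struct

# Constructed x86 sample (not a real packer) mimicking the tail of a
# compression stub: popad restores the registers, then a jmp leaves for the OEP.
SAMPLE_BASE = 0x401000
SAMPLE_CODE = (
    b"\x90\x90"                  # 0-1   nop nop
    b"\x61"                      # 2     popad
    b"\x8d\x4c\x24\x80"          # 3-6   lea ecx, [esp-0x80]
    b"\xe9\xc0\x00\x00\x00"      # 7-11  jmp rel32 -> 0x4010cc (outside the stub)
    b"\xcc\xcc"                  # 12-13 int3 padding
    b"\x61"                      # 14    popad
    b"\xeb\xf0"                  # 15-16 jmp short -16 -> 0x401001 (stays inside)
    b"\x61\x90\x90\x90\x90"      # 17    popad with no jmp nearby -> ignored
)


def find_popad_tail_jumps(code, base, window=16):
    """Return (popad_va, jmp_va, target_va, leaves_buffer) for each popad (0x61)
    followed within `window` bytes by a near (E9 rel32) or short (EB rel8) jmp.

    This is a byte-pattern scan, not a disassembly: 0x61/0xE9/0xEB can also
    occur inside operands, so every hit is a candidate to confirm in the
    debugger, exactly as the Ctrl+F / Ctrl+L procedure above requires.
    """
    hits = []
    end = len(code)
    for off, b in enumerate(code):
        if b != 0x61:
            continue
        for j in range(off + 1, min(end, off + 1 + window)):
            op = code[j]
            if op == 0xE9 and j + 5 <= end:
                rel = struct.unpack_from("<i", code, j + 1)[0]
                target = base + j + 5 + rel
            elif op == 0xEB and j + 2 <= end:
                rel = struct.unpack_from("<b", code, j + 1)[0]
                target = base + j + 2 + rel
            else:
                continue
            # A jump that leaves the scanned stub region is the interesting one.
            leaves = target < base or target >= base + end
            hits.append((base + off, base + j, target, leaves))
            break
    return hits


if __name__ == "__main__":
    for popad_va, jmp_va, target, leaves in find_popad_tail_jumps(SAMPLE_CODE, SAMPLE_BASE):
        tag = "candidate OEP jump" if leaves else "local jump"
        print(f"popad @ {popad_va:08x}  jmp @ {jmp_va:08x} -> {target:08x}  [{tag}]")
```

Only the first hit leaves the buffer and is the tail jump worth breaking on; the short jump after the second `popad` stays inside the stub and would be skipped with Ctrl+L.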