The "SFX" method takes advantage of the OEP search function built into OllyDbg. You can have the program stop directly at the OEP that OD finds; by that point the shell's decompression routine has already finished, so you can dump the program directly.
- Configure OD to ignore all exceptions, i.e. check every box on the Exceptions tab
- Switch to the SFX tab and select "Byte mode to track the real entry (very slow)", then click OK
- Reload the program (if the "Block code?" prompt appears, answer "No"; OD then runs straight to the OEP)
The sample program can be downloaded here: 6_sfx.zip
First, check all of the ignore-exception boxes under Options -> Debug Settings -> Exceptions tab.
Then switch to the SFX tab and select "Byte mode to track the real entry (very slow)".
Reload the program. It stops at the code entry point, so there is no need to search for the OEP by hand.