Memory Mirroring Method
The memory mirroring method is to enter the virtual memory section of the program by the ALT's ALT+M shortcut when the packer is loaded. Then, by adding two memory one-time breakpoints, the correct OEP position of the program is reached.
The principle of the memory mirroring method is that for the program resource segment and the code segment under the breakpoint, when the general program self-extracting or self-decrypting, the resource segment is first accessed to obtain the required resources, and then after the automatic shelling is completed, the program code segment is transferred back. At this time, the memory will be disconnected once, and the program will stop at OEP.
要点¶
- Select 'Options -> Debug Options -> Exceptions from the menu.
- Check all ignore exceptions
- Press
ALT+Mto open the memory image, find the first.rsrcof the program, press F2 to break the point, then pressSHIFT+F9to run to the breakpoint. - Press
ALT+Magain to open the memory image. Find the.texton the first.rsrcof the program (in the example,00401000), press F2 to break the point. Then pressSHIFT+F9(or press F9 without exception)
example¶
The sample program can be downloaded here: 4_memory.zip
OD loader, check all ignore exceptions in the menu item 'Options -> Debug Settings -> Exceptions tab>.
Press Alt+M to open the memory image and find the resource segment, which is `srcrc of address=00407000, size=00005000, select F2 to break
Go back to the CPU window, press F9 to run, the program is broken at 0040D75F
Press Alt+M again to open the memory image and break the .text code snippet.
Continue to run, the program is broken at 004010CC, which is OEP
本页面的全部内容在 CC BY-NC-SA 4.0 协议之条款下提供,附加条款亦可能应用。