Lik*_*kak 2 portable-executable ollydbg
I want to analyze a file in OllyDbg, but the file's "AddressOfEntryPoint" is 0x0000, so it runs the MZ signature as the beginning of the ASM code.
Most debuggers are also unable to debug it directly.
How can I find the original entry point of the modified header?
If AddressOfEntryPoint in the EXE is set to 0, the EXE has no entry point. In this case, for the EXE not to crash, it must have TLS callbacks: look for IMAGE_TLS_DIRECTORY (IMAGE_DIRECTORY_ENTRY_TLS), and AddressOfCallBacks must not be 0. So these are the real entry point(s) of this EXE; there is no other option, otherwise the EXE would crash.
Most debuggers are also unable to debug it directly.
This happens if the debugger sets a breakpoint on the entry point. In this case the "entry point" will be on MZ, and when the debugger sets the breakpoint (0xCC opcode) there, it damages the MZ signature. As a result, there is an exception during process initialization (user32.UserClientDllInitialize -> ntdll.CsrClientConnectToServer -> RtlImageNtHeaderEx, which fails because MZ was damaged by the breakpoint).
But if the debugger does not set a breakpoint on the entry point, there is no problem debugging it.
So the solution is to look for IMAGE_DIRECTORY_ENTRY_TLS.AddressOfCallBacks, or to set a breakpoint on LdrpCallTlsInitializers.
This is actually a CLR (.NET) image. In this image type the entry point is a formality and is no longer used after XP: the system ignores it and calls _CorExeMain in mscoree.dll as the entry point.
But if you try to debug it with a debugger that automatically sets a breakpoint on the entry point (the debugger's idea), MZ (IMAGE_DOS_HEADER) gets corrupted. As a result, RtlImageNtHeader[Ex] returns 0 (error) and the EXE application crashes (under this debugger).
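The checks the answer describes (AddressOfEntryPoint, the TLS directory's AddressOfCallBacks array, and the CLR/COM-descriptor slot) can all be done statically, so no breakpoint ever lands on the MZ bytes. The following is an added example written for this page, not the answerer's code: it assumes a PE32 image (what OllyDbg loads) and runs on a constructed in-memory sample (build_sample, not a real binary) that has entry point 0 and two TLS callbacks.

```python
import struct

IMAGE_DIRECTORY_ENTRY_TLS = 9              # data-directory slots from winnt.h
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # non-zero => CLR (.NET) image

def rva_to_offset(rva, sections):
    """Map an RVA to a file offset through the section table."""
    for va, vsize, raw, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def triage_entry(pe):
    """Where does a PE32 start executing? Returns entry RVA, TLS callback VAs and a CLR flag."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    opt = e_lfanew + 24                       # IMAGE_OPTIONAL_HEADER32 follows the file header
    magic, entry, image_base = struct.unpack_from("<H14xI8xI", pe, opt)
    assert magic == 0x10B, "only PE32 is handled here"
    datadir = opt + 96                        # 16 IMAGE_DATA_DIRECTORY entries of 8 bytes
    sections = []
    for i in range(nsections):                # +8 skips the section name
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", pe, opt + opt_size + i * 40 + 8)
        sections.append((va, vsize, raw, rawsize))
    tls_rva = struct.unpack_from("<I", pe, datadir + IMAGE_DIRECTORY_ENTRY_TLS * 8)[0]
    clr_rva = struct.unpack_from("<I", pe, datadir + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8)[0]
    callbacks = []
    if tls_rva:
        # IMAGE_TLS_DIRECTORY32 fields are VAs; AddressOfCallBacks is the 4th (offset 12)
        cb_va = struct.unpack_from("<I", pe, rva_to_offset(tls_rva, sections) + 12)[0]
        off = rva_to_offset(cb_va - image_base, sections) if cb_va else None
        while off is not None and struct.unpack_from("<I", pe, off)[0]:   # NULL-terminated array
            callbacks.append(struct.unpack_from("<I", pe, off)[0])
            off += 4
    return {"entry_point": entry, "tls_callbacks": callbacks, "is_clr": clr_rva != 0}

def build_sample():
    """Constructed PE32 (not a real binary): AddressOfEntryPoint 0, one section, two TLS callbacks."""
    base = 0x400000
    dirs = bytearray(128)
    struct.pack_into("<II", dirs, IMAGE_DIRECTORY_ENTRY_TLS * 8, 0x1000, 24)
    opt = struct.pack("<H14xI8xI", 0x10B, 0, base).ljust(96, b"\0") + bytes(dirs)
    hdr = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0"
           + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102) + opt
           + b".tls".ljust(8, b"\0") + struct.pack("<IIII", 0x100, 0x1000, 0x200, 0x200).ljust(32, b"\0"))
    tls = struct.pack("<IIIIII", 0, 0, 0, base + 0x1020, 0, 0).ljust(0x20, b"\0")
    return hdr.ljust(0x200, b"\0") + tls + struct.pack("<III", base + 0x1100, base + 0x1200, 0)
```

For a real file, pass `open(path, "rb").read()` to `triage_entry`; an empty callback list together with a zero entry point and a zero CLR slot means the image cannot start cleanly at all.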