The entry point, or Entry Point, is the address at which the command from which the program starts execution is located. Finding the entry point is one of the first steps in researching any program.
Instructions
Step 1
A distinction should be made between EP (Entry Point) and OEP (Original Entry Point). The term EP is used in the case of an unpacked (or not protected by a protector) program. If the program is packed / protected, then the Entry Point is taken by the first command of the packer, so you need to find the original entry point - OEP.
Step 2
You can find the Entry Point, that is, the entry point in an unpacked program, in different ways. For example, use the Peid program. Open it, click the button for selecting the program under investigation in the upper right part of the window. To try, open Notepad (notepad.exe), it is located in the directory: C: WINDOWSsystem32. You will see the Entry Point address and other details.
Step 3
Try to determine the Entry Point using the LordPE program. Open the program, click the PE Editor button, select the notepad.exe file and click OK. The Entry Point will be listed on the first line.
Step 4
Launch Olly debugger and open notepad.exe in it. After opening the file, the debugger itself will stop at the Entry Point, the line with the entry point address will be highlighted in gray.
Step 5
Install PE Explorer. Run it, open notepad.exe in it (File - Open file). The entry point address will be listed in the "Address of Entry Point" line.
Step 6
If the program is packed, you must first unpack it. Use the Peid program to identify the packer. Run it, open the packed program in it. The "EP Section" line will contain a wrapper - for example, UPX. This means that to unpack you will need the UPX of this version or one of the many utilities that allow you to unpack packed UPX files. If none of the utilities can handle it, unpack the file manually. You can find out about the intricacies of manual UPX unpacking here:
Step 7
If the program is protected by a protector, find out its version using the Protection ID program. Run it, click the "Scan" button, select the program you need. Click the "Open" button. The program will give you information about the type of protector / packer - if these options for protectors and packers are in its database.
