Many tricks can be devised to unpack malware. This trick applies to malware that overwrites its own image header while unpacking.
This sample is packed with Armadillo. Let's check the PE header of the packed file. You can use tools like CFF Explorer, Hiew and many others.
Fig: PE header, entry point 0x1D16
Now load the file in Ollydbg.
Place a breakpoint on ExitProcess().
Press F9 to execute. Allow the sample to run until it hits ExitProcess so that it unpacks. You can check the memory strings in Process Explorer to see
whether the sample has unpacked: you will see a difference compared with the static strings.
Fig: memory strings in Process Explorer
Now dump the header from memory. I have used Process Hacker for the purpose. Other tools can also be used.
Fig: Process Hacker, dump header from memory
Now look at the entry point in the dumped header.
Fig: dumped header EP 0x4C00
The image base of the process when loaded in Olly is 0x400000.
Restart OllyDbg and set a hardware breakpoint on execute at 0x404C00 (image base + RVA of the entry point in the unpacked header: 0x400000 + 0x4C00).
Fig: OllyDbg, set hardware breakpoint on the expected OEP
Now press F9 to execute.
Bam! You land on the actual OEP. You can see meaningful code at that point.
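The address arithmetic above, as an added Python example that is not code from the original post: it parses AddressOfEntryPoint and ImageBase out of a raw PE header (PE32, and PE32+ as a generalisation), compares the on-disk header with the dumped in-memory header, and returns the address to put the hardware breakpoint on. The helper names build_header, parse_entry_point and oep_breakpoint are mine, and the two headers are constructed inline with the values from this post.

```python
import struct
from typing import Optional

def parse_entry_point(header: bytes) -> dict:
    """Return image base, entry-point RVA and entry-point VA from a raw PE header."""
    if header[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", header, 0x3C)[0]
    if header[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_OPTIONAL_HEADER follows the 4-byte signature and 20-byte IMAGE_FILE_HEADER
    opt = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", header, opt)[0]
    # AddressOfEntryPoint sits at offset 16 in both PE32 and PE32+ optional headers
    entry_rva = struct.unpack_from("<I", header, opt + 16)[0]
    if magic == 0x10B:    # PE32: ImageBase is a DWORD at offset 28
        image_base = struct.unpack_from("<I", header, opt + 28)[0]
    elif magic == 0x20B:  # PE32+: ImageBase is a QWORD at offset 24
        image_base = struct.unpack_from("<Q", header, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return {"image_base": image_base, "entry_rva": entry_rva,
            "entry_va": image_base + entry_rva}

def oep_breakpoint(packed_header: bytes, dumped_header: bytes) -> Optional[int]:
    """VA for the hardware breakpoint, or None if the unpacker left the header alone."""
    on_disk = parse_entry_point(packed_header)
    in_mem = parse_entry_point(dumped_header)
    if in_mem["entry_rva"] == on_disk["entry_rva"]:
        return None  # header not overwritten: this trick does not apply
    return in_mem["entry_va"]

def build_header(entry_rva: int, image_base: int = 0x400000) -> bytes:
    """Constructed minimal PE32 header (DOS header + NT headers), just enough to parse."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: NT headers right after DOS header
    # Machine=i386, 1 section, SizeOfOptionalHeader=0xE0, Characteristics=EXECUTABLE|32BIT
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)     # ImageBase
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)

# Constructed samples using the values seen in the post (0x1D16 packed, 0x4C00 dumped)
PACKED_HEADER = build_header(0x1D16)
DUMPED_HEADER = build_header(0x4C00)

if __name__ == "__main__":
    print(f"hardware breakpoint at {oep_breakpoint(PACKED_HEADER, DUMPED_HEADER):#x}")
```

Feed the real dump from Process Hacker into parse_entry_point in place of the constructed bytes; on a 32-bit process the VA it reports is the one to type into OllyDbg.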