How to define an entry point

The entry point (Entry Point, EP) is the address of the instruction at which program execution begins. Finding the entry point is one of the first steps in analysing any program.

Instructions

1. It is necessary to distinguish between EP (Entry Point) and OEP (Original Entry Point). The term EP is used for a program that is not packed (or not protected by a protector). If the program is packed or protected, the Entry Point position is occupied by the first instruction of the packer, so the original entry point, the OEP, must be found instead.

2. The Entry Point of an unpacked program can be found in several ways. For example, use the PEiD program. Open it and click the button in the upper right part of the window to choose the program to study. As a test, open Notepad (notepad.exe), which is located in the directory C:\WINDOWS\system32. You will see the Entry Point address and other data.

3. Try to determine the Entry Point with the LordPE program. Open the program, click PE Editor, select the notepad.exe file and click Apprx. The Entry Point address will be shown in the first line.

4. Start the OllyDbg debugger and open the notepad.exe file in it. After the file is loaded, the debugger stops at the Entry Point by itself; the line with the entry point address is highlighted in gray.

5. Install the PE Explorer program. Start it and open notepad.exe (File – Open File). The entry point address is shown in the line "Address of Entry Point".

6. If the program is packed, it must be unpacked first. To identify the packer, use the PEiD program. Start it and open the packed program in it. The "EP Section" line will name the packer, for example UPX. This means that for unpacking you need UPX of that version or one of the numerous utilities that can unpack UPX-packed files. If no utility copes with the file, unpack it manually. The subtleties of manual UPX unpacking are described here: http://forum.antichat.ru/thread28212.html

7. If the program is protected by a protector, find out its version with the Protection ID program. Start it, click "Scan" and select the program you need. Click "Open". The program will report the type of protector or packer, provided that this protector or packer is in its signature database.
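The tools in steps 2 to 7 all read the same two things from the PE headers: the AddressOfEntryPoint field of the optional header and the section table that tells you which section (PEiD's "EP Section" line) the entry point falls into. The following script is an added example, not part of this article or of any of the tools it names; it parses those headers directly, converts the EP RVA to the virtual address and file offset the tools display, and gives a packed/unpacked hint from the EP section. The hint rules (a section named like UPX, or a section that is both writable and executable) and the two minimal PE images built in build_sample_pe are assumptions constructed for the demonstration; run it with a real file path to inspect notepad.exe or any other PE.

```python
import struct
import sys
from dataclasses import dataclass
from typing import List, Optional

# Section characteristic flags from the PE file format specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_pointer: int
    raw_size: int
    characteristics: int

    def contains_rva(self, rva: int) -> bool:
        # Use the larger of the two sizes: a UPX0-style section has raw size 0.
        span = max(self.virtual_size, self.raw_size)
        return self.virtual_address <= rva < self.virtual_address + span


@dataclass
class EntryPointInfo:
    entry_rva: int                      # AddressOfEntryPoint as stored in the header
    image_base: int
    entry_va: int                       # ImageBase + RVA, what PEiD/LordPE display
    entry_file_offset: Optional[int]    # where the first instruction bytes sit on disk
    section: Optional[Section]
    hint: str


def classify(section: Optional[Section]) -> str:
    """Heuristic reading of the EP section (assumed rules, not a tool's signature database)."""
    if section is None:
        return "entry point lies outside every section: header is corrupt or deliberately odd"
    if "upx" in section.name.lower():
        return "section named like UPX: EP is the unpacker stub, the OEP must be recovered after unpacking"
    if section.characteristics & IMAGE_SCN_MEM_WRITE and section.characteristics & IMAGE_SCN_MEM_EXECUTE:
        return "writable and executable section: typical of packer/protector stubs, EP is probably not the OEP"
    return "regular code section: EP is most likely the real entry point"


def find_entry_point(data: bytes) -> EntryPointInfo:
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    if magic == 0x10B:                                         # PE32: ImageBase is 4 bytes at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                       # PE32+: ImageBase is 8 bytes at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections: List[Section] = []
    table = opt + opt_size                                     # section table follows the optional header
    for i in range(nsections):
        off = table + 40 * i
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, rptr, rsize, chars))
    ep_section = next((s for s in sections if s.contains_rva(entry_rva)), None)
    file_off = None
    if ep_section is not None and entry_rva - ep_section.virtual_address < ep_section.raw_size:
        file_off = entry_rva - ep_section.virtual_address + ep_section.raw_pointer
    return EntryPointInfo(entry_rva, image_base, image_base + entry_rva, file_off, ep_section, classify(ep_section))


def build_sample_pe(entry_rva: int, specs) -> bytes:
    """Constructed input: a minimal, non-runnable PE32 header with the given sections."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, 96, 0x0102)
    opt = bytearray(96)                                         # PE32 optional header, no data directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, 0x00400000)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, va, vs, rp, rs, ch in specs)
    header = dos + b"PE\0\0" + coff + bytes(opt) + table
    return header + b"\0" * (0x1000 - len(header))


CODE_RX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
# (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData, Characteristics)
PLAIN_PE = build_sample_pe(0x1234, [
    (b".text", 0x1000, 0x800, 0x400, 0x800, CODE_RX),
    (b".data", 0x2000, 0x200, 0xC00, 0x200, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])
PACKED_PE = build_sample_pe(0x5010, [                           # UPX-style layout: EP in the stub section
    (b"UPX0", 0x1000, 0x4000, 0x400, 0x0, CODE_RX | IMAGE_SCN_MEM_WRITE),
    (b"UPX1", 0x5000, 0x1000, 0x400, 0x1000, CODE_RX | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else PACKED_PE
    info = find_entry_point(blob)
    sect = info.section.name if info.section else "?"
    print(f"EP RVA {info.entry_rva:#x}  VA {info.entry_va:#x}  section {sect}  -> {info.hint}")
```

For the constructed PLAIN_PE image the script reports VA 0x401234 in .text and a file offset of 0x634, which is the number LordPE and PE Explorer would show once ImageBase is added; for PACKED_PE it lands in UPX1 and flags that the OEP still has to be found, which is exactly the situation step 6 describes.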

Author: «MirrorInfo» Dream Team
