Dennis Elser at McAfee Labs wrote Entry Point Finder, a plugin for IDA Pro 4.7, to help find the original entry point for executables that were packed. Once the entry point is found, it’s easy to do a memory dump and unpack the executable while restoring the imports.
Unfortunately, IDA Pro made changes to their SDK for IDA Pro 4.9, which broke the short-lived plugin. However, while doing some reverse engineering recently, I thought I’d revive the plugin. It only required a few minor changes to the code. The plugin should now work for IDA Pro 4.9+, but I compiled it for IDA Pro 5.7.
Dennis Elser seems to have disappeared from the face of the Web in 2009. If anyone has a current Web site address for him, please let me know.
Below is the download, including the source and the compiled Windows 32-bit .plw file, which goes into the plugins folder inside your IDA Pro install folder. As with most unpacking methods, it works best for executables, and you shouldn’t expect much luck for DLLs.
One Reply to “Entry Point Finder – IDA Pro 4.9+ Plugin”
Thanks, I’m learning how to unpack and your post is really helpful!!