EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
Educationunpackingoepesp-breakpoint

Unpacking with a Debugger

The Original Entry Point concept, the ESP hardware breakpoint technique for finding it, and the Scylla workflow for dumping and rebuilding the Import Address Table into an analysable PE.

Ashish Revar12 May 202618 min read3 views

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Listen

Spotting Forensic Gold in Malware Strings

Discover how malware analysts extract hidden intelligence from embedded strings — URLs, registry paths, API call sequences, and C2 artefacts that reveal attacker behaviour and seed your IOC list.

Reference material

eBook
REMA eBook 2026
v1.0
Open resource
Cheatsheet
REMA Cheatsheet 2026
v1.0
Open resource
MCQ Bank
REMA MCQ Bank 2026
v1.0
Open resource
Question Bank
REMA Question Bank 2026
v1.0
Open resource

External references

Scylla — IAT Reconstruction Plugin for x64dbg

Scylla is bundled with x64dbg. Access via Plugins menu. Essential for IAT reconstruction after manual unpacking.

tool
OpenRCE — Unpacking Tutorials Archive

Classic OpenRCE article on manual unpacking methodology. Covers ESP breakpoint technique with screenshots.

reference
REMA eBook 2026 — Chapter 5, Manual Unpacking

Full ESP breakpoint procedure and Scylla workflow in the REMA eBook Chapter 5.

ebook
More articlesTest your knowledge

The Goal: Reach the OEP

The unpacking stub must restore the original code in memory before transferring control to it. The point where control transfers from the stub to the original code is the Original Entry Point (OEP). The analyst''s goal is to reach the OEP, dump the process memory, and reconstruct the import table.

Packed file on disk → stub executes → decompresses payload in memory
                                                            ↓
                                               OEP reached → dump + fix IAT
                                                            ↓
                                               Analysable unpacked PE

The ESP Hardware Breakpoint Technique

Many common packers (UPX, ASPack, PECompact) begin with a PUSHAD instruction that saves all general-purpose registers to the stack. After the unpacking loop, a POPAD restores them. The transition from POPAD to the OEP jump is called the tail jump.

Why this works

PUSHAD writes all eight registers onto the stack in one operation, decrementing ESP by 32 bytes. After unpacking completes, POPAD reads those same bytes back. If we set a hardware breakpoint on the memory address where PUSHAD stored the values, the breakpoint fires exactly when POPAD accesses them — pausing execution just before the tail jump.

Execution flow:
  PUSHAD     → saves registers, ESP decrements 32 bytes
  [unpacking loop runs — decompresses payload]
  POPAD      → reads from ESP location → HARDWARE BREAKPOINT FIRES HERE
  JMP [OEP]  → tail jump to original code

Step-by-step procedure in x32dbg

1. Open packed sample in x32dbg
2. Run to entry point (F9 — stops at first instruction)
3. First instruction is PUSHAD — confirm this
4. Step over PUSHAD with F8
5. Note the current ESP value in the Registers panel
6. Right-click the ESP value in the Dump panel
   → Breakpoint → Hardware, Access → DWORD
7. Press F9 to run
8. Debugger pauses — POPAD is accessing the breakpoint address
9. Look at the next instruction after POPAD
   → There will be a JMP or RET to a distant address (the tail jump)
10. Step into the tail jump with F7
11. You are now at the OEP — the first instruction of the original code

Recognising the OEP

The OEP of a normally compiled Windows executable starts with the standard compiler prologue:

; MSVC-compiled EXE entry point (typical)
PUSH    EBP
MOV     EBP, ESP
SUB     ESP, some_value

; Or for a DLL:
PUSH    EBP
MOV     EBP, ESP
PUSH    ECX

If after the tail jump you see a function prologue pattern, you are at the correct OEP. If you see garbage bytes or a second jump, the packer has additional stages — repeat the process.

When PUSHAD/POPAD Is Not Used

Some packers do not use PUSHAD. Alternative breakpoint strategies:

StrategyWhen to Use
VirtualAlloc breakpointWhen the packer allocates memory for the unpacked code — break when allocation returns and set memory execute breakpoint on that region
VirtualProtect breakpointWhen the packer marks the unpacked region as executable — fires just before OEP transfer
Memory execute breakpoint on .text sectionSet on the first byte of the (currently empty) .text region — fires when the stub writes and then executes code there
Entropy-guided steppingRun until entropy in memory drops — indicates decompression complete

Dumping Memory with Scylla

Once paused at the OEP, the unpacked code exists in memory but the on-disk file is still packed. Scylla is the standard tool for creating an analysable PE:

Scylla workflow in x32dbg

1. While paused at OEP in x32dbg
2. Open Scylla: Plugins → Scylla
3. Verify OEP address is correct in the OEP field
4. Click [IAT Autosearch] → Scylla locates the import table
5. Click [Get Imports] → Scylla resolves all imported function names
6. Review the imports list — remove any invalid entries (right-click → delete)
7. Click [Dump] → saves process memory to disk as unpacked_sample.exe
8. Click [Fix Dump] → patches the IAT into the dumped file
9. Result: standalone unpacked PE ready for static analysis

Verifying the dump

# Open dumped file in Detect-It-Easy
die unpacked_sample.exe
# Should now show compiler (e.g., "MSVC (19.xx)") instead of packer name

# Check entropy
pestudio unpacked_sample.exe
# .text section entropy should be 5.0–6.5, not 7+

# Check imports
# IAT should now contain full import list, not just LoadLibraryA

Common Unpacking Failures and Fixes

ProblemCauseFix
Scylla IAT Autosearch finds nothingWrong OEP — still in stubStep further into the code; look for the function prologue pattern
Many invalid imports in ScyllaPartial unpack — some modules not yet loadedRun further after OEP until all imports resolve, then dump
Dumped file crashes immediatelyStolen bytes — first instructions at OEP are missingManually restore the stolen instructions (covered in Topic 6)
DIE still shows packer after dumpMulti-stage packer — a second packer wraps the firstRepeat the ESP breakpoint technique on the newly dumped file

Anti-Dump Defences

Advanced packers add defences specifically against memory dumping:

  • PE header erasure — zeros the first 0x1000 bytes after unpacking, destroying the DOS and PE headers
  • Guard pages — marks unpacked memory pages as guard pages; any read by a dumper triggers an exception
  • IAT destruction — corrupts the import table after resolution to prevent reconstruction

These advanced techniques are covered in Unit 6 (Self-Defending Malware).