I want to analyze a file in OllyDbg; however, the "address of entry point" in this file is 0x0000. So it will run the MZ signature as the beginning part of the ASM code.
Most debuggers are also unable to debug it directly.
How could I find the original entry point to modify the header?
If AddressOfEntryPoint in the EXE is set to 0, the EXE has no such entry point. In this case, in order not to crash, the EXE must have TLS callbacks: look for IMAGE_TLS_DIRECTORY (IMAGE_DIRECTORY_ENTRY_TLS), and AddressOfCallBacks must not be 0. So this is the real entry point(s) of this EXE. There is no other option, otherwise the EXE will crash.
Most debuggers are also unable to debug it directly.
This happens if the debugger sets a breakpoint on the entry point. In this case the "entrypoint" will be on MZ, and when the debugger sets a breakpoint (0xcc opcode) there, it damages the MZ signature. As a result, there was an exception in process initialization (user32.UserClientDllInitialize -> ntdll.CsrClientConnectToServer -> RtlImageNtHeaderEx (error because MZ is damaged by the breakpoint)).
But if the debugger has not set a breakpoint on the entry point, there is no problem in debugging.
So the solution is to look for IMAGE_DIRECTORY_ENTRY_TLS.AddressOfCallBacks or set a breakpoint on LdrpCallTlsInitializers.
Really, this was a CLR (.NET) image. In this image type the entry point is formal and not used after XP. The system ignores it and calls _CorExeMain in mscoree.dll as the entry point.
But if you try to debug this with a debugger which automatically sets a breakpoint on the entry point (as the debugger sees it), the MZ (IMAGE_DOS_HEADER) is damaged. As a result RtlImageNtHeader[Ex] returns 0 (error) for the EXE and the application crashes (under this debugger).
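An added example, not part of the answer above: a static header check that reports AddressOfEntryPoint, the callbacks listed under IMAGE_DIRECTORY_ENTRY_TLS.AddressOfCallBacks, and whether the CLR data directory (index 14) is present, so you know where to break before loading the file in a debugger. The names `u`, `start_points` and `constructed_sample` are hypothetical, and the sample bytes are constructed for illustration.

```python
import struct

TLS_DIR, CLR_DIR = 9, 14  # IMAGE_DIRECTORY_ENTRY_TLS, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

def u(fmt, buf, pos):
    return struct.unpack_from(fmt, buf, pos)[0]

def start_points(pe):
    """Header entry point, TLS callback RVAs and CLR flag of a PE file (hypothetical helper)."""
    nt = u("<I", pe, 0x3C)                                 # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = nt + 24                                          # IMAGE_OPTIONAL_HEADER
    pe64 = u("<H", pe, opt) == 0x20B                       # PE32+ magic
    ptr, psz = ("<Q", 8) if pe64 else ("<I", 4)
    base = u(ptr, pe, opt + (24 if pe64 else 28))          # ImageBase
    ndirs = u("<I", pe, opt + (108 if pe64 else 92))       # NumberOfRvaAndSizes
    sec0 = opt + u("<H", pe, nt + 20)                      # opt + SizeOfOptionalHeader
    secs = [struct.unpack_from("<4I", pe, sec0 + 40 * i + 8) for i in range(u("<H", pe, nt + 6))]
    def off(rva):                                          # RVA -> file offset
        for vsize, va, rawsz, raw in secs:
            if va <= rva < va + max(vsize, rawsz):
                return raw + rva - va
        raise ValueError("RVA outside every section")
    def directory(i):                                      # RVA stored in data directory i
        return u("<I", pe, opt + (112 if pe64 else 96) + 8 * i) if i < ndirs else 0
    callbacks = []
    if directory(TLS_DIR):
        # AddressOfCallBacks is the 4th pointer-sized field and holds a VA, not an RVA
        arr = u(ptr, pe, off(directory(TLS_DIR)) + 3 * psz)
        pos = off(arr - base) if arr else None
        while pos is not None and u(ptr, pe, pos):         # array ends with a NULL pointer
            callbacks.append(u(ptr, pe, pos) - base)
            pos += psz
    return {"entry_rva": u("<I", pe, opt + 16), "tls_callbacks": callbacks,
            "clr": bool(directory(CLR_DIR))}

def constructed_sample():
    """Constructed PE32 stub: AddressOfEntryPoint 0, one TLS callback at RVA 0x1040."""
    img, opt = bytearray(0x400), 0x58
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    for fmt, pos, *vals in [
        ("<I", 0x3C, 0x40), ("<H", 0x46, 1), ("<H", 0x54, 0xE0),   # e_lfanew, sections, opt size
        ("<H", opt, 0x10B), ("<I", opt + 28, 0x400000), ("<I", opt + 92, 16),
        ("<I", opt + 96 + 8 * TLS_DIR, 0x1000),                    # TLS directory RVA
        ("<4I", opt + 0xE0 + 8, 0x200, 0x1000, 0x200, 0x200),      # one section, RVA 0x1000
        ("<I", 0x20C, 0x401020), ("<I", 0x220, 0x401040)]:         # AddressOfCallBacks, callback
        struct.pack_into(fmt, img, pos, *vals)
    return bytes(img)
```

Calling `start_points(constructed_sample())` reports an entry RVA of 0 with one TLS callback at RVA 0x1040. For a real file, pass the bytes read from disk; a .NET image shows `clr` as true.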