Exetools  

  #3  
Old 11-24-2004, 20:05
ivanov

Quote:
Originally Posted by el-kiwi
your program is protected with some kind of exe stealth and Neolite 2.0, here is your OEP:

click on dump section, Ctrl+G, and in the expression to follow box select 12FFC0, you are here:

0012FFC0 27 78 59 00

now highlight these four values and right click, select breakpoint hardware, on access----> Dword

now shift+F9 once and you land here:


00591DDF .-E9 C8F6F4FF JMP CATCount.004E14AC-----> execute this jump and you are at OEP

004E14AC 55 PUSH EBP
.
Here I have to [F8] 00591C90 first, then ESP: 0012FFA0. After [Ctrl+F9], I am at: 00591DDF.

Result: GREATTT! Thanks el-kiwi. ImpRec found all Imports and the file runs normally.

You said it was packed by 2 packers. Is that why Olly breaks 2 times at the same EP of SFX before OEP?

Just one question: why do I have to re-normalize Exports in W98 to have a good dumped file, while it is not needed on XP, where it runs OK?