|
|
#21
03-01-2004, 14:13
|
|||
|
|||
|
you have to NOP quite a bit
all this must be nop-ed 00A5683D FF50 28 CALL DWORD PTR DS:[EAX+28] 00A56840 E8 4668A500 CALL 014AD08B 00A56845 0F58EB ADDPS XMM5,XMM3 00A56848 019A C1D8C5F2 ADD DWORD PTR DS:[EDX+F2C5D8C1],EBX so it becomes: 00A56824 F3: PREFIX REP: ; Superfluous prefix 00A56825 334424 38 XOR EAX,DWORD PTR SS:[ESP+38] 00A56829 3E:EB 01 JMP SHORT 00A5682D ; Superfluous prefix 00A5682C 6981 D0CE9277 8A>IMUL EAX,DWORD PTR DS:[ECX+7792CED0],1EB> 00A56836 6968 0B D04A0158 IMUL EBP,DWORD PTR DS:[EAX+B],58014AD0 00A5683D 90 NOP 00A5683E 90 NOP 00A5683F 90 NOP 00A56840 90 NOP 00A56841 90 NOP 00A56842 90 NOP 00A56843 90 NOP 00A56844 90 NOP 00A56845 90 NOP 00A56846 90 NOP 00A56847 90 NOP 00A56848 90 NOP 00A56849 90 NOP 00A5684A 90 NOP 00A5684B 90 NOP 00A5684C 90 NOP 00A5684D 90 NOP 00A5684E EB 01 JMP SHORT 00A56851 00A56850 F2: PREFIX REPNE: ; Superfluous prefix then continue the process, eventually you will find 00A565C5 55 PUSH EBP ; start of stolen bytes 00A565C6 EB 01 JMP SHORT 00A565C9 00A565C8 E8 8F442400 CALL 00C9AA5C 00A565CD 8BEC MOV EBP,ESP 00A565CF 81EC 0C000000 SUB ESP,0C 
|
|
|
Similar Threads
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| little question about manually unpacking | MaRKuS-DJM | General Discussion | 3 | 11-13-2003 00:43 |
Threaded Mode