[exelist] Re: new ASPack
Such "new" Aspack has some tricks that make unpacking "a little" different
(not harder).
In any case, the last step (assembly instruction) of the loader is always
at <Loader_RVA + 8F>. Put a breakpoint on it (the loader is usually the
.adata object) and read the EAX register. That value will be the original
EntryPoint.
Use Procdump in order to Full Dump the running process (set Options to
"Rebuild New Import Table"). Then use any hex editor (or better, the
built-in ProcDump Pe Editor) to change the Entry_Point_Rva.
btw...the Ieye file original EntryPointRva is 22960h ;)
Note: The number of instructions preceding the jump to the loader is
different each time you pack an exe file with AsPack. Is it possible
to write a PD script that takes this into account?
At 08:43 29/04/99 -0000, you wrote:
>can someone tell how to unpack it?
>I tried, i failed...
>
>ProcDump 1.4 failed
>trw 0.68 failed
>
>( the proggie was at http://www.fmjsoft.com/zip/ieye40.zip, 156k )
>
>can someone help?
Rafael R. Homem d'El-Rey
Programador Assembly
Symbios Technology
------------------
delrey@...
------------------------------------------------------------------------
eGroup home: http://www.eGroups.com/group/exelist
http://www.eGroups.com - Simplifying group communications
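
The header bookkeeping from the reply above, as an added example that is not part of the original message: it computes the breakpoint RVA as the loader section's RVA plus 8Fh and rewrites AddressOfEntryPoint in a dumped image. Treating Loader_RVA as the virtual address of the .adata section, the function names, and the header-only image built by make_sample() are assumptions made for illustration.

```python
import struct

def pe_offset(img):
    """Offset of the PE signature, after checking both magic values."""
    if img[:2] != b"MZ":
        raise ValueError("missing MZ header")
    off, = struct.unpack_from("<I", img, 0x3C)
    if img[off:off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return off

def sections(img):
    """Map section name -> (VirtualAddress, VirtualSize)."""
    pe = pe_offset(img)
    count, = struct.unpack_from("<H", img, pe + 6)
    opt_size, = struct.unpack_from("<H", img, pe + 20)
    out = {}
    for i in range(count):
        ent = pe + 24 + opt_size + 40 * i
        name = img[ent:ent + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", img, ent + 8)
        out[name] = (vaddr, vsize)
    return out

def entry_point(img):
    # AddressOfEntryPoint sits 16 bytes into the optional header (PE + 24 + 16).
    return struct.unpack_from("<I", img, pe_offset(img) + 40)[0]

def loader_breakpoint_rva(img, loader=".adata", delta=0x8F):
    # Assumption: Loader_RVA is the RVA of the loader section.
    return sections(img)[loader][0] + delta

def set_entry_point(img, oep_rva):
    """Return a copy of the dump with AddressOfEntryPoint set to oep_rva."""
    if not any(va <= oep_rva < va + vs for va, vs in sections(img).values()):
        raise ValueError("OEP %#x is outside every section" % oep_rva)
    out = bytearray(img)
    struct.pack_into("<I", out, pe_offset(img) + 40, oep_rva)
    return bytes(out)

def make_sample():
    """Constructed PE32 headers only: .text plus an .adata loader section."""
    def sec(name, va, vs):
        return name.ljust(8, b"\0") + struct.pack("<II", vs, va) + bytes(24)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, 0x30001)     # constructed packed entry point
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x10F)
    return (b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + coff
            + bytes(opt) + sec(b".text", 0x1000, 0x2F000)
            + sec(b".adata", 0x30000, 0x1000))
```

The range check in set_entry_point rejects a value read from the wrong register or at the wrong breakpoint before it is written into the header.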