Alex Protector v1.0 beta2 - manually unpacking | 8 comments
Alex Protector v1.0 beta2 - manually unpacking
Authored by: haggar on Saturday, October 15 2005 @ 07:51 PM CEST
It can be done without a hw bp; I checked it now.

- You placed a bp at the end of VirtualAlloc, on the last RETN 10, and you break there, right? So keep the bp there and keep pressing Shift+F9 until EAX holds the value that is the address of the block where the stolen code is. Did you do it? Write down that value, for example X.

- Now keep pressing Shift+F9 until EAX changes that value to some Y. I pressed Shift+F9 5 times; maybe it will not be the same for you.

- Then follow that X value in the dump and place a memory bp on access on the first byte. Now press Shift+F9 once and you should break here:

00411316 A4 MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]

Press Shift+F9 a second time and you should break a little below:

00411386 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>

Press a third time and you should break in your stolen-code block:

003B0000 C7C7 72AFB4DF MOV EDI,DFB4AF72

- If you fail doing this, then please post all the addresses that you saw in EAX while you were breaking in VirtualAlloc.

Good luck.
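The manual sequence above (break on VirtualAlloc's return, note the block address X, wait for EAX to change to Y, then catch the copy loop and the jump into the block with a memory breakpoint on access) can be replayed as an OllyDbg script. The script below is an added example, not part of haggar's comment or of Alex Protector; it assumes OllyDbg 1.10 with the ODbgScript plugin, and it assumes you already know X from one manual pass (the post's own value is used as a placeholder and must be replaced with whatever your run shows). Everything it stops on is written to the log so the run can be compared with the three addresses quoted in the post.

```ollyscript
// Added example (not from the original post): automate the three steps above.
// Assumptions: OllyDbg 1.10 + ODbgScript; X is known from a first manual pass.
var va_entry            // entry of kernel32!VirtualAlloc
var x_block             // X: VirtualAlloc result that receives the stolen code
var y_block             // Y: first different VirtualAlloc result after X
var n                   // number of allocations between X and Y

mov x_block, 003B0000   // placeholder taken from the post's run; set your own X

// Break at the entry of VirtualAlloc, then run to its RETN so EAX holds the block.
gpa "VirtualAlloc", "kernel32.dll"
mov va_entry, $RESULT
bp va_entry

// Step 1: Shift+F9 (esto) until EAX at the return equals X.
find_x:
esto                    // run, passing exceptions to the packer, as Shift+F9 does
rtr                     // execute till return: stop on the RETN, EAX = new block
log eax                 // keep every returned address, as the post asks for
cmp eax, x_block
jne find_x

// Step 2: keep going until EAX changes to some other block Y (5 presses in the post).
mov n, 0
find_y:
esto
rtr
inc n
log eax
cmp eax, x_block
je find_y
mov y_block, eax
log n                   // how many allocations it took here, for comparison

// Step 3: memory breakpoint on access on the first byte of X. The copy loop
// (MOVS, then REP MOVS) trips it twice; the third stop should be EIP == X.
bc va_entry
bpm x_block, R          // OllyDbg's "Memory, on access"
esto
log eip                 // expect the MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
esto
log eip                 // expect the REP MOVS a little below it
esto
log eip                 // expect the first instruction of the stolen-code block
bpmc
cmp eip, x_block
jne not_yet
msg "EIP is inside the stolen-code block (X); dump it from here."
ret
not_yet:
msg "Third stop is not at X; compare the logged addresses with the post."
ret
```

Run the script from a fresh load of the target so the VirtualAlloc sequence matches; if the stolen-code block is copied in more than two pieces, the third `esto` will land on another MOVS instead of on X, which the final comparison reports rather than silently treating as success.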
 Copyright © 2021 BiW Reversing