 Welcome to BiW Reversing
Alex Protector v1.0 beta2 - manually unpacking
Authored by: haggar on Sunday, October 16 2005 @ 02:51 PM CEST
First you need to run "AlexProt I.txt", which will fix the obfuscation in the first block. You must enter the correct block address as input.

Then you need to run the second script, which will create a new IAT. BUT, you need to change something in the script so that it can find the IAT in your case! The script has these two lines inside:

findop code,#ff25????3a00#

This is searching for these opcodes:

00401084 -FF25 84073A00 JMP DWORD PTR DS:[3A0784]

Do you see these hex bytes FF25 84073A00? That is equal to the search signature #ff25????3a00#. In your case it will probably be different, so you need to change it a little. ????3a00 is the base address of the block where the IAT is placed on my computer = 3a0000. If this block is at 5D0000 on your computer, for example, then you need to change the search signatures to #ff25????5D00#. You got it? Then try. It would be good for you to read the readme.txt that comes with the OllyScript plugin and learn how to write scripts. It is very easy and simple.

Btw, I was really silly with the OEP search. There is a much easier way. You know that stolen code block and that last jump to the false OEP, JMP packed.004079DE. Since you know where the false OEP is, you can just load the target in Olly, go to that false OEP in the CPU window, where there will be only zeroes, place a hardware bp on execution there and just run the target. You will break at the false OEP.

Good luck.
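
Added example, not part of the post above or of the scripts it mentions: a Python sketch of why the signature depends on the block address. `FF 25` is followed by a little-endian 32-bit address, so the `????` wildcard covers the low word and the fixed bytes are the high word of the IAT block. The function names and the `SAMPLE` bytes are constructed for illustration; only the first jump is taken from the post.

```python
import re

def high_word(block_base: int) -> bytes:
    """High 16 bits of a 32-bit address, in the order they appear in memory."""
    if not 0 <= block_base <= 0xFFFFFFFF:
        raise ValueError("expected a 32-bit address")
    return (block_base >> 16).to_bytes(2, "little")   # 0x003A -> 3A 00

def findop_signature(block_base: int) -> str:
    """Signature in the post's notation for JMP DWORD PTR DS:[block + xxxx]."""
    return "#ff25????" + high_word(block_base).hex() + "#"

def find_iat_jumps(code: bytes, code_va: int, block_base: int):
    """Return (jmp_va, iat_slot) for each FF 25 imm32 whose imm32 has the
    same high word as block_base. This is a raw byte scan, not a
    disassembly, so a hit inside other data is possible."""
    high = high_word(block_base)
    # Lookahead so that overlapping candidates are not skipped.
    pattern = re.compile(rb"(?=\xff\x25(..)" + re.escape(high) + rb")", re.DOTALL)
    hits = []
    for m in pattern.finditer(code):
        slot = int.from_bytes(m.group(1) + high, "little")
        hits.append((code_va + m.start(), slot))
    return hits

# Constructed sample laid out as if loaded at VA 0x401080.
SAMPLE = (
    b"\x90\x90\x90\x90"            # padding
    b"\xff\x25\x84\x07\x3a\x00"    # 00401084 JMP DWORD PTR DS:[3A0784] (from the post)
    b"\xff\x25\x88\x07\x3a\x00"    # constructed second thunk in the same block
    b"\xff\x25\x00\x10\x40\x00"    # constructed jump into a different block
)

if __name__ == "__main__":
    for base in (0x3A0000, 0x5D0000):
        print(hex(base), findop_signature(base))
        for va, slot in find_iat_jumps(SAMPLE, 0x401080, base):
            print(f"  {va:08X}  JMP DWORD PTR DS:[{slot:X}]")
```

The wildcard only spans 64 KiB, so a block larger than that would need one signature per high word.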

