December 9, 2008

Ok so I thought this was the OEP.

66003575 FF15 98100066 CALL DWORD PTR DS:[66001098] ; ntdll.RtlLeaveCriticalSection
6600357B C3 RETN
6600357C 55 PUSH EBP ; unpakme.00405013 - OEP
6600357D 8BEC MOV EBP,ESP
6600357F 6A FF PUSH -1

When I dump the file I get an error when opening it. Am I missing something?

December 9, 2008

Ok well I've unpacked it. I sort of cheated and had a look at pavka's unpacked .exe. I don't understand why the starting address has to be placed there.

Also how do we remove extra sections that aren't needed to minimise the file size?

http://rapidshare.com/files/171648398/dump.rar

December 9, 2008

When you reach the moleboxed OEP (ESP trick and go inside call eax), run the program and search for intermodular calls. You'll see one call:

msvbvm60.ThunRTMain <==== It's always placed before the OEP in VB programs

The OEP is this:

00401128 68 4C1B4000 PUSH 00401B4C ; ASCII "VB5!6&vb6chs.dll"
0040112D E8 F0FFFFFF CALL 00401122 ; JMP to msvbvm60.ThunRTMain

Fixing the IAT is easy.... To remove the extra sections I have used DIE because it scans the sections... example (section a: code, section b: imports, section c: resource, section d: none... maybe it is an "extra section"....). Then you can wipe those sections and rebuild the exe with LordPe.

Regards
NoScONf

Edited December 10, 2008 by nosconf
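
The PUSH/CALL entry stub quoted in the post above can be located automatically in a dump; this is an added example, not part of the original thread. It assumes a flat memory dump (file offset equals RVA) and that the ThunRTMain thunk is the 6-byte `FF 25` indirect jump; the function names and the sample image are constructed for illustration.

```python
import struct

VB_MAGIC = b"VB5!"  # signature at the start of the VB header pushed at the OEP

def find_vb6_oep(image: bytes, image_base: int) -> list[int]:
    """Return virtual addresses of PUSH <VB header> / CALL <import thunk> stubs.

    `image` is treated as a flat memory dump (offset == RVA); that is an
    assumption of this example, not something the post states.
    """
    hits = []
    pos = image.find(b"\x68")                       # 68 = PUSH imm32
    while pos != -1 and pos + 10 <= len(image):
        if image[pos + 5] == 0xE8:                  # E8 = CALL rel32
            header_va, = struct.unpack_from("<I", image, pos + 1)
            rel32, = struct.unpack_from("<i", image, pos + 6)
            header_off = header_va - image_base
            target_off = pos + 10 + rel32           # relative to the next instruction
            if (0 <= header_off <= len(image) - 4
                    and image[header_off:header_off + 4] == VB_MAGIC
                    and 0 <= target_off <= len(image) - 6
                    and image[target_off:target_off + 2] == b"\xFF\x25"):  # JMP [IAT slot]
                hits.append(image_base + pos)
        pos = image.find(b"\x68", pos + 1)
    return hits

def build_sample() -> tuple[bytes, int]:
    """Constructed dump reproducing the bytes and addresses quoted in the post."""
    base = 0x400000
    img = bytearray(0x2000)
    img[0x1122:0x1128] = bytes.fromhex("FF2500104000")          # thunk; IAT slot address is made up
    img[0x1128:0x1132] = bytes.fromhex("684C1B4000E8F0FFFFFF")  # PUSH 00401B4C / CALL 00401122
    img[0x1B4C:0x1B50] = VB_MAGIC
    img[0x1500:0x150A] = bytes.fromhex("6800184000E8F0FFFFFF")  # decoy: pushed pointer is not a VB header
    return bytes(img), base

if __name__ == "__main__":
    image, base = build_sample()
    for va in find_vb6_oep(image, base):
        print(f"candidate OEP: {va:08X}")
```
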