You have a point about many of the tutorials out there.
People usually rely on tools, so when you get a tutorial wanting to learn...learn and learn some more you start reading stuff like "use this tool, no run that script..and congrats you made it!", which of course this is not my spirit.
In the end, that's alright if somebody uses a tool, but at least he should explain to the readers what the f*ck is going on.
When I will have the time I will add some stuff, and don't worry about bothering me because people like you, are the reason why I created this forum.
Inlining ACProtect v1.32
Re: Inlining ACProtect v1.32
I have Inlined Truth into Well-Packed lies. (Hack_ThE_PaRaDiSe)
-
- Posts: 1
- Joined: Fri Dec 16, 2011 2:34 pm
Re: Inlining ACProtect v1.32
Hi
Thanks for your useful article. I did benefit from it much.
I have one question that is how can I reach the oep of this progii
Pleas help
Regards.
Ahmedbaker
Thanks for your useful article. I did benefit from it much.
I have one question that is how can I reach the oep of this progii
Pleas help
Regards.
Ahmedbaker
Re: Inlining ACProtect v1.32
Hi Ahmed, I have written this article long time ago so I do not remember much about this case.
However, if I remember correctly ACProtect had stollen the oep and redirects with several jumps from its own code to the real instructions of the oep before the execution flow goes completely inside the real code of the prog.
My advice would be, if you have any previous experience with manual unpacking, to monitor the section (usually .text) where the code of the app is located, using mem bp on access, in order to get as close to the oep as possible and then check the stack in order to trace back gradually the real oep.
I am not sure if this would also work, but you can also try to reach the part where the packer starts jumping to the instructions of the real oep and set the oep there. If this is not inside a virtual allocated memory area, should work.
You will probably have to deal also with imports redirection. In this case use HW BPs on access on IAT's entries and locate where the redirection occurs. I think, patching one or two jumps was enough to avoid import redirections.
I hope this helped. Thanks for visiting.
H_T_P
However, if I remember correctly ACProtect had stollen the oep and redirects with several jumps from its own code to the real instructions of the oep before the execution flow goes completely inside the real code of the prog.
My advice would be, if you have any previous experience with manual unpacking, to monitor the section (usually .text) where the code of the app is located, using mem bp on access, in order to get as close to the oep as possible and then check the stack in order to trace back gradually the real oep.
I am not sure if this would also work, but you can also try to reach the part where the packer starts jumping to the instructions of the real oep and set the oep there. If this is not inside a virtual allocated memory area, should work.
You will probably have to deal also with imports redirection. In this case use HW BPs on access on IAT's entries and locate where the redirection occurs. I think, patching one or two jumps was enough to avoid import redirections.
I hope this helped. Thanks for visiting.
H_T_P
I have Inlined Truth into Well-Packed lies. (Hack_ThE_PaRaDiSe)