
If we double-click byte_411659, we go to that address, as shown below. When the breakpoint is hit, we can check the memory it points to next, because the address of the unpacked code is assigned at runtime; we can assume that address is the new original entry point. We can set the breakpoint just before the call to unk_411659 (or ptr byte_411659) and run the application in debug mode. We can also use the flow chart from IDA to identify where the code execution will stop.

We can assume that this could be the original application entry point. If you are using IDA, it will tell you that the application will jump to something that does not exist, because the code at that memory address has not been identified yet. This error occurs because the process that we dumped from memory has the wrong original entry point (OEP). This is normal for a packed PE. If you try to run the PE dumped from memory, you will find that it cannot run properly: the process exits right after it starts.
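As an added example (not code from the original tutorial), the Python helper below reads `AddressOfEntryPoint` from a dumped PE's optional header and rewrites it to the OEP candidate found in the debugger. The header bytes are constructed, the function names are hypothetical, and the image base 0x400000 is an assumption that makes 0x411659 (the address behind byte_411659 above) map to RVA 0x11659.

```python
import struct

def _opt_offset(pe: bytes) -> int:
    """Return the file offset of IMAGE_OPTIONAL_HEADER after checking signatures."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20          # PE signature + IMAGE_FILE_HEADER

def read_entry_point(pe: bytes):
    """Return (ImageBase, AddressOfEntryPoint RVA, SizeOfImage)."""
    opt = _opt_offset(pe)
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                # PE32: 4-byte ImageBase at +28
        base = struct.unpack_from("<I", pe, opt + 28)[0]
    elif magic == 0x20B:              # PE32+: 8-byte ImageBase at +24
        base = struct.unpack_from("<Q", pe, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic")
    ep_rva, = struct.unpack_from("<I", pe, opt + 16)
    size, = struct.unpack_from("<I", pe, opt + 56)
    return base, ep_rva, size

def set_entry_point(pe: bytes, oep_va: int) -> bytes:
    """Return a copy of the dump whose entry point is the given virtual address."""
    base, _, size = read_entry_point(pe)
    rva = oep_va - base
    if not 0 < rva < size:            # the OEP must lie inside the mapped image
        raise ValueError("OEP outside image")
    out = bytearray(pe)
    struct.pack_into("<I", out, _opt_offset(pe) + 16, rva)
    return bytes(out)

def make_sample_dump() -> bytes:
    """Constructed PE32 headers only, with a stale entry point as in a raw dump."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, 0x1F000)     # stale entry point (constructed)
    struct.pack_into("<I", opt, 28, 0x400000)    # ImageBase (assumed)
    struct.pack_into("<I", opt, 56, 0x20000)     # SizeOfImage (constructed)
    return dos + b"PE\0\0" + file_hdr + bytes(opt)

if __name__ == "__main__":
    fixed = set_entry_point(make_sample_dump(), 0x411659)
    print([hex(v) for v in read_entry_point(fixed)])
```

The range check rejects an address that falls outside `SizeOfImage`, which usually means the wrong image base was used when converting the debugger address to an RVA.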


Today I am going to continue my previous tutorial, from the point after we were able to repair the import table of the PE dumped from memory.
