Hello britedream
Have few questions if you don't mind.
(1) if you can clarify how did you find the missing api
E1170 / E117C / E1180 / E118C / E1198 / E1224 / E124C
I was able to find E117C i.e. LoadLibraryA but rest was not able to identify. I need to understand how you got the True api.
(2)
>at address :48bc63 = push 48bd65 ,retn
Do you mean we have to assemble the bytes or we have to reach uptil 0x7CFAF9 where we see Push 48BD65 & a Ret.
(3)
>copy section 00C00000 from orignal file to the unpacked
I don't see any section below is section i can see. Which part you are mentioning.
Code:
Number Name VirtSize RVA PhysSize Offset Flag
1 000E0000 00001000 00071000 00000400 C0000040
2 0003A000 000E1000 0003A000 00071400 C0000040
3 00019000 0011B000 00008000 000AB400 C0000040
4 0004E000 00134000 0004E000 000B3400 C0000040
5 .svkp 00010000 00182000 00010000 00101400 C0000040
(4) Stolen Bytes
How did you find the stolen bytes from which part of the code you understood & put back in the required offset.
Regards, Sope.