  #1  
12-10-2004, 07:32
nikita@work
 
Quote:
Originally Posted by Jay
throw us a quick tut together then will you.
It will be really short.
Go to the end of the packed stream and look for code like this:
Code:
pop edx
pushad
mov ebx, PackedStreamSize
mov esi, offset PackedStream
lea edi, RawDataOffset
Just rip the decompress function (or use lzo1x from Oberhummer's UCL) and the postfilter (only if relocs are present). To decrypt the imports you will need the RC4 key from the protector's runtime context. Near the key there are the original OEP address, ImageBase, IAT address, etc.

P.S. There is an original PE header at the end of the unpacked stream. So, as I said before, it looks like a UPX-based product ;)

Last edited by nikita@work; 12-10-2004 at 07:44.
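
Added example (not part of nikita@work's post): an analyst's check for the PE header the post says sits at the end of the unpacked stream, reading ImageBase and the entry-point RVA from it so they can be compared with the values recovered from the runtime context. It assumes the copy is a normal 32-bit DOS + NT header; the function names and the sample buffer are constructed for illustration.

```python
import struct

PE32_MAGIC = 0x10B  # optional-header magic for 32-bit images


def parse_pe32(buf, pos):
    """Parse a PE32 header starting at pos; return (image_base, entry_rva) or None."""
    if pos + 0x40 > len(buf):                      # DOS header must fit
        return None
    (e_lfanew,) = struct.unpack_from("<I", buf, pos + 0x3C)
    nt = pos + e_lfanew
    opt = nt + 24                                  # 4-byte signature + 20-byte file header
    if opt + 32 > len(buf) or buf[nt:nt + 4] != b"PE\0\0":
        return None
    (magic,) = struct.unpack_from("<H", buf, opt)
    if magic != PE32_MAGIC:
        return None
    (entry_rva,) = struct.unpack_from("<I", buf, opt + 16)   # AddressOfEntryPoint
    (image_base,) = struct.unpack_from("<I", buf, opt + 28)  # ImageBase
    return image_base, entry_rva


def find_trailing_pe_header(buf):
    """Scan backwards for the last 'MZ' that starts a valid PE32 header.

    Returns (offset, image_base, entry_rva) or None. Stray 'MZ' byte pairs
    in the data are skipped because they fail the structural checks.
    """
    pos = len(buf)
    while True:
        pos = buf.rfind(b"MZ", 0, pos + 1)         # next candidate before pos
        if pos < 0:
            return None
        parsed = parse_pe32(buf, pos)
        if parsed:
            return (pos,) + parsed


def constructed_sample():
    """Constructed buffer: 100 filler bytes, a minimal PE32 header, a stray 'MZ'."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew: NT header follows
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)        # entry-point RVA
    struct.pack_into("<I", opt, 28, 0x400000)      # ImageBase
    return b"\x90" * 100 + bytes(dos) + b"PE\0\0" + bytes(20) + bytes(opt) + b"MZ"
```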