The rule of dumping at OEP relates not only to DLLs, but to EXEs too. It helps to avoid difficulties. For example: a DLL, when it runs, decrypts itself using XOR. You dump it after part of it was decrypted. When you run the dump, it tries to decrypt again (but part of it is already decrypted), and you get junk instead of decrypted code. It's just an example; there are other possible problems, like getting initial values from the data section and then overwriting them. To avoid such things it's better to dump at OEP. Sometimes the dump works OK if you dump later, but sometimes it crashes.
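The two failure modes described in the post above, as an added toy model that is not part of the original post: a stub XOR-decrypts a code section in place and overwrites its key in the data section as it goes. The image layout, key schedule, sample bytes and all function names are constructed for illustration, and the OEP dump is assumed to have its entry point set to OEP so the stub does not run again.

```python
import copy

def next_key(k):
    # Constructed rolling-key schedule; real packers vary.
    return (k * 3 + 1) & 0xFF

def pack(plain, key):
    """Build a toy packed image: encrypted .text plus the key's initial value in .data."""
    text, k = bytearray(), key
    for b in plain:
        text.append(b ^ k)
        k = next_key(k)
    return {"text": text, "data_key": key, "entry": "stub"}

def run_stub(image, stop_after=None):
    """Unpacking stub: reads the key from .data, decrypts .text in place and
    overwrites the key in .data as it goes. stop_after models the moment
    the analyst takes the dump."""
    k = image["data_key"]
    n = len(image["text"]) if stop_after is None else stop_after
    for i in range(n):
        image["text"][i] ^= k
        k = next_key(k)
        image["data_key"] = k      # the initial value is now lost
    return image

def dump(image, entry):
    """Snapshot memory; entry is where the dumped file will start executing."""
    snap = copy.deepcopy(image)
    snap["entry"] = entry
    return snap

def run_dump(snap):
    """Execute a dumped image and return the code bytes that actually run."""
    if snap["entry"] == "stub":    # the stub runs again over whatever was dumped
        run_stub(snap)
    return bytes(snap["text"])

PLAIN = bytes.fromhex("5589e583ec10c745fc00000000c9c3")  # constructed sample bytes
KEY = 0x5A                                               # constructed key

def early_dump_result():
    live = run_stub(pack(PLAIN, KEY), stop_after=5)      # dumped mid-decryption
    return run_dump(dump(live, entry="stub"))

def oep_dump_result():
    live = run_stub(pack(PLAIN, KEY))                    # stub finished: at OEP
    return run_dump(dump(live, entry="oep"))

if __name__ == "__main__":
    print("early dump:", early_dump_result().hex())
    print("OEP dump:  ", oep_dump_result().hex())
    print("original:  ", PLAIN.hex())
```

In the early dump the first five bytes are decrypted a second time with a key that has already moved on, and the remaining bytes are decrypted with the wrong part of the key stream, so none of the code survives.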