Thanks Sabor,
You were right, my assumption was wrong. I made the right assumption for the 3rd DWORD and it works fine! I got my target fully unshelled and it's working.
After decrypting the 2 encrypted sections of Sentinel (code and data sections), I made a simple search tool to find the beginning of the first import descriptor in the import table, and then I put the address in the Import Directory entry and also set the correct address in the IAT.
Then I found the original entry point by looking for a pattern I had from the trial version of my target (which was not protected by the shell) and set it in the header, and now the target runs well.
I would like to know:
Are the OEM or import table beginning address stored somewhere in the Sentinel sections, or do they come from dongle memory?
Because it may not be possible to have an OEP pattern, or to find the import table beginning address by scanning the whole import section.
As I remember from a long time ago, when I was developing my generic Sentinel unsheller for Sentinel shell ML-5.1 and ML-5.2 (SSUNSHL), these values could be found in memory while the program runs with the dongle attached.
But now the target will not run with the Sentinel shell without the dongle, so I cannot find those values in memory.