I remember running into a problem with bypassing this before but I don't remember the details. Since that procedure is used for other functions you could try following the return address and nop the jump instead.
Extra bytes ('overlay') might be another reason your file size is smaller than from the Nacho_DJ unpacker tool. That tool will not leave a huge amount of extra bytes there and it appends the overlay back to the dump. If you think it's a bug, please PM me a link to the target if it's not a problem.
You will not see the PE header you modified in memory unless the dumper is set to use the PE from memory instead of the PE from disk. I always rebuild the PE sections once the file is dumped and dump using the PE-from-disk option. Since you are playing around with trying to modify the sections prior to dumping, maybe a dumper with more options might be of better use. Try OllyDumpEx. - jack
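To make the "overlay" point above concrete, here is an added example (not code from the thread, from the Nacho_DJ tool or from OllyDumpEx) that parses a PE file's section table from the on-disk header, computes where the last section's raw data ends, treats everything past that as overlay, and re-appends it to a dump that lost it. The sample PE it builds is constructed in the script (two sections, a 0x600-byte image and a short tag as overlay); the section layout and the overlay bytes are assumptions for demonstration only.

```python
import struct
import sys

# Constructed sample overlay; a real packer leaves whatever it appended after the last section.
OVERLAY_TAG = b"constructed overlay data"


def pe_section_headers(data: bytes):
    """Parse the section table from the on-disk PE headers.

    Returns a list of (name, virtual_size, virtual_address, size_of_raw_data, pointer_to_raw_data).
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    section_table = coff + 20 + size_of_optional
    headers = []
    for i in range(num_sections):
        off = section_table + i * 40
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        headers.append((name, vsize, vaddr, raw_size, raw_ptr))
    return headers


def overlay_offset(data: bytes) -> int:
    """File offset where the last section's raw data ends; bytes past it are overlay."""
    end = 0
    for _, _, _, raw_size, raw_ptr in pe_section_headers(data):
        if raw_size:  # sections with no raw data (e.g. .bss) occupy no file space
            end = max(end, raw_ptr + raw_size)
    return min(end, len(data))


def split_overlay(data: bytes):
    """Return (image_without_overlay, overlay)."""
    off = overlay_offset(data)
    return data[:off], data[off:]


def reattach_overlay(dump: bytes, original_on_disk: bytes) -> bytes:
    """Append the packed file's overlay to a dump that was written without it."""
    _, overlay = split_overlay(original_on_disk)
    return dump + overlay if overlay else dump


def build_sample_pe(overlay: bytes = OVERLAY_TAG) -> bytes:
    """Constructed minimal PE32: DOS stub, COFF header, 224-byte optional header, two sections."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    # Machine=i386, 2 sections, no timestamp/symbols, optional header 224 bytes, EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic; remaining fields left zero for the sample
    layout = [(b".text", 0x1000, 0x200, 0x200), (b".data", 0x2000, 0x200, 0x400)]
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", name, raw_size, vaddr, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        for name, vaddr, raw_size, raw_ptr in layout
    )
    image = bytearray(dos + b"PE\0\0" + coff + opt + sections)
    image += b"\0" * (0x600 - len(image))  # pad to the end of .data's raw data
    image[0x200:0x204] = b"TEXT"
    image[0x400:0x404] = b"DATA"
    return bytes(image) + overlay


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    img, ov = split_overlay(blob)
    for name, vsize, vaddr, raw_size, raw_ptr in pe_section_headers(blob):
        print(f"{name:8s} VA=0x{vaddr:08x} raw=0x{raw_ptr:08x}+0x{raw_size:x}")
    print(f"overlay starts at 0x{len(img):x}, {len(ov)} bytes")
```

Run it against a packed file to see whether the size difference you observed is just the overlay; if the dump is smaller by exactly the overlay length, `reattach_overlay(dump, original)` is what the unpacker tool is doing for you. Note that this reads the section table from the file on disk, which is the same distinction as the dumper's PE-from-disk option: if you patched the header in memory, the on-disk raw pointers and sizes are what this parser sees.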