Thanks TechLord.
After a look at the disassembly of your unpacked Ramsaver I could see that I was totally wrong in saying that there is no IAT redirection. I have now been able to trace to the point where the decision is made whether to write an API in the IAT table or not. At that location, whenever ESI=0xDC or 0x74 the IAT was written, and with ESI=0xE6 it was skipped. So I was able to inject this code:

Code:
```
009E0000   8A43 3B         MOV AL,BYTE PTR DS:[EBX+0x3B]
009E0003   81FE E6000000   CMP ESI,0xE6
009E0009   75 05           JNZ SHORT 009E0010
009E000B   BE 74000000     MOV ESI,0x74
009E0010 ^ E9 A161FEFF     JMP 009C61B6
```

Now I am trying to figure out how to fix those redirected calls to 01B00000, which are actually calls to the APIs that are redirected to the VM. I am still reading some tutorials and hoping I can make a breakthrough soon. However, any suggestion on the procedure for resolving these redirected calls will be very much appreciated.

Thanks,
TempoMat