Exetools  

Go Back   Exetools > General > General Discussion
Reload this Page Entrypoint < 400000 ,then how to dump?[ASProtect 1.22 - 1.23 Beta 21]
Register Forum Rules FAQ Calendar Mark Forums Read

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 12-14-2005, 23:00
deroko's Avatar
deroko deroko is offline
cr4zyserb
  
Join Date: Nov 2005
Posts: 217
Rept. Given: 13
Rept. Rcvd 30 Times in 14 Posts
Thanks Given: 7
Thanks Rcvd at 33 Times in 16 Posts
deroko Reputation: 30
You can dump that part of memory but here are a few tricks:
1st virtual.exe is extracted by aspack before original asprotect gains control
2nd when you reach that entrypoint you may use dump regions to dump code from lordpe
3rd now when you have dumped region you have to fix peheader, actually you have to add completely new PE header b/c in dump there is no peheader (deleted)
4th fix imports by examing aspack import loading process and we know that aspack keeps whole import table, so dump it, and apply that to newly dumped file, fix import RVA in peheader and voila you can load that exe in IDA with all imports

here is example of virtual.exe used in Serv-u asprotect 2.1 ske :
http://rapidshare.de/files/8713096/dumped.rar.html
Reply With Quote
Reply

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Hybrid Mode Hybrid Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


All times are GMT +8. The time now is 00:30.

Aaron's homepage - Top

Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( Since 1998 )