|
|
|
|
#1
08-02-2012, 12:08
|
|||
|
|||
|
@zementmischer I hear ya. I spent a little time looking to rebuild it. The packer code start point has been the end of the text section in my testing with other mpress files. IE betwen the 2 JMPs routines, packer code. I was looking for some patterns to identify it easier. Sometimes there is a pointer of the amount of bytes to the next section from the .text section. mpress2 is all packer code can be removed. You can easily see where the resource mapping was moved from the original code. But it isn't as convenient as UPX including a copy of the original PE section. Anyway here is my mapping of my dump for this target if you are interested.
Name VirtSize VirtAddr SizeRaw PtrRaw Flags Pointing Directories ------------------------------------------------------------------------------------------- .text 001E3000h 00401000h 001E2200h 00000200h E00000E0h .rdata 00063000h 005E4000h 00062000h 001E2400h 40000040h Delay Import Descriptor .data 00009000h 00647000h 00009000h 00244400h C0000040h .rsrc 005A0000h 00650000h 0059F200h 0024D400h C0000040h Resource Table .ImpFix 00005000h 00BF0000h 00004400h 007EC600h C0000040h Import Table Last edited by RedBlkJck; 08-02-2012 at 12:12. Reason: add on 
|
 |
| Thread Tools | |
| Display Modes | |
|
|
Hybrid Mode
