Thread: Request for EZCD x86 unpack Tutorial
View Single Post
  #26  
Old 11-03-2017, 03:55
mr.exodia mr.exodia is offline
Retired Moderator
  
Join Date: Nov 2011
Posts: 783
Rept. Given: 490
Rept. Rcvd 1,123 Times in 305 Posts
Thanks Given: 89
Thanks Rcvd at 716 Times in 333 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
I changed "push 100" to "push 0", put a breakpoint on the first occurrence of EB03, run, revert the patch to not trigger crc checks and you get a 'clean' IAT. You still have to move the IAT with a tool like UIF though...

The push 100 is a call that decrypts a buffer I believe, but I didn't look at it for a long time.
The Following User Says Thank You to mr.exodia For This Useful Post:
Benten (11-04-2017)