Quote:
|
Originally Posted by el-kiwi
your program is protected with some kind of exe stealth and Neolite 2.0,here is your oep:
click on dump section,ctrl+G and in expression to follow box select 12FFC0,you are here:
0012FFC0 27 78 59 00
now highlight these four value and right click,select breakpoint hardware,on access----> Dword
now shift+F9 once and you land here:
00591DDF .-E9 C8F6F4FF JMP CATCount.004E14AC-----> execute this jump and you are at OEP
004E14AC 55 PUSH EBP
.
|
Here I have to [F8] 00591C90 first, then ESP: 0012FFA0. After [Ctrl+F9], I am at: 00591DDF.
Result: GREATTT! Thanks el-kiwi. ImpRec found all Imports and the file run normally.
You said it was packed by 2 packers. That's why Olly breaks 2 times at the same EP of SFX before OEP?
Just one question, why I have to re-normalize Exports in W98 to have a good dumped file, but not needed on XP since it run OK?