Code:
Memory map
Address   Size      Owner     Section  Contains              Type  Access  Initial
00400000  00001000  Thisapp-           PE header             Imag  R       RWE
00401000  00D5B000  Thisapp-  .text    code                  Imag  R       RWE
0115C000  00207000  Thisapp-  .rdata                         Imag  R       RWE
01363000  000BC000  Thisapp-  .data    data                  Imag  R       RWE
0141F000  00172000  Thisapp-  .rsrc    resources             Imag  R       RWE
01591000  00016000  Thisapp-  PREVIEW  SFX,imports,exports   Imag  R       RWE
Use memory breakpoints; they can be effective when all else fails. Almost... well, always as far as I know, when you want to break on the OEP section, it should be the first section (not the PE header), often with the section header ".text".
Vbox is easy...
Load app, clear IsDebuggerPresent byte, run the app until the trial screen appears, set a "BP FreeLibrary"; when you break, set a memory breakpoint on the code section, run... and you're at the OEP. Dump the app, change entrypoint to OEP, run the packed app not under a debugger, rebuild imports with ImpREC using "Hook" and "Trap Flag"; any unresolved imports should be "PeekMessage" and "GetMessage".
Read my tutorial on VBOX 4.6 for a detailed overview.
http://www.exetools.com/forum/showthread.php?t=5953
But since you don't have download privileges yet, if you PM me with your email I will be nice enough to send it to you.
Quote:
Originally Posted by ReVeR
...is this normal to have more than one .code section?
This is not uncommon, it's just a characteristic of a packed application where one code section unpacks/decrypts the other before executing it.
Regards...
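Added example, not code from the post or from the VBox tutorial: a small PE section-table parser that flags the layout described above (entry point in a second, writable code section instead of the first one) and reports the first section's address range, which is the region a memory breakpoint on the code section watches for the OEP. The PE headers are constructed inline from the memory-map values above; the section characteristics are assumed.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def parse_pe(data):
    """Return (image_base, entry_rva, sections) from the headers of a 32-bit PE image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24  # optional header follows the 20-byte COFF header
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsec):  # 40-byte IMAGE_SECTION_HEADER entries follow the optional header
        name, vsize, va, _, _, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "size": vsize, "chars": chars})
    return image_base, entry_rva, sections

def packer_indicators(data):
    """Flag the packed layout from the post: entry point outside the first section plus a second, writable
    code section (the unpacking stub); also return the first section's VA range (where the OEP is expected)."""
    base, entry, secs = parse_pe(data)
    entry_sec = next(s for s in secs if s["va"] <= entry < s["va"] + s["size"])
    first = secs[0]
    return {
        "entry_section": entry_sec["name"],
        "entry_in_first_section": entry_sec is first,
        "executable_sections": [s["name"] for s in secs if s["chars"] & IMAGE_SCN_MEM_EXECUTE],
        "writable_code_sections": [s["name"] for s in secs
                                   if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE],
        "oep_watch_range": (base + first["va"], base + first["va"] + first["size"]),
    }

def build_sample_image():
    """Constructed PE headers modelled on the memory map in the post (hypothetical, not a real file)."""
    secs = [(b".text", 0xD5B000, 0x1000, 0x60000020), (b".rdata", 0x207000, 0xD5C000, 0x40000040),
            (b".data", 0xBC000, 0xF63000, 0xC0000040), (b".rsrc", 0x172000, 0x101F000, 0x40000040),
            (b"PREVIEW", 0x16000, 0x1191000, 0xE0000020)]  # name, VirtualSize, VirtualAddress, Characteristics
    dos = bytearray(b"MZ") + bytearray(0x7E)
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0xE0, 0x102)  # i386, 5 sections, PE32 opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1191000)  # AddressOfEntryPoint inside PREVIEW (packer stub)
    struct.pack_into("<I", opt, 28, 0x400000)  # ImageBase
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, vs, 0, 0, 0, 0, 0, c) for n, vs, va, c in secs)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
```

Running `packer_indicators(build_sample_image())` reports the entry point in PREVIEW, two executable sections, and 0x00401000-0x0115C000 as the .text range to watch.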