  #4  
Old 08-07-2008, 18:39
Sabor
Good work. Last time I did a sent shell I left the wrapper intact and, while in memory, I patched in the proper DWORD (solved it separately); this way the wrapper would pretend the dongle was actually inserted. After I did this I pretended it was a normal application and set a breakpoint on the decrypted code section; the first hit I got was obviously the OEP. Many good unpacking masters simply dump the targets and look for the OEP by hand, this is not uncommon, then go back and work from there. Regarding the IAT, I recall it being very gay. I think 99% of the IAT is intact, just like 2 APIs are faked, which are easily traced. You can do a thread search on this forum or Woodmann for those APIs and find them. I do not recall entirely, but it would not be dumb to assume that the queries which decrypt the code sections pretty much finish off the shell packer. I highly doubt any more queries related to the packing/IAT are used after you get to the OEP, aside from those 2 faked APIs (or was it 1?). Have fun.