First of all, run the OEP_SBOEP script. If it works and you stop at the OEP or SBOEP (Stolen Bytes OEP), you can proceed with the next steps.
If the app is a protected Delphi application, you should first try to correct the INIT table. If the table was stolen and it really is a Delphi application, you will get a "table_INIT.bin" dump. This dump is required by the API emulation and IAT repair script.
The next step applies to all apps (Delphi and other languages). Run the "Repair IAT and APIs calls.osc" script. If it reports no errors, you can dump the target. The PE Dumper plug-in by FKMA is recommended: press the "Get EIP as OEP" button, check the "Fix raw sizes" and "Make header size 0x1000" options, then press the "Dump" button.
Then delete all ASProtect sections. Don't delete the original dump! You will need it to repair the resources.
The next step is repairing the TLS and relocation directories. Once the ASProtect sections are gone, any data directory entry whose RVA still points into their address range is invalid. Find the right bytes in the unpacked file (you can see what the right bytes are in the protected app) and change the invalid addresses to the correct ones.
The next step is the resource directory. Dump the ".rsrc" section from the unpacked file (the original dump) with Resource Binder and merge it, using PE Tools, into the dump that already has the ASProtect sections removed and the TLS and relocation directories repaired.
Then you can repair the IAT using ImpREC.
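The two header steps above (delete the ASProtect sections, then repoint the TLS and relocation directories) are usually done by hand in PE Tools, so it is easy to leave a directory entry pointing into a section that no longer exists. The script below is an added example, not part of this post or of the scripts it mentions: it parses a PE32 header, reports which TLS/relocation entries still point into a protector section (or into nothing), strips trailing protector sections, and rewrites the two directory entries. It assumes ASProtect's section is named ".adata", and the "good" TLS and relocation values as well as the header-only sample image are constructed for the demo; on a real dump you would take the good values from wherever you located them as the post describes.

```python
import struct

# Data directory indices from the PE/COFF spec; only the two the unpacking steps touch.
DIR_BASERELOC = 5
DIR_TLS = 9
DIR_NAMES = {DIR_BASERELOC: "BASERELOC", DIR_TLS: "TLS"}

# Section name ASProtect is assumed to use for its own data (assumption; varies by version).
PROTECTOR_SECTIONS = (".adata",)


def _layout(data):
    """Return (optional-header offset, number of sections, section-table offset) of a PE32 image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]          # IMAGE_FILE_HEADER.NumberOfSections
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]     # SizeOfOptionalHeader
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 headers are handled here")
    return opt, nsec, opt + size_opt


def sections(data):
    """List of (name, VirtualAddress, VirtualSize) from the section table."""
    _, nsec, tab = _layout(data)
    out = []
    for i in range(nsec):
        off = tab + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va = struct.unpack_from("<II", data, off + 8)
        out.append((name, va, vsize))
    return out


def get_directory(data, idx):
    """(RVA, Size) of data directory idx; PE32 directories start at optional header + 96."""
    opt, _, _ = _layout(data)
    return struct.unpack_from("<II", data, opt + 96 + 8 * idx)


def set_directory(data, idx, rva, size):
    """Return a copy of the image with data directory idx rewritten."""
    out = bytearray(data)
    opt, _, _ = _layout(data)
    struct.pack_into("<II", out, opt + 96 + 8 * idx, rva, size)
    return bytes(out)


def section_of(data, rva):
    for name, va, vsize in sections(data):
        if va <= rva < va + vsize:
            return name
    return None


def dangling_directories(data, protector=PROTECTOR_SECTIONS):
    """TLS/reloc entries that point into a protector section or into no section at all."""
    bad = {}
    for idx, name in DIR_NAMES.items():
        rva, _ = get_directory(data, idx)
        if rva:
            owner = section_of(data, rva)
            if owner is None or owner in protector:
                bad[name] = (rva, owner)
    return bad


def strip_trailing_sections(data, protector=PROTECTOR_SECTIONS):
    """Drop protector sections, which must be the last table entries (ASProtect appends its section).
    Shrinks NumberOfSections and SizeOfImage, zeroes the headers and truncates their raw data."""
    opt, nsec, tab = _layout(data)
    secs = sections(data)
    keep = [s for s in secs if s[0] not in protector]
    if len(keep) == nsec:
        return bytes(data)
    if secs[:len(keep)] != keep:
        raise ValueError("protector sections are not at the end of the section table")
    out = bytearray(data)
    struct.pack_into("<H", out, opt - 24 + 6, len(keep))             # NumberOfSections
    struct.pack_into("<I", out, opt + 56, secs[len(keep)][1])        # SizeOfImage = first dropped VA
    raw = [struct.unpack_from("<I", data, tab + 40 * i + 20)[0] for i in range(len(keep), nsec)]
    cut = min([r for r in raw if r] or [len(out)])                   # PointerToRawData of dropped data
    for i in range(len(keep), nsec):
        out[tab + 40 * i:tab + 40 * (i + 1)] = b"\0" * 40
    return bytes(out[:cut])


def build_pe(secs, dirs):
    """Constructed header-only PE32 image for the demo (not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)       # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 56, secs[-1][1] + secs[-1][2])       # SizeOfImage
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    for idx, (rva, size) in dirs.items():
        struct.pack_into("<II", opt, 96 + 8 * idx, rva, size)
    table = b"".join(name.encode().ljust(8, b"\0") + struct.pack("<IIII", vsize, va, 0, 0)
                     + b"\0" * 12 + struct.pack("<I", 0x60000020) for name, va, vsize in secs)
    return bytes(dos + coff + opt + table)


# Constructed sample: a dump whose TLS and relocation entries were redirected into ASProtect's section.
DUMP = build_pe(
    [(".text", 0x1000, 0x5000), (".rsrc", 0x6000, 0x2000), (".reloc", 0x8000, 0x1000), (".adata", 0x9000, 0x20000)],
    {DIR_TLS: (0x9100, 0x18), DIR_BASERELOC: (0x9200, 0x800)},
)
# Assumed correct values for the demo; in practice taken from the protected app as the post describes.
GOOD_TLS, GOOD_RELOC = (0x5200, 0x18), (0x8000, 0x800)


def repair(dump):
    """Strip the protector section, then point TLS and reloc back at the real tables."""
    fixed = strip_trailing_sections(dump)
    fixed = set_directory(fixed, DIR_TLS, *GOOD_TLS)
    return set_directory(fixed, DIR_BASERELOC, *GOOD_RELOC)


if __name__ == "__main__":
    print("before:", dangling_directories(DUMP))
    print("after: ", dangling_directories(repair(DUMP)))
```

Run `dangling_directories` on the stripped dump before and after you edit the directories: a non-empty result means the loader will read TLS callbacks or relocations from memory that no longer belongs to any section, which is one of the classic reasons a "clean" dump crashes at start-up.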
There are harder cases: when the developer used CRC checks, envelope checks, polymorphic markers, or encrypted sections (you can't do anything about those if you don't have a valid or blacklisted key). For these cases I can't explain what to do in "two words". You need to read the tutorials and understand the whole scheme of the protector's work.
I have started translating the comments in the scripts, and then I will try to translate all the tutorials by vnekrilov. If someone has a lot of time and knows English well, you can help me.