Quote:
Originally Posted by giv
Other solution.
Compress the unpacked file with UPX and it will work.
|
Tried this as well but UPX could not compress the unpacked exe.
Quote:
Originally Posted by RedBlkJck
Maybe you are only at fake oep where the resource section is repaired/remapped after fake oep. Try editing the resources on your manually unpacked file.
|
No, the OEP in both files is the same.
Quote:
Originally Posted by giv
Search this pattern #C1E81FF7D083E001#
--------------------------
MOV EAX,DWORD PTR DS:[EAX+24] ; Section char of codesec to eax
SHR EAX,1F
NOT EAX
AND EAX,1
|
The breakpoint at the location 00541C17 (with the quoted pattern) is hit continuously.
If I set EAX=1 after the AND EAX,1 instruction at the first hit, the unpacked file runs without the error. All other hits will trigger the R6002 error and some other SEHs with EAX modified to 1. So patching here will have to be thoroughly thought through.
Maybe trying to rebuild the PE header first before dumping might be the most elegant way even though it could be the most time consuming option.
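Added example, not part of the post above: a Python sketch that reads the Characteristics field (offset 0x24 of each IMAGE_SECTION_HEADER) from a PE image and evaluates the quoted SHR/NOT/AND sequence on it, so the section headers of the original file and of a dump can be compared before any patching. It assumes, going by the comment in the quoted listing, that EAX points at a section header; bit 31 of Characteristics is IMAGE_SCN_MEM_WRITE. The helper names and sample header values are constructed for illustration and say nothing about the actual files in this thread.

```python
import struct

IMAGE_SCN_MEM_WRITE = 0x80000000  # bit 31 of IMAGE_SECTION_HEADER.Characteristics


def quoted_check(characteristics):
    """Mirror SHR EAX,1F / NOT EAX / AND EAX,1 on a 32-bit value."""
    eax = (characteristics & 0xFFFFFFFF) >> 0x1F   # isolate bit 31
    eax = ~eax & 0xFFFFFFFF                        # NOT on a 32-bit register
    return eax & 1                                 # 1 = write bit clear, 0 = set


def section_characteristics(pe):
    """Return [(name, characteristics)] read from a PE image's section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size               # section table follows optional header
    out = []
    for i in range(num_sections):
        hdr = table + i * 40                       # each section header is 40 bytes
        if hdr + 40 > len(pe):
            raise ValueError("section table truncated")
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        chars, = struct.unpack_from("<I", pe, hdr + 0x24)
        out.append((name, chars))
    return out


def build_sample(sections):
    """Constructed header-only blob for the demo (not a loadable executable)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 28 + struct.pack("<I", c)
                     for n, c in sections)
    return dos + b"PE\0\0" + coff + table


if __name__ == "__main__":
    # Constructed values: same layout, code section with and without the write bit.
    sample_a = build_sample([(b".text", 0x60000020), (b".data", 0xC0000040)])
    sample_b = build_sample([(b".text", 0xE0000020), (b".data", 0xC0000040)])
    for label, image in (("sample_a", sample_a), ("sample_b", sample_b)):
        for name, chars in section_characteristics(image):
            print(label, name, hex(chars), "check ->", quoted_check(chars))
```

To use it on real files, pass the bytes of the original and of the dump to `section_characteristics` and diff the two lists.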