10-29-2013, 21:30
giv
Later edit.
Here is the link:
Quote:
http://forum.tuts4you.com/topic/31588-problem-unpack-execryptor-2410/#entry148468
And the solution by LCF-AT:
Quote:
Posted 28 March 2013 - 08:04 PM
Hi,

very simple.

R6002 = Section flag check. So after unpacking, your xy section flag was changed [adding writeable flag] and this will be checked. It mostly happens in the section where your new IAT is stored. If you change the flag of the section back to the original [not writeable] then you get an error, so now it can no longer write the APIs in this section. So what you have to do now is to find this check, patch the check and save it, and then all is working fine again.

You can use a HWBP on the section char in the PE Header....

or try this..

Search this pattern #C1E81FF7D083E001#
--------------------------
MOV EAX,DWORD PTR DS:[EAX+24] ; Section char of codesec to eax
SHR EAX,1F
NOT EAX
AND EAX,1
......... ; If eax 0 then R6002 Error. So you always have to get value 1 in eax at the end = Not writeable enabled. If you get 0 = Yes, writeable enabled for the section xy. Just patch the first command of the code to mov eax,1 and nop the other 3 commands.

greetz
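An added example, not part of the original post or of LCF-AT's reply: a Python reader that pulls each section header's Characteristics field (offset 0x24, the `[EAX+24]` read in the quoted code) and evaluates the same SHR/NOT/AND arithmetic, so you can see which sections of a dump make the check return 0. The two header-only images, the section names and the flag values are constructed for illustration.

```python
import struct

IMAGE_SCN_MEM_WRITE = 0x80000000  # bit 31 of the section Characteristics


def crt_check(characteristics):
    """Same arithmetic as SHR EAX,1F / NOT EAX / AND EAX,1: 1 = not writable."""
    return ~(characteristics >> 31) & 1


def section_flags(image):
    """Return [(name, characteristics, check_result)] for each section header."""
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    (nsections,) = struct.unpack_from("<H", image, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size  # signature + COFF header + optional header
    out = []
    for i in range(nsections):
        hdr = table + 40 * i  # each section header is 40 bytes
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        (chars,) = struct.unpack_from("<I", image, hdr + 0x24)  # the [EAX+24] field
        out.append((name, chars, crt_check(chars)))
    return out


def build_sample(sections):
    """Constructed, header-only PE image for the demo (not a real binary)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    body = b"".join(
        name.ljust(8, b"\0") + b"\0" * 28 + struct.pack("<I", chars)
        for name, chars in sections)
    return dos + b"PE\0\0" + coff + b"\0" * 0xE0 + body


# Constructed inputs: read-only .rdata versus the same section made writable.
ORIGINAL = build_sample([(b".text", 0x60000020), (b".rdata", 0x40000040)])
UNPACKED = build_sample([(b".text", 0x60000020), (b".rdata", 0xC0000040)])

if __name__ == "__main__":
    for label, img in (("original", ORIGINAL), ("unpacked", UNPACKED)):
        for name, chars, ok in section_flags(img):
            writable = bool(chars & IMAGE_SCN_MEM_WRITE)
            print(f"{label:9}{name:8}{chars:#010x} writable={writable} check={ok}")
```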