|
I am at work now, so I dont have OllyDbg here to retest it. At home, I remember we will see a call to GetProcAddress as call dword ptr[xxx]. Subtract the value of EIP at the line after F12 with 0xB, you will see a cmp xxx and a JE OEP. FSG 1.0 rebuid the IAT with many calls to GetProcAddress, and until the count of import functions go to 0, it will jump to OEP.
Some VC++ app which uses ComCtlxxx.dll will call GetProcAddress many times, so we need to run until the call GetProcAddress is from code of packed exe (check stack), and we need only press F12 only once.
Hope you will solve it !
Regards
|