#9
First, a note: PEiD picks up all the Delphi targets I tried packing (Delphi 7-8) as Arma 1.xx - 2.xx Overlay, so look at the section names. If it looks like a Delphi, you can bet it's a lot newer Arma version than PEiD thinks. If you need the exact version, there's a tutorial posted on how to get it.
As for your question, paul: when you break on CreateThread you may see something like this (this is Arma 3.75-Test1, posted by Scratch, on a Delphi using Minimum Protection):

```
7C81082F > 8BFF             MOV EDI,EDI                        --> Land Here
7C810831   55               PUSH EBP
7C810832   8BEC             MOV EBP,ESP
7C810834   FF75 1C          PUSH DWORD PTR SS:[EBP+1C]
7C810837   FF75 18          PUSH DWORD PTR SS:[EBP+18]
7C81083A   FF75 14          PUSH DWORD PTR SS:[EBP+14]
7C81083D   FF75 10          PUSH DWORD PTR SS:[EBP+10]
7C810840   FF75 0C          PUSH DWORD PTR SS:[EBP+C]
7C810843   FF75 08          PUSH DWORD PTR SS:[EBP+8]
7C810846   6A FF            PUSH -1
7C810848   E8 D9FDFFFF      CALL kernel32.CreateRemoteThread
7C81084D   5D               POP EBP
7C81084E   C2 1800          RETN 18                            --> F8 To Here

00AFF79B   5E               POP ESI                            --> Return to here
00AFF79C   C9               LEAVE
00AFF79D   C3               RETN                               --> F8 Over the Ret
```

Once you return, look down for a CALL EDI such as:

```
00B184B1   FFD7             CALL EDI
```

Click on it and hit F8 to make a breakpoint, F9 to go to it, then F7 to step in, and you're at the OEP.

There are detailed tutorials on Non-Copymem2 Armadildo's, so I won't post any more details; better just to consult those documents.