VBOX upnacking question

[D-Jester]

Code:

Memory map
Address    Size       Owner      Section    Contains                     Type   Access    Initial
00400000   00001000   Thisapp-              PE header                    Imag   R         RWE
00401000   00D5B000   Thisapp-   .text      code                         Imag   R         RWE
0115C000   00207000   Thisapp-   .rdata                                  Imag   R         RWE
01363000   000BC000   Thisapp-   .data      data                         Imag   R         RWE
0141F000   00172000   Thisapp-   .rsrc      resources                    Imag   R         RWE
01591000   00016000   Thisapp-   PREVIEW    SFX,imports,exports          Imag   R         RWE

Use memory Breakpoints they can be effective when all else fails. Almost...well always as far as I know when you want to break on the OEP section, it should be the first section (not the PE Header) often with the section header as ".text".

Vbox is easy...
Load app, clear IsDebuggerPresent Byte, Run the app until the trial screen appears, set a "BP FreeLibrary" when you break set a memory breakpoint on the code section, run...and your at the OEP, dump the app, change entrypoint to OEP, run the packed app not under a debugger, rebuild imports with ImpREC using "Hook", and "Trap Flag", any unresolved imports shouuld be "PeekMessage", and "GetMessage"

Read my tutorial on VBOX 4.6 for a detailed overview.

http://www.exetools.com/forum/showthread.php?t=5953

But since you don't have download privledges yet, if you PM with your email I will be nice enough to send it to you.

Quote:

Originally Posted by ReVeR

...is this normal to have more then one .code section?

This is not uncommon, its just a charateristic of a packed application where one code section unpacks/decrypts the other before executing it.

Regards...