#1
Problem unpacking a Morphined .exe
Hi to all,
I have a problem unpacking an exe file that PEiD tells me is packed with: Morphine 1.4 - 2.7 -> Holy_Father & Ratter/29A. So I followed the GOOD tutorial made by KaGra. After I find the "magic" jump "JMP EAX" to the OEP, I stop and dump using OllyDump, putting in the new OEP and unchecking "Rebuild Import". Then I use the PE Editor of LordPE and look at Sections. I have 4 sections: the big .text section and 3 sections (with size 1000 each). OllyDump automatically gives me the total size of the sections, so I delete the 3 sections and automatically I have the size - 3000 (the 3 sections * 1000). Then I check the size of the .text section, and VirtualSize = RawSize = and is .text section size - 1000 (the PE header size). I save everything but the app does not start (error: ReadProcessMemory or WriteProcessMemory partially complete). Can you please help me understand my mistake? Ah .. the ImageBase is a strange 19F0000 (not the usual 01000000 or 00400000). THX NaSTy
#2
Try looking at this, here are the sources and executable of Morphine 2.7:
wasm.ru/baixado.php?mode=tool&id=188
#3
Thanks,
the problem is that I want to understand how to fix the original Image Base and the size. Also why Morphine can encrypt one file several times. Please give me some advice about this. Thanks NaSTy
#4
Quote:
Quote:
#5
Yes Vodu,
I just resolved it in the way that you explained. To find this "original" value, I tracked the section table information in Olly using the VirtualAlloc/return bp. Then with the original values I fixed the right RawOffset/RawSize VirtualOffset/VirtualSize. Thanks a lot for your advice too. NaSTy
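
A check one could run on a dumped file before and after editing its section table in a PE editor, as an added example that is not from the thread: it parses the PE32 headers and reports sections whose RawOffset/RawSize or VirtualOffset/VirtualSize no longer fit the file or SizeOfImage. The function names and the sample header (built inline, reusing the ImageBase quoted in post #1) are constructed for illustration.

```python
import struct

def parse_pe(data):
    """Return (image_base, size_of_image, sections) of a PE32 file."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    # NumberOfSections at pe+6, SizeOfOptionalHeader at pe+20
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24                                          # optional header start
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i                      # 40-byte section headers
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, raddr = struct.unpack_from("<4I", data, off + 8)
        sections.append((name, vaddr, vsize, raddr, rsize))
    return image_base, size_of_image, sections

def check_sections(data):
    """List section-table entries that disagree with the file itself."""
    _, size_of_image, sections = parse_pe(data)
    problems = []
    for name, vaddr, vsize, raddr, rsize in sections:
        if raddr + rsize > len(data):
            problems.append(f"{name}: raw data ends at {raddr + rsize:#x}, file is {len(data):#x} bytes")
        if vaddr + vsize > size_of_image:
            problems.append(f"{name}: virtual range ends at {vaddr + vsize:#x}, SizeOfImage is {size_of_image:#x}")
    return problems

def build_sample(file_len, size_of_image=0x3000):
    """Constructed PE32 header with one .text section (not a real program)."""
    h = bytearray(0x200)
    h[0:2] = b"MZ"
    struct.pack_into("<I", h, 0x3C, 0x40)                  # e_lfanew
    h[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", h, 0x44, 0x14C, 1)             # i386, one section
    struct.pack_into("<H", h, 0x54, 0xE0)                  # SizeOfOptionalHeader
    struct.pack_into("<H", h, 0x58, 0x10B)                 # PE32 magic
    struct.pack_into("<I", h, 0x58 + 28, 0x19F0000)        # ImageBase from post #1
    struct.pack_into("<I", h, 0x58 + 56, size_of_image)
    h[0x138:0x13D] = b".text"
    struct.pack_into("<4I", h, 0x140, 0x2000, 0x1000, 0x2000, 0x1000)  # vsize, vaddr, rsize, raddr
    return bytes(h).ljust(file_len, b"\0")

if __name__ == "__main__":
    print(check_sections(build_sample(0x3000)), check_sections(build_sample(0x2000)))
```

The sample uses the dump-style layout where the raw offset equals the virtual offset; shrinking the file without updating the section entry makes the first check fire.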