Hello,

Im analysing a piece of malware, its packed with an unknown packer, as far as ive seen all it does is xor decryption, ive managed to unpack it and rebuild its import table with imprec, however it does not run, when i traced it , i found that it exits when it tries to read its resource with LoadResource, the resource section seems to be messed up but i have no idea what to do next, how to fix it.

any hint is appreciated.

GCK

Why don't you zip it with a password and post it here? It will help others to help you.

Hello,

its a big file 32mb and im on a slow connection, it has lot of files embedded into its resource, thats why i need to fix the resource section in order to analyze it, every essay dealing with unpacking ive seen doesnt even mention the resources section, if i dumped the executable at its entry point, why is the rsrc section corrupted ? shouldnt it have already fixed it ?

best regards
GCK

Hello galack,

there are tools out there which maybe able to solve your problem. Take a look here http://www.woodmann.com/collaborative/tools/ResFixer.

Regards
Nukacola