JoePub
December 5th, 2010, 04:13
Hi All,
I am in the process of analyzing a VB executable that was packed with yoda's protector v1.03.3.
I have found the OEP and dumped the executable, and I have also managed to rebuild the import table.
The executable doesn't run though (imports are loaded, etc, but then hangs) so I can continue my analysis. I think it is something to do with the VB header, project info and friends.
Some VB P-Code disassemblers seem to manage to read it, but WKTVBDE and VBResQ don't appear to believe it's a VB executable.
I have tried WKTVBDE with other VB executables and it seems to work fine; it reports that it finds the VB table and then loads the executable.
I think there is an issue with the VB headers that are pushed onto the stack on the first instruction at the OEP, so I was wondering if anyone has found the details for the various structures that are present so that I can check that they are good.
Also, has anyone seen this problem after dumping a VB exe packed with yoda's protector?
Thanks Guys.