vbdisease
January 9th, 2002, 07:51
hi ho,
i need some hints for my first *real* unpacking task.
i followed many threads about aspr, most of them going
over my head, but i wanted to try it myself.
before today i used unpack-toolz (like caspr..) or
did it via trw (pnewsec,makepe...). Now i stumbled upon
this app:
h**p://208.38.138.151/icontoany/i2asetup.exe
peid said it's asprotected (v1.22x - v1.3). so i found
something to play and learn!
after reading many tutz about unpacking i started my quest
of searching the OEP. i traced till my fingers bled.
but, i found nothing really satisfying. till the trace,
i found out, that this app is a d5 app. hrmm.. i started
dede, attached it to active process and decompiled the b*tch.
the built-in pe-editor told me the OEP would be 4B1B75.
glad about my first victory i started procdump162 to dump the process.
then i launched rv 12b9 and attached it to running app.
it gave me the following message:
"image import deskriptor corrupted, enter the OEP..."!
Ha, i had the OEP! i thought...tried it and received a lot of garbage.
so, that wasn't the correct one.
i began to trace again, it took me many hours, and every time i thought
i found the real OEP, i tried it out in rv...with no result.
my "best" IT.txt is attached.
so, dudes, could someone give me a clue what i did wrong?
i begin to think that my starting point may be wrong.
someone out there who takes my hand and leads me through the
troubled streets of unpacking?
regards
vbdisease