jomamameister
January 22nd, 2002, 17:54
Hello all,

I would like to get some feedback on figuring out the new EIP of a packed program. It's obvious you can get it if you manually trace. We also know that unpackers do this themselves. I would appreciate anyone sharing this info. Where do we start? Can we do this without really unpacking the prog, or can we do it after a dump that we did not manually follow while looking for the EIP? Obviously, the packer is following some algorithm or set of algorithms to do this whenever it reaches the time to load the new EIP so the old prog can load and run. Thanks for any input. Packing and unpacking is a fascinating area of learning right now and, as I've said before, I believe we need to become familiar with these tricks.

Thanks,
jomamameister