Flack
August 23rd, 2002, 04:04
Hey guys,
I was following this tut on generic unpacking and I came to a point that is unclear to me. It's the point where I have to find the IAT start + size (step 3). The tut says:
"Launch your hexeditor and edit your DUMP.EXE. Search for the following 2 bytes: FFh,25h Look at the address it jumps to on the first occurrence (or any other occurrence). For example: JMP DWORD PTR [40D2AC]...."
Now, when I search for FF 25 in my dump.exe using my hexeditor, I find many matches. Also, when I find some matches, how do I know what address a jmp jumps to just by looking at the hex of the dump? Does he mean search for FF 25 while in softice? One more thing, what does FF 25 represent and why am I searching for it?
And after that the tut says:
"Now for the length; scroll down until you see 9x '00' bytes. I'm not sure if 9 is a magic number with this shit but it seems so.
Furthermore after those 9x00 you'll see stuff that doesn't look like the above anymore."
How can you be sure that after the 9x00's you found the end of the IAT?
Anyway, up to this point everything was going fine. Hopefully someone can clear up these probably stupid questions so that I can continue.
Thanks a lot for your help,

-Flack
P.S. Here's the link to the tut if someone would like to take a quick look: http://www.woodmann.net/fravia/predator_unpacking.htm
P.P.S. Is the creation of a new IT always required? The reason I'm asking is because in one tut, where I unpacked a Neolite packed notepad.exe it ran fine without any need for any IT stuff.
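The FF 25 scan the tutorial describes, worked through as an added example (this is not code from the original post or from the linked tutorial). In 32-bit x86 code, FF 25 is the opcode of `jmp dword ptr [imm32]` and FF 15 is `call dword ptr [imm32]`; the four bytes that follow are the absolute address of the IAT slot, little-endian, so the hex bytes `FF 25 AC D2 40 00` are exactly the tutorial's `JMP DWORD PTR [40D2AC]`. Every slot the stubs point into is a resolved import (a pointer into some other module, so non-zero and outside the image), and each DLL's block of slots ends with one zero dword. The script below collects those targets, then extends the range backwards and forwards over neighbouring import pointers and single zero terminators instead of relying on the tutorial's "9x 00" heuristic. It assumes an image base of 0x400000 and a dump laid out in memory order (file offset equals RVA), which is what a plain process dump gives you; for a dump with repacked sections you would translate through the section table first. The dump bytes are constructed inline, not taken from any real binary.

```python
import struct

# Assumed for the example: a memory-layout dump (file offset == RVA) with this base/size.
IMAGE_BASE = 0x400000
IMAGE_SIZE = 0x3000

# x86 opcodes for absolute indirect transfers: FF 25 = jmp [imm32], FF 15 = call [imm32]
INDIRECT_MODRM = {0x25: "jmp", 0x15: "call"}


def dword_at(data, off):
    return struct.unpack_from("<I", data, off)[0]


def is_import_pointer(value, image_base=IMAGE_BASE, image_size=IMAGE_SIZE):
    # A resolved IAT slot holds a function address in another module:
    # non-zero and outside this image's address range.
    return value != 0 and not (image_base <= value < image_base + image_size)


def scan_indirect_jumps(data, image_base=IMAGE_BASE, image_size=IMAGE_SIZE):
    """Return (file_offset, mnemonic, target_va) for every FF 25 / FF 15 whose
    32-bit operand points inside the image. Matches whose operand points
    elsewhere are just data bytes that happen to contain FF 25 and are skipped."""
    hits = []
    for off in range(len(data) - 5):
        if data[off] == 0xFF and data[off + 1] in INDIRECT_MODRM:
            target = dword_at(data, off + 2)          # the 4 bytes after FF 25, little-endian
            if image_base <= target < image_base + image_size:
                hits.append((off, INDIRECT_MODRM[data[off + 1]], target))
    return hits


def locate_iat(data, image_base=IMAGE_BASE, image_size=IMAGE_SIZE):
    """Estimate (iat_rva, size) from the indirect-jump targets in the dump."""
    targets = [t for _, _, t in scan_indirect_jumps(data, image_base, image_size)]
    if not targets:
        return None
    start = min(targets) - image_base                 # RVA == file offset (assumption)
    end = max(targets) - image_base + 4
    # Walk backwards over slots the stubs did not reference (e.g. functions reached via
    # call [imm32] elsewhere, or never referenced) until we leave the import pointers.
    while start >= 4 and is_import_pointer(dword_at(data, start - 4), image_base, image_size):
        start -= 4
    # Walk forwards: more pointers extend the table; a single zero dword is a DLL
    # terminator and is kept only if another DLL's block follows it.
    while end + 4 <= len(data):
        v = dword_at(data, end)
        if is_import_pointer(v, image_base, image_size):
            end += 4
            continue
        if v == 0:
            end += 4                                   # terminating zero of this DLL's block
            if end + 4 <= len(data) and is_import_pointer(dword_at(data, end), image_base, image_size):
                continue                               # next DLL's thunks follow the separator
        break
    return start, end - start


def build_sample_dump():
    """Constructed toy dump, not a real executable: code at RVA 0x1000, IAT at RVA 0x2000."""
    img = bytearray(IMAGE_SIZE)
    code = (
        b"\xff\x25" + struct.pack("<I", 0x402004)      # jmp  dword ptr [402004]
        + b"\xff\x25" + struct.pack("<I", 0x402008)    # jmp  dword ptr [402008]
        + b"\xff\x15" + struct.pack("<I", 0x402014)    # call dword ptr [402014]
        + b"\xff\x25" + struct.pack("<I", 0x402010)    # jmp  dword ptr [402010]
        + b"\xff\x25" + struct.pack("<I", 0x12345678)  # decoy: FF 25 in data, operand outside image
    )
    img[0x1000:0x1000 + len(code)] = code
    # kernel32-style block (3 slots), zero terminator, user32-style block (2 slots), terminator.
    # The pointer values are made up; real ones would be the DLL functions' addresses.
    iat = struct.pack("<7I", 0x77E51234, 0x77E55678, 0x77E59ABC, 0, 0x77D3AAAA, 0x77D3BBBB, 0)
    img[0x2000:0x2000 + len(iat)] = iat
    return bytes(img)


if __name__ == "__main__":
    dump = build_sample_dump()
    for off, mnem, target in scan_indirect_jumps(dump):
        print(f"{off:08X}: {mnem} dword ptr [{target:08X}]")
    rva, size = locate_iat(dump)
    print(f"IAT RVA {rva:08X} (VA {IMAGE_BASE + rva:08X}), size {size:#x}")
```

Run it on a real dump by replacing `build_sample_dump()` with `open("DUMP.EXE", "rb").read()` and setting IMAGE_BASE / IMAGE_SIZE from the PE optional header. The stubs in the sample never reference the first slot (0x402000) or the first user32 slot (0x40200C), which is exactly the case where "first occurrence" alone under-reports the start, so the backward/forward walk matters; the RVA and size it prints are what you would give ImportREC or a manual import rebuild.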