cooper
November 22nd, 2003, 10:48
Hi!
I need some experienced guys to correct me or give some advice.
It's all about unpacking files packed with FSG 1.33.
As a target I took this crackme coded in Asm: http://biw.rult.at/crackmes/magic.zip?PHPSESSID=97b76669a143df580a19484e66e8737c
So first I packed it with FSG 1.33,
opened the packed file with OllyDbg and stopped at 459F1F.
Here I simply scrolled down and found the cond jump above at 00459FC1:
je 00401000 - it is the OEP for sure.
So the 1st question: is there a better way to find this jump
than scrolling down and looking for it?
Breakpoint at this line and run the program until the jump is taken,
then step into, and at this moment full dump with LordPE.
Change the dump EP to RVA 1000.
Next, fixing the import - I used ImportREC:
change OEP to 1000 => IAT AutoSearch => Get Imports.
It found all functions with no problems.
I don't like creating a new section, so I unchecked this option.
Looking at the dump with LordPE, the Import Table is at RVA 00059FE5,
but it's almost the end of the file - not enough space for the import.
I decided to change the RVA of the Import Table to 00002280 (where I found empty space)
and the size to 23C.
Now the import is fixed!
But..
is there something I've done wrong, or let's say something that could be done better?
Btw, what is the better way to make the size of the dump less?
What about making the dump cleaner and neater - like it was before packing?
Thank you.
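Added example (not the poster's tooling, nor LordPE's or ImportREC's code): a dependency-free Python checker for the import-directory step described in the post. It reads the Import Directory entry of a dump the way LordPE shows it, converts the RVA to a file offset, reports whether the table actually fits inside the file, finds a run of zero bytes large enough to hold it, and rewrites the directory entry. The one-section PE32 built by sample_pe() is constructed for the demo; its section layout and directory values are assumptions, not taken from the crackme.

```python
import struct
IMPORT_DIR = 1    # IMAGE_DIRECTORY_ENTRY_IMPORT index in the DataDirectory array
DATADIR_OFF = 96  # DataDirectory begins 96 bytes into a PE32 optional header

def _layout(data):
    """Return (optional header offset, [(vsize, va, raw_size, raw_off), ...])."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    nsec, opt_size = struct.unpack_from("<H12xH", data, e_lfanew + 6)
    opt = e_lfanew + 24  # 40-byte section headers follow the optional header
    return opt, [struct.unpack_from("<8xIIII", data, opt + opt_size + 40 * i) for i in range(nsec)]

def rva_to_offset(data, rva):
    """Map an RVA to a file offset through the section table (headers map 1:1)."""
    _, secs = _layout(data)
    for vsize, va, raw_size, raw_off in secs:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_off
    return rva if secs and rva < secs[0][1] else None

def import_dir(data):
    """(rva, size) of the import directory entry, the numbers LordPE displays."""
    return struct.unpack_from("<II", data, _layout(data)[0] + DATADIR_OFF + 8 * IMPORT_DIR)

def import_dir_fits(data):
    """True when the whole import directory lies inside the file's raw data."""
    rva, size = import_dir(data)
    off = rva_to_offset(data, rva)
    return off is not None and off + size <= len(data)

def find_zero_run(data, size):
    """RVA of the first run of `size` zero bytes inside a section's raw data, else None."""
    for _, va, raw_size, raw_off in _layout(data)[1]:
        idx = data.find(b"\0" * size, raw_off, raw_off + raw_size)
        if idx != -1:
            return va + idx - raw_off
    return None

def set_import_dir(data, rva, size):
    """Copy of `data` with the import directory entry repointed to rva/size."""
    out = bytearray(data)
    struct.pack_into("<II", out, _layout(data)[0] + DATADIR_OFF + 8 * IMPORT_DIR, rva, size)
    return bytes(out)

def sample_pe():
    """Constructed one-section PE32 (assumed layout) whose import entry runs past end of file."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<II", opt, DATADIR_OFF + 8 * IMPORT_DIR, 0x13E0, 0x23C)
    sec = struct.pack("<8sIIII", b".text", 0x400, 0x1000, 0x400, 0x200) + b"\0" * 16
    return (dos + coff + opt + sec).ljust(0x200, b"\0") + b"\xCC" * 0x40 + b"\0" * 0x3C0
```

Repointing the directory entry only changes the header; the import descriptors and name tables still have to be written at the new RVA (ImportREC does that where you tell it), which this block does not do.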