0rp
May 11th, 2004, 18:53
k, i have a selfdecrypting dll, decrypted and bped at its oep.
if i use procdump to dump this instance, it doesn't work (DllMain returns FALSE). why does procdump LoadLibrary this image instead of doing some ReadProcessMemorys ? however, if i use other tools, i get a image, but this dump does not work.
i searched the forum and found some tricks (double load the same image, and diff them to get reloc differences), but i did not find a complete tutorial.
are there some tuts about this topic?
thx a lot
if i use procdump to dump this instance, it doesn't work (DllMain returns FALSE). why does procdump LoadLibrary this image instead of doing some ReadProcessMemorys ? however, if i use other tools, i get a image, but this dump does not work.
i searched the forum and found some tricks (double load the same image, and diff them to get reloc differences), but i did not find a complete tutorial.
are there some tuts about this topic?
thx a lot