cooper
June 15th, 2004, 04:21
Anyone has studied the unpacking algo?
so as for me I did it the following way:
look for 95 8B 07 40 78 bytes
-------
XCHG EAX,EBP
MOV EAX,DWORD PTR DS:[EDI]
INC EAX
-------
look down 8 bytes for
JMP DWORD PTR DS:[EBX+C]
set bp after break step into oep
tested on many executables - works fine.
here is amy script for ollydbg
// FSG 2.0 OEP Finder
// by cooper @ http://www.woodmann.net
var x
findop eip, #958B0740#
mov x, $RESULT
add x,8
bp x
run
sto
bc x
cmt eip, "This is the entry point"
ret
also add to userdb.txt of peid if you use it:
[FSG v2.0->bart/xt]
signature = 87 25 ?? ?? ?? 00 61 94 55 A4 B6 80 FF 13
ep_only=true
so as for me I did it the following way:
look for 95 8B 07 40 78 bytes
-------
XCHG EAX,EBP
MOV EAX,DWORD PTR DS:[EDI]
INC EAX
-------
look down 8 bytes for
JMP DWORD PTR DS:[EBX+C]
set bp after break step into oep
tested on many executables - works fine.
here is amy script for ollydbg
// FSG 2.0 OEP Finder
// by cooper @ http://www.woodmann.net
var x
findop eip, #958B0740#
mov x, $RESULT
add x,8
bp x
run
sto
bc x
cmt eip, "This is the entry point"
ret
also add to userdb.txt of peid if you use it:
[FSG v2.0->bart/xt]
signature = 87 25 ?? ?? ?? 00 61 94 55 A4 B6 80 FF 13
ep_only=true