friedo
June 21st, 2004, 18:54
Hello.
I am a newbie in unpacking, read some tuts and just dumped a file (Armadillo 3.00a - 3.61 -> Silicon Realms Toolworks) now, but there's something mysterious going on here or I made a mistake.
Everything seems to be equal to Ricardo's Armadillo Tut part 1 (of course with another application and correct stack addresses etc.), but the first thing was that LordPE comes up with a message that some areas were filled with zeros because of no access (I am using Win XP).
Anyway, the start of my dump looks unencrypted (and other areas also because many strings are readable too):
005EFC83 >55 push ebp
005EFC84 8BEC mov ebp, esp
005EFC86 6A FF push -1
005EFC88 68 E0606700 push test.006760E0
005EFC8D 68 F0665F00 push test.005F66F0
005EFC92 64:A1 00000000 mov eax, [dword fs:0]
005EFC98 50 push eax
005EFC99 64:8925 00000000 mov [dword fs:0], esp
005EFCA0 83EC 58 sub esp, 58
005EFCA3 53 push ebx
005EFCA4 56 push esi
005EFCA5 57 push edi
005EFCA6 8965 E8 mov [dword ss:ebp-18], esp
005EFCA9 FF15 48813402 call near [dword ds:2348148]
-----------------------------------------------------------
005EFCAF 33D2 xor edx, edx
005EFCB1 8AD4 mov dl, ah
1. OllyDbg can open the dumped exe but tells me that the entry seems to be outside of code (but points to oep=5efc83)
2. 0x234814 should be an address of the IAT but it points somewhere OllyDbg cannot access.
q1:
So is this an error in dumping, or has somebody else ever had such a phenomenon?
q2:
Can I fix this dump in some way or do I have to repeat the dump procedure?
q3:
Any hints on how to solve this and get a correct dump?
regards,
friedo