
Sense of tracing in unpacking


Joda
July 3rd, 2001, 12:43
Hi all.

As always I'm going to prove with the following question that I am a newbie.
It's the following:

When I read about manual unpacking, I see that I have to trace or bp myself to the original program entry point. Well, that makes sense to me, but - then I dump from 00400000 to 004***** - uhm?
I don't understand why I have to trace to the OEP, breakpoint on it and then dump - I miss the connecting line between those two acts.
If I just dump a program in memory that is already unpacked there, why do I need to find the entry point first - I could then just bp on any API inside the prog and dump from there. Hmm.

Help and tutorial tips are welcome - guess I'm just not able to see the wood for the trees.

cya

Joda

CoDe_InSiDe
July 3rd, 2001, 13:28
Hi Joda,

Well, the first thing is to find the OEP so that when you have dumped the file you can fix the PE header to make it run, but I think you already understand this.
And about just breaking on any API in the program: of course you can do that, but then you don't have a "clean" dump, because the program has changed a lot of values and stuff around (probably).
So the main thing is to first find the OEP (because then you know where the original file "really" begins), and when you're at the OEP dump the file, then fix the file.
So there won't be any values changed and you have a "clean" dump, heh.
I hope you understand me.

Cya...

CoDe_InSiDe
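The "fix the PE header" step from the reply above, as an added example that is not code from the thread or from either poster: after tracing to the OEP and dumping the image from memory, the dump's AddressOfEntryPoint still points at the packer stub, and its section table still describes the packed file's on-disk layout rather than the in-memory layout that was dumped. The script below patches both: it converts the OEP virtual address to an RVA (OEP minus ImageBase) and writes it into the optional header, then sets every section's PointerToRawData and SizeOfRawData equal to its VirtualAddress and VirtualSize so the memory dump loads as a file. The PE image it operates on is constructed in the script (a synthetic PE32 with a .text section and a .packed stub section at image base 00400000, the base mentioned in the question); the function and offset names are my own, not from any tool.

```python
import struct

IMAGE_BASE = 0x400000  # constructed: the 00400000 base from the question


def _build_constructed_image():
    """Build a synthetic in-memory PE32 image that mimics a packed program:
    entry point in the packer stub (.packed), original code in .text.
    Constructed sample data for this example, not a real binary."""
    image = bytearray(0x4000)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x40)                 # e_lfanew
    image[0x40:0x44] = b"PE\0\0"
    # COFF header: Machine=i386, 2 sections, SizeOfOptionalHeader=0xE0 (PE32)
    struct.pack_into("<HHIIIHH", image, 0x44, 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = 0x58
    struct.pack_into("<H", image, opt, 0x10B)                 # PE32 magic
    struct.pack_into("<I", image, opt + 16, 0x3000)           # AddressOfEntryPoint -> packer stub
    struct.pack_into("<I", image, opt + 28, IMAGE_BASE)       # ImageBase
    struct.pack_into("<I", image, opt + 32, 0x1000)           # SectionAlignment
    struct.pack_into("<I", image, opt + 36, 0x200)            # FileAlignment
    struct.pack_into("<I", image, opt + 56, 0x4000)           # SizeOfImage
    struct.pack_into("<I", image, opt + 60, 0x400)            # SizeOfHeaders
    sec = opt + 0xE0
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData (file layout)
    struct.pack_into("<8sIIII", image, sec, b".text", 0x2000, 0x1000, 0x2000, 0x400)
    struct.pack_into("<8sIIII", image, sec + 40, b".packed", 0x1000, 0x3000, 0x1000, 0x2400)
    return bytes(image)


def pe_layout(image):
    """Return (optional_header_offset, image_base, section_table_offset, n_sections).
    Handles PE32 (magic 0x10B) and PE32+ (magic 0x20B)."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (missing PE signature)")
    n_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                       # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
    elif magic == 0x20B:
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    return opt, image_base, opt + opt_size, n_sections


def fix_dumped_pe(image, oep_va):
    """Patch a memory dump so it loads from disk: point the entry point at the
    OEP found by tracing, and make each section's file layout equal its memory layout."""
    opt, image_base, sec_table, n_sections = pe_layout(image)
    if not (image_base <= oep_va < image_base + len(image)):
        raise ValueError("OEP 0x%X lies outside the dumped image" % oep_va)
    out = bytearray(image)
    # AddressOfEntryPoint is an RVA, so subtract the image base from the traced VA
    struct.pack_into("<I", out, opt + 16, oep_va - image_base)
    for i in range(n_sections):
        hdr = sec_table + 40 * i
        vsize, va = struct.unpack_from("<II", out, hdr + 8)
        # In a memory dump the raw data already sits at its virtual address
        struct.pack_into("<II", out, hdr + 16, vsize, va)   # SizeOfRawData, PointerToRawData
    return bytes(out)


def entry_point_rva(image):
    """Read AddressOfEntryPoint, used to confirm the patch."""
    return struct.unpack_from("<I", image, pe_layout(image)[0] + 16)[0]


def section_layout(image):
    """Return (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section."""
    _, _, sec_table, n = pe_layout(image)
    rows = []
    for i in range(n):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, sec_table + 40 * i)
        rows.append((name.rstrip(b"\0").decode(), vsize, va, rawsize, rawptr))
    return rows


if __name__ == "__main__":
    dump = _build_constructed_image()
    print("entry before fix: RVA 0x%X" % entry_point_rva(dump))
    fixed = fix_dumped_pe(dump, 0x401000)       # OEP found by tracing, as a VA
    print("entry after fix:  RVA 0x%X" % entry_point_rva(fixed))
    for row in section_layout(fixed):
        print(row)
```

The OEP is passed as the virtual address you stopped at in the debugger; the script does the VA-to-RVA conversion itself and refuses an address outside the dumped range. Import rebuilding, which a real dump usually also needs, is out of scope here.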

Joda
July 3rd, 2001, 14:58
Hi Code_Inside.

Uhm well - I guess that was too logical.

Thx for answering,

Joda