Bacchus
08-19-2009, 11:57 PM
Hello,
I've been reading quite a few tutorials lately about .NET reverse engineering, and I came across one that deals with unpacking. So I thought I would write a very small application, load it and then try to save it from memory.
I fired up WinDbg because it seems to be the only debugger that works on my Vista 64-bit, and I attached the debugger to my application. WinDbg displays the following:
ModLoad: 00000000`001d0000 00000000`001d8000 C:\Projects\UnpackTest\UnpackTest\bin\Debug\Unpack Test.exe
Next I fired up WinHex so I can dump the app. Going to the offset 1d0000 I can see the beginning of my app; however, offset 1d8000 comes up as invalid in WinHex. (Now I know that the app is 8k, so I can only assume 1d0000-1d8000 is exactly that, but I just can't figure out how to jump 8000 bytes from the first location in WinHex - the radio button option reading "relative to current position" is disabled.)
What am I doing wrong?
Thanks
EDIT: As a follow-up, I dumped 8000 bytes from 1d0000; however, when compared to the original, it appears that the end is missing and that there are some extra 0 bytes somewhere in the 8000 bytes I dumped. I guess I most likely just don't have enough knowledge to understand why this happened, but hopefully someone will shed some light.
Absolutely no one can help?
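The ModLoad range 001d0000-001d8000 is 0x8000 (32 KiB) of mapped image, which is larger than the file on disk because the loader places each section at SectionAlignment (0x2000 for a typical .NET assembly) rather than at the file's FileAlignment (0x200), so a raw dump contains zero-filled gaps and the same bytes sit at different offsets than in the file. The Python script below is an added example, not code from the thread; it uses a constructed section table resembling such a small assembly (not read from Unpack Test.exe) to model both layouts and to map a raw dump back to file layout by moving each section from its VirtualAddress to its PointerToRawData.

```python
# Added example (not from the thread): PE file layout vs in-memory layout, and
# how a raw memory dump is mapped back to the on-disk layout.
# The section table is constructed to resemble a tiny .NET assembly.

HEADER_SIZE = 0x200        # headers end at the first FileAlignment boundary
SIZE_OF_IMAGE = 0x8000     # mapped size, cf. 001d0000-001d8000 in the ModLoad line

# (name, VirtualAddress, PointerToRawData, SizeOfRawData); constructed values
SECTIONS = [
    (b".text",  0x2000, 0x0200, 0x1000),
    (b".rsrc",  0x4000, 0x1200, 0x0600),
    (b".reloc", 0x6000, 0x1800, 0x0200),
]
FILE_SIZE = max(raw + size for _, _, raw, size in SECTIONS)   # 0x1A00 on disk

def build_file_image() -> bytes:
    """Constructed stand-in for the file on disk: headers, then raw sections."""
    out = bytearray(FILE_SIZE)
    out[:4] = b"MZ\x90\x00"                          # recognisable header start
    for name, _va, raw, size in SECTIONS:
        out[raw:raw + size] = (name * size)[:size]   # filler tagged by section
    return bytes(out)

def map_to_memory(file_image: bytes) -> bytes:
    """What the loader does: headers at offset 0, each section at its VA.
    Bytes between sections are never written and stay zero."""
    mem = bytearray(SIZE_OF_IMAGE)
    mem[:HEADER_SIZE] = file_image[:HEADER_SIZE]
    for _name, va, raw, size in SECTIONS:
        mem[va:va + size] = file_image[raw:raw + size]
    return bytes(mem)

def unmap_dump(dump: bytes) -> bytes:
    """Reverse the mapping: copy each section from its VA back to its raw offset."""
    out = bytearray(FILE_SIZE)
    out[:HEADER_SIZE] = dump[:HEADER_SIZE]
    for _name, va, raw, size in SECTIONS:
        out[raw:raw + size] = dump[va:va + size]
    return bytes(out)

def first_mismatch(a: bytes, b: bytes) -> int:
    """Offset where a naive byte-for-byte compare first diverges (-1 if none)."""
    return next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), -1)

def padding_in_dump(dump: bytes) -> int:
    """Bytes in the mapped image that are not file content (the 'extra 0 bytes')."""
    return len(dump) - FILE_SIZE

if __name__ == "__main__":
    disk, dump = build_file_image(), map_to_memory(build_file_image())
    print(hex(len(disk)), hex(len(dump)), hex(first_mismatch(disk, dump)))
    print("round trip ok:", unmap_dump(dump) == disk)
```

Comparing the raw dump against the file byte for byte diverges at 0x200, exactly where the file has .text and the dump has alignment padding; only after unmapping do the two match.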