Reverse Engineering Asked by haxerl on February 22, 2021
I have a packed program. I have found the oep of the program but the problem is every call to the system dll like kernel32, user32, … change to a call to the heap. So the packer first allocate a big chunk of heap, copy the dll function to the heap and then instead of the call to dll it call the heap.
So my question is is there anyway to dump the heap to section? if not then how can i fix the iat in this situation?
Edit: After some experiments, i found that it use asprotect to pack. The iat got obfuscate, instead of call to the function it call to the heap and then the heap will jump to another heap which contain a part of the function and then jump to the real function. So the problem now boil down to how can i fix the iat for it to run? I did set hardware breakpoint on the time the iat create but the function doesn’t get written in the iat
Get help from others!
Recent Questions
Recent Answers
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP