I think it's a good chance for interested hackers to pay attention to this topic for a while. well, here is the story. ============================================================= I've been depacking a software for days and now I've got some interesting points about it that wanna share with you. The packer is actually another varient of Shrinker called Shrink 3.5 'cause of different OEP(0x00014C54) and OEP jump instruction that is CALL[EBP-20] instead of CALL[EBP-24]. well, I've obtained the OEP as been mentioned earlier and managed to jump to OEP and then stop there for dumping. But, before it was not straigthforward to get to the CALL as you have to pass 31 SE's to program until you get to the CALL to OEP. Now, the problem is after getting to OEP, I CAN NOT DUMP IT AS .SHRINK0 SECTION HAS BEEN PROTECTED. well, during the 31 exceptions, I've changed the .shrink0 section protection to FULL ACCESS and then I've managed to dump it. Now, another story raised. I've tried ImpRec to reconstruct the IAT of the program. but, when I've changed the EP to OEP in ImpRec it could not manage to find any dll. but, when I use loader EP then it works and finds all imports. maybe, when I change .shrink0 protection to FULL ACCESS then it starts something behind. tracing is not possible as there are many CALLS and CONDITIONAL JUMPS. but, I'm absolutely sure about OEP. by the way, one time I've dumped the unpacked program with ImpRec and it worked. but, concerning IAT, ImpRec could not find anything at OEP. I've tried all Olly Plugins available and they did not work. direct breakpoint on CALL[EBP-20] does not work either, so only sigle stepping and passing 31 exceptions to program works out and gets to the JMP to OEP. even ESP breakpoint technique does not work. so, any idea about this mother...? Thanks,:goofy:
