
[help] Unpacking VMP 3 C++ application

Topic created on: March 12, 2023 14:25 CDT by tejinaji.

Hello. I'm sorry if this is the wrong dir.
Please, can anyone help with placing the OEP?
As I understand it, I've found the original entry point, but when I'm trying to put it there I'm getting an Access Violation error.
Coz it tries to read the debug area in memory, which is not being dumped.

EDX 0x01305636 ------------> debug325:01305636

.text:0044A0D0 sub_44A0D0 proc near ; DATA XREF: .rdata:005AD3D8↓o
.text:0044A0D0 push ebp
.text:0044A0D1 mov ebp, esp
.text:0044A0D3 push 0FFFFFFFFh
.text:0044A0D5 push offset SEH_44A0D0
.text:0044A0DA mov eax, large fs:0
.text:0044A0E0 push eax
.text:0044A0E1 mov large fs:0, esp
.text:0044A0E8 sub esp, 0C08h
.text:0044A0EE push ebx
.text:0044A0EF push esi
.text:0044A0F0 push edi
.text:0044A0F1 mov dword_FFFFFFF0[ebp], esp
.text:0044A0F4 mov esi, ecx
.text:0044A0F6 mov edx, [esi+74h]
.text:0044A0F9 mov edi, edx
.text:0044A0FB or ecx, 0FFFFFFFFh
.text:0044A0FE xor eax, eax

.text:0044A100 repne scasb <-------- right there I'm getting access_violation_error coz debug325:01305636 does not exist in the dumped exe

.text:0044A102 not ecx
.text:0044A104 dec ecx
.text:0044A105 cmp ecx, 2
.text:0044A108 jbe short loc_44A11B
.text:0044A10A push edx
.text:0044A10B call sub_449DA0
.text:0044A110 add esp, 4
.text:0044A113 test eax, eax
.text:0044A115 jz loc_44A4DC
.text:0044A11B
.text:0044A11B loc_44A11B: ; CODE XREF: sub_44A0D0+38↑j
.text:0044A11B call j_mfc42_1205
.text:0044A120 push 0
.text:0044A122 call j_mfc42_1134
.text:0044A127 add esp, 4
.text:0044A12A push 0
.text:0044A12C lea eax, [esi+0C4h]
.text:0044A132 push eax
.text:0044A133 lea ecx, [esi+0D4h]
.text:0044A139 push ecx
.text:0044A13A call j_gdiplus_GdiplusStartup
.text:0044A13F mov ecx, esi
.text:0044A141 call j_mfc42_2621
.text:0044A146 call sub_44A030
.text:0044A14B push 0
.text:0044A14D lea ecx, dword_FFFFF400[ebp]
.text:0044A153 call sub_44C0D0
.text:0044A158 mov dword_FFFFFFFC[ebp], 0
.text:0044A15F lea edx, dword_FFFFF400[ebp]
.text:0044A165 mov [esi+20h], edx
.text:0044A168 mov eax, [esi+74h]
.text:0044A16B push eax
.text:0044A16C lea ecx, dword_FFFFFEA4[ebp]
.text:0044A172 call j_mfc42_860
.text:0044A177 mov byte ptr dword_FFFFFFFC[ebp], 1
.text:0044A17B lea ecx, dword_FFFFF400[ebp]
.text:0044A181 call j_mfc42_2514
.text:0044A186

No posts found under this topic.
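
The post attributes the access violation to `repne scasb` scanning from an address (EDX = 0x01305636, shown as `debug325`) that the poster reports is not present in the dumped exe. As an added example, not part of the original post, the Python below parses a PE32 section table and reports which section, if any, backs a given virtual address. The sample headers, the image base of 0x00400000 and the section sizes are constructed for illustration, and `build_sample_pe32`, `parse_sections` and `backing_section` are hypothetical helper names.

```python
import struct

def build_sample_pe32(image_base, sections):
    """Constructed PE32 headers only (no section data) so the example runs offline."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew lives at 0x3C
    opt = bytearray(224)                                  # usual PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                 # optional header magic: PE32
    struct.pack_into("<I", opt, 28, image_base)           # ImageBase field
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, rva, 0, 0, 0, 0, 0, 0, 0)
        for name, rva, vsize in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table

def parse_sections(pe):
    """Return [(name, va_start, va_end)] from the section table of a PE32 image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, nt + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, nt + 20)[0]   # SizeOfOptionalHeader
    opt = nt + 24
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("not a PE32 (32-bit) optional header")
    base = struct.unpack_from("<I", pe, opt + 28)[0]
    out = []
    for i in range(nsec):                                 # each section header is 40 bytes
        name, vsize, rva = struct.unpack_from("<8sII", pe, opt + opt_size + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"),
                    base + rva, base + rva + vsize))
    return out

def backing_section(pe, va):
    """Name of the section whose virtual range contains va, or None."""
    for name, start, end in parse_sections(pe):
        if start <= va < end:
            return name
    return None

# Constructed layout; for a real dump, read the file's bytes instead.
SAMPLE = build_sample_pe32(0x00400000, [(b".text", 0x1000, 0x1AC000),
                                        (b".rdata", 0x1AD000, 0x20000)])

if __name__ == "__main__":
    for va in (0x0044A100, 0x005AD3D8, 0x01305636):
        print(f"{va:#010x} -> {backing_section(SAMPLE, va) or 'not backed by any section'}")
```

An address that resolves to no section was never part of the image on disk, so the dump has no bytes for it.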