[DiscordArchive] after binary patching, what breaks?
Archived author: ZaDarkSide • Posted: 2023-03-10T16:34:38.895000+00:00
well I was talking about packing/unpacking, as in: if you use for example UPX, you can pack the executable. In this case it's just compression, no encryption. You write a loader that unpacks the compressed data in memory and runs it, but you can unpack it and run the unpacked version instead.
Archived author: Fabian • Posted: 2023-03-10T16:34:41.002000+00:00
they are part of unpacking many other things (mostly related to the entrypoint, anti debugging etc.)
Archived author: ZaDarkSide • Posted: 2023-03-10T16:35:36.921000+00:00
so you must unfuck the entrypoint, remove the checks, and it should work unpacked?
Archived author: Fabian • Posted: 2023-03-10T16:35:53.925000+00:00
no
Archived author: Fabian • Posted: 2023-03-10T16:36:57.829000+00:00
you have to fully rebuild the process that the WoW client goes through before reaching the entrypoint when unpacked
Archived author: Fabian • Posted: 2023-03-10T16:37:04.059000+00:00
that is MUCH work
Archived author: Fabian • Posted: 2023-03-10T16:37:20.034000+00:00
and even then it most likely won't run unpacked
Archived author: Fabian • Posted: 2023-03-10T16:37:29.168000+00:00
many things there rely on your current base address etc.
Archived author: ZaDarkSide • Posted: 2023-03-10T16:38:04.237000+00:00
from my understanding any program that is executed in memory is automatically unpacked/unencrypted etc. You can dump the unpacked/unencrypted version from memory back to another binary, then you need to do some fixups, like rebuilding the IAT, recalculating RVAs, removing some checks etc.
Archived author: Fabian • Posted: 2023-03-10T16:38:08.975000+00:00
So don't even try that, you won't be successful xD