Today I am going to continue my previous tutorial, in which we repaired the import table of a PE dumped from memory.
If you try to run the dumped PE, you will find that the application does not run properly: it exits right after starting. This happens because the process we dumped from memory has the wrong original entry point (OEP), which is normal for a packed PE.
How to detect the original entry point?
If you open the dump in IDA, it shows that the code jumps to an address IDA has not identified as code, because nothing has been defined at that memory address at analysis time. We can assume that this is the original application entry point. Here I use the UPX packer.
We can also use IDA's flow chart to identify where code execution stops. Check unk_411659.
We can set a breakpoint just before the call to unk_411659 (shown as ptr byte_411659) and run the application in debug mode.
When the breakpoint hits, we can check the address it points to, because the address of the unpacked code has been written at runtime; we can assume this is the new original entry point.
If we double-click byte_411659, we go to that address, as shown below.
We are now in the data section, where we can convert the bytes into code by pressing "C" or by going to the Edit menu and selecting Code.
Now it looks like this, which is more interesting.
Now we know that this is the original entry point of the unpacked application in memory.
With the help of Scylla, we can now fix our dump with the OEP that we got from IDA, which is 00411659.
When we fix the dump, the new entry point is written to the PE header. If we open the result in PEStudio, we can see that the Entry-Point has been updated.
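To check the header change without PEStudio, here is an added Python example (not part of the original tutorial, and not Scylla's code) that reads AddressOfEntryPoint from a PE32 or PE32+ optional header and rewrites it from a virtual address such as the 00411659 found above. The sample header bytes, the packer-stub entry value 0x1F000 and the ImageBase of 0x400000 are constructed for the demonstration.

```python
import struct

def _nt_header_offset(data: bytes) -> int:
    """Locate the PE signature via e_lfanew at DOS header offset 0x3C."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    return e_lfanew

def read_entry_point(data: bytes) -> tuple:
    """Return (ImageBase, AddressOfEntryPoint RVA) from the optional header."""
    opt = _nt_header_offset(data) + 4 + 20  # skip signature + IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:    # PE32: 32-bit ImageBase at offset 28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:  # PE32+: 64-bit ImageBase at offset 24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return image_base, entry_rva

def set_entry_point(data: bytes, oep_va: int) -> bytes:
    """Return a copy with AddressOfEntryPoint set to the RVA of oep_va (oep_va - ImageBase)."""
    image_base, _ = read_entry_point(data)
    rva = oep_va - image_base
    if rva < 0:
        raise ValueError("OEP lies below ImageBase")
    buf = bytearray(data)
    struct.pack_into("<I", buf, _nt_header_offset(data) + 4 + 20 + 16, rva)
    return bytes(buf)

def build_sample_pe() -> bytes:
    """Constructed minimal PE32 header: DOS header, PE signature, file header, optional header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> right after the DOS header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1F000)   # entry still points at the packer stub (constructed)
    struct.pack_into("<I", opt, 28, 0x400000)  # ImageBase (constructed)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)

if __name__ == "__main__":
    fixed = set_entry_point(build_sample_pe(), 0x411659)
    print("ImageBase=0x%X EntryPoint RVA=0x%X" % read_entry_point(fixed))
```

Run the same read_entry_point check on the file Scylla produced to confirm the RVA equals 0x11659 (00411659 minus the image base).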