Post Reply 
 
Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Help Finding VA_DecryCall and VA_DecryCallCore
04-08-2016, 05:02 AM
Post: #1
Help Finding VA_DecryCall and VA_DecryCallCore
Hello,

I'm trying "IC 4.3 5.2 StringDecryptScript LabelsOllyDebug" for newer loader but after few days searching I can't find correct offset for VA_DecryCall and VA_DecryCallCore can anyone help me how to find it.

Thanks.
Find all posts by this user
Quote this message in a reply
07-26-2016, 05:36 PM
Post: #2
RE: Help Finding VA_DecryCall and VA_DecryCallCore
Oh dear thats years now.

Well in the beginning you use the script with the old and original version it was supposed to be used.

Load the Dll twice in olly. The base adress should stay the same.
If it's changing it's because of ASLR
Disable it using EMET.

Well VA_DecryCall is the adress of the Call that does the string decryption.
You may find that easy while debugging the ioncube dll and come across encrypted strings.
Find all posts by this user
Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 2 Guest(s)

Contact Us | Homepage | Return to Top | Return to Content | Lite (Archive) Mode | RSS Syndication