Threaded Mode | Linear Mode

***cw2k*** · 02-01-2018, 11:02 AM

(03-28-2016 10:30 PM)krafg Wrote: Dumping Failed!

(03-28-2016 10:30 PM)krafg Wrote: Well the common major two's problem for that are
* When started the file isn't loaded into memory
->you didn't turn off the dll-flag in the PE-Header to turn it into some 'real' exe

Hmm hard to tell if the exe was load since windows 7 errormessage on loading some exe got suppressed. But if you can make it crash as written in the next step i'll imply that exe was load and started so it can crash.
* that the exe quits to early for the dumper.
dome Simple but dirty trick for that maybe to use LordPE's Break and enter.
when you see 'Click on OK to restore original file state...' don't click ok but try to dump it with dup2 now.
Some other ways to that'll have the same effect:
* change the flags for .text from 0xE0000020 to 0x000000 what means NoAccess or set rawsize to 0
* Fill whole .text section with 0x00 or 0xCC or
* manually place some 0xCC (or 0xEB FE) at the OEP or
* to fix the OEP so it points to the adress of export 'loadPatcher'()

3. (Unpack it)? Whats means?

Well normal patch.exe is mostly packed with UPX an runtime packer. (Image a SFX-Zip that is all the time for ran just extracted into memory)
with some luck "Upx.exe -d packed.exe" might work.
Some other option for unpack UPX may be PEExplorer. Open the patched.exe /check log output and if it says all okay save the it to unpacked.exe

However I elobarated the steps unpacking is not need anymore.