It seems to me that the original code has been unpacked to the 0x400000 memory range…. An interesting thing to note is EAX (the OEP) after calling 0x006f1105. Interestingly, after calling the function the memory map gets filled with tons of stuff. So far there is nothing of interest here… Figure 4. Now let's take a look at the memory map (figure 4). On hitting the breakpoint, we can see that 0x6F10CA had been modified. The code doesn't look right… Perhaps we could place a breakpoint and look into it. Tracing the jmp instructions brings us to the figure below. Looking at IDA Pro, we can see the following jmp instruction at the end of the graph.