Softice newbie, packed win32 exe question.
From: Vinay (devnull001_at_fastmail.fm)
Date: 09/23/04
Date: 23 Sep 2004 00:52:41 -0700
(First off, I need this towards malware analysis, not cracking s/w
protection.)

I have only recently started using SI. I need to use a plug-in that
works only for SI (for an unpacking+reverse engineering project). I
have an exe packed with UPX compression. I could step through it
easily using Visual Studio and some other debuggers. However, I simply
can't get SI to break at the PE entry-point 0x40xxxx address at all. I
loaded it through the Symbol Loader which first complains that it has
no debug info - which is fine. Then it immediately executes the binary
without breaking at the entry-point - how do I break it at that entry
point? (I could perhaps break it at some API calls later in the
process' execution, but I really need to break at the entry point of
the PE exe file, not later). This process works just fine with the
unpacked version of the exe - it correctly drops into SI saying
"breakpoint by symbol loader".

Also, I couldn't find any equivalent of "pause", "continue" and
"restart" in SI (yet, and I looked quite hard in the docs). How do I
do these?

I have spent several hours searching on Google/SI docs for info, but
couldn't find any yet, and decided to post on a few Win32 groups.
Do let me know if you do..

Thanks a lot in advance!
Vinay.