![]() Qint64 nNWAddress=findSignature(nImageBase,nImageSize,"8B4024C1E81FF7D083E001") I am using the trick in my projects to fix it if(pDumpOptions->bPatchNWError6002) ![]() xvlk:0045A5AE sub eax, offset _ImageBase xvlk:0045A56A push offset _except_handler4 xvlk:0045A560 _IsNonwritableInCurrentImage proc near CODE XREF: _except_handler4+FF p PEFL_WRITE of osection.flags), and make it ro again. only so we must make it rw, fix the flags (i.e. And the page on which the PE header is stored is read UPX0 & UPX1 in the compressed files, so we have to patch the PE header These supposed to be read only addresses are covered by the sections like not running the floating point initialization code - the result ![]() If this check fails the runtime does "interesting" things still in a read only section by looking at the pe header of the section then it compiles in a runtime check whether that data is C runtime library which references some data in a read only When the compiler detects that it would link in some code from its There is some info in UPX sources: // This works around a "protection" introduced in MSVCRT80, which Sometimes we can unpack protected executables in Windows but there is a runtime error Microsoft Visual C++ Runtime Library
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |