#1
Hello,

I've been reading quite a few tutorials lately about .NET reverse engineering and I came across one that deals with unpacking. So I thought I would write a very small application, load it and then try to save it from memory. I fired up WinDbg because it seems to be the only debugger that works on my Vista 64-bit, and I attached the debugger to my application. WinDbg displays the following:

ModLoad: 00000000`001d0000 00000000`001d8000 C:\Projects\UnpackTest\UnpackTest\bin\Debug\Unpack Test.exe

Next I fired up WinHex so I can dump the app. Going to the offset 1d0000 I can see the beginning of my app, however offset 1d8000 comes up as invalid in WinHex. (Now I know that the app is 8k, so I can only assume 1d0000-1d8000 is exactly that, but I just can't figure out how to jump 8000 bytes from the first location in WinHex - the radio button option reading "relative to current position" is disabled.)

What am I doing wrong? Thanks

EDIT: As a follow up I dumped 8000 bytes from 1d0000, however when compared to the original it appears that the end is missing and that there are some extra 0 bytes somewhere in the 8000 bytes I dumped. I guess I just most likely don't have enough knowledge to understand why this happened, but hopefully someone will shed some light.

Absolutely no one can help?

Last edited by Git : 08-20-2009 at 06:36 AM.
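The range WinDbg prints in its ModLoad line runs from the image base to base + SizeOfImage, and in memory the loader places each section at its RVA (rounded to SectionAlignment, usually 0x1000) instead of at its raw file offset (rounded to FileAlignment, usually 0x200), which is why a memory dump shows zero padding between sections and a different end than the file on disk. The Python below is an added example, not code from this thread: it builds a constructed minimal PE32 (not a real program), simulates how the loader maps it, and rebuilds the file layout from a dump of the whole module range.

```python
import struct

def pe_headers(data: bytes):
    """Parse enough of the PE headers to relate section RVAs to file offsets."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)      # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20) # SizeOfOptionalHeader
    opt = e_lfanew + 24                                       # optional header start
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    secs = []
    for i in range(nsec):                                     # IMAGE_SECTION_HEADER is 40 bytes
        name, _, rva, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + i * 40)
        secs.append((name.rstrip(b"\0"), rva, rawsize, rawptr))
    return size_of_headers, size_of_image, secs

def build_sample_pe() -> bytes:
    """Constructed minimal PE32 (not a real program): 0x200 of headers, two sections."""
    hdr = bytearray(0x200)
    hdr[:2], hdr[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                  # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, 0x84, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # COFF header
    opt = 0x98
    struct.pack_into("<H", hdr, opt, 0x10B)                  # PE32 magic
    struct.pack_into("<II", hdr, opt + 32, 0x1000, 0x200)    # SectionAlignment, FileAlignment
    struct.pack_into("<II", hdr, opt + 56, 0x3000, 0x200)    # SizeOfImage, SizeOfHeaders
    struct.pack_into("<8sIIII", hdr, opt + 0xE0, b".text", 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<8sIIII", hdr, opt + 0x108, b".rsrc", 0x400, 0x2000, 0x400, 0x400)
    return bytes(hdr) + b"T" * 0x200 + b"R" * 0x400           # constructed section contents

def map_image(file_data: bytes) -> bytes:
    """Simulate the loader: each section lands at its RVA, the gaps are zero-filled."""
    size_of_headers, size_of_image, secs = pe_headers(file_data)
    image = bytearray(size_of_image)
    image[:size_of_headers] = file_data[:size_of_headers]
    for _, rva, rawsize, rawptr in secs:
        image[rva:rva + rawsize] = file_data[rawptr:rawptr + rawsize]
    return bytes(image)

def unmap_image(image: bytes) -> bytes:
    """Rebuild the on-disk layout from a dump of the whole module range."""
    size_of_headers, size_of_image, secs = pe_headers(image)
    if len(image) < size_of_image:
        raise ValueError("dump shorter than SizeOfImage: dump the full module range")
    out = bytearray(max(rawptr + rawsize for _, _, rawsize, rawptr in secs))
    out[:size_of_headers] = image[:size_of_headers]
    for _, rva, rawsize, rawptr in secs:
        out[rawptr:rawptr + rawsize] = image[rva:rva + rawsize]
    return bytes(out)
```

For a real .NET module the same steps apply, but as the reply below notes, data the loader has already consumed (such as relocations) may not survive in the dump.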
#2
Hi,

Maybe your module is a native or mixed-mode one with relocations. Once loaded (and relocated), the relocation table is no longer needed, and may have been discarded by WinDbg.

Regards,
Phil.