In Immunity Debugger (OllyDbg) press ALT+M to view the memory maps and locate 00500000. From here you can right click and select Backup->Save data to file. Once you open this new file in IDA you will see that it is treated as a binary file but not a normal executable one (no PE headers, no exports/imports, etc). You will, however, see all the new functions in their decoded form. When you are pulling in code from parts of memory like this, IDA will not necessarily know what address the program is based at, and if it were to guess it would probably use 00400000 by default. In this case, however, it came from 00500000. The rebasing can be performed via the Edit->Segments->Rebase program option.
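
When the original address of a dump was not written down, it can often be recovered from the dump itself. The following is an added example, not code from the original post: it confirms the file has no PE headers and then votes for the 64 KiB-aligned base under which the most 32-bit values point back into the dump. The function names and the sample bytes are constructed for illustration, and it assumes a dump from a 32-bit user-mode process.

```python
import struct
from collections import Counter

ALIGN = 0x10000        # Windows allocation granularity (64 KiB)
USER_MAX = 0x80000000  # assumption: dump comes from a 32-bit user-mode process

def has_pe_headers(blob):
    """True if blob starts with MZ and e_lfanew points at a PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def guess_base(blob, min_hits=3):
    """Return the 64 KiB-aligned base under which most dwords point into the dump."""
    size, votes = len(blob), Counter()
    for off in range(size - 3):
        val = struct.unpack_from("<I", blob, off)[0]
        if not ALIGN <= val < USER_MAX:
            continue  # zero padding, small constants, kernel-range values
        # lowest aligned base b that satisfies b <= val < b + size
        base = max(-(-(val - size + 1) // ALIGN) * ALIGN, ALIGN)
        while base <= val:
            votes[base] += 1
            base += ALIGN
    if not votes:
        return None
    base, hits = votes.most_common(1)[0]
    return base if hits >= min_hits else None

def sample_dump():
    """Constructed sample: 0x2000 bytes of x86 code as dumped from 00500000."""
    blob = bytearray(b"\x90" * 0x2000)
    code = {
        0x010: b"\x68" + struct.pack("<I", 0x00500120),      # push 0x500120
        0x040: b"\xFF\x15" + struct.pack("<I", 0x00501A30),  # call [0x501A30]
        0x080: b"\xA1" + struct.pack("<I", 0x00500F44),      # mov eax, [0x500F44]
        0x0C0: b"\xFF\x25" + struct.pack("<I", 0x00501B58),  # jmp [0x501B58]
        0x100: b"\xBE" + struct.pack("<I", 0x0050076C),      # mov esi, 0x50076C
    }
    for off, ins in code.items():
        blob[off:off + len(ins)] = ins
    return bytes(blob)

if __name__ == "__main__":
    dump = sample_dump()
    base = guess_base(dump)
    print("PE headers present:", has_pe_headers(dump))
    print("likely base: %08X" % base)
    print("shift from the 00400000 default: %#x" % (base - 0x00400000))
```

The result is a heuristic: treat it as a candidate base and confirm it in the disassembly after rebasing, since absolute call and jump targets should then land on decoded functions.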