Runtime error C0000005 of an unpacked executable file [UPX 3.91+]


The problem manifests itself when trying to execute an unpacked executable file. The original file is packaged with UPX (3.91+) [modified], which is reported by Detect It Easy.


The unpacking process looked like this:

  • Using x64dbg the instructions were found:
    lea rax, qword ptr ss:[rsp-80]
    push 0
    cmp rsp, rax
    jne ***.7FF7181DAD39
    sub rsp, FFFFFFFFFFFFFF80
    jmp ***.7FF71816CE3C
  • A valid entry point was defined by jmp data: ***.7FF71816CE3C
  • Using the Scylla module, with an indication of the true entry point, a dump and a fix of the dump were made.

Note: there were 2 undefined imports when dumping, but I ignored them by deleting them.

After running the fixed dump, an error occurred:

EXCEPTION_DEBUG_INFO:
           dwFirstChance: 1
           ExceptionCode: C0000005 (EXCEPTION_ACCESS_VIOLATION)
          ExceptionFlags: 00000000
        ExceptionAddress: 00007FFF02E2C286 <ntdll>
        NumberParameters: 2
ExceptionInformation [00]: 0000000000000000 Read
ExceptionInformation [01]: 00007FF71818F2C0 Inaccessible Address
First attempt at exception at 00007FFF02E2C286 (C0000005, EXCEPTION_ACCESS_VIOLATION)!

I would also like to note that the original application did not want to fully work under the x64dbg debugger, just as it completed its work when it was attached to the process.

Sorry for the mistakes, I am still quite new and have only been doing this for the last 2 days. Thank you for your attention!

I think that the source file is protected from this, which is probably obvious, but I do not know what to do at all, and the desire to achieve the goal does not disappear.


Execution environment:

OS Name:                   Windows 10 Pro
OS Version:                10.0.19042 N/A Build 19042
System Type:               x64-based PC