
I've been following along with lena151's tutorials on reverse engineering and all is going well except for unpacking. I'm running OllyDbg on a 64-bit Windows 7 machine and it works fine, except that the EP is always "JMP 71B00000". After following the jump, an address is moved into EAX and then another one into ECX. A call is made to ECX and I get an exception that I can't pass to the program. This only happens when I step the code from the EP, though. Could anyone explain to me what this is?

YasirA
user1241223
  • You seem to be trying to unpack a packed EXE. These programs are highly optimized, and some are obfuscated and include anti-debugging code. Looking at the given instruction, you've likely stepped into a trap. – Jay Jul 22 '12 at 19:07
  • But even unpacked programs have this same EP. Could it be part of Windows? – user1241223 Jul 24 '12 at 20:11
  • I think you are seeing some anti-debugging technique in action. – jcopenha Jul 29 '12 at 20:26
  • Possible duplicate: http://stackoverflow.com/questions/11917336/ollydbg-incorrectly-replaces-lines-with-jmp-71b00000-in-win7x64 ? – M. Suleiman Mar 30 '13 at 08:09

1 Answer

OllyDbg cannot disassemble binaries for a 64-bit processor. I think you'd be better off with a virtual machine running an x86_32 system.

And from OllyDbg 2.0's page:

And once again: no, this version does not work under Win64!

M. Suleiman
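Since the answer turns on whether the target is a 32-bit or 64-bit PE image, a practical first check before loading anything into OllyDbg is to read the bitness and entry point RVA straight from the PE headers. The following is an added example, not code from the question, the answer or lena151's tutorials; it parses the DOS header, the COFF file header and the start of the optional header, and also builds two constructed sample images (one PE32, one PE32+) so it runs offline. The helper names `pe_bitness` and `build_sample_pe` are my own.

```python
import struct

# Machine and optional-header magic values from the PE/COFF specification
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x10B       # 32-bit optional header
PE32PLUS_MAGIC = 0x20B   # 64-bit optional header


def pe_bitness(data: bytes) -> dict:
    """Report machine type, image bitness and AddressOfEntryPoint of a PE image.

    Only the headers are read, so a truncated file or a raw header dump is enough.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ signature)")
    # e_lfanew at DOS header offset 0x3C points at the "PE\0\0" signature
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, _nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff_off
    )
    if opt_size < 20:
        raise ValueError("optional header too small to hold an entry point")
    opt_off = coff_off + 20
    magic = struct.unpack_from("<H", data, opt_off)[0]
    # AddressOfEntryPoint sits at offset 16 in both the PE32 and PE32+ optional headers
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    if magic == PE32_MAGIC:
        bits = 32
    elif magic == PE32PLUS_MAGIC:
        bits = 64
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:X}")
    return {
        "machine": machine,
        "bits": bits,
        "entry_rva": entry_rva,
        # OllyDbg only handles 32-bit x86 images (the point made in the answer)
        "olly_can_load": bits == 32 and machine == IMAGE_FILE_MACHINE_I386,
    }


def build_sample_pe(bits: int, entry_rva: int = 0x1000) -> bytes:
    """Construct a minimal header-only PE image (constructed sample, not a real file)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # 64-byte DOS header, e_lfanew = 0x40
    machine = IMAGE_FILE_MACHINE_I386 if bits == 32 else IMAGE_FILE_MACHINE_AMD64
    magic = PE32_MAGIC if bits == 32 else PE32PLUS_MAGIC
    opt_size = 0xE0 if bits == 32 else 0xF0
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0102)
    # Optional header prefix: Magic, linker major/minor, SizeOfCode,
    # SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint
    opt = struct.pack("<HBBIIII", magic, 14, 0, 0x200, 0x200, 0, entry_rva)
    opt += b"\0" * (opt_size - len(opt))
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    for bits in (32, 64):
        info = pe_bitness(build_sample_pe(bits))
        print(f"{bits}-bit sample: machine=0x{info['machine']:04X} "
              f"entry_rva=0x{info['entry_rva']:X} olly_can_load={info['olly_can_load']}")
```

Run it against a real file with `pe_bitness(open(path, "rb").read())`. If `olly_can_load` is false, OllyDbg is the wrong tool regardless of what it displays at the EP; if it is true, the reported `entry_rva` plus the image base is the address you should expect the debugger to stop at, which gives you a fixed reference point when the first instruction shown looks suspicious.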