Unpacking PeP Protector full 3h long

@unpacking @pep @protector @cracking @hacking @software @protection @bypass @realtarget
1:30 Bypass antidebug
3:30 Dealing with resources
15:55 The problem is absence of 'B' like I said but the number '134' is also needed so replacement is not correct
20:15 They are not enought dumped because in txt file we have to delete beginning of strings "name" because script for dumping cannot handle this
37:50 "Size of idata" I should say. We need this size and virtual address of .idata to compute .tls section virtual address
42:15 "Add the address of new section" Its not new section but old and we only change its parameters
50:25 This injection is needed only once to run the target and then we can dump it. Its needed because like I said the jmp/calls are relative and points to this big virtual address so we have to allocate and copy to this address our .idata(you remember we changed parameters for .idata in cff explorer thats why all of this)
54:35 Find OEP
56:48 Correct is 12FFC4 not "twenty"
1:04:15 Recover APIs in IAT
1:10:00 Repair jumps from code to IAT
1:15:40 Its ok I just look at the wrong address in the log
1:53:32 I added a marker to the cursor
2:01:55 I found problem in my script finally that was redundant instruction
2:05:05 Manually repairing some jump to IAT which script didnt make it
2:11:50 Get rid of duplicates APIs in IAT
2:13:45 I mean erun command
2:17:22 Call script for plugin by using build in scripting language in x32dbg. Call LenOfHex.
2:28:40 Need to be 8 but also can be 7 that doesnt make problem
2:29:30 run script in plugin that redirect jumps from code to only one api if the apis in IAT are duplicated and delete the duplicates
2:39:40 Prepare for making dump of image so we have to repair jumps from code section
2:50:20 Dumping image to exe
2:52:40 Adding resources in different way
2:57:45 Adding TLS section
3:04:15 Adding Import Table in Scylla
3:08:40 Adding OEP to dump