Tags: runpe
Rating: 5.0
Easy,
Run ProcHollow1.exe , bp on LoadResource
save loaded resource as childxxxxx.exe and run olly
bp on 00A4215D
the flag is written as byte sequences
00A4215D |. C685 94FEFFFF>MOV BYTE PTR SS:[EBP-16C],41
00A42164 |. C685 95FEFFFF>MOV BYTE PTR SS:[EBP-16B],52
...
--------------
or you can nop this call
00A422E5 |. E8 2AEDFFFF CALL ProcHoll.00A41014
and run
decrypted : ARIA_IS_GOOOD!~!
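The post recovers the flag by reading the immediates off a run of `MOV BYTE PTR SS:[EBP-xxx],imm` stores, a classic stack-string construction. The following script is an added example, not part of the post or the crackme, that automates that step: it parses OllyDbg-style listing lines, places each stored byte at its `[EBP+disp]` slot (little-endian for WORD/DWORD stores, which goes beyond the byte-only case in the post), and returns every contiguous printable run. The sample listing is constructed: the two lines quoted above are extended with the remaining stores implied by the decrypted flag (assuming 7-byte instructions and consecutive offsets), plus a NUL terminator and an unrelated DWORD/WORD pair to show those are handled too.

```python
import re
from typing import Dict, List

# Matches OllyDbg-style lines such as
#   00A4215D |. C685 94FEFFFF>MOV BYTE PTR SS:[EBP-16C],41
# capturing operand size, sign and magnitude of the EBP displacement, and
# the immediate (Olly prints all numbers in hex without a suffix).
STACK_STORE = re.compile(
    r"MOV\s+(BYTE|WORD|DWORD)\s+PTR\s+SS:\[EBP([+-])([0-9A-Fa-f]+)\],([0-9A-Fa-f]+)"
)
WIDTH = {"BYTE": 1, "WORD": 2, "DWORD": 4}


def collect_stack_bytes(listing: str) -> Dict[int, int]:
    """Map each stack slot (signed displacement from EBP) to the byte stored there."""
    slots: Dict[int, int] = {}
    for line in listing.splitlines():
        m = STACK_STORE.search(line)
        if not m:
            continue
        width = WIDTH[m.group(1).upper()]
        disp = int(m.group(3), 16)
        if m.group(2) == "-":
            disp = -disp
        imm = int(m.group(4), 16)
        # x86 immediates are little-endian: byte i of the value lands at disp + i.
        for i in range(width):
            slots[disp + i] = (imm >> (8 * i)) & 0xFF
    return slots


def recover_stack_strings(listing: str, min_len: int = 4) -> List[str]:
    """Return printable ASCII runs built on the stack, lowest address first.

    A run ends at a gap in the displacements or at a NUL byte; runs shorter
    than min_len or containing non-printable bytes are dropped.
    """
    slots = collect_stack_bytes(listing)
    found: List[str] = []
    run = bytearray()

    def flush() -> None:
        if len(run) >= min_len and all(0x20 <= c < 0x7F for c in run):
            found.append(run.decode("ascii"))
        run.clear()

    prev = None
    for disp in sorted(slots):
        if prev is not None and disp != prev + 1:
            flush()
        b = slots[disp]
        if b == 0:
            flush()
        else:
            run.append(b)
        prev = disp
    flush()
    return found


def build_sample_listing() -> str:
    """Constructed sample listing (not dumped from the real binary).

    Starts from the two lines quoted in the post and continues the pattern for
    the rest of the decrypted flag: each MOV BYTE PTR [EBP+disp32],imm8 is 7
    bytes long, so addresses step by 7 and the displacement rises by 1.
    """
    flag = b"ARIA_IS_GOOOD!~!"
    lines = []
    addr, disp = 0x00A4215D, -0x16C
    for ch in flag:
        enc = (disp & 0xFFFFFFFF).to_bytes(4, "little").hex().upper()
        lines.append(f"{addr:08X} |. C685 {enc}>MOV BYTE PTR SS:[EBP-{-disp:X}],{ch:02X}")
        addr += 7
        disp += 1
    enc = (disp & 0xFFFFFFFF).to_bytes(4, "little").hex().upper()
    lines.append(f"{addr:08X} |. C685 {enc}>MOV BYTE PTR SS:[EBP-{-disp:X}],0")  # NUL terminator
    # An unrelated string assembled with wider stores: "Hell" + "o\0".
    lines.append("00A42200 |. C785 E0FFFFFF>MOV DWORD PTR SS:[EBP-20],6C6C6548")
    lines.append("00A4220A |. 66:C785 E4FFFFFF>MOV WORD PTR SS:[EBP-1C],6F")
    return "\n".join(lines)


SAMPLE_LISTING = build_sample_listing()

if __name__ == "__main__":
    for s in recover_stack_strings(SAMPLE_LISTING):
        print(s)
```

Paste a copied Olly listing into `recover_stack_strings` and it prints each reconstructed string; sorting by displacement rather than by instruction address means the stores can appear in any order in the listing, which is the case when a compiler or packer interleaves them.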