Question: Checking the application

I know this is impossible, or may not be, like they said it is.

Kernel32.dll has a function FindFirstFileA with an RVA/EntryPoint of 00013559h.

I would like to know if the application has a block address of 00013559h and is using the function FindFirstFileA even if it was compressed by UPX or any compressor.

The application that I am analyzing/scanning is not running or launched in memory/on the computer.

What are the steps to be done in order to succeed in this test?

I am only giving 50 points for this question, and I will raise it if the answer is fine with me.

Answer: Checking the application

The application can use FindFirst via static binding or dynamic binding. If it's static binding, you can find the FindFirstFile function in the import section of the application header.

If it's dynamic binding, it's not easy. You have to analyze the code and data sections. At least you can find the FindFirstFile entry (by the way, it may be Unicode). Then you can try to find the code that works with this entry.

What if the exe file is compressed? I'm afraid you have to detect that and decompress it first.
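As an added example that is not part of the original answer: a small pure-Python reader for the PE import directory (the static-binding case the answer describes) plus a raw string scan for the dynamic-binding case, including the UTF-16 spelling the answer mentions. It builds its own constructed sample PE32 so it runs offline; the sample file, its section layout and all offsets in `build_sample_pe` are assumptions made for this demo, not taken from any real program.

```python
import struct
def pe_imports(data: bytes) -> dict:
    """Lower-cased DLL name -> imported function names, read from the PE import directory (static binding)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]               # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                              # optional header follows the 20-byte COFF header
    plus = struct.unpack_from("<H", data, opt)[0] == 0x20B     # PE32+ (64-bit) layout?
    imp_rva = struct.unpack_from("<I", data, opt + (112 if plus else 96) + 8)[0]  # DataDirectory[1] = imports
    secs = [struct.unpack_from("<4I", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    def off(rva):                                              # RVA -> file offset via the section table
        for vsize, va, rawsize, raw in secs:
            if va <= rva < va + max(vsize, rawsize):
                return raw + rva - va
        raise ValueError(f"RVA {rva:#x} maps to no section")
    def cstr(o):
        return data[o:data.index(b"\0", o)].decode("ascii", "replace")
    fmt, step, ord_flag = ("<Q", 8, 1 << 63) if plus else ("<I", 4, 1 << 31)
    result, desc = {}, (off(imp_rva) if imp_rva else None)
    while desc is not None:                                    # 20-byte descriptors, one per DLL, null-terminated
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", data, desc)
        if name_rva == 0:
            break
        names, thunk = [], off(oft or ft)                      # prefer the lookup table (INT) over the IAT
        while (entry := struct.unpack_from(fmt, data, thunk)[0]) != 0:
            if not entry & ord_flag:                           # by-name entry: RVA of 2-byte hint + name
                names.append(cstr(off(entry & 0x7FFFFFFF) + 2))
            thunk += step
        result.setdefault(cstr(off(name_rva)).lower(), []).extend(names)
        desc += 20
    return result

def uses_find_first_file(data: bytes) -> bool:               # the static-binding answer to the question
    return any(f in ("FindFirstFileA", "FindFirstFileW") for f in pe_imports(data).get("kernel32.dll", []))

def name_string_hits(data: bytes, name: str = "FindFirstFile") -> dict:   # dynamic-binding fallback
    return {"ascii": data.count(name.encode()), "utf16": data.count(name.encode("utf-16-le"))}  # both spellings

def build_sample_pe() -> bytes:
    """Constructed minimal PE32 (not a real program) whose single section imports KERNEL32.dll!FindFirstFileA."""
    rva, raw = 0x1000, 0x200                                   # section RVA and file offset (assumed layout)
    body = struct.pack("<5I", rva + 0x50, 0, 0, rva + 0x28, rva + 0x50) + bytes(20)   # descriptor + terminator
    body = body.ljust(0x28, b"\0") + b"KERNEL32.dll\0"
    body = body.ljust(0x38, b"\0") + b"\0\0FindFirstFileA\0"   # 2-byte hint + name
    body = body.ljust(0x50, b"\0") + struct.pack("<2I", rva + 0x38, 0)               # thunk table
    opt = struct.pack("<H", 0x10B).ljust(104, b"\0") + struct.pack("<2I", rva, 0x28)  # magic ... DataDirectory[1]
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + struct.pack("<2H3I2H", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    hdr += opt.ljust(0xE0, b"\0") + b".idata\0\0" + struct.pack("<4I", len(body), rva, raw, raw) + bytes(16)
    return hdr.ljust(raw, b"\0") + body.ljust(raw, b"\0")
```

On a UPX-packed file both checks see only the packer's stub (its own small import table and compressed section data), so neither reports the real FindFirstFile usage until the file is unpacked.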