Exploring The Stack

In some cases the strings in a PE are encrypted, and a function decrypts them at run time.

The best way to analyse such a PE is at run time, by searching for string references.

For example, when the pop-up for an invalid code is shown in the output, search for string references at that point, and then search for the instructions that need to be found.

After identifying the function called to encrypt and decrypt the strings, create some breakpoints before the instruction.
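
The small C program below is an added example, not code from the original notes. It shows why a static string search finds nothing while the plaintext is readable on the stack once the decrypt function has returned. The single-byte XOR scheme, the key and the function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define KEY 0xA5u /* constructed single-byte XOR key (assumption) */

/* "Invalid code" XORed with KEY; this is all a static strings search sees. */
static const unsigned char enc_msg[] = {
    0xEC, 0xCB, 0xD3, 0xC4, 0xC9, 0xCC, 0xC1, 0x85, 0xC6, 0xCA, 0xC1, 0xC0
};

/* Longest run of printable ASCII, the test a strings-style scan applies. */
size_t longest_printable_run(const unsigned char *p, size_t n)
{
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < n; i++) {
        cur = (p[i] >= 0x20 && p[i] <= 0x7E) ? cur + 1 : 0;
        if (cur > best) best = cur;
    }
    return best;
}

/* Hypothetical decrypt routine: the function to identify in the debugger. */
void decrypt_string(const unsigned char *src, size_t n, char *dst)
{
    for (size_t i = 0; i < n; i++)
        dst[i] = (char)(src[i] ^ KEY);
    dst[n] = '\0';
}

/* Shows the message; the plaintext exists only in this stack frame. */
size_t show_invalid_code(char *copy_out)
{
    char buf[sizeof enc_msg + 1];                 /* stack buffer */
    decrypt_string(enc_msg, sizeof enc_msg, buf);
    /* A breakpoint just after the call above finds the plaintext in buf. */
    puts(buf);
    if (copy_out) strcpy(copy_out, buf);
    return longest_printable_run((const unsigned char *)buf, sizeof enc_msg);
}

int main(void)
{
    printf("printable run before decrypt: %zu\n",
           longest_printable_run(enc_msg, sizeof enc_msg));
    printf("printable run after decrypt:  %zu\n", show_invalid_code(NULL));
    return 0;
}
```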
