Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Unpacking - Tsunami MPEG DVD Author PRO (https://forum.exetools.com/showthread.php?t=9318)

Cobi 03-07-2006 04:44

Unpacking - Tsunami MPEG DVD Author PRO
 
Hi,
Target: Tsunami MPEG DVD Author PRO 2.1.5.77
hxxp://download1.pegasys-inc.com/download_files/TDAP-retail-2.1.5.77-en.exe
This tool is coded in Delphi and seems to be protected by some custom packer.

Sections:

CODE
DATA
BSS
.idata
.tls
.rdata
.reloc
.rsrc
PEGASYS0
PEGASYS1
PEGASYS2


011AF000 - 011B090B (PEGASYS2): some unpacking routines, no anti-debugging
011A1001 (PEGASYS0): here I begin to lose track; IDA gets fooled and OllyDbg can't analyse it

Code:

011A1001  90              NOP
011A1002  60              PUSHAD
011A1003  E8 03000000      CALL DVDAutho.011A100B
011A1008  -E9 EB045D45      JMP 467714F8
011A100D  55              PUSH EBP
011A100E  C3              RETN
011A100F  E8 01000000      CALL DVDAutho.011A1015
011A1014  EB 5D            JMP SHORT DVDAutho.011A1073
011A1016  BB ECFFFFFF      MOV EBX,-14

After unpacking the CODE section the program creates a thread with a simple anti-debugging loop (thread proc: 004E1390),
but I can't spot the OEP :(

Can anyone help me please :o

Greetz,
Cobi
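The entry stub in the listing above is the classic overlapping-instruction trick: each CALL lands a few bytes past its own end, inside the bytes that a sequential disassembler has already decoded as a JMP, so the `JMP 467714F8` and `JMP SHORT 011A1073` shown by OllyDbg are never executed and the real instructions (`POP EBP` / `INC EBP` hidden inside them) never appear in the listing. The Python script below is an added example, not code from the thread or from the target: it rebuilds the stub's bytes from the OllyDbg listing (bytes after `MOV EBX,-14` are not on the page and are left out), decodes them the way a linear sweep does, then follows the actual control flow with a tiny interpreter for just the opcodes the stub uses, and reports which instructions execution reaches that the linear listing never shows. The decoder is deliberately limited to those opcodes.

```python
import struct

# Address of the first listed instruction (from the OllyDbg listing in the post).
BASE = 0x011A1001
MASK = 0xFFFFFFFF

# Stub bytes constructed from the listing; anything past MOV EBX,-14 is not on
# the page and is deliberately left out.
STUB = bytes.fromhex(
    "90"          # 011A1001  NOP
    "60"          # 011A1002  PUSHAD
    "E803000000"  # 011A1003  CALL 011A100B  (lands inside the next "JMP")
    "E9EB045D45"  # 011A1008  JMP 467714F8   (decoy; 5D 45 = POP EBP / INC EBP)
    "55"          # 011A100D  PUSH EBP
    "C3"          # 011A100E  RETN
    "E801000000"  # 011A100F  CALL 011A1015  (lands inside the next "JMP SHORT")
    "EB5D"        # 011A1014  JMP SHORT 011A1073 (decoy; 5D = POP EBP)
    "BBECFFFFFF"  # 011A1016  MOV EBX,-14
)

SIMPLE = {  # one-byte opcodes used by the stub: text and semantic actions
    0x90: ("NOP", []),
    0x60: ("PUSHAD", [("pushad", None)]),
    0x55: ("PUSH EBP", [("push", "ebp")]),
    0x5D: ("POP EBP", [("pop", "ebp")]),
    0x45: ("INC EBP", [("inc", "ebp")]),
    0xC3: ("RETN", [("ret", None)]),
}


def decode(code, base, addr):
    """Decode one instruction at addr -> (text, length, ops), or None when addr
    is outside the buffer or the opcode is not one the stub uses."""
    off = addr - base
    if not 0 <= off < len(code):
        return None
    op = code[off]
    if op in SIMPLE:
        text, ops = SIMPLE[op]
        return text, 1, ops
    if op in (0xE8, 0xE9) and off + 5 <= len(code):      # CALL/JMP rel32
        rel = struct.unpack_from("<i", code, off + 1)[0]
        target = (addr + 5 + rel) & MASK
        if op == 0xE8:
            return f"CALL {target:08X}", 5, [("call", target)]
        return f"JMP {target:08X}", 5, [("jmp", target)]
    if op == 0xEB and off + 2 <= len(code):               # JMP rel8
        rel = struct.unpack_from("<b", code, off + 1)[0]
        return f"JMP SHORT {(addr + 2 + rel) & MASK:08X}", 2, [("jmp", (addr + 2 + rel) & MASK)]
    if op == 0xBB and off + 5 <= len(code):               # MOV EBX,imm32
        imm = struct.unpack_from("<I", code, off + 1)[0]
        return f"MOV EBX,{imm:08X}", 5, [("mov", ("ebx", imm))]
    return None


def linear_sweep(code, base):
    """What a disassembler lists when it decodes sequentially from base."""
    listing, addr = [], base
    while (ins := decode(code, base, addr)) is not None:
        listing.append((addr, ins[0]))
        addr += ins[1]
    return listing


def execute(code, base, max_steps=64):
    """Follow the real control flow, modelling only the state the stub touches.
    Returns (trace, regs, stack): executed (address, text) pairs, final EBP/EBX,
    and the stack left behind (only the eight PUSHAD slots should remain)."""
    regs, stack, trace, eip = {"ebp": 0, "ebx": 0}, [], [], base
    for _ in range(max_steps):                # bounded walk; unknown bytes stop it
        ins = decode(code, base, eip)
        if ins is None:
            break
        text, length, ops = ins
        trace.append((eip, text))
        eip = (eip + length) & MASK
        for op, arg in ops:
            if op == "pushad":
                stack.extend([0] * 8)         # register contents are irrelevant here
            elif op == "push":
                stack.append(regs[arg])
            elif op == "pop":
                regs[arg] = stack.pop()
            elif op == "inc":
                regs[arg] = (regs[arg] + 1) & MASK
            elif op == "call":
                stack.append(eip)             # return address = next instruction
                eip = arg
            elif op == "jmp":
                eip = arg
            elif op == "ret":
                eip = stack.pop()
            elif op == "mov":
                regs[arg[0]] = arg[1]
    return trace, regs, stack


def hidden_instructions(code, base):
    """Addresses execution reaches that the linear listing never shows."""
    shown = {addr for addr, _ in linear_sweep(code, base)}
    return {addr for addr, _ in execute(code, base)[0]} - shown


if __name__ == "__main__":
    for title, rows in (("linear sweep", linear_sweep(STUB, BASE)),
                        ("actual execution", execute(STUB, BASE)[0])):
        print(f"{title}:")
        for addr, text in rows:
            print(f"  {addr:08X}  {text}")
    print("hidden:", [f"{a:08X}" for a in sorted(hidden_instructions(STUB, BASE))])
```

Running it shows that after the first CALL the stub executes `POP EBP` / `INC EBP` / `PUSH EBP` / `RETN`, which is just a convoluted jump to 011A1009, where the `EB 04` inside the decoy JMP is a real `JMP SHORT 011A100F`; the second CALL/`POP EBP` pair then leaves EBP = 011A1014, the delta base the rest of the stub works from. This is why OllyDbg's analysis has to be removed (as N0P says later in the thread) before the code reads sensibly: the analyser's instruction boundaries are wrong from 011A1008 onwards.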

Nacho_dj 03-07-2006 19:17

Hello:

Have you tried dumping to a file after launching it, when all is unpacked in memory?
And what about the rebuilding of import table? Did you manage this? For instance, using Import Reconstructor...

Just some ideas... :)

Cheers :cool:

Nacho_dj

hosiminh 03-07-2006 22:07

dvdauthorpro.exe

This is a Delphi 6/7 app, but I cannot run it since I don't have an SSE-compatible processor (single process, can be dumped from memory).

You see PUSHAD at EP (like UPX ...) ?

OEP: 9F3628 (no stolen bytes)
DotFix FakeSigner maybe

Nacho_dj 03-07-2006 23:44

Quote:

This is a Delphi 6/7 app, but I cannot run it since I don't have an SSE-compatible processor
So, hosiminh, you cannot run any Delphi application on your computer, ever?

Isn't there any fix for that issue? It is astonishing...

Cheers :cool:

Nacho_dj

N0P 03-08-2006 00:42

No stolen bytes, IAT not scrambled; the packer is something like a modified ASPack... In Olly, bp on the code section, then circa 3x RETN; then the IAT is rebuilt and it jumps to the OEP... but the dump doesn't run, some fixes are needed.
I forgot: you must remove the analysis if you want to see some code.

Cobi 03-08-2006 03:31

hmm, ok thx, great :)
Little OEP script for Olly:
Code:

// Break once the PEGASYS2 unpacking routine has finished, then step over it
bp  011B090B
run
sto
bc  011B090B

// Memory breakpoint on read over the CODE section range; clear it once hit
bprm 00401000, 005F3000
run
bpmc

// Break at 011A1104 and pass it four times, then run until return to caller
bp  011A1104
run
run
run
run
bc  011A1104
rtr
sto   // step over the final jump to land on the OEP

The next problem will be to fix the dump; the only thing I get is a weird message box...
maybe some anti-dumping?

Maximus 03-08-2006 04:48

Have you tried a standard stack hardware bpx? You can then obtain the OEP.
If it is a standard packer (UPX, ASPack, etc.), just bpx in the IAT, take note of the instruction writing to the IAT, rerun and break at it. Then dump (the original IAT will be kept), fix with the found OEP, alter the IAT pointers with LordPE to point to the unscrewed/virgin IAT, et voilà (ImpREC might help you locate the real IAT size, I think).

Regards,
Maximus
(btw, I found NOP+PUSHAD+CALL in some ASPack EP versions)

Cobi 03-08-2006 05:41

Quote:

I found NOP+PUSHAD+CALL in some ASPack EP versions
It seems like ASPack with some custom overlay

hosiminh 03-08-2006 15:12

@Nacho_dj
Lacking a "processor with built-in SSE instruction support" has nothing to do with Delphi apps

