EXETOOLS FORUM  

#1
03-07-2006, 04:44
Cobi (Friend; Join Date: Sep 2004; Location: Germany; Posts: 55)
Unpacking - Tsunami MPEG DVD Author PRO

Hi,
Target: Tsunami MPEG DVD Author PRO 2.1.5.77
hxxp://download1.pegasys-inc.com/download_files/TDAP-retail-2.1.5.77-en.exe
This tool is coded in Delphi and seems to be protected by some custom packer.

Sections:

CODE
DATA
BSS
.idata
.tls
.rdata
.reloc
.rsrc
PEGASYS0
PEGASYS1
PEGASYS2


011AF000 - 011B090B (PEGASYS2): some unpacking routines, no anti-debugging
011A1001 (PEGASYS0): here I begin to lose track; IDA gets fooled and OllyDbg can't analyse it

Code:
011A1001   90               NOP
011A1002   60               PUSHAD
011A1003   E8 03000000      CALL DVDAutho.011A100B
011A1008  -E9 EB045D45      JMP 467714F8
011A100D   55               PUSH EBP
011A100E   C3               RETN
011A100F   E8 01000000      CALL DVDAutho.011A1015
011A1014   EB 5D            JMP SHORT DVDAutho.011A1073
011A1016   BB ECFFFFFF      MOV EBX,-14
After unpacking the CODE section the program creates a thread with a simple anti-debugging loop (thread proc: 004E1390),
but I can't spot the OEP.

Can anyone help me, please?

Greetz,
Cobi

#2
03-07-2006, 19:17
Nacho_dj (Join Date: Mar 2005; Posts: 172)
Hello:

Have you tried dumping to a file after launching it, when all is unpacked in memory?
And what about rebuilding the import table? Did you manage this? For instance, using Import Reconstructor...

Just some ideas...

Cheers

Nacho_dj
#3
03-07-2006, 22:07
hosiminh (Friend; Join Date: Aug 2004; Posts: 203)
dvdauthorpro.exe

This is a Delphi 6/7 app, but I cannot run it since I don't have an SSE-instruction-compatible processor (single process, can be dumped from memory).

You see PUSHAD at EP (like UPX...)?

OEP: 9f3628 (no stolen bytes)
Dotfix FakeSigner maybe
#4
03-07-2006, 23:44
Nacho_dj (Join Date: Mar 2005; Posts: 172)
Quote:
This is a Delphi 6/7 app, but I cannot run it since I don't have an SSE-instruction-compatible processor
So, hosiminh, you cannot run any Delphi app on your computer, NEVER?

Isn't there any fix for that issue? It is astonishing...

Cheers

Nacho_dj
#5
03-08-2006, 00:42
N0P (Friend; Join Date: Aug 2003; Location: Prague [Czech Republic]; Posts: 57)
No stolen bytes, IAT not scrambled; the packer is something like a modified ASPack... In Olly, BP on the code section, then about 3x RETN, then the IAT is rebuilt and JMP to OEP... but the dump doesn't run, some fixes needed.
I forgot: you must remove analysis if you want to see some code.

#6
03-08-2006, 03:31
Cobi (Friend; Join Date: Sep 2004; Location: Germany; Posts: 55)
Hmm, ok, thx, great.
Little OEP script for Olly:
Code:
// Break at the end of the PEGASYS2 unpacking routine (011AF000 - 011B090B)
bp   011B090B
run
sto
bc   011B090B

// Memory breakpoint on the CODE section (from 00401000): fires when the
// freshly unpacked code is touched, then clear it again
bprm 00401000, 005F3000
run
bpmc

// Break in the PEGASYS0 stub; the breakpoint is passed four times
bp   011A1104
run
run
run
run
bc   011A1104

// Run till return, then one step over: you should now be at the OEP
rtr
sto
The next problem will be to fix the dump; the only thing I get is a weird message box...
Maybe some anti-dumping?
#7
03-08-2006, 04:48
Maximus (Friend; Join Date: Nov 2005; Posts: 39)
Have you tried the standard stack HR bpx? You can then obtain the OEP.
If it is a standard packer (UPX, ASP, etc.) just bpx in the IAT, take notice of the instruction writing to the IAT, rerun and break at it. Then dump (the original IAT will be kept), fix with the found OEP, alter the IAT pointers with LordPE to point to the unscrewed/virgin IAT, et voilà (ImpREC might help you locating the real IAT size, I think).

Regards,
Maximus
(BTW, I found NOP+PUSHAD+CALL in some AsPack EP version.)
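As an added example (not code from any poster in this thread), a small Python script that reads the PE section table and entry point the way the thread does by eye (EP in a non-Delphi section such as PEGASYS0, NOP/PUSHAD at the EP as hosiminh noted, extra packer sections) and then patches AddressOfEntryPoint to the found OEP, the fix Maximus describes doing by hand in LordPE. The sample image and the OEP RVA 0x1000 are constructed for the demo; a real OEP such as the 9f3628 from post #3 is a virtual address and must first be converted to an RVA by subtracting the image base.

```python
import struct
# Added example, not code from this thread: walks PE32 headers (e_lfanew at 0x3C, optional header at PE+24,
# section table after it), lists the packer hints the posters used, and rewrites AddressOfEntryPoint to the OEP.
STD_DELPHI = {"CODE", "DATA", "BSS", ".idata", ".tls", ".rdata", ".reloc", ".rsrc"}

def pe_headers(data):
    """Return (opt_hdr_offset, entry_rva, [(name, rva, vsize, raw_ptr, raw_size)])."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt, opt_size = pe + 24, struct.unpack_from("<H", data, pe + 20)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    secs = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i                 # 40-byte IMAGE_SECTION_HEADER entries
        vsize, rva, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        secs.append((data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"), rva, vsize, rptr, rsize))
    return opt, entry, secs

def packer_hints(data):
    """Why the EP looks like a packer stub: EP section, NOP/PUSHAD at EP, non-Delphi sections."""
    _, entry, secs = pe_headers(data)
    name, rva, _, rptr, _ = next(s for s in secs if s[1] <= entry < s[1] + max(s[2], s[4]))
    ep_bytes = data[rptr + (entry - rva):][:3]
    hints = []
    if name != "CODE":
        hints.append(f"EP in {name}, not CODE")
    if ep_bytes.lstrip(b"\x90")[:1] == b"\x60":      # optional NOP padding, then PUSHAD (0x60)
        hints.append("PUSHAD at EP")
    extra = [s[0] for s in secs if s[0] not in STD_DELPHI]
    if extra:
        hints.append("extra sections: " + ",".join(extra))
    return hints

def set_entry_point(data, oep_rva):  # patch AddressOfEntryPoint so a dump starts at the recovered OEP
    opt, _, _ = pe_headers(data)
    out = bytearray(data)
    struct.pack_into("<I", out, opt + 16, oep_rva)
    return bytes(out)

def build_sample():  # constructed PE32 image: CODE at RVA 0x1000, packer section PEGASYS0 at 0x2000 owns the EP
    secs = [(b"CODE", 0x1000, 0x400), (b"PEGASYS0", 0x2000, 0x600)]   # (name, rva, raw file offset)
    nt = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x102)
    opt = (struct.pack("<H", 0x10B).ljust(16, b"\0") + struct.pack("<I", 0x2000)).ljust(224, b"\0")
    tbl = b"".join(struct.pack("<8sIIIIIIHHI", n, 0x200, rva, 0x200, raw, 0, 0, 0, 0, 0x60000020)
                   for n, rva, raw in secs)
    img = bytearray(0x800)
    img[:0x40] = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x80)   # e_lfanew -> 0x80
    img[0x80:0x80 + len(nt) + 224 + len(tbl)] = nt + opt + tbl
    img[0x600:0x603] = b"\x90\x60\xE8"              # NOP / PUSHAD / CALL, as in the pasted EP listing
    return bytes(img)
```

The import directory entry (data directory index 1, at offset 104 of the PE32 optional header) can be rewritten with the same pack_into pattern once ImpREC has produced a clean IAT.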
#8
03-08-2006, 05:41
Cobi (Friend; Join Date: Sep 2004; Location: Germany; Posts: 55)
Quote:
I found NOP+PUSHAD+CALL in some AsPack EP version
It seems like AsPack with some custom overlay.
#9
03-08-2006, 15:12
hosiminh (Friend; Join Date: Aug 2004; Posts: 203)
@Nacho_dj
Lack of a "processor with built-in SSE instruction support" has nothing to do with Delphi appz.