|
svkp dumping problem
Hi again
I'm unpacking a svkp target and I have found the OEP and is just about to dump, but Olly can't grab the process to dump it. And the same goes for LordPE. Is there a way around this? Edit: PEiD reports svkp v1.3 btw /SvensK |
olly can dump
the plug-in of olly can dump,
can you tell me how to find the oep with ollydbg. |
Hi,
What is the name of the program. |
The program is Download Accelerator Plus v7.0.
Direct d/l url: hxxp://download.speedbit.com/dap7.exe Edit: And no, of course Olly's dump plug-in couldn't dump it. That's why I mentioned it. Edit2: Finding the OEP is a piece of cake. 1. Just load the exe in PEiD and get the OEP from the Generic OEP Finder and write it down. 2. Load the exe in Olly and scoll down to the OEP, right-click the code and Follow Selection in Dump. 3. Right-click first byte of the OEP in Dump and BPH, on write, Byte. 4. Press F9, see the first byte in the dump changed to 55. 5. Scroll down to OEP again and press F2 while on the 55. 6. Press F9 again and you're at the OEP. 7. This is where you wanna dump. If you know how to rebuild the IAT, please lemme know. |
OllyDump v2.20.108
name:OllyDump v2.20.108
you can search with google.com. |
maybe
maybe prodump can ,i dump with prodump ,and can see some resource,but can not run it.
|
@SvensK
Thanks for the info you have posted, Most Handy :) Could you post a bit of info about IAT rebuilding or PM me Thanks R@dier |
Re: maybe
Quote:
Edit: To R@dier - I was hoping to get some help myself. :) |
Peid is wrong, your oep should be 4c7b90 or close to
it, this is I think ,why u are having hard time. |
This is my first encounter with this protection,I did
download the latest version and protected one of my programs with it , and I did unpack it correctly,but this is a demo version of the protection,tonight I will try to unpack your program. regards |
Ok, thanks for your feedback britedream.
As you might have guessed, this is also my first time working with svkp :) |
@SvensK
LOL, I miss read your post about IAT hehehe. I will take a look tonight at this protector as well, I have never seen it before, so should be interesting ;) Best Regards R@dier |
Hi,
there is a difference between the demo and the registered version.in the demo once i stop on stack break point, eax shows the oep , and by setting bpm on the code section ,it stops on oep, while the registered version once stop on stack break point, eax shows packer code ,and if u bpm on code section it stops there, but with stolen byets as in our case , it stops at 4c7b90 with many nops above it . if u read the packer features it says,among other things, Possibility to Move code from entry point, so we truly need the packer registered version to confirm this, and make things easier for us to find the stoln bytes if any. britedream |
Hello Everybody,
For svkp we have to recover from program bytes ripped from the execution of program & some from stack manipulation. Stack manipulation start address --> 0xEB6B385 & end address --> 0xEB6C82D If somebody wants to practice Evaluator's Excellent Pseudo_code exercise at woodmann's forum, can have a look at it. The url for it hxxp://66.98.132.48/forum/showthread.php?t=4805 I have tried to recover the bytes but it's not perfect. Code:
:004C7B26 55 PUSH EBPCode:
:004C7B46 57 PUSH EDICode:
:004C7B56 50 PUSH EAXR@dier / SvensK / Everybody You can use Gaia's / Zilot's excellent Import Rec Plugin which will find majority of the api some 7 or 10 not found we need to find manually. more later... Regards, Sope. |
jmp from packer to 4c7b90 I found it to be
jmp Dword ptr ss:[esp-4] |
| All times are GMT +8. The time now is 20:59. |
Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2026, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX