Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   BitArts Crunched target unpacked but only works on 2k? (https://forum.exetools.com/showthread.php?t=7343)

Exocist 04-12-2005 12:58

BitArts Crunched target unpacked but only works on 2k?
 
Been scratching my head over this one. I have successfully dumped a BitArts Crunch target from the OEP and rebuilt the IAT without any problems. As people know, with BitArts the easiest way to defeat the PE stub checking is to copy the original header back into memory after using VirtualProtect.

Anyway... the program works perfectly on Win 2000 but refuses to work on XP and Windows 2003. I have tried dumping and rebuilding the imports on 2003 and XP to see if this fixes the problem, but no go. I suspect the IAT is messed up somehow when running under these OSes, but this has me stumped.

Has anyone had this problem before, where your rebuilt programs work on one OS but not another? (Talking about 2000, 2003 and XP here.)

Have stopped on the OEP with both OllyDbg and SoftICE, tried dumping with both LordPE and PETools, and in all cases rebuilt the imports with MackT's ImpRec.

cheers

-Ex ;)

The Day Walker! 12-11-2005 12:55

At least you could dump a Crunched file successfully... I have downloaded all the possible tutorials for unpacking BitArts Crunch, and still none of them worked for me in unpacking the file successfully...

Site: hxxp://osenxpsuite.net/

The file is an OCX...

I changed its characteristic to EXE, and then debugged it in Olly and dumped it using LordPE... did everything, but still no luck...

Help needed.

Thanks

TDW {RES}

Magic_h2001 12-11-2005 23:27

UnPacking : Crunch/PE -> Bit-Arts .OCX
Target : osenxpsuite2005.ocx - hxxp://www.osenxpsuite.net
Difficulty : Easy
Tools needed : WinXP sp2 - Olly - LordPE - ImpRec

ImageBase : 22810000
EP : 229F6000

open target in olly :

/*229F6000*/ PUSH EBP
/*229F6001*/ CALL 229F6006
/*229F6006*/ POP EBP
/*229F6007*/ SUB EBP,6
/*229F600A*/ MOV EAX,EBP
/*229F600C*/ PUSH EBP
/*229F600D*/ PUSHAD
/*229F600E*/ MOV DWORD PTR SS:[EBP+3410],EBP // Set BP on this line
/*229F6014*/ SUB EAX,DWORD PTR SS:[EBP+33EB]
/*229F601A*/ MOV DWORD PTR SS:[EBP+249F],EAX

Set BP on : 229F600E

press F9 ==> Dump ESP ==> select 4 byte from dump ==>
Set Hard BP on access DWORD ==> press Shift+F9 ==> Olly stop here :

/*229F60E5*/ POP EBP
/*229F60E6*/ MOV EAX,DWORD PTR SS:[EBP+340C]
/*229F60EC*/ POP EBP
/*229F60ED*/ JMP EAX // Jmp to OEP
/*229F60EF*/ MOV ESI,340C
/*229F60F4*/ ADD ESI,EBP

Press F7 F7 F7 F7 ==> now we are in OEP :

/*22811360*/ POP EDX // OEP
/*22811361*/ PUSH osenxpsu.2296C9B4
/*22811366*/ PUSH osenxpsu.2296C9B8
/*2281136B*/ PUSH EDX
/*2281136C*/ JMP osenxpsu.22811358
/*22811371*/ ADD BYTE PTR DS:[EAX],AL
/*22811373*/ ADD BYTE PTR DS:[EAX+30000000],AH

Run LordPE ==> Select Loaddll.exe ==> Select osenxpsuite2005.ocx ==> Full Dump.

Run ImpRec ==> Select Loaddll.exe from process ==> Pick DLL ==> Select osenxpsuite2005.ocx

OEP = 22811360-ImageBase = 22811360-22810000 = 1360 ==> IAT Auto Search ==>
Get Imports ==>Fix Dump.

Target compiled with VB6 (P-code); cracking is easy.
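The last two steps of the walkthrough above (the OEP arithmetic for ImpRec and the "Fix Dump" of a LordPE full dump) are header surgery that is easy to script. The block below is an added example, not code from the thread or from LordPE/ImpRec: it takes ImageBase 0x22810000 and OEP 0x22811360 from the post, but the section layout it builds is constructed for the demo and is not the real osenxpsuite2005.ocx. It parses the PE32 headers of a full memory dump, converts the OEP VA to the RVA ImpRec expects, checks that the RVA actually lands inside a section, and realigns every section so PointerToRawData == VirtualAddress and SizeOfRawData == VirtualSize, which is what makes a raw memory dump loadable again.

```python
"""Added example: fix up a full memory dump of a PE32 module.
ImageBase/OEP come from the post; the sample image layout is constructed."""
import struct

IMAGE_BASE = 0x22810000            # module base seen in Olly (from the post)
OEP_VA = 0x22811360                # OEP seen in Olly (from the post)
SECTION_ALIGN, FILE_ALIGN = 0x1000, 0x200
IMAGE_FILE_DLL = 0x2000

# Constructed layout: (name, VirtualAddress, VirtualSize, SizeOfRawData, PointerToRawData).
# Raw sizes/pointers are the packed on-disk values; the packer stub is the last section.
SAMPLE_SECTIONS = [
    (b".text", 0x1000, 0x2000, 0x0400, 0x0400),
    (b".rdata", 0x3000, 0x1000, 0x0200, 0x0800),
    (b".stub", 0x4000, 0x1000, 0x0C00, 0x0A00),
]
STUB_EP_RVA = 0x4000               # hypothetical packer entry point
SIZE_OF_IMAGE = 0x5000


def build_sample_dump():
    """Build a PE32 image laid out like a full process dump: headers at 0,
    every section's bytes at its own RVA.  Marked as a DLL, like the .ocx."""
    img = bytearray(SIZE_OF_IMAGE)
    e_lfanew = 0x80
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF header: i386, N sections, optional header size 0xE0, EXE|32BIT|DLL
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x14C, len(SAMPLE_SECTIONS),
                     0, 0, 0, 0xE0, 0x0102 | IMAGE_FILE_DLL)
    opt = e_lfanew + 24
    struct.pack_into("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", img, opt,
                     0x10B, 0, 0, 0x2000, 0x2000, 0, STUB_EP_RVA, 0x1000, 0x3000,
                     IMAGE_BASE, SECTION_ALIGN, FILE_ALIGN, 4, 0, 0, 0, 4, 0,
                     0, SIZE_OF_IMAGE, 0x400, 0, 2, 0,
                     0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    sec = opt + 0xE0
    for i, (name, va, vsize, rawsize, rawptr) in enumerate(SAMPLE_SECTIONS):
        struct.pack_into("<8sIIIIIIHHI", img, sec + 40 * i,
                         name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
        img[va:va + vsize] = b"\x90" * vsize        # constructed section bytes
    img[OEP_VA - IMAGE_BASE] = 0x5A                  # POP EDX at the OEP, as in the post
    return bytes(img)


def parse_pe(data):
    """Return the header fields the fix needs plus the offsets to patch."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, chars = struct.unpack_from("<HH", data, e_lfanew + 20)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    image_base, = struct.unpack_from("<I", data, opt + 28)
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "rawptr": rawptr, "hdr_off": off})
    return {"opt": opt, "entry_rva": entry_rva, "image_base": image_base,
            "is_dll": bool(chars & IMAGE_FILE_DLL), "sections": sections}


def oep_rva(oep_va, image_base):
    """The OEP field ImpRec wants: VA from the debugger minus the module base."""
    if oep_va < image_base:
        raise ValueError("OEP below image base: wrong module or wrong base")
    return oep_va - image_base


def section_for_rva(pe, rva):
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def fix_dump(data, oep_va):
    """Point AddressOfEntryPoint at the real OEP and realign each section so
    raw offset/size equal the in-memory RVA/size (bytes already sit there)."""
    pe = parse_pe(data)
    rva = oep_rva(oep_va, pe["image_base"])
    if section_for_rva(pe, rva) is None:
        raise ValueError("OEP RVA 0x%X is outside every section" % rva)
    out = bytearray(data)
    struct.pack_into("<I", out, pe["opt"] + 16, rva)
    for s in pe["sections"]:
        struct.pack_into("<II", out, s["hdr_off"] + 16, s["vsize"], s["va"])
    return bytes(out)


if __name__ == "__main__":
    dump = build_sample_dump()
    fixed = fix_dump(dump, OEP_VA)
    pe = parse_pe(fixed)
    print("OEP RVA for ImpRec: %X" % oep_rva(OEP_VA, IMAGE_BASE))
    print("new EP: %X in %s" % (pe["entry_rva"], section_for_rva(pe, pe["entry_rva"])["name"]))
```

For the real target, read the dump LordPE wrote instead of calling build_sample_dump(), and pass the base Olly shows for the module (not the ImageBase in the file header) if the OCX was relocated, since the OEP VA was read from the relocated image.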

The Day Walker! 12-13-2005 04:31

Bro...

When I load the OCX using loaddll.exe, set the breakpoint and press F9, Olly never breaks at the breakpoint... it just keeps on running...

I have tried the other way round too, by changing the characteristic of the OCX to EXE and loading the OCX directly, without the need for loaddll.exe, and followed the same steps... but parts of the OCX still remain packed...

Thanks

TDW {RES}

Unforgiv3N 12-13-2005 04:45

That's amazing, Magic_H2K+1.
As always, you did it in a minute.
Excellent.

Magic_h2001 12-13-2005 04:55

Load target in Olly ==> after full load ==> set hardware BP on execution on EP
==> set BP on 004100AF ==> restart Olly ==> Olly stops ==> F9 ==> Olly stops at EP......

The Day Walker! 12-14-2005 02:22

Thanks... Magic...

You are good..... got to learn a lot from you.....

I haven't done any inline patching.... got to learn with some test subjects....

Have to download some tutorials on inline patching... I think....

As they say, practice makes perfect...

Thanks

TDW {RES}
