  #5  
05-11-2005, 01:24
Nukacola

Oh, sorry, but I haven't had much time the last few days, so I couldn't repost.
I see that I have made a big mistake, because I don't call dword ptr:[IAT_address]; I call call dword ptr:[ImportTable_address], and there's no valid IAT in the file. There are 2 IATs, but neither is valid, I guess. And neither one is set in the PE header IAT entry field. But I have an Import Table located at 1000h, because it's a VB6 app.

OK, the protection I'm dealing with is again SecuROM v4.8xx.

Here is a snippet of the code:

Code:
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
PUSH EBP
MOV EBP,ESP
SUB ESP,0C
PUSH s*******.00401AB6                   ; SE handler installation
MOV EAX,DWORD PTR FS:[0]
PUSH EAX
MOV DWORD PTR FS:[0],ESP
SUB ESP,2C
PUSH EBX
PUSH ESI
PUSH EDI
MOV DWORD PTR SS:[EBP-C],ESP
MOV DWORD PTR SS:[EBP-8],s*******.00401338
MOV EDX,DWORD PTR SS:[EBP+8]
XOR ESI,ESI
LEA ECX,DWORD PTR SS:[EBP-24]
MOV DWORD PTR SS:[EBP-1C],ESI
MOV DWORD PTR SS:[EBP-24],ESI
MOV DWORD PTR SS:[EBP-2C],ESI
MOV DWORD PTR SS:[EBP-30],ESI
MOV DWORD PTR SS:[EBP-34],ESI
CALL DWORD PTR DS:[939510]  ; this call also leads to SecuROM, but no problem fixing this one
LEA EAX,DWORD PTR SS:[EBP-28]
PUSH EAX
PUSH 800
INC EAX
CALL s*******.00911E00 ; this call also leads to SecuROM, but I can't fix it as easily as the one above
MOV ECX,DWORD PTR SS:[EBP+C]
PUSH ESI
PUSH ESI
PUSH ESI
PUSH ECX
LEA EDX,DWORD PTR SS:[EBP-30]
PUSH s*******.006203B0
PUSH EDX
DAA
CALL s*******.00911FC0 ; here again, also SecuROM
PUSH EAX
CALL s*******.0061FB50 ; no SecuROM call here

I also tried to rip the code for the SecuROM call out and load it into my dump at the same address, but the resolver is using code from the SecuROM sections I have removed, so it crashed.
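
An added example, not part of the original post: the post separates the Import Table from the IAT entry field in the PE header, and this reads both data-directory entries (indices 1 and 12 in the PE format) so an analyst can see which of them a file or dump actually declares. The function names and the header bytes are constructed for illustration; only the import-table address 1000h mirrors the post.

```python
import struct

IMPORT_DIR, IAT_DIR = 1, 12   # data-directory indices fixed by the PE format

def data_directories(image: bytes) -> dict:
    """Return {index: (rva, size)} for a PE32 or PE32+ image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)  # SizeOfOptionalHeader
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("not a PE32/PE32+ optional header")
    dirs_off = 96 if magic == 0x10B else 112     # offset of the first directory
    (declared,) = struct.unpack_from("<I", image, opt + dirs_off - 4)
    # Trust neither the declared count nor the header size on its own.
    count = max(0, min(declared, 16, (opt_size - dirs_off) // 8))
    return {i: struct.unpack_from("<II", image, opt + dirs_off + 8 * i)
            for i in range(count)}

def import_layout(image: bytes) -> dict:
    """Report the Import Table and IAT directory entries side by side."""
    dirs = data_directories(image)
    imp = dirs.get(IMPORT_DIR, (0, 0))
    iat = dirs.get(IAT_DIR, (0, 0))
    return {"import_table": imp, "iat": iat,
            "import_declared": imp[0] != 0, "iat_declared": iat[0] != 0}

def constructed_sample(import_rva=0x1000, iat_rva=0) -> bytes:
    """Constructed PE32 headers only (no sections), used as demo input."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x0102)
    dirs = [(0, 0)] * 16
    dirs[IMPORT_DIR] = (import_rva, 0x28)
    dirs[IAT_DIR] = (iat_rva, 0x100 if iat_rva else 0)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    return (dos + b"PE\0\0" + coff + opt
            + b"".join(struct.pack("<II", *d) for d in dirs))

if __name__ == "__main__":
    # Import Table declared at 0x1000, IAT directory entry left empty.
    print(import_layout(constructed_sample()))
```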