#1
What you just described there sounds like your standard (and old trick, I might add) way of handling some APIs that always return a specific value into EAX, such as GetCommandLineA, GetVersion, GetVersionExA, GetModuleHandleA, and others. Why not do a reference lookup to something that writes to [EBP+1AB87] and you should find your answer.
#2
I had a discussion about unpacking svkp dap 7.1 on _http://forum.accessroot.com/ some time ago.
#3
@bollygud: I figured that out myself, but thought that someone knows if SVKP has this wrapping for one and the same API always.
From britedream's link I figured out that this API is MessageBoxA (and still it is very strange to me) but that I "inline patch to read the region c50000". If I got this correct, I need to add this code to the unpacked exe. Well, I did. I made a new section and put that SVKP code there, but the exe crashes again :/ So, correct OEP, correct API, correct bytes, good dump, packer code... what more do I need to do? This can't be this hard.... BTW, the MessageBoxA API passes when I add the c50000 section, but it crashes elsewhere. Anyone want to look at my exe?
Last edited by nikola; 05-18-2004 at 00:38.
#4
Don't make a new section, just use VirtualAlloc to allocate the space needed, then read the saved region back.
If you have changed the jmp I had referred to in the link above, please don't cut the invalid APIs in ImportREC; fix the IAT ignoring the msg., if you are adding the region as I indicated. Regards.
Last edited by britedream; 05-18-2004 at 12:46.