#1
GetRight Pro 6 beta 6 & Arma|====D
Hi,
I am having a problem unpacking GetRight Pro 6 beta 7. Well, not a problem, because it unpacks fine and it runs, but I'm experiencing some funny behaviours and strange code that I want to check here to ensure I'm not completely gone puff! GetRight is protected with Standard+CodeSplicing+IAT Elimination.

I load it in OllyDbg, run the script Armadillo.v.4.0-4.4.Standard.osc and after a while the script shows OEP: 005D9454 (001D94C4 without IB). At this point, I already notice a strange thing: the OEP looks very funny for a C++ OEP. It is not 558B etc. for C++ 6 nor 6A etc. for C++ 7.0. PEiD will later say C++ without other info. I fire up ArmInline 0.92, fill in the values and everything goes perfectly. I dump with LordPE and fix the IAT with ImpREC (perfect IAT). I try to run the executable and whoa! It runs. OK.

Now let's recall it from the tray icon, and here is the second funny behaviour: NO ICONS ON MENUS OR TOOLBARS. After a while of thinking, I open the file with ResHack to ensure that the resources were not messed up by the dumper. I can see all the resources and dialogs without problems and NO "packed by an exe compressor" appears. I tried to analyse the executable with the Resurrection Team utility Armadumper, and the OEP is the same as mine.

Last strange behaviour: in all Armadillo unpacked files, I delete the text1, data1, adata, pdata sections because they are related to Armadillo (adata only if not needed for IAT rebasement). If I delete the text section in GetRight the executable crashes, and this does not happen in all the other executables I have unpacked so far.

So I have a complete and running executable (no errors or exceptions are shown) with no icons on toolbars and menus, strange OEP instructions at the beginning, and crashes on deletion of Armadillo sections. Am I wrong? If not, what or where is the problem? I can't figure it out.

Attach: My unpacked file.

Edit: 17/04 Better Optimised File: Fixed OEP and removed unused sections. Still icons problem.

Last edited by TmC; 04-17-2006 at 06:47.
#2
Your EP looks like this:
Code:
005D94C4   E8 6FAE0000      CALL getright.005E4338    ; This is the OEP! Found By: fly
005D94C9  ^E9 16FEFFFF      JMP getright.005D92E4

Code:
005D94C4   E8 6FAE0000      CALL getright.005E4338    <-Your OEP
005D94C9  ^E9 16FEFFFF      JMP getright.005D92E4     <-Jump To OEP

Code:
005D92E4   6A 60            PUSH 60
005D92E6   68 48196B00      PUSH getright.006B1948
005D92EB   E8 0C9CFFFF      CALL getright.005D2EFC
005D92F0   8365 FC 00       AND DWORD PTR SS:[EBP-4],0
005D92F4   8D45 90          LEA EAX,DWORD PTR SS:[EBP-70]
005D92F7   50               PUSH EAX
005D92F8   FF15 C4284901    CALL DWORD PTR DS:[14928C4]

I haven't had time to do a full trace and investigate, but I did trace it in as far as 005D8943, which is a call that the program never returns from (terminates)... might be a good starting point. I'll look into it some more if I get time this evening, but it's Easter and we need to take my daughter out and let her hunt for eggs, etc...
__________________
Even as darkness envelops and consumes us, wrapping around our personal worlds like the hand that grips around our necks and suffocates us, we must realize that life really is beautiful and the shadows of despair will scurry away like the fleeting roaches before the light.
#3
It's unpacked correctly; it's like ftprush and a lot of arma apps. It's GetEnvVariable.

Arma sets environment variables during unpacking, like registration codes, unicode, ascii or markers that the target isn't unpacked. And you have 2 ways:

1. patch all jne after getenvvar
2. inline-patch the exe, filling in all the env vars that the original packed arma sets

The 2nd way is the most perfect. When you do that the icons are back, but getright uses its own regcodes, so the unpack doesn't register it.
#5
Yeah, corrupting like this is rare, but I've seen crashes or becoming UNREGISTERED in some apps!
Maybe they don't use this to detect an unpacked file, just to use Arma variables as registration info.
#6
Well, for example, as I said, ftprush can be unpacked and is regged like most arma apps, but due to the env vars not being set it ends up waiting infinitely for a message, so it freezes. The only way to fix it is to use SetEnvironmentVariable and set everything it expects, to fool it. With getright it doesn't crash but the icons are gone; patching it helps, but not for all. Haven't tried to use SetEnv.

Also, the new getright has become crap: when he added bittorrent he fucked up all www ftp downloads. It crashes like hell. The old 5.2e is better. And the author doesn't seem to give a fuck about people's replies, because when I posted bugs on the board he hasn't fixed them in 7 betas, and there is still no downloading of streams. So that download manager has become crap; hidownload or others are better, they have ftp, www and streams and don't crash so often.
#7
I am on that forum all the time also. The problem is that if the author can't reproduce the error, he can't fix it. I have always used it and will always use it.

Interestingly enough, after I bought my key for Pro, around beta2, I haven't had any problems until beta7 (some problems with the DynaZIP dll causing errors when a download completes and GetRight is to ShellExecute the file). I had originally thought that GetRight was still trying to access ArmAccess.dll and was crashing then (SEH handling the access violation with ExitProcess); OllyDbg is not breaking on anything though. I don't believe it's too complicated, probably just a CRC check, maybe MD5, but nothing exotic. The GetRight author hasn't been real anti-reversing savvy until v5.x, when he added Armadillo 3.78. Prior versions used the same keygen for many years.

The resources problem... I'm stumped. I'm not familiar with that part of the executable, never needed to mess with it. Sounds to me like it's just simply not setting EnableWindow(), or it may be something more devious.
#8
Well, if someone writes that delete mirror hasn't worked for 7 betas, and instead of deleting it pauses or sometimes even crashes, then I don't know how I can reproduce the error any better for Michael, because it's on every download with mirrors :P

Another thing: now it's mixed ftp & www downloads and you do a segmented download; mostly today ftp allows 1 login per IP, but it tries even 4 for 1 ftp, and we get a window with login & pass. When you press cancel it also aborts instead of skipping this mirror. And there are 15 mirrors, so it can use 10 for 10 segments instead of 3.
#9
Oh, I'm not saying that you're making anything up, or that Michael can't fix it. I should have phrased it differently, I guess.
I don't know about the segmented download problems; I'm still on dial-up, so I don't use segmented downloads. I hate living in BFE.
#10
search the file for ascii string "GR_PROTECTED", change it to "TEMP" and icons are back
__________________
http://youtu.be/H0QfVDebLFg