Exetools  

#16  03-24-2004, 17:42  SvensK
Hmm, lots of imports the aspr2 plugin can't handle on this one...
#17  03-24-2004, 20:05  Maltese
Thank you both, Lownoise & Britedream.

So now I understand why PEiD shows the compiler. I must see how a normal program compiled with that particular brand of compiler has its startup code. Got it.

Since there is nothing in the "K" (STACK) window, I do not need a JMP I just fill in the 45 blank "00" bytes with the stolen bytes. Got it.

I apologize... when I learned to crack on the Apple ][e (don't laugh... I know you are) *hey, my algebra teacher got me started*, a push was a push. After looking at another tutorial I saw that MOV DWORD PTR SS:[ESP+number],EBP is the same as PUSH EBP. This is my failure. Now I know.

Thank you everyone for your patience... and willingness to help.

I am using Imprec now. I tried setting size to 1000 and only found 2 instances where disassemble/hex said no data. I have to go to work... I'll look at it with Imprec later today after work.

I'll share with you what I find out.

Thanks again everyone!

-Malt

Last edited by Maltese; 03-24-2004 at 20:48.
#18  03-24-2004, 22:12  britedream
To svensk

The target runs on this IAT:
There are only two exceptions: if you fix the first one you are registered, the second is to correct the stack. (I haven't tested the program but it runs fine.)
Attached file: tree.txt (21.0 KB)

Last edited by britedream; 03-24-2004 at 22:16.
#19  03-24-2004, 22:25  SvensK
Ok, I'll check it out, and thanks for the nice scripts for OllyScript btw. Saves a lot of time.
#20  03-24-2004, 22:36  britedream
My pleasure!

Sometimes it is useful to use my script "asprsto"; it will stop where we should be looking in the stack, that is 12ffc4:77e814c7 (for this program). F9 a few times till you are at mov ebp,esp; then follow the execution of your stolen with F8.

Last edited by britedream; 03-24-2004 at 22:38.
#21  03-24-2004, 22:49  SvensK
Nice stuff, I followed the stolen bytes during execution with your method.
Still having problems with my dumped exe though. After the trace I end up at:

0041F013 FF15 68274200 CALL DWORD PTR DS:[422768] ; MSVCRT.__set_app_type

I insert the stolen bytes and change the origin to PUSH EBP at 41EFE6 and then dump the exe with OllyDump, unchecking Rebuild Import. I load your tree in ImpRec and press Fix Dump. I load the exe in LordPE and change OEP to 1EFE6. Problem is the exe still won't run.

It crashes at: 0041F115 |. E8 F6020000 CALL dumpLord.0041F410
#22  03-24-2004, 23:04  britedream
I don't remember what the addresses for the two exceptions are, but if you run XP I will be glad to send you the running target.

Last edited by britedream; 03-24-2004 at 23:08.
#23  03-24-2004, 23:07  SvensK
Yes, please do that. Maybe I can compare the two and figure it out.
#24  03-24-2004, 23:09  britedream
Please PM me with your email.

Target has been sent, please check your e-mail. Thanks.

Last edited by britedream; 03-24-2004 at 23:21.
#25  03-25-2004, 08:04  Maltese
BriteDream,

I have the same problem as Svensk (I'm running XP Pro).

I thought to use Imprec (using Raider's tutorial on Tag&Rename 3.06) to increase the IAT SIZE to 1000? Imprec v1.6f defaults to 918 when I load my patched DVDIdlePro 3.39 (stolen bytes entered and new OEP set). Then I've dumped using OllyDump, unchecking Rebuild Import.

If I load your tree file, then select fix dump, the exe is not executable. It comes up with an exception.

I know that with Tag & rename there was one section you ran across that had ??? and you had to NOP it.

How is it that you got yours to execute and we can't get ours? Is there more patching required?

-Malt
#26  03-25-2004, 10:26  britedream
Maltese,
Don't load my IAT; fix yours according to mine.

Please PM me with your email.

Last edited by britedream; 03-25-2004 at 10:30.
#27  03-25-2004, 12:36  Maltese
BriteDream....

Does this make sense?

Removed DvdIdlePro.udd and DvdIdlePro.bak (Olly's cache, if you will)

1) I loaded Olly 1.10beta
2) Answered NO to analyze
3) F9, SHIFT+F9 26 times
4) ALT M
5) Left Click - code line for DvdIdle Pro
6) CTRL + F11
7) VIEW->TRACE
8) Enter Stolen Bytes
9) @ PUSH EBX (start of Stolen Bytes), I set NEW ORIGIN
10) OllyDump: uncheck Rebuild Import (saved as dump.exe)

* Left Ollydbg running after dumping to dump.exe

11) Loaded Imprec v1.6f
12) Selected DVDIdle Pro as Active Process
13) Pressed IAT Auto Search
14) Pressed Get Imports (left all values at default)
15) Pressed Show Invalid
16) Right clicked on invalid and selected: Trace Level 1 (disasm)
17) Pressed Show Invalid again
18) Right clicked on invalid and selected: Plugin Tracers-> aspr2

* It said no more pointers...see if it works

19) Clicked fix dump.... and patched the dump.exe file from Olly.

Program does not work...

Maybe my options are incorrect in Imprec?

Above the Fix Dump button I have checked: add new section (default)
In options: The only thing checked is: Process Properties (enable debug privilege XP) & Use PE Header From Disk

Did I not do something right? I noticed that Raider had a byte that was invalid in his beginning execution code so he NOP'd it. This exception appears to be happening during a Windows call.

-Malt
#28  03-25-2004, 13:10  britedream
Please read my three tutorials about stolen, then use my script "asproep" to find out the place for the OEP and stolen, then fix your stolen and dump from the OEP.

RVA for your IAT = 22000, size = 918

Once you get to rebuilding your IAT, please let me know; I will help you on that, but first get the correct stolen and the correct dump.

If there is anything you didn't understand in my tuts, please PM me.

Last edited by britedream; 03-25-2004 at 13:22.
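A header sanity check that fits this stage of the thread (an entry point or IAT directory that points outside any section is one of the common reasons a fixed dump refuses to start), added here as an example and not code from the thread or from ImpREC/LordPE: it constructs a minimal PE32 header in memory carrying the values quoted above (OEP 1EFE6, IAT RVA 22000 and size 918, read as hexadecimal) and reports which section the entry point and the IAT fall in. The two-section layout is an assumption, not the real target's layout.

```python
import struct

IAT_DIRECTORY = 12  # index of the IAT entry in the optional header's data directory

def build_sample_pe(oep, iat_rva, iat_size, sections):
    """Construct a minimal PE32 header in memory (constructed sample, not a real binary).
    sections: list of (name, rva, virtual_size)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                       # e_lfanew -> PE signature
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                      # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                     # magic: PE32
    struct.pack_into("<I", opt, 16, oep)                      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                 # ImageBase
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + IAT_DIRECTORY * 8, iat_rva, iat_size)
    sec_table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, rva, 0, 0, 0, 0, 0, 0, 0)
                         for n, rva, vs in sections)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec_table

def check_dump(pe):
    """Read OEP and the IAT directory from a PE image and say which section owns each."""
    e_lfanew = struct.unpack_from("<I", pe, 60)[0]
    fh = e_lfanew + 4                                         # IMAGE_FILE_HEADER
    nsec = struct.unpack_from("<H", pe, fh + 2)[0]
    opt_size = struct.unpack_from("<H", pe, fh + 16)[0]
    opt = fh + 20                                             # IMAGE_OPTIONAL_HEADER
    oep = struct.unpack_from("<I", pe, opt + 16)[0]
    iat_rva, iat_size = struct.unpack_from("<II", pe, opt + 96 + IAT_DIRECTORY * 8)
    sections = []
    for i in range(nsec):
        name, vsize, rva = struct.unpack_from("<8sII", pe, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), rva, vsize))

    def owner(addr):  # None means the address lies outside every section
        return next((n for n, r, s in sections if r <= addr < r + s), None)

    return {"oep": oep, "oep_section": owner(oep),
            "iat_rva": iat_rva, "iat_size": iat_size, "iat_section": owner(iat_rva)}

if __name__ == "__main__":
    # Constructed layout; OEP 1EFE6 and IAT 22000/918 are the values quoted in the thread.
    layout = [(b".text", 0x1000, 0x20000), (b".rdata", 0x21000, 0x5000)]
    print(check_dump(build_sample_pe(0x1EFE6, 0x22000, 0x918, layout)))
    print(check_dump(build_sample_pe(0x30000, 0x22000, 0x918, layout)))  # OEP set wrong
```

Run the same check_dump over the bytes of a real dumped file to see whether the OEP you set in LordPE and the IAT directory ImpREC wrote both land inside a section.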
#29  03-25-2004, 13:21  Maltese
BriteDream,

Where can I dl your 3 tutorials? I am looking forward to reading them!

Thanks

-Malt
#30  03-25-2004, 13:29  britedream
Please check your email.