#1
installshield trialware
Hi,
I have a program that is protected with InstallShield trialware. PEiD detects it as SafeDisc 3.00.00. Finding the OEP is easy, but my problem is the IAT. The technique used in it is, for example: CALL DWORD PTR DS:[XXXXXXXX], and at XXXXXXXX:

    push SEED1
    pushfd
    pushad
    push esp
    push SEED2
    call dll.YYYYYYY
    add esp,8
    push 0
    pop eax
    popad
    popfd
    retn

The function YYYYYYYY uses seed1, seed2 and the position of the caller function to produce the address of the DLL import. I can manually correct the IAT by watching some place in the YYYYYYY function, but I need a way to automate it. I tested patching the YYYYYYY function to correct the IAT, and OllyScript, but with each approach I have some problem. Does anyone have a way to automate correction of the IAT?
Regards
#2
Hello toro:
I have read your post several times, but I cannot understand what the problem is. Have you tried the IAT rebuilding with Import REConstructor? If so, what have the results been? If the address of the API is a combination of seed1, seed2 and the RVA of the call (is this right?), in any case you need the resulting address to point to a valid imported function address. So, could you explain a little bit more what you want to do?
Cheers
Nacho_dj
#3
Hi Nacho_dj,
I used ImpREC with no success; it creates a wrong IAT. I can find the correct address for each IAT cell by setting a breakpoint at the end of the YYYYYYYY function, but I want to correct the IAT automatically. I patched the YYYYYYYY function to correct the related IAT cell on each call, but it is not enough, because I cannot be sure that all of the APIs are used when I run the program. I wrote a script that injects a call for each cell of the IAT and executes it. This script can find an API address for each cell, but the result of the YYYYYYY function depends on the caller function, so the result from the injection is not correct. So with none of these approaches can I correct the IAT. This is my problem.
#4
It is not a trivial task, but:
1. You should inject your DLL into the reversed process.
2. This DLL must patch the code place before "ret" that jumps to the imported function.
3. In series, you must scan and call all import-calling places, for restoring the original calls.
4. And some other things ...
For details, read the attachment.
#5
Looks like a promising tutorial... I have been translating it with Babelfish to English, but I'm even more confused than with a direct read of the Russian.
Is that same tutorial translated into English somewhere? Thanks
#6
There is one in Dutch (NFS Underground II).
#7
Hello toro:
Could you PM the target name? I would like to have a look at it.
Thanks and cheers!
Nacho_dj
#8
It's probably SafeCast protection. I've coded a SafeCast unpacker, but I need more targets to test it on before I release it. I have 2 targets (2.65 & 3.0), but it's not enough, so could you PM the target name/link to me, too?
Steps to unpack SafeCast:
1. Find OEP and IAT ;)
2. Break on OEP.
3. Make a tracer to get the real API for every IAT entry (ImpREC is not good enough), but do not overwrite the IAT yet.
4. Search for fake API calls in the code section:

    0xFF15 - CALL [xxxx]
    0xFF25 - JMP [xxxx]
    0xE9   - JMP xxxx
    0x8Bxx - mov r32,[xxxx]

   and trace to get the real API.
5. Fix the fake API calls/jmps so they use the proper IAT entry (from step 3).
6. Search for redirected calls in the code section. These calls point to code like:

    push ecx
    push eax
    call xxxx

   which points to code like this:

    mov eax, 6FBh
    pop ecx
    lea eax, [eax+ecx]
    mov eax, [eax]
    jmp eax

   or this:

    mov eax, 324Bh
    pop ecx
    add eax, ecx
    mov eax, [eax]
    jmp eax

   and trace until you get back to the code section. In this step the protection engine restores a few bytes in the redirected call instruction and after this instruction. You can hook WriteProcessMemory to see this.
7. Update the IAT and fix the header.
8. Dump the file.
9. Use ImpREC to build the import table.
10. If the target works fine, be happy ;)
Last edited by ajron; 12-16-2005 at 22:50.