#1
Unpacked Files under XP SP1 don't work on SP2
I found some cracks (unpacked files) that work on XP SP1, but not on SP2.
If this is due to kernel changes, should there be any modification to the tools, e.g. Olly, ImpRec or QuickUnpack? And I have a program unpacked on SP1 and it works. I can load it successfully and see all program strings using Olly. Now I do the same under SP2, and the unpacked result differs in size from the previous one. Olly cannot load it due to the error: "Don't know how to bypass command at...Try to change EIP or pass exception to program". I don't receive this error when loading the first unpacked file under SP1. Any idea?
#2
Any attaches?
#3
it is attached now,
pls take a look. Thanks.
#4
There're no unpacked-and-not-working files in your attach
Last edited by amitophia; 04-22-2005 at 05:26.
#5
btw the original target doesn't run under WinXP SP2. Maybe cos it's protected by Themida... And amitophia is right, the job isn't complete I guess.
#6
sorry, attached is the unpacked and not working on SP2.
#7
Program's not working under xp sp0 too. And that's why:
If you look at the import table you can see that all entries are referenced by ordinals. This means that it will work only with those versions of the DLLs which were loaded when you dumped the target. For example, kernel32.dll!Beep has ordinal number 27 in xpsp0 and number 29 in xpsp2. To work around this problem, go to xpsp1 and convert all ordinal imports to name imports (maybe it cannot be done with all imports. If that's the case, leave ordinals for such DLLs). I think there are some tools that can do this automatically. You can load the unpacked program and dump it with the option "Reconstruct imports" (or something like this) set.
Last edited by amitophia; 04-21-2005 at 04:41.
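The ordinal-versus-name distinction described in post #7, as an added example that is not part of the original thread: a decoder for 32-bit import thunks that flags ordinal-only entries, plus a small model of how each kind resolves against two DLL builds. The function names, the constructed buffer (where RVA equals buffer offset) and the placeholder export names are assumptions; only Beep's ordinals 27 and 29 come from the post.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000  # high bit of a 32-bit import thunk

def decode_thunks(image, thunk_rva):
    """Walk a zero-terminated IMAGE_THUNK_DATA32 array.

    Assumes RVA == buffer offset, which holds only for the constructed
    buffer below, not for a PE file on disk.
    """
    imports = []
    while True:
        (thunk,) = struct.unpack_from("<I", image, thunk_rva)
        if thunk == 0:
            return imports
        if thunk & IMAGE_ORDINAL_FLAG32:
            imports.append(("ordinal", thunk & 0xFFFF))
        else:
            # IMAGE_IMPORT_BY_NAME: 2-byte hint, then NUL-terminated name
            end = image.index(b"\0", thunk + 2)
            imports.append(("name", image[thunk + 2:end].decode("ascii")))
        thunk_rva += 4

def resolve(imp, exports):
    """Model the loader: exports maps ordinal -> name for one DLL build."""
    kind, value = imp
    if kind == "ordinal":
        return exports.get(value)  # whatever export sits in that slot
    return value if value in exports.values() else None

def build_image():
    # Constructed buffer: thunk array at 0, one IMAGE_IMPORT_BY_NAME at 0x10.
    thunks = struct.pack("<III", IMAGE_ORDINAL_FLAG32 | 27, 0x10, 0)
    by_name = struct.pack("<H", 0) + b"Beep\0"
    return thunks.ljust(0x10, b"\0") + by_name

# Beep's ordinals (27, 29) are from the post; other entries are placeholders.
XPSP0 = {27: "Beep", 29: "PlaceholderExportA"}
XPSP2 = {27: "PlaceholderExportB", 29: "Beep"}

def main():
    for imp in decode_thunks(build_image(), 0):
        print(imp, "sp0 ->", resolve(imp, XPSP0), "| sp2 ->", resolve(imp, XPSP2))

if __name__ == "__main__":
    main()
```

The ordinal thunk binds to whatever occupies slot 27 in the loaded build, while the name thunk resolves to Beep on both.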
#8
ami,
it works! I loaded the original target with Olly and got the OEP, then fixed the unpacked file using ImpRec. btw, the developer just released another tool that I cannot unpack the same way (maybe it uses a newer protection system). PEiD 0.93 cannot detect the OEP and Olly crashed. Please take a look, the target can be downloaded from: http://rapidshare.de/files/1429442/Target.rar.html
Last edited by ivanov; 04-26-2005 at 00:49.