#1
BitArts Crunched target unpacked but only works on 2k?
Been scratching my head over this one. I have successfully dumped a BitArts Crunch target from the OEIP and rebuilt the IAT without any probs. As ppl know, with BitArts the easiest way to defeat the PE stub checking is to copy the original header back into memory after using VirtualProtect.
Anyway... the program works perfectly on Win 2000 but refuses to work on XP and Windows 2003. I have tried dumping and rebuilding the imports on 2003 and XP to see if this fixes the problem, but no go. I suspect the IAT is messed up somehow when running under these OSes, but this has me stumped. Has anyone had this problem before, where your rebuilt proggies work on one OS but not another? (talking about 2000, 2003, XP here) Have stopped on OEIP with both OllyDbg and SoftIce, tried dumping with both LordPE and PETools, in all cases rebuilt the imports with MackT. cheers -Ex
#2
At least u could dump a crunched file successfully... i have downloaded all the possible tuts for unpacking BitArts Crunch, and still none of them worked 4 me in unpacking the file successfully...
site:- hxxp://osenxpsuite.net/ the file is an ocx... i changed its characteristic to exe, and then debugged it in Olly, dumped it using LordPE... did everything but still no luck... help needed thanx TDW {RES}
#3
UnPacking : Crunch/PE -> Bit-Arts .OCX

Target : osenxpsuite2005.ocx - hxxp://www.osenxpsuite.net
Difficulty : Easy
Tools needed : WinXP sp2 - Olly - LordPE - ImpRec
ImageBase : 22810000
EP : 229F6000

Open target in Olly:

    229F6000  PUSH EBP
    229F6001  CALL 229F6006
    229F6006  POP EBP
    229F6007  SUB EBP,6
    229F600A  MOV EAX,EBP
    229F600C  PUSH EBP
    229F600D  PUSHAD
    229F600E  MOV DWORD PTR SS:[EBP+3410],EBP    // Set BP on this line
    229F6014  SUB EAX,DWORD PTR SS:[EBP+33EB]
    229F601A  MOV DWORD PTR SS:[EBP+249F],EAX

Set BP on 229F600E ==> press F9 ==> Dump ESP ==> select 4 bytes from the dump ==> set Hard BP on access DWORD ==> press Shift+F9 ==> Olly stops here:

    229F60E5  POP EBP
    229F60E6  MOV EAX,DWORD PTR SS:[EBP+340C]
    229F60EC  POP EBP
    229F60ED  JMP EAX                            // Jmp to OEP
    229F60EF  MOV ESI,340C
    229F60F4  ADD ESI,EBP

Press F7 F7 F7 F7 ==> now we are at the OEP:

    22811360  POP EDX                            // OEP
    22811361  PUSH osenxpsu.2296C9B4
    22811366  PUSH osenxpsu.2296C9B8
    2281136B  PUSH EDX
    2281136C  JMP osenxpsu.22811358
    22811371  ADD BYTE PTR DS:[EAX],AL
    22811373  ADD BYTE PTR DS:[EAX+30000000],AH

Run LordPE ==> select Loaddll.exe ==> select osenxpsuite2005.ocx ==> Full Dump.
Run ImpRec ==> select Loaddll.exe from the process list ==> Pick DLL ==> select osenxpsuite2005.ocx.
OEP = 22811360 - ImageBase = 22811360 - 22810000 = 1360 ==> IAT Auto Search ==> Get Imports ==> Fix Dump.
Target compiled with VB6 (P-code); cracking is easy.
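As an added worked example (not from the post above, nor from LordPE or ImpRec), here is the "OEP - ImageBase" step and the entry-point fix of a dump written out in code, using the three addresses quoted in the post. The PE image it operates on is a constructed minimal header (DOS stub, PE signature, COFF header, PE32 optional header, no sections), not the target's real file, and all function names are my own. The VA-below-ImageBase check is the one thing worth taking away: an address copied from the debugger that belongs to another module or to an image loaded at a different base produces a dump that never runs.

```python
import struct

# Values quoted in the post above (ImageBase, packer EP, OEP). Everything else
# in this file is constructed for illustration and is not the target's real header.
THREAD_IMAGE_BASE = 0x22810000
THREAD_PACKER_EP_VA = 0x229F6000
THREAD_OEP_VA = 0x22811360

# Offsets inside the optional header (PE/COFF specification).
OPT_MAGIC = 0x00
OPT_ENTRY_RVA = 0x10
OPT_IMAGE_BASE_PE32 = 0x1C
OPT_IMAGE_BASE_PE32PLUS = 0x18
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def build_minimal_pe(image_base, entry_rva):
    """Constructed stand-in for a dumped image: DOS stub, PE signature, COFF
    header and a PE32 optional header with no sections. Only the fields the
    functions below read are populated."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))        # e_lfanew: PE signature follows the stub
    # Machine=i386, 0 sections, timestamp/symbols zero, SizeOfOptionalHeader=224,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, OPT_MAGIC, PE32_MAGIC)
    struct.pack_into("<I", opt, OPT_ENTRY_RVA, entry_rva)
    struct.pack_into("<I", opt, OPT_IMAGE_BASE_PE32, image_base)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def parse_pe(data):
    """Return optional-header offset, magic, ImageBase and AddressOfEntryPoint.
    PE32 and PE32+ keep ImageBase at different offsets, so both are handled."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                              # skip signature and 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt + OPT_MAGIC)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + OPT_IMAGE_BASE_PE32)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + OPT_IMAGE_BASE_PE32PLUS)[0]
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + OPT_ENTRY_RVA)[0]
    return {"opt_off": opt, "magic": magic, "image_base": image_base, "entry_rva": entry_rva}


def va_to_rva(va, image_base):
    """The post's 'OEP - ImageBase' step. A VA below ImageBase cannot belong to
    this image as loaded, so refuse it instead of producing a garbage RVA."""
    if va < image_base:
        raise ValueError("VA 0x%X lies below ImageBase 0x%X" % (va, image_base))
    return va - image_base


def set_entry_point(data, oep_va):
    """Rewrite AddressOfEntryPoint in a dump so it points at the real OEP."""
    info = parse_pe(data)
    out = bytearray(data)
    struct.pack_into("<I", out, info["opt_off"] + OPT_ENTRY_RVA,
                     va_to_rva(oep_va, info["image_base"]))
    return bytes(out)


def demo():
    """Run the steps on the constructed image with the thread's addresses:
    returns (packer EP RVA before the fix, OEP RVA after the fix)."""
    packed = build_minimal_pe(THREAD_IMAGE_BASE,
                              va_to_rva(THREAD_PACKER_EP_VA, THREAD_IMAGE_BASE))
    fixed = set_entry_point(packed, THREAD_OEP_VA)
    return parse_pe(packed)["entry_rva"], parse_pe(fixed)["entry_rva"]


if __name__ == "__main__":
    before, after = demo()
    print("packer EP RVA = 0x%X, OEP RVA after fix = 0x%X" % (before, after))
```

Running the script prints the packer's entry RVA (0x1E6000) beside the corrected one (0x1360), the same value the post arrives at by hand; on a real dump you would read the file instead of calling build_minimal_pe and still have to rebuild the import table separately, which is what the ImpRec steps in the post do.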
#4
bro...
when i load the ocx using dllload.exe, set the break point, and press F9, Olly never breaks at the break point.... just keeps on running.... i have tried the other way round.... though, by changing the characteristic of the ocx 2 exe... and loading the ocx directly... without the need of dllload.exe. and followed the same steps... but parts of the ocx still remain packed... thanx TDW {RES}
#5
That's amazing, Magic_H2K+1
As always you did it in a minute. Excellent.
#6
Load target in Olly ==> after full load ==> set Hard BP on exec on EP
==> set BP on 004100AF ==> restart Olly ==> Olly stops ==> F9 ==> Olly stops at EP......
#7
thanx... magic...
u r good..... got 2 learn a lot from u..... i haven't done any inline patching.... got 2 learn with some test subjects.... have 2 download some tuts relating to inline patching.... i think.... as such practice makes man perfect... thanx TDW {RES}