Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 01-03-2004, 18:49
K3nny's Avatar
K3nny K3nny is offline
VIP
 
Join Date: Jul 2003
Posts: 106
Rept. Given: 25
Rept. Rcvd 13 Times in 6 Posts
Thanks Given: 11
Thanks Rcvd at 1 Time in 1 Post
K3nny Reputation: 13
Problem with fixing IAT

Icon Catcher v4.0.12
This program is protected with ASProtect 1.23 RC4 - 1.3.08.24.
I found OEP at 406D1C (it's true?) and I wanted fix IT with ImpREC. But I can't find all imports.

Can somebody help me?

Link: hxxp://wxw.helexis.com/ic/iconcatc.zip

Here is my incomplete tree:
Attached Files
File Type: txt tree.txt (19.1 KB, 17 views)
Reply With Quote
  #2  
Old 01-03-2004, 20:41
MaRKuS-DJM's Avatar
MaRKuS-DJM MaRKuS-DJM is offline
Cracker + Unpacker
 
Join Date: Aug 2003
Location: Virtual World / Network
Posts: 553
Rept. Given: 7
Rept. Rcvd 6 Times in 4 Posts
Thanks Given: 2
Thanks Rcvd at 16 Times in 10 Posts
MaRKuS-DJM Reputation: 6
your OEP isn't correct.
OEP: 4BDF70

stolen bytes:
push ebp
mov ebp,esp
sub esp,0c
mov eax,4BDB98

IAT:
Reply With Quote
  #3  
Old 01-03-2004, 20:48
MaRKuS-DJM's Avatar
MaRKuS-DJM MaRKuS-DJM is offline
Cracker + Unpacker
 
Join Date: Aug 2003
Location: Virtual World / Network
Posts: 553
Rept. Given: 7
Rept. Rcvd 6 Times in 4 Posts
Thanks Given: 2
Thanks Rcvd at 16 Times in 10 Posts
MaRKuS-DJM Reputation: 6
write @Adress 4BFB40 in binary: 180F4B00 and it should be registered

and rename the dump to "IconCatcher.exe" or it won't work correctly

Last edited by MaRKuS-DJM; 01-03-2004 at 20:51.
Reply With Quote
  #4  
Old 01-04-2004, 03:18
K3nny's Avatar
K3nny K3nny is offline
VIP
 
Join Date: Jul 2003
Posts: 106
Rept. Given: 25
Rept. Rcvd 13 Times in 6 Posts
Thanks Given: 11
Thanks Rcvd at 1 Time in 1 Post
K3nny Reputation: 13
wow! your possibilities are perfect thanks from CZ...

how you found OEP ??? I traced it with OlyDBG TC EIP<500000 but it stopped at 406D1C

Last edited by K3nny; 01-04-2004 at 03:32.
Reply With Quote
  #5  
Old 01-04-2004, 03:40
MaRKuS-DJM's Avatar
MaRKuS-DJM MaRKuS-DJM is offline
Cracker + Unpacker
 
Join Date: Aug 2003
Location: Virtual World / Network
Posts: 553
Rept. Given: 7
Rept. Rcvd 6 Times in 4 Posts
Thanks Given: 2
Thanks Rcvd at 16 Times in 10 Posts
MaRKuS-DJM Reputation: 6
yes, that's right!!! i think it's that code:

00406D1C 50 PUSH EAX
00406D1D 6A 00 PUSH 0
00406D1F E8 F8FEFFFF CALL IconCatc.00406C1C
00406D24 BA 00F14B00 MOV EDX,IconCatc.004BF100
00406D29 52 PUSH EDX
00406D2A 8905 D8344C00 MOV DWORD PTR DS:[4C34D8],EAX
00406D30 8942 04 MOV DWORD PTR DS:[EDX+4],EAX
00406D33 C742 08 00000000 MOV DWORD PTR DS:[EDX+8],0
00406D3A C742 0C 00000000 MOV DWORD PTR DS:[EDX+C],0
00406D41 E8 8AFFFFFF CALL IconCatc.00406CD0
00406D46 5A POP EDX
00406D47 58 POP EAX
00406D48 E8 A7CCFFFF CALL IconCatc.004039F4
00406D4D C3 RETN

after the ret, you are @temp-OEP!
OEP = temp-OEP - stolen bytes
Reply With Quote
  #6  
Old 01-04-2004, 19:26
K3nny's Avatar
K3nny K3nny is offline
VIP
 
Join Date: Jul 2003
Posts: 106
Rept. Given: 25
Rept. Rcvd 13 Times in 6 Posts
Thanks Given: 11
Thanks Rcvd at 1 Time in 1 Post
K3nny Reputation: 13
ohhh...I must read some tutorials
__________________
k3dT
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Help to fixing API-Calls Nukacola General Discussion 6 05-11-2005 16:49
Import OS Fixing MaRKuS-DJM General Discussion 31 07-16-2004 23:20
Fixing an EXE to not call a DLL? Barry General Discussion 11 06-03-2004 00:37


All times are GMT +8. The time now is 01:33.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX
( 1998 - 2021 )