#1
Unpacking - Tsunami MPEG DVD Author PRO
Hi,
Target: Tsunami MPEG DVD Author PRO 2.1.5.77
hxxp://download1.pegasys-inc.com/download_files/TDAP-retail-2.1.5.77-en.exe

This tool is coded in Delphi and seems to be protected by some custom packer.

Sections: CODE DATA BSS .idata .tls .rdata .reloc .rsrc PEGASYS0 PEGASYS1 PEGASYS2

011AF000 - 011B090B (PEGASYS2): some unpacking routines, no anti-debugging.

011A1001 (PEGASYS0): here I begin to lose track, IDA gets fooled and OllyDbg can't analyse it.

Code:
011A1001   90               NOP
011A1002   60               PUSHAD
011A1003   E8 03000000      CALL DVDAutho.011A100B
011A1008 - E9 EB045D45      JMP 467714F8
011A100D   55               PUSH EBP
011A100E   C3               RETN
011A100F   E8 01000000      CALL DVDAutho.011A1015
011A1014   EB 5D            JMP SHORT DVDAutho.011A1073
011A1016   BB ECFFFFFF      MOV EBX,-14

but I can't spot the OEP. Can anyone help me please?

Greetz,
Cobi

Last edited by Cobi; 03-07-2006 at 04:47.
#2
Hello:
Have you tried dumping to a file after launching it, when all is unpacked in memory? And what about the rebuilding of the import table? Did you manage this? For instance, using Import Reconstructor... Just some ideas...

Cheers
Nacho_dj
#3
dvdauthorpro.exe
This is a Delphi 6/7 app, but I cannot run this app since I don't have an SSE-instruction-compatible processor (single process, can be dumped from memory). You see PUSHAD at EP (like UPX...)? OEP: 9f3628 (no stolen bytes). Dotfix FakeSigner maybe.
#4
Quote:
Isn't there any fix for that issue? It is astonishing...

Cheers
Nacho_dj
#5
No stolen bytes, IAT not scrambled; the packer is something like a modified ASPack... In Olly, bp on the code section, then about 3x RETN, then the IAT is rebuilt and jmp to OEP... but the dump doesn't run, some fixes needed.

I forgot: you must remove analysis if you want to see some code.

Last edited by N0P; 03-08-2006 at 00:47.
#6
Hmm, ok, thx, great.

Little OEP script for Olly:

Code:
bp 011B090B                 // break at the end of the PEGASYS2 unpacking routines
run
sto                         // step over
bc 011B090B                 // clear the breakpoint
bprm 00401000, 005F3000     // memory breakpoint on read of the code section
run
bpmc                        // clear the memory breakpoint
bp 011A1104
run
run
run
run
bc 011A1104
rtr                         // run until return
sto

Maybe some anti-dumping?
#7
Have you tried the standard stack hardware breakpoint? You can then obtain the OEP.

If it is a standard packer (UPX, ASP, etc.) just bpx in the IAT, take notice of the instruction writing to the IAT, rerun and break at it. Then dump (the original IAT will be kept), fix with the found OEP, alter the IAT pointers with LordPE to point to the unscrewed/virgin IAT et voilà (ImpREC might help you locating the real IAT size, I think).

Regards,
Maximus

(btw I found NOP+PUSHAD+CALL in some ASPack EP version)
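The "dump, then fix with the found OEP, then repoint the IAT" step that N0P (#5) and Maximus (#7) describe, as an added example that is not part of this thread: a minimal PE32 header fixer in Python. Given a raw memory dump and the OEP taken from the debugger, it writes AddressOfEntryPoint, realigns every section so file offsets equal RVAs (the same header surgery LordPE's rebuild does), and optionally repoints the import data directory at a clean descriptor table. The sample image, its section names and every address in it (ImageBase 0x400000, OEP 0x401230, import directory 0x3100) are constructed for the example and are not taken from the target; rebuilding the import descriptors themselves (ImpREC's job) is out of scope.

```python
import struct

OPT_MAGIC, OPT_ENTRY_POINT, OPT_IMAGE_BASE = 0, 16, 28   # PE32 optional header offsets
OPT_SECTION_ALIGN, OPT_FILE_ALIGN, OPT_SIZE_OF_IMAGE = 32, 36, 56
OPT_IMPORT_DIR = 96 + 8 * 1            # data directory entry 1 = import table
PE32_MAGIC, SECTION_HEADER_SIZE = 0x10B, 40


def _align_up(value, alignment):
    return (value + alignment - 1) & ~(alignment - 1)


def _headers(data):
    """Return (file_header_off, optional_header_off, section_table_off)."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    file_hdr, opt_hdr = e_lfanew + 4, e_lfanew + 24
    size_opt, = struct.unpack_from("<H", data, file_hdr + 16)
    return file_hdr, opt_hdr, opt_hdr + size_opt


def opt_fields(data, offset, fmt):
    """Read optional-header fields, e.g. opt_fields(img, OPT_ENTRY_POINT, "<I")."""
    return struct.unpack_from(fmt, data, _headers(data)[1] + offset)


def sections(data):
    """Parse the section table into dicts (name, va, vsize, raw_ptr, raw_size)."""
    file_hdr, _, table = _headers(data)
    count, = struct.unpack_from("<H", data, file_hdr + 2)
    out = []
    for i in range(count):
        off = table + i * SECTION_HEADER_SIZE
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        out.append({"name": name, "va": va, "vsize": vsize,
                    "raw_ptr": raw_ptr, "raw_size": raw_size})
    return out


def fix_dump(dump, oep_va, import_dir=None):
    """Make a raw memory dump of a PE32 image loadable again: set the entry point
    to the OEP found in the debugger, realign every section so PointerToRawData ==
    VirtualAddress (a dump is laid out by RVA, not by file offset), and optionally
    repoint the import data directory at a clean (rva, size)."""
    data = bytearray(dump)
    file_hdr, opt, table = _headers(data)
    if opt_fields(data, OPT_MAGIC, "<H")[0] != PE32_MAGIC:
        raise ValueError("only PE32 images are handled")
    image_base, sec_align, _ = opt_fields(data, OPT_IMAGE_BASE, "<III")
    if len(data) < opt_fields(data, OPT_SIZE_OF_IMAGE, "<I")[0]:
        raise ValueError("dump is shorter than SizeOfImage: not a full image dump")

    # An OEP outside every section (wrong ImageBase, typo in the address) would
    # crash on load no matter what else is fixed, so refuse it up front.
    oep_rva = oep_va - image_base
    if not any(s["va"] <= oep_rva < s["va"] + _align_up(s["vsize"], sec_align)
               for s in sections(data)):
        raise ValueError(f"OEP RVA {oep_rva:#x} lies outside every section")
    struct.pack_into("<I", data, opt + OPT_ENTRY_POINT, oep_rva)
    struct.pack_into("<I", data, opt + OPT_FILE_ALIGN, sec_align)  # match RVA layout

    count, = struct.unpack_from("<H", data, file_hdr + 2)
    for i in range(count):
        off = table + i * SECTION_HEADER_SIZE
        vsize, va = struct.unpack_from("<II", data, off + 8)
        struct.pack_into("<II", data, off + 16, _align_up(vsize, sec_align), va)
    if import_dir is not None:
        struct.pack_into("<II", data, opt + OPT_IMPORT_DIR, *import_dir)
    return bytes(data)


def build_sample_dump():
    """Constructed sample, not the real target: a PE32 image as dumped from memory,
    Delphi-style sections plus a packer section that still holds the entry point."""
    image_base, sec_align, file_align, size_of_image = 0x400000, 0x1000, 0x200, 0x5000
    secs = [  # name, VirtualAddress, VirtualSize, on-disk PointerToRawData, SizeOfRawData
        (b"CODE", 0x1000, 0x1234, 0x400, 0x1400),
        (b"DATA", 0x3000, 0x0800, 0x1800, 0x0800),
        (b"PEGASYS0", 0x4000, 0x1000, 0x2000, 0x1000),
    ]
    img = bytearray(size_of_image)
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                               # e_lfanew
    # COFF header: i386, 3 sections, no symbols, PE32 optional header, EXE | 32BIT
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, len(secs), 0, 0, 0, 0xE0, 0x0102)
    opt = 0x58
    struct.pack_into("<H", img, opt + OPT_MAGIC, PE32_MAGIC)
    struct.pack_into("<I", img, opt + OPT_ENTRY_POINT, 0x4001)            # packer stub EP
    struct.pack_into("<I", img, opt + OPT_IMAGE_BASE, image_base)
    struct.pack_into("<II", img, opt + OPT_SECTION_ALIGN, sec_align, file_align)
    struct.pack_into("<I", img, opt + OPT_SIZE_OF_IMAGE, size_of_image)
    for i, (name, va, vsize, raw_ptr, raw_size) in enumerate(secs):
        off = opt + 0xE0 + i * SECTION_HEADER_SIZE
        img[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", img, off + 8, vsize, va, raw_size, raw_ptr)
    return bytes(img)
```

Run `fix_dump()` on the dump taken once the script or the stack hardware breakpoint has landed on the OEP, and compare `sections()` before and after: the raw pointers move from file-aligned offsets (0x400, 0x1800, ...) to the RVAs (0x1000, 0x3000, ...), which is why a realigned dump is larger than the original file. The `import_dir` argument is the "alter the IAT pointers with LordPE" step; the descriptor table it points at still has to come from ImpREC or a manual rebuild.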
#8
Quote:
#9
@Nacho_dj
Lack of a "processor with SSE instruction built-in support" has nothing to do with Delphi apps.