Exetools  

  #1  
Old 09-06-2003, 20:21
koncool
 
Posts: n/a
TSRh UPX

Most of you guys know Trillian from Cerulean Studios.
hxxp://trillian.net.ru/ has the latest beta and crack by
TSRh. I tried to upx -d the file to see the differences
(no crack stealing just knowledge) but it appears
that TSRh have modified their UPX just to make it
impossible to upx -d. I tried to unpack it the manual
way, but I got stuck. I dumped the process with
LPE-DLXb and rebuilt it with the PE Editor function.
It didn't run. I used ImpREC 1.6 FINAL but it still
doesn't run. I tried to realign it using both ProcDump
and LordPE but it STILL doesn't run. What am I doing
wrong?

P.S. kaloom, you're not the smallest (referring to age) unpacker in here
  #2  
Old 09-06-2003, 20:47
Qubert
 
Posts: n/a
Try Bratalarms "Generic Unpacker for UPX". h++p://processor.at/asm.


Qubert
  #3  
Old 09-06-2003, 21:29
sinker
 
Posts: n/a
Maybe you could try FileScanner...
That's a nice tool~
  #4  
Old 09-07-2003, 00:43
bunion
Koncool

Scan crack with PEiD .9..and use generic OEP FINDER

OEP = 43385F

Good...

Load cracked.exe into OllyDbg by choosing..

File..Open

Once the file has opened, and after Olly's warning about the file maybe being compressed, use the Commandline plug-in by choosing...

Plugins..Commandline..Commandline

In the Commandline window enter..

HE 43385F

Then straight away press F9..

Olly will stop the program's code at line 43385f

STOP DON'T DO ANYTHING !!

Run Lord PE,Scan Running Processes and highlight

"trillian_pb_tsrh.exe" <- cracked.exe

Right click in process window and choose...

Dump FULL

Lord PE creates a "Dumped.exe" in Trillian's folder

STOP DON'T DO ANYTHING !!

Run IMPREC..

Browse Imprec Running Processes and highlight

"trillian_pb_tsrh.exe" <- cracked.exe

Enter into OEP box 3385F

Now Click on

IAT AUTOSEARCH

Imprec will say "maybe found something click GET IMPORTS"

Ok then do that Click..

GET IMPORTS

In the Imprec main window you'll see all the found APIs with "Yes"

Good now choose...

FIX DUMP

A browser window will open ..browse to Dumped.exe in Trillian folder and click it...

IMPREC will now rebuild the IAT imports and save the rebuilt file as

DUMPED_EXE..

THAT'S IT!!!...You can now disassemble the file in W32DASM or IDA

Note..Although the fixed file runs and disassembles and PEiD reports it as a Visual C exe, the resources still get reported as compressed in Resource Hacker..is this normal or have I missed something??

Thanks

paul333
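Post #4 gives the OEP as 43385F for the OllyDbg breakpoint and 3385F for ImpREC's OEP box: the first is a virtual address, the second an RVA (VA minus the PE ImageBase). An added example, not part of the thread, that parses a PE32 header and does that conversion; the header bytes are constructed, and the ImageBase of 0x400000 and the UPX0/UPX1/.rsrc section layout are assumptions, not values read from the file discussed.

```python
import struct

def parse_pe32(data: bytes) -> dict:
    """Read ImageBase, entry-point RVA and section table from a PE32 header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (n_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    opt = pe_off + 24                                           # optional header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a 32-bit (PE32) optional header")
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    (image_base,) = struct.unpack_from("<I", data, opt + 28)
    sections = []
    for i in range(n_sections):                                 # 40-byte entries
        name, vsize, vaddr = struct.unpack_from("<8sII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize))
    return {"image_base": image_base, "entry_rva": entry_rva, "sections": sections}

def va_to_rva(pe: dict, va: int):
    """Convert a debugger VA to (RVA, name of the section containing it)."""
    rva = va - pe["image_base"]
    if rva < 0:
        raise ValueError("VA lies below ImageBase")
    for name, vaddr, vsize in pe["sections"]:
        if vaddr <= rva < vaddr + vsize:
            return rva, name
    return rva, None

def build_sample() -> bytes:
    """Constructed PE32 header only (assumed layout, not the real file)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x10F)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, 0x7A000)     # packed entry point (constructed)
    struct.pack_into("<I", opt, 28, 0x400000)    # assumed default ImageBase
    layout = [(b"UPX0", 0x1000, 0x60000), (b"UPX1", 0x61000, 0x1A000),
              (b".rsrc", 0x7B000, 0x5000)]
    secs = b"".join(struct.pack("<8sII", n, vs, va) + b"\0" * 24 for n, va, vs in layout)
    return dos + b"PE\0\0" + coff + bytes(opt) + secs

if __name__ == "__main__":
    pe = parse_pe32(build_sample())
    rva, section = va_to_rva(pe, 0x43385F)       # VA from post #4
    print(f"VA 43385F -> RVA {rva:X} in section {section}")
```

With the constructed layout, the header's own entry point falls in UPX1 while the converted OEP falls in UPX0, the section that holds the unpacked code at run time.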
  #5  
Old 09-07-2003, 01:06
koncool
 
Posts: n/a
Thanks paul333. I didn't use OllyDbg. Now I know what I missed.
You can open LordPE and extract the RSRC section from the
TRILLIAN_PB_TSRH.EXE and import it in cracked.exe if I'm not
mistaken. Thanks for your help.