#1
TSRh UPX
Most of you guys know Trillian from Cerulean Studios.
hxxp://trillian.net.ru/ has the latest beta and crack by TSRh. I tried to upx -d the file to see the differences (no crack stealing, just knowledge) but it appears that TSRh have modified their UPX just to make it impossible to upx -d. I tried to unpack it the manual way, but I got stuck. I dumped the process with LPE-DLXb and rebuilt it with the PE Editor function. It didn't run. I used ImpREC 1.6 FINAL but it still doesn't run. I tried to realign it using both ProcDump and LordPE but it STILL doesn't run. What am I doing wrong?

P.S. kaloom, you're not the smallest (referring to age) unpacker in here
#2
Try Bratalarms "Generic Unpacker for UPX". h++p://processor.at/asm.
Qubert
#3
Maybe you could try FileScanner...
That's a nice tool~
#4
Koncool
Scan the crack with PEiD .9.. and use the generic OEP FINDER: OEP = 43385F. Good...

Load cracked.exe into OllyDbg by choosing.. File..Open

Once the file has opened, and after Olly's warning about the file maybe being compressed, use the Commandline plug-in by choosing... Plugins..Commandline..Commandline

In the Commandline window enter.. HE 43385F

Then straight away press F9.. Olly will stop the program's code at line 43385f

STOP, DON'T DO ANYTHING !!

Run Lord PE, scan Running Processes and highlight "trillian_pb_tsrh.exe" <- cracked.exe

Right click in the process window and choose... Dump FULL

Lord PE creates a "Dumped.exe" in Trillian's folder

STOP, DON'T DO ANYTHING !!

Run IMPREC.. Browse Imprec Running Processes and highlight "trillian_pb_tsrh.exe" <- cracked.exe

Enter into the OEP box 3385F

Now click on IAT AUTOSEARCH. Imprec will say "maybe found something click GET IMPORTS". OK, then do that. Click.. GET IMPORTS

In the Imprec main window you'll see all the found APIs with "Yes". Good, now choose... FIX DUMP

A browser window will open.. browse to Dumped.exe in the Trillian folder and click it... IMPREC will now rebuild the IAT IMPORTS and save the rebuilt file as DUMPED_EXE..

THAT'S IT!!!... You can now disassemble the file in W32DASM or IDA

Note.. Although the fixed file runs and disassembles, and PEiD reports it as a Visual C exe, the resources still get reported as compressed in Resource Hacker.. is this normal or have I missed something??

Thanks
paul333
#5
Thanks paul3333. I didn't use OllyDbg. Now I know what I missed.
You can open LordPE and extract the RSRC section from the TRILLIAN_PB_TSRH.EXE and import it in cracked.exe, if I'm not mistaken. Thanks for your help.