#1
CrypKey + PEBundle = Mess
Hi all, I searched throughout all the forum but cannot find an answer to my questions.
PREMISES: The target I am unpacking is SwishJukeBox. I am trying to unpack it because the Markus generic crack works only in part. The program is packed 3 times with PEBundle and once with CrypKey.

OPERATIONS PERFORMED: Unpacking PEBundle is easy: F8, F8, follow ESP in dump, HWBP on execution, F8 F8 and we land on the next shell's OEP. Doing this 3 times leads to the CrypKey OEP. Finding the REAL OEP is a piece of cake; I just need to trace with F8 until I reach a weird unpacking sequence. Bypassing it after studying the code just a bit leads to some final code and to a JMP EAX; F7 on that and we are at the OEP. The IAT seems good, so I run LordPE and dump. I run ImpREC, type in the OEP and all thunks are OK, except the Kernel32 one, which has 4 invalid pointers.

QUESTIONS AND CONCERNS: Tracing 1, 2 and 3 does not lead to the solution. I tried to go to one invalid thunk in Olly; it leads to code stored in the PEBundle section where there is some weird code but no sign of real API functions (maybe they are custom-coded ones). Now the questions are two:
1) Is it CrypKey or PEBundle that is responsible for this IAT mangling? On this question I'm fairly sure that it is PEBundle, since I read in other tutorials that CrypKey does not corrupt the IAT.
2) How can I find which API functions have been stolen by PEBundle and restore them?

NOTE: If I fix the IAT with the invalid pointers and leave everything untouched, the executable runs like a charm, but I want to CUT out all PEBundle sections, and if I do that, whether or not I cut out the invalid thunks, the executable crashes reading those thunks. Has anyone encountered this problem before and come up with a solution?

Second question (banal): The resource section is a bit mangled and when I open it with ResHacker it is not able to display dialogs. What do you advise as a resource viewer, or how can I rebuild the resource section?
EDIT: Used ResTuner but discovered that the disabling function is performed at runtime, so no need for a resource editor. Thanks to all. TmC Last edited by TmC; 11-20-2006 at 01:45.
#2
@TmC
Try ResScope at restools.com. Maybe this resource viewer/editor can help.