Exetools  

  #1  
Old 03-03-2005, 01:11
imagin
 
ActiveM***

Hi,

Has there been some detailed tutorial on the Activ*Mark security? I have read everything from this board, from the RCE board, and from Woodmann - but it never works for me - the programme crashes all the time, though the import repair is OK.
I also know the procedure from LunarDust.
Something for version 5.3 and higher - thanks.
  #2  
Old 03-03-2005, 01:42
peleon
It's good you read tutorials but you have to know that many times you have to put some effort on your part and use the debugger to guess where and why an unpacked application is crashing.

If you give here the steps that you have taken to unpack that application, I'm sure that some "ActiveMark unpacker people" here can direct you.

Cheers
  #3  
Old 03-03-2005, 07:57
imagin
 
1) start the prog. and dump it with PETools (or LordPE)
2) find the OEP in dumped.exe (PEiD - detect)
3) launch ImpRec on the running prog.
4) find the IAT
5) fix the dump: Dumped.exe -> Dumped_.exe

EDIT:
OEP of the second layer?????
Everyone writes his search differently - with TRW and SoftICE - I have XP so TRW is no use - I examine it in Olly - but I don't know how to find the OEP for the second layer.

Last edited by imagin; 03-03-2005 at 19:48.
  #4  
Old 03-03-2005, 18:33
SystemeD
Unpacking ActiveMark following the steps you described requires dumping the prog and setting the EP of the dump to the packer's second layer EP.
Are you sure you did it?
  #5  
Old 03-03-2005, 22:05
Hero
I am trying to learn how to unpack ActiveMark myself. For finding the OEP, I use the PEiD
Generic OEP finder. Is there anybody who knows whether this OEP is for layer 2 or not?

In addition: if you want to test your algorithm, you can use downloaded Yahoo games.
For example Cubic2 uses ActiveMark and it's only 8-9 MB.

sincerely yours
__________________
I should look out my posts,or JMI gets mad on me!
  #6  
Old 03-03-2005, 23:17
SystemeD
It's been a very long time since I played with ActiveMark and I don't remember exactly which EP PEiD finds. However, if I remember well, you can find the 2 EPs by opening the UNPACKED file with a hex editor and searching for one of these strings: "?AV_com_error@@" or "TdnA" without quotes (they must be near each other), and right after them there must be 2 recognizable addresses (DWORD).
The first is the second layer EP and the second is the OEP. You need the first; compare it with the one from PEiD.
Hope this helps.

Last edited by SystemeD; 03-04-2005 at 19:02. Reason: it's the unpacked file and not the packed one, sorry
  #7  
Old 03-03-2005, 23:47
imagin
 
According to me, PEiD finds the OEP for the first layer (maybe).
But how to find the OEP for the second layer - in each tutorial I have it is done differently and nothing works.......
This is for the DUMPED file!!!
(for example - search in a hex editor for the string "TdnAVp" or ".?AV_com_error@@" and at 24h - this is the RVA of the OEP......)
(for example 2 - search in a hex editor for the string "TdnAVp" and patch the JE before it to JNE..........)
.......... and .......... big nothing - AV... Could anybody point out a concrete instance?? (I don't care on what)
Thx
  #8  
Old 03-05-2005, 00:34
SystemeD
Well, I took my old target (protected with ActiveMark 5.3) and gave it a look. I dumped it at the browser window and searched for the famous string. The result is in the image attached. The dword highlighted is the RVA of the 2nd layer's EP.
Hero's target has a bit different pattern because it's an old version of the packer (2.7...); the strings are still there but in a different position.
You can check the packer version by running protected apps with this arg: "--AmClientVersion" (without quotes).
Regards,
SystemeD

PS: I edited my previous post because it was wrong...

Last edited by SystemeD; 03-05-2005 at 00:57. Reason: Problem with attachment...
  #9  
Old 03-05-2005, 01:27
Hero
Hi SystemD
Quote:
Hero's target has a bit different pattern because it's an old version of the packer (2.7...), the strings are still there but in a different position.
Thanks for checking that, but imagin said:
Quote:
According to me, PEiD finds the OEP for the first layer (maybe).
I tested PEiD for this version on my work (2.7) and it returns the second layer
OEP (too interesting!).
But I don't know why my work is not working:
1- Dump the running program while the browser is showing, with LordPE.
2- Using the OEP that I found, find my IT in ImpRec and reconstruct my dump.

Now this dump should work and show something (I heard that I should see something
about an error in ActiveMark), but it is not doing anything.
Any suggestion as to why this happens and my dump is not working?

sincerely yours
  #10  
Old 03-05-2005, 04:50
imagin
 
OK - same process as Hero (other target) - same problem - why?

Code:
006C7593 >  55              PUSH    EBP                          <<<<-------------- OEP by PEiD
006C7594    8BEC            MOV     EBP, ESP
006C7596    6A FF           PUSH    -1
006C7598    68 C8CB5E00     PUSH    dumped_.005ECBC8
006C759D    68 70D96C00     PUSH    dumped_.006CD970
006C75A2    64:A1 00000000  MOV     EAX, DWORD PTR FS:[0]
006C75A8    50              PUSH    EAX
006C75A9    64:8925 0000000>MOV     DWORD PTR FS:[0], ESP
006C75B0    83EC 58         SUB     ESP, 58

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

006C7619    FF15 60B16E00   CALL    NEAR DWORD PTR DS:[6EB160]       ; kernel32.GetCommandLineA
006C761F    A3 44766E00     MOV     DWORD PTR DS:[6E7644], EAX
006C7624    E8 7E5E0000     CALL    dumped_.006CD4A7
006C7629    A3 A85E6E00     MOV     DWORD PTR DS:[6E5EA8], EAX
006C762E    E8 275C0000     CALL    dumped_.006CD25A
006C7633    E8 695B0000     CALL    dumped_.006CD1A1
006C7638    E8 A2390000     CALL    dumped_.006CAFDF                  ------------ ?????CALL ------'
006C763D    8975 D0         MOV     DWORD PTR SS:[EBP-30], ESI                                     ' 
006C7640    8D45 A4         LEA     EAX, DWORD PTR SS:[EBP-5C]                                     ' 
006C7643    50              PUSH    EAX                                                            '      
006C7644    FF15 F8B16E00   CALL    NEAR DWORD PTR DS:[6EB1F8]       ; kernel32.GetStartupInfoA    '
                                                                                                   '
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX                             '
                                                                                                   '
005F3FFE    8B46 04         MOV     EAX, DWORD PTR DS:[ESI+4]  <<<<-------------- ACCESS VIOLATION-
005F4001    FF70 04         PUSH    DWORD PTR DS:[EAX+4]
005F4004    E8 D4000000     CALL    dumped_.005F40DD
005F4009    EB 35           JMP     SHORT dumped_.005F4040
005F400B    8379 20 00      CMP     DWORD PTR DS:[ECX+20], 0
005F400F  ^ 74 AD           JE      SHORT dumped_.005F3FBE
005F4011    3B30            CMP     ESI, DWORD PTR DS:[EAX]
005F4013    75 0A           JNZ     SHORT dumped_.005F401F
005F4015    8BF0            MOV     ESI, EAX
005F4017    8BCB            MOV     ECX, EBX
005F4019    56              PUSH    ESI
005F401A    E8 BE000000     CALL    dumped_.005F40DD
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
005E5028  FD 83 8F AF 06 94 7D 11 E4 2D DE 9F CE D2 C8 04  ýƒŹŻ.Ħħ}.ä-ŢźÎŇČ.
005E5038  DD A6 D8 0A 00 00 00 00 C0 CB 5E 00 00 00 00 00  Ý¦Ř.....ŔË^.....
005E5048  2E 3F 41 56 5F 63 6F 6D 5F 65 72 72 6F 72 40 40  .?AV_com_error@@ <<<-----magic string????
005E5058  00 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00  ................
005E5068  30 FF 5E 00 23 FF 5E 00 1D FF 5E 00 C4 FE 5E 00  0.^.#.^...^.Äţ^.
EDIT:
Here I found a signature for ActiveMark for PEiD (without version detection):

[ActiveMark -> Trymedia]
signature = 79117fab9a4a83b5c96b1a48f927b425
ep_only = True

Last edited by imagin; 03-07-2005 at 06:07.
  #11  
Old 03-07-2005, 20:36
SystemeD
Quote:
Originally Posted by Hero
1- Dump running program while browser is showing with LordPE.
Probably the problem is here: dump the program when it reaches the second layer EP (use Olly to set a hardware bp) and use that address as the EP of the dump.

Quote:
Originally Posted by Hero
Now this dump should work and show something(I heard that I should see something
about error in activemark),...
Exactly, I've done it and I obtain a msgbox saying: "Unable to start ActiveMark client engine due to an internal error."
I will try to attach my dump.

@imagin:
The image I tried to attach in my last post contained the following dump; it's my old target, and here you can see after TdnAVpF@ the dword 001F9903, which is the RVA of the second layer EP (so add 400000 for the address in Olly).
Code:
0014D370   58 23 55 00 00 00 00 00  2E 3F 41 56 5F 63 6F 6D   X#U......?AV_com
0014D380   5F 65 72 72 6F 72 40 40  00 00 00 00 00 00 00 00   _error@@........
0014D390   54 64 6E 41 56 70 46 40  03 99 1F 00 71 A5 06 00   TdnAVpF@.™..q¥..
0014D3A0   E0 DE 0B 00 4C 06 00 00  63 31 36 38 34 35 39 64   àÞ..L...c168459d
0014D3B0   33 38 65 35 31 62 32 33  63 38 37 63 38 64 63 65   38e51b23c87c8dce
0014D3C0   35 34 37 31 37 66 34 35  00 00 00 00 00 00 00 00   54717f45........
You can see that the pattern is a bit different from the previous version of the packer, i.e.:

Code:
001636D0   74 77 61 72 65 5C 00 00  54 64 6E 41 43 42 B9 3F   tware\..TdnACB¹?
001636E0   AE 4F 26 00 64 0B 0C 00  00 65 0F 00 00 03 00 00   ®O&.d....e......
001636F0   34 37 32 36 36 62 34 66  35 63 64 62 39 65 33 35   47266b4f5cdb9e35
00163700   61 35 30 63 37 65 37 63  34 36 38 66 63 37 30 31   a50c7e7c468fc701
Remember that the important parts are "TdnA" and the long hex number that follows. Hope this helps,
Bye
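As an added example (not code from the thread or from any of the posters), a small Python scanner that applies SystemeD's recipe to a raw dump: find the ".?AV_com_error@@" RTTI name, the "TdnA..." tag near it, and read the two DWORDs after the 8-byte tag, reporting the first as the second-layer EP RVA plus its VA at an assumed 0x400000 image base. The sample buffer is constructed from the 5.3 hex rows quoted above; the 64-byte proximity window, the 8-byte tag length and the size-of-image sanity check are assumptions, and the 2.7 layout is not handled.

```python
import struct

# Constructed sample dump: a re-typed slice of the ActiveMark 5.3 hex rows
# quoted in the thread, with filler bytes so the scan has to seek past them.
SAMPLE_DUMP = (
    b"\x00" * 32
    + b"X#U\x00\x00\x00\x00\x00"
    + b".?AV_com_error@@" + b"\x00" * 8
    + b"TdnAVpF@" + bytes.fromhex("03991F00" "71A50600")
    + bytes.fromhex("E0DE0B00" "4C060000")
    + b"c168459d38e51b23c87c8dce54717f45" + b"\x00" * 8
)

RTTI_NAME = b".?AV_com_error@@"  # RTTI type name SystemeD searches for
TAG = b"TdnA"                    # start of the tag that precedes the DWORDs
TAG_LEN = 8                      # "TdnAVpF@" in the 5.3 layout shown above
MAX_GAP = 64                     # assumption: tag lies within 64 bytes of the RTTI name
IMAGE_BASE = 0x400000            # assumed default base ("add 400000")
HEX_DIGITS = frozenset(b"0123456789abcdef")


def find_layer2_ep(dump, image_base=IMAGE_BASE, size_of_image=0x7FFFFFFF):
    """Scan a raw dump for the 5.3 marker and return a dict with the two RVAs
    that follow the 8-byte tag (first = second-layer EP, second = the next
    DWORD SystemeD shows), the EP's VA, and the 32-char hex id. Returns None
    if the layout is not found or the EP RVA fails a basic sanity check."""
    start = 0
    while True:
        rtti = dump.find(RTTI_NAME, start)
        if rtti < 0:
            return None
        tag = dump.find(TAG, rtti, rtti + len(RTTI_NAME) + MAX_GAP)
        if tag >= 0 and tag + TAG_LEN + 16 + 32 <= len(dump):
            break
        start = rtti + 1          # RTTI name present but no tag nearby: keep looking
    ep_rva, second_rva = struct.unpack_from("<II", dump, tag + TAG_LEN)
    hex_id = dump[tag + TAG_LEN + 16: tag + TAG_LEN + 48]
    if not (0 < ep_rva < size_of_image) or not HEX_DIGITS.issuperset(hex_id):
        return None
    return {
        "tag": dump[tag:tag + TAG_LEN].decode("latin-1"),
        "ep_rva": ep_rva,
        "ep_va": image_base + ep_rva,
        "second_rva": second_rva,
        "hex_id": hex_id.decode("ascii"),
    }
```

Call it as `find_layer2_ep(open("dump.bin", "rb").read())`; on the sample it reports ep_rva 0x1F9903 and ep_va 0x5F9903, matching SystemeD's figures.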
  #12  
Old 03-10-2005, 18:01
Hero
Thanks SystemD!
But I still can't make a working dump!??!!
What I have done step by step (in repaired OllyDbg):
1- Hide my OllyDbg from IsDebuggerPresent (I tested without hiding and there was no change in the result)
2- Set a breakpoint on GetVersion and run until getting to it.
3- Dump using OllyDump and set the OEP to C0B64 (for cubis2.exe).
(I set it to fix sections; I don't know whether to do it or not)
4- Run ImpRec, set the OEP to C0B64, find the IAT and get the imports, then fix the dump.
5- My dump crashes!!!!!
6- If I dump using LordPE, the program is not crashing, but it is not working either.
I don't know why I can't make a correct fixed dump.
Any suggestion?

sincerely yours
  #13  
Old 03-10-2005, 19:35
imagin
 
Yes - there is a difference between dumping with LordPE and PETools - but that will not be the main problem - according to me, the main reason the programme falls is the instruction NOP,CALL which must be repaired!!! (the AM packer patches the normal instruction CALL to NOP,CALL) - but what and who repairs this???
(do you have the API LoadLibraryA in your dump??)

Code:
EXAMPLE:
004014BD    90              NOP
004014BE    90              NOP
004014BF    90              NOP                        -----/ 
004014C0    E8 58C21100     CALL    Dumped2_.0051D71D  -----/wrong CALL
004014C5    85C0            TEST    EAX, EAX
004014C7    74 24           JE      SHORT Dumped2_.004014ED
004014C9    8B10            MOV     EDX, DWORD PTR DS:[EAX]

Last edited by imagin; 03-17-2005 at 03:21.
  #14  
Old 03-15-2005, 21:30
SnipER.UA
 
I have another question about AM.
An old game (2 years or so) named Codename: Silver has encrypted resource files. These files are handled by AM and decrypted in memory. So only the PACKED .exe works correctly.
I can dump and fix the .exe, but I really don't know how to unpack those damn resources :-(
Maybe someone knows how to deal with this AM trick...
  #15  
Old 03-16-2005, 15:23
tr1stan
 
Quote:
Originally Posted by Hero
Thanks SystemD!
6-If I dump using LordPE,Program is not crashing,But It is not working too.
I don't know Why I can't make a correct fixed dump.
Any suggestion?
Your OEP is not correct; you have to set the layer2 OEP
(RVA 0x26A593).
Only use the real OEP for the jump right before layer2 wants to
jump to ExitProcess.