#31
I can't get the program to run with either value of EAX, 0043809C or 00437478. Something is still wrong; I think we might need to see your whole tut to backtrack where we have gone wrong. I've come up with the exact same problems as Ferrari all the way along.
Last edited by Pompeyfan; 03-03-2004 at 03:41.
#32
you may want to check you have dumped in the correct place, or that your IAT is correct.
another quick thing is have you reset the oep point to 00437578

the stolen bytes are

00437578 > $ 55             PUSH EBP                      ; real OEP
00437579   . 8BEC           MOV EBP,ESP
0043757B   . 83C4 F4        ADD ESP,-0C
0043757E   . 53             PUSH EBX
0043757F   . B8 78744300    MOV EAX,dumped_.00437478

if your IAT is correct and you have dumped in the right place all should be working

Best Wishes
R@dier
#33
Quote:
#34
hurray!!! R@dier success...i wrongly fixed the IAT. Now it's unpacked successfully. Thank you very very much. Thank you LaBBA for a nice tut. Thank u pompeyfan for starting this topic. Thank u Markus-Djm, and my old friend...oops...Sir JMI and everyone else
now I'll try practicing some more apps.
#35
I eagerly await your tutorial release R@dier, I suspect you have used LaBBa's method #1 for the stolen bytes or a modification of it.
#36
Okay, I'll do the dumping again later today too, thanks for that.
#37
@Nilrem
Hi, No, I don't really use LaBBa's method for stolen bytes. The tut will be posted tomorrow after a couple of changes tonight.

@ ferrari
Well done :-)

Best Wishes
R@dier
#38
Pompeyfan if you are unable to do it...then I'll upload some screenshots on the IAT part.
And also i think there is a mistake in the last part of LaBBa's tut....

PE Editor
EP = OEP - BASE = 437578 - 400000 = 37578 <--- correct
EP = 437589 - 400000 = 37589 <--- wrong (fake OEP)

If u have done this right then most probably u've done wrong in the Imprec part like i did. I wud like to help u.

Another tut by Labba...see the link... In this he has explained the IAT part. His english is bit poor but anywayz thank u LaBBa...at least u have shared ur knowledge....u have tried to explain it in best possible way...Everyone is a noob at some stage. Anyways even LaBBA has received criticism for his tuts
http://www.woodmann.net/forum/showthread.php?t=4958

R@dier i m eagerly waiting for ur tut ...i wanna know that easy way of finding the Stolen bytes.

btw i got some Aspr targets
--> AIMPR 2.20- http://www.elcomsoft.com/
--> SIGuardian 1.71- http://www.siguardian.com
<-- ASProtect 1.23 RC4 - 1.3.08.24 -> Alexey Solodovnikov
#39
Thanks mate, actually I did manage to successfully complete the unpacking today, not sure what I did wrong last time, I thought I did it the way you said last time, anyway the main thing is I did it right this time, the problem was certainly with the dumping and fixing of the IAT table.
I'll have to try a couple more now, just to make sure I have fully learned this new skill, I'm pretty happy to have finished my first anyway.
#40
Hum, i'm eagerly waiting for this tut since i get an error while performing the tc eip<900000 trick. Anytime i do it on Asprotect last versions (1.23RC4) i get an <target_exe> made a crash in "unknown" error...

Am i the only one having this bug or what, i'm using ollydebug 1.10 step2 on WinME... Plus i can't get the IsDebuggerPresent plugin to work, i use a tool called OllyGhost by Syn (Fool IsDebuggerPresent and can enable Kernel32 bps).

Anyone got a clue how to defeat this bug... or i just can't unpack the latest version of Aspr anymore.

Thx
#41
I don't get that error, I suggest reporting it to Oleh directly or indirectly on the OllyDbg forums, have you tried using OllyDbg v1.10 step 1? That's what I'm currently using and it is working fine for aspr and isdebuggerpresent dll.
hxxp://www.grinders.withernsea.com/tools/odbg110b1.rar
#42
Where is your tutorial R@dier, any news?
I like your other tutorials very much, sry my English sucks.
BTW this is my first post in this Forum, hi to all who read this
#43
Hi Phantom,
It's available here http://www.exetools.com/forum/showthread.php?s=&threadid=3594
#44
i used both v1.10step1 and step2... it didn't work so i switched back to version 1.09d and i still get the same stuff... quite strange...