Exetools  

  #1  
05-20-2005, 15:47
SystemeD
Loader or inline-patching for Safecast.

Hi all,
I've read some threads and tuts about loaders and inline patching and I tried to apply them on a target protected by Safecast (Safedisc) 2.20.020, but it seems this target is a bit different from the other ones.
What I need is to patch a dll extracted by the packer, written to the temp dir and loaded with LoadLibrary.
My problems are:
1 - (At the moment) I think I can't use a loader because when I try to start the app with CreateProcess, the registration form appears but afterwards the real app doesn't start. It seems the protector acts like a debugger of itself so it doesn't work if this process already has a parent process which started it. Is there another way to do that?
2 - If I try to inline patch it, I have no rights to write to the loaded dll space and moreover I don't know where the dll will be loaded so I don't have the right address to patch. Must I use VirtualProtect?
3 - Do other packers work this same way?
Thanks
  #2  
05-20-2005, 19:46
sHice
To check whether the app acts like a debugger of itself, set a bpx on DebugActiveProcess and see if it breaks. But I think your assumption is very probable because newer versions of Safedisc do this.
Quote:
Originally Posted by SystemeD
2 - If I try to inline patch it, I have no rights to write to the loaded dll space and moreover I don't know where the dll will be loaded so I don't have the right address to patch. Must I use VirtualProtect?
If you debug the app you'll get LOAD_DLL_DEBUG_INFO if a dll is loaded, or you can use the ToolHelp API to check if the dll is loaded -> you have the ImageBase -> you can patch (if the memory is protected use VirtualProtectEx to make it writeable). After you have patched the dll, call DebugActiveProcessStop so that Safedisc can start to debug the app. But all this only works if the dll is loaded before Safedisc starts to debug the app! If the dll is loaded after the call to DebugActiveProcess you have to look for another solution.
Quote:
Originally Posted by SystemeD
3 - Do other packers work this same way?
Armadillo with debugblocker, for example.

All times are GMT +8. The time now is 15:41.