Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #31  
Old 03-02-2004, 09:17
Pompeyfan
 
Posts: n/a
I cant get the program to run with either value of EAX, 0043809C or 00437478, something is still wrong , I think we might need to see your whole tut, to backtrack where we have gone wrong, I've come up with the exact same problems as Ferrari all the way along.

Last edited by Pompeyfan; 03-03-2004 at 03:41.
Reply With Quote
  #32  
Old 03-02-2004, 12:43
 
Posts: n/a
you may want to check you have dumped in the correct place,
or that your IAT is correct.

another quick thing is have you reset the oep point to
00437578

the stolen bytes are
00437578 > $ 55 PUSH EBP ; real OEP
00437579 . 8BEC MOV EBP,ESP
0043757B . 83C4 F4 ADD ESP,-0C
0043757E . 53 PUSH EBX
0043757F . B8 78744300 MOV EAX,dumped_.00437478

if your IAT is correct and you have dumped in the right place
all should be working

Best Wishes

[email protected]
Reply With Quote
  #33  
Old 03-02-2004, 16:13
ferrari
 
Posts: n/a
Quote:
Originally posted by [email protected]
you may want to check you have dumped in the correct place,
or that your IAT is correct.

another quick thing is have you reset the oep point to
00437578

the stolen bytes are
00437578 > $ 55 PUSH EBP ; real OEP
00437579 . 8BEC MOV EBP,ESP
0043757B . 83C4 F4 ADD ESP,-0C
0043757E . 53 PUSH EBX
0043757F . B8 78744300 MOV EAX,dumped_.00437478

if your IAT is correct and you have dumped in the right place
all should be working

Best Wishes

[email protected]
[email protected] i think u r right ...i'l do the imprec part again and check...i'l be back
Reply With Quote
  #34  
Old 03-02-2004, 21:00
ferrari
 
Posts: n/a
hurray!!! [email protected] success...i wrongly fixed the IAT. Now it's unpacked successfully. Thank you very very much. Thank you LaBBA for a nice tut. Thank u pompeyfan for starting this topic. Thank u Markus-Djm, and my old friend...oops...Sir JMI and everyone else


now i'l try practicing somemore apps.
Reply With Quote
  #35  
Old 03-02-2004, 21:43
Nilrem
 
Posts: n/a
I eagerly await your tutorial release [email protected], I suspect you have used LaBBa's method #1 for the stolen bytes or a modification of it.
Reply With Quote
  #36  
Old 03-03-2004, 03:44
Pompeyfan
 
Posts: n/a
Okay, I'll do the dumping again later today too, thanks for that.
Reply With Quote
  #37  
Old 03-03-2004, 06:27
 
Posts: n/a
@Nilrem
Hi,
No I don't really use LaBBa Method for stolen bytes
the tut will we posted tomorrrow after a couple of changes tonight


@ ferrari

Well done :-)


Best Wishes
[email protected]
Reply With Quote
  #38  
Old 03-03-2004, 12:28
ferrari
 
Posts: n/a
Pompeyfan if are unable to do it...then i'l upload some screenshots on the IAT part.
And also i think there is a mistake in the last part of LaBBa's tut....PE Editor

EP = OEP - BASE = 437578 - 400000 = 37578 <--- correct

EP = 437589 - 400000 = 37589 <--- wrong (fake OEP)

If u have done this right then most probably u've done wrong in the Imprec part like i did. I wud like to help u. Another tut by Labba...see the link... In this he has explained the IAT part. His english is bit poor but anywayz thank u LaBBa...atleast u have shared ur knowledge....u have tried to explain it in best possible way...Everyone is a noob at some stage.

Anyways even LaBBA has recieved criticism for his tuts

http://www.woodmann.net/forum/showthread.php?t=4958

[email protected] i m eagerly waiting for ur tut ...i wanna know that easy way of finding the Stolen bytes.

btw i got some Aspr targets
--> AIMPR 2.20- http://www.elcomsoft.com/

--> SIGuardian 1.71- http://www.siguardian.com<-- ASProtect 1.23 RC4 - 1.3.08.24 -> Alexey Solodovnikov
Reply With Quote
  #39  
Old 03-03-2004, 18:46
Pompeyfan
 
Posts: n/a
Thanks mate, actually I did manage to successfully complete the unpacking today, not sure what I did wrong last time, I thought I did it the way you said last time, anyway the main thing is I did it right this time, the problem was certainly with the dumping and fixing of the IAT table.
I'll have to try a couple more now, just to make sure I have fully learned this new skill, I'm pretty happy to have finnished my first anyway.
Reply With Quote
  #40  
Old 03-05-2004, 18:14
Don Killah
 
Posts: n/a
Hum, i'm eagerly waiting for this tut since i get an error while performing the tc eip<900000 trick. Anytime i do it on Asprotect last versions (1.23RC4) i get an
<target_exe> made a crash in "unknown" error...

Am i the only one having this bug or what, i'm using ollydebug 1.10 step2 on WinME... Plus i can't get the IsDebuggerPresent plugin to work, i use a tool called OllyGhost by Syn (Fool IsDebuggerPresent and can enable Kernel32 bps).

Anyone got a clue how to defeat this bug... or i just can't unpack the latest version of Aspr anymore. Thx
Reply With Quote
  #41  
Old 03-05-2004, 23:09
Nilrem
 
Posts: n/a
I don't get that error, I suggest reporting it to Oleh directly or indirectly on the OllyDbg forums, have you tried using OllyDbg v1.10 step 1? That's what I'm currently using and it is working fine for aspr and isdebuggerpresent dll.

hxxp://www.grinders.withernsea.com/tools/odbg110b1.rar
Reply With Quote
  #42  
Old 03-06-2004, 07:24
Phantom
 
Posts: n/a
Where is your tutorial [email protected], any news?
I like your other tutorials very much, sry
my english sucks BTW this is my first
post in this Forum, hi to all who
read this
Reply With Quote
  #43  
Old 03-06-2004, 16:41
 
Posts: n/a
Hi Phantom,

Its available here



http://www.exetools.com/forum/showthread.php?s=&threadid=3594
Reply With Quote
  #44  
Old 03-11-2004, 22:11
Don Killah
 
Posts: n/a
i used both v1.10step1 and step2... it didn't work so i switch back to version 1.09d and i still get the same stuff... quite strange...
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
little question about manually unpacking MaRKuS-DJM General Discussion 3 11-13-2003 00:43


All times are GMT +8. The time now is 03:09.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX