ActiveMark
Hi,
Has there been any detailed tutorial on ActiveMark security? I've read everything on this board, from the RCE board and from Woodmann, but it never works for me: the programme crashes all the time, though the import repair is OK. I know the progress from LunarDust too. Something on version 5.3 and higher - thanks.
It's good that you read tutorials, but you have to know that many times you have to put in some effort on your part and use the debugger to work out where and why an unpacked application is crashing.
If you post here the steps you have taken to unpack that application, I'm sure that some of the "ActiveMark unpacker people" here can direct you ;) Cheers
1) start the programme and dump it with PETools (or LordPE)
2) find the OEP in dumped.exe (PEiD - detect)
2) launch ImpRec on the running programme
3) find the IAT
3) fix the dump: Dumped.exe -> Dumped_.exe
EDIT: OEP of the second layer?????,, Each tutorial describes its search differently - by TRW and SoftICE - I have XP, so TRW is no use - I examine it in Olly - but I don't know how to find the OEP for the second layer
Unpacking ActiveMark following the steps you described requires dumping the prog and setting the EP of the dump to the packer's second layer EP.
Are you sure you did it?
I am trying to learn how to unpack ActiveMark myself. For finding the OEP, I use PEiD's
Generic OEP finder. Does anybody know whether this OEP is for layer 2 or not? In addition: if you want to test your algorithm, you can use downloaded Yahoo games; for example Cubic2 uses ActiveMark and it's only 8-9 MB. sincerely yours
It's a very long time since I played with ActiveMark and I don't remember exactly which EP is found by PEiD. However, if I remember well, you can find the 2 EPs by opening the UNPACKED file with a hex editor and searching for one of these strings: "?AV_com_error@@" or "TdnA" without quotes (they must be near each other), and right after them there must be 2 recognizable addresses (DWORDs).
The first is the second layer EP and the second is the OEP. You need the first; compare it with the one from PEiD. Hope this helps.
According to me, PEiD finds the OEP for the first layer (maybe) :rolleyes:
But how to find the OEP for the second layer? Each tutorial I have does it differently and nothing works....... This is for the DUMPED file!!!
(for example - search in a hex editor for the string "TdnAVp" or ".?AV_com_error@@" and at 24h - this is the RVA of the OEP......)
(for example 2 - search in a hex editor for the string "TdnAVp" and patch the JE before it to JNE..........)
..........and .......... a big nothing - AV... Could anybody point out a concrete instance?? (I don't care on what) tHx
Well, I took my old target (protected with ActiveMark 5.3) and gave it a look. I dumped it at the browser window and searched for the famous string. The result is in the image attached. The dword highlighted is the RVA of the 2nd layer's EP.
Hero's target has a slightly different pattern because it's an old version of the packer (2.7...); the strings are still there but in a different position. You can check the packer version by running protected apps with this arg "--AmClientVersion" (without quotes). Regards, SystemeD PS: I edited my previous post because it was wrong...
Hi SystemD
OEP (too interesting! :D ). But I don't know why my work is not working:
1- Dump the running program with LordPE while the browser is showing.
2- Use the OEP that I found in ImpRec, find my IT and reconstruct my dump.
Now this dump should work and show something (I heard that I should see something about an error in ActiveMark), but it is not doing anything. Any suggestion as to why this happens and my dump is not working? sincerely yours
OK - same progress as HERO (other target) - same problem - why?
Code:
006C7593 > 55 PUSH EBP <<<<-------------- OEP by PEiD
Here I found a signature for ActiveMark for PEiD (without version detection) :rolleyes:
[ActiveMark -> Trymedia]
signature = 79117fab9a4a83b5c96b1a48f927b425
ep_only = True
I will try to attach my dump.
@imagin: The image I tried to attach in my last post contained the following dump; it's my old target and here you can see after TdnAVpF@ the dword 001F9903 which is the RVA of the second layer EP (so add 400000 for the address in Olly).
Code:
0014D370 58 23 55 00 00 00 00 00 2E 3F 41 56 5F 63 6F 6D X#U......?AV_com
Code:
001636D0 74 77 61 72 65 5C 00 00 54 64 6E 41 43 42 B9 3F tware\..TdnACB¹?
Bye
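An added example, not code from the thread or from any poster: a small Python scanner that does the search SystemeD's two posts describe, i.e. find the marker bytes in a dump and read the DWORD right after them as the second layer EP RVA, then add the image base to get the address Olly shows. The marker prefix "TdnAVpF@" and the base 0x400000 are taken from his post; older packer versions place the strings differently, so the prefix is a parameter. The dump bytes below are constructed for the demonstration.

```python
import struct

# Marker that SystemeD's ActiveMark 5.3 dump shows right before the RVA DWORD.
# Assumption from his post: other packer versions use a different layout.
DEFAULT_MARKER = b"TdnAVpF@"
IMAGE_BASE = 0x400000  # the thread's "add 400000 for the address in Olly"


def find_layer2_eps(dump: bytes, marker: bytes = DEFAULT_MARKER,
                    image_base: int = IMAGE_BASE):
    """Return every (marker_offset, rva, va) where MARKER is followed by a
    plausible RVA. A DWORD counts as an RVA only when it is non-zero and lies
    inside the dump, which weeds out accidental matches of the marker bytes."""
    hits = []
    pos = dump.find(marker)
    while pos != -1:
        dword_off = pos + len(marker)
        if dword_off + 4 <= len(dump):
            (rva,) = struct.unpack_from("<I", dump, dword_off)
            if 0 < rva < len(dump):
                hits.append((pos, rva, image_base + rva))
        pos = dump.find(marker, pos + 1)
    return hits


# Constructed sample: a stub "dump" reproducing the pattern from the post, with
# the RVA 0x001F9903 stored little-endian directly after "TdnAVpF@" and enough
# padding that the RVA falls inside the image.
SAMPLE_DUMP = (
    b"\x00" * 0x10
    + b"tware\\\x00\x00"
    + DEFAULT_MARKER + struct.pack("<I", 0x001F9903)
    + b"\x00" * 0x200000
)

if __name__ == "__main__":
    for off, rva, va in find_layer2_eps(SAMPLE_DUMP):
        print(f"marker at 0x{off:06X}: RVA 0x{rva:08X} -> VA 0x{va:08X}")
```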
Thanks SystemD!
But I still can't make a working dump!??!! What I have done step by step (in a repaired OllyDbg):
1- Hide my OllyDbg from IsDebuggerPresent (I tested without hiding and there was no change in the result)
2- Set a breakpoint on GetVersion and run until it is hit.
3- Dump using OllyDump and set the OEP to C0B64 (for cubis2.exe). (I set it to fix sections; I don't know whether to do it or not)
4- Run ImpRec, set the OEP to C0B64, find the IAT, get the imports, then fix the dump.
5- My dump crashes!!!!!
6- If I dump using LordPE, the program does not crash, but it is not working either.
I don't know why I can't make a correctly fixed dump. Any suggestion? sincerely yours
Yes - there is a difference between dumping with LordPE and PETools - but that will not be the main problem - the biggest problem why the programme falls is, according to me, in the instruction NOP,CALL which must be repaired!!! (the AM packer patches the normal instruction CALL to NOP,CALL) - but which and who repairs this??? :rolleyes:
(do you have in your dump the API LoadLibraryA??) Code:
EXAMPLE:
I have another question about AM.
An old game (2 years or so) named Codename: Silver has encrypted resource files. These files are handled by AM and decrypted in memory, so only the PACKED .exe works correctly. I can dump and fix the .exe, but I really don't know how to unpack those damn resources :-( Maybe someone knows how to deal with this AM trick...
(RVA 0x26A593) Only use the real OEP for the jump right before layer 2 wants to jump to ExitProcess.