Koncool
Scan crack with PEiD .9 and use Generic OEP Finder
OEP = 43385F
Good...
Load cracked.exe into OllyDbg by choosing..
File..Open
Once the file has opened, and after Olly's warning about the file maybe being compressed, use the Commandline plug-in by choosing...
Plugins..Commandline..Commandline
In the Commandline window enter..
HE 43385F
Then straight away press F9..
Olly will stop the program's code at line 43385F
STOP, DON'T DO ANYTHING !!
Run Lord PE, scan running processes and highlight
"trillian_pb_tsrh.exe" <- cracked.exe
Right click in process window and choose...
Dump FULL
Lord PE creates a "Dumped.exe" in Trillian's folder
STOP, DON'T DO ANYTHING !!
Run IMPREC..
Browse Imprec Running Processes and highlight
"trillian_pb_tsrh.exe" <- cracked.exe
Enter into OEP box 3385F
Now Click on
IAT AUTOSEARCH
Imprec will say "maybe found something click GET IMPORTS"
OK, then do that. Click..
GET IMPORTS
In Imprec's main window you'll see all the found APIs with "Yes"
Good now choose...
FIX DUMP
A browse window will open..browse to Dumped.exe in the Trillian folder and click it...
IMPREC will now rebuild the IAT imports and save the rebuilt file as
DUMPED_EXE..
THAT'S IT!!!...You can now disassemble the file in W32DASM or IDA
Note..Although the fixed file runs and disassembles, and PEiD reports it as a Visual C exe, the resources still get reported as compressed in Resource Hacker..is this normal or have I missed something??
Thanks
paul333
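
The breakpoint in the post uses the virtual address 43385F while the ImpREC OEP box takes 3385F, which is the same address as an RVA (VA minus ImageBase). An added example, not part of the original post, that reads ImageBase and the section table from PE32 headers and converts a debugger address to an RVA and its containing section; the sample headers, the section names and sizes, and the header entry point 45000 are constructed assumptions.

```python
import struct

def build_sample_headers(image_base=0x400000, entry_rva=0x45000):
    """Constructed PE32 headers for the demo; not the file from the post."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)              # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)             # ImageBase
    def sec(name, vsize, rva):
        return struct.pack("<8sIIIIIIHHI", name, vsize, rva, 0, 0, 0, 0, 0, 0, 0)
    # Section names and sizes are assumptions: code first, packer stub last.
    return (dos + b"PE\0\0" + coff + bytes(opt)
            + sec(b".text", 0x40000, 0x1000) + sec(b".stub", 0x8000, 0x41000))

def parse_headers(data):
    """Return (image_base, entry_rva, [(name, rva, vsize), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    image_base, = struct.unpack_from("<I", data, opt + 28)
    sections = []
    for i in range(nsec):
        name, vsize, rva = struct.unpack_from("<8sII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), rva, vsize))
    return image_base, entry_rva, sections

def locate(va, image_base, sections):
    """Convert a debugger VA to (rva, section name or None)."""
    rva = va - image_base
    if rva < 0:
        raise ValueError("address is below the image base")
    for name, start, size in sections:
        if start <= rva < start + size:
            return rva, name
    return rva, None

if __name__ == "__main__":
    base, entry, secs = parse_headers(build_sample_headers())
    oep_rva, oep_sec = locate(0x43385F, base, secs)         # OEP from the post
    print(f"OEP RVA {oep_rva:X} in {oep_sec}; header entry {entry:X} in "
          f"{locate(base + entry, base, secs)[1]}")
```

In the constructed headers the header entry point falls in the last section while the OEP falls in the first, which is the pattern a packed file typically shows before the dump's entry point is corrected.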