Exetools  

  #1  
Old 03-03-2005, 07:57
imagin
 
Posts: n/a
1) Start the prog. and dump it with PETools (or LordPE)
2) Find the OEP in Dumped.exe (PEiD - detect)
3) Launch ImpRec on the running prog.
4) Find the IAT
5) Fix the dump: Dumped.exe -> Dumped_.exe

EDIT:
OEP of the second layer?
Everyone writes about searching for it differently - with TRW and SoftICE - I have XP so TRW is no use - I examine it in Olly - but I don't know how to find the OEP for the second layer.

Last edited by imagin; 03-03-2005 at 19:48.
  #2  
Old 03-03-2005, 18:33
SystemeD
Friend

Join Date: Dec 2004
Posts: 68
Unpacking ActiveMark following the steps you said requires dumping the prog and setting the EP of the dump to the packer's second layer EP.
Are you sure you did it?
  #3  
Old 03-03-2005, 22:05
Hero
VIP

Join Date: Jan 2005
Posts: 226
I am trying to learn how to unpack ActiveMark myself. For finding the OEP, I am using the PEiD
Generic OEP finder. Is there anybody who knows whether this OEP is for layer 2 or not?

In addition: if you want to test your algorithm, you can use downloaded Yahoo games.
For example, Cubic2 uses ActiveMark and it's only 8-9 MB.

sincerely yours
__________________
I should look out my posts,or JMI gets mad on me!
  #4  
Old 03-03-2005, 23:17
SystemeD
Friend

Join Date: Dec 2004
Posts: 68
It's a very long time since I played with ActiveMark and I don't remember exactly which EP is found by PEiD. However, if I remember well, you can find the 2 EPs by opening the UNPACKED file with a hex editor and searching for one of these strings: "?AV_com_error@@" or "TdnA" without quotes (they must be near each other), and right after them there must be 2 recognizable addresses (DWORDs).
The first is the second layer EP and the second is the OEP. You need the first; compare it with the one from PEiD.
Hope this helps.

Last edited by SystemeD; 03-04-2005 at 19:02. Reason: it's the unpacked file and not the packed one, sorry
  #5  
Old 03-03-2005, 23:47
imagin
 
Posts: n/a
According to me, PEiD finds the OEP for the first layer (maybe).
But how to find the OEP for the second layer? In each tutorial I have it is done differently, and nothing works.......
This is for the DUMPED file!!!
(for example - search in a hex editor for the string "TdnAVp" or ".?AV_com_error@@" and at 24h - this is the RVA for the OEP......)
(for example 2 - search in a hex editor for the string "TdnAVp" and patch before it JE to JNE..........)
..........and .......... a big nothing - AV... Could anybody point out a concrete instance?? (I don't care on what)
Thx
  #6  
Old 03-05-2005, 00:34
SystemeD
Friend

Join Date: Dec 2004
Posts: 68
Well, I took my old target (protected with ActiveMark 5.3) and gave it a look. I dumped it at the browser window and searched for the famous string. The result is in the attached image. The highlighted dword is the RVA of the 2nd layer's EP.
Hero's target has a slightly different pattern because it's an old version of the packer (2.7...); the strings are still there but in a different position.
You can check the packer version by running protected apps with this arg: "--AmClientVersion" (without quotes).
Regards,
SystemeD

PS: I edited my previous post because it was wrong...

Last edited by SystemeD; 03-05-2005 at 00:57. Reason: Problem with attachment...
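The marker-and-DWORD lookup described in posts #4 and #6, checked against the dump's own section table so that a candidate RVA landing outside executable code is flagged rather than trusted; this is an added Python example, not code from the thread. The minimal PE image, the marker placement and the RVA values are constructed for the self-test, and reading the DWORDs at the next 4-byte-aligned offset after the marker is an assumption.

```python
import struct
def parse_pe(image):
    """Return (sections, AddressOfEntryPoint) parsed from a raw PE32 image (file or dump)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, = struct.unpack_from("<H", image, pe_off + 6)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", image, pe_off + 20)   # SizeOfOptionalHeader
    entry_rva, = struct.unpack_from("<I", image, pe_off + 40)  # AddressOfEntryPoint
    sections, off = [], pe_off + 24 + opt_size                 # first IMAGE_SECTION_HEADER
    for _ in range(nsec):
        name, vsize, vaddr, _rsize, rptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", image, off)
        sections.append((name.rstrip(b"\0").decode(), vaddr, vsize, rptr, chars))
        off += 40
    return sections, entry_rva
def classify_rva(sections, rva):
    """(section name, is_executable) for the section containing rva; (None, False) if none does."""
    for name, vaddr, vsize, _rptr, chars in sections:
        if vaddr <= rva < vaddr + vsize:
            return name, bool(chars & 0x20000000)              # IMAGE_SCN_MEM_EXECUTE
    return None, False
def dwords_after_marker(image, marker, count=2):
    """DWORDs at the first 4-byte-aligned offset past marker (the alignment is an assumption)."""
    pos = image.find(marker)
    if pos < 0:
        return None
    start = (pos + len(marker) + 3) & ~3
    return list(struct.unpack_from("<%dI" % count, image, start))
def check_candidates(image, marker):
    """Each DWORD after marker paired with its section and executable flag; only executable hits are plausible EPs."""
    sections, _entry = parse_pe(image)
    return [(rva,) + classify_rva(sections, rva) for rva in dwords_after_marker(image, marker) or []]
def build_sample_image():
    """Constructed two-section PE32 stand-in for a dump; not a real protected binary."""
    img = bytearray(0x600)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                    # e_lfanew
    struct.pack_into("<HH", img, 0x44, 0x14C, 2)               # i386, 2 sections
    struct.pack_into("<H", img, 0x54, 0xE0)                    # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x58, 0x10B)                   # PE32 magic
    struct.pack_into("<I", img, 0x68, 0x1000)                  # entry point = packer stub
    hdr = "<8sIIIIIIHHI"
    struct.pack_into(hdr, img, 0x138, b".text", 0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    struct.pack_into(hdr, img, 0x160, b".data", 0x1000, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    img[0x400:0x406] = b"TdnAVp"                               # marker string named in the thread
    struct.pack_into("<II", img, 0x408, 0x1500, 0x1234)        # constructed candidate RVAs
    return bytes(img)
```

Running check_candidates() on a real dump returns an empty list when the marker is absent, and a (None, False) section for any DWORD that falls outside every section, which is the quickest sign the pattern found is data rather than an entry point.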
  #7  
Old 03-05-2005, 01:27
Hero
VIP

Join Date: Jan 2005
Posts: 226
Hi SystemeD
Quote:
Hero's target has a slightly different pattern because it's an old version of the packer (2.7...); the strings are still there but in a different position.
Thanks for checking that, but imagin said:
Quote:
According to me, PEiD finds the OEP for the first layer (maybe).
I tested PEiD for this version on my work (2.7) and it returns the second layer
OEP (too interesting!).
But I don't know why my work is not working:
1- Dump the running program with LordPE while the browser is showing.
2- Using the OEP that I found, find my IT in ImpRec and reconstruct my dump.

Now this dump should work and show something (I heard that I should see something
about an error in ActiveMark), but it is not doing anything.
Any suggestion as to why this happens and my dump is not working?

sincerely yours