#1
Thanks SystemD!
But I still can't make a working dump!??!! What I have done step by step (in repaired OllyDbg):
1. Hide my OllyDbg by IsDebuggerPresent (I tested without hiding and no change in result).
2. Set a breakpoint on GetVersion and run until getting to it.
3. Dump using OllyDump and set OEP to C0B64 (for cubis2.exe). (I set to fix sections, I don't know whether to do it or not.)
4. Run ImpRec and set OEP to C0B64, find IAT and get imports, then fix dump.
5. My dump crashes!!!!!
6. If I dump using LordPE, program is not crashing, but it is not working either.
I don't know why I can't make a correct fixed dump. Any suggestion?
sincerely yours
__________________
I should look out my posts, or JMI gets mad on me!
#2
Yes, there is a difference between dumping with LordPE and PETools, but that is not the main problem. In my opinion the main reason the program crashes is the NOP,CALL instructions, which must be repaired (the AM packer patches the normal CALL instruction into NOP,CALL). But what and who repairs this???
(Do you have the API LoadLibraryA in your dump??)
Code:
```
EXAMPLE:
004014BD 90            NOP
004014BE 90            NOP
004014BF 90            NOP                          -----/
004014C0 E8 58C21100   CALL Dumped2_.0051D71D       -----/ wrong CALL
004014C5 85C0          TEST EAX, EAX
004014C7 74 24         JE SHORT Dumped2_.004014ED
004014C9 8B10          MOV EDX, DWORD PTR DS:[EAX]
```
Last edited by imagin; 03-17-2005 at 03:21.
#3
Quote:
(RVA 0x26A593) Only use the real OEP for the jump right before the layer2 wants to jump to ExitProcess.
#4
@ tr1stan
1. This OEP isn't functional (target crash).
2. Why 0x26a593??? (string inicant OEP which wrote HERO)
3. Is it necessary to unpack bass.dll too??
4. Do you have some full progress??
5. What about your CALL and JMP?
thx
#5
Some steps to get the rebuilt program
Hello:
I'm testing a fix to the 5.3.1071 AM release. I have got some programs totally recovered, but others not yet; I'm just trying to fix the bugs of my "AM fixer" program. When I get good results for all, I will tell you about it. But it is a very good beginning getting the "18 Wheels of Steel - Pedal to the Metal". This is the only one (I have found till today) of the 5.3.1071 AM release that keeps in the dumped code the equivalences for the AM calls that you can find inside the dumped code as:

```
401175 nop
401176 call [AM redirection]
```

If you search in the dumped code (starting the program and, when the "you have 60 min left" or similar displays, you have to dump it, as several people in this thread have said) for the [AM redirection] from above, you'll get this in a table, to the right of another pointer, pointing to the name of the correct function. This does not work for all the other programs I have tested, but it does for this one. All you have to do is replace the "nop call [AM redirection]", stated as 90E8XXXXXXXX, by a call to the pointer of the function that I have told you about before. Of course, there are other AM redirections, such as:

```
nop jmp [AM redirection]
nop mov edx, [AM redirection]
nop mov ebx, [AM redirection]
...
```

All of them are always preceded by a nop; this is a great clue!

OK, I have built a table of 'AM redirections', taking all of the table of AM equivalences, that you can find in the dumped file searching for:
1. The 'PEStub' string and then six 0 bytes, then the equivalence table begins. If not, try point 2.
2. The 'machine.' string; if it fails, try point 3.
3. The 'reason=' string; if it fails, it has to be a different release from the 5.3.1071 AM release.

Then, you have to subtract from each 'AM redirection' the value of the beginning of the section that holds this table, and subtract the image too. With this you can build a table that contains the offsets of every AM redirection that works for all the AM programs of this release, only adding the beginning of the section that holds the AM equivalences table and adding the image; try this and you will see. Well, if this is a little 'dark', I'll explain a little bit more in detail in another post.
Be lucky with this!
Cheers from Spain!
Nacho_dj
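The nop-prefixed redirection stubs that imagin's listing (post #2) and Nacho_dj's post both describe can be located and decoded mechanically, which is the first thing an analyst wants when triaging a dump whose API calls have been rerouted. The Python below is an added example written for this thread, not code from the thread, from the "AM fixer" program or from any unpacking tool. It assumes a constructed section table (image base 0x400000 and three made-up sections) and a code fragment built to match the 004014BD listing above. It scans for `nop; call rel32`, `nop; jmp rel32` and `nop; mov edx/ebx,[disp32]` sequences, resolves each target virtual address, converts a VA to a dump file offset by the "subtract the section start and the image base" step, and locates the marker strings in the order Nacho_dj gives them. The layout of the equivalence table itself is not reproduced because the post does not describe it.

```python
"""Locate and decode nop-prefixed redirection stubs in a raw code dump.

Constructed example: the section table, image base and code bytes below are
made up for the demonstration (the code bytes mirror the 004014BD listing).
"""
import struct
from dataclasses import dataclass

IMAGE_BASE = 0x400000  # constructed; a common preferred base for Win32 executables


@dataclass(frozen=True)
class Section:
    name: str
    rva: int          # virtual address of the section relative to IMAGE_BASE
    raw_offset: int   # file offset of the section's first byte in the dump
    size: int


# Constructed section table (what a PE viewer would list for the dump).
SECTIONS = (
    Section(".text", 0x1000, 0x400, 0x20000),
    Section(".rdata", 0x21000, 0x20400, 0x4000),
    Section(".extra", 0x100000, 0x30000, 0x40000),  # stands in for the section holding the table
)


def va_to_file_offset(va, sections=SECTIONS, image_base=IMAGE_BASE):
    """The 'subtract the section start and the image base' step:
    offset = va - image_base - section.rva + section.raw_offset."""
    rva = va - image_base
    for sec in sections:
        if sec.rva <= rva < sec.rva + sec.size:
            return rva - sec.rva + sec.raw_offset
    raise ValueError(f"VA {va:#x} falls outside every known section")


# Byte prefixes of the stubs the thread describes: a nop followed by the opcode.
# value = (mnemonic, total length including the nop, operand kind)
STUB_PREFIXES = {
    b"\x90\xe8": ("call", 6, "rel32"),
    b"\x90\xe9": ("jmp", 6, "rel32"),
    b"\x90\x8b\x15": ("mov edx,", 7, "abs32"),  # 8B 15 disp32 = mov edx,[disp32]
    b"\x90\x8b\x1d": ("mov ebx,", 7, "abs32"),  # 8B 1D disp32 = mov ebx,[disp32]
}


def find_stubs(code, code_va):
    """Return [(va_of_nop, mnemonic, target_va), ...] for every stub in `code`,
    a byte string whose first byte sits at virtual address `code_va`.
    This is a linear byte scan, so data that happens to look like code can misfire."""
    hits = []
    i = 0
    while i < len(code):
        match = next(((p, info) for p, info in STUB_PREFIXES.items()
                      if code.startswith(p, i) and i + info[1] <= len(code)), None)
        if match is None:
            i += 1
            continue
        prefix, (mnemonic, length, kind) = match
        operand_at = i + len(prefix)
        if kind == "rel32":
            rel = struct.unpack_from("<i", code, operand_at)[0]
            target = code_va + i + length + rel  # rel32 is relative to the next instruction
        else:
            target = struct.unpack_from("<I", code, operand_at)[0]  # absolute address
        hits.append((code_va + i, mnemonic, target))
        i += length
    return hits


# Marker strings from Nacho_dj's post, tried in the order he gives them.
TABLE_MARKERS = (b"PEStub" + b"\x00" * 6, b"machine.", b"reason=")


def find_table_start(dump):
    """File offset just past the first marker found, or None if no marker is present."""
    for marker in TABLE_MARKERS:
        pos = dump.find(marker)
        if pos != -1:
            return pos + len(marker)
    return None


def build_sample():
    """Constructed code fragment at VA 0x4014BD: three nops, the CALL from the
    listing (E8 58C21100 -> 0x51D71D), TEST EAX,EAX, then a made-up
    nop; mov edx,[0x421040] stub."""
    code_va = 0x4014BD
    rel = 0x51D71D - (0x4014C0 + 5)            # call at 0x4014C0 is 5 bytes long
    code = b"\x90\x90\x90\xe8" + struct.pack("<i", rel) + b"\x85\xc0"
    code += b"\x90\x8b\x15" + struct.pack("<I", 0x421040)
    return code, code_va


if __name__ == "__main__":
    code, va = build_sample()
    for nop_va, mnemonic, target in find_stubs(code, va):
        print(f"{nop_va:08X}: nop; {mnemonic} -> {target:08X}"
              f" (file offset {va_to_file_offset(target):#x})")
    print("table starts at", find_table_start(b"..PEStub" + b"\x00" * 6 + b"entries"))
```

Run against the constructed fragment it reports the call at 004014BF targeting 0051D71D, the same number the listing shows, because E8's operand is relative to the instruction that follows it. On a real dump feed `find_stubs` the bytes of the code section and its VA, and use `va_to_file_offset` to turn each target into a position in the dump file; a target that lands in no section is the usual sign that the dump was taken before the redirection table was mapped.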
#6
1) Works very well here
2) This is the OEP for the second layer. As mentioned in some tuts, AM consists of 3 layers:
   1. layer is the licence layer
   2. layer is the exe protection layer
   3. layer is the actual program
What you have to do is only get the IAT from the real program, paste it into the second layer and simply start the program from the OEP of the second layer, which is at RVA 0x26A593.
3) No.
4) Yes.
5) If you rebuilt the program it will simply exit right after execution, because the second layer checks if something was changed and if the license is valid. To find the termination of the second layer, set a bp on ExitProcess. Once you are at the bp in Olly, trace back from where the ExitProcess was called. One instruction above "call ExitProcess" there is a push with the exit code, and there you change it to "jmp (OEP of the 3. layer)", which will jump to the actual program and everything should work...