
how to dump the application in lena151's 24th tutorial?


kenn
June 12th, 2011, 06:52
Hi all,
I am an awkward amateur reverser and I need your help. I am trying to work through lena's tutorials; the 24th is a tough one. I dumped it and fixed the IAT, but the dumped exe doesn't work, and I don't know what's wrong. Could you help me?

ZaiRoN
June 12th, 2011, 13:20
Tell us more info, i.e.: did you change the OEP? What kind of tool did you use to dump the file? And so on...

kenn
June 12th, 2011, 14:28
Quote:
[Originally Posted by ZaiRoN;90500]Tell us more info, i.e.: did you change the OEP? What kind of tool did you use to dump the file? And so on...

I followed the instructions just as in the tutorial. At first I dumped it using OllyDbg's dump plugin, but I couldn't fix the IAT with ImpREC because the dumped file did not allow adding a new section. So I tried to dump it with LordPE, but I couldn't find the application in the process list; I learnt that LordPE doesn't see processes over 60, and I bypassed that by running it in administrator mode. I dumped it with LordPE, fixed the IAT with ImpREC and entered the OEP just as shown in the tutorial. I read a similar complaint in another forum, but nobody posted a solution. Is it maybe my OS? I have Win7 32 bit.
Here these guys had the same problem

Quote:
Some points,
(1) Dumping with the OllyDump plugin was ineffective. Had to do it with LordPE (not an option, a must).
(2) I have PCTools ThreatFire on my system and it wouldn't let
me do any of this (although tuts 1 to 23 are fine). I eventually had to do it in VirtualBox. Suspending TF didn't help either. The only way was to uninstall it or use virtualization like Sun/Oracle VirtualBox or VMware.

Quote:
Hello all.
I have been over Lena's tutorial 24 a number of times and never managed to get it right, so I skipped it and continued on, thinking it must be something I am doing wrong. I came back to it this weekend and have gone over and over it and still can't get it right.
I can go through the process quite quickly now that I have done it that many times, dumping, fixing the IAT and rebuilding, exactly as in the tutorial, but whenever I run the fixed dump the entry point is always wrong, 0081262C, when it should be 0041262C; I get an error and it terminates.
Another thing is that if I dump using anything other than LordPE, e.g. PETools, then ImpREC won't fix the repaired dump; I get a message: "Not enough space, can't add any section to this dump file."
I have tried this with several modified Ollys and end up failing.
I could do with a little help if anyone has time.
Thank you very much.
KAMAG.

ZaiRoN
June 13th, 2011, 08:24
Quote:
I entered the OEP just as shown in the tutorial
Are you sure it is right? I mean, are you working on the same version used inside the tutorial?

Are you sure you fixed all the functions? What did ImpREC say when trying to fix the dumped file?
I assume the rebuilt file crashes when you run it; where does it crash? Try loading the file inside a debugger and focus your attention on the crash; it will surely give you some answers!

kenn
June 13th, 2011, 09:27
I watched the 26th tutorial; it gives some clues. I think Armadillo messes up the PE header.
ZaiRoN, first of all thank you for the help. I am trying to dump version build 5.0.0.132 from the package. I found the OEP correctly by following the instructions.
Could you please try it and tell me how you do it?

kenn
June 25th, 2011, 05:17
I did it at last, let me tell you how, proudly :P
The trick lies in stopping at the OEP before dumping it. Thanks to you, pseudonym, who suggested that to me in a PM. I had dumped it without stopping at the entry point, so the dumped exe didn't work. I found the original installer on the net and installed it in VirtualBox under XP, then I opened it in Olly with HideDebugger and StrongOD together (you must tick off all options in StrongOD, otherwise it crashes). I put a memory breakpoint on access at the OEP in the memory map pane, then started the application in Olly; it stopped at the breakpoint, then I dumped it with LordPE and fixed the IAT with ImpREC. It works now.
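Two symptoms come up in this thread: a rebuilt dump whose entry point is exactly ImageBase higher than the OEP (0081262C instead of 0041262C above), and ImpREC refusing to add its section to a dump. The script below is an added example, not code from the thread or from any of the tools named in it; it sanity-checks a 32-bit PE memory dump before it goes into ImpREC. It assumes that ImpREC's OEP box expects an RVA (so typing the VA seen in Olly gets ImageBase added a second time), that a memory dump is only loadable as-is when each section's raw offset and size equal its virtual ones, and that ImpREC needs room for one more 40-byte section header inside SizeOfHeaders (my reading of the "can't add any section" message, stated as an assumption). The sample images are constructed inline so it runs offline.

```python
# Added example (not from the thread): sanity checks on a PE32 memory dump before ImpREC.
# Assumptions: ImpREC's OEP field is an RVA; a usable memory dump has raw == virtual
# layout per section; ImpREC needs one free 40-byte slot in the section table.
import struct

PE32_MAGIC = 0x10B          # optional-header magic of a 32-bit image
SECTION_HEADER_SIZE = 40    # sizeof(IMAGE_SECTION_HEADER)


def parse_pe32(data):
    """Extract the header fields the checks below need; raises on anything that is not PE32."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 (32-bit) images are handled here")
    table = opt + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + i * SECTION_HEADER_SIZE)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr})
    return {
        "entry_field_offset": opt + 16,                               # AddressOfEntryPoint
        "entry_rva": struct.unpack_from("<I", data, opt + 16)[0],
        "image_base": struct.unpack_from("<I", data, opt + 28)[0],
        "size_of_headers": struct.unpack_from("<I", data, opt + 60)[0],
        "section_table_end": table + nsections * SECTION_HEADER_SIZE,
        "sections": sections,
    }


def check_entry_point(pe, oep_va):
    """Compare the dump's entry point with the OEP as read off the debugger (a VA)."""
    if pe["image_base"] + pe["entry_rva"] == oep_va:
        return "ok"
    if pe["entry_rva"] == oep_va:
        # The VA was written where an RVA belongs: the loader would start at base + VA.
        return "va-entered-as-rva"
    return "mismatch"


def set_entry_point(data, oep_va):
    """Return a copy of the dump with AddressOfEntryPoint set to the RVA of oep_va."""
    pe = parse_pe32(data)
    rva = oep_va - pe["image_base"]
    if not 0 <= rva < 2 ** 32:
        raise ValueError("OEP lies outside the image base range")
    buf = bytearray(data)
    struct.pack_into("<I", buf, pe["entry_field_offset"], rva)
    return bytes(buf)


def free_section_slots(pe):
    """Number of additional section headers that fit before SizeOfHeaders runs out."""
    return max(0, pe["size_of_headers"] - pe["section_table_end"]) // SECTION_HEADER_SIZE


def unaligned_sections(pe):
    """Sections whose file layout differs from their memory layout."""
    return [s["name"] for s in pe["sections"] if s["rawptr"] != s["va"] or s["rawsize"] != s["vsize"]]


def build_sample(entry_rva, size_of_headers, sections, image_base=0x400000):
    """Constructed PE32 headers (no section bodies) for offline testing; not a real dump."""
    e_lfanew, opt_size = 0x40, 224
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)      # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 60, size_of_headers)
    table = b"".join(struct.pack("<8sIIIIIIHHI", name.encode(), vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
                     for name, vs, va, rs, rp in sections)
    hdr = dos + b"PE\0\0" + coff + bytes(opt) + table
    if len(hdr) > size_of_headers:
        raise ValueError("SizeOfHeaders too small for the constructed headers")
    return hdr + b"\0" * (size_of_headers - len(hdr))


if __name__ == "__main__":
    # A dump that shows all three problems at once: VA typed as OEP, no free section slot, .data realigned.
    img = build_sample(0x41262C, 0x190, [(".text", 0x1000, 0x1000, 0x1000, 0x1000),
                                         (".data", 0x2000, 0x2000, 0x1800, 0x400)])
    pe = parse_pe32(img)
    print("entry check:", check_entry_point(pe, 0x41262C), hex(pe["image_base"] + pe["entry_rva"]))
    print("free section slots:", free_section_slots(pe))
    print("sections with raw != virtual:", unaligned_sections(pe))
    fixed = parse_pe32(set_entry_point(img, 0x41262C))
    print("after fix:", check_entry_point(fixed, 0x41262C), hex(fixed["image_base"] + fixed["entry_rva"]))
```

Run it against a real dump by reading the file into `data` and calling `parse_pe32` on it; a verdict of "va-entered-as-rva" means the rebuilt file would start at ImageBase plus the VA, which is the 0081262C-style entry point reported in the thread, and `set_entry_point` writes the correct RVA in place.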

snakeninny
September 22nd, 2012, 23:55
Quote:
[Originally Posted by kenn;90563]I did it at last, let me tell you how, proudly :P
The trick lies in stopping at the OEP before dumping it. Thanks to you, pseudonym, who suggested that to me in a PM. I had dumped it without stopping at the entry point, so the dumped exe didn't work. I found the original installer on the net and installed it in VirtualBox under XP, then I opened it in Olly with HideDebugger and StrongOD together (you must tick off all options in StrongOD, otherwise it crashes). I put a memory breakpoint on access at the OEP in the memory map pane, then started the application in Olly; it stopped at the breakpoint, then I dumped it with LordPE and fixed the IAT with ImpREC. It works now.


Have you ever succeeded in dumping with Olly? LordPE worked fine, and both dumped files take 7,630,848 bytes, but as you know, ImpREC kept saying "can't add any section to this dump file" on the Olly one. Why?

kenn
September 23rd, 2012, 03:47
Quote:
[Originally Posted by snakeninny;93278]Have you ever succeeded in dumping with Olly? LordPE worked fine, and both dumped files take 7,630,848 bytes, but as you know, ImpREC kept saying "can't add any section to this dump file" on the Olly one. Why?

Honestly, it has been a long time since I dumped it; I have even forgotten how I managed it. Just follow your intuition. My post above describes what I ran into:
Quote:
I followed the instructions just as in the tutorial. At first I dumped it using OllyDbg's dump plugin, but I couldn't fix the IAT with ImpREC because the dumped file did not allow adding a new section. So I tried to dump it with LordPE, but I couldn't find the application in the process list; I learnt that LordPE doesn't see processes over 60, and I bypassed that by running it in administrator mode. I dumped it with LordPE, fixed the IAT with ImpREC and entered the OEP just as shown in the tutorial. I read a similar complaint in another forum, but nobody posted a solution. Is it maybe my OS? I have Win7 32 bit.
Here these guys had the same problem