bakatade
November 14th, 2013, 10:38
1. What is the problem....After I binary paste what I think is the correct amount of data back into the tmp exe and save it to disk, I get an exception when I try to run the new version in OllyDbg.
2. What is the protection.....ExeShield
3. What tools are you using....OllyDbg v2.01
4. What tutorials have you read....Unpacking_EXESHiELD_v3.x_NON-SILENT_by_MaDMAn_H3rCul3s
5. Show your output listing WITH comments....
a. Find the buffer that is holding the exe code.
WriteProcessMemory gives me this:
|hProcess = 00000248
|BaseAddress = MyApp.401000
|Buffer = 00484BE0
|Size = 246750.
|BytesWritten = 050EFF50 -> 4736056.
b. I add the Size to the Buffer to get the end address for the code I need:
00484BE0 + 246750 = 4C0FBE
c. I binary copy the data from address 00484BE0 to 004C0FBE.
d. I open up the *_xshld4 - Copy.exe file and find address 00401000
e. I find my end address by adding 00401000 + 246750 = 43D3DE
f. I select the code from address 00401000 to address 0043D3DE and do a binary paste.
g. Hit F9 in Olly and the application runs just fine.
h. I then right click in the CPU window and select "Copy all modifications to executable" and get an error: "Unable to copy selection to the executable file. Search stopped. Remaining modifications, if any, will not be saved." And it has selected the last 13 lines of the pasted data.
i. I then right click on the selected data and "Undo Selection"; this changes all the selected text to ADD BYTE PTR DS:[EAX],AL.
j. I can then right click "Copy all modifications to executable" and it works without issue.
k. Right click again and select "Save file..."
6. NOW ask your question....Can anyone see what I might possibly have missed? When I try to load the saved file and run it in Olly, it throws an unknown exception.
Thanks in advance.