()whore
June 4th, 2001, 01:30
Hello,
Well, I will try my luck here since I found no takers in the newbie messageboard. I am posting about a program (Awave Studio 7.0) that I thought I had unpacked and cracked, but I have been fooled. While the program would work OK dumped and patched, I did more testing and found it would crash when saving files.
The heart of the problem is a redirected API call (GetProcAddress). In the packed .exe this call was directed to a section in the packing code:
005ce1e8 push ebp
... mov ebp,esp
... mov edx,[ebp+0c]
... mov eax,[ebp+08]
... cmp eax,[005db348] ; mem=ffffffff
... jnz 005d3a0e
... mov eax,[edx*4+005db348] ; gets pointer to decryption code
... jmp 005d3a1e
005d3a0e push edx
... push eax
... call kernel32!GetProcAddress
005d3a1e pop ebp
... ret 0008
This code checked if -1 was pushed; if so, it returns a pointer to some decryption code (005cb4bc) in eax, else it just goes ahead with the API.
I have a working IAT thanks to ReVirgin, but that call it wouldn't resolve. I manually pointed this call to GetProcAddress and that seemed to work. However, at one place the program needs the pointer returned from the original (unpacked program) function to decrypt the save-file code.
push 04
push ffff
call [4b3...]
mov esi,eax
...
...
call esi
I had it patched to skip this check and it didn't seem to be needed until I tried the save functions.
I could work around this by patching in the address of the save-file decryption at the right place, but in the dumped version there is NOTHING in memory where the decryption routine should be, while in the packed .exe there is code.
I am guessing that somewhere in the packed .exe the code is written to that location and that my dumped version never runs the unpacking code, so no code gets placed there.
How can I get around this? It seems devilish that even though the program is unpacked and dumped fine, it is still using code from the unpacker. Please give me some pointers if you can. I am several days into this and running out of steam.
Well, I spent today trying to inline patch the program so I wouldn't have to deal with the missing code. I was able to change the OEP and get it to patch the program, but the CRC check is kicking in. I can skip this check while in SI to see that it works, but I can't seem to get around this either, at least not without SI. I can't patch the jump because it is packed code. I have been following Predator's tute on this program, but my version is packed with a different version of ASProtect. The CRC isn't hardcoded into the .exe like in his tute. Neither was the OEP (it was XORed with another number which was in the .exe).
Can someone give me some pointers here? I feel I am close to finishing this but can't seem to get over the last hill.
Thanks.