FlashFXP v1.4:
http://bigskysoft.tucows.com/files2/ffxp14.zip

OEP = 0052B8B0

Fill this into Revirgin(1.2 beta 3) then press "Fetch IAT", it causes 100% CPU utilization.
OS: Win2K server build 2195

Do I need to change NumberOfSections from FFFF to 9 in the memory?

Yes I located the problem, it comes from the way rv calculates the process size, I fixed this.

You can download again the new file, the build num is unchanged.

regards,

tsehp

bug disappeared. thx

u welcome, never hesitate to signal some more while in beta test.

Just curious if you could send me a brief tutorial on unpacking flashfxp when you are done. Thanks in advance, Nitrus.

Nitrus!!
My old pal!!!!!
hehe
Long long time no see buddy
How's everything?
Hope you're allrighty..
Hugs..


Latigo

hi Nitrus,

Please read the post by +SplAj:
h**p://www.woodmann.net/forum/showthread.php?s=&threadid=1810

for FlashFXP 1.4,
OEP = 0052B8B0
IT = 00533000

Set a "BPX VirtualProtectEx", F12, then press F10 to trace a while, you will see the "JMP [ESP-30]". OEP = dword ptr [esp-30]. Suspend it with a "JMP EIP", then use the RAM Editor of WinHex to change the NumberOfSections from FFFF to 9. Make a full dump with LordPE & kill the process.

Set a "BPX LoadLibraryA do "db *(esp+4)", re-run FlashFXP. When you see "oleaut32.dll", press F12, then scroll up a few lines, you will see the following code:

001B:00576C14 JMP 00576B9E
001B:00576C16 MOV EDX,[EBP+0040AFBE]
001B:00576C1C MOV ESI,[EBP+0040AFAE]
001B:00576C22 TEST ESI,ESI
001B:00576C24 JZ 00576FC7
001B:00576C2A ADD ESI,EDX
001B:00576C2C AND DWORD PTR [EBP+0040B0AA],00
001B:00576C33 MOV EAX,[ESI+0C]
001B:00576C36 AND DWORD PTR [ESI+0C],00 <---------------Clear the Import Table
001B:00576C3A TEST EAX,EAX
001B:00576C3C JZ 00576FC7
001B:00576C42 ADD EAX,EDX
001B:00576C44 MOV EBX,EAX
001B:00576C46 PUSH EAX
001B:00576C47 CALL [EBP+0040AF18]
001B:00576C4D TEST EAX,EAX
001B:00576C4F JNZ 00576CE1
001B:00576C55 PUSH EBX
001B:00576C56 CALL [EBP+0040AF1C] <--------------Here is LoadLibraryA( )
001B:00576C5C TEST EAX,EAX
001B:00576C5E JNZ 00576CE1

Clear all breakpoints, set a "BPM 576C36 X", then re-start FlashFXP. When SoftICE pops up again at CS:576C36, just type "dd esi", you will see the good import table Dump the IT & IAT.(esi = 533000h, IT length = 1CCh, dump length = 3000h).

Paste the IT & IAT(total 3000h bytes) to the dumped exe at file offset 133000h, fix the EntryPoint & Data Directory. All is OK.

Hope this helps.

Seems that both RV & ImportREC can't rebuild the IT without manual modification of the FlashFXP's code.

Heya...

about flashFXP u should try talking to Nchanta, he already
unpacked flashFXP - pGC
send him a prvt msg and have fun =)
cya
.........................:::Bengaly:::..........................................................

Thanks everyone. I had already successfully built a new exe before i received your messages. Also, hi Latigo. LTNS, how are things.

hola latigo, nitrus bengaly thanks for the reference ;D

splaj+'s essay explains it all, however if someone wants a more "in-depth" tutor especially concerning the IAT rebuilding, then email me nchanta@optusnet.com.au and ill whip one up...

hi, ya

just notice here, excuse my english:

001B:00576C1C MOV ESI,[EBP+0040AFAE]
001B:00576C22 TEST ESI,ESI

the MOV and TEST are used to check if IAT are wraped, ESI gets the RAV of IAT. so at the line 001B:00576C22, type:
r esi 0
go the OEP, dumped it, u get a unwraped IAT, isnt it?

regards.

Have you tried that? You will not get a good IT in such way coz a GPF will appear
The following instructions which destroy the IT/IAT are in a loop(loop for each imported DLL). That means they will be executed many times. Suspend it before the whole loop begins, then dump the IT/IAT. I prefer the following way to suspend a process, coz it will cause no CPU utilization, while "JMP EIP" causes 100% CPU utilization:
push 7FFFFFFF
call kernel32!Sleep

optusnet.com.au )) oo another australian cracker
Gday mate :P


ThrawN