
View Full Version : IDAPro problem??


MTB
November 6th, 2001, 19:27
The target is Co__V, a ray trace program used in optics, protected by an Activator dongle.

IDA version 4.04 seems to have problems disassembling it, however W32dasm 8.93 seems to be working ok. First section of both disassemblies are posted below.

First, can I get IDA to work on this code?

Second, why didn't IDA pick a signature file for it?

I probably can crack it using W32dasm, but really would prefer to use IDA since it does a significantly better job.

Thanks
MTB

--------------------------------------------------------------------------
IDA posted below

5F401000 ; Format : Portable executable for IBM PC (PE)
5F401000 ; Section 1. (virtual address 00001000)
5F401000 ; Virtual size : 0009628B ( 615051.)
5F401000 ; Section size in file : 00096400 ( 615424.)
5F401000 ; Offset to raw data for section: 00000600
5F401000 ; Flags 60000020: Text Executable Readable
5F401000 ; Alignment : 16 bytes ?
5F401000 ; Exported entry 3030.
5F401000
5F401000 model flat
5F401000
5F401000 ; ---------------------------------------------------------------------------
5F401000
5F401000 ; Segment type: Pure code
5F401000 _text segment para public 'CODE' use32
5F401000 assume cs:_text
5F401000 ;org 5F401000h
5F401000 assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
5F401000
5F401000 ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
5F401000
5F401000
5F401000 public MFC42_3030
5F401000 MFC42_3030 proc near ; CODE XREF: MFC42_1168+Ap
5F401000 ; MFC42_1169+11p ...
5F401000
5F401000 arg_0 = dword ptr 0Ch
5F401000
5F401000 push esi
5F401001 push edi
5F401002 mov edi, ecx
5F401004 cmp dword ptr [edi], 0
5F401007 jz short loc_5F401032
5F401009
5F401009 loc_5F401009: ; CODE XREF: MFC42_3030+43j
5F401009 mov eax, dword_5F4CB000


--------------------------------------------------

W32dasm below

:00401000 CC int 03
:00401001 CC int 03
:00401002 CC int 03
:00401003 CC int 03
:00401004 CC int 03
:00401005 E90F030000 jmp 00401319

* Referenced by a CALL at Address:
|:009A34A5
|
:0040100A E9BA020000 jmp 004012C9

* Referenced by a CALL at Address:
|:009A3719
|
:0040100F E997020000 jmp 004012AB

* Referenced by a CALL at Address:
|:0040128B
|

DakienDX
November 7th, 2001, 12:26
Hello MTB !

The code IDA has disassembled is a disassembly of MFC42.DLL, starting at the beginning of the code section.

I suppose that the W32Dasm listing is the start of the program you want to disassemble.

I don't know what the problem is, but I think IDA has somehow been set to disassemble all used DLLs (although I don't even know if that option exists).

I've just tried IDA 4.04 and IDA 4.1 on eight files using MFC42.DLL and could not reproduce the error.

What platform (DOS, Win32 Console, Win32 GUI) and version of IDA are you using?

Is it possible to upload the .EXE and the needed .DLLs somewhere? (if needed)

BTW: If this thread leads to an "Anti-IDA-Tricks" post, we should discontinue it very soon.

MTB
November 7th, 2001, 21:27
Hi DakienDX
First of all thanks for helping me with this problem.

IDA 4.04 running under Windows 98SE

I have a high speed modem on this end, so I can upload the entire program, if you want, to some local FTP or other site. The other option would be to zip the installation disk, then, using RAR, break it down into 1.4 Mb size pieces and email it to you.

I also could burn you a copy of the CD and snail mail it someplace.

Your call.

Thanks again
MTB

DakienDX
November 8th, 2001, 12:17
Hello MTB !

I think burning the program on a CD is a bad idea.

Even if it has 650 MB, it would be easier to download.

How big is the program?

I think uploading would be a good suggestion. Please email me the link, since too many downloads may kick the program before anybody has it completely downloaded.
If you plan to upload it to an FTP, please also email me the username and password.

MTB
November 8th, 2001, 19:41
DakienDX
Zipped the CD up 45Mb's. Do you have an FTP site, or know of one we can use?
MTB

DakienDX
November 9th, 2001, 11:35
Hello MTB !

Since the problem of how to get the files from you to me isn't of public interest, I won't reply on this topic any more.

Please email me your email address and we will communicate that way.