stanks
December 23rd, 2000, 04:03
Hi!
I have problems with API Spy v2.5. I checked apis32.exe with GetTyp (latest version) and it says that it is packed with Petite v1.2. This is the output from GetTyp:
- --- # GetTyp 2.60 # ----------------- # Copyright (c) 1997-99 by PHaX # ---
- --- # phax@writeme.com # ---------------------- # http://surf.to/phax # ---
- ------------------------------------------------------ # free edition # ---
- [C:\PROGRAM FILES\APIS32\apis32.exe] -----
DOS executable file - 71180 bytes
Portable executable (starting at 232 for 70948 bytes)
Packer: Petite 1.2
Calculated entrypoint: 65536 / 00010000h (RVA: 00018000h)
Required CPU type: 80386
Requires Win 95 or NT 4
Flags:
Relocation info stripped from file
File is executable
Line numbers stripped from file
Local symbols stripped from file
32 bit word machine
Linker version: 6.0
Objects (object align = 00001000h):
Name Virt size RVA Phys size Phys Ofs
.text 00008000h 00001000h 00005000h 00001000h
.rdata 00001000h 00009000h 00001000h 00006000h
.data 00005000h 0000A000h 00000000h 00000000h
.rsrc 00009000h 0000F000h 00009000h 00007000h
.madmat 0000D258h 00018000h 0000160Ch 00010000h
This section, .madmat, we can see in W32Dasm too (and IDA). I tried with ProcDump (final version) to unpack apis32 (with Petite<1.3) but it doesn't work. ProcDump tells me this:
An error occured at script line 0x8
- Script evaluation failed
or
- Script syntax error
I tried to unpack it manually. This is a piece from W32Dasm (the place where I think we jump to the real entry point):
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00418110(C)
|
:004195BD 8B642414 mov esp, dword ptr [esp+14]
:004195C1 5E pop esi
:004195C2 8BFE mov edi, esi
:004195C4 81C6D7150000 add esi, 000015D7
:004195CA 6A05 push 00000005
:004195CC 59 pop ecx
:004195CD F3 repz
:004195CE A4 movsb
:004195CF 61 popad
:004195D0 669D popf
:004195D2 E989CDFEFF jmp 00406360
:004195D7 E95BE3FEFF jmp 00407937
:004195DC F2 repnz
:004195DD 0B00 or eax, dword ptr [eax]
I think that our real entry point is at 4195D2. I run ProcDump, choose PE Editor, select our target and change the entry point from 00018000 to 00006360. But when I click OK, ProcDump goes down to hell: "This program has performed an illegal..." bla bla bla, the classic shit. What to do? I am confused. Nothing works (at least I can't find anything that works on this target). Does anybody have an idea? Thanks.
P.S. Sorry for this very long post. Next time it will be much shorter.
Greetz
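As an added example (not part of the post above), the section-table arithmetic the post relies on, in Python: which section holds a given RVA, the file offset GetTyp reports for it, and the layout signs that make a packer detector flag the file. The section values are copied from the GetTyp listing in the post; the heuristic thresholds are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Section:
    name: str
    vsize: int    # VirtualSize
    rva: int      # VirtualAddress
    rawsize: int  # SizeOfRawData
    rawofs: int   # PointerToRawData

# Section table of apis32.exe as reported by GetTyp in the post (values copied from that listing).
APIS32_SECTIONS = [
    Section(".text",   0x08000, 0x01000, 0x5000, 0x01000),
    Section(".rdata",  0x01000, 0x09000, 0x1000, 0x06000),
    Section(".data",   0x05000, 0x0A000, 0x0000, 0x00000),
    Section(".rsrc",   0x09000, 0x0F000, 0x9000, 0x07000),
    Section(".madmat", 0x0D258, 0x18000, 0x160C, 0x10000),
]

def section_for_rva(sections: List[Section], rva: int) -> Optional[Section]:
    """Return the section whose in-memory range covers rva, or None."""
    for s in sections:
        if s.rva <= rva < s.rva + max(s.vsize, s.rawsize):
            return s
    return None

def rva_to_file_offset(sections: List[Section], rva: int) -> Optional[int]:
    """Map an RVA to a file offset; None when no bytes on disk back that address."""
    s = section_for_rva(sections, rva)
    if s is None or rva >= s.rva + s.rawsize:
        return None
    return rva - s.rva + s.rawofs

def packer_indicators(sections: List[Section], entry_rva: int) -> List[str]:
    """Heuristics (assumed thresholds) for the packed layout GetTyp reports."""
    ep = section_for_rva(sections, entry_rva)
    if ep is None:
        return ["entry point lies outside every section"]
    hits = []
    if ep is sections[-1] and len(sections) > 1:
        hits.append(f"entry point in last section {ep.name}")
    if ep.name not in (".text", "CODE"):
        hits.append(f"entry point in non-standard code section {ep.name}")
    if ep.rawsize and ep.vsize > 4 * ep.rawsize:
        hits.append(f"{ep.name}: virtual size {ep.vsize:#x} far larger than raw size {ep.rawsize:#x}")
    return hits

if __name__ == "__main__":
    for rva in (0x18000, 0x6360):
        s = section_for_rva(APIS32_SECTIONS, rva)
        print(f"RVA {rva:#07x}: section {s.name if s else None}, file offset {rva_to_file_offset(APIS32_SECTIONS, rva)}")
        print("  indicators:", packer_indicators(APIS32_SECTIONS, rva) or "none")
```

RVA 00018000h maps to file offset 00010000h, exactly the "Calculated entrypoint: 65536 / 00010000h" line GetTyp printed. RVA 00006360h lies inside the virtual range of .text but past its raw size (00005000h), so the packed file on disk carries no bytes at that address; that region only exists in memory after the stub has filled it.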