View Full Version : Announcement: OEPFinder v0.2 Hybrid Build


foxthree
April 19th, 2002, 21:01
Hi folks:

I've released a 0.2 version of OEPFinder. I've added support for a couple of new packers (thanks to binh for contributions) and added a new Tip feature! Check it out!!!

h**p://foxthree.cjb.net

I need to add support for Win2K and for packed DLLs. This would be my next goal.

+ve Comments/Criticisms welcome...

Signed,
-- FoxThree

crispeater
April 24th, 2002, 11:03
That's a great little tool matey. Saves a lot of messing about with Winhex etc.

Any joy with other signatures? Or are other packer/protectors more random?

foxthree
April 24th, 2002, 11:16
Hey:

I've collected about another 5 packers that I can add to the next release. But my *main* feature for the next release will be support for Win2K. I know a lot of people moved to Win2K....

As long as the packer's loader doesn't destroy itself after load (as I've seen one packer do), everything should be okay.

Signed,
-- FoxThree

crispeater
April 24th, 2002, 12:59
keep up the good work, mate

Lbolt99
May 1st, 2002, 21:31
Thanks for the good utility. I've added it to my list of "must-have" favorite utilities:

1) IceDump (the ring 0 code tracer, the best thing since sliced bread)

2) ReVirgin

3) LordPE

4) SuperBPM

FWIW, it worked fine in a Win98 environment, on a recent build of ASProtect. Beta of Helpjotter released Apr 4th...

Doesn't have the GetWhatWeWants in the cluster like normal... they're not scattered either (aspr 1.4). Not sure. SuperBPM'd the unresolved addresses that RV gave and was able to see the code used instead of the API call.

Kayaker
May 2nd, 2002, 09:30
Cool Tool FoxThree, nice implementation. Editable signature plugin in the works?

Thanks too for providing the anti-antibpm cpp source ;-) I've been trying to compile the HookSTCDLL.cpp source with Borland C++ Builder and I'm having a weird linker problem. It compiles without error and I can load the dll from ASM, but it seems to give an incorrect ExportAddressTable RVA for the _ApiHookChain exported function. When I GetProcAddress on this function it doesn't give me a valid address for the function start, pointing to the .data section instead of a proc in the .text section.

This is the first time I've tried to compile APIHooks and I may have a linker setting wrong. There's an example that matches the external declaration you used, in Ah56\Examples\C-ApiWorks\C\CapConsole. You're supposed to use __EXPORT and deffile in order to export ApiHookChain, GetApiHookChain and other functions instead of __declspec(dllexport).

Basically I'm just compiling your code with the default dll linker options. There's probably something I'm missing because my C experience is limited, but I just can't figure out what it is. I haven't tried the command line BCC compiler, just hoping to get it working from C++ Builder. Just wondering if you had an idea on how to compile it properly. I'd like to add the code to an existing C++ module as breakpoint protection (and maybe as a skeleton for other API hooking ;-)

Cheers,
Kayaker

foxthree
May 2nd, 2002, 09:46
Hi Kayaker:

Thanks for your comments. Indeed, many times I've seen you post answers to my questions as though you'd read what I had in my mind. (Both for the ReadProcessMemory and some other question that I'd posted a while back... I forget.) For this, I'm thankful to you.

As for the BCC compilation, hmmm, my experience in BCC is extremely small (if not none). I've compiled and tested under Win98SE with VC++ 6.0 with ApiHooks 5.6 from elicz.cjb.net.

If you don't mind, can you try with these settings? I think ApiHooks has a separate set of libs for BCC compiler. I'm sure you're using this correctly already but just wondering...

Thanks,

Signed,
-- FoxThree

Kayaker
May 2nd, 2002, 10:10
Hi FoxThree

I think it's really cool that you and some others are creating new tools and developing and offering them here. It allows us all to study them and have new ideas to think and learn about. Keep it up man! ;-)

Just my luck I don't have VC++. I did include the recommended bApiHooks.lib for Borland compilers, but obviously still got something wrong. Guess it's back to the drawing board. Maybe someone with Borland C++ Builder might give it a try. I suppose RTFM wouldn't hurt either ;p

Kayaker

crUsAdEr
May 2nd, 2002, 11:21
Hi Kayaker,

I think Laptonic has used APIHook by ElicZ in his CD-Cops unpacker (written in win32asm)... he did upload the source here... maybe you can consult his source code and if Laptonic is still around, he can probably comment on how he did it.

Fox3, I'm still waiting for a y2k-compatible version of your OEP finder :>>

LaptoniC
May 2nd, 2002, 13:14
Hi, I haven't tried the AH library with languages other than MASM. However, the new AH library wants hook-name structures to be ApiHookChain. There are a lot of examples in the AH38 package, I guess. However, I don't remember any example written in BC. Hope you can make it work. It works great.

foxthree
May 2nd, 2002, 15:18
Hi crUsAdEr:

Bah, my Win2K install died on me.... and I was close to getting things fixed. Guess you'll have to wait until this weekend....

Signed,
-- FoxThree

kugi
May 2nd, 2002, 16:50
Hi foxthree,

Great tool! Just give it your target and wait for the OEP. Now that is a cool way to go.

Regards, Kugi

crUsAdEr
May 2nd, 2002, 17:14
Fox3,

bugs reported by sPeKKel... for Armadillo itself you should scan the memory space outside its original memory area at the image base, or else the signature bytes will not be unique... (damn, Armadillo can't even bother to encrypt its own code :<...)

Of course this is a small problem because it only concerns unpacking Armadillo itself but just another bug report :>
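
The point crUsAdEr raises above is the classic failure mode of signature-based OEP finding: if the protector's loader stub also survives in cleartext inside the original image area, the same bytes match twice and the scanner cannot tell which hit is the real stub. The following is an added example (not OEPFinder's code, and not from anyone in this thread) of a wildcard signature scanner that restricts the scan to the packer's own region and refuses a non-unique match. It assumes, as the thread implies, that the tool matches packer-loader signatures in the loaded image; the packer stub (`POPAD; CALL rel32; MOV EAX,[ESP]; JMP rel32`), the image layout, the 0x2000/0x3000 boundaries and the OEP value are all constructed for the demonstration, and the assumption that the stub's final `JMP rel32` lands on the OEP is the example's own. Offsets play the role of RVAs.

```python
"""Wildcard signature scan for a packer stub, with a scan range and a uniqueness check.
Added example; the packer, layout and values below are constructed, not taken from any real protector."""
import struct
from typing import List, Optional

Signature = List[Optional[int]]  # None marks a wildcard byte ("??")

# Constructed stub tail: POPAD; CALL rel32; MOV EAX,[ESP]; JMP rel32.
# The rel32 fields vary per target, so they are wildcarded. (Assumption: the JMP lands on the OEP.)
STUB_SIGNATURE = "61 E8 ?? ?? ?? ?? 8B 04 24 E9 ?? ?? ?? ??"
STUB_LEN = 14

# Constructed image layout: original sections occupy [0, IMAGE_END), the appended
# packer section occupies [IMAGE_END, LOADER_END).
IMAGE_END = 0x2000
LOADER_END = 0x3000
OEP = 0x1000


def parse_signature(text: str) -> Signature:
    """'61 E8 ?? ..' -> [0x61, 0xE8, None, ..]."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def find_signature(mem: bytes, sig: Signature, start: int = 0, end: Optional[int] = None) -> List[int]:
    """Return every offset in mem[start:end] where sig matches, honouring wildcards."""
    if end is None or end > len(mem):
        end = len(mem)
    n = len(sig)
    return [off for off in range(start, end - n + 1)
            if all(b is None or mem[off + i] == b for i, b in enumerate(sig))]


def jmp_rel32_target(mem: bytes, off: int) -> int:
    """Decode an E9 rel32 at off and return its target offset (next-instruction + signed disp)."""
    if mem[off] != 0xE9:
        raise ValueError("no JMP rel32 at 0x%X" % off)
    (rel,) = struct.unpack_from("<i", mem, off + 1)
    return off + 5 + rel


def find_oep(mem: bytes, sig_text: str, scan_start: int, scan_end: int) -> int:
    """Locate the stub in [scan_start, scan_end) and return its JMP target.
    Raises LookupError unless the signature matches exactly once, which is the check
    that catches the Armadillo-in-cleartext situation when the range is too wide."""
    sig = parse_signature(sig_text)
    hits = find_signature(mem, sig, scan_start, scan_end)
    if len(hits) != 1:
        raise LookupError("signature matched %d times in [0x%X, 0x%X)" % (len(hits), scan_start, scan_end))
    return jmp_rel32_target(mem, hits[0] + len(sig) - 5)  # JMP is the last 5 bytes of the stub


def encode_stub(stub_off: int, call_target: int, jmp_target: int) -> bytes:
    """Emit concrete stub bytes (matching STUB_SIGNATURE) with real rel32 displacements."""
    call_rel = call_target - (stub_off + 1 + 5)   # CALL sits at stub_off+1
    jmp_off = stub_off + 9                        # JMP sits after POPAD(1)+CALL(5)+MOV(3)
    jmp_rel = jmp_target - (jmp_off + 5)
    return b"\x61" + b"\xE8" + struct.pack("<i", call_rel) + b"\x8B\x04\x24" + b"\xE9" + struct.pack("<i", jmp_rel)


def build_sample_image() -> bytes:
    """Constructed image: the live stub in the packer section, plus an unencrypted copy of the
    same stub code left inside the original image area (the non-unique case)."""
    mem = bytearray(LOADER_END)
    live = 0x2100
    mem[live:live + STUB_LEN] = encode_stub(live, 0x2300, OEP)
    stale = 0x0800
    mem[stale:stale + STUB_LEN] = encode_stub(stale, 0x0900, 0x0C00)
    return bytes(mem)


if __name__ == "__main__":
    img = build_sample_image()
    sig = parse_signature(STUB_SIGNATURE)
    print("whole image :", [hex(h) for h in find_signature(img, sig)])
    print("packer only :", [hex(h) for h in find_signature(img, sig, IMAGE_END, LOADER_END)])
    print("OEP         :", hex(find_oep(img, STUB_SIGNATURE, IMAGE_END, LOADER_END)))
```

Scanning the whole image yields two hits, so a scanner that simply takes the first one would follow the stale copy to a bogus OEP; restricting the range to the packer's region (and insisting on exactly one hit) gives the right answer and makes the failure loud when it is not unique.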

foxthree
May 2nd, 2002, 18:14
Hi crUsAdEr (or is it a friend I know of?)

Thanks for the report. Probably I should've put it in the release notes, but I did *NOT* test Arma <guilty face>. Yes, lame of me, but I have a valid excuse: I did not have any latest Arma-protected apps... Hmmm... which reminds me, can some of you PM me some ARMA (latest) targets? I'll try to unpack it manually without the help of somebody's dumper... which does not work on 98 LOL (which, btw, kicks ass otherwise).

Thanks folks,

Signed,
-- FoxThree