
vbox 4.5, trace X 6.025 & DreamWeaver 6


chdid
July 1st, 2002, 16:02
I have a problem with the latest version of Dreamweaver 6.0 (downloaded from the Macromedia site).

I want to find the OEP.
So I use SoftICE 4.0 and IceDump 6.025 on Win98.

I load Dreamweaver in the SoftICE loader and launch the program.
When SoftICE breaks, I enter the tracex command as
/tracex <low eip> <high eip>

low eip is the base address of the first section
high eip is the top address of the first section

I wait for...

And SoftICE crashes (page fault).

Does anyone have a solution?

nikolatesla20
July 1st, 2002, 16:08
My suggestion is not to trace.


Put a bpx on GetVersion, and then when SI pops up, scroll up a little bit in the code window. If you see a normal stack frame being created (PUSH EBP, MOV EBP,ESP) followed by exception handler setup (PUSH FS:[0]) etc., you are most likely at the OEP.

The OEP would be at the PUSH EBP instruction. This works for Flash MX. Now you can just put a bp on the OEP and then dump.

-nt20

chdid
July 2nd, 2002, 10:29
Ok fine,

my OEP is AF0E48

so I set a bpm AF0E48 X
and dump the file as
/dump 400000 987000 c:\dump.exe

Now I must rebuild the IAT.

I use Revirgin 1.3 (fine tool, thanks Tshep!).

I launch the original Dreamweaver
I launch Revirgin
I select the Dreamweaver process

I put AF0E48 in OEP
I fetch the IAT
press Resolve IAT
press Resolve again

In Unresolved there is one entry: in fact it is PeekMessageA
I edit the entry, replace 0700EDDF by BFF55801
Resolve again => ok, all is resolved

Press Generate, give the path to my dump file.

Revirgin adds a section with the new IAT, and fixes the link to the IAT in the import directory.

But when I launch the dumped exe, it crashes. What's wrong?

And a question, perhaps for Tshep:
when I press 'Generate' in Revirgin, the program asks me for the dump exe and the path to it.bin, then it continues and shows a message box "out of memory", and Windows crashes! What is the right way?

esther
July 2nd, 2002, 11:24
Hi chdid,
>Ok fine,

>my OEP is AF0E48

>so I set a bpm AF0E48 X
>and dump the file as
>/dump 400000 987000 c:\dump.exe
>I put AF0E48 in OEP
>I fetch the IAT
>press Resolve IAT
>press Resolve again

>In Unresolved there is one entry: in fact it is PeekMessageA
>I edit the entry, replace 0700EDDF by BFF55801
>Resolve again => ok, all is resolved

>Press Generate, give the path to my dump file.

>Revirgin adds a section with the new IAT, and fixes the link to the IAT in the import directory.

>But when I launch the dumped exe, it crashes. What's wrong?

Seems you didn't search the forum... there's lots of info in the forum.
I'm too lazy to write ;D
http://www.woodmann.net/forum/showthread.php?threadid=3320

Did you remember to check with the PE editor to see if the OEP is correct after
pasting the dump.exe file?

I only have a problem when trying to press "Generate" the third time, and it crashed Windows; otherwise it should be fine.

regards

Anticode
July 2nd, 2002, 18:51
i.e. RawSize=VirtualSize and RawOffset=VirtualOffset for all sections?

chdid
July 3rd, 2002, 15:19
Thanks!

I haven't fixed my dump yet....

haec_est
July 6th, 2002, 17:55
... no, that isn't the OEP; the right one is 0x97f750

if you put a bpm on 0xaf0e48 you get

Break due to BPMB #0010:00AF0E48 X DR3 (ET=5.45 seconds)
MSR LastBranchFromIp=0097F763
MSR LastBranchToIp=00AF0E48


so look at 0x97F763:

001b:0097f750  6a02          push  02                                    (this is the OEP)
001b:0097f752  ff1508b2b900  call  [KERNEL32!SetErrorMode]
001b:0097f758  68d0f69700    push  0097f6d0
001b:0097f75d  ff150cb2b900  call  [KERNEL32!SetUnhandledExceptionFilt
001b:0097f763  e9e0161700    jmp   00af0e48

:map32 400000
Owner     Obj Name  Obj#  Address        Size      Type
Dreamwea  .text     0001  001B:00401000  0079946A  CODE   RW
Dreamwea  .rdata    0002  0023:00B9B000  0013436E  IDATA  RW
Dreamwea  .data     0003  0023:00CD0000  0007E038  IDATA  RW
Dreamwea  .rsrc     0004  0023:00D4F000  00020D40  IDATA  RO
Dreamwea  PREVIEW   0005  001B:00D70000  00016414  CODE   RW

IAT RVA: b9b000
len: b9cdf8 - b9b000 = 1DF8


For the IAT there are only 2 redirected calls:

PeekMessageA and GetMessageA

Next, don't use the automatic Rv paste function, because sometimes (v. 1.4 and 1.5) it doesn't work and sets the RVA to something strange like 24A50000; instead make the it.bin file and paste it manually :-)

regards,

haec_est
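
The three header repairs the thread circles around (Anticode's RawSize=VirtualSize / RawOffset=VirtualOffset check, esther's "check the OEP in a PE editor", and haec_est's "make it.bin and paste it manually" advice) can be scripted. The Python below is an added example, not code from the thread, IceDump or Revirgin. It works on a PE32 image dumped straight from memory, so the file is already laid out as it was mapped; the sample image (section names, sizes, the 0x1234 OEP) and the 0x40-byte import-table blob are constructed for illustration, and the RVA check assumes the blob was generated by Revirgin for the RVA you pass in as `it_rva`, which is exactly the value the "strange RVA" bug corrupts.

```python
"""PE32 memory-dump fix-up: added example, not code from the thread, IceDump or Revirgin.
Given a dump laid out as the image was mapped, it (1) sets RawSize=VirtualSize and
RawOffset=VirtualOffset per section (Anticode's check), (2) writes the real OEP into
AddressOfEntryPoint, (3) pastes an import-table blob (Revirgin's it.bin) into a new
section and points the import directory at it, refusing if the blob lands at an RVA
other than the one it was generated for.  Assumed: PE32 only, room in the headers for
one more section header, `it_bin` built for `it_rva`.  Sample image/blob are constructed.
"""
import struct

SECT_HDR = 40               # sizeof(IMAGE_SECTION_HEADER)
SECT_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER field layout
PE32_MAGIC = 0x10B
IMPORT_DIR = 1              # IMAGE_DIRECTORY_ENTRY_IMPORT

def _align(v, a):
    return (v + a - 1) // a * a

def _layout(d):
    """Return (pe_sig_off, optional_hdr_off, nsections, section_table_off)."""
    pe = struct.unpack_from("<I", d, 0x3C)[0]
    if d[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec, opt_size = struct.unpack_from("<H12xH", d, pe + 6)
    opt = pe + 24
    if struct.unpack_from("<H", d, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 is handled")
    return pe, opt, nsec, opt + opt_size

def sections(d):
    """Section headers as dicts: name, va, vsize, rawsize, rawptr."""
    _, _, nsec, tbl = _layout(d)
    out = []
    for o in range(tbl, tbl + nsec * SECT_HDR, SECT_HDR):
        name = d[o:o + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", d, o + 8)
        out.append(dict(name=name, va=va, vsize=vsize, rawsize=rawsize, rawptr=rawptr))
    return out

def get_oep(d):
    return struct.unpack_from("<I", d, _layout(d)[1] + 16)[0]      # AddressOfEntryPoint

def get_directory(d, index):
    return struct.unpack_from("<II", d, _layout(d)[1] + 96 + 8 * index)   # (rva, size)

def realign(d):
    """File layout := memory layout, so the dump loads without being re-mapped."""
    _, opt, nsec, tbl = _layout(d)
    sect_align = struct.unpack_from("<I", d, opt + 32)[0]
    struct.pack_into("<I", d, opt + 36, sect_align)                # FileAlignment
    for o in range(tbl, tbl + nsec * SECT_HDR, SECT_HDR):
        vsize, va = struct.unpack_from("<II", d, o + 8)
        struct.pack_into("<II", d, o + 16, vsize, va)              # SizeOfRawData, PointerToRawData

def append_section(d, name, blob, chars=0xC0000040):
    """Append a section holding `blob` (default: initialised data, RW); returns (image, rva)."""
    pe, opt, nsec, tbl = _layout(d)
    sect_align, file_align = struct.unpack_from("<II", d, opt + 32)
    new_hdr = tbl + nsec * SECT_HDR
    if new_hdr + SECT_HDR > struct.unpack_from("<I", d, opt + 60)[0]:   # SizeOfHeaders
        raise ValueError("no room for another section header")
    last = sections(d)[-1]
    va = _align(last["va"] + last["vsize"], sect_align)
    raw = _align(len(d), file_align)
    rawsize = _align(len(blob), file_align)
    out = bytearray(d) + b"\0" * (raw - len(d)) + blob + b"\0" * (rawsize - len(blob))
    struct.pack_into(SECT_FMT, out, new_hdr, name[:8].ljust(8, b"\0"),
                     len(blob), va, rawsize, raw, 0, 0, 0, 0, chars)
    struct.pack_into("<H", out, pe + 6, nsec + 1)                  # NumberOfSections
    struct.pack_into("<I", out, opt + 56, _align(va + len(blob), sect_align))  # SizeOfImage
    return out, va

def rebuild_dump(dump, oep_rva, it_bin, it_rva):
    """Apply all three repairs; returns the fixed image as bytes."""
    d = bytearray(dump)
    realign(d)
    struct.pack_into("<I", d, _layout(d)[1] + 16, oep_rva)         # AddressOfEntryPoint
    d, va = append_section(d, b".rv", it_bin)
    if va != it_rva:   # the "strange RVA" failure: the blob's internal RVAs would be wrong
        raise ValueError(f"import table landed at {va:#x}, blob was built for {it_rva:#x}")
    struct.pack_into("<II", d, _layout(d)[1] + 96 + 8 * IMPORT_DIR, va, len(it_bin))
    return bytes(d)

def build_sample_dump():
    """Constructed 3-page PE32 dump: memory layout, but section headers still on-disk."""
    d = bytearray(0x3000)
    d[:2] = b"MZ"
    struct.pack_into("<I", d, 0x3C, 0x80)                           # e_lfanew
    d[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", d, 0x84, 0x14C, 2, 0, 0, 0, 224, 0x102)   # IMAGE_FILE_HEADER
    opt = 0x98
    struct.pack_into("<H", d, opt, PE32_MAGIC)
    struct.pack_into("<I", d, opt + 16, 0x1000)                     # packer stub entry point
    struct.pack_into("<I", d, opt + 28, 0x400000)                   # ImageBase
    struct.pack_into("<II", d, opt + 32, 0x1000, 0x200)             # SectionAlignment, FileAlignment
    struct.pack_into("<II", d, opt + 56, 0x3000, 0x400)             # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", d, opt + 92, 16)                         # NumberOfRvaAndSizes
    tbl = opt + 224
    struct.pack_into(SECT_FMT, d, tbl, b".text", 0x1000, 0x1000, 0x600, 0x400, 0, 0, 0, 0, 0x60000020)
    struct.pack_into(SECT_FMT, d, tbl + 40, b".rdata", 0x800, 0x2000, 0x200, 0xA00, 0, 0, 0, 0, 0x40000040)
    d[0x1000:0x2000] = b"A" * 0x1000
    d[0x2000:0x2800] = b"B" * 0x800
    return bytes(d)
```

On a real dump the call is `rebuild_dump(open("dump.exe", "rb").read(), oep_rva, open("it.bin", "rb").read(), it_rva)` with `oep_rva` the OEP minus the image base (haec_est's 0x97f750 is RVA 0x57F750 for an image based at 400000) and `it_rva` the RVA you told Revirgin the table would live at. Two caveats: `append_section` pads from the end of the file, so the dump must already cover every section listed in its header (the map32 listing above runs well past the 987000 upper bound of the /dump command earlier in the thread), and the function leaves the original IAT at its old RVA because Revirgin's blob only carries the descriptors and name tables that point back to it.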