Shrinker


SilSaLaMaTa
July 18th, 2002, 21:09
hi,
I found a prog that is crypted with Shrinker 3.4, I tried to unpack it.
I read some tuts, I found 'call [ebp-24]', then I changed it to
'jmp eip'. I tried Procdump, LordPe, and nticedump, but didn't get any result.
It seems that it is protected. I put a bpx on VirtualProtectEx, but some areas
like 0x00500000 never got unprotected (image base: 0x00400000, len = 0x376fd3) (d 500000, I saw just '??????'),
so I couldn't dump it with nticedump, I got "Error in memory range".
I read a thread that says it is possible to dump it under 98, is there any way to do it under NT/XP?
DeShrink can unpack this prog ...

+SplAj
July 18th, 2002, 21:52
http://www.woodmann.net/forum/showthread.php?threadid=3118&highlight=shrinker


'pagein' is the problem............

Spl/\j

SilSaLaMaTa
July 19th, 2002, 11:51
Hi,
I read that thread.
In LordPE there is a region (499000 - 18000). It has NOACCESS protection ...
I put a breakpoint on VirtualProtectEx and VirtualQueryEx, do "esp+8". The address was never 499000,
so this section was never unprotected, am I right? If I'm right, how can I dump it when it has protection?

Splaj: in that thread you said "Just pagein each one ....refresh, repeat blah blah. Then you can dump.", I
didn't understand what u mean, especially what to do with "blah blah". How can I dump the section with pagein?
I typed "pagein d 499000 18000 d:\dump", I got "Failed to dump requested ...Posible reason : invalid mem range".

crUsAdEr
July 19th, 2002, 17:25
Hi SiSaLamanta,

read the thread again then, it is some kind of copymem protection, code is only decrypted on request and encrypted back again, so you will have to find the decryption routine and force it to decrypt the whole exe! That region is never decrypted because you prolly have not tried all functions of the target program yet, just click around for a while maybe?

Good luck... I work on this the same way I work on Armadillo... you can try other methods recommended on the board too.

Regards,
crUsAdEr

nikolatesla20
July 19th, 2002, 18:01
In the Windows O.S., memory is paged, so not all the code/data for a process may actually be "in memory" at once.

Use SoftIce's pagein command (not icedump or anything like that) to bring the page into logical memory. You can enter any address that resides in the page and it should work. For example:

pagein 499000

Memory is in 4K pages, so you would have to do this every 4K for the entire range you want to bring in, one page at a time. I'm not sure if you can use a range on pagein.


SoftIce warns you though that pagein isn't always a good idea

-nt20

SilSaLaMaTa
July 20th, 2002, 08:12
hi,
I worked with the prog and all of the prog was unpacked when necessary ...
I found the unpacking routine and I forced it to unpack the whole file (thank u crUsAdEr)
and I dumped it. Then I tried to fix the IT. I tried RV, when I chose the process I got
"Fixex raw count must be less than row count." so, I tried impRec ...
After all the prog didn't run, I looked at the PE and compared my file with the file that I had unpacked with
deShrink. It seems that deshrink is rebuilding sections, my dumped file has 14 sections and the Deshrink file has 8 sections.
It has changed RawOffsets and Raw sizes ... How can I do it manually?

crUsAdEr
July 20th, 2002, 14:24
Hey SiSa,

If you debug the decrypting routine a bit more, watch how it is being decrypted... if I remember correctly, the original IAT is decrypted first, so once it is decrypted, dump it before it is redirected and manipulated...

then the code starting from OEP will be decrypted I think, something like that... just debug the decrypting routine a bit... regarding section raw and virtual offsets, if you understand the structure of a PE file, it doesn't matter how many sections there are, just play around with it for a while, the file will run with 14 sections or 8 sections, or even 1 section for that matter I think.

Regards,
crUsAdEr
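
The section-table fix that the two posts above talk around (raw offsets and sizes of a memory dump rewritten so the file layout matches the in-memory layout, the thing LordPE/ImpREC call a dump fix or realign) done by hand, as an added Python example that is not from this thread and not how DeShrink does it. The two-section PE32 header it runs on is constructed inline as sample input; only the headers matter to the fix, so the section bodies are zero padding.

```python
import struct

def _layout(data):
    """Locate the optional header and section table; returns (opt, table, count)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    count = struct.unpack_from("<H", data, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]    # SizeOfOptionalHeader
    return coff + 20, coff + 20 + opt_size, count

def read_sections(pe):
    """List (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)."""
    _, table, count = _layout(pe)
    out = []
    for i in range(count):
        off = table + i * 40                                   # sizeof(IMAGE_SECTION_HEADER)
        name = pe[off:off + 8].rstrip(b"\0").decode()
        out.append((name,) + struct.unpack_from("<IIII", pe, off + 8))
    return out

def alignments(pe):                                            # (SectionAlignment, FileAlignment)
    return struct.unpack_from("<II", pe, _layout(pe)[0] + 32)  # same offsets in PE32 and PE32+

def realign_dump(pe):
    """Make a raw memory dump loadable: raw offset/size := RVA/VirtualSize, file align := section align."""
    data = bytearray(pe)
    opt, table, count = _layout(data)
    section_align = struct.unpack_from("<I", data, opt + 32)[0]
    struct.pack_into("<I", data, opt + 36, section_align)       # FileAlignment
    for i in range(count):
        off = table + i * 40
        vsize, vaddr = struct.unpack_from("<II", data, off + 8)
        struct.pack_into("<II", data, off + 16, vsize, vaddr)   # SizeOfRawData, PointerToRawData
    return bytes(data)

def build_sample_dump():
    """Constructed PE32 header of a two-section image as it sits in memory (sample input)."""
    dos = bytearray(b"MZ" + bytes(58) + struct.pack("<I", 64))  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)             # alignments still hold on-disk values
    secs = b""
    for name, vsize, vaddr, rawsize, rawptr in ((b".text", 0x2000, 0x1000, 0x1200, 0x400),
                                                 (b".data", 0x500, 0x3000, 0x200, 0x1600)):
        secs += name.ljust(8, b"\0") + struct.pack("<IIII", vsize, vaddr, rawsize, rawptr) + bytes(16)
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs).ljust(0x3500, b"\0")
```

Import fixing (ImpREC, as the thread does) is still a separate step; this only makes the loader map the dump the way it was laid out in memory.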

SilSaLaMaTa
July 20th, 2002, 20:00
hi,
u r right, the IT is decrypted first and after that the OEP, I don't need to dump the IT, impRec does the work for me (I know how to do it manually) ...

I don't know a lot about PE, but I want to know!
In a thread splaj said "...and copy+paste to a dump that worked in Win98. Changed PE header and it runs in Win98SE +Win2K."
It's interesting for me to know how, because I unpacked the prog under XP and it doesn't run under 98. I read about PE a little, is there a good resource that explains everything (not everything, just enough to make me understand clearly, as I said, I know a little, I want to learn advanced things about PE ...) or should I work and find it myself?

---
Crusader: my dumped file's resource section is different from the deshrinked one and I can't edit the resources ...

crUsAdEr
July 22nd, 2002, 18:07
hi Sisa,

to learn about resources, read a tutorial I guess... and try all the reme on REA... I learnt a great deal there!!!!!!

have fun :>

SilSaLaMaTa
July 28th, 2002, 09:15
hi,
thanks a lot! finally unpacked, there was no need to fix the resources ...