View Full Version : fireworks problem(vbox4.6.2)
bytexus
October 21st, 2002, 22:25
I'm having a problem with this Macromedia program. I'm using a bpx seterrormode after I push the Try button, and three lines away I have a jmp to eip. Until here all is O.K. When I try to dump it, ProcDump tells me that "these procceses can't be dumped" and PEDump tells me that it can't create a buffer with that size? Recently I removed VBox from Dreamweaver MX (same VBox version) with no problems.
Any suggestions?
+SplAj
October 22nd, 2002, 07:53
Hajo
12mb dumped.exe == LordePE

bytexus
October 23rd, 2002, 21:27
I've tried to dump it with LordPE but I get an error message "could not grab process memory". With the second dump engine it dumped the file for me, but it warns me that half of it is filled with zeros. I've tried to dump each section (worked) but I don't know if I created the exe correctly.
I've taken the header from the original file + all sections (dump) + section with imports (ImpREC), but the file still doesn't work.
Are there other possibilities?
bytexus
October 30th, 2002, 21:11
I (finally) managed to dump the target with LordPE after several tries. Found the IAT address and rebuilt with ImpREC and with Revirgin (2 of the imports were wrong: GetMessageA, PeekMessageA), corrected the OEP, but the program locks after loading almost all the files. I must say that I've rebuilt the IAT at least 3 times but I've had the same success. If anyone knows why, please post.
Thanks.
+SplAj
October 31st, 2002, 08:40
Please describe the following :-
1) Your O/S;
2) The Fireworks MX version (6.0.0.273 ? );
3) The memory address where you are holding and attempting to dump from;
4) The ImportTable VA memory address start and also length you found.
Then we can have an idea wtf is going wrong for U and offer some better assistance .......
bytexus
November 4th, 2002, 07:48
I've made a dump in Win98 and one in WinXP Pro.
I don't know the exact version of the program (I'm not at home right now) but I can tell you the VA address of the import table was d1a000 (image base 400000, OEP 7ffa58, IAT length C74, 782 imports), all those in Win98. I think the size of the original exe (not the dumped one) was less than 12 megabytes and the length of the dumped one was more than 12 megabytes (C03000???). Found 3 unresolved imports (CreateProcessA, GetMessageA, PeekMessageA). On WinXP found only 2 (GetMessageA and PeekMessageA). After I correct them I try to run the program but somewhere it hangs. My guess is that some imports were wrongly resolved. Found some imports twice (_hread); looked at their addresses in the IT and they were correct.
If there are some wrong imports, how can I detect them without comparing each of them manually?
+SplAj
November 4th, 2002, 10:08
Bytexus
_______________________________________________
..the import table was d1a000(image base 400000,oep 7ffa58 iat length C74 ,782 imports)..
________________________________________________
Maybe you made a typo? I.T. CANNOT be at d1a000 !! That's over the end of the image size... I think you should have 91a000.
The rest is ok. I never had a problem so far in 3 months and there is nothing in my notes about anti-dump checks for this target.
When u attached the rebuilt IAT to '.NewSec' offset C03000, is the PE header ok? (Sometimes ImpREC makes a mess of the auto-fix-IAT.) Try an older version 1.3, or try RV.
If you can trace the memory location of the crash. Is it an API fault or something else...???