Mega Desperate
December 30th, 2002, 00:20
I really hate this shit ...
Can you help me?...
I followed these steps to dump:
Here's what I did:
1. bpx setprocessworkingsetsize, F5
2. SI breaks, F12
3. Press F10 several times until I land at CALL EDI
4. Still at CALL EDI, I did bc * then bpx writeprocessmemory
5. Press F5
6. SI breaks, F12 twice
005E0421 A1 88 9A 45 00 mov eax, ds:block_count
005E0426 83 C0 01 add eax, 1
005E0429 A3 88 9A 45 00 mov ds:block_count, eax
<--------SNIP------------>
005E0470 mov edx, ds:block_count
005E0476 3B 15 70 66 45 00 cmp edx, ds:max_number_of_decrypted_block
005E047C 0F 8E FA 00 00 00 jle ok
7. At 005E047C, I always make it jump: change 0F8E to 90E9
8. Then press F12 once, I land at 005DF9DC:
005DF92D 8B 8D 2C FA FF FF mov ecx, [ebp+FFFFFA18]
005DF933 3B 0D 84 9A 45 00 cmp ecx, ds:text_section_size
005DF939 0F 8D C7 00 00 00 jge continue_1
005DF93F 6A 00 push 0
005DF941 8B B5 2C FA FF FF mov esi, [ebp+FFFFFA18]
005DF947 C1 E6 04 shl esi, 4
005DF94A 8B 85 2C FA FF FF mov eax, [ebp+FFFFFA18]
<----------SNIP--------------->
005DF9C1 83 E7 0F and edi, 0Fh
005DF9C4 03 F7 add esi, edi
005DF9C6 8B 15 74 9A 45 00 mov edx, ds:key_address_table
005DF9CC 8D 04 B2 lea eax, [edx+esi*4]
005DF9CF 50 push eax
005DF9D0 8B 8D 2C FA FF FF mov ecx, [ebp+FFFFFA18]
005DF9D6 51 push ecx
005DF9D7 E8 86 0B 00 00 call Decrypt_codes
005DF9DC 83 C4 0C add esp, 0Ch <== I LAND HERE!
005DF9DF 25 FF 00 00 00 and eax, 0FFh
005DF9E4 85 C0 test eax, eax
005DF9E6 74 0A jz short bad_jump
9. Press F10 once, land at 005DF9DF. I type:
a eip (enter)
inc dword ptr [ebp+FFFFFA18] (enter)
jmp 005DF92D (enter)
(enter)
10. Still at 005DF9DF, I type
e ebp+FFFFFA18 (then change the value to 00000000)
e 005DF939 (change 0F8DC7000000 to 7DFE90909090)
11. bc *, press F5
12. LordPE
Now, I asked about this in the unpacking forum and they answered me:
"Two things I did different than you.
1. At the first jump, I don't change it to jump always; rather I edit
the ds:[max_decrypt_blocks] to a large value instead
(the max_decrypt_blocks value).
2. After you edit the code, you must STEP THROUGH your "inc dword
ptr [xxxxxxxx]" instruction BEFORE you change the [xxxxxxxx]
to value zero. If you don't, you will actually be incrementing
to 1 before you loop back around, missing an entire page. This
is the mistake I was making in my dumps before. I think that may
be the mistake you are making also. F10 through your "inc" instruction
first, and THEN set [ebp+xxxxxxxx] to zero, and then exit SI."
Can somebody tell me how I do this? I have no idea how this is done or what I must put in [ebp+xxxxxxxx]. They tell me to press F10... if I do it... but where, or how?
Thank you =) ... and thank you for helping me...
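As an added illustration (not part of the original post, and not the packer's real code), the following C model reproduces the three things the thread turns on: the per-block decrypt call whose number of calls is capped by ds:max_number_of_decrypted_block, the patched loop that walks the counter at [ebp+FFFFFA18] over the whole text section, and the order in which the injected `inc` and the `e ebp+FFFFFA18` zeroing take effect. The block size, the number of blocks, the key table contents, the starting counter value and the XOR stand-in for Decrypt_codes are all assumptions made for the example.

```c
/* Toy model of the lazy per-block decryptor and of the SoftICE patch discussed above.
   Added example: block size, key table, XOR "cipher" and counter values are assumptions,
   not the packer's real algorithm. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 16               /* assumed size of one decrypted block */
#define NUM_BLOCKS 8                /* assumed text_section_size, in blocks */

/* Stand-in for ds:key_address_table: one key per block (constructed values). */
static const uint8_t key_table[NUM_BLOCKS] = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88};

/* Stand-in for ds:block_count and ds:max_number_of_decrypted_block. */
struct packer_state {
    unsigned block_count;           /* add eax,1 / mov ds:block_count,eax at 005E0421.. */
    unsigned max_blocks;            /* compared at 005E0476; jle ok */
};

/* Toy Decrypt_codes: XOR one block with its key. Returns nonzero on success and 0 when the
   call cap is exceeded or idx is out of range (the caller does and eax,0FFh / test eax,eax). */
int decrypt_block(struct packer_state *st, uint8_t *text, size_t nblocks, size_t idx)
{
    if (idx >= nblocks) return 0;
    st->block_count += 1;
    if (st->block_count > st->max_blocks) return 0;     /* jle not taken: refuse */
    for (size_t i = 0; i < BLOCK_SIZE; i++)
        text[idx * BLOCK_SIZE + i] ^= key_table[idx];
    return 1;
}

/* The patched loop at 005DF92D: the counter [ebp+FFFFFA18] starts at `first`, the jge was
   turned into jl so the loop runs while counter < text_section_size, and the injected
   "inc dword ptr [ebp+FFFFFA18]; jmp 005DF92D" advances it. Returns a bitmask of decrypted blocks. */
unsigned run_patched_loop(struct packer_state *st, uint8_t *text, size_t nblocks, size_t first)
{
    unsigned done = 0;
    for (size_t idx = first; idx < nblocks; idx++) {
        if (!decrypt_block(st, text, nblocks, idx))
            break;                                      /* jz bad_jump */
        done |= 1u << idx;
    }
    return done;
}

/* Where the counter stands when the loop restarts, depending on whether the injected inc
   was stepped (F10) before the counter was zeroed with "e ebp+FFFFFA18". */
size_t first_block_after_edit(bool stepped_inc_before_zeroing)
{
    size_t counter = 5;                  /* whatever the packer left there (assumed) */
    if (stepped_inc_before_zeroing) {
        counter += 1;                    /* F10 over the inc */
        counter = 0;                     /* then e ebp+FFFFFA18 -> 00000000, then F5 runs the jmp */
    } else {
        counter = 0;                     /* e ebp+FFFFFA18 while eip still sits on the inc */
        counter += 1;                    /* F5: the inc executes before jmp 005DF92D */
    }
    return counter;
}

/* Whole scenario: "pack" constructed plaintext, apply the patched loop, report a bitmask of
   decrypted blocks. raise_cap models editing max_number_of_decrypted_block to a large value
   instead of forcing the jle; *plaintext_ok says whether the dump matches the original. */
unsigned dump_scenario(bool stepped_inc_before_zeroing, bool raise_cap, bool *plaintext_ok)
{
    uint8_t plain[NUM_BLOCKS * BLOCK_SIZE], text[NUM_BLOCKS * BLOCK_SIZE];
    for (size_t i = 0; i < sizeof plain; i++) plain[i] = (uint8_t)(i * 7 + 3); /* constructed */
    for (size_t b = 0; b < NUM_BLOCKS; b++)
        for (size_t i = 0; i < BLOCK_SIZE; i++)
            text[b * BLOCK_SIZE + i] = plain[b * BLOCK_SIZE + i] ^ key_table[b];

    struct packer_state st = { .block_count = 0, .max_blocks = raise_cap ? 0x7FFFFFFFu : 3u };
    unsigned done = run_patched_loop(&st, text, NUM_BLOCKS,
                                     first_block_after_edit(stepped_inc_before_zeroing));
    if (plaintext_ok) *plaintext_ok = memcmp(plain, text, sizeof plain) == 0;
    return done;
}

bool plaintext_intact_after(bool stepped_inc_before_zeroing, bool raise_cap)
{
    bool ok = false;
    dump_scenario(stepped_inc_before_zeroing, raise_cap, &ok);
    return ok;
}

int main(void)
{
    bool ok;
    unsigned m = dump_scenario(true, true, &ok);
    printf("inc stepped first, cap raised:   blocks %#x, dump %s\n", m, ok ? "intact" : "damaged");
    m = dump_scenario(false, true, &ok);
    printf("zeroed before inc, cap raised:   blocks %#x, dump %s\n", m, ok ? "intact" : "damaged");
    m = dump_scenario(true, false, &ok);
    printf("inc stepped first, cap left at 3: blocks %#x\n", m);
    return 0;
}
```

Run as is, the model shows the two points of the forum reply: zeroing the counter while eip still sits on the injected inc leaves bit 0 clear (the first block is never decrypted and the dump is damaged), while stepping over the inc and then zeroing gives a complete dump; and leaving max_blocks at its original value stops the loop after that many Decrypt_codes calls, which is why the reply raises that value rather than forcing the jle.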
