Win32 PE File - GUI


whoda
May 22nd, 2003, 16:22
I was trying to change the jump points in WaveStation 3.0. I always thought that if I could see the strings in dasm there wasn't a packer on it. I used PEiDentifier v0.8 (is this the best?) and it said it was Win32 PE File - GUI.

I tried to change the jump points, but when I run it I get an error "unable to initialize audio device". It doesn't matter what jump point I change, I'll get this message. So I'm guessing it's the packer? How would I go about unpacking it? I tried a few utilities and none of them worked; they gave me an error about opening the file.

Manko
May 22nd, 2003, 16:35
Hi!

I doubt very much it is packed. It sounds more like the program is checksummed (crc) so if you change ANYTHING it will complain. :P

The message you get is a trick. Or a trick causes it... hrm...

(btw, PEiD doesn't show all packers... not that I think it matters here...)

/Manko

whoda
May 22nd, 2003, 19:31
Thanks for the help. Is there a better utility than PEiD?

Also, is the trigger going off because I'm changing the wrong jump point, or if I change anything? I've tried about 8 or more different locations and I keep getting the same results.

Also, I tried to run the program with OllyDbg and it would never come up when pressing F9. That's why I thought it could be a packer.

Thanks again.

mythical
May 25th, 2003, 00:52
It may not run in Olly if IsDebuggerPresent is in the API.

Manko
May 25th, 2003, 09:57
Hi, whoda!

Better util? Nah, dunno. It's probably more a matter of them complementing each other... Or something like that...

If it's a checksum, it'll go off no matter what you change. You need to find and disable it, before you can patch other stuff.

You might set memory-breakpoints on the stuff you tried to patch, and when they break, you will have found part of the checksum, if we are lucky... You need to do some work with IDA to map out the checksumming...

As said, Olly could be detected... Doesn't have to be packed for that...

btw, Olly normally tells you if the file is packed... Dunno if it uses some statistical analysis or whatever... hmm... I'm guessing it didn't say it was packed?

/Manko

dELTA
May 25th, 2003, 16:57
According to some experiments of my own, Olly's "packed file" detection seems to be very simple. If the entry point is not in the first code section, it assumes the file is packed (and tells you this in a box); otherwise (i.e. if the entry point is in the first code section) it assumes that the file is non-packed. So don't depend on it too much.


dELTA
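Two things in this thread can be shown concretely with a small PE header walker: the entry-point heuristic dELTA describes for Olly's "packed file" box, and Manko's point that a CRC over the code section fires no matter which byte you patch. The script below is an added example and not code from the thread, from OllyDbg or from WaveStation; it builds its own minimal PE32 images in memory (constructed sample data, with made-up section names, RVAs and code bytes), so it runs offline and touches no real binary.

```python
"""Minimal PE header walker (added example, constructed sample data).

Shows (1) the "entry point outside the first code section" heuristic dELTA
attributes to OllyDbg and (2) why a CRC32 over the code section changes after
any one-byte patch, which is the checksum behaviour Manko suspects.
"""
import struct
import zlib

IMAGE_SCN_CNT_CODE = 0x00000020  # section header Characteristics flag


def build_sample_pe(entry_rva, sections):
    """Build a minimal, non-runnable PE32 image in memory.

    sections: list of (name_bytes, virtual_address, raw_bytes, characteristics).
    Only the fields the parser below reads are filled in; everything else is zero.
    """
    file_align, e_lfanew, opt_size = 0x200, 0x40, 0xE0  # 0xE0 = PE32 optional header size
    headers_size = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    headers_size = (headers_size + file_align - 1) // file_align * file_align

    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # e_lfanew -> "PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)           # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)            # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)              # SectionAlignment
    struct.pack_into("<I", opt, 36, file_align)          # FileAlignment

    table, bodies, raw_ptr = b"", b"", headers_size
    for name, va, raw, chars in sections:
        raw_size = (len(raw) + file_align - 1) // file_align * file_align
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(raw), va,
                             raw_size, raw_ptr, 0, 0, 0, 0, chars)
        bodies += raw.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return head.ljust(headers_size, b"\0") + bodies


def parse_sections(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE image in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff_off = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff_off + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff_off + 16)[0]
    opt_off = coff_off + 20
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(num_sections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_ptr": rawptr,
                         "raw_size": rawsize, "chars": chars})
    return entry_rva, sections


def _span(s):
    return s["va"], s["va"] + max(s["vsize"], s["raw_size"])


def section_containing(rva, sections):
    """First section whose virtual range covers the RVA, or None."""
    return next((s for s in sections if _span(s)[0] <= rva < _span(s)[1]), None)


def olly_style_packed_guess(data):
    """dELTA's description of the heuristic: 'packed' unless the entry point
    lies inside the first section flagged as code."""
    entry, sections = parse_sections(data)
    code = [s for s in sections if s["chars"] & IMAGE_SCN_CNT_CODE]
    if not code:
        return True
    lo, hi = _span(code[0])
    return not (lo <= entry < hi)


def code_section_crc(data):
    """CRC32 over the raw bytes of the first code section: the kind of value a
    self-checking program compares against a stored constant at startup."""
    _, sections = parse_sections(data)
    code = next(s for s in sections if s["chars"] & IMAGE_SCN_CNT_CODE)
    raw = data[code["raw_ptr"]:code["raw_ptr"] + code["raw_size"]]
    return zlib.crc32(raw) & 0xFFFFFFFF


def patch_byte(data, rva, new_byte):
    """Copy of the image with one byte changed at an RVA (models a one-byte jump edit)."""
    _, sections = parse_sections(data)
    s = section_containing(rva, sections)
    if s is None:
        raise ValueError("RVA 0x%x is not inside any section" % rva)
    out = bytearray(data)
    out[s["raw_ptr"] + (rva - s["va"])] = new_byte
    return bytes(out)


# Constructed sample code bytes; not taken from any real program.
TEXT = b"\x55\x8b\xec\x74\x05\x33\xc0\xeb\x03\xb8\x01\x00\x5d\xc3"
NORMAL = build_sample_pe(0x1000, [(b".text", 0x1000, TEXT, 0x60000020),
                                  (b".data", 0x2000, b"\0" * 16, 0xC0000040)])
# Entry point moved into a trailing code section, the shape the heuristic flags.
STUBBED = build_sample_pe(0x3000, [(b".text", 0x1000, TEXT, 0x60000020),
                                   (b".data", 0x2000, b"\0" * 16, 0xC0000040),
                                   (b".stub", 0x3000, b"\x90" * 8, 0xE0000020)])

if __name__ == "__main__":
    for label, img in (("normal", NORMAL), ("stubbed", STUBBED)):
        print(label, "packed?", olly_style_packed_guess(img))
    before = code_section_crc(NORMAL)
    after = code_section_crc(patch_byte(NORMAL, 0x1003, 0x75))  # je -> jne at RVA 0x1003
    print("crc before 0x%08x after 0x%08x changed=%s" % (before, after, before != after))
```

Running it prints `normal packed? False`, `stubbed packed? True`, and a changed CRC, which is what you would expect: the heuristic says nothing about whether the file is really packed, only where the entry point sits, and an integrity check over the code section trips on the first patched byte regardless of which jump was edited. That is why Manko's advice is to locate the checksum routine first (for example with a memory breakpoint on the patched bytes) before changing anything else.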