naides
April 22nd, 2004, 00:08
Please be kind to me. I am old in cracking but new (lazy) in unpacking, maybe because I have not really needed a packed program that did not have an equivalent software around which was easier to deal with.
Anyway, the Problem:
This program is packed with Vbox 4.6. The main exe was not a problem, but a critical .dll-like module is also packed. (It is NOT a bona fide dll, but it is a PE format module with a .mod extension.) I CANNOT use the classical trick of break&entry with CC and bpint, because the antidebugging routines of Vbox modules and the IceExt int 3 !protect fight one another and send the computer into something worse than a BSOD. If I deactivate IceExt Int 3 protection, no low level critical exception happens but the program detects the debugger and refuses to run.
I attempted to place other interrupt instructions like int 02 and int 05 as ways to stop the process at the packed dll module EP but Sice does not break on bpint 2 or 5 for example. Placing an Int 1 instruction is suicidal.
Any suggestions to make the process break at the entry of the dll, or an alternative approach to find the OEP?
Realize that I have no a priori knowledge of the memory address the module gets loaded into, and I know it changes from run to run.
I disassembled other modules of the same type that are not Vboxed and found no pattern or signature, or recurrent API call near their OEP, or a dllmain kind of typical code.
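An added example, not from the post and not part of Vbox or IceExt: a small PE32 header reader that shows why the module's entry point has to be recomputed from the actual load base on every run (the header stores an RVA, not an address), and how the relocation directory and the RELOCS_STRIPPED flag reveal whether the image can be rebased at all. The sample image is constructed inline; the header entry point it reports is the packer stub's entry, not the OEP the stub eventually jumps to.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001   # image cannot be rebased
IMAGE_FILE_DLL = 0x2000
BASE_RELOC_DIR = 5                    # index into the data directory table

def build_sample_pe(entry_rva=0x1000, image_base=0x10000000, relocs=True):
    """Constructed minimal PE32 image (not a real Vbox module) for the demo."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                   # e_lfanew
    chars = IMAGE_FILE_DLL | (0 if relocs else IMAGE_FILE_RELOCS_STRIPPED)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, chars)
    opt = bytearray(224)                                    # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)              # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)             # preferred ImageBase
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    if relocs:                                              # .reloc directory
        struct.pack_into("<II", opt, 96 + BASE_RELOC_DIR * 8, 0x3000, 0x40)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

def parse_pe(data):
    """Return entry RVA, preferred base and whether the loader may rebase."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _, _, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled in this example")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    reloc_size = 0
    if ndirs > BASE_RELOC_DIR:
        _, reloc_size = struct.unpack_from("<II", data, opt + 96 + BASE_RELOC_DIR * 8)
    relocatable = not (chars & IMAGE_FILE_RELOCS_STRIPPED) and reloc_size > 0
    return {"entry_rva": entry_rva, "image_base": image_base,
            "is_dll": bool(chars & IMAGE_FILE_DLL), "relocatable": relocatable}

def entry_va(info, actual_base=None):
    """Header entry (packer stub) as a virtual address for the observed base."""
    base = info["image_base"] if actual_base is None else actual_base
    return base + info["entry_rva"]
```

If the image is relocatable, a breakpoint on the header entry must be placed at load base plus RVA after each load rather than at a fixed address.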