venom925
August 28th, 2004, 14:45
Ok. I've tried and tried but I can't seem to figure it out, so I'll tell you what I did and what errors I got; maybe you can help me out. First, I'm using Olly 1.10 on XP Pro. I'm trying to unwrap this app, so I found the OEP, which is 4e77d0 - 400000 {image base} = e77d0, and I found the IAT, which starts at 115c000 - 400000 {image base} = d5c000 and is AB8 long. After finding all this I dump the app. I run ImpREC on the app to get the IAT and find it's screwed. So I look at the redirected calls and I find they all point to one decrypt call. Time to code inject; here's what I did - it's in red {original follows}
Code:
026C0000 E8 1AE69404 CALL vboxtb.0700E61F
026C0005 2803 SUB BYTE PTR DS:[EBX],AL
026C0007 36:0000 ADD BYTE PTR SS:[EAX],AL
026C000A 0000 ADD BYTE PTR DS:[EAX],AL
026C000C 0000 ADD BYTE PTR DS:[EAX],AL
026C000E 0000 ADD BYTE PTR DS:[EAX],AL
026C0010 A1 5A006C02 MOV EAX,DWORD PTR DS:[26C005A]
026C0015 8B18 MOV EBX,DWORD PTR DS:[EAX]
026C0017 81FB 00000001 CMP EBX,1000000
026C001D 7C 1B JL SHORT 026C003A
026C001F 81FB 00000003 CMP EBX,3000000
026C0025 7F 13 JG SHORT 026C003A
026C0027 53 PUSH EBX
026C0028 C3 RETN
026C0029 90 NOP
026C002A 0000 ADD BYTE PTR DS:[EAX],AL
026C002C 0000 ADD BYTE PTR DS:[EAX],AL
026C002E 0000 ADD BYTE PTR DS:[EAX],AL
026C0030 0000 ADD BYTE PTR DS:[EAX],AL
026C0032 0000 ADD BYTE PTR DS:[EAX],AL
026C0034 0000 ADD BYTE PTR DS:[EAX],AL
026C0036 0000 ADD BYTE PTR DS:[EAX],AL
026C0038 0000 ADD BYTE PTR DS:[EAX],AL
026C003A A1 5A006C02 MOV EAX,DWORD PTR DS:[26C005A]
026C003F 83C0 04 ADD EAX,4
026C0042 A3 5A006C02 MOV DWORD PTR DS:[26C005A],EAX
026C0047 3D B8CA1501 CMP EAX,115CAB8
026C004C 7D 06 JGE SHORT 026C0054
026C004E ^ EB C0 JMP SHORT 026C0010
026C0050 90 NOP
026C0051 90 NOP
026C0052 90 NOP
026C0053 90 NOP
026C0054 - EB FE JMP SHORT 026C0054
026C0056 0000 ADD BYTE PTR DS:[EAX],AL
026C0058 0000 ADD BYTE PTR DS:[EAX],AL
026C005A 0010 ADD BYTE PTR DS:[EAX],DL
026C005C 8B00 MOV EAX,DWORD PTR DS:[EAX]
026C005E 0000 ADD BYTE PTR DS:[EAX],AL
026C0060 0000 ADD BYTE PTR DS:[EAX],AL
026C0062 0000 ADD BYTE PTR DS:[EAX],AL
026C0064 0000 ADD BYTE PTR DS:[EAX],AL
026C0066 0000 ADD BYTE PTR DS:[EAX],AL
026C0068 0000 ADD BYTE PTR DS:[EAX],AL
026C006A 0000 ADD BYTE PTR DS:[EAX],AL
026C006C 0000 ADD BYTE PTR DS:[EAX],AL
026C006E 0000 ADD BYTE PTR DS:[EAX],AL
026C0070 8B1D 5A006C02 MOV EBX,DWORD PTR DS:[26C005A] ;
026C0076 8903 MOV DWORD PTR DS:[EBX],EAX
026C0078 68 3A006C02 PUSH 26C003A
026C007D C3 RETN
{original}
Code:
026C0000 E8 1AE69404 CALL vboxtb.0700E61F
026C0005 2803 SUB BYTE PTR DS:[EBX],AL
026C0007 36:0000 ADD BYTE PTR SS:[EAX],AL
026C000A 0000 ADD BYTE PTR DS:[EAX],AL
026C000C 0000 ADD BYTE PTR DS:[EAX],AL
026C000E 0000 ADD BYTE PTR DS:[EAX],AL
026C0010 0000 ADD BYTE PTR DS:[EAX],AL
026C0012 0000 ADD BYTE PTR DS:[EAX],AL
026C0014 0000 ADD BYTE PTR DS:[EAX],AL
026C0016 0000 ADD BYTE PTR DS:[EAX],AL
026C0018 0000 ADD BYTE PTR DS:[EAX],AL
026C001A 0000 ADD BYTE PTR DS:[EAX],AL
026C001C 0000 ADD BYTE PTR DS:[EAX],AL
026C001E 0000 ADD BYTE PTR DS:[EAX],AL
026C0020 0000 ADD BYTE PTR DS:[EAX],AL
026C0022 0000 ADD BYTE PTR DS:[EAX],AL
026C0024 0000 ADD BYTE PTR DS:[EAX],AL
026C0026 0000 ADD BYTE PTR DS:[EAX],AL
026C0028 0000 ADD BYTE PTR DS:[EAX],AL
026C002A 0000 ADD BYTE PTR DS:[EAX],AL
026C002C 0000 ADD BYTE PTR DS:[EAX],AL
026C002E 0000 ADD BYTE PTR DS:[EAX],AL
026C0030 0000 ADD BYTE PTR DS:[EAX],AL
026C0032 0000 ADD BYTE PTR DS:[EAX],AL
026C0034 0000 ADD BYTE PTR DS:[EAX],AL
026C0036 0000 ADD BYTE PTR DS:[EAX],AL
026C0038 0000 ADD BYTE PTR DS:[EAX],AL
026C003A 0000 ADD BYTE PTR DS:[EAX],AL
026C003C 0000 ADD BYTE PTR DS:[EAX],AL
026C003E 0000 ADD BYTE PTR DS:[EAX],AL
026C0040 0000 ADD BYTE PTR DS:[EAX],AL
026C0042 0000 ADD BYTE PTR DS:[EAX],AL
026C0044 0000 ADD BYTE PTR DS:[EAX],AL
026C0046 0000 ADD BYTE PTR DS:[EAX],AL
026C0048 0000 ADD BYTE PTR DS:[EAX],AL
026C004A 0000 ADD BYTE PTR DS:[EAX],AL
026C004C 0000 ADD BYTE PTR DS:[EAX],AL
026C004E 0000 ADD BYTE PTR DS:[EAX],AL
026C0050 0000 ADD BYTE PTR DS:[EAX],AL
026C0052 0000 ADD BYTE PTR DS:[EAX],AL
026C0054 0000 ADD BYTE PTR DS:[EAX],AL
026C0056 0000 ADD BYTE PTR DS:[EAX],AL
026C0058 0000 ADD BYTE PTR DS:[EAX],AL
026C005A 0000 ADD BYTE PTR DS:[EAX],AL
026C005C 0000 ADD BYTE PTR DS:[EAX],AL
026C005E 0000 ADD BYTE PTR DS:[EAX],AL
026C0060 0000 ADD BYTE PTR DS:[EAX],AL
026C0062 0000 ADD BYTE PTR DS:[EAX],AL
026C0064 0000 ADD BYTE PTR DS:[EAX],AL
026C0066 0000 ADD BYTE PTR DS:[EAX],AL
026C0068 0000 ADD BYTE PTR DS:[EAX],AL
026C006A 0000 ADD BYTE PTR DS:[EAX],AL
026C006C 0000 ADD BYTE PTR DS:[EAX],AL
026C006E 0000 ADD BYTE PTR DS:[EAX],AL
026C0070 0000 ADD BYTE PTR DS:[EAX],AL
026C0072 0000 ADD BYTE PTR DS:[EAX],AL
026C0074 0000 ADD BYTE PTR DS:[EAX],AL
026C0076 0000 ADD BYTE PTR DS:[EAX],AL
026C0078 0000 ADD BYTE PTR DS:[EAX],AL
026C007A 0000 ADD BYTE PTR DS:[EAX],AL
026C007C 0000 ADD BYTE PTR DS:[EAX],AL
Now inside the call at the top I did this:
Code:
0700E61F 55 PUSH EBP
0700E620 8BEC MOV EBP,ESP
0700E622 83EC 10 SUB ESP,10
0700E625 53 PUSH EBX
0700E626 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0700E629 895D F8 MOV DWORD PTR SS:[EBP-8],EBX
0700E62C 894D F4 MOV DWORD PTR SS:[EBP-C],ECX
0700E62F 8955 F0 MOV DWORD PTR SS:[EBP-10],EDX
0700E632 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
0700E635 50 PUSH EAX
0700E636 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
0700E639 50 PUSH EAX
0700E63A 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
0700E63D 50 PUSH EAX
0700E63E 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
0700E641 50 PUSH EAX
0700E642 E8 12000000 CALL vboxtb.0700E659
0700E647 83C4 10 ADD ESP,10
0700E64A 5B POP EBX
0700E64B C9 LEAVE
0700E64C 68 70007002 PUSH 2700070
0700E651 C3 RETN
0700E652 F4 HLT ; Privileged command
0700E653 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]
0700E656 5B POP EBX
0700E657 C9 LEAVE
0700E658 C3 RETN
{original}
Code:
0700E61F 55 PUSH EBP
0700E620 8BEC MOV EBP,ESP
0700E622 83EC 10 SUB ESP,10
0700E625 53 PUSH EBX
0700E626 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0700E629 895D F8 MOV DWORD PTR SS:[EBP-8],EBX
0700E62C 894D F4 MOV DWORD PTR SS:[EBP-C],ECX
0700E62F 8955 F0 MOV DWORD PTR SS:[EBP-10],EDX
0700E632 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
0700E635 50 PUSH EAX
0700E636 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
0700E639 50 PUSH EAX
0700E63A 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
0700E63D 50 PUSH EAX
0700E63E 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
0700E641 50 PUSH EAX
0700E642 E8 12000000 CALL vboxtb.0700E659
0700E647 83C4 10 ADD ESP,10
0700E64A 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0700E64D 8B5D F8 MOV EBX,DWORD PTR SS:[EBP-8]
0700E650 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
0700E653 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]
0700E656 5B POP EBX
0700E657 C9 LEAVE
0700E658 C3 RETN
OK, here's what I did: I set new origin at 26c0010, bp at 26c0054, and ran the app like the tut said, and here's what I got.
Code:
02700070 Access violation when writing to [77D47668]
02700070 Access violation when writing to [77E775F1]
............lots of these...............
02700070 Access violation when writing to [77E775F1]
Debugged program was unable to process exception
Thread 00000094 terminated, exit code 80 (128.)
Thread 0000031C terminated, exit code 80 (128.)
Thread 000003BC terminated, exit code 80 (128.)
Thread 00000768 terminated, exit code 80 (128.)
Thread 00000584 terminated, exit code 80 (128.)
Thread 00000578 terminated, exit code 80 (128.)
77E802F4 New thread with ID 000003E4 created
Process terminated, exit code 80 (128.)
--------------------------------
I know I can't post the name of the app here, but if you want to PM me I will be more than happy to tell you. Thanks for any help any of you can give me.
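The two checks below are an added example and are not code from the post. The first is the pre-flight check an analyst runs over a hand-typed code cave before letting it execute: every absolute address the patched instructions reference (memory operands, PUSH imm32 used as a RETN target, branch and call targets) must land inside a region the analyst knows about. The sample listing is copied from the listings above, and the check reports one reference that lands in no region, the `PUSH 2700070` at 0700E64C, while the write-back code sits at 026C0070 and the faulting address in the log is 02700070. The second check replays the cave's per-slot decision (the signed `CMP`/`JL`/`JG` range test) over a constructed IAT dump, so it is visible which slots the loop would dispatch into the redirect stub and which it skips. The image base, IAT start and length, and cave addresses come from the post; the image end and the extent of the `vboxtb` module are assumptions, and the four IAT values are constructed.

```python
import re
import struct

# Memory map used by the checks. Values taken from the post are labelled; the
# image end and the extent of the "vboxtb" module are ASSUMED, because the post
# does not state them.
IMAGE_BASE = 0x400000
REGIONS = {
    "iat":    (0x115C000, 0x115C000 + 0xAB8),     # IAT start and length from the post
    "image":  (IMAGE_BASE, 0x1160000),            # base from the post, end assumed
    "cave":   (0x26C0000, 0x26C0080),             # the injected code cave shown above
    "vboxtb": (0x7000000, 0x7100000),             # redirect-stub module, extent assumed
}

def va_to_rva(va, base=IMAGE_BASE):
    """VA -> RVA, the subtraction done by hand in the post."""
    return va - base

def region_of(addr, regions=REGIONS):
    """Name of the region containing addr, or None if it lands nowhere known."""
    for name, (lo, hi) in regions.items():
        if lo <= addr < hi:
            return name
    return None

# Absolute addresses that a hand-typed instruction can get wrong: memory
# operands, PUSH imm32 (used as a RETN target), and branch/call targets.
LINE      = re.compile(r"^\s*([0-9A-Fa-f]{8})\s+(.*)$")
ADDR_MEM  = re.compile(r"\[([0-9A-Fa-f]{6,8})\]")
ADDR_PUSH = re.compile(r"\bPUSH\s+([0-9A-Fa-f]{6,8})\b")
ADDR_FLOW = re.compile(r"\b(?:JMP|CALL|J[A-Z]{1,3})\s+(?:SHORT\s+)?(?:\w+\.)?([0-9A-Fa-f]{6,8})\b")

def listing_refs(listing):
    """(instruction address, referenced address, region name or None) per reference."""
    refs = []
    for line in listing.strip().splitlines():
        m = LINE.match(line)
        if not m:
            continue
        at, rest = int(m.group(1), 16), m.group(2)
        for rx in (ADDR_MEM, ADDR_PUSH, ADDR_FLOW):
            for hexaddr in rx.findall(rest):
                target = int(hexaddr, 16)
                refs.append((at, target, region_of(target)))
    return refs

def unmapped_refs(listing):
    """References that fall outside every known region: the ones to re-check."""
    return [(at, target) for at, target, region in listing_refs(listing) if region is None]

def iat_dwords(blob):
    """Split a raw IAT dump into little-endian dword slots."""
    return [struct.unpack_from("<I", blob, off)[0]
            for off in range(0, len(blob) - len(blob) % 4, 4)]

def walk_iat(entries, lo=0x1000000, hi=0x3000000):
    """Replay the cave's per-slot decision. CMP/JL and CMP/JG are signed
    compares, so a slot with the high bit set reads as negative and is skipped,
    just like a slot that already holds a normal DLL address."""
    out = []
    for i, v in enumerate(entries):
        s = v - (1 << 32) if v & 0x80000000 else v
        out.append((i, v, "dispatch" if lo <= s <= hi else "skip"))
    return out

# Lines copied from the listings above (cave loop, write-back, patched stub exit).
SAMPLE_LISTING = """
026C0010 A1 5A006C02 MOV EAX,DWORD PTR DS:[26C005A]
026C0015 8B18 MOV EBX,DWORD PTR DS:[EAX]
026C0017 81FB 00000001 CMP EBX,1000000
026C001D 7C 1B JL SHORT 026C003A
026C0027 53 PUSH EBX
026C003A A1 5A006C02 MOV EAX,DWORD PTR DS:[26C005A]
026C0042 A3 5A006C02 MOV DWORD PTR DS:[26C005A],EAX
026C0047 3D B8CA1501 CMP EAX,115CAB8
026C004C 7D 06 JGE SHORT 026C0054
026C004E ^ EB C0 JMP SHORT 026C0010
026C0070 8B1D 5A006C02 MOV EBX,DWORD PTR DS:[26C005A]
026C0078 68 3A006C02 PUSH 26C003A
0700E642 E8 12000000 CALL vboxtb.0700E659
0700E64C 68 70007002 PUSH 2700070
"""

# Constructed IAT slots: a normal DLL address, a slot redirected into the
# protector's range, an empty terminator, and a value with the high bit set.
SAMPLE_IAT = struct.pack("<4I", 0x77D47668, 0x0270A120, 0x00000000, 0x8B0F1234)

if __name__ == "__main__":
    print("OEP RVA = %x" % va_to_rva(0x4E77D0))
    for at, target in unmapped_refs(SAMPLE_LISTING):
        print("%08X references %08X, which is in no known region" % (at, target))
    for i, v, action in walk_iat(iat_dwords(SAMPLE_IAT)):
        print("slot %d = %08X -> %s" % (i, v, action))
```

Run it against a listing pasted straight out of OllyDbg before hitting F9 on a cave; any reference that prints as "in no known region" is worth re-reading byte by byte, since a single mistyped digit in a PUSH/RETN pair sends execution into unmapped memory and produces exactly the access-violation flood shown in the log.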