View Full Version : Trying to figure this program out.


cool_tester
November 16th, 2004, 05:36
Hello all,
I'm new to this world, and I would like to learn how this little application works. Attached you will find the .exe; if you can help me start learning, I would appreciate it.
Basically, here is what I think the program does.

1. After the exe is launched, it loads a packaged file that is attached to the exe itself, then extracts some DLLs to the temp folder.
2. (This is the one I can't understand) It loads its own .swf from memory and then loads the second swf file from memory as well, without extracting them to the temp folder.

Now how do I trap and get the first swf file from memory and dump it to disk?

Also, I think the exe is packed by PE Packer and I can't unpack it.

Thanks guys.

Silver
November 16th, 2004, 05:57
It seems to me you have 2 options:

1. Unpack the exe, analyze what it does and extract the SWF you want (which will probably be a resource in the exe)

2. Locate the mechanism that loads the SWF file through a debugger (Olly, sice), which I assume will reference the address of the first byte of the SWF. Research how to locate the end/size of an SWF file, and then use this information to dump address of first byte + size of SWF from mem direct to disk.

I haven't looked at your zip, I have no reversing tools on this laptop. If it's commercial software, you need to remove it from your post immediately or JMI will make good use of Mallet's Mallet.
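
The "locate the end/size of an SWF file" step in option 2, as an added example that is not part of Silver's post or of any tool named in the thread: an SWF starts with a 3-byte signature (`FWS` uncompressed, `CWS` zlib-compressed), a version byte, and a 32-bit little-endian length of the uncompressed file. The Python sketch below scans a buffer, such as a memory region already saved from a debugger, for those headers and reports each image's offset and size; the function names, the version bound and the sample buffer are constructed for the example.

```python
import struct
import zlib

MAX_VERSION = 50  # assumption: sanity bound used to reject false positives

def parse_swf_at(buf, pos):
    """Validate an SWF header at pos; return (offset, sig, version, raw_size, declared_len)."""
    if pos + 8 > len(buf):
        return None
    sig, version = buf[pos:pos + 3], buf[pos + 3]
    (declared,) = struct.unpack_from("<I", buf, pos + 4)  # uncompressed file length
    if not 1 <= version <= MAX_VERSION or declared <= 8:
        return None
    if sig == b"FWS":  # uncompressed: declared length is the size in the buffer
        if pos + declared > len(buf):
            return None  # region truncated
        return (pos, "FWS", version, declared, declared)
    # CWS: bytes after the 8-byte header are one zlib stream; cap output at declared
    d = zlib.decompressobj()
    try:
        body = d.decompress(buf[pos + 8:], declared)
    except zlib.error:
        return None
    if not d.eof or len(body) + 8 != declared:
        return None
    return (pos, "CWS", version, len(buf) - pos - len(d.unused_data), declared)

def carve_swf(buf):
    """Find every plausible FWS/CWS image in buf, sorted by offset."""
    hits = []
    for sig in (b"FWS", b"CWS"):
        pos = buf.find(sig)
        while pos != -1:
            hit = parse_swf_at(buf, pos)
            if hit:
                hits.append(hit)
            pos = buf.find(sig, pos + 1)
    return sorted(hits)

def build_sample():
    """Constructed test buffer: padding + FWS image + padding + CWS image + padding."""
    body = b"\x00\x01tag-data" * 20
    length = struct.pack("<I", 8 + len(body))
    fws = b"FWS\x07" + length + body
    cws = b"CWS\x07" + length + zlib.compress(body)
    return b"\x00" * 16 + fws + b"\xcc" * 5 + cws + b"\xcc" * 32, fws, cws

if __name__ == "__main__":
    sample, _, _ = build_sample()
    for off, sig, ver, size, declared in carve_swf(sample):
        print(f"{sig} v{ver} at 0x{off:x}: {size} bytes in buffer, {declared} declared")
```

For a `CWS` image the size in the buffer is found by running the zlib stream to its end, since the header only records the decompressed length.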

cool_tester
November 16th, 2004, 06:13
Thanks for the reply,
The program is an exe that is generated with a commercial application, but it is registered and therefore allowed to generate .exe, so I don't think there is a problem here... As you can see, the file does nothing but load the swf from memory, so nothing real here; just trying to figure out how it all works and look at the main swf source code for learning purposes.

Now I looked into it further and found out that the swfs are encrypted... bummer, now I'm stuck. I even tried to hook into the exe using a DLL I developed that hooks the URL loading routine to get the file right before it is loaded into the ActiveX, but failed. I think it is because one of the DLLs extracted is responsible for loading the resource file, and not the exe itself, which makes it hard to hook them. I'll keep digging.