Mephisto, I am working on an ActiveMark game as well, and I am pretty much at the same area you are.
Here's what I've done so far:
-Set HW BP on OEP (found OEP using PEiD and verified by dumping the file and searching for "TdnA" and counting 13 bytes, including TdnA)
-Run program till we hit OEP.
(you have to hit play free trial)
-Analyze program
-you will be here:
Code:
20003BC4 /. 55 PUSH EBP
20003BC5 |. 8BEC MOV EBP,ESP
20003BC7 |. 6A FF PUSH -1
20003BC9 |. 68 F0810020 PUSH XXXX.200081F0
20003BCE |. 68 204E0020 PUSH XXXX.20004E20 ; SE handler installation
20003BD3 |. 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
20003BD9 |. 50 PUSH EAX
20003BDA |. 64:8925 000000>MOV DWORD PTR FS:[0],ESP
20003BE1 |. 83EC 58 SUB ESP,58
20003BE4 |. 53 PUSH EBX
20003BE5 |. 56 PUSH ESI
20003BE6 |. 57 PUSH EDI
20003BE7 |. 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
20003BEA |. FF15 24F21720 CALL NEAR DWORD PTR DS:[2017F224]; kernel32.GetVersion
20003BF0 |. 33D2 XOR EDX,EDX
20003BF2 |. 8AD4 MOV DL,AH
20003BF4 |. 8915 2CCE0020 MOV DWORD PTR DS:[2000CE2C],EDX
20003BFA |. 8BC8 MOV ECX,EAX
20003BFC |. 81E1 FF000000 AND ECX,0FF
20003C02 |. 890D 28CE0020 MOV DWORD PTR DS:[2000CE28],ECX
20003C08 |. C1E1 08 SHL ECX,8
20003C0B |. 03CA ADD ECX,EDX
-Now dumping and fixing the imports did not work for me, so I set a BP on the first .bss section and continued running.
- I then broke here:
Code:
2009A3BE B8 D99D0920 MOV EAX,XXXX.20099DD9
2009A3C3 E8 B0110C00 CALL XXXX.2015B578 ****STEP OVER***
2009A3C8 83EC 20 SUB ESP,20
2009A3CB E9 CB0B0000 JMP XXXX.2009AF9B
2009A3D0 E8 BDD50800 CALL XXXX.20127992 ***STEP INTO***
2009A3D5 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28]
2009A3D8 E9 5C0B0000 JMP XXXX.2009AF39
2009A3DD AF SCAS DWORD PTR ES:[EDI]
2009A3DE A9 0F8238FC TEST EAX,FC38820F
-Step into the second call and you are here:
Code:
20127992 B8 88EB1620 MOV EAX,XXXX.2016EB88
20127997 E8 DC3B0300 CALL XXXX.2015B578 ***STEP INTO***
2012799C 81EC 74010000 SUB ESP,174
201279A2 53 PUSH EBX
201279A3 56 PUSH ESI
-Step into that call and you are here:
Code:
2015B578 6A FF PUSH -1
2015B57A 50 PUSH EAX
2015B57B 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
2015B581 50 PUSH EAX
2015B582 8B4424 0C MOV EAX,DWORD PTR SS:[ESP+C]
2015B586 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
2015B58D 896C24 0C MOV DWORD PTR SS:[ESP+C],EBP
2015B591 8D6C24 0C LEA EBP,DWORD PTR SS:[ESP+C]
2015B595 50 PUSH EAX
2015B596 C3 RETN
Scroll down and we see the beginning of something:
Code:
2015B597 55 PUSH EBP
2015B598 8BEC MOV EBP,ESP
2015B59A 6A FF PUSH -1
2015B59C 68 E80B0820 PUSH XXXX.20080BE8
2015B5A1 68 70191620 PUSH XXXX.20161970
2015B5A6 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
2015B5AC 50 PUSH EAX
2015B5AD 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
2015B5B4 83EC 58 SUB ESP,58
2015B5B7 53 PUSH EBX
2015B5B8 56 PUSH ESI
2015B5B9 57 PUSH EDI
2015B5BA 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
2015B5BD FF15 24F21720 CALL NEAR DWORD PTR DS:[2017F224]; kernel32.GetVersion
2015B5C3 33D2 XOR EDX,EDX
2015B5C5 8AD4 MOV DL,AH
2015B5C7 8915 7C9D1720 MOV DWORD PTR DS:[20179D7C],EDX
2015B5CD 8BC8 MOV ECX,EAX
2015B5CF 81E1 FF000000 AND ECX,0FF
2015B5D5 890D 789D1720 MOV DWORD PTR DS:[20179D78],ECX
2015B5DB C1E1 08 SHL ECX,8
2015B5DE 03CA ADD ECX,EDX
2015B5E0 890D 749D1720 MOV DWORD PTR DS:[20179D74],ECX
2015B5E6 C1E8 10 SHR EAX,10
-So this is around where you are as well.
-I set a hardware BP on 2015B597 and then restarted the program. I ran until we reached it. I then dumped and fixed the imports using this as my OEP.
- Running the program brings about an immediate ExitProcess; however, if you look at the call stack in Olly you can trace it back to the same code you posted:
Code:
200827F8 51 PUSH ECX
200827F9 83EC 18 SUB ESP,18
200827FC 53 PUSH EBX
200827FD 56 PUSH ESI
200827FE 57 PUSH EDI
200827FF 8965 F0 MOV DWORD PTR SS:[EBP-10],ESP
20082802 8365 EC 00 AND DWORD PTR SS:[EBP-14],0
20082806 8365 FC 00 AND DWORD PTR SS:[EBP-4],0
2008280A FF75 08 PUSH DWORD PTR SS:[EBP+8]
2008280D FF75 10 PUSH DWORD PTR SS:[EBP+10]
20082810 E8 2B820000 CALL XXXX.2008AA40 ****SETS UP BROWSER WINDOW, CHECKS LICENSE ETC***
20082815 59 POP ECX
20082816 59 POP ECX
20082817 8945 D8 MOV DWORD PTR SS:[EBP-28],EAX
2008281A 837D D8 00 CMP DWORD PTR SS:[EBP-28],0
2008281E 74 49 JE SHORT XXXX.20082869 ***IF BROWSER, LICENSE ETC IS OKAY THEN CONTINUE ELSE ExitProcess***
20082820 813D C0900720 54>CMP DWORD PTR DS:[200790C0],416E6454
2008282A 75 2F JNZ SHORT XXXX.2008285B
2008282C 6A 00 PUSH 0 ***CONTINUE EXECUTION***
2008282E FF15 CCF11720 CALL NEAR DWORD PTR DS:[2017F1CC] ; kernel32.GetModuleHandleA
20082834 8B0D CC900720 MOV ECX,DWORD PTR DS:[200790CC]
2008283A 03C8 ADD ECX,EAX
2008283C 890D E8680120 MOV DWORD PTR DS:[200168E8],ECX ***MOVES OUR OEP INTO 200168E0***
20082842 8B25 E0680120 MOV ESP,DWORD PTR DS:[200168E0]
20082848 A1 E4680120 MOV EAX,DWORD PTR DS:[200168E4]
2008284D 64:A3 00000000 MOV DWORD PTR FS:[0],EAX
20082853 66:61 POPAW
20082855 -FF25 E8680120 JMP NEAR DWORD PTR DS:[200168E8] ;***WILL JUMP TO OUR OEP***
2008285B 6A 00 PUSH 0
2008285D 68 486A0120 PUSH XXXX.20016A48 ; ASCII "Everything OK!"
20082862 E8 F78C0000 CALL XXXX.2008B55E
20082867 59 POP ECX
20082868 59 POP ECX
20082869 EB 6E JMP SHORT XXXX.200828D9
2008286B 8365 EC 00 AND DWORD PTR SS:[EBP-14],0
2008286F B8 D9280820 MOV EAX,XXXX.200828D9
20082874 C3 RETN
- This jump here:
Code:
20082855 -FF25 E8680120 JMP NEAR DWORD PTR DS:[200168E8] ;***WILL JUMP TO OUR OEP***
will jump to the OEP we found with PEID
-Basically it seems that the program goes into CALL XXXX.2008AA40.
-This call sets up the browser etc., and sets stuff up depending on whether you choose "Continue Trial" or just close the browser box. If you continue the trial, the rest of the program is initialized. Otherwise nothing is initialized. My trial has run out, so I have to close the window.
-I tried reversing this jump in my dumped file:
Code:
2008281E 74 49 JE SHORT XXXX.20082869 ***REVERSED THIS JUMP SO IT WOULD ALWAYS CONTINUE***
20082820 813D C0900720 54>CMP DWORD PTR DS:[200790C0],416E6454
2008282A 75 2F JNZ SHORT XXXX.2008285B
- HOWEVER, You get this error when running:
"Unable to load Movie Playlist. Does the INI file exist? It must contain a section [Movies] with an entry..."
- So I tried on my real executable. I cannot run the game part, so I have to choose close on the browser window. That JE SHORT XXXX.20082869 is never reached; instead we go straight to ExitProcess. Setting a BP on ExitProcess, I found that it was called by this section of code:
Code:
200828D9 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
200828DD E8 D5810000 CALL XXXX.2008AAB7
200828E2 FF75 EC PUSH DWORD PTR SS:[EBP-14]
200828E5 FF15 28F11720 CALL NEAR DWORD PTR DS:[2017F128] ; kernel32.ExitProcess
200828EB 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
200828EE 64:890D 00000000 MOV DWORD PTR FS:[0],ECX
200828F5 5F POP EDI
200828F6 5E POP ESI
200828F7 5B POP EBX
200828F8 C9 LEAVE
-So I set a HW BP on the beginning of that little section. When I broke, I tried changing my origin to:
Code:
2008282C 6A 00 PUSH 0 ***CONTINUE EXECUTION***
2008282E FF15 CCF11720 CALL NEAR DWORD PTR DS:[2017F1CC] ; kernel32.GetModuleHandleA
20082834 8B0D CC900720 MOV ECX,DWORD PTR DS:[200790CC]
2008283A 03C8 ADD ECX,EAX
2008283C 890D E8680120 MOV DWORD PTR DS:[200168E8],ECX
20082842 8B25 E0680120 MOV ESP,DWORD PTR DS:[200168E0]
20082848 A1 E4680120 MOV EAX,DWORD PTR DS:[200168E4]
2008284D 64:A3 00000000 MOV DWORD PTR FS:[0],EAX
20082853 66:61 POPAW
20082855 FF25 E8680120 JMP NEAR DWORD PTR DS:[200168E8] ; XXXX.2015B597
-This brought about the same error I received when running the dumped file. So somewhere in that program it is determined whether we chose continue trial or just closed the window, and depending on what we pick it will initialize the rest of the program. At least that is what happens in my target, ActiveMark version 5.31.1140.
-So at this point I am stuck, but at least I know that I am in the right area.