Problem after removing HASP envelope
nasty
July 24th, 2005, 18:54
Hi to all,
I have a problem.
I have removed a HASP envelope from an app.
Everything works fine, but if I try to examine it with some PE software (like PE Explorer) I get a warning like: "Import section follows the Resource section".
Why this problem?
I have tried many rebuild tools but without any result.
Can anyone help with this?
Please let me know.
See you soon.
NaSTy
orchid88
July 25th, 2005, 09:10
There is nothing wrong with the Import section following the Resource section. Normal PE files always have the resource section following the import section. You must have used something like Import REConstructor (ImpREC) to fix the app's import table after you unpacked the app. So ImpREC added a new section to rebuild the import table, and the new import section had to be placed behind the resource section. So you can ignore the warning.
nasty
July 25th, 2005, 12:25
Hi,
thanks Orchid88 for your reply.
And this is the problem:
I have NOT used any import rebuilder (like ImpREC) after I removed the envelope!
I mention this problem because if I try to use any compressor (like Armadillo, Xtreme Protector, ...) after removing the envelope, the .exe crashes!!
I think that any compressor rewrites the sections (after the packing process), and because originally these sections are BAD, for this reason the app crashes.
What do you think about it? How can I resolve this?
THX
NaSTy
Polaris
July 25th, 2005, 12:54
Let me see if I understood: you are saying that, after removing the HASP envelope and NOT fixing the import table, you are trying to re-pack the executable and the resulting exe crashes.
Silly question, did you try the dumped exe BEFORE re-packing it? Are you sure that the imports are correct? I do not know HASP's details, but import protection is fairly standard stuff in today's protections.
Also, maybe posting/uploading a sample file could help...
nasty
July 25th, 2005, 17:39
Hi Polaris,
yes, it is strange.
I removed the HASP shell from this app in this way:
find the OEP, stop at the OEP, then dump.
After that, the dump works! Without ImpREC.
If I try to run ImpREC on the dump taken at the OEP, the app crashes (but I think it has good sections).
This is the problem: the dump at the OEP works, whereas the dump at the OEP followed by ImpREC crashes.
So, having only the dump, if I try to repack it with any packer, I get a resulting app that crashes.
What do you think about it?
THX
NaSTy
nikolatesla20
July 25th, 2005, 20:20
It works because the import table of your dumped app is filled in with the correct API addresses. This is usually going to be the case with a dumped app. It will usually work fine, but on your system only. If you took the same app to a different computer it would crash. Why? Because now the import table contains addresses of actual DLL functions, instead of addresses of Import Table Descriptors (which are what you would find in a normal PE file).
If you study up on import tables and the PE file format you'll see what I mean. At runtime the Windows loader overwrites the Import Descriptor address (the Import Descriptor points to a DLL name and a function name to import from that DLL); it gets overwritten by the actual address of that function in memory, once the DLL is loaded into the app's address space. These addresses are called first thunks.
Then, when you dump the app from memory, the first thunks are already correct, so the program works fine. But on another computer, which may have different versions of DLLs, the functions in the DLL have different addresses, and the dumped program, which now contains NO DLL names or function names (at least they are no longer referred to correctly), will crash.
Packers of course need to utilize this First Thunk table to know which routines to pack and how to protect the imports. Since the table doesn't exist (all you have is DLL addresses now, not DLL names and imported function names), they can't do their job.
You shouldn't run ImpREC on the dumped program. Run ImpREC on the still protected program, but give it the correct OEP. It will then find the APIs needed and build a table. Then you have it paste this table onto your unpacked dumped exe. (I always use "add new section", etc.)
-nt20
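As an added illustration of what nikolatesla20 describes above (example code written for this page, not from the thread or from any tool named in it): a small Python walk over a flat PE import directory that tells, slot by slot, whether a FirstThunk entry still points at an import name the loader has yet to resolve, or already holds an absolute address the loader wrote in, which is the tell-tale of an image that was dumped from memory and will only run where it was dumped. The image layout, DLL names and addresses in build_sample are constructed for the demonstration; the parser assumes a 32-bit image laid out so that RVA equals offset, as a raw dump is.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000  # high bit set: import by ordinal, not by name

def _cstr(img: bytes, off: int) -> str:
    return img[off:img.index(b"\0", off)].decode("ascii")

def _looks_like_name_entry(img: bytes, rva: int) -> bool:
    """True if rva points inside the image at a plausible IMAGE_IMPORT_BY_NAME
    (2-byte hint, then a printable NUL-terminated function name)."""
    if rva + 3 >= len(img):
        return False  # an absolute address, not an RVA into this image
    end = img.find(b"\0", rva + 2)
    return end > rva + 2 and all(0x20 < b < 0x7F for b in img[rva + 2:end])

def classify_imports(img: bytes, import_dir_rva: int) -> dict:
    """Walk the IMAGE_IMPORT_DESCRIPTOR array of a flat image (RVA == offset, as in
    a raw memory dump) and label each FirstThunk slot 'name' (RVA of an
    IMAGE_IMPORT_BY_NAME the loader still has to resolve), 'ordinal', or 'resolved'
    (an address the loader already wrote in: dump residue). 32-bit user-mode API
    addresses lie below 0x80000000, so the ordinal test does not misfire on them."""
    report, off = {}, import_dir_rva
    while True:
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<5I", img, off)
        if name_rva == 0 and ft == 0:
            break  # all-zero descriptor terminates the array
        slots = []
        while (val := struct.unpack_from("<I", img, ft)[0]) != 0:
            if val & IMAGE_ORDINAL_FLAG32:
                slots.append(("ordinal", val & 0xFFFF))
            elif _looks_like_name_entry(img, val):
                slots.append(("name", _cstr(img, val + 2)))
            else:
                slots.append(("resolved", val))
            ft += 4
        # a non-zero OriginalFirstThunk means an untouched ILT survives: names recoverable
        report[_cstr(img, name_rva)] = {"has_ilt": oft != 0, "slots": slots}
        off += 20
    return report

def build_sample() -> bytes:
    """Constructed 256-byte image: KERNEL32 thunks still name their imports
    (normal file); USER32 thunks hold made-up addresses (post-dump state)."""
    img = bytearray(0x100)
    def put(off, data): img[off:off + len(data)] = data
    put(0x40, b"KERNEL32.dll\0");    put(0x50, b"USER32.dll\0")
    put(0x60, b"\0\0ExitProcess\0"); put(0x70, b"\0\0GetProcAddress\0")
    put(0xA0, struct.pack("<3I", 0x60, 0x70, 0))              # name RVAs, 0-terminated
    put(0xB0, struct.pack("<3I", 0x7E4507EA, 0x7E45058A, 0))  # constructed VAs
    put(0x00, struct.pack("<5I", 0, 0, 0, 0x40, 0xA0))        # descriptor: KERNEL32
    put(0x14, struct.pack("<5I", 0, 0, 0, 0x50, 0xB0))        # descriptor: USER32
    return bytes(img)  # bytes 0x28..0x3B stay zero: the terminating descriptor
```

Running classify_imports(build_sample(), 0) labels both KERNEL32 slots 'name' and both USER32 slots 'resolved', with no ILT to fall back on for either; a report where every slot is 'resolved' and no has_ilt is set is exactly the dump-only state that runs on one machine and crashes elsewhere.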
nasty
July 27th, 2005, 16:51
Hi Niko,
sorry for the late reply, but I had some internet problems.
However, before I posted this thread I tried many ways to resolve it, but nothing!
For this reason I started this new thread.
However, it's not my first unpack; I have done other unpacks successfully (all imports, sections, ...) but in this case I have a problem.
Anyway, I found the OEP "manually" and then dumped; after that I ran the ORIGINAL exe and then ImpREC.
So I gave ImpREC the OEP I had just found, then IAT AutoSearch and Get Imports.
I then had 2 invalid imports.
So I tried 2 ways:
1) fixing the dump directly without correcting the 2 imports;
2) fixing the dump after correcting the 2 import entries (disassembling and finding the right entry).
NOTHING: both resulting fixed dumps crash.
... and after these I tried other different techniques.
See you soon
NaSTy
s0cpy
July 29th, 2005, 03:17
Hi, Nasty. Two unresolved imports: "ExitProcess" and "GetProcAddress". Stop your program on the OEP, run ImpREC, give the OEP to ImpREC -> IAT AutoSearch and Get Imports. Then push "Show Invalid", highlight one of the unresolved functions, click the right mouse button and choose "Disassemble/HexView". If you see "push `some address`" it is "GetProcAddress", and if you see `xchg esi,ebx` it is "ExitProcess". This trick works only on HASP Envelope versions up to v.11...
Sorry about my poor English.
nasty
July 29th, 2005, 04:47
Hi s0cpy,
thanks for your reply.
As I said in my previous message, I already tried the method you explain,
where I talk about the 2 ways:
"2) fixing the dump after correcting the 2 import entries (disassembling and finding the right entry)"
Where I say "disassembling and finding the right entry", it is, in other words, the method that you explain, where you say: "Disassemble/HexView". If you see "push `some address`" it is "GetProcAddress", and if you see `xchg esi,ebx` it is "ExitProcess".
In conclusion, I already tried this manual correction of the entries of the invalid (or unresolved) functions, without any result.
THX
NaSTy
saber
March 3rd, 2006, 23:16
Hi s0cpy,
I have come a long way trying to crack my HASP software. I have found the OEP, and I have also found the three unresolved addresses; two are the same address, so it must be GetProcAddress, and the other must be ExitProcess. But I don't know what to do next?? I am new to unpacking. Please guide me through these final steps.
Thank you for all the help.
Quote:
[Originally Posted by s0cpy] Hi, Nasty. Two unresolved imports: "ExitProcess" and "GetProcAddress". Stop your program on the OEP, run ImpREC, give the OEP to ImpREC -> IAT AutoSearch and Get Imports. Then push "Show Invalid", highlight one of the unresolved functions, click the right mouse button and choose "Disassemble/HexView". If you see "push `some address`" it is "GetProcAddress", and if you see `xchg esi,ebx` it is "ExitProcess". This trick works only on HASP Envelope versions up to v.11...
Sorry about my poor English.