
looking for program


book
November 19th, 2005, 02:29
I am trying to crack a program but have got a little stuck. It's a packed executable, and I have managed to trace through the code to the original entry point. So now I just need to dump this and create a new executable. How do I do this? I have tried to create my own executable file from the memory I dumped, but it always tells me my file is not a valid executable. So I must have done something wrong.

My question is this: Where can I find a program that will tell me what is wrong with my re-created file? I mean, tell me what doesn't add up properly in the header.

LLXX
November 19th, 2005, 03:26
Use LordPE to dump and then apply "rebuild PE" option...
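
The header check the original poster asked for, together with the section-table rewrite that a "rebuild PE" step performs on a memory dump, as an added Python example. This is not code from the thread or from LordPE; the names check_pe, realign_for_dump and build_image are mine, the constructed image from build_image() stands in for the poster's dump, and the checks are a subset of what the Windows loader enforces, chosen because they are the fields most often wrong in a hand-rebuilt header.

```python
# Added example, not code from the thread or from LordPE: a PE header checker
# for a hand-rebuilt dump, plus the section-table rewrite a "rebuild PE" step
# does. build_image() is a constructed stand-in, not the thread's target.
import struct

DOS_MAGIC, NT_SIGNATURE = 0x5A4D, 0x00004550          # 'MZ', 'PE\0\0'
FILE_HDR = struct.Struct("<HHIIIHH")                  # IMAGE_FILE_HEADER
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")           # IMAGE_SECTION_HEADER, 40 bytes

def align_up(value, alignment):
    return (value + alignment - 1) & ~(alignment - 1)

def parse_headers(data):
    """Return (optional header offset, section table offset, section count)."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != DOS_MAGIC:
        raise ValueError("no 'MZ' DOS signature at offset 0")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 + FILE_HDR.size > len(data):
        raise ValueError(f"e_lfanew {e_lfanew:#x} points past end of file")
    if struct.unpack_from("<I", data, e_lfanew)[0] != NT_SIGNATURE:
        raise ValueError(f"no 'PE\\0\\0' signature at e_lfanew {e_lfanew:#x}")
    hdr = FILE_HDR.unpack_from(data, e_lfanew + 4)
    nsections, opt_size = hdr[1], hdr[5]              # NumberOfSections, SizeOfOptionalHeader
    opt_off = e_lfanew + 4 + FILE_HDR.size
    sect_off = opt_off + opt_size
    if sect_off + nsections * SECTION_HDR.size > len(data):
        raise ValueError("section table runs past end of file")
    return opt_off, sect_off, nsections

def check_pe(data, dumped_from_memory=False):
    """Return header inconsistencies found; [] means self-consistent headers."""
    try:
        opt_off, sect_off, nsections = parse_headers(data)
    except ValueError as err:
        return [str(err)]
    problems = []
    if struct.unpack_from("<H", data, opt_off)[0] not in (0x10B, 0x20B):
        problems.append("optional header Magic is neither PE32 nor PE32+")
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]             # AddressOfEntryPoint
    sect_align, file_align = struct.unpack_from("<II", data, opt_off + 32)
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt_off + 56)
    if file_align & (file_align - 1) or not 0x200 <= file_align <= 0x10000:
        problems.append(f"FileAlignment {file_align:#x}: not a power of two in 0x200..0x10000")
    if sect_align & (sect_align - 1) or sect_align < file_align:
        problems.append(f"SectionAlignment {sect_align:#x}: not a power of two >= FileAlignment")
    file_align, sect_align = max(file_align, 1), max(sect_align, 1)   # no modulo by zero below
    if size_of_headers % file_align:
        problems.append(f"SizeOfHeaders {size_of_headers:#x}: not rounded to FileAlignment")
    entry_mapped, expected_va = False, align_up(size_of_headers, sect_align)
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = SECTION_HDR.unpack_from(data, sect_off + i * 40)[:5]
        name = name.rstrip(b"\0").decode("ascii", "replace")
        if va != expected_va:
            problems.append(f"{name}: VirtualAddress {va:#x}, expected {expected_va:#x} (sections must be contiguous)")
        if rawptr % file_align or rawsize % file_align:
            problems.append(f"{name}: raw offset/size not rounded to FileAlignment")
        if rawptr + rawsize > len(data):
            problems.append(f"{name}: raw data ends at {rawptr + rawsize:#x}, past EOF at {len(data):#x}")
        if dumped_from_memory and rawsize and rawptr != va:
            problems.append(f"{name}: PointerToRawData {rawptr:#x} != VirtualAddress {va:#x} (a dump needs raw == virtual)")
        entry_mapped |= va <= entry < va + max(vsize, rawsize)
        expected_va = align_up(va + max(vsize, rawsize), sect_align)
    if not entry_mapped:
        problems.append(f"AddressOfEntryPoint {entry:#x} lies in no section")
    if size_of_image != expected_va:
        problems.append(f"SizeOfImage {size_of_image:#x}, expected {expected_va:#x}")
    return problems

def realign_for_dump(data):
    """Make a raw memory image loadable: FileAlignment := SectionAlignment,
    each section's file offset := its RVA, image padded to SizeOfImage."""
    out = bytearray(data)
    opt_off, sect_off, nsections = parse_headers(data)
    sect_align = struct.unpack_from("<I", data, opt_off + 32)[0]
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt_off + 56)
    struct.pack_into("<I", out, opt_off + 36, sect_align)                       # FileAlignment
    struct.pack_into("<I", out, opt_off + 60, align_up(size_of_headers, sect_align))
    for i in range(nsections):
        fields = list(SECTION_HDR.unpack_from(data, sect_off + i * 40))
        fields[3] = align_up(max(fields[1], fields[3]), sect_align)   # SizeOfRawData
        fields[4] = fields[2]                                         # PointerToRawData = RVA
        SECTION_HDR.pack_into(out, sect_off + i * 40, *fields)
    out.extend(bytes(max(0, size_of_image - len(out))))               # pad a truncated dump
    return bytes(out)

def build_image():
    """Constructed 12 KiB raw image: headers page, .text at RVA 0x1000, .data at
    RVA 0x2000, but the section table still carries the on-disk layout
    (FileAlignment 0x200, raw offsets 0x400/0x600), as a plain memory dump would."""
    dos = struct.pack("<H", DOS_MAGIC).ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    file_hdr = FILE_HDR.pack(0x14C, 2, 0, 0, 0, 0xE0, 0x0102)       # i386, 2 sections, EXE
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32
    struct.pack_into("<I", opt, 16, 0x1000)                         # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)      # ImageBase, Section/FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x400)                 # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                              # Subsystem: GUI
    struct.pack_into("<I", opt, 92, 16)                             # NumberOfRvaAndSizes
    text = SECTION_HDR.pack(b".text", 0x100, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    data = SECTION_HDR.pack(b".data", 0x100, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040)
    headers = (dos + b"PE\0\0" + file_hdr + bytes(opt) + text + data).ljust(0x1000, b"\0")
    return headers + (b"\xC3" * 0x100).ljust(0x1000, b"\0") + bytes(0x1000)
```

Run check_pe on the dump with dumped_from_memory=True: a plain memory dump keeps the on-disk raw offsets, so its sections are reported as "raw != virtual", which is exactly what realign_for_dump (and a dumper's rebuild step) fixes. An empty list only says the headers are self-consistent; a missing export in an imported DLL, like the fmod.dll error mentioned later in the thread, is an import-resolution problem that no header check will show.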

book
November 19th, 2005, 06:11
The program I am debugging doesn't seem to show up in the list of processes in LordPE.

naides
November 19th, 2005, 08:35
book:

Questions: What debugger are you using, and how did you dump the process memory contents?
It is curious that LordPE does not list the process. Can you find it in the Windows Task Manager, or in Process Explorer (SysInternals)?

Can you debug the program with OllyDbg? Could you use one of its dumping plug-ins?

Without having much info about your program and your situation, I think the problem boils down to deep knowledge of the foundations of the PE structure, so that you can manually rebuild the exe file and would not have to rely on automatic rebuilders (LordPE), which work well in most cases except the one they don't, which, by Murphy's law, is the one you need!

book
November 19th, 2005, 22:08
OK, OK, for some unknown reason I can now see the process in the list for LordPE today - I am SURE it wasn't there yesterday. But still, dumping the file and applying "rebuild PE" doesn't work - it causes an error: "The procedure entry point could not be located in the dynamic link library fmod.dll". Which leads me back to rebuilding the file manually, which I still can't do because I always make a mistake in the header. Btw, I am using OllyDbg, and haven't had any success with the dump plugin - the result always comes up with an error: "failed to initialize properly (0xc0000005)....."

SiGiNT
November 20th, 2005, 01:34
Use Google to find a replacement plug-in - a lot of useful Olly stuff can be found at http://tuts4you.com.

Good luck.

SiGiNT

book
November 20th, 2005, 02:14
Thanks for the help SiGiNT, naides and LLXX. I went to tuts4you and found an updated dump plugin, which worked and revealed more protection code, so it's back to work for me.

naides
November 20th, 2005, 09:21
One concept to explore is "anti-dump protection". Somehow I smell that this may be what is at work here. The packer may sabotage the structure of the PE in memory so the dumped file does not work.
I have not seen many tuts on this trick, but some books on reversing, available in the 'wilderness' as e-books, mention some illustrative examples.