nick_name
April 25th, 2005, 03:51
armadillo app settings
===================================================
Project setting: msgbox
Protection options: standard protection only
no import table elimination
no strategic code splicing
no memory patching protection
SoftICE detection: standard SoftICE detection
Interception options: intercept selected DLL
===================================================
Now, I loaded it with Olly and put a breakpoint on
Memory map, item 16
Address=00401000 ** F2 = break on access
Size=00001000 (4096.)
Owner=msgbox 00400000
Section=CODE
Type=Imag 01001002
Access=R
Initial access=RWE
The program broke accordingly and showed me the following neat code:
00401000 > 6A 00 PUSH 0
00401002 6A 00 PUSH 0
00401004 68 00204000 PUSH msgbox.00402000 ; ASCII "Hello"
00401009 6A 00 PUSH 0
0040100B E8 0D000000 CALL msgbox.0040101D
00401010 6A 00 PUSH 0
00401012 E8 00000000 CALL msgbox.00401017
00401017 - FF25 4C304000 JMP DWORD PTR DS:[40304C] **
0040101D - FF25 54304000 JMP DWORD PTR DS:[403054] **
From the last 2 jumps I found the IMPORTS:
kernel32->ExitProcess[304C]
user32->MessageBoxA[3054]
Now the problems are twofold:
1. I can't dump the process with LordPE when it breaks on 401000.
2. I used the dumper of PEditor by yoda; it dumps the file, but if I try to fix it with ImpRec,
ImpRec says it can't add any more sections.
3. I even tried with Olly plugins:
OllyDbg PE Dump by FKMA (v3.01)
OllyDump by gigapede (v3.00.110)
So, guys, could anyone tell me where I'm going wrong?
Is there any trick that I must play with Olly?
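The two FF 25 thunks in the listing are how the poster recovers the imports by hand. As an added example (not code from the original post or from any of the tools named in it), the Python script below does the same step over the raw code bytes: it scans for FF 25 / FF 15 indirect jumps and calls, pulls out the absolute IAT slot each one reads, resolves the E8 calls to those thunks, and proposes the smallest IAT RVA/size covering the referenced slots, which is the kind of value you would then type into ImpRec. The bytes are constructed from the disassembly in the post, the image base 00400000 is taken from the Memory map line, the slot-to-name table is the poster's own identification, and the helper names are assumptions of this example. A linear byte scan can also match these opcode patterns inside data or inside another instruction's immediate, so treat the output as candidates to confirm in the debugger, not as a finished import table.

```python
import struct

IMAGE_BASE = 0x00400000      # from the Memory map entry "Owner=msgbox 00400000"
CODE_VA = 0x00401000         # start of the CODE section that triggered the break-on-access

# Constructed from the listing in the post: the 35 bytes at 00401000..00401022.
CODE = bytes.fromhex(
    "6A00"          # 00401000  PUSH 0
    "6A00"          # 00401002  PUSH 0
    "6800204000"    # 00401004  PUSH msgbox.00402000 ; "Hello"
    "6A00"          # 00401009  PUSH 0
    "E80D000000"    # 0040100B  CALL 0040101D
    "6A00"          # 00401010  PUSH 0
    "E800000000"    # 00401012  CALL 00401017
    "FF254C304000"  # 00401017  JMP DWORD PTR [40304C]
    "FF2554304000"  # 0040101D  JMP DWORD PTR [403054]
)

# Slot names as identified in the post (assumed correct here; not derived by this script).
KNOWN_SLOTS = {
    0x0040304C: "kernel32.ExitProcess",
    0x00403054: "user32.MessageBoxA",
}


def find_iat_thunks(code, va):
    """Return {thunk_va: slot_va} for every FF 25 (jmp [abs32]) / FF 15 (call [abs32]).

    Linear scan: it can produce false positives inside data or immediates.
    """
    thunks = {}
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0xFF and code[i + 1] in (0x25, 0x15):
            slot = struct.unpack_from("<I", code, i + 2)[0]
            thunks[va + i] = slot
            i += 6
        else:
            i += 1
    return thunks


def resolve_calls(code, va, thunks):
    """Map each E8 rel32 call that lands on a known thunk to the IAT slot that thunk reads."""
    calls = []
    for i in range(len(code) - 4):
        if code[i] == 0xE8:
            rel = struct.unpack_from("<i", code, i + 1)[0]
            target = va + i + 5 + rel      # rel32 is relative to the next instruction
            if target in thunks:
                calls.append((va + i, target, thunks[target]))
    return calls


def guess_iat_bounds(thunks):
    """Lowest referenced slot and span covering all of them, as (RVA, size) for ImpRec.

    This is a lower bound only: the real IAT usually has more entries than the
    code you have looked at references.
    """
    slots = sorted(set(thunks.values()))
    if not slots:
        return None
    lo, hi = slots[0], slots[-1] + 4
    return lo - IMAGE_BASE, hi - lo


if __name__ == "__main__":
    thunks = find_iat_thunks(CODE, CODE_VA)
    for t, s in sorted(thunks.items()):
        name = KNOWN_SLOTS.get(s, "?")
        print(f"thunk {t:08X} -> IAT slot {s:08X} (RVA {s - IMAGE_BASE:04X}) {name}")
    for site, t, s in resolve_calls(CODE, CODE_VA, thunks):
        print(f"call at {site:08X} -> thunk {t:08X} -> slot {s:08X}")
    rva, size = guess_iat_bounds(thunks)
    print(f"OEP RVA {CODE_VA - IMAGE_BASE:04X}, IAT RVA {rva:04X}, size {size:X} (minimum; extend in the debugger)")
```

Run it against a larger dump by replacing CODE with the bytes of the whole code section and CODE_VA with that section's start; the IAT guess then widens to cover every slot the section references.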