GoldSprinter

Type : Game - http://www.alawar.com
Protection : ASProtect
Tech : Dumping + IAT Fix
Crack : Sometimes unexpected things happen. Verifying the IAT of this program
with ImpRec shows that 2 thunks have invalid pointers. Trace Level 1-2-3 fixes
some of them, but a few invalid pointers remain.
These invalid pointers are nothing but ASProtect CALLs, which in turn CALL the
corresponding APIs. Just fooling us.
I have seen that if we just step inside any EMULATED API call routine by
pressing F8 ... it helps ImpRec to build the IAT. It happened while unpacking
this program.
So just trace through the CALL at 00439376 until you enter any API in a
system DLL.
Now use ImpRec: we can see all APIs get validated. Why is it behaving
like this ????
Is it like giving a hint to ImpRec ????
Finding OEP
IceDump can be used to find the OEP: /tracex 400000 eip-8. But here it can be
found easily. In SoftICE, BPX GETVERSION, then run the packed program. When we
break, look up in the code window to see the real entry point ...
015F:004392AD 55 PUSH EBP --->>> OEP
015F:004392AE 8BEC MOV EBP,ESP
015F:004392B0 6AFF PUSH FF
015F:004392B2 6878354500 PUSH 00453578
015F:004392B7 68587B4300 PUSH 00437B58
015F:004392BC 64A100000000 MOV EAX,FS:[00000000]
015F:004392C2 50 PUSH EAX
015F:004392C3 64892500000000 MOV FS:[00000000],ESP
015F:004392CA 83EC58 SUB ESP,58
015F:004392CD 53 PUSH EBX
015F:004392CE 56 PUSH ESI
015F:004392CF 57 PUSH EDI
Dumping can be done even after the first API call ... it will still work. Use
the JMP EIP = EB FE trick to dump the file: write EB FE at the OEP so the
process spins there, then dump. Afterwards use WinHex to restore the original
two bytes (55 8B, the start of PUSH EBP / MOV EBP,ESP above) in the dump.
Now use PEditor and change the EP to 392AD.
Use WinHex
RAM Editor -- open the primary memory of the program. Note the address of the
GetVersion thunk and go to that address ... we can see the IAT:
IAT : 00453000 -- 0045323F --> size 240 --- a packed run of addresses
Use ImpRec
OEP = 392AD
RVA = 53000
SIZE = 240
Click "Get Imports", then "Auto Trace", then "Fix Dump".
Run the fixed program ... we get a page fault at : 017FC784
----------------------------------------------------------------------
Trace from the beginning ...
015F:00439375 50 PUSH EAX
015F:00439376 E87589FEFF CALL 00421CF0 -- >>
015F:0043937B 8945A0 MOV [EBP-60],EAX
015F:0043937E 50 PUSH EAX
Inside CALL 00421CF0 :
015F:00421CF0 8B442404 MOV EAX,[ESP+04]
015F:00421CF4 83EC1C SUB ESP,1C
015F:00421CF7 A370DB4700 MOV [0047DB70],EAX
015F:00421CFC FF1530654600 CALL [00466530] --- page fault here: the nag window call
015F:00421D02 A14C144800 MOV EAX,[0048144C]
015F:00421D07 85C0 TEST EAX,EAX
015F:00421D09 0F8487000000 JZ 00421D96 --- BAD BOY
015F:00421D0F 8B4C242C MOV ECX,[ESP+2C]
015F:00421D13 51 PUSH ECX
015F:00421D14 E887000000 CALL 00421DA0
015F:00421D19 83C404 ADD ESP,04
015F:00421D1C 85C0 TEST EAX,EAX
015F:00421D1E 7576 JNZ 00421D96
015F:00421D20 53 PUSH EBX
015F:00421D21 8B1DF0314500 MOV EBX,[USER32!TranslateMessage]
015F:00421D27 55 PUSH EBP
Compare with
the packed program: there we see ... CALL 00421C80 ---> nag window.
So [00466530] should hold 00421C80.
Open the dumped file with WinHex and go to offset : 66530
We can see : 84 C7 7F 01 = 017FC784 (little-endian) --- the page fault address
Change this to : 80 1C 42 00 = 00421C80
Now our dumped file runs ..... The IAT rebuilding trick still remains a mystery
to me: how did ImpRec find out the correct APIs? Maybe I used a TRACE level
and then restarted the program. Maybe stepping inside one of the APIs gave
it some hint ... anyway, it works.
Now here
is an API CALL in ASProtect :
015F:00421CF7 A370DB4700 MOV [0047DB70],EAX
015F:00421CFC FF1530654600 CALL [00466530] ---> JMP TO 017FC784
015F:017FC784 833DA835800100 CMP DWORD PTR [018035A8],00
015F:017FC78B 7406 JZ 017FC793
015F:017FC78D FF15A8358001 CALL [018035A8] ---> JMP TO 00421C80
015F:017FC793 C3 RET
015F:00421C80 A144144800 MOV EAX,[00481444]
015F:00421C85 50 PUSH EAX
015F:00421C86 FF1580304500 CALL [00453080] --> JMP TO 01812E90
015F:01812E90 E9B1317BBE JMP BFFC6046 (JUMP)
015F:BFFC6046 E92D13FBFF JMP KERNEL32!lstrcat
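The repair steps above, as an added Python example that is not part of the original tutorial: it classifies thunk slots the way ImpRec's invalid-pointer check does, sees through the ASProtect CMP/JZ/CALL/RET stub at 017FC784 to recover the real target in its slot, and then patches the dump (the slot at offset 66530 and the EB FE parked at the OEP) with a verify-before-write check. The memory image and the dump are constructed from the listings on this page; the KERNEL32 address range is an assumption, and the "raw offset == RVA" mapping is the one this write-up happens to have.

```python
"""Added helpers for the manual IAT repair in this write-up; all data is constructed."""
import struct

IMAGE_BASE = 0x00400000

def le32(value):
    return struct.pack("<I", value)  # 017FC784 -> 84 C7 7F 01, as seen in WinHex

# ASProtect stub at 017FC784, byte-for-byte from the listing:
#   83 3D A8 35 80 01 00  CMP DWORD PTR [018035A8],0    74 06  JZ 017FC793
#   FF 15 A8 35 80 01     CALL [018035A8]               C3     RET
STUB_BYTES = (b"\x83\x3d" + le32(0x018035A8) + b"\x00" + b"\x74\x06"
              + b"\xff\x15" + le32(0x018035A8) + b"\xc3")

# Constructed memory image keyed by base VA (only what the example needs).
MEMORY = {
    0x017FC784: STUB_BYTES,
    0x018035A8: le32(0x00421C80),    # the slot the stub calls through
    0x00453000: le32(0xBFFC6046)     # toy thunk table: a direct API pointer,
                + le32(0x017FC784)   # a slot redirected into the stub,
                + le32(0x00000000),  # and a slot ImpRec would flag as invalid
}

# Assumed KERNEL32 range for this session: consistent with the BFFCxxxx targets
# in the listing, but the page never states it.
MODULE_RANGES = {"KERNEL32": (0xBFF70000, 0xBFFFFFFF)}

def read_bytes(va, count):
    """Bytes at `va` from the constructed image, or None if that range is unmapped."""
    for base, blob in MEMORY.items():
        if base <= va and va + count <= base + len(blob):
            return blob[va - base:va - base + count]
    return None

def read_dword(va):
    raw = read_bytes(va, 4)
    return None if raw is None else struct.unpack("<I", raw)[0]

def resolve_asprotect_stub(va):
    """Match CMP DWORD PTR [slot],0 / JZ +6 / CALL [slot] / RET at `va` and return the
    API address in `slot`; None if not that stub or the slot is still zero (JZ path)."""
    code = read_bytes(va, 16)
    if code is None or code[0:2] != b"\x83\x3d" or code[6:9] != b"\x00\x74\x06" \
            or code[9:11] != b"\xff\x15" or code[15] != 0xC3:
        return None
    slot_cmp, slot_call = (struct.unpack_from("<I", code, i)[0] for i in (2, 11))
    if slot_cmp != slot_call:
        return None
    return read_dword(slot_cmp) or None

def audit_thunks(iat_va, size):
    """Classify each thunk slot as ImpRec's invalid-pointer check would, seeing
    through ASProtect stubs. Returns (thunk_va, stored, resolved_or_None) per slot."""
    report = []
    for off in range(0, size, 4):
        stored = read_dword(iat_va + off)
        if stored is not None and any(lo <= stored <= hi for lo, hi in MODULE_RANGES.values()):
            report.append((iat_va + off, stored, stored))
        else:
            report.append((iat_va + off, stored, resolve_asprotect_stub(stored) if stored else None))
    return report

def va_to_offset(va):
    """Raw offset == RVA here, as on this page (VA 00466530 sat at file offset 66530);
    a dump whose sections are not mapped 1:1 needs the section table instead."""
    return va - IMAGE_BASE

def build_dump():
    """Constructed stand-in for the WinHex dump, EB FE still parked at the OEP."""
    dump = bytearray(0x70000)
    dump[0x392AD:0x392B0] = b"\xeb\xfe\xec"    # JMP EIP over PUSH EBP / MOV EBP,ESP
    dump[0x66530:0x66534] = le32(0x017FC784)  # the redirected slot (page-fault address)
    return dump

def patch_dword(dump, file_off, expected, new):
    """Overwrite a DWORD only if the bytes there are what we expect, so a stale dump
    or a wrong offset fails loudly instead of silently corrupting the file."""
    current = struct.unpack_from("<I", dump, file_off)[0]
    if current != expected:
        raise ValueError(f"offset {file_off:X}: found {current:08X}, expected {expected:08X}")
    struct.pack_into("<I", dump, file_off, new)
    return current

def restore_oep_bytes(dump, oep_va, original=b"\x55\x8b"):
    """Undo the EB FE (JMP EIP) used to freeze the process for dumping; the default
    original bytes are PUSH EBP / MOV EBP,ESP from the OEP listing above."""
    off = va_to_offset(oep_va)
    if dump[off:off + 2] != b"\xeb\xfe":
        raise ValueError(f"no JMP EIP at {oep_va:08X}")
    dump[off:off + 2] = original
    return bytes(dump[off:off + 3])

if __name__ == "__main__":
    for thunk_va, stored, real in audit_thunks(0x00453000, 12):
        state = "ok" if real == stored else (f"ASProtect stub -> {real:08X}" if real else "INVALID")
        print(f"{thunk_va:08X}: {stored or 0:08X}  {state}")
    dump = build_dump()
    patch_dword(dump, va_to_offset(0x00466530), 0x017FC784, 0x00421C80)
    restore_oep_bytes(dump, 0x004392AD)
```

The stub matcher insists that the CMP and the CALL reference the same slot, and returns None when the slot is still zero: that is the JZ path in the listing, where ASProtect has not yet filled the slot and there is nothing to resolve, which is exactly the state in which ImpRec reports an invalid pointer. patch_dword refuses to write unless the bytes at the offset are the expected 84 C7 7F 01, so pointing it at the wrong dump or the wrong offset raises instead of quietly corrupting the file.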