Self Modifiable Codes


{Guess7Who}
06-09-2010, 10:25 AM
Hello Experts,
I am stuck with a problem during seed hunting on a flexlm target daemon 11.3. When I load it in IDA, it shows that code section 4000000 to 4001000 is hidden. The IAT is at a non-standard location. While manually loading all segments and putting breakpoints at the right places, it never breaks and exits.
In Olly it is the same thing; also, the breakpoints get corrupted and change from CC to either C7 or 83 or FF. So is it a type of self-modifiable code? And how do I deal with the daemon to get correct seed recovery?

***********************************************
Hi Guys,
Nobody interested? Perhaps all the experts are on vacation, busy enjoying beach resorts.
Anyway, I tried digging inside the code, and after a lot of stepping, I found that the flexlm checking is called after the SYSENTER command and then it gives up. So nowhere does it go through the standard procedure of l_sg and all. So what kind of daemon is it? What is going on? Can somebody help?

***********************************************
OK. It seems some form of packing is involved in it. There is a little information on the net regarding this: to dump it after setting the correct OIP and then analyze the dumped file. But is that correct for all types of packers? I don't know which one is mine. Also, please help me: how do I set the correct OIP?