execryptor unpacking problem

Lukasz3k
New to the board
Joined: 09 Dec 2006
Posts: 13

Posted: Mon Dec 11, 2006 8:35 pm    Post subject: execryptor unpacking problem

Hi
I have a problem with one exe packed with ExeCryptor 2.2.x. The application stops at a registration window with name, hwid and serial. This is the ExeCryptor window. Is it possible to unpack this?

Best Regards

revenger
New to the board
Joined: 12 Dec 2006
Posts: 5

Posted: Tue Dec 19, 2006 8:04 am

"Hi
I have a problem with one exe packed with ExeCryptor 2.2.x. The application stops at a registration window with name, hwid and serial. This is the ExeCryptor window. Is it possible to unpack this?

Best Regards"

It is possible to unpack without a registration key, if the program was compiled with a known compiler.

haggar
Regular
Joined: 19 Mar 2005
Posts: 246

Posted: Tue Dec 19, 2006 8:07 pm

If the app just shows a registration dialog but allows some evaluation period, then you can unpack it.

If the app doesn't start without a correct key, then you have to break the keycheck, which is almost impossible. I.e., in that case you cannot unpack it.

revenger
New to the board
Joined: 12 Dec 2006
Posts: 5

Posted: Wed Dec 20, 2006 5:32 am

"If the app just shows a registration dialog but allows some evaluation period, then you can unpack it.

If the app doesn't start without a correct key, then you have to break the keycheck, which is almost impossible. I.e., in that case you cannot unpack it."

It's wrong.
If we know the application's compiler (Delphi, for example), we can unpack it without the correct key and without starting the application.

haggar
Regular
Joined: 19 Mar 2005
Posts: 246

Posted: Wed Dec 20, 2006 1:02 pm

Usually this kind of protection works in such a way that the code section is encrypted with a hash from that key. You want to say that ExeCryptor doesn't work like that? It's really hard to believe that they were that dumb. I didn't check such applications, but all protectors have that kind of DEMO protection (aspr, armadillo, pelock, acp, etc.).

Unless we are talking about a time trial that ended.

Lukasz3k
New to the board
Joined: 09 Dec 2006
Posts: 13

Posted: Wed Dec 20, 2006 11:17 pm

No time trial to run. So it must be dumb :)
I think it's possible. In Olly, when I run the app and the dialog with serial etc. appears, I go for example to 401000 and I see correct code (jmps to the IAT at the beginning, app written in Borland Delphi), also strings etc. like proper code. The problem is how to recover the full IAT and the stolen bytes at OEP :/

revenger
New to the board
Joined: 12 Dec 2006
Posts: 5

Posted: Thu Dec 21, 2006 5:56 am

Quite right.
So it's dumb.
It's a very big error by ExeCryptor's programmer.
A similar mistake is in the protector SVKP.

"The problem is how to recover the full IAT and the stolen bytes at OEP"

Delphi-compiled programs have a standard OEP.
To recover the full IAT, apply IDA and Delphi signatures.

haggar
Regular
Joined: 19 Mar 2005
Posts: 246

Posted: Thu Dec 21, 2006 10:06 pm

Check my ExeCryptor tutorials. You should be able to find all imports with my script (I tested it on every 2.x target and it worked great). You will also find how I fixed the OEP in a Delphi file.

http://www.reversing.be/search.php?query=&datestart=&dateend=&topic=0&type=all&author=63&mode=search

Lukasz3k
New to the board
Joined: 09 Dec 2006
Posts: 13

Posted: Fri Dec 22, 2006 1:59 am

Yes, I have read your tutorials and everything is going well. I recovered the OEP and tried your script for IAT recovery. It works almost well but crashes when it has recovered about 60% of the IAT. But when I try to fix only these 60% of the IAT with ImpREC and load it in Olly, the IAT is the same as before :/

haggar
Regular
Joined: 19 Mar 2005
Posts: 246

Posted: Fri Dec 22, 2006 11:19 pm

What is your target? If it's small, I could try to check why the script doesn't finish the job.

Lukasz3k
New to the board
Joined: 09 Dec 2006
Posts: 13

Posted: Tue Dec 26, 2006 7:27 pm

haggar, I sent you the app by PM (attached). It's small.

I found the call on which the script crashed, nopped that call (ff25...) and the script kept going, but only for a few seconds, and it still crashes.

OK, I unpacked and manually resolved some IAT jmps. Now I wonder how to correct the TLS info?

Lukasz3k
New to the board
Joined: 09 Dec 2006
Posts: 13

Posted: Fri Jan 05, 2007 1:24 pm

Nobody?

haggar
Regular
Joined: 19 Mar 2005
Posts: 246

Posted: Fri Jan 05, 2007 6:29 pm

I got your email. I'll check it.


EDIT

OK, I checked that app. First, the app cannot run because obdii.dll is missing. ExeCryptor is not recognized by PEiD because my sig collection has many small and false signatures, but after removing the false UPX, it gives ExeCryptor 2.1.17 version (which is not correct, but at least my sigs can still recognize the protector :) ). The OEP should be here and it has stolen code:

005156DC .-E9 9F620800 JMP mcprog48.0059B980

The script restores ALL imports, but as mentioned in the tut, you need to change the find pattern:

find addr,#ff25????5200#

The script crashes after all imports are restored because of some bug in the script while setting the EIP value. I didn't find the bug (no time now), but when the script reaches the error, dump the import section with LordPE. Then restart, find the OEP and binary paste the bytes to the import section. Here is my ImpREC tree so you can check it:

Code:
; Syntax for each function in a thunk (the separator is a TAB)
; ------------------------------------------------------------
; Flag   RVA   ModuleName   Ordinal   Name
;
; Details for <Valid> parameter:
; ------------------------------
; Flag:  0 = valid: no  -> - Name contains the address of the redirected API (you can set
;                            it to zero if you edit it).
;                          - Ordinal is not considered but you should let '0000' as value.
;                          - ModuleName is not considered but you should let '?' as value.
;
;        1 = valid: yes -> All next parameters on the line will be considered.
;                          Function imported by ordinal must have no name (the 4th TAB must
;                                                                          be there though).
;
;        2 = Equivalent to 0 but it is for the loader.
;
;        3 = Equivalent to 1 but it is for the loader.
;
;        4 = Equivalent to 0 with (R) tag.
;
;        5 = Equivalent to 1 with (R) tag.
;
; And finally, edit this file as your own risk! :-)

Target: C:\mcprog48can_notime.exe
OEP: 00001000   IATRVA: 001251C8   IATSize: 00000728

FThunk: 001251CC   NbFunc: 00000024
1   001251CC   kernel32.dll   0080   DeleteCriticalSection
1   001251D0   kernel32.dll   0241   LeaveCriticalSection
1   001251D4   kernel32.dll   0097   EnterCriticalSection
1   001251D8   kernel32.dll   0216   InitializeCriticalSection
1   001251DC   kernel32.dll   036E   VirtualFree
1   001251E0   kernel32.dll   036B   VirtualAlloc
1   001251E4   kernel32.dll   024C   LocalFree
1   001251E8   kernel32.dll   0248   LocalAlloc
1   001251EC   kernel32.dll   01DB   GetVersion
1   001251F0   kernel32.dll   013F   GetCurrentThreadId
1   001251F4   kernel32.dll   021A   InterlockedDecrement
1   001251F8   kernel32.dll   021E   InterlockedIncrement
1   001251FC   kernel32.dll   0373   VirtualQuery
1   00125200   kernel32.dll   037F   WideCharToMultiByte
1   00125204   kernel32.dll   0265   MultiByteToWideChar
1   00125208   kernel32.dll   03B3   lstrlen
1   0012520C   kernel32.dll   03B0   lstrcpyn
1   00125210   kernel32.dll   0243   LoadLibraryExA
1   00125214   kernel32.dll   01CD   GetThreadLocale
1   00125218   kernel32.dll   01AD   GetStartupInfoA
1   0012521C   kernel32.dll   0198   GetProcAddress
1   00125220   kernel32.dll   0176   GetModuleHandleA
1   00125224   kernel32.dll   0174   GetModuleFileNameA
1   00125228   kernel32.dll   016C   GetLocaleInfoA
1   0012522C   kernel32.dll   010A   GetCommandLineA
1   00125230   kernel32.dll   00F1   FreeLibrary
1   00125234   kernel32.dll   00D1   FindFirstFileA
1   00125238   kernel32.dll   00CD   FindClose
1   0012523C   kernel32.dll   00B7   ExitProcess
1   00125240   kernel32.dll   00B8   ExitThread
1   00125244   kernel32.dll   006D   CreateThread
1   00125248   kernel32.dll   038C   WriteFile
1   0012524C   kernel32.dll   0358   UnhandledExceptionFilter
1   00125250   kernel32.dll   02C5   RtlUnwind
1   00125254   kernel32.dll   0297   RaiseException
1   00125258   kernel32.dll   01AF   GetStdHandle

FThunk: 00125260   NbFunc: 00000004
1   00125260   user32.dll   0128   GetKeyboardType
1   00125264   user32.dll   01C9   LoadStringA
1   00125268   user32.dll   01DD   MessageBoxA
1   0012526C   user32.dll   002B   CharNextA

FThunk: 00125274   NbFunc: 00000003
1   00125274   advapi32.dll   01EE   RegQueryValueExA
1   00125278   advapi32.dll   01E4   RegOpenKeyExA
1   0012527C   advapi32.dll   01CB   RegCloseKey

FThunk: 00125284   NbFunc: 00000003
1   00125284   oleaut32.dll   0006   SysFreeString
1   00125288   oleaut32.dll   0005   SysReAllocStringLen
1   0012528C   oleaut32.dll   0004   SysAllocStringLen

FThunk: 00125294   NbFunc: 00000004
1   00125294   kernel32.dll   034F   TlsSetValue
1   00125298   kernel32.dll   034E   TlsGetValue
1   0012529C   kernel32.dll   0248   LocalAlloc
1   001252A0   kernel32.dll   0176   GetModuleHandleA

FThunk: 001252A8   NbFunc: 0000000A
1   001252A8   advapi32.dll   01FB   RegSetValueExA
1   001252AC   advapi32.dll   01EE   RegQueryValueExA
1   001252B0   advapi32.dll   01E4   RegOpenKeyExA
1   001252B4   advapi32.dll   01E3   RegOpenKeyA
1   001252B8   advapi32.dll   01DD   RegFlushKey
1   001252BC   advapi32.dll   01D8   RegEnumKeyExA
1   001252C0   advapi32.dll   01CF   RegCreateKeyExA
1   001252C4   advapi32.dll   01CB   RegCloseKey
1   001252C8   advapi32.dll   013D   IsValidAcl
1   001252CC   advapi32.dll   0132   InitializeAcl

FThunk: 001252D4   NbFunc: 0000005C
1   001252D4   kernel32.dll   03AD   lstrcpy
1   001252D8   kernel32.dll   038C   WriteFile
1   001252DC   kernel32.dll   037B   WaitForSingleObject
1   001252E0   kernel32.dll   0374   VirtualQueryEx
1   001252E4   kernel32.dll   0373   VirtualQuery
1   001252E8   kernel32.dll   0371   VirtualProtect
1   001252EC   kernel32.dll   036B   VirtualAlloc
1   001252F0   kernel32.dll   033F   Sleep
1   001252F4   kernel32.dll   033E   SizeofResource
1   001252F8   kernel32.dll   032E   SetThreadPriority
1   001252FC   kernel32.dll   032D   SetThreadLocale
1   00125300   kernel32.dll   031E   SetProcessAffinityMask
1   00125304   kernel32.dll   0307   SetFilePointer
1   00125308   kernel32.dll   0302   SetEvent
1   0012530C   kernel32.dll   0301   SetErrorMode
1   00125310   kernel32.dll   02FE   SetEndOfFile
1   00125314   kernel32.dll   02C0   ResumeThread
1   00125318   kernel32.dll   02BD   ResetEvent
1   0012531C   kernel32.dll   02A4   ReadFile
1   00125320   kernel32.dll   0293   QueryPerformanceFrequency
1   00125324   kernel32.dll   0292   QueryPerformanceCounter
1   00125328   kernel32.dll   0275   OpenProcess
1   0012532C   kernel32.dll   0265   MultiByteToWideChar
1   00125330   kernel32.dll   0264   MulDiv
1   00125334   kernel32.dll   0255   LockResource
1   00125338   kernel32.dll   0247   LoadResource
1   0012533C   kernel32.dll   0242   LoadLibraryA
1   00125340   kernel32.dll   0241   LeaveCriticalSection
1   00125344   kernel32.dll   0216   InitializeCriticalSection
1   00125348   kernel32.dll   01FD   GlobalUnlock
1   0012534C   kernel32.dll   01FA   GlobalSize
1   00125350   kernel32.dll   01F9   GlobalReAlloc
1   00125354   kernel32.dll   01F5   GlobalHandle
1   00125358   kernel32.dll   01F6   GlobalLock
1   0012535C   kernel32.dll   01F2   GlobalFree
1   00125360   kernel32.dll   01EE   GlobalFindAtomA
1   00125364   kernel32.dll   01ED   GlobalDeleteAtom
1   00125368   kernel32.dll   01EB   GlobalAlloc
1   0012536C   kernel32.dll   01E9   GlobalAddAtomA
1   00125370   kernel32.dll   01E6   GetWindowsDirectoryA
1   00125374   kernel32.dll   01DE   GetVolumeInformationA
1   00125378   kernel32.dll   01DC   GetVersionExA
1   0012537C   kernel32.dll   01DB   GetVersion
1   00125380   kernel32.dll   01D2   GetTickCount
1   00125384   kernel32.dll   01CD   GetThreadLocale
1   00125388   kernel32.dll   01C9   GetTempPathA
1   0012538C   kernel32.dll   01B9   GetSystemInfo
1   00125390   kernel32.dll   01B7   GetSystemDirectoryA
1   00125394   kernel32.dll   01B1   GetStringTypeExA
1   00125398   kernel32.dll   01AF   GetStdHandle
1   0012539C   kernel32.dll   0198   GetProcAddress
1   001253A0   kernel32.dll   0194   GetPrivateProfileStringA
1   001253A4   kernel32.dll   0176   GetModuleHandleA
1   001253A8   kernel32.dll   0174   GetModuleFileNameA
1   001253AC   kernel32.dll   016C   GetLocaleInfoA
1   001253B0   kernel32.dll   016B   GetLocalTime
1   001253B4   kernel32.dll   0169   GetLastError
1   001253B8   kernel32.dll   0162   GetFullPathNameA
1   001253BC   kernel32.dll   0154   GetExitCodeThread
1   001253C0   kernel32.dll   014C   GetDriveTypeA
1   001253C4   kernel32.dll   0146   GetDiskFreeSpaceA
1   001253C8   kernel32.dll   0140   GetDateFormatA
1   001253CC   kernel32.dll   013F   GetCurrentThreadId
1   001253D0   kernel32.dll   013D   GetCurrentProcessId
1   001253D4   kernel32.dll   013C   GetCurrentProcess
1   001253D8   kernel32.dll   010E   GetComputerNameA
1   001253DC   kernel32.dll   00FE   GetCPInfo
1   001253E0   kernel32.dll   00F7   GetACP
1   001253E4   kernel32.dll   00F3   FreeResource
1   001253E8   kernel32.dll   021E   InterlockedIncrement
1   001253EC   kernel32.dll   021B   InterlockedExchange
1   001253F0   kernel32.dll   021A   InterlockedDecrement
1   001253F4   kernel32.dll   00F1   FreeLibrary
1   001253F8   kernel32.dll   00EC   FormatMessageA
1   001253FC   kernel32.dll   00E0   FindResourceA
1   00125400   kernel32.dll   00DA   FindNextFileA
1   00125404   kernel32.dll   00D1   FindFirstFileA
1   00125408   kernel32.dll   00CD   FindClose
1   0012540C   kernel32.dll   00C3   FileTimeToLocalFileTime
1   00125410   kernel32.dll   00C2   FileTimeToDosDateTime
1   00125414   kernel32.dll   0098   EnumCalendarInfoA
1   00125418   kernel32.dll   0097   EnterCriticalSection
1   0012541C   kernel32.dll   0082   DeleteFileA
1   00125420   kernel32.dll   0080   DeleteCriticalSection
1   00125424   kernel32.dll   0077   DebugBreak
1   00125428   kernel32.dll   006D   CreateThread
1   0012542C   kernel32.dll   0062   CreatePipe
1   00125430   kernel32.dll   0050   CreateFileA
1   00125434   kernel32.dll   004C   CreateEventA
1   00125438   kernel32.dll   0038   CompareStringA
1   0012543C   kernel32.dll   0032   CloseHandle
1   00125440   kernel32.dll   001D   Beep

FThunk: 00125448   NbFunc: 00000003
1   00125448   version.dll   000B   VerQueryValueA
1   0012544C   version.dll   0002   GetFileVersionInfoSizeA
1   00125450   version.dll   0001   GetFileVersionInfoA

FThunk: 00125458   NbFunc: 0000004B
1   00125458   gdi32.dll   0253   UnrealizeObject
1   0012545C   gdi32.dll   024A   StretchBlt
1   00125460   gdi32.dll   0244   SetWindowOrgEx
1   00125464   gdi32.dll   0242   SetWinMetaFileBits
1   00125468   gdi32.dll   0240   SetViewportOrgEx
1   0012546C   gdi32.dll   023D   SetTextColor
1   00125470   gdi32.dll   0239   SetStretchBltMode
1   00125474   gdi32.dll   0236   SetROP2
1   00125478   gdi32.dll   0232   SetPixel
1   0012547C   gdi32.dll   0223   SetEnhMetaFileBits
1   00125480   gdi32.dll   021F   SetDIBColorTable
1   00125484   gdi32.dll   021A   SetBrushOrgEx
1   00125488   gdi32.dll   0217   SetBkMode
1   0012548C   gdi32.dll   0216   SetBkColor
1   00125490   gdi32.dll   0210   SelectPalette
1   00125494   gdi32.dll   020F   SelectObject
1   00125498   gdi32.dll   020D   SelectClipRgn
1   0012549C   gdi32.dll   0208   SaveDC
1   001254A0   gdi32.dll   0202   RoundRect
1   001254A4   gdi32.dll   0201   RestoreDC
1   001254A8   gdi32.dll   01F7   Rectangle
1   001254AC   gdi32.dll   01F6   RectVisible
1   001254B0   gdi32.dll   01F4   RealizePalette
1   001254B4   gdi32.dll   01EF   Polyline
1   001254B8   gdi32.dll   01E1   PlayEnhMetaFile
1   001254BC   gdi32.dll   01E0   Pie
1   001254C0   gdi32.dll   01DE   PatBlt
1   001254C4   gdi32.dll   01D2   MoveToEx
1   001254C8   gdi32.dll   01CF   MaskBlt
1   001254CC   gdi32.dll   01CE   LineTo
1   001254D0   gdi32.dll   01C8   IntersectClipRect
1   001254D4   gdi32.dll   01C4   GetWindowOrgEx
1   001254D8   gdi32.dll   01C2   GetWinMetaFileBits
1   001254DC   gdi32.dll   01BD   GetTextMetricsA
1   001254E0   gdi32.dll   01B7   GetTextExtentPointA
1   001254E4   gdi32.dll   01B5   GetTextExtentPoint32A
1   001254E8   gdi32.dll   01B1   GetTextExtentExPointA
1   001254EC   gdi32.dll   01AA   GetSystemPaletteEntries
1   001254F0   gdi32.dll   01A6   GetStockObject
1   001254F4   gdi32.dll   019D   GetPixel
1   001254F8   gdi32.dll   019B   GetPaletteEntries
1   001254FC   gdi32.dll   0197   GetObjectType
1   00125500   gdi32.dll   0196   GetObjectA
1   00125504   gdi32.dll   0195   GetNearestPaletteIndex
1   00125508   gdi32.dll   0176   GetEnhMetaFilePaletteEntries
1   0012550C   gdi32.dll   0175   GetEnhMetaFileHeader
1   00125510   gdi32.dll   0172   GetEnhMetaFileBits
1   00125514   gdi32.dll   016C   GetDeviceCaps
1   00125518   gdi32.dll   016B   GetDIBits
1   0012551C   gdi32.dll   016A   GetDIBColorTable
1   00125520   gdi32.dll   0168   GetDCOrgEx
1   00125524   gdi32.dll   0166   GetCurrentPositionEx
1   00125528   gdi32.dll   0161   GetClipBox
1   0012552C   gdi32.dll   0151   GetBrushOrgEx
1   00125530   gdi32.dll   014B   GetBitmapBits
1   00125534   gdi32.dll   011C   GdiFlush
1   00125538   gdi32.dll   00DE   ExtTextOutA
1   0012553C   gdi32.dll   00D8   ExcludeClipRect
1   00125540   gdi32.dll   0095   Ellipse
1   00125544   gdi32.dll   0090   DeleteObject
1   00125548   gdi32.dll   008E   DeleteEnhMetaFile
1   0012554C   gdi32.dll   008D   DeleteDC
1   00125550   gdi32.dll   0051   CreateSolidBrush
1   00125554   gdi32.dll   0049   CreatePenIndirect
1   00125558   gdi32.dll   0046   CreatePalette
1   0012555C   gdi32.dll   0040   CreateHalftonePalette
1   00125560   gdi32.dll   003B   CreateFontIndirectA
1   00125564   gdi32.dll   0034   CreateDIBitmap
1   00125568   gdi32.dll   0033   CreateDIBSection
1   0012556C   gdi32.dll   002E   CreateCompatibleDC
1   00125570   gdi32.dll   002D   CreateCompatibleBitmap
1   00125574   gdi32.dll   002A   CreateBrushIndirect
1   00125578   gdi32.dll   0028   CreateBitmap
1   0012557C   gdi32.dll   0024   CopyEnhMetaFileA
1   00125580   gdi32.dll   0013   BitBlt

FThunk: 00125588   NbFunc: 000000A6
1   00125588   user32.dll   0061   CreateWindowExA
1   0012558C   user32.dll   02D6   WindowFromPoint
1   00125590   user32.dll   02D3   WinHelpA
1   00125594   user32.dll   02D1   WaitMessage
1   00125598   user32.dll   02BC   UpdateWindow
1   0012559C   user32.dll   02B4   UnregisterClassA
1   001255A0   user32.dll   02AF   UnhookWindowsHookEx
1   001255A4   user32.dll   02AB   TranslateMessage
1   001255A8   user32.dll   02AA   TranslateMDISysAccel
1   001255AC   user32.dll   02A5   TrackPopupMenu
1   001255B0   user32.dll   029A   SystemParametersInfoA
1   001255B4   user32.dll   0293   ShowWindow
1   001255B8   user32.dll   0291   ShowScrollBar
1   001255BC   user32.dll   0290   ShowOwnedPopups
1   001255C0   user32.dll   028F   ShowCursor
1   001255C4   user32.dll   028B   SetWindowsHookExA
1   001255C8   user32.dll   0287   SetWindowTextA
1   001255CC   user32.dll   0284   SetWindowPos
1   001255D0   user32.dll   0283   SetWindowPlacement
1   001255D4   user32.dll   0281   SetWindowLongA
1   001255D8   user32.dll   027B   SetTimer
1   001255DC   user32.dll   0271   SetScrollRange
1   001255E0   user32.dll   0270   SetScrollPos
1   001255E4   user32.dll   026F   SetScrollInfo
1   001255E8   user32.dll   026D   SetRect
1   001255EC   user32.dll   026B   SetPropA
1   001255F0   user32.dll   0267   SetParent
1   001255F4   user32.dll   0263   SetMenuItemInfoA
1   001255F8   user32.dll   025E   SetMenu
1   001255FC   user32.dll   0258   SetForegroundWindow
1   00125600   user32.dll   0257   SetFocus
1   00125604   user32.dll   024E   SetCursor
1   00125608   user32.dll   024B   SetClipboardData
1   0012560C   user32.dll   0248   SetClassLongA
1   00125610   user32.dll   0245   SetCapture
1   00125614   user32.dll   0244   SetActiveWindow
1   00125618   user32.dll   023C   SendMessageA
1   0012561C   user32.dll   0235   ScrollWindow
1   00125620   user32.dll   0232   ScreenToClient
1   00125624   user32.dll   022D   RemovePropA
1   00125628   user32.dll   022C   RemoveMenu
1   0012562C   user32.dll   022B   ReleaseDC
1   00125630   user32.dll   022A   ReleaseCapture
1   00125634   user32.dll   021B   RegisterClipboardFormatA
1   00125638   user32.dll   021B   RegisterClipboardFormatA
1   0012563C   user32.dll   0217   RegisterClassA
1   00125640   user32.dll   0216   RedrawWindow
1   00125644   user32.dll   020C   PtInRect
1   00125648   user32.dll   0202   PostQuitMessage
1   0012564C   user32.dll   0200   PostMessageA
1   00125650   user32.dll   01FE   PeekMessageA
1   00125654   user32.dll   01F4   OpenClipboard
1   00125658   user32.dll   01F3   OffsetRect
1   0012565C   user32.dll   01EF   OemToCharA
1   00125660   user32.dll   01EB   MsgWaitForMultipleObjects
1   00125664   user32.dll   01DD   MessageBoxA
1   00125668   user32.dll   01DC   MessageBeep
1   0012566C   user32.dll   01D8   MapWindowPoints
1   00125670   user32.dll   01D4   MapVirtualKeyA
1   00125674   user32.dll   01C9   LoadStringA
1   00125678   user32.dll   01C0   LoadKeyboardLayoutA
1   0012567C   user32.dll   01BC   LoadIconA
1   00125680   user32.dll   01B8   LoadCursorA
1   00125684   user32.dll   01B6   LoadBitmapA
1   00125688   user32.dll   01B3   KillTimer
1   0012568C   user32.dll   01B1   IsZoomed
1   00125690   user32.dll   01B0   IsWindowVisible
1   00125694   user32.dll   01AD   IsWindowEnabled
1   00125698   user32.dll   01AC   IsWindow
1   0012569C   user32.dll   01A9   IsRectEmpty
1   001256A0   user32.dll   01A7   IsIconic
1   001256A4   user32.dll   01A1   IsDialogMessage
1   001256A8   user32.dll   019F   IsChild
1   001256AC   user32.dll   0194   InvalidateRect
1   001256B0   user32.dll   0193   IntersectRect
1   001256B4   user32.dll   018F   InsertMenuItemA
1   001256B8   user32.dll   018E   InsertMenuA
1   001256BC   user32.dll   018B   InflateRect
1   001256C0   user32.dll   017C   GetWindowThreadProcessId
1   001256C4   user32.dll   0178   GetWindowTextA
1   001256C8   user32.dll   0175   GetWindowRect
1   001256CC   user32.dll   0174   GetWindowPlacement
1   001256D0   user32.dll   016F   GetWindowLongA
1   001256D4   user32.dll   016D   GetWindowDC
1   001256D8   user32.dll   0164   GetTopWindow
1   001256DC   user32.dll   015E   GetSystemMetrics
1   001256E0   user32.dll   015D   GetSystemMenu
1   001256E4   user32.dll   015C   GetSysColorBrush
1   001256E8   user32.dll   015B   GetSysColor
1   001256EC   user32.dll   015A   GetSubMenu
1   001256F0   user32.dll   0158   GetScrollRange
1   001256F4   user32.dll   0157   GetScrollPos
1   001256F8   user32.dll   0156   GetScrollInfo
1   001256FC   user32.dll   014B   GetPropA
1   00125700   user32.dll   0146   GetParent
1   00125704   user32.dll   016B   GetWindow
1   00125708   user32.dll   0139   GetMenuStringA
1   0012570C   user32.dll   0138   GetMenuState
1   00125710   user32.dll   0135   GetMenuItemInfoA
1   00125714   user32.dll   0134   GetMenuItemID
1   00125718   user32.dll   0133   GetMenuItemCount
1   0012571C   user32.dll   012D   GetMenu
1   00125720   user32.dll   0129   GetLastActivePopup
1   00125724   user32.dll   0127   GetKeyboardState
1   00125728   user32.dll   0124   GetKeyboardLayoutList
1   0012572C   user32.dll   0123   GetKeyboardLayout
1   00125730   user32.dll   0122   GetKeyState
1   00125734   user32.dll   0120   GetKeyNameTextA
1   00125738   user32.dll   011B   GetIconInfo
1   0012573C   user32.dll   0118   GetForegroundWindow
1   00125740   user32.dll   0117   GetFocus
1   00125744   user32.dll   0112   GetDlgItem
1   00125748   user32.dll   010F   GetDesktopWindow
1   0012574C   user32.dll   010E   GetDCEx
1   00125750   user32.dll   010D   GetDC
1   00125754   user32.dll   010C   GetCursorPos
1   00125758   user32.dll   0109   GetCursor
1   0012575C   user32.dll   0102   GetClipboardData
1   00125760   user32.dll   0100   GetClientRect
1   00125764   user32.dll   00FD   GetClassNameA
1   00125768   user32.dll   00F7   GetClassInfoA
1   0012576C   user32.dll   00F4   GetCapture
1   00125770   user32.dll   00EC   GetActiveWindow
1   00125774   user32.dll   00EA   FrameRect
1   00125778   user32.dll   00E4   FindWindowA
1   0012577C   user32.dll   00E3   FillRect
1   00125780   user32.dll   00E0   EqualRect
1   00125784   user32.dll   00DF   EnumWindows
1   00125788   user32.dll   00DC   EnumThreadWindows
1   0012578C   user32.dll   00C9   EndPaint
1   00125790   user32.dll   00C5   EnableWindow
1   00125794   user32.dll   00C4   EnableScrollBar
1   00125798   user32.dll   00C3   EnableMenuItem
1   0012579C   user32.dll   00C2   EmptyClipboard
1   001257A0   user32.dll   00BD   DrawTextA
1   001257A4   user32.dll   00B9   DrawMenuBar
1   001257A8   user32.dll   00B8   DrawIconEx
1   001257AC   user32.dll   00B7   DrawIcon
1   001257B0   user32.dll   00B6   DrawFrameControl
1   001257B4   user32.dll   00B4   DrawFocusRect
1   001257B8   user32.dll   00B3   DrawEdge
1   001257BC   user32.dll   00A2   DispatchMessageA
1   001257C0   user32.dll   009A   DestroyWindow
1   001257C4   user32.dll   0098   DestroyMenu
1   001257C8   user32.dll   0096   DestroyCursor
1   001257CC   user32.dll   0096   DestroyCursor
1   001257D0   user32.dll   0092   DeleteMenu
1   001257D4   user32.dll   008F   DefWindowProcA
1   001257D8   user32.dll   008C   DefMDIChildProcA
1   001257DC   user32.dll   008A   DefFrameProcA
1   001257E0   user32.dll   005F   CreatePopupMenu
1   001257E4   user32.dll   005E   CreateMenu
1   001257E8   user32.dll   0058   CreateIcon
1   001257EC   user32.dll   0043   CloseClipboard
1   001257F0   user32.dll   0041   ClientToScreen
1   001257F4   user32.dll   003A   CheckMenuItem
1   001257F8   user32.dll   001C   CallWindowProcA
1   001257FC   user32.dll   001B   CallNextHookEx
1   00125800   user32.dll   000E   BeginPaint
1   00125804   user32.dll   002B   CharNextA
1   00125808   user32.dll   0028   CharLowerBuffA
1   0012580C   user32.dll   0027   CharLowerA
1   00125810   user32.dll   0036   CharUpperBuffA
1   00125814   user32.dll   0031   CharToOemA
1   00125818   user32.dll   0003   AdjustWindowRectEx
1   0012581C   user32.dll   0001   ActivateKeyboardLayout

FThunk: 00125824   NbFunc: 00000001
1   00125824   kernel32.dll   033F   Sleep

FThunk: 0012582C   NbFunc: 00000008
1   0012582C   oleaut32.dll   0094   SafeArrayPtrOfIndex
1   00125830   oleaut32.dll   0013   SafeArrayGetUBound
1   00125834   oleaut32.dll   0014   SafeArrayGetLBound
1   00125838   oleaut32.dll   000F   SafeArrayCreate
1   0012583C   oleaut32.dll   000C   VariantChangeType
1   00125840   oleaut32.dll   000A   VariantCopy
1   00125844   oleaut32.dll   0009   VariantClear
1   00125848   oleaut32.dll   0008   VariantInit

FThunk: 00125850   NbFunc: 00000004
1   00125850   ole32.dll   0115   OleUninitialize
1   00125854   ole32.dll   00FE   OleInitialize
1   00125858   ole32.dll   006A   CoUninitialize
1   0012585C   ole32.dll   003C   CoInitialize

FThunk: 00125864   NbFunc: 00000002
1   00125864   oleaut32.dll   00C8   GetErrorInfo
1   00125868   oleaut32.dll   0006   SysFreeString

FThunk: 00125870   NbFunc: 00000018
1   00125870   comctl32.dll   004F   ImageList_SetIconSize
1   00125874   comctl32.dll   003B   ImageList_GetIconSize
1   00125878   comctl32.dll   0052   ImageList_Write
1   0012587C   comctl32.dll   0043   ImageList_Read
1   00125880   comctl32.dll   0038   ImageList_GetDragImage
1   00125884   comctl32.dll   0031   ImageList_DragShowNolock
1   00125888   comctl32.dll   004C   ImageList_SetDragCursorImage
1   0012588C   comctl32.dll   0030   ImageList_DragMove
1   00125890   comctl32.dll   002F   ImageList_DragLeave
1   00125894   comctl32.dll   002E   ImageList_DragEnter
1   00125898   comctl32.dll   0036   ImageList_EndDrag
1   0012589C   comctl32.dll   002A   ImageList_BeginDrag
1   001258A0   comctl32.dll   0044   ImageList_Remove
1   001258A4   comctl32.dll   0033   ImageList_DrawEx
1   001258A8   comctl32.dll   0045   ImageList_Replace
1   001258AC   comctl32.dll   0032   ImageList_Draw
1   001258B0   comctl32.dll   0037   ImageList_GetBkColor
1   001258B4   comctl32.dll   004B   ImageList_SetBkColor
1   001258B8   comctl32.dll   0046   ImageList_ReplaceIcon
1   001258BC   comctl32.dll   0027   ImageList_Add
1   001258C0   comctl32.dll   003C   ImageList_GetImageCount
1   001258C4   comctl32.dll   002D   ImageList_Destroy
1   001258C8   comctl32.dll   002C   ImageList_Create
1   001258CC   comctl32.dll   0011   InitCommonControls

FThunk: 001258D4   NbFunc: 00000003
1   001258D4   shell32.dll   0167   ShellExecuteA
1   001258D8   shell32.dll   008C   DragQueryFile
1   001258DC   shell32.dll   008A   DragAcceptFiles

FThunk: 001258E4   NbFunc: 00000002
1   001258E4   comdlg32.dll   0070   GetSaveFileNameA
1   001258E8   comdlg32.dll   006E   GetOpenFileNameA


I don't know whether you will manage to get a working dump; there are many things that can be the reason for crashing: from a bad dump, to some self-check, threads that will be executed within EC code and that code you cannot remove, etc.

Good luck.
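
The tree layout documented in the file's own comment header (flag, RVA, module, ordinal, name, grouped under FThunk/NbFunc lines) can be checked mechanically before the tree is trusted. The following is an added example, not part of the original post or of ImpREC: a Python checker that flags count mismatches, gaps, out-of-range slots, unresolved entries and repeated names; the sample tree is constructed, and the 4-byte slot stride assumes a 32-bit image.

```python
import re
from collections import Counter

# Constructed sample in the layout of the tree above. The header values and the
# first thunk are copied from the post; the second thunk is made up to show a
# repeated name and an unresolved (flag 0) slot. Fields are split on any
# whitespace because the forum rendering replaced the TAB separators.
SAMPLE_TREE = """\
; Flag   RVA   ModuleName   Ordinal   Name
Target: C:\\sample.exe
OEP: 00001000   IATRVA: 001251C8   IATSize: 00000728

FThunk: 00125260   NbFunc: 00000004
1   00125260   user32.dll   0128   GetKeyboardType
1   00125264   user32.dll   01C9   LoadStringA
1   00125268   user32.dll   01DD   MessageBoxA
1   0012526C   user32.dll   002B   CharNextA

FThunk: 00125634   NbFunc: 00000003
1   00125634   user32.dll   021B   RegisterClipboardFormatA
1   00125638   user32.dll   021B   RegisterClipboardFormatA
0   0012563C   ?   0000   00C51234
"""

HEX = r"[0-9A-Fa-f]"
HEADER = re.compile(rf"^OEP:\s*({HEX}+)\s+IATRVA:\s*({HEX}+)\s+IATSize:\s*({HEX}+)$")
THUNK = re.compile(rf"^FThunk:\s*({HEX}+)\s+NbFunc:\s*({HEX}+)$")
# The name may be empty: imports by ordinal carry no name.
ENTRY = re.compile(rf"^([0-5])\s+({HEX}{{8}})\s+(\S+)\s+({HEX}{{4}})\s*(\S*)$")
SLOT = 4  # assumption: 32-bit image, one DWORD per IAT slot


def parse_tree(text):
    """Return (header, thunks) parsed from an ImpREC-style tree export."""
    header, thunks = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        m = HEADER.match(line)
        if m:
            oep, rva, size = (int(v, 16) for v in m.groups())
            header = {"oep": oep, "iat_rva": rva, "iat_size": size}
            continue
        m = THUNK.match(line)
        if m:
            thunks.append({"rva": int(m[1], 16), "nbfunc": int(m[2], 16), "entries": []})
            continue
        m = ENTRY.match(line)
        if m and thunks:
            flag, rva, module, ordinal, name = m.groups()
            thunks[-1]["entries"].append({
                "valid": int(flag) % 2 == 1,  # flags 1, 3, 5 mean "valid: yes"
                "rva": int(rva, 16),
                "module": module.lower(),
                "ordinal": int(ordinal, 16),
                "name": name,
            })
    if header is None:
        raise ValueError("no OEP/IATRVA/IATSize header line found")
    return header, thunks


def check_tree(text):
    """Return a list of (kind, rva) findings for a tree export."""
    header, thunks = parse_tree(text)
    lo, hi = header["iat_rva"], header["iat_rva"] + header["iat_size"]
    findings = []
    for thunk in thunks:
        if len(thunk["entries"]) != thunk["nbfunc"]:
            findings.append(("count", thunk["rva"]))  # NbFunc disagrees with the lines
        seen = Counter()
        for i, entry in enumerate(thunk["entries"]):
            if entry["rva"] != thunk["rva"] + SLOT * i:
                findings.append(("stride", entry["rva"]))  # gap or misordered slot
            if not lo <= entry["rva"] < hi:
                findings.append(("range", entry["rva"]))  # outside the declared IAT
            if not entry["valid"]:
                findings.append(("unresolved", entry["rva"]))
                continue
            key = (entry["module"], entry["name"] or entry["ordinal"])
            seen[key] += 1
            if seen[key] > 1:
                # Heuristic: the same API twice in one thunk deserves a manual look.
                findings.append(("duplicate", entry["rva"]))
    return findings


if __name__ == "__main__":
    for kind, rva in check_tree(SAMPLE_TREE):
        print(f"{kind:<10} {rva:08X}")
```

Run over the full tree in the post, the duplicate check would flag the adjacent RegisterClipboardFormatA (00125634, 00125638) and DestroyCursor (001257C8, 001257CC) slots for a manual look.
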
Lukasz3k
New to the board
Joined: 09 Dec 2006
Posts: 13

Posted: Sat Jan 13, 2007 1:56 pm

Thanks haggar, I corrected the dump and it is working on other machines :)
I found where the bug is. When I changed the line:
cmp pointer,10000000 //Check is import placed in thunk, or redirection.
to:
cmp pointer,C50000 //Check is import placed in thunk, or redirection.

the script works well. :)
The script crashes because some imports are below 10000000.

haggar
Regular
Joined: 19 Mar 2005
Posts: 246

Posted: Sat Jan 13, 2007 7:51 pm

Great to hear 8)