So we set a trap on the OEP ;D, now let's clear all breakpoints: BC *
Again set a breakpoint with BPINT 3, and leave sICE.
Load calcc.exe, sICE breaks; type E EIP, edit the CC -> 6A and press <enter>.
Now leave sICE again (without clearing the breakpoints)...calcc.exe runs like a baby.
Well, what's the point of it??
The point is that you won't get an error message when loading calcc.exe (which you would without BPINT 3 and the CC -> 6A patch).
That way I can dump it in ProcDump while the program is loaded, without ProcDump crashing when trying to DUMP it.
Now let's open ProcDump again...in the TASK window, scroll down and look for the directory where you have the encrypted file, mine is:
D:\Dont Tuch\notepade.exe
If it's not there, right click with the mouse and press REFRESH LIST...ohh here it is :=)
Now select the file, right click with the mouse and choose: DUMP (FULL). If ProcDump still crashes, I recommend dumping the file using DUMP (PARTIAL) <= click OK all the time.
Save the new dump anywhere you like, and choose a name of course ;D (I prefer the name DUMP.EXE ;D). Now right click on it again and choose: KILL TASK (press OK after you get a message). The dump we made does not run yet, we need to modify it to make it run...duh! ;D
So click "PE Editor" and choose the new dump file we made.
The entry point is still 00017000, so change it to the real OEP: 119E0
It will look like this now:
Entry Point: 000119E0
Now under "Apply Changes Method:" choose "To PE File" <= so we can kick out the encryption code.
After choosing "To PE File", click the "SECTIONS" button.
Right click on the last section with the mouse and choose: "Kill Section"
This ensures that the encryption code won't be in dump.exe anymore ;D
Now we will change the Size of Image of the dump:
Size of Image = Virtual Offset of the last section + Virtual Size of the last section
Because we killed the last section, the section before it is now the last one, so take its values:
Offset = 00014000
Virtual Size = 00002618
Size of Image = 00014000 + 00002618 = 00016618
Click the "CANCEL" button and we are back at the Header Info screen.
We see that "Size Of Image" = 00018000 <= which is not correct! (at least here it isn't) :-)
Change "Size Of Image" = 00018000 -> 00016618
Press OK to rebuild the structure of dump.exe ;D
Exit ProcDump.
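The three header edits above (new entry point, killed last section, recomputed Size of Image) as an added Python example that is not part of the original tutorial; it builds a constructed, header-only PE32 image with the section values from this page (the sample sections, the 0x1000 SectionAlignment and the offsets are assumptions), and reports both the page's Size of Image formula and the value rounded up to SectionAlignment, which is what the PE format requires and what the patcher writes.

```python
import struct

SECTION_ALIGNMENT = 0x1000  # assumed: the usual value for 32-bit PE files
OPT_EP, OPT_SIZE_OF_IMAGE, SECTION_HDR = 16, 56, 40  # PE32 optional header offsets, header size

def build_sample_pe(entry_point, size_of_image, sections):
    """Constructed header-only PE32 image standing in for DUMP.EXE (not a real binary)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<I", opt, OPT_EP, entry_point)
    struct.pack_into("<I", opt, 32, SECTION_ALIGNMENT)
    struct.pack_into("<I", opt, OPT_SIZE_OF_IMAGE, size_of_image)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, 0, 0, 0, 0, 0, 0, 0)
                    for n, va, vs in sections)                         # (name, VA, VirtualSize)
    return bytearray(dos + b"PE\0\0" + coff + opt + hdrs)

def parse_pe(data):
    """Return entry point, SizeOfImage and (name, VA, VirtualSize) for every section."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt = pe + 24
    sec = opt + struct.unpack_from("<H", data, pe + 20)[0]             # SizeOfOptionalHeader
    raw = [struct.unpack_from("<8sII", data, sec + SECTION_HDR * i) for i in range(nsec)]
    return {"pe": pe, "opt": opt, "sec": sec,
            "entry_point": struct.unpack_from("<I", data, opt + OPT_EP)[0],
            "size_of_image": struct.unpack_from("<I", data, opt + OPT_SIZE_OF_IMAGE)[0],
            "sections": [(n.rstrip(b"\0"), va, vs) for n, vs, va in raw]}

def size_of_image(sections, align=SECTION_ALIGNMENT):
    """The page's formula (last VA + last VirtualSize) and that value rounded up to SectionAlignment."""
    _, va, vs = sections[-1]
    total = va + vs
    return total, (total + align - 1) & ~(align - 1)

def fix_dump(data, oep):
    """Kill the packer's last section, set the real OEP and recompute SizeOfImage, in place."""
    info = parse_pe(data)
    nsec = len(info["sections"]) - 1
    struct.pack_into("<H", data, info["pe"] + 6, nsec)                 # NumberOfSections - 1
    last = info["sec"] + SECTION_HDR * nsec
    data[last:last + SECTION_HDR] = b"\0" * SECTION_HDR                # wipe the killed header
    struct.pack_into("<I", data, info["opt"] + OPT_EP, oep)
    _, aligned = size_of_image(info["sections"][:nsec])
    struct.pack_into("<I", data, info["opt"] + OPT_SIZE_OF_IMAGE, aligned)
    return parse_pe(data)
```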
Try running the file (dump.exe)...what's going on, it's not working...why! >:/
Well, it won't work because it runs in a loop that prevents the program from working!
Remember: 558B -> EBFE?
So open the hex editor again and go to the OEP we found (119E0).
Change back EBFE -> 558B
Save the file...
Run dump.exe...IT CRASHES AGAIN!!!!!!!!... >:|
Wtf...why :( ?
Well, the main reason is the EP v0.2 encryption routine: it basically F*CKS UP THE IMPORT TABLE (IT)...
To know more about the IT, I suggest reading some tuts about it!
2.==============================The Hunt For Original IT=======================================
Ok, open up sICE, set a BPINT 3 breakpoint, exit sICE, and load the encrypted file (not the dump).
sICE pops up...just E EIP to bring back the original value so we can trace with sICE:
E EIP
CC 00
To:
6A 00
<enter> or Alt+D
Now we can trace...it won't take a while, try to find it yourself.
Didn't find it??
So notice these addresses:
EAX=01017020 EBX=00520000 ECX=00000000 EDX=7461644F ESI=01012020 <= Original IT
EDI=00000000 EBP=01000000 ESP=0056FE18 EIP=01017170 o d I s z a p c
1. Load the encrypted file (not the dump) using the CC -> 6A trick in sICE (which in this case won't crash the program), so that it is an active process ImportREC can use.
2. In "Attach to an Active Process" choose our program -> d:\dont tuch\calcc.exe
3. Enter the correct OEP and IT under "IAT Infos":
OEP = 000119E0
RVA = 00012020
SIZE = 00001000
4. Press the "IAT AutoSearch" button; you will get the message "Found something!" and some RVA and OEP information. Click OK!
5. Click the "Get Imports" button.
6. Click the "Fix Dump" button, and choose the dump.exe we made.
* Note: sometimes you will get an error message, but you can ignore it ;) otherwise it works fine.
7. Exit ImportREC.
Ok, so we fixed dump.exe with a good IT...it's time to check the program.
You will see a new file has been created, dump_.exe ;) click it!!