Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   IT Elimination (https://forum.exetools.com/showthread.php?t=3631)

Kyrios 03-13-2004 05:42

IT Elimination

Hi, I can't unpack an Armadillo-protected target when IT Elimination is used. It's a new feature since v3.60 beta1.
As with Strategic Code Splicing (which I can deal with), I've added a new section from the dumped region.
This target only uses standard protection + IT Elimination.
I've changed the long JNE to a long JMP while rebuilding the IT,
but there's still a problem with the indirect JMPs.

The indirect CALL is OK (in my dumped file).

Code:

004E8140  PUSH EBX
004E8141  PUSH ESI
004E8142  PUSH EDI
004E8143  MOV DWORD PTR SS:[EBP-18],ESP
004E8146  CALL DWORD PTR DS:[D885B4] ; kernel32.GetVersion
004E814C  XOR EDX,EDX

As you can see, the indirect CALL is OK.
But there's a problem with the indirect JMP (my dumped file):

Code:

00548F50  JMP DWORD PTR DS:[D88904]
00548F56  JMP DWORD PTR DS:[D888FC]
00548F5C  JMP DWORD PTR DS:[D888F8]

And the value of [D888F8] is 77C0167D, but there is no memory at that address (77C0167D),
and I could not go there.


But in protected file, the code is like this:

Code:

00548F50  JMP DWORD PTR DS:[D88904]  ; VERSION.VerQueryValueA
00548F56  JMP DWORD PTR DS:[D888FC]  ; VERSION.GetFileVersionInfoA
00548F5C  JMP DWORD PTR DS:[D888F8]  ; VERSION.GetFileVersionInfoSizeA

And the value of [D888F8] is 77C0167D (which is the same as mine). But I can go there.

==================================================================================

Weird, there's no VERSION.dll module in my dumped file. Does anyone know how to deal with this new feature?
Sorry for my poor English.


Hypersnap-DX 5.50.01
Kyrios
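The symptom in the post is the one an IAT rebuilder has to catch: with the import directory eliminated, the code still reaches imports only through `CALL DWORD PTR [slot]` (FF 15) and `JMP DWORD PTR [slot]` thunks (FF 25), and a dumped file keeps whatever live pointer was in each slot. A pointer like 77C0167D is only meaningful if the module it points into (here VERSION.dll) is loaded, which nothing in a dump without an import directory will cause. The following is an added example written for this page, not code from the post or from Armadillo: it scans raw code for both indirect forms, looks up each referenced slot, and reports which slot values fall inside a module present in the dump and which do not. The instruction bytes are hand-assembled from the post's listings; the IAT slot values other than 77C0167D, the IAT range, and the module bases and sizes are constructed assumptions.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# x86-32 encodings of the two IAT-indirect forms with a 32-bit absolute slot:
# FF 25 disp32 = JMP DWORD PTR [disp32], FF 15 disp32 = CALL DWORD PTR [disp32].
IAT_INDIRECT = {b"\xff\x25": "JMP", b"\xff\x15": "CALL"}


@dataclass
class Module:
    name: str
    base: int
    size: int

    def contains(self, va: int) -> bool:
        return self.base <= va < self.base + self.size


def find_iat_refs(code: bytes, code_va: int) -> List[Tuple[int, str, int]]:
    """Return (instruction VA, 'JMP' or 'CALL', IAT slot address) for every
    FF 25 / FF 15 [disp32] found in a raw code region.

    This is a byte-pattern scan, not a disassembler, so a data or immediate
    byte pair that happens to be FF 25 / FF 15 is reported too; audit_imports
    filters such hits by requiring the slot to lie inside the candidate IAT.
    """
    refs = []
    i = 0
    while i + 6 <= len(code):
        kind = IAT_INDIRECT.get(code[i:i + 2])
        if kind:
            slot = struct.unpack_from("<I", code, i + 2)[0]
            refs.append((code_va + i, kind, slot))
            i += 6
        else:
            i += 1
    return refs


def resolve(value: int, modules: List[Module]) -> Optional[Tuple[str, int]]:
    """Map an absolute address to (module name, RVA) using a module list."""
    for m in modules:
        if m.contains(value):
            return m.name, value - m.base
    return None


def audit_imports(regions, iat: Dict[int, int], iat_range, modules) -> List[dict]:
    """Cross-check every IAT reference in the code against the slot contents.

    regions   : list of (va, bytes) code regions read from the dump
    iat       : slot address -> dword stored there in the dump
    iat_range : (lo, hi) bounds of the candidate IAT, used to drop scan noise
    modules   : Module list describing what the dump actually contains
    """
    lo, hi = iat_range
    report = []
    for va, raw in regions:
        for insn_va, kind, slot in find_iat_refs(raw, va):
            if not (lo <= slot < hi):
                continue  # pattern hit outside the IAT: a false positive
            value = iat.get(slot)
            hit = resolve(value, modules) if value is not None else None
            report.append({
                "va": insn_va, "kind": kind, "slot": slot, "value": value,
                "module": hit[0] if hit else None,
                "rva": hit[1] if hit else None,
                "status": "ok" if hit else "unresolved",
            })
    return report


def unresolved(report: List[dict]) -> List[dict]:
    return [r for r in report if r["status"] == "unresolved"]


def _le32(v: int) -> bytes:
    return struct.pack("<I", v)


# Constructed code regions assembled by hand from the post's two listings.
CALL_REGION = (0x004E8146, b"\xff\x15" + _le32(0x00D885B4) + b"\x33\xd2")  # CALL [D885B4]; XOR EDX,EDX
JMP_REGION = (0x00548F50,
              b"\xff\x25" + _le32(0x00D88904)
              + b"\xff\x25" + _le32(0x00D888FC)
              + b"\xff\x25" + _le32(0x00D888F8))

# Constructed IAT contents: 0x77C0167D is the value quoted in the post, the other
# three are assumptions chosen to fall inside the assumed module ranges below.
IAT = {
    0x00D885B4: 0x77E7A1B0,
    0x00D88904: 0x77C01000,
    0x00D888FC: 0x77C01240,
    0x00D888F8: 0x77C0167D,
}
IAT_RANGE = (0x00D88000, 0x00D89000)  # assumed bounds of the slot region

# Assumed module lists: what the dumped file has, and what the live process had.
MODULES_IN_DUMP = [Module("kernel32.dll", 0x77E60000, 0x000E6000)]
MODULES_LIVE = MODULES_IN_DUMP + [Module("VERSION.dll", 0x77C00000, 0x00008000)]

if __name__ == "__main__":
    for label, mods in (("dumped file", MODULES_IN_DUMP), ("live process", MODULES_LIVE)):
        print(f"--- resolving slot values against the {label} ---")
        for r in audit_imports([CALL_REGION, JMP_REGION], IAT, IAT_RANGE, mods):
            val = f"{r['value']:08X}" if r["value"] is not None else "????????"
            where = f"{r['module']}+{r['rva']:#x}" if r["module"] else "no module covers this address"
            print(f"{r['va']:08X}  {r['kind']:<4} DWORD PTR [{r['slot']:08X}] -> {val}  {where}")
```

Run against the dump's module list, the CALL slot resolves into kernel32 while the three JMP slots are reported unresolved, which is the post's symptom exactly; run against the live process list, the same slot values resolve into VERSION.dll. The practical reading is that a rebuilder must collect the FF 25 thunks as well as the FF 15 calls, and every slot whose value resolves only against the live process needs a rebuilt import entry so the loader will populate it.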

