bedrock, 05-09-2004, 17:20

Ok, I've gone back to looking at this target, but I'm not really sure what is going on. I've dumped and rebuilt stolen bytes and IAT, and now I've started tracing through the dumped exe, to see differences between the dump and the protected exe.

I get to here in the code:

Code:
00402250   . 8BC3           MOV EAX,EBX
00402252   . 85C0           TEST EAX,EAX
00402254   . 79 03          JNS SHORT dumped_.00402259
00402256   . 83C0 03        ADD EAX,3
00402259   > C1F8 02        SAR EAX,2
0040225C   . 8B15 24C64900  MOV EDX,DWORD PTR DS:[49C624]
00402262   . 8B5482 F4      MOV EDX,DWORD PTR DS:[EDX+EAX*4-C]
00402266   . 85D2           TEST EDX,EDX
00402268     74 79          JE SHORT dumped_.004022E3
0040226A   . 8BF2           MOV ESI,EDX
0040226C   . 8BC6           MOV EAX,ESI
0040226E   . 03C3           ADD EAX,EBX
00402270   . 8320 FE        AND DWORD PTR DS:[EAX],FFFFFFFE
00402273   . 8B42 04        MOV EAX,DWORD PTR DS:[EDX+4]

At 40225C, the address in [49C624] is 86FB0. In the dumped exe the memory at this address is EE FE EE FE, but in the protected exe it is 00 00 00 00, and this difference causes an access violation.

I have set this block of memory to 00 in Olly, and continued, but I eventually get to an attempt to access 87000, which doesn't exist in the dumped target, but does in the ASProtected target??

Can anyone point me to the next step?

Thanks,

--
bedrock