Thread: ActiveM***
  #10  
03-05-2005, 04:50
imagin
 
OK - same progress as with HERO (the other target) - same problem - why?

Code:
006C7593 >  55              PUSH    EBP                          <<<<-------------- OEP by PEiD
006C7594    8BEC            MOV     EBP, ESP
006C7596    6A FF           PUSH    -1
006C7598    68 C8CB5E00     PUSH    dumped_.005ECBC8
006C759D    68 70D96C00     PUSH    dumped_.006CD970
006C75A2    64:A1 00000000  MOV     EAX, DWORD PTR FS:[0]
006C75A8    50              PUSH    EAX
006C75A9    64:8925 0000000>MOV     DWORD PTR FS:[0], ESP
006C75B0    83EC 58         SUB     ESP, 58

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

006C7619    FF15 60B16E00   CALL    NEAR DWORD PTR DS:[6EB160]       ; kernel32.GetCommandLineA
006C761F    A3 44766E00     MOV     DWORD PTR DS:[6E7644], EAX
006C7624    E8 7E5E0000     CALL    dumped_.006CD4A7
006C7629    A3 A85E6E00     MOV     DWORD PTR DS:[6E5EA8], EAX
006C762E    E8 275C0000     CALL    dumped_.006CD25A
006C7633    E8 695B0000     CALL    dumped_.006CD1A1
006C7638    E8 A2390000     CALL    dumped_.006CAFDF                  ------------ ?????CALL ------'
006C763D    8975 D0         MOV     DWORD PTR SS:[EBP-30], ESI                                     ' 
006C7640    8D45 A4         LEA     EAX, DWORD PTR SS:[EBP-5C]                                     ' 
006C7643    50              PUSH    EAX                                                            '      
006C7644    FF15 F8B16E00   CALL    NEAR DWORD PTR DS:[6EB1F8]       ; kernel32.GetStartupInfoA    '
                                                                                                   '
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX                             '
                                                                                                   '
005F3FFE    8B46 04         MOV     EAX, DWORD PTR DS:[ESI+4]  <<<<-------------- ACCESS VIOLATION-
005F4001    FF70 04         PUSH    DWORD PTR DS:[EAX+4]
005F4004    E8 D4000000     CALL    dumped_.005F40DD
005F4009    EB 35           JMP     SHORT dumped_.005F4040
005F400B    8379 20 00      CMP     DWORD PTR DS:[ECX+20], 0
005F400F  ^ 74 AD           JE      SHORT dumped_.005F3FBE
005F4011    3B30            CMP     ESI, DWORD PTR DS:[EAX]
005F4013    75 0A           JNZ     SHORT dumped_.005F401F
005F4015    8BF0            MOV     ESI, EAX
005F4017    8BCB            MOV     ECX, EBX
005F4019    56              PUSH    ESI
005F401A    E8 BE000000     CALL    dumped_.005F40DD
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
005E5028  FD 83 8F AF 06 94 7D 11 E4 2D DE 9F CE D2 C8 04  ......}..-......
005E5038  DD A6 D8 0A 00 00 00 00 C0 CB 5E 00 00 00 00 00  ..........^.....
005E5048  2E 3F 41 56 5F 63 6F 6D 5F 65 72 72 6F 72 40 40  .?AV_com_error@@ <<<-----magic string????
005E5058  00 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00  ................
005E5068  30 FF 5E 00 23 FF 5E 00 1D FF 5E 00 C4 FE 5E 00  0.^.#.^...^...^.
EDIT:
Here is the signature I found for ActiveMark, for PEiD (without version detection):

[ActiveMark -> Trymedia]
signature = 79117fab9a4a83b5c96b1a48f927b425
ep_only = True

Last edited by imagin; 03-07-2005 at 06:07.
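The post leans on two things worth being able to check by hand rather than trusting the tool: whether the bytes at a claimed OEP really match a PEiD-style entry-point signature (PEiD's userdb.txt holds `[name]` / `signature = ...` / `ep_only = ...` entries, where the signature is a hex byte pattern with `??` wildcards and `ep_only` means the pattern is tested only at the entry point), and what the `.?AV_com_error@@` string in the dump is (an MSVC RTTI TypeDescriptor name for the class `_com_error`). The following is an added example written for this page, not the poster's code and not PEiD's own code or database. The sample byte buffer is constructed from the prologue bytes in the OllyDbg listing and the hex dump above; the userdb entries are written here from that prologue (the two PUSH immediates, which are per-binary SEH frame pointers, are wildcarded) and are not claimed to be entries from any shipped PEiD database. `pe_entry_point_file_offset` is included so the same check can be run on a real dump file by locating AddressOfEntryPoint through the section table.

```python
"""PEiD-style entry-point signature check and MSVC RTTI type-name scan.

Added example for this page; sample data is constructed, userdb entries are
written from the listing and are not from a real PEiD database.
"""
import re
import struct
from typing import Dict, List, Optional, Tuple

# Constructed sample: the 32 bytes OllyDbg shows at the OEP candidate 006C7593
# (PUSH EBP ... SUB ESP,58), embedded in filler, followed by the RTTI string
# seen in the hex dump. This is not a real file image.
OEP_BYTES = bytes.fromhex(
    "55 8B EC 6A FF 68 C8 CB 5E 00 68 70 D9 6C 00 "
    "64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58"
)
SAMPLE_EP_OFFSET = 0x40
SAMPLE_IMAGE = (b"\x90" * SAMPLE_EP_OFFSET + OEP_BYTES + b"\xCC" * 0x20
                + b"\x00" * 4 + b".?AV_com_error@@\x00\x00")

# Hypothetical userdb.txt text in PEiD's [name]/signature/ep_only layout.
# The wildcards cover the two PUSH immediates (SEH frame pointers), which
# differ per binary; the rest is the CRT startup prologue from the listing.
USERDB_TEXT = """
[MSVC CRT startup prologue (example entry)]
signature = 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58
ep_only = true

[Generic pushad/call/pop stub (example entry)]
signature = 60 E8 ?? ?? ?? ?? 5D 81 ED
ep_only = true
"""

Pattern = List[Optional[int]]  # None stands for a ?? wildcard byte


def parse_userdb(text: str) -> List[Dict]:
    """Parse [name] sections; 'signature' becomes a wildcard-aware byte list."""
    sigs: List[Dict] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = {"name": line[1:-1], "pattern": [], "ep_only": True}
            sigs.append(cur)
        elif cur is not None and "=" in line:
            key, _, val = line.partition("=")
            key, val = key.strip().lower(), val.strip()
            if key == "signature":
                cur["pattern"] = [None if t == "??" else int(t, 16) for t in val.split()]
            elif key == "ep_only":
                cur["ep_only"] = val.lower() == "true"
    return [s for s in sigs if s["pattern"]]


def pattern_matches_at(data: bytes, off: int, pattern: Pattern) -> bool:
    """True if pattern (with wildcards) matches data exactly at offset off."""
    if off < 0 or off + len(pattern) > len(data):
        return False
    return all(p is None or data[off + i] == p for i, p in enumerate(pattern))


def identify(data: bytes, ep_offset: int, sigs: List[Dict]) -> List[Tuple[str, int]]:
    """(name, offset) for each matching entry: ep_only entries are tested only
    at the entry point, as PEiD does; the others anywhere in the buffer."""
    hits = []
    for s in sigs:
        if s["ep_only"]:
            if pattern_matches_at(data, ep_offset, s["pattern"]):
                hits.append((s["name"], ep_offset))
        else:
            for off in range(len(data) - len(s["pattern"]) + 1):
                if pattern_matches_at(data, off, s["pattern"]):
                    hits.append((s["name"], off))
                    break
    return hits


# MSVC RTTI TypeDescriptor names: '.?AV' = class, '.?AU' = struct; scopes are
# listed inner-to-outer, each ended by '@', and the list ends with a second '@'.
RTTI_NAME_RE = re.compile(rb"\.\?A[UV]([A-Za-z0-9_]+(?:@[A-Za-z0-9_]+)*)@@")


def find_rtti_class_names(data: bytes) -> List[Tuple[int, str]]:
    """Scan for RTTI type names and decode them to C++ scoped names."""
    return [(m.start(), "::".join(reversed(m.group(1).decode().split("@"))))
            for m in RTTI_NAME_RE.finditer(data)]


def pe_entry_point_file_offset(pe: bytes) -> int:
    """File offset of AddressOfEntryPoint in a PE file via the section table.
    For a raw dump whose raw pointers equal RVAs this reduces to the RVA."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                       # optional header follows 20-byte COFF header
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    for i in range(num_sections):
        hdr = opt + opt_size + i * 40          # IMAGE_SECTION_HEADER is 40 bytes
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, hdr + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            return entry_rva - vaddr + rawptr
    raise ValueError("entry point outside all sections")


if __name__ == "__main__":
    import sys
    data, ep = SAMPLE_IMAGE, SAMPLE_EP_OFFSET
    if len(sys.argv) > 1:                      # e.g. python sigcheck.py dumped_.exe
        data = open(sys.argv[1], "rb").read()
        ep = pe_entry_point_file_offset(data)
    print("EP offset 0x%X:" % ep, identify(data, ep, parse_userdb(USERDB_TEXT)))
    print("RTTI names:", find_rtti_class_names(data))
```

Run without arguments it checks the constructed sample; with a dumped file as argument it reads the real entry point from the headers. If the prologue entry matches at the header's entry point but execution still faults later (as in the post, inside the call at 006C7638), the OEP itself is consistent with a CRT startup and the problem is more likely in what the dump contains past it, which is exactly what this check is meant to separate.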