Quote:
|
Originally Posted by Hero
1- Dump the running program with LordPE while the browser is showing.
|
Probably the problem is here: dump the program when it reaches the second-layer EP (use Olly to set a hardware bp) and use that address as the EP of the dump.
Quote:
|
Originally Posted by Hero
Now this dump should work and show something (I heard that I should see something
about an error in ActiveMark),...
|
Exactly, I've done it and I obtain a msgbox saying: "Unable to start ActiveMark client engine due to an internal error."
I will try to attach my dump.
@imagin:
The image I tried to attach in my last post contained the following dump; it's my old target, and here you can see, after TdnAVpF@, the dword 001F9903, which is the RVA of the second-layer EP (so add 400000 for the address in Olly).
Code:
0014D370 58 23 55 00 00 00 00 00 2E 3F 41 56 5F 63 6F 6D X#U......?AV_com
0014D380 5F 65 72 72 6F 72 40 40 00 00 00 00 00 00 00 00 _error@@........
0014D390 54 64 6E 41 56 70 46 40 03 99 1F 00 71 A5 06 00 TdnAVpF@.™..q¥..
0014D3A0 E0 DE 0B 00 4C 06 00 00 63 31 36 38 34 35 39 64 àÞ..L...c168459d
0014D3B0 33 38 65 35 31 62 32 33 63 38 37 63 38 64 63 65 38e51b23c87c8dce
0014D3C0 35 34 37 31 37 66 34 35 00 00 00 00 00 00 00 00 54717f45........
You can see that the pattern is a bit different from the previous version of the packer, i.e.:
Code:
001636D0 74 77 61 72 65 5C 00 00 54 64 6E 41 43 42 B9 3F tware\..TdnACB¹?
001636E0 AE 4F 26 00 64 0B 0C 00 00 65 0F 00 00 03 00 00 ®O&.d....e......
001636F0 34 37 32 36 36 62 34 66 35 63 64 62 39 65 33 35 47266b4f5cdb9e35
00163700 61 35 30 63 37 65 37 63 34 36 38 66 63 37 30 31 a50c7e7c468fc701
Remember that the important parts are "TdnA" and the long hex number that follows. Hope this helps,
Bye
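A small script that does the lookup described in the post, added here as an example (it is not Hero's code and not the original poster's): it parses the two dumps quoted above, finds the "TdnA" tag, reads the little-endian dword right after it as the second-layer EP RVA, adds the 0x400000 image base to get the address to use in Olly, and pulls out the long hex string. The 8-byte tag width, the position of the dword, the image base and the 32-digit length of the hex string are assumptions taken from the two dumps shown, not rules documented anywhere.

```python
import re
import struct

# Constructed input: the hex columns of the two dumps quoted in the post
# (new packer version first, older version second). Only the address and
# the 16 byte columns are kept; the ASCII column is dropped.
NEW_PACKER_DUMP = """
0014D370 58 23 55 00 00 00 00 00 2E 3F 41 56 5F 63 6F 6D
0014D380 5F 65 72 72 6F 72 40 40 00 00 00 00 00 00 00 00
0014D390 54 64 6E 41 56 70 46 40 03 99 1F 00 71 A5 06 00
0014D3A0 E0 DE 0B 00 4C 06 00 00 63 31 36 38 34 35 39 64
0014D3B0 33 38 65 35 31 62 32 33 63 38 37 63 38 64 63 65
0014D3C0 35 34 37 31 37 66 34 35 00 00 00 00 00 00 00 00
"""

OLD_PACKER_DUMP = """
001636D0 74 77 61 72 65 5C 00 00 54 64 6E 41 43 42 B9 3F
001636E0 AE 4F 26 00 64 0B 0C 00 00 65 0F 00 00 03 00 00
001636F0 34 37 32 36 36 62 34 66 35 63 64 62 39 65 33 35
00163700 61 35 30 63 37 65 37 63 34 36 38 66 63 37 30 31
"""

# Assumptions (only observed in the two dumps, not stated as rules anywhere
# in the post): the marker is an 8-byte tag starting with "TdnA", the
# little-endian dword right after it is the second-layer EP RVA, the image
# base is 0x400000 ("add 400000"), and the "long hex number" is a run of at
# least 32 lowercase hex digits somewhere after the tag.
IMAGE_BASE = 0x400000
TAG = b"TdnA"
TAG_LEN = 8
HEX_RUN = re.compile(rb"[0-9a-f]{32,}")


def parse_hexdump(text):
    """Turn 'ADDR b0 b1 ... b15' lines into (start_address, bytes)."""
    start = None
    buf = bytearray()
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields:
            continue
        if start is None:
            start = int(fields[0], 16)
        buf += bytes(int(h, 16) for h in fields[1:])
    return start, bytes(buf)


def find_tdna_markers(data, start_address, image_base=IMAGE_BASE):
    """Locate every 'TdnA' tag and decode the fields that follow it."""
    hits = []
    pos = 0
    while True:
        idx = data.find(TAG, pos)
        if idx < 0 or idx + TAG_LEN + 4 > len(data):
            break
        rva = struct.unpack_from("<I", data, idx + TAG_LEN)[0]
        m = HEX_RUN.search(data, idx + TAG_LEN)
        hits.append({
            "tag": data[idx:idx + TAG_LEN],
            "tag_address": start_address + idx,
            "ep_rva": rva,
            "ep_va": image_base + rva,  # the address to use in Olly
            "hex_string": m.group(0).decode("ascii") if m else None,
        })
        pos = idx + TAG_LEN
    return hits


def scan_dump_text(text):
    """Parse a pasted hex dump and return the decoded TdnA markers in it."""
    start, data = parse_hexdump(text)
    return find_tdna_markers(data, start)


if __name__ == "__main__":
    for label, dump in (("new", NEW_PACKER_DUMP), ("old", OLD_PACKER_DUMP)):
        for h in scan_dump_text(dump):
            print(f"{label}: tag {h['tag']!r} at {h['tag_address']:08X}, "
                  f"EP RVA {h['ep_rva']:08X} -> VA {h['ep_va']:08X}, "
                  f"hex string {h['hex_string']}")
```

On the new dump this reports the tag TdnAVpF@ at 0014D390 with EP RVA 001F9903 (VA 005F9903 with the assumed base) and the hex string c168459d38e51b23c87c8dce54717f45; on the old dump the dword after the tag is 00264FAE. If a target uses a different image base, pass it as the image_base argument instead of relying on the 0x400000 assumption.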