Thread: ActiveM***
#17, 03-16-2005, 17:11
Nacho_dj
Some steps to get the rebuild program

Hello:

I'm testing a fix for the 5.3.1071 AM release. I have got some programs totally recovered, but others not yet; I am just trying to fix the bugs of my "AM fixer" program. When I get good results for all of them, I will tell you about it.

But it is a very good beginning getting "18 Wheels of Steel - Pedal to the Metal". This is the only one (that I have found till today) of the 5.3.1071 AM release that keeps in the dumped code the equivalences for the AM calls, which you can find inside the dumped code as:

401175 nop
401176 call [AM redirection]

If you search in the dumped code (start the program and, when the "you have 60 min left" or similar message displays, dump it, as several people in this thread have said) for the [AM redirection] from above, you'll find it in a table, to the right of another pointer, which points to the name of the correct function. This does not work for any of the other programs I have tested, only this one.

All you have to do is replace the "nop; call [AM redirection]", encoded as 90E8XXXXXXXX, with a call to the pointer of the function that I mentioned before.

Of course, there are other AM redirections, such as:
nop jmp [AM redirection]
nop mov edx, [AM redirection]
nop mov ebx, [AM redirection]
...

All of them are always preceded by a nop; this is a great clue!

OK, I have built a table of 'AM redirections', taking all of the table of AM equivalences, which you can find in the dumped file by searching for:

1. The 'PEStub' string and then six zero bytes; after them the equivalence table begins.
If not found, try point 2.

2. The 'machine.' string; if that fails, try point 3.

3. The 'reason=' string; if that fails, it has to be a different release from the 5.3.1071 AM release.

Then, you have to subtract from each 'AM redirection' the value of the beginning of the section that holds this table, and subtract the image too. With this you can build a table that contains the offsets of every AM redirection, which works for all the AM programs of this release by only adding the beginning of the section that holds the AM equivalences table and adding the image. Try this and you will see.

Well, if this is a little 'dark', I will explain it in a bit more detail in another post.

Be lucky with this!

Cheers from Spain!

Nacho_dj