05-25-2005, 22:03
Nacho_dj
Clearing some points...

You are right, imagin: unpacking is not the main problem, the nop + call rebuilding is.

OK, as far as I know, up to the 5.31.1140 AM release you can find the "nop + call" equivalent of the good call in what I call the AM equivalences table.

Where? Once you have unpacked the AM-protected program, open a hex editor and search for one of these strings:
'PEStub', 'machine.', 'reason='.

If one of them is followed by some zeros, then you can find the equivalences table behind it, as I mentioned in the ActiveM*** thread.

This table has elements that consist of two fields.

If you are lucky you will find this:
- First field: a word that is a pointer to the name of a DLL function; for instance: ExitProcess.
- Second field: a word that is the value the call invokes, the call that is preceded by a nop; for instance, value = 537562, which would then be 'nop call 00537562'.

This repeats until all the pointer-value equivalences are covered. Behind the last pair of values, you can find pointers to the DLL names.

But sometimes you only find the first field, and the second is zero throughout the whole equivalences table. No values for calls here.


You only need one program per release with the equivalences complete (first and second field not equal to zero) to build a generic AM unpacker/rebuilder.

What procedure do you have to follow? This simple one:
Take the second field of one element in the table (e.g. 537562), subtract the image base from it (e.g. 400000), then subtract the offset of the AM section, i.e., the section where the information about the AM release is located (e.g. B0000).
Then, in the example I have chosen, you will get the following value: 537562 - 400000 - B0000 = 87562 = AM equivalence for ExitProcess

Take this value and put it in a table. Every time you rebuild a new program of that AM release (it has to be exactly the same release), do the same but in reverse:

AM equivalence + image base + AM section offset = value that is invoked in a 'nop call value'; then replace this nop + call with a call to ExitProcess.

The same for all the values found in AM redirections (nop + call).

And that's all; you have recovered the original calls of the program.


I have done this in my rebuilder and it is working for every program that belongs to the same release.


Of course, you need to rebuild the import table too, because it is affected by several changes that leave it in a bad state, another AM change. This you can do with an import rebuilder, but ImpRec does not work well in several situations where ordinals and not function names are used, so I have built a procedure in my 'still in development' program that corrects this.


The OEP is not a problem; it is a field always n x 16 positions behind the '_com_err' string, with 'n' a small integer value.


I do not know how the AM packer works, only how to rebuild the AM calls.


Tell me if this is working for you...


Cheers!


Nacho_dj
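The two-step procedure described in the post (derive the equivalence from one fully populated table, then map the `nop + call` targets of another binary of the same release back to API names), carried through as an added example. This is not the poster's rebuilder, and the table layout is an assumption made for the example, not ActiveMARK's real format: pairs of 32-bit little-endian dwords (name pointer, redirect value) behind the marker string and its zero padding, ended by a zero pair, with the sample blob treated as mapped at the image base so that file offset equals RVA. "AM section offset" is taken to be the section's RVA, the IAT slots are constructed, and the patched-in instruction is `call dword ptr [slot]` (FF 15 imm32), chosen because it is the same 6 bytes as `nop; call rel32`.

```python
import struct

# Added example, not the poster's code. Layout assumptions (see lead-in): the table
# is a run of (name_va, redirect_va) "<II" pairs behind a marker and its zero padding,
# ended by a zero pair; the blob is mapped at image_base with file offset == RVA;
# "AM section offset" is the section's RVA.

MARKERS = (b"PEStub", b"machine.", b"reason=")

def build_sample_table(image_base, names, values, marker=b"PEStub"):
    """Constructed test data: marker, 4 zero bytes, table, zero terminator, names."""
    header = marker + b"\x00" * 4
    names_start = len(header) + (len(names) + 1) * 8
    entries, name_blob = b"", b""
    for name, value in zip(names, values):
        entries += struct.pack("<II", image_base + names_start + len(name_blob), value)
        name_blob += name.encode() + b"\x00"
    return header + entries + struct.pack("<II", 0, 0) + name_blob

def find_table(blob):
    """Return the offset just past a marker string that is followed by zero bytes."""
    for m in MARKERS:
        pos = blob.find(m)
        if pos < 0:
            continue
        end = pos + len(m)
        if end >= len(blob) or blob[end] != 0:
            continue                      # marker present but not followed by zeros
        while blob[end] == 0:
            end += 1
        return end
    raise ValueError("no marker followed by zeros; equivalence table not found")

def read_table(blob, image_base):
    """Walk (name pointer, call value) pairs until the zero pair."""
    off, pairs = find_table(blob), []
    while True:
        name_va, value = struct.unpack_from("<II", blob, off)
        off += 8
        if name_va == 0 and value == 0:
            return pairs
        name_off = name_va - image_base
        pairs.append((blob[name_off:blob.index(b"\x00", name_off)].decode(), value))

def equivalences(pairs, image_base, am_rva):
    """Step 1: equivalence = value - image_base - am_rva, keyed for reverse lookup.
    A zero second field means this sample's table carries no call values."""
    eq = {}
    for name, value in pairs:
        if value == 0:
            raise ValueError(f"{name}: second field is zero, pick another sample")
        eq[value - image_base - am_rva] = name
    return eq

def redirect_va(equivalence, image_base, am_rva):
    """Step 2 (inverse): the VA a 'nop; call' of another build of the release targets."""
    return equivalence + image_base + am_rva

def rebuild_calls(code, code_va, eq, image_base, am_rva, iat):
    """Patch every 'nop; call rel32' (90 E8 xx xx xx xx) whose target maps through the
    table into 'call dword ptr [iat_slot]' (FF 15 imm32). Both forms are 6 bytes, so
    nothing else in the code moves. Returns the patched bytes and a list of (va, api)."""
    buf, fixed, i = bytearray(code), [], 0
    while i + 6 <= len(buf):
        if buf[i] == 0x90 and buf[i + 1] == 0xE8:
            rel = struct.unpack_from("<i", buf, i + 2)[0]
            target = code_va + i + 6 + rel          # rel32 is relative to the next insn
            name = eq.get(target - image_base - am_rva)
            if name in iat:
                buf[i:i + 6] = b"\xFF\x15" + struct.pack("<I", iat[name])
                fixed.append((code_va + i, name))
                i += 6
                continue
        i += 1
    return bytes(buf), fixed

def demo():
    # Build A: the post's numbers (image 400000, AM section B0000, ExitProcess -> 537562).
    blob = build_sample_table(0x400000, ["ExitProcess", "GetProcAddress"], [0x537562, 0x537588])
    eq = equivalences(read_table(blob, 0x400000), 0x400000, 0xB0000)
    # Build B, same release, different AM section RVA: the redirect targets differ.
    base_b, am_b, code_va = 0x400000, 0xC0000, 0x401000
    code = b"\x90\xE8" + struct.pack("<i", redirect_va(0x87562, base_b, am_b) - (code_va + 6))
    code += b"\x8B\xC8\x33\xC0"                                 # filler: mov ecx,eax ; xor eax,eax
    code += b"\x90\xE8" + struct.pack("<i", redirect_va(0x87588, base_b, am_b) - (code_va + 10 + 6))
    iat = {"ExitProcess": 0x402008, "GetProcAddress": 0x40200C}   # constructed IAT slots
    patched, fixed = rebuild_calls(code, code_va, eq, base_b, am_b, iat)
    return eq, patched, fixed

if __name__ == "__main__":
    eq, patched, fixed = demo()
    print({hex(k): v for k, v in eq.items()}, patched.hex(), [(hex(a), n) for a, n in fixed])
```

Running it prints the equivalence 0x87562 -> ExitProcess derived from the post's figures, then shows both redirected calls in the second build rewritten to IAT calls. The check that matters in practice is the one in `equivalences`: a table whose second fields are all zero (the case the post warns about) cannot seed the mapping, so the code refuses it instead of silently producing keys that match nothing.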