Exetools > General > General Discussion

#1
05-03-2004, 06:24
neogen
Unpacking G6FTP 3.0
Hello,

I'm not new here, but I'm currently starting my first posts. I've downloaded G6FTP 3.0 from hxxp://www.g6ftpserver.com/

The patch from core doesn't run well, so I started to look at it myself.
I was unpacking the service of it with stripper. After unpacking, the service doesn't run anymore; it crashes with a memory error. So I think the OEP isn't correct after unpacking with stripper. I'm new to OllyDbg and I haven't got anything right with it so far.

Can somebody help me with unpacking the service of G6FTP?

Thanks, neogen

PS: Don't blame me if it's the wrong forum... Thanks

Last edited by neogen; 05-03-2004 at 06:26.
#2
05-03-2004, 06:37
bLACK oUT
I don't know stripper, sorry.
Did stripper automatically fix the imports?

If not, you have to do this with ImpRec, for example, and it's possible that you have to set the new OEP with a PE editor.

Edited:

Just downloaded stripper.
OK, it fixes the imports, but it will not repair stolen bytes, so you have to do this by hand. Better search for a few tutorials which explain this better.

Last edited by bLACK oUT; 05-03-2004 at 06:55.
#3
05-03-2004, 15:55
SvensK
Here's the OEP and stolen bytes for ya. Hope it helps.

00573E64 55 PUSH EBP
00573E65 8BEC MOV EBP,ESP
00573E67 83EC 10 SUB ESP,10
00573E6A 53 PUSH EBX
00573E6B B8 A8405700 MOV EAX,G6FTPAdm.005740A8

Edit: This is for the Remote Admin .exe, btw.
#4
05-03-2004, 16:19
bedrock
Interesting thread. I'd been looking at this target myself, but the CORE crack seems to be working fine here. Also I've been looking at how the CORE crack works, and I like the way they have used DLL injection to change a jmp in the service and also write out a 02 byte to set it from trial to standard mode.

What I couldn't figure out was that the memory address this 02 byte is written to didn't seem to be read by the service (at least my bpm 0xaddress rw in SoftICE didn't seem to be hit). I assume this is some kind of ASPR variable that the main program accesses.

Also stripper worked fine on the Remote Admin exe for me, but like the OP said it didn't work on the service (but as black_out says it only fails on stolen bytes), so it was enough for disassembly...

--
bedrock
#5
05-03-2004, 20:34
neogen
Hi bedrock,

The core patch ruined SSL. First you need to create an SSL certificate and then a new domain. When you add a new domain, an error message appears. You will not be able to add a domain until all SSL certificates are deleted. That's the problem... So I would like to fix this problem using another approach to patch it.

Also Remote Admin runs fine here unpacked... The problem is the service...

Cheers, neogen
#6
05-03-2004, 21:16
bedrock
Hi neogen,

I already have a domain with implicit SSL enabled and it's running fine here, but I tried what you said and created new domains, and they were also created OK.

I'm not sure how the core patch would break SSL, as they only added a new section to the original SSL DLL, with one additional import in it, which loads an import from lic.key (which is really a PE file) and runs the patch code to change one jmp @ 0x490776 and write 0x02 to 0x4bd4f8. Now I understand the jmp from the disassembly of the service. Maybe a value different from 0x02 will make a pro version instead of just the standard version, but I have tried a few different values, and it doesn't seem to work out.
--
bedrock

Last edited by bedrock; 05-03-2004 at 21:19.