#1
ActiveM***
Hi,
has there been some detailed tutorial on Activ*Mark security? I read everything on this board, on the RCE board, and on Woodmann, but it never works for me: the program crashes all the time, though the import repair is OK. I know the progress from LunarDust too. Something on version 5.3 and higher - thanks.
#2
It's good you read tutorials but you have to know that many times you have to put some effort on your part and use the debugger to guess where and why an unpacked application is crashing.
If you give here your steps that you have taken to unpack that application, I'm sure that some "ActiveMark unpacker people" here can direct you.
Cheers
#3
1) start progg. and dump with PETools (or LordPE)
2) find OEP in dumped.exe (PEiD - detect)
2) launch ImpRec on running progg.
3) find IAT
3) Fix dump Dumped.exe -> Dumped_.exe

EDIT: OEP of the second layer? Everyone writes that they search for it differently, with TRW and SoftICE. I have XP, so TRW is no use. I examine it in Olly, but I don't know how to find the OEP for the second layer.

Last edited by imagin; 03-03-2005 at 19:48.
#4
Unpacking ActiveMark following the steps you said requires dumping the prog and setting the EP of the dump to the packer's second-layer EP.
Are you sure you did it?
#5
I am trying to learn how to unpack ActiveMark myself. For finding the OEP, I am using the PEiD Generic OEP finder. Is there anybody who knows whether this OEP is for layer 2 or not? In addition: if you want to test your algorithm, you can use downloaded Yahoo games. For example, Cubic2 uses ActiveMark and it's only 8-9 MB. Sincerely yours
__________________
I should look out my posts, or JMI gets mad on me!
#6
It's been a very long time since I played with ActiveMark and I don't remember exactly which EP is the one found by PEiD. However, if I remember well, you can find the 2 EPs by opening the UNPACKED file with a hex editor and searching for one of these strings: "?AV_com_error@@" or "TdnA" without quotes (they must be near each other), and right after them there must be 2 recognizable addresses (DWORD).
The first is the second layer EP and the second is the OEP. You need the first; compare it with the one from PEiD. Hope this helps.

Last edited by SystemeD; 03-04-2005 at 19:02. Reason: it's the unpacked file and not the packed one, sorry
#7
I have another question about AM.
An old game (2 years or so) named Codename: Silver has crypted resource files. These files are handled by AM and decrypted in memory, so only the PACKED .exe works correctly. I can dump and fix the .exe, but I really don't know how to unpack those damn resources :-( Maybe someone knows how to deal with this AM trick...