Exetools  

  #16  
Old 05-26-2005, 18:18
Nacho_dj
Hello:

Unfortunately, when the AM equivalences table has the second field set to zero, you need, at least once, to trace the nop + call until a call to a DLL function appears in the obfuscated code. A good way is to always use F8 (so as not to enter the calls in the obfuscated AM code) to get the name of the function that the nop + call is replacing more quickly. After no more than 1 minute of tracing, the function name appears.

Then you have the function name and the value of the AM redirection. Just do as I explained before to fill an equivalences array in your program, which will work for every program protected with the same AM release. The values found for every AM call in your program probably do not cover the entire AM equivalences table, and you have to repeat this tracing procedure every time you face new values in the AM equivalences table. But after several programs (4 or 5) you will probably have found the main redirections for all programs.


If you search for the AM equivalences table in old AM releases, such as 2.x.xx or 4.x.xx, you will easily find it with both fields non-zero, which gives you all the equivalences for your generic rebuilder.


Another issue concerning the import table is that AM erases some DLL functions from the import table.

So, when you replace the nop + call with the correct call, guided by the AM equivalences table, you could end up with an impossible reference because of this.

Then it is necessary to add this 'disappeared function' to the import table. This requires, as you can imagine, rewriting a lot of calls in the program so that they correctly fetch the proper functions.


You see, it is a hard task, but done carefully you will get a good fix for the program.

This has to be written down in a tutorial, I know. Let me first continue testing the rebuilder on all known AM releases.

jonwil, I am trying to attach the rebuilt target but I cannot; I do not know why. Is there another public place where I could put it? Maybe it is the large size (similar to yours) that is preventing the upload.

Cheers!

Nacho_dj
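As an added illustration (not part of Nacho_dj's post and not code from any real rebuilder), here is a small Python model of the rebuild step described above: scan the code for the obfuscated nop + call pairs, map each stub target through the equivalences table to a DLL function, point the call at that function's IAT slot, and append a slot for any function the protector erased from the import table. It assumes a 32-bit target in which each "nop + call rel32" occupies 6 bytes and can be overwritten in place with the 6-byte "call dword ptr [slot]" (FF 15 imm32). The image addresses, the stub range, the sample code bytes and the stub-to-function pairings in the table are all constructed for the example, not recovered from ActiveMark.

```python
import struct

# Constructed layout for the example (not taken from any real ActiveMark target):
# a 32-bit image with its code at VA 0x401000, the import address table (IAT) at
# VA 0x403000, and the protector's redirection stubs living in 0x405000-0x405100.
CODE_VA = 0x00401000
IAT_VA = 0x00403000
STUB_RANGE = (0x00405000, 0x00405100)

# The "equivalences table" from the post, as a dict: stub VA -> (dll, function).
# These pairings are made up for the example; in practice each one is recovered by
# tracing the nop + call with F8 until the real DLL function shows up.
EQUIVALENCES = {
    0x00405000: ("kernel32.dll", "GetModuleHandleA"),
    0x00405010: ("kernel32.dll", "GetProcAddress"),
    0x00405020: ("user32.dll", "MessageBoxA"),
}


def scan_nop_calls(code, code_va, stub_range):
    """Return (offset, target_va) for every `nop; call rel32` whose target lies in
    stub_range. Linear byte scanning is good enough for this constructed buffer; a
    real rebuilder should walk instruction boundaries with a disassembler so that
    a stray 90 E8 inside another instruction is not mistaken for a stub call."""
    hits = []
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0x90 and code[i + 1] == 0xE8:
            rel = struct.unpack_from("<i", code, i + 2)[0]
            # rel32 is relative to the end of the 5-byte call, i.e. offset i + 6
            target = (code_va + i + 6 + rel) & 0xFFFFFFFF
            if stub_range[0] <= target < stub_range[1]:
                hits.append((i, target))
                i += 6
                continue
        i += 1
    return hits


def rebuild_imports(code, code_va, iat, iat_va, equivalences, stub_range):
    """Replace each resolvable `nop; call stub` (6 bytes) with `call dword ptr [slot]`
    (FF 15 imm32, also 6 bytes) pointing at the IAT slot of the real function.
    Functions the protector erased from the import table get a new slot appended,
    which is the 'disappeared function' case from the post. Stub targets missing
    from the equivalences table are reported so they can be traced by hand."""
    code = bytearray(code)
    iat = list(iat)
    patched, unresolved = [], []
    for off, target in scan_nop_calls(code, code_va, stub_range):
        entry = equivalences.get(target)
        if entry is None:
            unresolved.append((off, target))
            continue
        if entry not in iat:
            iat.append(entry)  # re-add the erased function to the import table
        slot_va = iat_va + 4 * iat.index(entry)  # 32-bit image: 4 bytes per IAT slot
        code[off:off + 6] = b"\xFF\x15" + struct.pack("<I", slot_va)
        patched.append((off, entry, slot_va))
    return bytes(code), iat, patched, unresolved


def build_sample_code(code_va):
    """Constructed code section: three nop + call stubs plus some filler."""
    def nop_call(off, target):
        return b"\x90\xE8" + struct.pack("<i", target - (code_va + off + 6))
    code = nop_call(0, 0x00405000)       # GetModuleHandleA, still in the IAT
    code += b"\x33\xC0"                  # xor eax, eax
    code += nop_call(8, 0x00405020)      # MessageBoxA, erased from the IAT by the protector
    code += nop_call(14, 0x00405030)     # stub not yet in the equivalences table
    code += b"\xC3"                      # ret
    return code


def demo():
    original_iat = [("kernel32.dll", "GetModuleHandleA"),
                    ("kernel32.dll", "GetProcAddress")]
    return rebuild_imports(build_sample_code(CODE_VA), CODE_VA, original_iat,
                           IAT_VA, EQUIVALENCES, STUB_RANGE)


if __name__ == "__main__":
    code, iat, patched, unresolved = demo()
    for off, (dll, fn), slot in patched:
        print(f"patched +{off:#06x}: call [{slot:#010x}] -> {dll}!{fn}")
    for off, target in unresolved:
        print(f"unresolved +{off:#06x}: stub {target:#010x} needs tracing")
    print("rebuilt IAT:", iat)
```

Running the model patches the first two stub calls and leaves the third alone, reporting its stub address as the one that still has to be traced; MessageBoxA, absent from the original IAT, gets a new slot at the end. Two caveats for a real target: appending an IAT slot in memory is only half the job, since the PE import descriptors and thunk arrays in the headers must also be rewritten so the loader fills that slot (this model does not write PE headers), and the byte-level scan should be replaced by a disassembler walk so that code bytes which happen to read 90 E8 are not patched by mistake.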