Exetools  

#1
05-03-2004, 06:24
neogen
Unpacking G6FTP 3.0

Hello,

I'm not new here, but I'm currently starting my first posts. I've downloaded G6FTP 3.0 from hxxp://www.g6ftpserver.com/

The patch from CORE doesn't run well, so I started to look at it myself.
I was unpacking the service of it with stripper. After unpacking, the service doesn't run anymore. It will crash with a memory error. So I think the OEP isn't correct after unpacking with stripper. I'm new to OllyDbg and I haven't got anything right with it till now.

Can somebody help me with unpacking the service of G6FTP?

Thanks, neogen

PS: Don't blame me if it's the wrong forum... Thanks

Last edited by neogen; 05-03-2004 at 06:26.
#2
05-03-2004, 06:37
bLACK oUT
I don't know stripper, sorry.
Did stripper automatically fix the imports?

If not, you have to do this with ImpRec for example, and it's possible that you have to set the new OEP with a PE editor.

Edited:

Just downloaded stripper
Ok, it fixes the imports, but it will not repair stolen bytes. So you have to do this by hand. Better search for a few tutorials which explain this better.

Last edited by bLACK oUT; 05-03-2004 at 06:55.
#3
05-03-2004, 15:55
SvensK
Here's OEP and stolen bytes for ya. Hope it helps.

00573E64 55 PUSH EBP
00573E65 8BEC MOV EBP,ESP
00573E67 83EC 10 SUB ESP,10
00573E6A 53 PUSH EBX
00573E6B B8 A8405700 MOV EAX,G6FTPAdm.005740A8

Edit: This is for the Remote Admin .exe btw.
#4
05-03-2004, 16:19
bedrock
Interesting thread. I'd been looking at this target myself, but the CORE crack seems to be working fine here. Also, I've been looking at how the CORE crack works, and I like the way they have used DLL injection to change a jmp in the service and also write out a 02 byte to set from trial to standard mode.

What I couldn't figure out was that the memory address this 02 byte is written to didn't seem to be read by the service (at least my bpm 0xaddress rw in SoftICE didn't seem to be hit). I assume this is some kind of ASPR variable that the main program accesses.

Also, stripper worked fine on the remote admin exe for me, but like the OP said it didn't work on the service (but as black_out says it only fails on stolen bytes), so it was enough for disassembly...

--
bedrock
#5
05-03-2004, 20:34
neogen
Hi bedrock,

The CORE patch ruined SSL. First you need to create an SSL certificate and then a new domain. When you add a new domain, an error message comes up. You will not be able to add a domain until all SSL certificates are deleted. That's the problem... So I would like to fix this problem by using another approach to patch it.

Also remote Admin runs fine here unpacked... The problem is the service...

Cheers, neogen
#6
05-03-2004, 21:16
bedrock
Hi neogen,

I already have a domain with implicit SSL enabled and it's running fine here, but I tried what you said and created new domains, and they were also created OK.

I'm not sure how the CORE patch would break SSL, as they only added a new section to the original SSL DLL, with one additional import in it, which loads an import from lic.key (which is really a PE file) and runs the patch code to change one jmp @ 0x490776 and write 0x02 to 0x4bd4f8. Now I understand the jmp from the disassembly of the service. Maybe a different value from 0x02 will make a pro version instead of just the standard version, but I have tried a few different values, and it doesn't seem to work out.
--
bedrock

Last edited by bedrock; 05-03-2004 at 21:19.
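
Added example, not part of the original posts: a defensive check for the two artifacts described in post #6, a PE file stored under a data extension (lic.key) and a DLL that has gained a section compared with a trusted copy. The name ssl_library.dll, the section names and the sample bytes are constructed for illustration.

```python
import struct

def build_pe(section_names):
    """Constructed, header-only PE32 image used as sample input (no code in it)."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)      # e_lfanew at 0x3C -> 0x40
    opt = struct.pack("<H", 0x10B) + b"\x00" * 222           # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x2102)
    table = b"".join(n.encode().ljust(8, b"\x00") + b"\x00" * 32 for n in section_names)
    return dos + b"PE\x00\x00" + coff + opt + table

def pe_sections(data):
    """Return the section names if data is a PE image, otherwise None."""
    if len(data) < 64 or data[:2] != b"MZ":
        return None
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    nsect, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    if table + 40 * nsect > len(data):
        return None                                          # truncated section table
    return [data[o:o + 8].rstrip(b"\x00").decode("latin-1")
            for o in range(table, table + 40 * nsect, 40)]

def audit(files, baseline):
    """files: {name: bytes}; baseline: {name: [sections]} taken from a trusted copy."""
    findings = []
    for name, data in sorted(files.items()):
        sections = pe_sections(data)
        if sections is None:
            continue
        if not name.lower().endswith((".exe", ".dll")):
            findings.append((name, "PE image under a non-executable extension"))
        extra = [s for s in sections if s not in baseline.get(name, sections)]
        if extra:
            findings.append((name, "sections not in trusted copy: " + ", ".join(extra)))
    return findings

# Constructed sample install directory and baseline (hypothetical names).
BASELINE = {"ssl_library.dll": [".text", ".rdata", ".data", ".reloc"]}
FILES = {
    "ssl_library.dll": build_pe([".text", ".rdata", ".data", ".reloc", ".patch"]),
    "lic.key": build_pe([".text"]),
    "settings.ini": b"[server]\nport=21\n",
}

if __name__ == "__main__":
    for name, reason in audit(FILES, BASELINE):
        print(f"{name}: {reason}")
```

Comparing file hashes against the vendor's originals catches more than this; the section diff only mirrors the specific change described above.
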
#7
05-04-2004, 02:40
neogen
Hi bedrock,

I got no domain running and all things are plain installed. Then the error comes up on my machine here. It's a Windows XP Pro English with SP1. I don't know if the error comes up on all machines, but I have some friends who also tried it and they can reproduce the error with plain empty settings. So I will try to make another patch which changes the service and not the SSL DLL. It's only for fun. I will try to use the shareware for adding the first domain and then try the patched one out.

Thanks for the help, but who can help me with unpacking the service exe, without killing the service itself? I will try the lesson with OllyDbg and ImpRec in the next hours when I'm back at home.

Cheers and thanks for the fish, neogen
#8
05-04-2004, 02:46
Crk
AsprDbgr_build_101.exe makes a good dump of it... just make sure to kill the server and open it with the debugger. When you see the finish message with ?, then you'll be able to dump with LordPE, find/set the OEP and fix imports with ImpRec, and all done... By the way, I saw today that the TSRh team released a CRACKED exe for this one without using any DLL to crack it... try that one...
#9
05-04-2004, 05:05
IWarez
There is indeed something not working.

Steps to reproduce error:
1. Start empty
2. Create a certificate
3. Try to create a domain, you'll see an error

Also, when I tried to create a domain and make it create a certificate it works but then I couldn't access my domain properties.

I wonder whether CORE was too lazy to unpack the .exe or whether they discovered so many traps in the packed .exe that they decided this would be easier. Anyway, back to the drawing board, CORE
#10
05-04-2004, 08:45
neogen
Quote:
Originally Posted by Crk
AsprDbgr_build_101.exe makes a good dump of it... just make sure to kill the server and open it with the debugger. When you see the finish message with ?, then you'll be able to dump with LordPE, find/set the OEP and fix imports with ImpRec, and all done... By the way, I saw today that the TSRh team released a CRACKED exe for this one without using any DLL to crack it... try that one...

The TSRh release works fine, I've seen it. But I will also try unpacking that thing for the learning process

Where can i get the AsprDbgr?

Cheers, neogen
#11
05-04-2004, 09:50
MrAnonymous
Yup, same thing happened on my machine here, so definitely not just you!

Where can i get the AsprDbgr?
Try the search button as usual, I believe it was posted in Software Releases.
Quote:
Originally Posted by IWarez
There is indeed something not working.

Steps to reproduce error:
1. Start empty
2. Create a certificate
3. Try to create a domain, you'll see an error

Also, when I tried to create a domain and make it create a certificate it works but then I couldn't access my domain properties.

I wonder whether CORE was too lazy to unpack the .exe or whether they discovered so many traps in the packed .exe that they decided this would be easier. Anyway, back to the drawing board, CORE

Last edited by MrAnonymous; 05-04-2004 at 09:55.
#12
05-04-2004, 10:11
Crk
This exe has many CRC checks after detecting that ASPR is no longer present, also some invalid stuff left by ASPR after unpacking, stolen bytes etc. The best idea is inline patching it to ensure you'll have a fully working exe; however, if you're too much of a newbie I wouldn't recommend you start with this target...

Regards
#13
05-04-2004, 16:46
SvensK
Hmm, NOD32 displays a virus warning when trying to access that cracked .exe by TSRh. Did anyone else run into this problem?
#14
05-04-2004, 16:55
bedrock
@Crk,

I downloaded AsprDbgr_build_106, but I don't know how to make a good dump of it... It asks loads of questions about dips. I have been reading about ASPR and dips, but I don't know what I need to do with these dips. Whichever point I dump at, after fixing imports it always crashes with a Delphi 216 runtime error?

more reading is needed...

--
bedrock
#15
05-04-2004, 19:10
neogen
Quote:
Originally Posted by SvensK
Hmm, NOD32 displays a virus warning when trying to access that cracked .exe by TSRh. Did anyone else run into this problem?
Yeah, I also have a warning here. This should be a virus, some others have the same problem... Kill it.

We should do it on our own

Cheers, neogen

Last edited by neogen; 05-04-2004 at 19:15.
All times are GMT +8.