Exetools  

Go Back   Exetools > General > General Discussion
Reload this Page SVKP 1.32 import problems
Register Forum Rules FAQ Calendar

Notices

 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #4  
Old 05-14-2004, 07:30
nikola nikola is offline
Friend
  
Join Date: Jan 2004
Location: Your head
Posts: 115
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 1 Time in 1 Post
nikola Reputation: 0
Hi,
I'm having trouble with imports too :/
I've been trying to unpack certain app for whole day now. I got dump, eop, i think stolen bytes are good but program crashes. Tracing through exe that crashes i noticed that i didnt resolve one (for now) import correctly. Now i attempt to resolve it correctly by debugging packed app. I run packed app, break on place where this function is called and trace into it. It was very weird. Seems that whole function is in packer code. It never jumps/calls real dll. Btw this is kernel32 function. When function is executed only eax changes and before function executes eax is address inside code section (something like 4xxxxx). BUT result doesnt seem to be parameter dependent. Here is some code (this is some really obfuscated shit):

Code:
00C69B75   9C               PUSHFD
00C69B76   55               PUSH EBP
00C69B77   E8 00000000      CALL 00C69B7C
00C69B7C   5D               POP EBP
00C69B7D   81ED 7C9B0100    SUB EBP,19B7C
00C69B83   50               PUSH EAX
00C69B84   60               PUSHAD
00C69B85   8BEC             MOV EBP,ESP
00C69B87   55               PUSH EBP
00C69B88   29F6             SUB ESI,ESI
00C69B8A   0FBDF6           BSR ESI,ESI
00C69B8D   B9 6E990020      MOV ECX,2000996E
00C69B92   31D2             XOR EDX,EDX
00C69B94   D1C1             ROL ECX,1
00C69B96   29DB             SUB EBX,EBX
00C69B98   D1CE             ROR ESI,1
00C69B9A   29C0             SUB EAX,EAX
00C69B9C   29C3             SUB EBX,EAX
00C69B9E   81EB 9942F43E    SUB EBX,3EF44299
00C69BA4   C1C3 03          ROL EBX,3
.
.
.
and goes on like that.... and then:
Code:
00C69BF3   89E1             MOV ECX,ESP
00C69BF5   81F0 FFFFA262    XOR EAX,62A2FFFF
00C69BFB   01C8             ADD EAX,ECX
00C69BFD   39F3             CMP EBX,ESI
00C69BFF   7E 01            JLE SHORT 00C69C02
00C69C01   F7DB             NEG EBX
00C69C03   FFD0             CALL EAX
where EAX is address in other part of packer code :/ This is all that happens there:
Code:
0012FEC4   8BE5             MOV ESP,EBP
0012FEC6   61               POPAD
0012FEC7   58               POP EAX
0012FEC8   8B85 87AB0100    MOV EAX,DWORD PTR SS:[EBP+1AB87]
0012FECE   5D               POP EBP
0012FECF   9D               POPFD
0012FED0   C3               RETN
So eax gets value of [EBP+1AB87]. What API could this be? It's really annoying :/
Reply With Quote
 

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
svkp infern0 General Discussion 3 06-05-2011 18:34
Import Rebuilding Without Import Table Kerlingen General Discussion 11 01-13-2005 10:24
The new svkp 143 britedream General Discussion 3 09-19-2004 22:22


All times are GMT +8. The time now is 07:14.

Aaron's homepage - Top

Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( Since 1998 )