Killboy
Posted October 16, 2006

Lo

I recently started investigating Reversing Labs Protector a little. Finding OEP isn't very hard, if you know how to proceed (2 easy ways). The only thing I still miss in order to have a working dump is a valid IAT, that's why I started coding an ImpRec plugin. Actually it's nothing hard so far, it is my second ImpRec plugin tho, so don't expect something special. I only have some problems regarding the code, it just won't work...

That's the code:

    // push XXXXXXX
    if (to_trace[0] == 0x68)
    {
        // Get XXXXXXXX in the push XXXXXXX
        DWORD address = *((DWORD*)(to_trace+1));
        address += *((DWORD*)(to_trace+8));
        if (IsBadReadPtr((VOID*)address, 4))
        {
            // Bad pointer!
            UnmapViewOfFile((LPCVOID)dwPtrOutput);
            CloseHandle((HANDLE)hFileMap);
            return (205);
        }
        // Get the value in XXXXXX and write it to the mapped file
        dwPtrOutput = (DWORD*)address;
        // OK
        UnmapViewOfFile((LPCVOID)dwPtrOutput);
        CloseHandle((HANDLE)hFileMap);
        return (200);
    }

The general appearance is like this:

    Push Value1
    Add [ESP], Value2
    Retn

When tracing the IAT with my plug, ImpRec creates some weird message in Win16 kernel deepest system memory error somewhere at 0x77.... Then it traces as if nothing happened but I only get return messages like -2301367103 and stuff like that...

Could anyone please help me with that one?

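The stub layout described in the post above (push Value1 / add [esp], Value2 / retn) can be decoded from a byte buffer with opcode and length checks before the two immediates are summed. This is an added example, not Killboy's plugin code and not part of the ImpRec plugin API; the helper names and the sample byte strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* x86 encoding of the stub, 13 bytes in total:
 *   68 imm32         push Value1
 *   81 04 24 imm32   add  dword ptr [esp], Value2
 *   C3               retn                                  */
#define RLP_STUB_LEN 13

/* Read a little-endian 32-bit value regardless of host byte order. */
static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hypothetical helper: returns 1 and stores Value1 + Value2 in *target
 * when buf holds the complete stub, 0 for anything else. */
static int rlp_decode_stub(const uint8_t *buf, size_t len, uint32_t *target)
{
    if (buf == NULL || target == NULL || len < RLP_STUB_LEN)
        return 0;                               /* truncated read */
    if (buf[0] != 0x68)
        return 0;                               /* not push imm32 */
    if (buf[5] != 0x81 || buf[6] != 0x04 || buf[7] != 0x24)
        return 0;                               /* not add [esp], imm32 */
    if (buf[12] != 0xC3)
        return 0;                               /* not retn */
    /* The CPU adds modulo 2^32, so unsigned wrap-around is intended. */
    *target = rd32le(buf + 1) + rd32le(buf + 8);
    return 1;
}

/* Constructed samples: 0x7C000000 + 0x00801D7B, and a wrapping pair. */
static const uint8_t SAMPLE_STUB[RLP_STUB_LEN] = {
    0x68, 0x00, 0x00, 0x00, 0x7C, 0x81, 0x04, 0x24, 0x7B, 0x1D, 0x80, 0x00, 0xC3 };
static const uint8_t SAMPLE_WRAP[RLP_STUB_LEN] = {
    0x68, 0x00, 0xFF, 0xFF, 0xFF, 0x81, 0x04, 0x24, 0x7B, 0x1E, 0x80, 0x7C, 0xC3 };

int main(void)
{
    uint32_t t = 0;
    if (rlp_decode_stub(SAMPLE_STUB, sizeof SAMPLE_STUB, &t))
        printf("resolved target: 0x%08X\n", (unsigned)t);
    if (rlp_decode_stub(SAMPLE_WRAP, sizeof SAMPLE_WRAP, &t))
        printf("resolved target (wrapped): 0x%08X\n", (unsigned)t);
    return 0;
}
```
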
Vrane
Posted October 16, 2006

the plugin is already coded.. by someone.. (i can remember who??) but if u want to code your own that's ok

http://rapidshare.de/files/36953893/Reversing_l_0.7.rar.html

Killboy (Author)
Posted October 17, 2006

Found the mistake!

It's slightly bigger than the one you posted, but who cares, 6kb in size is quite okay for an ImpRec plugin (written in C++). Was fun doing it and a good exercise in coding ImpRec plugs.

File attached for anyone who wants to have it, but I'd also take the smaller one if it wasn't my plugin... You always trust things more which are selfmade, huh

Here you go: RLP.rar

Killboy (Author)
Posted October 17, 2006

Sorry for double post, just wanted to say that I quickly converted the source to MASM, very easy with the provided example sources shipped with ImpRec.

If anyone cares, it's half as big and probably 1% faster than the other one.

Anyway, it's attached: RLP.rar

Edited October 17, 2006 by KillBoy-PowerHead

ap0x
Posted October 18, 2006

Good, now look at ACProtector IAT redirection. Does it make you laugh?

Edited October 18, 2006 by ap0x

Killboy (Author)
Posted October 18, 2006

Here's the source.

It's the DLL and both sources in C++ and MASM. I'm not totally sure if the C++ code still works, I threw it away after converting to MASM. Now I quickly redid it with the help of the given ImpRec examples and the MASM code... But the MASM sources should work for sure (sorry for the hardcoded paths to the libs and incs, MASM seems to have problems with relative ones, dunno).

@ap0x I have ACProtect installed, I'll take a look at it this afternoon, is it really that simple?

Here you go: RLP.rar