Jump to content
Tuts 4 You

Rlp Imprec Plugin - Need Help :/


Killboy

Recommended Posts

Lo :D

I recently started investigating Reversing Labs Protector a little.

Finding OEP isn't very hard, if you know how to proceed (2 easy ways)

The only thing I still miss in order to have a working dump is a valid IAT, that's why i started coding an ImpRec plugin.

Actually it's nothing hard so far, it is my second ImpRec plugin tho, so don't expect something special.

I only have some problems regarding the code, it just won't work...

That's the code:

	// push XXXXXXX
if (to_trace[0] == 0x68)
{
// Get XXXXXXXX in the push XXXXXXX
DWORD address = *((DWORD*)(to_trace+1));
address += *((DWORD*)(to_trace+8)); if (IsBadReadPtr((VOID*)address, 4))
{
// Bad pointer!
UnmapViewOfFile((LPCVOID)dwPtrOutput);
CloseHandle((HANDLE)hFileMap);
return (205);
} // Get the value in XXXXXX and write it to the mapped file dwPtrOutput = (DWORD*)address;
// OK
UnmapViewOfFile((LPCVOID)dwPtrOutput);
CloseHandle((HANDLE)hFileMap);
return (200);
}

The general appearance is like this:

Push Value1

Add [ESP], Value2

Retn

When tracing the IAT with my plug ImpRec creates some weird message in Win16 kernel deepest system memory error somewhere at 0x77....

Then it traces as if nothing happened but I only get return messages like -2301367103 and stuff like that...

Could anyone please help me with that one ?

Link to comment

the plugin is already coded.. :) by someone.. (i can remember who?? ) :dunno:

but if u want to code your own thats ok :)


/>http://rapidshare.de/files/36953893/Reversing_l_0.7.rar.html

Link to comment

Found the mistake !

It's slightly bigger than the one you posted, but who cares :P

6kb in size is quite okay for an imprec plugin (written in c++)

Was fun doing it and a good exercise in coding ImpRec plugs :)

File attached for anyone who wants to have it, but I'd also take the smaller one if it wasn't my plugin...

You always trust things more which are selfmade, huh ;)

Here you go:

RLP.rar

Link to comment

Sorry for double post, just wanted to say that I quickly converted the source to MASM, very easy with the provided example sources shipped with ImpRec :)

If anyone cares, it's half as big and probably 1%faster than the other one.

Anyway, it'sattached :P

RLP.rar

Edited by KillBoy-PowerHead
Link to comment

Here's the source :)

It's the DLL and both sources in C++ and MASM.

I'm not totally sure if the C++ code still works, I threw it away after converting to MASM :o

Now I quickly redid it with the help of the given ImpRec examples and the MASM code...

But the MASM sources should work for sure (sorry for the hardcoded paths to the libs and incs, MASM seems to have problems with relative ones, dunno )

@ap0x

I have ACProtect installed, I'll take a look at it this afternoon, is it really that simple ?

Here you go:

RLP.rar

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...