From Collaborative RCE Tool Library

Jump to: navigation, search

AMDUMPV66 V1.0

Tool name: AMDUMPV66 V1.0
Rating: 0.0 (0 votes)
Author: CondZero                        
Website: http://www.accessroot.com/arteam/site/news.php
Current version: v 1.0
Last updated: January 18, 2011
Direct D/L link: http://www.accessroot.com/arteam/site/download.php?view.230
License type: Freeware
Description: Amdumpv66 v1.0 - CondZero [ARTeam]
(see history below for details)

Note: This is a complete replacement for former AMDUMPV6.2!!

Tested under winxp sp3
Should work under w2k, wxp, Vista, Win 7 32 bit

Info:
* new noninvasive loader engine to run & dump activemark v6.2x - 6.6x
Targets.
* Drag & drop capability
* run program from its own folder, no need to copy
Amdumpv66 to target folder to run.
* amdumpv66 will dump activemark v6.2x - v6.6x executables for targets
with both delayed and non delayed imports. For targets with non delayed imports,
the built-in ARTeam ARImpRec (Import Rebuilder) will automatically fix any imports in the dumped file and append a '_' suffix to the end of the dumped file (i.e. dumped.exe >> dumped_.exe).

This program expects this suffix when appending the overlay data automatically for targets that don't use delayed imports. If using a different IAT rebuilding tool, it may be necessary to rename the resultant fixed dump file as described above, or the overlay data will not be appended automatically and you will be required to do this step manually.
* sometimes it may be necessary to view the sections in a pe editor
Program (i.e. lordpe or similar) because the dumper is
Dependent on finding:
(4) .text/.text/.code/.code/etc sections in the executable for delayed import targets and,
(3) .text/.text/.code/.code/etc sections for non delayed import targets.
If (3/4) sections are not found, then the executable may not
Be an Activemark v6.2x - 6.6x application!!

Limitations:
* in order to insure the stability of your dumped.exe, it may
be necessary to manually hexedit the dumped file and insert
an instruction which moves hi-values to a dword hi-value variable
used by the GetTickCount api within the 3rd layer (2nd .text)
in the executable. Please refer to the tutorial on dumping
and analyzing activemark v6.2x on the [arteam] tutorial
Link: http://arteam.accessroot.com/tutorials.html?fid=211

Disclaimer:
Not responsible for any damages that result from using this Tool!!

History:
--------------------------------------------
Amdumpv66 - version 1.0 (November 2010)
1. Updated ARTeam import rebuilder v1.7.5 (Nacho_dj) for targets
that don't use the delayed imports option
2. More elaborate search and replace scheme used for allocated and referenced
VM DWORDS used in the target process
3. Drag & drop AM protected executable file to application
4. Log file is saved to your target folder
Related URLs: No related URLs have been submitted for this tool yet


Screenshot:
Screenshot of AMDUMPV66 V1.0


RSS feed Feed containing all updates for this tool.

You are welcome to add your own useful notes about this tool, for others to see!



If you find that any information for the tool above is missing, outdated or incorrect, please edit it!
(please also edit it if you think it fits well in some additional category, since this can also be controlled)


Views
Category Navigation Tree
   Code Coverage Tools  (13)
   Code Ripping Tools  (2)
   Helper Tools  (3)
   Hex Editors  (13)
   Memory Patchers  (7)
   Packers  (20)
   Profiler Tools  (11)
   String Finders  (10)
   Tool Hiding Tools  (7)
   Tracers  (22)
   Dump Fixers  (5)
   IAT Restore Tools  (6)
   .NET MSIL Dumpers  (2)
   Process Dumpers  (12)
   OEP Finders  (6)
   Needs New Category  (3)