still trouble. me stupid.


NchantA
November 10th, 2000, 06:52
hello again owl and tsehp+ (and g-rom )

I've RTFM on icedump, and have figured out the /tracex command, tsehp i have posted the routine above for reading, if u would like the target url, feel free to email me.

this is what i have tried:
use sice loader to load the normal.exe, after which the vbox screen pops up,
- set bpx on getprocaddress
I reasoned that since the .dll wouldn't be unpacked until after you press 'try', i would trace from there:
- set a /tracex imagebase imagebase+size
- a jmp eip
- f5, and dump file with peeditor (procdump seems to crash when dumping dll's attached to active threads on my system )

needless to say this didn't work...any idea why? I'm going to try and figure out how to call/use hydra soon ;P

NchantA

thanx all

The Owl
November 10th, 2000, 16:35
Quote:

this is what i have tried:
use sice loader to load the normal.exe, after which the vbox screen pops up,
- set bpx on getprocaddress
I reasoned that since the .dll wouldn't be unpacked until after you press 'try', i would trace from there:
- set a /tracex imagebase imagebase+size
- a jmp eip
- f5, and dump file with peeditor (procdump seems to crash when dumping dll's attached to active threads on my system )


oh-oh, now that would have surprised me if this had worked indeed ;-).

from my recollection on vbox 4.30, the nag/dialog is done from another process other than the target one, so tracing that would not make much sense (i think i told on the other thread that for vbox child process tracing was not needed, now you know why).

also, starting the tracer on a 'jmp eip' won't get you too far either ;-), unless you meant to patch in that 'jmp eip' after the tracer had winice pop up (fyi, it is not needed for /pedump, for external dumpers it is).

next, to have winice break in the correct thread (ie. the one that runs in your target process) you would want to use iceload as loader32 doesn't handle DLLs. also (based on my memory again) vbox plays with the section flags and makes softice unable to break on the (exe or dll) entry point but that should have been taken care of when you have icedump loaded.

so what you do is 'iceload -n target.dll' (to 'n'otify winice about the dll) and then start up your app, click the vbox nag, and next winice should pop up as the target.dll's DllMain gets called the first time. you then use /tracex, etc...
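Added example, not code from this thread, IceDump or The Owl's tools: the two numbers a /tracex range needs (imagebase and imagebase+size) are ImageBase and SizeOfImage in the PE32 optional header, and The Owl's remark about section flags can be checked the same way. The program below parses those fields from a raw PE32 header, prints the /tracex arguments, and reports whether the section holding the entry point is marked executable (a generic check; which flags VBox actually changes is not stated above). The image it parses is a constructed, header-only DLL with made-up values (ImageBase 0x10000000, SizeOfImage 0x6000, a .text and a .data section), so it runs offline without any real target.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Section characteristic bits from the PE/COFF specification. */
#define IMAGE_SCN_CNT_CODE    0x00000020u
#define IMAGE_SCN_MEM_EXECUTE 0x20000000u
#define IMAGE_SCN_MEM_READ    0x40000000u
#define IMAGE_SCN_MEM_WRITE   0x80000000u

/* Little-endian field readers/writers so the parser does not depend on struct packing. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Offset of the PE32 optional header, or 0 if the buffer is not a sane PE32 image. */
static size_t pe_opt_header(const uint8_t *img, size_t len) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t pe = rd32(img + 0x3C);                    /* e_lfanew */
    if ((size_t)pe + 24 + 96 > len) return 0;          /* "PE\0\0" + COFF + PE32 fields up to the data directories */
    if (memcmp(img + pe, "PE\0\0", 4) != 0) return 0;
    size_t opt = pe + 24;
    if (rd16(img + opt) != 0x10B) return 0;            /* PE32 magic; 0x20B would be PE32+ */
    return opt;
}

/* /tracex range: [ImageBase, ImageBase + SizeOfImage). Returns 0 on success, -1 on a bad header. */
int pe_tracex_range(const uint8_t *img, size_t len, uint32_t *start, uint32_t *end) {
    size_t opt = pe_opt_header(img, len);
    if (!opt) return -1;
    uint32_t base = rd32(img + opt + 28);              /* ImageBase */
    uint32_t size = rd32(img + opt + 56);              /* SizeOfImage */
    if (size == 0 || base > 0xFFFFFFFFu - size) return -1;  /* reject empty or wrapping ranges */
    *start = base;
    *end = base + size;
    return 0;
}

/* 1 if the section containing AddressOfEntryPoint has IMAGE_SCN_MEM_EXECUTE, 0 if not, -1 if no section holds it. */
int pe_entry_section_executable(const uint8_t *img, size_t len) {
    size_t opt = pe_opt_header(img, len);
    if (!opt) return -1;
    size_t coff = opt - 20;                            /* COFF header sits right after "PE\0\0" */
    uint16_t nsec = rd16(img + coff + 2);              /* NumberOfSections */
    uint16_t optsize = rd16(img + coff + 16);          /* SizeOfOptionalHeader */
    uint32_t entry = rd32(img + opt + 16);             /* AddressOfEntryPoint (RVA) */
    size_t sec = opt + optsize;                        /* first IMAGE_SECTION_HEADER */
    for (uint16_t i = 0; i < nsec; i++, sec += 40) {
        if (sec + 40 > len) return -1;
        uint32_t vsize = rd32(img + sec + 8);          /* VirtualSize */
        uint32_t va    = rd32(img + sec + 12);         /* VirtualAddress */
        uint32_t flags = rd32(img + sec + 36);         /* Characteristics */
        if (entry >= va && entry - va < vsize)
            return (flags & IMAGE_SCN_MEM_EXECUTE) ? 1 : 0;
    }
    return -1;
}

/* Constructed header-only PE32 DLL (no real code); text_flags sets the .text section's characteristics. */
size_t build_sample_pe(uint8_t *buf, size_t cap, uint32_t text_flags) {
    const size_t pe = 0x80, opt = pe + 24, sec = opt + 224, total = sec + 2 * 40;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, (uint32_t)pe);
    memcpy(buf + pe, "PE\0\0", 4);
    wr16(buf + pe + 4, 0x14C);                         /* Machine: i386 */
    wr16(buf + pe + 6, 2);                             /* NumberOfSections */
    wr16(buf + pe + 20, 224);                          /* SizeOfOptionalHeader for PE32 */
    wr16(buf + pe + 22, 0x2102);                       /* EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL */
    wr16(buf + opt, 0x10B);                            /* PE32 magic */
    wr32(buf + opt + 16, 0x1010);                      /* AddressOfEntryPoint, inside .text */
    wr32(buf + opt + 28, 0x10000000);                  /* ImageBase (made up) */
    wr32(buf + opt + 56, 0x6000);                      /* SizeOfImage (made up) */
    memcpy(buf + sec, ".text", 5);                     /* .text: RVA 0x1000, 0x2000 bytes */
    wr32(buf + sec + 8, 0x2000); wr32(buf + sec + 12, 0x1000); wr32(buf + sec + 36, text_flags);
    memcpy(buf + sec + 40, ".data", 5);                /* .data: RVA 0x3000, 0x3000 bytes, read/write */
    wr32(buf + sec + 48, 0x3000); wr32(buf + sec + 52, 0x3000);
    wr32(buf + sec + 76, 0x40 | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE);
    return total;
}

/* Single-call wrappers over the constructed image. */
uint32_t demo_range_start(void) {
    uint8_t b[512]; uint32_t s = 0, e = 0;
    size_t n = build_sample_pe(b, sizeof b, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ);
    return pe_tracex_range(b, n, &s, &e) == 0 ? s : 0;
}
uint32_t demo_range_end(void) {
    uint8_t b[512]; uint32_t s = 0, e = 0;
    size_t n = build_sample_pe(b, sizeof b, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ);
    return pe_tracex_range(b, n, &s, &e) == 0 ? e : 0;
}
int demo_entry_exec(uint32_t text_flags) {
    uint8_t b[512];
    size_t n = build_sample_pe(b, sizeof b, text_flags);
    return pe_entry_section_executable(b, n);
}

int main(void) {
    printf("/tracex %08" PRIX32 " %08" PRIX32 "  (entry section executable: %d)\n",
           demo_range_start(), demo_range_end(),
           demo_entry_exec(IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ));
    return 0;
}
```

On a real DLL you would read the file into the buffer instead of calling build_sample_pe; the parser only looks at headers, so the raw file works as input. Note that ImageBase is the preferred base from the file, so if the loader relocated the DLL the range must be taken from the address the module actually got.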

NchantA
November 12th, 2000, 06:35
the_owl u are a genius. so are ur leet tools, i got that vboxed dll unpacked and it works perfectly, thanx a lot u guys...

btw if u want a small tutor for tsehp.cjb.net or something so u don't have to keep telling idiots like me how to unpack a .dll file just say so

NchantA

hz
November 12th, 2000, 06:48
hi,
I think this would be a useful/interesting tutorial.
regards
hz