
Ram Drive in an Application


i2ib4sunshine
October 13th, 2011, 02:03
hello everyone,

Can anyone tell me how to access a RAM drive in an application?

Whole story: I am debugging an application that extracts and decodes/decrypts contents in memory,
and I can see in the stack parameters like Z:\FromMemory\Cotent.swf

Contents are SWF, and with a search in the memory dump I can't find any SWF signature (CWS = 43 57 53).

How can I access this drive?

Another question: why can't I see Flash.ocx in Executable Modules? I can see the Flash.ocx string in the stack.

Kayaker
October 15th, 2011, 00:09
Ram Drive. Are we talking the same thing as a virtual drive? Does the app extract the .swf file to a temp directory that is mapped to a virtual drive? Or are you saying it's only extracted in memory (in which case I don't understand the Z:/ qualifier)?

Probably the first thing to do is to find what APIs are being used in and around that area that maps the file and possibly creates a virtual drive. If it's a real virtual drive, how does something like Alcohol create a virtual drive? There are probably several apps which can view virtual drives; IsoBuster comes to mind.

The old DOS command SUBST can be used for creating virtual drives, via DefineDosDevice. If that API is used in the app it should be a dead giveaway.

Kayaker

evlncrn8
October 15th, 2011, 18:41
Run the app and check in Explorer whether drive Z: exists. If so, it is probably as Kayaker suggests. If not, it could be hooking file APIs (only in the process) and working like that, though hardcoding Z would be bad code, I think...

Is the target a casual game? (I remember one that worked like you describe.)

i2ib4sunshine
October 19th, 2011, 16:41
Thanks for the reply.

No, it isn't a game; I am trying to extract "Rosetta Stone Version 3" contents.

It seems the content's data is in a folder: a lot of little files without extension, but when I open them with a hex editor I can see all of them start with "CWS" (the SWF signature) and even have the Flash compiler version (that comes after CWS).

But I can't play any of them, and even Flash decompiler programs report an invalid format.

I guess maybe the files are encrypted, and decrypted in memory.

When I trace in OllyDbg, I can see text like this in the stack: "Z:\FromMemory\xxxx.swf" (exactly the "FromMemory" text).
But when I search in the memory dump, I can't find any SWF signature text!
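A quick way to tell whether files like these are real SWF containers, or merely carry the three-byte "CWS" prefix and version byte over an unreadable body, is to parse the 8-byte header and try to inflate the body; the same check can be run over a memory dump to find only headers that are consistent. This is an added example, not code from the thread; make_sample_cws builds constructed test data in place of the poster's files.

```python
import re
import struct
import zlib

def inspect_swf(data: bytes) -> dict:
    """Parse the 8-byte SWF header and, for CWS, inflate the body, so a file with a
    genuine 'CWS' prefix but a scrambled body is reported as invalid, not trusted."""
    r = {"signature": None, "version": None, "declared_length": None, "valid": False, "reason": ""}
    if len(data) < 8:
        r["reason"] = "shorter than the 8-byte header"
        return r
    sig, ver, declared = data[:3], data[3], struct.unpack("<I", data[4:8])[0]
    r.update(signature=sig.decode("ascii", "replace"), version=ver, declared_length=declared)
    if sig == b"FWS":                       # uncompressed: body follows the header directly
        body = data[8:declared]
    elif sig == b"CWS":                     # zlib body, which is what the thread's files claim to be
        d = zlib.decompressobj()
        try:
            body = d.decompress(data[8:])   # trailing bytes (e.g. rest of a dump) go to d.unused_data
        except zlib.error as exc:
            r["reason"] = f"CWS body is not a zlib stream ({exc})"
            return r
    else:
        r["reason"] = "no FWS/CWS signature (ZWS/LZMA is not handled in this example)"
        return r
    if not body or len(body) + 8 != declared:   # also catches a truncated zlib stream
        r["reason"] = f"empty body or declared length {declared} != actual {len(body) + 8}"
        return r
    nbits = body[0] >> 3                    # stage RECT: 5-bit field width, then four fields
    rect_len = (5 + 4 * nbits + 7) // 8
    if len(body) < rect_len + 4:
        r["reason"] = "body too short for RECT, frame rate and frame count"
        return r
    rate, count = struct.unpack("<HH", body[rect_len:rect_len + 4])   # 8.8 fixed-point fps, UI16
    r.update(frame_rate=rate / 256, frame_count=count, valid=True, reason="consistent")
    return r

def find_swf_headers(blob: bytes) -> list:
    """Scan a buffer such as a memory dump and return offsets of consistent SWF headers."""
    return [m.start() for m in re.finditer(rb"[FC]WS", blob) if inspect_swf(blob[m.start():])["valid"]]

def make_sample_cws(scrambled: bool = False) -> bytes:
    """Constructed test input, not a file from the thread. scrambled=True mimics what the
    poster sees: a 'CWS' prefix and version byte, but a body that is not a zlib stream."""
    bits = f"{16:05b}{0:016b}{11000:016b}{0:016b}{8000:016b}"   # RECT with 16-bit fields
    bits += "0" * (-len(bits) % 8)
    rect = int(bits, 2).to_bytes(len(bits) // 8, "big")
    body = rect + struct.pack("<HH", 24 * 256, 1) + b"\x00\x00"  # 24 fps, 1 frame, End tag
    header = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body))
    return header + (bytes(b ^ 0x5A for b in body) if scrambled else zlib.compress(body))
```

A file whose header parses but whose body fails to inflate is exactly the symptom described in the post, and is what a decompiler reports as an invalid format.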

Woodmann
October 19th, 2011, 21:13
Howdy,

I have messed around with that little gem.
I was unsuccessful in trying to load all the data onto the computer
and have it work correctly.

What I believe it is doing is reading data from the disc and then
loading it into a virtual drive for quicker access when the main .exe is running.
Sorry for the lame explanation.

I might give it another try. It just seems like too much work to reconstruct the
flash shit after you extract it.

Perhaps something as simple as a disc copy?

Woodmann