Iris v3.2


BlackB
June 22nd, 2001, 06:32
Good day ladies 'nd gentlemen ;-)

BlackB finished exams and is back in reversing business :-)
First of all, I 'moved' to Win2k lately and I'm currently writing a small tutorial for newbies on how to install and use their cracking programs on it, 'coz it cost me some time to solve the problems that come with it.

Anyway, first thing I did was checking for a new Iris version, and what did I notice..... v3.2 is wrapped with Asprotect this time, yesyes, hehe. I didn't try much yet except finding the OEP with SoftICE. Now, I noticed that the NT version of icedump only supports the command pagein d/pagein l but no useful commands like /tracex or a softice hiding option. Frogsice doesn't work with Win2k either, so I suppose I'd better crack it in Win98, right? The person that can give me some advice on this will get mentioned in my upcoming essay ;-)

Last little thing: what has been happening this past month with our lovely little protections like asprotect?

greets go to +Splaj, +Tsehp, Kilby, r!sc, ....my mother, father, sister, grandpa, grandma....I know I'm getting pathetic, but I always wanted to be lame for a second on a msgboard :-P

BlackB

mebe
June 22nd, 2001, 08:32
How about finding a way to get us the real .exe version of Iris 3.2 to work with, instead of fussing around with a limited evaluation version that can't be made to work fully anyway no matter what you do to it ...peace

madmax
June 22nd, 2001, 16:55
I'm not sure how to work with Sice and other tools under NT, never tried... I'm sure some other can comment on this... I would advise patching winice itself, it's the most secure and stable! Anyways, as for Iris 3.2, it's not ASPR packed... That's just telock with the optional "change name" function... telock is easily removed under winme with icedump/importrec/rv... I prefer importrec 'cause it cuts the thunks easily... Rename "IrisMuteEx" to "MPRMutex" which winME creates upon execution... read the prior thread on iris 3.0 for more info.. btw: OEP is 47c70c, IAT is 488000, length is about 1700... be sure to change the # sections ("PE+8" word) from FF FF to 04 00 before dumping!

madmax
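Madmax's last tip depends on the packer having overwritten the section count in the PE file header, which makes a naive dumper read far too many section headers. The following Python is added here as an illustration and is not code from the thread or from any of the tools named in it: it parses the header from raw bytes and flags that kind of tampering the way a triage script would. It assumes the standard IMAGE_FILE_HEADER layout (NumberOfSections is the WORD 6 bytes past the "PE\0\0" signature, right after Machine), the documented 96-section limit of the Windows loader, and a constructed minimal image rather than a real Iris binary.

```python
import struct

# Assumptions (not from the thread): the Windows loader refuses images with
# more than 96 sections, and each section header is 40 bytes.
MAX_SECTIONS = 96
SECTION_HEADER_SIZE = 40


def parse_pe_header(data: bytes) -> dict:
    """Return the fields needed to sanity-check a PE image's section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER (20 bytes) directly follows the 4-byte signature:
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _ts, _psym, _nsym, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4
    )
    return {
        "machine": machine,
        "number_of_sections": nsections,
        "size_of_optional_header": opt_size,
        "characteristics": chars,
        # The section table starts right after the optional header.
        "section_table_offset": e_lfanew + 24 + opt_size,
    }


def check_section_count(data: bytes) -> list:
    """Return a list of finding tags describing suspicious section-count values."""
    hdr = parse_pe_header(data)
    n = hdr["number_of_sections"]
    findings = []
    if n == 0:
        findings.append("zero-sections")
    if n > MAX_SECTIONS:
        # Typical anti-dump trick: a poisoned count (e.g. 0xFFFF) makes
        # dumpers walk garbage section headers.
        findings.append("too-many-sections")
    table_end = hdr["section_table_offset"] + n * SECTION_HEADER_SIZE
    if table_end > len(data):
        findings.append("section-table-overflows-file")
    return findings


def build_sample_pe(declared_sections: int, real_sections: int) -> bytes:
    """Constructed minimal PE-shaped blob: DOS stub, PE signature, file header,
    a zeroed 0xE0-byte optional header and `real_sections` blank section headers,
    while the header claims `declared_sections`."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt_size = 0xE0
    file_header = struct.pack(
        "<HHIIIHH", 0x14C, declared_sections, 0, 0, 0, opt_size, 0x102
    )
    return (
        dos
        + b"PE\0\0"
        + file_header
        + b"\0" * opt_size
        + b"\0" * (SECTION_HEADER_SIZE * real_sections)
    )


if __name__ == "__main__":
    clean = build_sample_pe(4, 4)
    poisoned = build_sample_pe(0xFFFF, 4)
    print("clean:   ", check_section_count(clean))
    print("poisoned:", check_section_count(poisoned))
```

Running the block prints an empty finding list for the clean sample and two findings for the image whose header claims 0xFFFF sections; in a triage pipeline those tags are what you would key an "anti-dump header" alert on before looking any further at the file.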

+SplAj
June 25th, 2001, 04:28
hi blackB - and greetz madmax

LOL LOL ...Iris.exe has ASPR section ..... LOL LOL :-)

OK NT/2K SI shit...

I have a big advantage in this topic cos I only EVER do my serious cracking/reversing in the office - which has been NT4 and now 2K (cos of Tsehp and RV!) for the last 4 years.
Learned a lot about anti-SI from frogs and EliCZ - he made a quick patcher and dumper for NTice.sys 3.25/4.00 - search for NTICESET / PNTICE, and some macros to hide SI dynamically. That was a few years ago now....

Since we are currently on several flavors of the 4.05 build it is best to run Detect.exe (attached for you) and reverse it, then you know what to do.

- don't forget the nmtrans.dll or symbol loader won't detect SI either }>

+SplAj

BTW when you have done this please contribute your findings to the FAQ :-)

LaptoniC
June 25th, 2001, 13:07
I thank you guys, especially +SplAj, for helping me on Iris. Finally I have unpacked this. I found my mistakes and learned a lot from them. I think import reconstructor is the tool for telock like madmax said.
Thanks again for your help, you guys rock.