Revirgin stops responding on tELock (FlashFXP 1.4)


Solomon
September 21st, 2001, 03:03
FlashFXP v1.4:
http://bigskysoft.tucows.com/files2/ffxp14.zip

OEP = 0052B8B0

Fill this into Revirgin (1.2 beta 3), then press "Fetch IAT"; it causes 100% CPU utilization.
OS: Win2K server build 2195

Do I need to change NumberOfSections from FFFF to 9 in the memory?

tsehp
September 22nd, 2001, 01:56
Yes, I located the problem: it comes from the way RV calculates the process size. I fixed this.

You can download the new file again; the build number is unchanged.

regards,

tsehp

Solomon
September 22nd, 2001, 08:57
Bug disappeared. Thanks.

tsehp
September 24th, 2001, 07:27
You're welcome. Never hesitate to report more while in beta test.

Nitrus
September 24th, 2001, 15:00
Just curious if you could send me a brief tutorial on unpacking FlashFXP when you are done. Thanks in advance, Nitrus.

Latig0
September 28th, 2001, 09:51
Nitrus!!
My old pal!!!!!
hehe
Long long time no see buddy
How's everything?
Hope you're allrighty..
Hugs..


Latigo

Solomon
September 29th, 2001, 00:12
hi Nitrus,

Please read the post by +SplAj:
h**p://www.woodmann.net/forum/showthread.php?s=&threadid=1810

for FlashFXP 1.4,
OEP = 0052B8B0
IT = 00533000

Set a "BPX VirtualProtectEx", press F12, then press F10 to trace for a while; you will see the "JMP [ESP-30]". OEP = dword ptr [esp-30]. Suspend it with a "JMP EIP", then use the RAM Editor of WinHex to change the NumberOfSections from FFFF to 9. Make a full dump with LordPE and kill the process.

Set a BPX LoadLibraryA DO "db *(esp+4)", then re-run FlashFXP. When you see "oleaut32.dll", press F12, then scroll up a few lines; you will see the following code:

001B:00576C14 JMP 00576B9E
001B:00576C16 MOV EDX,[EBP+0040AFBE]
001B:00576C1C MOV ESI,[EBP+0040AFAE]
001B:00576C22 TEST ESI,ESI
001B:00576C24 JZ 00576FC7
001B:00576C2A ADD ESI,EDX
001B:00576C2C AND DWORD PTR [EBP+0040B0AA],00
001B:00576C33 MOV EAX,[ESI+0C]
001B:00576C36 AND DWORD PTR [ESI+0C],00 <---------------Clear the Import Table
001B:00576C3A TEST EAX,EAX
001B:00576C3C JZ 00576FC7
001B:00576C42 ADD EAX,EDX
001B:00576C44 MOV EBX,EAX
001B:00576C46 PUSH EAX
001B:00576C47 CALL [EBP+0040AF18]
001B:00576C4D TEST EAX,EAX
001B:00576C4F JNZ 00576CE1
001B:00576C55 PUSH EBX
001B:00576C56 CALL [EBP+0040AF1C] <--------------Here is LoadLibraryA( )
001B:00576C5C TEST EAX,EAX
001B:00576C5E JNZ 00576CE1

Clear all breakpoints, set a "BPM 576C36 X", then re-start FlashFXP. When SoftICE pops up again at CS:576C36, just type "dd esi" and you will see the good import table. Dump the IT & IAT (esi = 533000h, IT length = 1CCh, dump length = 3000h).

Paste the IT & IAT (total 3000h bytes) into the dumped exe at file offset 133000h, then fix the EntryPoint & Data Directory. All is OK.

Hope this helps.

Seems that neither RV nor ImportREC can rebuild the IT without manual modification of FlashFXP's code.
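As an added worked example (my code, not from this thread, nor from RV, ImportREC, LordPE or WinHex), the Python below performs the post-dump repairs Solomon lists: restore NumberOfSections, set AddressOfEntryPoint to the OEP, paste the rescued IT+IAT at a file offset, point the import Data Directory at it, then walk the pasted descriptors to confirm the DLL names survived. It assumes a PE32 dump whose raw offsets equal RVAs, which is what the thread's numbers imply if the image base is the usual 400000h (an assumption: IT at VA 533000h minus 400000h is 133000h, the file offset the post pastes at; the 1CCh IT length is exactly 23 descriptors of 20 bytes). It runs on a constructed miniature dump and import table rather than the real FlashFXP binary; the image base 0x400000, OEP 0x402800, IT at 0x3000 and the two DLL names are sample values. The clobbered-descriptor check relies on +0Ch in IMAGE_IMPORT_DESCRIPTOR being the Name field, which is the dword the quoted "AND DWORD PTR [ESI+0C],00" zeroes.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1   # DataDirectory index of the import table
IMPORT_DESCRIPTOR_SIZE = 20        # sizeof(IMAGE_IMPORT_DESCRIPTOR)


def _header_offsets(data):
    """Check MZ/PE signatures; return offsets of FileHeader, OptionalHeader32, import DataDirectory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe + 24                                         # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled")
    return pe + 4, opt, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT


def read_header_fields(data):
    """The header fields the post says must be repaired after the dump."""
    fh, opt, imp = _header_offsets(data)
    return {
        "number_of_sections": struct.unpack_from("<H", data, fh + 2)[0],
        "entry_point_rva": struct.unpack_from("<I", data, opt + 16)[0],
        "image_base": struct.unpack_from("<I", data, opt + 28)[0],
        "import_dir": struct.unpack_from("<II", data, imp),
    }


def fix_dump(dump, *, oep_va, number_of_sections, it_va, it_size, it_bytes, it_file_offset):
    """Restore NumberOfSections, set AddressOfEntryPoint to the OEP, paste the
    rescued IT+IAT bytes at it_file_offset and point the import directory at them."""
    data = bytearray(dump)
    fh, opt, imp = _header_offsets(data)
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    struct.pack_into("<H", data, fh + 2, number_of_sections)
    struct.pack_into("<I", data, opt + 16, oep_va - image_base)
    struct.pack_into("<II", data, imp, it_va - image_base, it_size)
    end = it_file_offset + len(it_bytes)
    if len(data) < end:                  # grow the dump if the paste target lies past its end
        data.extend(bytes(end - len(data)))
    data[it_file_offset:end] = it_bytes
    return bytes(data)


def list_import_descriptors(data, it_file_offset):
    """(Name RVA, FirstThunk RVA) per IMAGE_IMPORT_DESCRIPTOR up to the all-zero terminator."""
    entries, off = [], it_file_offset
    while any(fields := struct.unpack_from("<IIIII", data, off)):
        entries.append((fields[3], fields[4]))    # Name at +0Ch, FirstThunk at +10h
        off += IMPORT_DESCRIPTOR_SIZE
    return entries


def dll_names(data, it_file_offset):
    """DLL names the descriptors point at; assumes raw offset == RVA as in the thread's dump."""
    return [data[rva:data.index(b"\0", rva)].decode("ascii")
            for rva, _ in list_import_descriptors(data, it_file_offset)]


def clobbered_descriptors(data, it_file_offset):
    """Indices whose Name is zero but FirstThunk is not: the state left behind once the
    packer's 'AND DWORD PTR [ESI+0C],00' has run over the descriptor (+0Ch is Name)."""
    return [i for i, (name, ft) in enumerate(list_import_descriptors(data, it_file_offset))
            if name == 0 and ft != 0]


def build_sample_dump():
    """Constructed stand-in for the FlashFXP dump: a 16 KiB PE32 image, base 0x400000,
    header still carrying the damage the thread describes (NumberOfSections = FFFF,
    entry point inside the packer stub, empty import directory)."""
    img = bytearray(0x4000)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)          # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH12xH", img, 0x84, 0x14C, 0xFFFF, 224)  # Machine, NumberOfSections, SizeOfOptionalHeader
    opt = 0x80 + 24
    struct.pack_into("<H", img, opt, 0x10B)          # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x3800)    # entry point still in the stub
    struct.pack_into("<I", img, opt + 28, 0x400000)  # ImageBase (sample value)
    struct.pack_into("<I", img, opt + 92, 16)        # NumberOfRvaAndSizes
    return bytes(img)


def build_sample_import_table(it_rva):
    """Constructed IT+IAT region for two DLLs, laid out to be pasted at file offset == it_rva:
    descriptors, all-zero terminator, name strings, then the IAT at +100h."""
    names = [b"KERNEL32.dll", b"oleaut32.dll"]
    descs, strings = bytearray(), bytearray()
    names_rva = it_rva + IMPORT_DESCRIPTOR_SIZE * (len(names) + 1)
    for i, n in enumerate(names):
        descs += struct.pack("<IIIII", 0, 0, 0, names_rva + len(strings), it_rva + 0x100 + 8 * i)
        strings += n + b"\0"
    region = descs + bytes(IMPORT_DESCRIPTOR_SIZE) + strings
    region += bytes(0x100 - len(region))                       # pad up to the IAT
    region += struct.pack("<II", 0x77E60000, 0) * len(names)   # one resolved slot + null per DLL
    return bytes(region)
```

Usage on the real dump would be `fix_dump(open("dump.exe","rb").read(), oep_va=0x0052B8B0, number_of_sections=9, it_va=0x00533000, it_size=0x1CC, it_bytes=<the 3000h bytes dumped at esi>, it_file_offset=0x133000)`, followed by `dll_names(fixed, 0x133000)` to confirm every descriptor still names its DLL; `clobbered_descriptors` returning anything but an empty list means the dump was taken after the loop had already started zeroing Name fields.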

Bengaly
September 29th, 2001, 05:13
Heya...

About FlashFXP, you should try talking to Nchanta; he already
unpacked FlashFXP - pGC.
Send him a private message and have fun =)
Cya
.........................:::Bengaly:::..........................................................

Nitrus
September 29th, 2001, 05:58
Thanks everyone. I had already successfully built a new exe before I received your messages. Also, hi Latigo. LTNS, how are things?

nchanta
October 1st, 2001, 01:07
Hola Latigo, Nitrus. Bengaly, thanks for the reference ;D

+SplAj's essay explains it all; however, if someone wants a more "in-depth" tutorial, especially concerning the IAT rebuilding, then email me at nchanta@optusnet.com.au and I'll whip one up...

Unregistered
October 10th, 2001, 10:23
Quote:
Originally posted by Solomon
hi Nitrus,

Please read the post by +SplAj:
h**p://www.woodmann.net/forum/showthread.php?s=&threadid=1810

......

Set a BPX LoadLibraryA DO "db *(esp+4)", then re-run FlashFXP. When you see "oleaut32.dll", press F12, then scroll up a few lines; you will see the following code:

001B:00576C14 JMP 00576B9E
001B:00576C16 MOV EDX,[EBP+0040AFBE]
001B:00576C1C MOV ESI,[EBP+0040AFAE]
001B:00576C22 TEST ESI,ESI
001B:00576C24 JZ 00576FC7
001B:00576C2A ADD ESI,EDX
001B:00576C2C AND DWORD PTR [EBP+0040B0AA],00
001B:00576C33 MOV EAX,[ESI+0C]
001B:00576C36 AND DWORD PTR [ESI+0C],00 <---------------Clear the Import Table
001B:00576C3A TEST EAX,EAX

... ...


Seems that neither RV nor ImportREC can rebuild the IT without manual modification of FlashFXP's code.



Hi, ya

Just noticed something here; excuse my English:

001B:00576C1C MOV ESI,[EBP+0040AFAE]
001B:00576C22 TEST ESI,ESI

The MOV and TEST are used to check if the IAT is wrapped; ESI gets the RVA of the IAT. So at the line 001B:00576C22, type:
r esi 0
Go to the OEP, dump it, and you get an unwrapped IAT, isn't it?

regards.

Unregistered
October 10th, 2001, 20:59
Have you tried that? You will not get a good IT that way because a GPF will appear.
The following instructions, which destroy the IT/IAT, are in a loop (one iteration for each imported DLL). That means they will be executed many times. Suspend it before the whole loop begins, then dump the IT/IAT. I prefer the following way to suspend a process, because it causes no CPU utilization, while "JMP EIP" causes 100% CPU utilization:
push 7FFFFFFF
call kernel32!Sleep

Quote:
Originally posted by Unregistered


001B:00576C1C MOV ESI,[EBP+0040AFAE]
001B:00576C22 TEST ESI,ESI

The MOV and TEST are used to check if the IAT is wrapped; ESI gets the RVA of the IAT. So at the line 001B:00576C22, type:
r esi 0
Go to the OEP, dump it, and you get an unwrapped IAT, isn't it?

ThrawN
October 10th, 2001, 21:09
Quote:
Originally posted by nchanta
hola latigo, nitrus bengaly thanks for the reference ;D

splaj+'s essay explains it all, however if someone wants a more "in-depth" tutor especially concerning the IAT rebuilding, then email me nchanta@optusnet.com.au and ill whip one up...


optusnet.com.au )) Ooh, another Australian cracker.
G'day mate :P


ThrawN