Packed / dumped apps and IDA


Rage
November 4th, 2001, 11:36
1) With non-packed apps everything is OK and IDA uses the correct FLIRT signatures, but if the app (e.g. ASProtect) is packed - I unpack it, dump it and load it with IDA, wait till the analysis finishes and then I load FLIRT signatures, but nothing happens - the analysis (L1 - first pass of FLIRT) lasts only a few seconds and there are no functions found. Is there a solution to this problem?

2) Is there a way to unpack pieces of code created with ASProtect macros REG_CRYPT_BEGIN and REG_CRYPT_END? Can caspr do it (or any other unpacker)? Can it be done manually?

tsehp
November 5th, 2001, 05:21
Concerning your second question, and IMHO:
The crypted parts are made with an elliptic curve scheme and an external key is used to decrypt them if you buy the program. So consider them just like they were missing from the code; you've got no way to decrypt this.

Dr.Golova
November 5th, 2001, 08:39
1) Just correct the section attributes for the code section (must be executable).
2) For decrypting you need a valid license key. If you have it, use it, run the "hidden" feature, and the crypted code will be decrypted by the ASProtect kernel. Now just dump the code section and paste it into the dump. A little patch may be needed after this operation - the program must be sure that it is registered for running the encrypted part.

Rage
November 5th, 2001, 15:36
Thanks
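
Added example, not part of any post in this thread: a sketch of the section-attribute fix from Dr.Golova's point 1, which reads the PE section table of a dump and sets the code/executable/readable flags on the section that holds the entry point. It assumes the dump's `AddressOfEntryPoint` already points into the real code section; the function names and the sample header are constructed for illustration.

```python
import struct

# IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
CODE_FLAGS = 0x00000020 | 0x20000000 | 0x40000000

def sections(data):
    """Yield (header_offset, name, virtual_size, rva, raw_size, characteristics)."""
    pe, = struct.unpack_from("<I", data, 0x3C)             # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    count, = struct.unpack_from("<H", data, pe + 6)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)    # SizeOfOptionalHeader
    table = pe + 24 + opt_size                             # first section header
    for off in range(table, table + 40 * count, 40):
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, rva, raw_size = struct.unpack_from("<III", data, off + 8)
        chars, = struct.unpack_from("<I", data, off + 36)  # Characteristics
        yield off, name, vsize, rva, raw_size, chars

def fix_entry_section(data):
    """Return (patched_bytes, section_name, old_flags, new_flags)."""
    pe, = struct.unpack_from("<I", data, 0x3C)
    entry, = struct.unpack_from("<I", data, pe + 24 + 16)  # AddressOfEntryPoint
    for off, name, vsize, rva, raw_size, chars in sections(data):
        if rva <= entry < rva + max(vsize, raw_size):
            out = bytearray(data)
            struct.pack_into("<I", out, off + 36, chars | CODE_FLAGS)
            return bytes(out), name, chars, chars | CODE_FLAGS
    raise ValueError("entry point is outside every section")

def sample_dump():
    """Constructed PE32 header: one section holding the entry point, flagged as data."""
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x44, 0x14C, 1)           # i386, one section
    struct.pack_into("<H", img, 0x54, 0xE0)                # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x58, 0x10B)               # PE32 magic
    struct.pack_into("<I", img, 0x68, 0x1000)              # entry point RVA
    img[0x138:0x13D] = b".text"
    struct.pack_into("<III", img, 0x140, 0x1000, 0x1000, 0x200)
    struct.pack_into("<I", img, 0x15C, 0xC0000040)         # data | read | write
    return bytes(img)

if __name__ == "__main__":
    patched, name, old, new = fix_entry_section(sample_dump())
    print(f"{name}: {old:#010x} -> {new:#010x}")
```

Run it on a copy of the dump, since the function returns the patched image and leaves writing it back to disk to the caller.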