Page 2 of 2 FirstFirst 12
Results 16 to 18 of 18

Thread: Unusual UnPackMe

  1. #16
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,079
    Blog Entries
    5
    Hi 90h,

    I tried padding my dumped (TRW PEDUMP) file up to 70080h with zeroes, then adding a new section of size 85029 which contained the bitmap and other resource info. That's how I got the Apply Memory Changes and About buttons to show, but it's crap, not a good solution and the file is over 900k in size.

    The Splash screen is a separate class in itself (Afx:400000) which uses a SetTimer value of EA60 (60000 msec) to destroy itself if you don't click on it. It's created within a CreateDialogIndirectParamA call which also creates the rest of the controls. Beforehand it's control class is registered with GetClassInfoA and RegisterClassA.

    This all falls apart in the dumped file, GetClassInfoA on the Splash screen class fails and of course it's never created. I'm trying to figure out where in memory the program is looking for certain information. I don't know if the answer lies just with adding and correcting the pointers to that 'resource' dump, or whether there's a problem in the .crypt section as well.

    Cya,

  2. #17
    90h
    Guest
    My dump(size 760k) has a Splash screen(timer works too) and Apply Memory Changes and Quit buttons....(like it was win it was pack). But i have .crypt section.(and i can not delete/0 that section)

    PS
    size 85F80 was only a test my new one is 85029(and work find too)
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  3. #18
    90h
    Guest
    2 more thing the Import Table may b bad(program may only run on the pc it was unpack on...) in IDA(v4.14) i have 2 _crypt_ section the 1st _crypt_ has a list of dll/api. In Procdump i have 1 .crypt section.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

Similar Threads

  1. Unusual crackme by ksydfius
    By My Infected Computer in forum Blogs Forum
    Replies: 0
    Last Post: June 16th, 2013, 17:49
  2. An Unusual Crash
    By Suteki in forum The Newbie Forum
    Replies: 4
    Last Post: November 5th, 2007, 12:19
  3. Unusual UPX activity
    By SiGiNT in forum Malware Analysis and Unpacking Forum
    Replies: 8
    Last Post: December 15th, 2005, 11:33
  4. Unusual tests for DRx registers
    By evaluator in forum Advanced Reversing and Programming
    Replies: 0
    Last Post: January 3rd, 2004, 13:08
  5. Unusual setup program
    By john whitt in forum Malware Analysis and Unpacking Forum
    Replies: 13
    Last Post: March 1st, 2002, 02:10

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •