Thread: Executable being rebased like a dll?

  1. #1
    Registered User
    Join Date
    Jul 2007
    Posts
    107
    Blog Entries
    6

    Executable being rebased like a dll?

    I was reviewing solutions submitted to crackmes.de and one that got rejected caught my attention.
    The patch made by the user didn't work on any Vista versions.
    I usually don't do this but I looked deeper into it.

    The patched crackme under IDA is being rebased to a random ImageBase.
    As a side-effect, IDA can't follow the code and everything disappears from the project database.
    IDA can force it to remain at its normal ImageBase but this is the first time that I've seen an executable behave that way.


    http://img158.imageshack.us/my.php?image=rebasetg9.png

    It looks a lot like a Vista-specific anti-debugging trick but wasn't intended that way by the author of the patch.
    I'm pretty sure that it is closely related to Vista and ASLR.

    I assume that the loader detects a "faulty" patch and triggers some sort of special panic mode.
    I have not found a more plausible explanation but maybe somebody has a better one.

    Here is the crackme, patch and solution:
    http://rapidshare.com/files/110731226/cm2.rar.html

    TiGa
    Programming today is a race between software engineers to build bigger and better idiot-proof programs and the Universe trying to produce bigger and better idiots.
    So far, the Universe is winning.

  2. #2
    <script>alert(0)</script> disavowed
    Join Date
    Apr 2002
    Posts
    1,281
    IDA 5.1.0.899 has no problems with the exe.
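
Added example, not part of either post and not code from the thread: the header fields the Windows loader consults when deciding whether an image may be placed away from its preferred ImageBase can be read straight from the file. `rebase_fields` and `sample_pe32` are hypothetical names, and the sample headers are constructed for the demonstration.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics bit
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in bit
BASERELOC_DIR = 5                               # data directory index

def rebase_fields(pe: bytes) -> dict:
    """Return the PE header fields relevant to image relocation."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (nt,) = struct.unpack_from("<I", pe, 0x3C)           # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (characteristics,) = struct.unpack_from("<H", pe, nt + 22)
    opt = nt + 24                                        # optional header start
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:                                   # PE32
        (image_base,) = struct.unpack_from("<I", pe, opt + 28)
        dirs = opt + 96
    elif magic == 0x20B:                                 # PE32+
        (image_base,) = struct.unpack_from("<Q", pe, opt + 24)
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic")
    (dll_chars,) = struct.unpack_from("<H", pe, opt + 70)
    (ndirs,) = struct.unpack_from("<I", pe, dirs - 4)    # NumberOfRvaAndSizes
    rva = size = 0
    if ndirs > BASERELOC_DIR:
        rva, size = struct.unpack_from("<II", pe, dirs + 8 * BASERELOC_DIR)
    return {
        "image_base": image_base,
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "relocs_stripped": bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED),
        "reloc_dir": (rva, size),
    }

def sample_pe32(dll_chars: int, characteristics: int, reloc=(0, 0)) -> bytes:
    """Constructed minimal PE32 headers (no sections), for the demo only."""
    buf = bytearray(0x40 + 24 + 224)
    buf[:2], buf[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", buf, 0x3C, 0x40)              # e_lfanew
    struct.pack_into("<HH", buf, 0x40 + 20, 224, characteristics)
    opt = 0x40 + 24
    struct.pack_into("<H", buf, opt, 0x10B)              # PE32 magic
    struct.pack_into("<I", buf, opt + 28, 0x00400000)    # ImageBase
    struct.pack_into("<H", buf, opt + 70, dll_chars)
    struct.pack_into("<I", buf, opt + 92, 16)            # NumberOfRvaAndSizes
    struct.pack_into("<II", buf, opt + 96 + 8 * BASERELOC_DIR, *reloc)
    return bytes(buf)
```

Running `rebase_fields(open(path, "rb").read())` on the original and the patched executable and comparing the two results shows whether a patch touched any of these fields.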
