
Thread: C-dilla iat-call fixes

  1. #1
    AndreaGeddon
    Guest

    C-dilla iat-call fixes

    Hi, I'm reversing the game Carmageddon TDR2000 (safedisc). I have decrypted the .text and .data, decrypted import name functions, rebuilt OriginalFirstThunk, now the game is almost ready but... there are several calls to the same iat value, for example
    call [xxxxxxxx]
    which in my case always calls the same function, but this makes the process crash. I examined the original program, and by calling the same iat value the DPLAYER makes it call the right function.
    Example:
    call [005AF148]
    the first time I meet this line it calls GetVersion, the next time it calls HeapAlloc, so I had to fix the opcode to point to the right iat value. My question is: do I have to fix ALL the calls manually (arggggg)????
    Is there a fixer, or can you tell me how to write one????
    Thanx a lot
    Bye
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    risc
    Guest
    get unSafedisc v1.5.5 http://csir.cjb.net

    :-)

    or get 1.5.3 and look at fix_calls.asm ..

    or code a proc to scan code section for all call dword ptr [wrapped_api] .. call them all, patch dplayerx to return to your proc, store call VA & [wrapped_api] & returned api address in an array ..

    step through array looking for [wrapped_api] addresses which resolve to more than one api .. then fix the relevant calls ..

  3. #3
    AndreaGeddon
    Guest
    >get unSafedisc v1.5.5 http://csir.cjb.net
    of course I know you and your beautiful tools and site, but I was trying to decrypt it by myself :-)

    >or get 1.5.3 and look at fix_calls.asm ..
    this is really good! Maybe I'll steal it :-P

    The idea of sniffing addresses from Dplayer sounds good, I'll try.
    Thank you very much man!
    Bye
