
Thread: DVDXcopy 3.1 Removing "Features"

Posted by nikolatesla20 (Code Injector), joined Apr 2002

    First we want to get the program's OEP. But of course first it has to run! So the first task was to get the program to run, which I finally did *durr to me*.

    Then we want to get the OEP. Notice that the program is an MFC program (imports mfc42.dll). All MFC programs start with __set_app_type after the OEP. So we can put a breakpoint on that routine and run the program. After the license manager runs and jumps to the real program, we will land on our breakpoint.

    Now we are about 6 lines down from the OEP (by the way, write down the OEP for later use), and no major code has run yet. In other words, there haven't been any variables initialized, etc. So we can dump right from here. In SoftICE we can assemble the current instruction so it loops on itself ("a eip <enter> jmp eip <enter>"). Now the program is frozen in an infinite loop. Make sure you write down what the 2 bytes are at EIP's location first, so you can restore them later, after dumping (do a "db eip" and write down the first two bytes you see).

    Exit SoftICE and fire up LordPE and select the DVDXCopy process. When you do so, notice one small "error". DVDXCopy reports its image size as 1000. That's wrong. It's a trick. Right click and select "correct ImageSize". LordPE will fix it. Now do a full dump. Remember that infinite loop you made? You have to go in with a Hex Editor later and restore those bytes you overwrote. (2 bytes)

    Now we have to fix 2 things about the dump. Notice it does not have an icon. This is because the last section is incorrect. Open up the dumped.exe in LordPE or PEditor and go to the section editor. The last section shows 00000000 as the RawSize and VirtualSize. This is wrong. Fix it (ImageSize says 7D000, so the last section's size should be 1A000 for both Raw and Virtual). Hey, your icon is back now.

    Now you get to restore the imports.

    How do we know where they are in the program when in memory? Easy. Disassemble the dumped.exe you have now. Go to the entry point. Remember, about 6 - 10 lines down is the __set_app_type call. This is an import, so you will see the call dword ptr [xxxxxxxx]. The xxxxxxxx is where the first thunk is, which can never change. Which means in memory the IAT is in this area!

    Run the program again and go into SoftICE and go to the IAT area. Scroll up and down both and get the IAT start and what you think the length is. Write it down.

    Fire up ImpREC and select the process, type in the OEP, the IAT start, and IAT length and "Get Imports", and then "Autotrace". ImpREC gets almost everything in one pass, just like 14 or so not done yet. You can do these manually in SoftICE by going to the memory area ImpREC says the import is at and "u <import address>" to see what the code says. I found most of them were simple "mov eax, GetDlgItemInt ; push eax ; ret". So there you have your import. Depending on how good your guess was at the IAT length, you might end up with junk thunks on the end of the tree. You can cut these off. You'll know they are junk if they don't reference a higher memory area like the other unresolved calls do.

    Leave "add a section" checked and press "Fix Dump" and voilà, you are done.

    Last edited by nikolatesla20; January 28th, 2003 at 13:32.
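Added example (not part of nikolatesla20's post, and not DVDXCopy's or LordPE's code): two of the manual steps above done in a script, so the numbers can be checked rather than typed in by hand. The first part rebuilds the dumped PE's broken last section the way the post describes: read SizeOfImage from the optional header, find the last section header, and when its VirtualSize/SizeOfRawData are zero set both to SizeOfImage minus the section's VirtualAddress. The second part decodes the redirected-import stub the post found (`mov eax, imm32 ; push eax ; ret`, encoded B8 xx xx xx xx 50 C3) and returns the API address it points at. The PE header in `build_sample_dump()` is constructed to mirror the figures in the post (ImageSize 7D000, last section at RVA 63000); its section names, the other RVAs and the 0x77F73210 stub target are assumptions, not values from the real binary.

```python
import struct

PE32_MAGIC = 0x10B
SECTION_HEADER_SIZE = 40
OPT_SIZE_OF_IMAGE = 56   # offset of SizeOfImage inside the PE32 optional header


def _pe_offsets(data):
    """Return (optional_header_off, section_table_off, number_of_sections) for a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 images are handled here")
    return opt, opt + size_of_opt, nsections


def read_sections(data):
    """Parse the section table into dicts (the columns LordPE/PEditor show in the section editor)."""
    _, sect, n = _pe_offsets(data)
    out = []
    for i in range(n):
        off = sect + i * SECTION_HEADER_SIZE
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        out.append({"name": name, "virtual_size": vsize, "virtual_address": va,
                    "raw_size": rawsize, "raw_pointer": rawptr})
    return out


def fix_last_section(data):
    """Repair a dump whose last section has zero sizes: size = SizeOfImage - VirtualAddress.

    Returns (fixed_image_bytes, last_section_size). Only touches the header when a size is zero.
    """
    buf = bytearray(data)
    opt, sect, n = _pe_offsets(buf)
    image_size = struct.unpack_from("<I", buf, opt + OPT_SIZE_OF_IMAGE)[0]
    off = sect + (n - 1) * SECTION_HEADER_SIZE
    vsize, va, rawsize, _ = struct.unpack_from("<IIII", buf, off + 8)
    if vsize == 0 or rawsize == 0:
        fill = image_size - va                 # 0x7D000 - 0x63000 = 0x1A000 in the post's case
        struct.pack_into("<I", buf, off + 8, fill)   # VirtualSize
        struct.pack_into("<I", buf, off + 16, fill)  # SizeOfRawData
        vsize = rawsize = fill
    return bytes(buf), vsize


def decode_redirect_stub(code):
    """If `code` starts with `mov eax, imm32 ; push eax ; ret` (B8 imm32 50 C3), return imm32, else None."""
    if len(code) >= 7 and code[0] == 0xB8 and code[5] == 0x50 and code[6] == 0xC3:
        return struct.unpack_from("<I", code, 1)[0]
    return None


def build_sample_dump():
    """Constructed header-only PE32 reproducing the defect in the post (not a real DVDXCopy dump).

    SizeOfImage is 0x7D000 and the last section sits at RVA 0x63000 with both sizes zeroed.
    Section names and the other RVAs are made up for the example.
    """
    sections = [  # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
        (b".text", 0x4F000, 0x1000, 0x4F000, 0x1000),
        (b".rdata", 0x9000, 0x50000, 0x9000, 0x50000),
        (b".data", 0xA000, 0x59000, 0xA000, 0x59000),
        (b".rsrc", 0, 0x63000, 0, 0x63000),      # the broken last section
    ]
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 28, 0x400000)          # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)            # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x1000)            # FileAlignment
    struct.pack_into("<I", opt, OPT_SIZE_OF_IMAGE, 0x7D000)
    struct.pack_into("<I", opt, 60, 0x1000)            # SizeOfHeaders
    table = b"".join(struct.pack("<8sIIIIIIHHI", name, vs, va, rs, rp, 0, 0, 0, 0, 0x40000040)
                     for name, vs, va, rs, rp in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    fixed, size = fix_last_section(build_sample_dump())
    for s in read_sections(fixed):
        print(f"{s['name']:<8} VA={s['virtual_address']:08X} VSize={s['virtual_size']:08X} Raw={s['raw_size']:08X}")
    # Constructed stub bytes: mov eax, 77F73210h ; push eax ; ret (the address is made up)
    print(hex(decode_redirect_stub(b"\xB8\x10\x32\xF7\x77\x50\xC3")))
```

The section fix deliberately writes only the two size fields the post mentions; the raw pointer is left alone because a full process dump already has file offsets equal to RVAs. For the stub decoder, run it over the bytes at each address ImpREC left unresolved; a hit gives the real API address to type into ImpREC, while a miss (`None`) is the signal to look at the code by hand, since not every redirected thunk uses this exact three-instruction form.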
