Anti Dump


SpeKKeL
October 16th, 2002, 11:50
Hajo,

For a change no aspr bla bla...
Had a go this morning with PELock from some Polish Bart..
After a lot of garbage code, IDT attempts, and so on, I safely landed on the OEP!
Now I struggled with dumping (yes, the author said he had implemented an anti-dump (LordPE/ProcDump) feature).
A closer look at the header didn't reveal anything to me.
Question: Which ways are there, besides the ff ff, to prevent dumping?

Ciao,

SpeKK

evaluator
October 16th, 2002, 12:27
Hi!

I do NOT have any problem dumping "PELock" by Bartosz with LP_deluxe..

What is wrong for you?

SpeKKeL
October 16th, 2002, 12:42
I wonder,

From where did you dump??
OEP 401beb

Spekk

_Servil_
October 16th, 2002, 18:00
hi spekk,

VirtualProtectEx?

Did you have problems dumping under Win2k/NT/XP?
Dumping under Win9x sometimes works for me when XP fails;
some memory protection schemes used don't take effect on Win9x. I saw some thread about this (...Shrinker...? I think).

However, I'm not too sure about it.

evaluator
October 16th, 2002, 18:17
Yep, seems it's a new version you're trying.
Ok, I will look.

evaluator
October 16th, 2002, 18:37
Hey!

Just checked v1.04 on W98SE & XP.

Step1: "Correct image size"
Step2: "Dump partial"

& I have a DUMP.
Nothing was wrong.

BTW:
I had unpacked PELock 1.01 & 1.02.
It uses runtime decryption/encryption for code pieces.
SO a simple dump SHOULD be useless..
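
As an added example (not code from this thread, nor from PELock or LordPE), the "Correct image size" step can be reproduced by hand: recompute SizeOfImage from the section table, rounded up to SectionAlignment, and compare it with the value the header declares. The sample PE header is constructed inside the script, and the bogus value 0xFFFFFFFF in the tampered copy is an assumption, not a value taken from PELock.

```python
import struct

def align_up(value, alignment):
    """Round value up to a multiple of alignment (0 means no rounding)."""
    return value if alignment == 0 else -(-value // alignment) * alignment

def check_size_of_image(image):
    """Return (declared, expected, ok): SizeOfImage from the optional header,
    the value recomputed from the section table, and whether the two agree."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    # SectionAlignment (+32) and SizeOfImage (+56) sit at the same offsets in PE32 and PE32+.
    section_alignment = struct.unpack_from("<I", image, opt + 32)[0]
    declared = struct.unpack_from("<I", image, opt + 56)[0]
    table = opt + opt_size  # section headers follow the optional header, 40 bytes each
    end = 0
    for i in range(nsections):
        vsize, vaddr = struct.unpack_from("<II", image, table + i * 40 + 8)  # VirtualSize, VirtualAddress
        end = max(end, vaddr + vsize)
    expected = align_up(end, section_alignment)
    return declared, expected, declared == expected

def build_pe(size_of_image, section_alignment, sections):
    """Construct a minimal PE32 header in memory (test data, not a real executable)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 32, section_alignment)
    struct.pack_into("<I", opt, 56, size_of_image)
    table = b"".join(struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, 0, 0, 0, 0, 0, 0, 0)
                     for name, vsize, vaddr in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table

SECTIONS = [(b".text", 0x1000, 0x1000), (b".data", 0x0C00, 0x2000)]  # constructed layout
GOOD = build_pe(0x3000, 0x1000, SECTIONS)          # consistent header
TAMPERED = build_pe(0xFFFFFFFF, 0x1000, SECTIONS)  # assumed bogus SizeOfImage
```

Run on a dumped image, a mismatch between declared and expected means the header's SizeOfImage must be corrected before the dump's extents can be trusted.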

SpeKKeL
October 17th, 2002, 15:45
Hee, thanks eval,

Correct image size did the trick >> dumped, and now I'm writing a little code to trace the imports ...push ret, push ret and so on...

After that I'll try to rebuild all,

(Did you rebuild the prog.???)

CiaO,

Spekk.

evaluator
October 17th, 2002, 18:45
Eh, Spekk!

I can't imagine you missed such an easy fact as "correct image size".
Tsss! WoodMann can put you in the "Hall of Shame" ~:0

& I can't understand your maniacal hobby: writing plugins for tracing redirectors.

For example, you can patch PELock's resolver code in the debugger,
so it will directly put the true import address in the IAT, not a redirected one!

For code decrypting:
You need to analyse the dump for encrypted sectors, write down the start address of each decryptor call,
then at the OEP jump to each of them & decrypt. Lots of work.

SpeKKeL
October 17th, 2002, 21:05
hahahahaha ....Yep you're right eval,

But on the other side, I'm not ashamed to ask questions.............
Never too old to learn something!
Writing plugins..hehe, it just gives me some satisfaction and it
improves my home-brewed coding.


Happy unpacking eval,

see you,

Spekk