Zilot
April 9th, 2003, 05:25
Part I
I've read the tutorial about unpacking Bit-Art, and what is said there is OK but
is enough just for the main screen appearing. After that each button causes some
crash. It is because there are some more calls inserted into the code to prevent
using the unpacked version.
Every call decrypts itself and after that it encrypts itself again. And the best
method to see what code is supposed to execute instead of the inserted call is to watch
what's going on with the stack,
and after restoring registers and flags there is a "health code" 5 bytes long.
And after that there is again pushing registers and call encryption.
The calls table starts at 4e30f5 and ends at 4e4ec1 and I put a breakpoint at the
beginning of each, and then took some actions, so I knew which of the calls is
invoked. After that it was easy. And there is one call that is not in this table and
is responsible for IAT erasing; it can be found by breaking on IAT writing.
So the addition to the tutorial about patching is next: