Go to footer

Inlining ACProtect v1.32

Articles regarding Reversing and Software Protections.

Re: Inlining ACProtect v1.32

Postby H_T_P » Thu Dec 30, 2010 11:40 pm

You have a point about many of the tutorials out there.

People usually rely on tools, so when you get a tutorial wanting to learn...learn and learn some more you start reading stuff like "use this tool, no run that script..and congrats you made it!", which of course this is not my spirit.

In the end, that's alright if somebody uses a tool, but at least he should explain to the readers what the f*ck is going on.

When I will have the time I will add some stuff, and don't worry about bothering me because people like you, are the reason why I created this forum.
I have Inlined Truth into Well-Packed lies. (Hack_ThE_PaRaDiSe)
User avatar
H_T_P
Site Admin
 
Posts: 84
Joined: Mon Mar 01, 2010 7:41 pm


Re: Inlining ACProtect v1.32

Postby ahmedbaker » Fri Dec 16, 2011 2:38 pm

Hi

Thanks for your useful article. I did benefit from it much.

I have one question that is how can I reach the oep of this progii

Pleas help

Regards.

Ahmedbaker
ahmedbaker
 
Posts: 1
Joined: Fri Dec 16, 2011 2:34 pm


Re: Inlining ACProtect v1.32

Postby H_T_P » Fri Dec 16, 2011 9:16 pm

Hi Ahmed, I have written this article long time ago so I do not remember much about this case.

However, if I remember correctly ACProtect had stollen the oep and redirects with several jumps from its own code to the real instructions of the oep before the execution flow goes completely inside the real code of the prog.

My advice would be, if you have any previous experience with manual unpacking, to monitor the section (usually .text) where the code of the app is located, using mem bp on access, in order to get as close to the oep as possible and then check the stack in order to trace back gradually the real oep.

I am not sure if this would also work, but you can also try to reach the part where the packer starts jumping to the instructions of the real oep and set the oep there. If this is not inside a virtual allocated memory area, should work.

You will probably have to deal also with imports redirection. In this case use HW BPs on access on IAT's entries and locate where the redirection occurs. I think, patching one or two jumps was enough to avoid import redirections.

I hope this helped. Thanks for visiting.

H_T_P
I have Inlined Truth into Well-Packed lies. (Hack_ThE_PaRaDiSe)
User avatar
H_T_P
Site Admin
 
Posts: 84
Joined: Mon Mar 01, 2010 7:41 pm

Previous

Return to Board index

Return to Reversing - General Articles

Who is online

Users browsing this forum: No registered users and 1 guest