06-09-2010, 10:25 AM
{Guess7Who}
Junior Member
Join Date: Jun 2010
Posts: 3
Self Modifiable Codes

Hello Experts,
I am stuck with a problem during seed hunting on a flexlm target daemon 11.3. When I load it in IDA, it shows that the code section 4000000 to 4001000 is hidden. The IAT is at a non-standard location. While manually loading all segments and putting breakpoints at the right places, it never breaks and exits.
In Olly it is the same thing; also, the breakpoints get corrupted and change from CC to either C7 or 83 or FF. So is it a type of self-modifiable code? And how do I deal with the daemon to get correct seed recovery?

Hi Guys,
Nobody interested. Perhaps all the experts are on vacation, busy enjoying beach resorts.
Anyway, I tried digging inside the code, and after a lot of stepping, I found that the flexlm checking is called after the SYSENTER command and then it gives up. So nowhere does it go through the standard procedure of l_sg and all. So what kind of daemon is it? What is going on, can somebody help?

OK. It seems some form of packing is involved in it. There is a little information on the net regarding this: to dump it after setting the correct OIP and then analyze the dumped file. But is that correct for all types of packers? I don't know which one is mine. Also, please help me: how do I set the correct OIP?

Last edited by {Guess7Who} : 06-14-2010 at 12:08 PM. Reason: New Information