  #1  
Old 07-05-2008, 10:42 AM
zedamota
Member
 
Join Date: Jul 2008
Posts: 6
CodeVeil Dump

Hi,

I have been trying to unpack an assembly packed with CodeVeil. I have followed all the tuts, but the problem is that the memory dump is not consistent: sometimes I run it on the BigMouse fixer and all goes well, sometimes it doesn't. The dumps vary in content and size. I tried to understand the best time to dump (during loading, after loading, after messing with it) with no luck.
Did anyone have similar issues? Does anyone have the solution for this?

Thanks.
  #2  
Old 07-05-2008, 12:40 PM
Kurapica
Senior Member
 
Join Date: May 2006
Location: Archives
Posts: 357

Maybe if you post the target here we can have a look.

Good luck.
__________________
Life can only be understood backwards but It must be read forwards.
  #3  
Old 07-05-2008, 01:58 PM
zedamota
Member
 
Join Date: Jul 2008
Posts: 6

The reason I didn't post the target is that it's a commercial one.
It's a frontend for a car PC called Ce~ntrafuse. It's available as a demo and it's about 150 MB.
I can post the exe, but used alone it just crashes.
Thanks!
  #4  
Old 07-05-2008, 02:34 PM
Kurapica
Senior Member
 
Join Date: May 2006
Location: Archives
Posts: 357

I think UFO-PU55Y can show you the right unpacking method using Olly; this needs some extra plugins, if I remember well. You can dump the assembly right after it's decoded by the native stub, but I forgot the code location for this process!!
I hope he reads this soon and replies.
__________________
Life can only be understood backwards but It must be read forwards.
  #5  
Old 07-05-2008, 10:41 PM
zedamota
Member
 
Join Date: Jul 2008
Posts: 6

Thank you very much for your quick answer. I hope that UFO-PU55Y reads this soon also.
  #6  
Old 07-06-2008, 10:58 AM
UFO-Pu55y
Senior Member
 
Join Date: Jan 2007
Posts: 87

Quote:
Originally Posted by zedamota
The dumps vary in content and size. I tried to understand the best time to dump (during loading, after loading, after messing with it) with no luck.
Not when... how did you dump?

Cheerio
  #7  
Old 07-06-2008, 12:29 PM
zedamota
Member
 
Join Date: Jul 2008
Posts: 6

Hi,

I dumped from memory the only way I know how: run the app, then go to WinHex (Tools > Open RAM), dump the main process and File > Save As. It works from time to time; to obtain a "good dump" I must try it about 20 times, closing the app and doing it all again.

Thanks

P.S. Sorry for any spelling mistakes, I'm Portuguese.
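A way to tell a usable dump from a partial one, as an added example that is not part of this thread and not a tool any poster mentions: the script below treats a raw dump as an in-memory PE image and reports whether every section lies inside the dump, whether a CLR (COM descriptor) data directory is present, and whether the metadata it points to starts with the "BSJB" signature. A dump that was saved before the stub finished writing the decoded image typically fails the last two checks, which is one concrete reason dumps "vary in content and size". The image it parses is a constructed minimal PE32 layout built inline, not a real assembly and not the target discussed here; the truncated copy models a dump taken too early.

```python
import struct

CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def find_pe_headers(data: bytes) -> list:
    """Offsets of every 'MZ' whose e_lfanew points at a 'PE\\0\\0' signature."""
    hits = []
    off = data.find(b"MZ")
    while off != -1:
        if off + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
            pe = off + e_lfanew
            if 0 < e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\0\0":
                hits.append(off)
        off = data.find(b"MZ", off + 1)
    return hits


def check_dump(data: bytes, base: int = 0) -> dict:
    """Report how complete the in-memory PE image at `base` looks."""
    r = {"pe": False, "sections_complete": False, "clr_header": False, "metadata": False}
    try:
        if len(data) < base + 0x40 or data[base:base + 2] != b"MZ":
            return r
        pe = base + struct.unpack_from("<I", data, base + 0x3C)[0]
        if data[pe:pe + 4] != b"PE\0\0":
            return r
        r["pe"] = True
        nsections = struct.unpack_from("<H", data, pe + 6)[0]
        opt_size = struct.unpack_from("<H", data, pe + 20)[0]
        opt = pe + 24                      # optional header follows the 20-byte COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        dd_base = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ data directories
        # In a memory image sections sit at their VirtualAddress; all must fit in the dump.
        sect = opt + opt_size
        complete = True
        for i in range(nsections):
            vsize, vaddr = struct.unpack_from("<II", data, sect + i * 40 + 8)
            if base + vaddr + vsize > len(data):
                complete = False
        r["sections_complete"] = complete
        clr_rva, clr_size = struct.unpack_from("<II", data, dd_base + CLR_DIRECTORY_INDEX * 8)
        if clr_rva == 0 or clr_size == 0 or base + clr_rva + 16 > len(data):
            return r
        r["clr_header"] = True
        # IMAGE_COR20_HEADER: cb(4), major(2), minor(2), MetaData RVA(4), MetaData size(4)
        meta_rva, meta_size = struct.unpack_from("<II", data, base + clr_rva + 8)
        start, end = base + meta_rva, base + meta_rva + meta_size
        r["metadata"] = end <= len(data) and data[start:start + 4] == b"BSJB"
    except struct.error:
        pass                               # ran off the end of a truncated dump
    return r


def build_sample_image() -> bytes:
    """Constructed minimal PE32 image with one section and a CLR header (not a real assembly)."""
    img = bytearray(0x2000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                 # e_lfanew
    pe = 0x80
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = pe + 24
    struct.pack_into("<H", img, opt, 0x10B)                 # PE32 magic
    struct.pack_into("<I", img, opt + 56, 0x2000)           # SizeOfImage
    struct.pack_into("<I", img, opt + 60, 0x200)            # SizeOfHeaders
    struct.pack_into("<I", img, opt + 92, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + CLR_DIRECTORY_INDEX * 8, 0x1000, 72)
    sect = opt + 224
    img[sect:sect + 8] = b".text\0\0\0"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", img, sect + 8, 0x1000, 0x1000, 0x1000, 0x1000)
    # CLR header at RVA 0x1000 pointing at metadata at RVA 0x1100
    struct.pack_into("<IHHII", img, 0x1000, 72, 2, 5, 0x1100, 0x100)
    img[0x1100:0x1104] = b"BSJB"
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    print("full image:     ", check_dump(image))
    print("early/truncated:", check_dump(image[:0x1080]))
```

Run against a saved dump file, `find_pe_headers` locates candidate images inside it and `check_dump(data, base)` scores each one; only an image where all four flags are true is worth passing on to a fixer.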
  #8  
Old 07-06-2008, 12:46 PM
UFO-Pu55y
Senior Member
 
Join Date: Jan 2007
Posts: 87

OK, I thought you had already tried with Olly.
http://www.tuts4you.com/download.php?view.2004
If it's a newer CodeVeil, you need the Olly plugin
called 'phant0m'. You'll also find it on that site.
  #9  
Old 07-06-2008, 01:08 PM
Kurapica
Senior Member
 
Join Date: May 2006
Location: Archives
Posts: 357

I knew you still remember how to do that, old man!!

Well done.
__________________
Life can only be understood backwards but It must be read forwards.
  #10  
Old 07-06-2008, 07:47 PM
zedamota
Member
 
Join Date: Jul 2008
Posts: 6

Just tried it. Couldn't find the pattern '0x660F280F' or any command involving MMX registers like in the tut.
Please confirm that I should be looking for this in the app's main thread after Olly stops at the EP (I think).

Thanks for your help!