Quote:
Originally Posted by Cowsheep
I have written it in a bad way, RtlGetLastWin32Error is imported from ntdll.dll, but securom uses the result in order to check if it is a dump or not ("RtlGetLastWin32Error: here again we need to return 1, in case there are errors we tell there aren't any"), like GetCurrentProcessId. (or is complete owning here wrong, too?)
|
it's wrong... and you'd see that if you actually traced it..
ntdll.RtlGetLastWin32Error
Code:
64A118000000 mov eax,fs:[000000018]
8B4034 mov eax,[eax][034]
kernel32.GetLastError
Code:
64A118000000 mov eax,fs:[000000018]
8B4034 mov eax,[eax][034]
notice something? yes THEY ARE BOTH THE SAME
securom is calling GetLastError - making it return 1 is
(a) fucking stupid
(b) really fucking stupid
(c) i think i've made the point... yes?
error code 1 translation..
[System Translation] -> Incorrect function.
Quote:
Automating fixing the jmp bridges is a must, there are simply too many for doing it manually.
|
wrong.. you're using the wrong method.. haven't you realised that?
Quote:
Respect to you for coding your own tools, I can't do that, must use public tools and plugins.
That's the difference between a script kiddie like me and the oldschool leet you belong to
|
well, i'm not after respect..
honest advice..
ditch the scripts, ditch the 3rd party tools, learn to code, learn asm (pretty much a must), spend some time, make lots of notes, trace, figure out how each module in the protection works, then figure out how to 'fix' it...
otherwise you're really just wasting your own time, and will get nowhere.