tonyblair Posted April 16, 2009

Hi, can someone help me? I need a tutorial on how to debug a DLL in standalone mode with IDA Pro.
1 - The DLL is packed or encrypted.
2 - I want to avoid loading the calling program.
Thanks in advance to the gurus who could help.
PS: @Moderators, you can delete this thread if it conflicts with the rules.
Rock Lee Posted April 17, 2009

Well, I found this; dunno if it is exactly what you're looking for. I will keep looking just in case :dance2:
tonyblair Posted April 17, 2009 Author

@Rock Lee
I found an interesting tip in your link: load two or more files into the same single IDA Pro database. For example, we have CLTLMH.EXE and want to load an additional file, cltLMSx.dll, to see how they interact with each other, as the IDA debugger does not launch a DLL but only an EXE (a DLL is called by an EXE; it is not a standalone program).
The library cltLMSx.dll is encrypted (Consumer_Licensing_Technologies_r9.5).
I will try what was recommended in the link you provided and see if I move forward.
My aim is to decrypt the DLL.
Thanks for your help, I appreciate it. :dance2:
Rock Lee Posted April 17, 2009

No problem, I've been on the lookout for more. Haven't seen too many.
This one is another tutorial but in .pdf form, which means you'll need Adobe Reader (if you don't already have it). I didn't get a chance to look it over but it may be able to help you.
*Note: to view it, click the download arrow at the end of the description.
tonyblair Posted April 18, 2009 Author

@Rock Lee
Yes, I have Adobe. Thanks again for the document and for the site as well; it seems to be a gold mine.
This is a flavour of what I am seeing under the "microscope" (for fun and curiosity):

.data:6C3535B4 dd offset aTrialmaxdays   ; "TrialMaxDays"
.data:6C3535B8 dd offset aTrialremaini_0 ; "TrialRemainingDays"
.data:6C3535BC dd offset aActivationkey  ; "ActivationKey"
.data:6C3535C0 dd offset aActivationdate ; "ActivationDate"
.data:6C3535C4 dd offset aEnddate        ; "EndDate"
.data:6C3535C8 dd offset aCustomerid     ; "CustomerID"
.data:6C3535CC dd offset aProductserialn ; "ProductSerialNumber"
.data:6C3535D0 dd offset aEndpointid     ; "EndPointID"
.data:6C3535D4 dd offset aSeatcount      ; "SeatCount"
.data:6C3535D8 dd offset aComputername   ; "ComputerName"
.data:6C3535DC dd offset aSymskucurrent  ; "SymSKUCurrent"
.data:6C3535E0 dd offset aSymskufamily   ; "SymSKUFamily"
.data:6C3535E4 dd offset aSymskumedia    ; "SymSKUMedia"
.data:6C3535E8 dd offset aProductid      ; "ProductID"
.data:6C3535EC dd offset aSymantecvendor ; "SymantecVendorId"
.data:6C3535F0 dd offset aSku            ; "SKU"
.data:6C3535F4 dd offset aEarlyrenewmaxd ; "EarlyRenewMaxDays"
.data:6C3535F8 dd offset aEarlyremaining ; "EarlyRemainingDays"
.data:6C3535FC dd offset aSubscriptionma ; "SubscriptionMaxDays"
.data:6C353600 dd offset aSubscription_0 ; "SubscriptionRemainingDays"
.data:6C353604 dd offset aSubscriptionwa ; "SubscriptionWarningDays"
.data:6C353608 dd offset aRemainingdays  ; "RemainingDays"

Or this:

But all of this is misleading fake statements (all in plain text in the non-encrypted libraries). The true ones are hidden in the encrypted DLLs in a segment like this:

We know the meaning of these segments: .txt, .rdata, .data. But my question is: who knows the meaning of this .asdfas segment? Is it a well-known encryptor, packer or whatever? :lmao:
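The question above is really "does this section look packed?". A quick way to answer it before opening IDA is to walk the PE section table and score each section on its name, its entropy and its flags. The script below is an added example, not code from this thread or from any tool the posters mention. It builds a constructed, fake PE image in memory (only the section name ".asdfas" is taken from the post; the bytes are synthetic) so it runs offline; the STANDARD_SECTIONS list and the 7.0 bits/byte threshold are my own heuristic choices, and a non-standard name on its own does not identify any particular packer.

```python
import math
import random
import struct

# Section names the usual Windows linkers emit (assumed list, not exhaustive).
# A name outside this set does not identify a packer by itself; it is just the
# first place to look.
STANDARD_SECTIONS = {
    ".text", ".rdata", ".data", ".bss", ".idata", ".edata", ".rsrc",
    ".reloc", ".pdata", ".xdata", ".tls", ".CRT", ".textbss",
}

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for compressed/encrypted data, near 0 for padding."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (_machine, nsections, _ts, _symptr, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size           # section table follows the optional header
    sections = []
    for i in range(nsections):
        (name, vsize, va, raw_size, raw_ptr, _rel, _ln, _nrel, _nln,
         flags) = struct.unpack_from("<8sIIIIIIHHI", pe, table + i * 40)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va,
            "virtual_size": vsize,
            "raw_size": raw_size,
            "characteristics": flags,
            "entropy": shannon_entropy(raw),
        })
    return sections


def audit_sections(pe: bytes, entropy_threshold: float = 7.0) -> dict:
    """Map section name -> reasons it looks like packer output or an unpack target."""
    report = {}
    for s in parse_sections(pe):
        reasons = []
        if s["name"] not in STANDARD_SECTIONS:
            reasons.append("non-standard name")
        if s["entropy"] >= entropy_threshold:
            reasons.append("high entropy %.2f" % s["entropy"])
        if (s["characteristics"] & IMAGE_SCN_MEM_WRITE
                and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE):
            reasons.append("writable and executable")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            reasons.append("no raw data but non-zero virtual size (unpack target)")
        report[s["name"]] = reasons
    return report


def build_sample_pe() -> bytes:
    """Constructed test image, not a real binary: a low-entropy .text section
    plus a writable+executable '.asdfas' section filled with pseudo-random bytes."""
    rng = random.Random(1)
    text = bytes([0x90]) * 500 + b"\xc3"                      # NOP sled + RET
    packed = bytes(rng.getrandbits(8) for _ in range(4096))   # stands in for encrypted code
    opt_size = 0xE0                                           # PE32 optional header size
    raw0, raw1 = 0x400, 0x600                                 # file offsets of the two sections
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x2102)
    sec0 = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), raw0,
                       0, 0, 0, 0, 0x60000020)                 # code, read, execute
    sec1 = struct.pack("<8sIIIIIIHHI", b".asdfas", len(packed), 0x2000, len(packed), raw1,
                       0, 0, 0, 0, 0xE0000020)                 # code, read, write, execute
    img = bytearray(raw1 + len(packed))
    img[0:64] = dos
    img[64:68] = b"PE\0\0"
    img[68:88] = coff
    img[88:88 + opt_size] = bytes(opt_size)
    img[88 + opt_size:88 + opt_size + 80] = sec0 + sec1
    img[raw0:raw0 + len(text)] = text
    img[raw1:raw1 + len(packed)] = packed
    return bytes(img)


if __name__ == "__main__":
    for name, reasons in audit_sections(build_sample_pe()).items():
        print("%-8s %s" % (name, ", ".join(reasons) or "looks ordinary"))
```

Run it against a real file with `audit_sections(open(path, "rb").read())`. A section that is both non-standard and high-entropy and writable+executable, as ".asdfas" is in the constructed image, is the classic shape of a packer stub's payload; the empty-raw-data case catches the section the stub unpacks into at run time, which is where you would set a breakpoint once the DLL is loaded in a process.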
This topic is now archived and is closed to further replies.