
Thread: Unpacking Kazaa 2.6

  1. #1
    Anyone found a way to unpack Kazaa 2.6? I've been trying, and all I got was a file of around 3.7 MB (the original is 2.4 MB). I thought it was unpacked, but it doesn't disassemble, and all sections seem to still be encrypted (when I checked with Resource Hacker). Not enough, the damn IAT is messed up, and ImpREC couldn't resolve it...

    I've done a search, and it seems that no one has found a way to unpack ActiveMark?

    By the way: Is it really packed with ActiveMark? I've run a game which was packed with ActiveMark, and it bitched because of SoftICE, but Kazaa doesn't detect it...

    Edit:
    http://www.zerosecurity.de/modules.php?op=...order=0&thold=0

  2. File Sharing   -   #2

  3. File Sharing   -   #3
    I'm trying to play with ProcDump, but somehow Kazaa is hiding itself from the listing - any ideas?

  4. File Sharing   -   #4
    To sharedholder:
    I have been there before, not much help, since I've got lots of tools. Thanks.

    To Agent-Smith:
    No, it doesn't hide itself. Right-click on the list and choose refresh. When I tried to unpack, ProcDump crashed.

    To anyone interested:
    I've been able to unpack this file (Kazaa available at kazaa.com) and so far here is a summary:
    The dumped code sections seem to match.
    It includes a splash screen of Kazaa Plus and a dialog saying: You appear to be trying to use Kazaa Plus on a PC that isn't licensed.
    But there's no direct reference to this dialog, which makes me think that the programmers just commented out some parts to make Kazaa Plus.
    All resource sections (besides string references) are OK.
    The string references are working well in the disassembly listing.
    The IAT is mangled. But it uses the FF15 trick, where it calls an address, and this address jumps to the API. I've found the table where this data is located.
    Anyone interested?

    Just one thing is pissing me off: when I start it, it complains that the adware files have been removed, and it will be shut down. Until now, I couldn't bypass this dialog.

    If you have any tips...

  5. File Sharing   -   #5
    How'd you get it to unpack? I messed about with it for a few hours and got frustrated.

  6. File Sharing   -   #6
    Maybe you could upload an unpacked copy somewhere, so people more proficient at cracking can get to work. Good work with unpacking.

  7. File Sharing   -   #7
    @Ferasso
    Great work so far! I have problems making KaZuperNodes and KaNAT work with KMD since version 2.5, as it doesn't allow me to modify values in its memory space (OpenProcess fails). I'm very interested in this unpacked version!
    K-Lite v2.7
    KaZuperNodes/KaNAT

  8. File Sharing   -   #8
    Hey, you've done great work so far with the unpacking, nice to see there's such initiative... so you can get into the resource sections, huh? So are there many differences in strings and stuff compared with KMD 2.02? Because if not, I think we could get the K++ and KL extensions to work with a few little changes, and that would be very good news...
    BTW, indeed host the unpacked version somewhere so more devs can look at it. That way there can be a solution to your problems more quickly.

  9. File Sharing   -   #9
    Hey man, just wondering... what program did you use to get this result?

    (Hmm, I should have edited my above post... damn, I'm just too lazy, so sorry for the double post.)

  10. File Sharing   -   #10
    First, sorry for taking so long, my PC broke after I kicked it, so now I've borrowed a machine from a friend.
    I can't host the file, since this computer doesn't have the file, not SoftICE, nothing. But as a good cracker, I have everything on paper, so I'll tell you how to unpack Kazaa yourself.
    Tools: SoftICE, LordPE, hex editor

    Open kazaa.exe in a hex editor, go to offset 12FACC, there you will find a byte BB, and change it to CC. Save, then go into SICE and:
    bpint 03
    Run the file, Sice breaks.
    e eip bb
    bc*
    bpmb 576E71 x
    F5

    Wait... sice breaks
    a eip
    jmp eip
    nop
    enter
    F5

    Go into LordPE, fully dump Kazaa, then kill the task.
    Open it in PE Editor, set the entry point to 176E71.
    Save. Open it in a hex editor, find EBFE90 and replace it with 558BEC. Done.
    If you want to disassemble in W32Dasm, set the section characteristics to E0000.. instead of C00...
    I'll get back WHEN I can, and IF I can... sorry.

    Edit:
    OH MY GOD! I'VE FINALLY POSTED! THE DAMN COMPUTER CRASHED TWICE WHILE I WAS POSTING BEFORE....

    The IAT will be corrupted, but you can do a bpx on it and watch the stack (dd esp); the first address is where it came from. Do an unassemble at that address and you will see something like

    jmp address
    jmp address
    jmp address
    jmp API_CALL
    jmp API_CALL
    jmp API_CALL
    jmp API_CALL
    jmp API_CALL
    jmp API_CALL
    and so on....

    On my computer, look at A00014 and you will see.
    Good luck. And if anyone wants to buy me a new PC...
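    The post above says a raw dump's code section keeps the C00... (data, read, write) characteristics and W32Dasm won't treat it as code until they are set to E0000... (code, execute, read, write). The following is an added example, not code from the thread: it walks a PE section table, reports whether the section holding AddressOfEntryPoint is marked executable (the check an analyst runs on any dump before disassembling it), and rewrites that DWORD. The sample image is constructed in memory; only the entry RVA 176E71 comes from the post.

```python
import struct

# IMAGE_SCN_* bits from the PE/COFF spec: 0xC0000040 = INITIALIZED_DATA|READ|WRITE,
# 0xE0000020 = CODE|EXECUTE|READ|WRITE.  IMAGE_SECTION_HEADER is 40 bytes; Characteristics is the last DWORD.
MEM_EXECUTE = 0x20000000
SECTION_FMT = "<8sIIIIIIHHI"

def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a raw 32-bit PE image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]              # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]         # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]       # optional header + 16
    table = pe + 24 + opt_size
    sections = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, data, table + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1], "rva": f[2],
                         "flags": f[9], "hdr_off": table + 40 * i})
    return entry, sections

def entry_section_executable(data):
    """(name of the section holding the entry point, whether it carries MEM_EXECUTE)."""
    entry, sections = parse_pe(data)
    for s in sections:
        if s["rva"] <= entry < s["rva"] + s["vsize"]:
            return s["name"], bool(s["flags"] & MEM_EXECUTE)
    return None, False

def set_characteristics(data, name, value):
    """Copy of data with the named section's Characteristics rewritten (the C00.. -> E00.. fix)."""
    buf = bytearray(data)
    for s in parse_pe(data)[1]:
        if s["name"] == name:
            struct.pack_into("<I", buf, s["hdr_off"] + 36, value)
    return bytes(buf)

def build_sample():
    """Constructed minimal image mimicking a raw dump: .text still flagged as data (hypothetical layout)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, 0x176E71)                     # entry point RVA from the post
    secs = struct.pack(SECTION_FMT, b".text", 0x200000, 0x1000, 0x200000, 0x400, 0, 0, 0, 0, 0xC0000040)
    secs += struct.pack(SECTION_FMT, b".rsrc", 0x1000, 0x201000, 0x1000, 0x200400, 0, 0, 0, 0, 0x40000040)
    return dos + coff + bytes(opt) + secs
```

Running `entry_section_executable(build_sample())` reports `.text` without MEM_EXECUTE; after `set_characteristics(..., ".text", 0xE0000020)` the same check passes, which is exactly the state a disassembler needs.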
