Reverse Code Engineering RCE CD +sandman 2000

home *** CD-ROM | disk | FTP | other *** search

/ Reverse Code Engineering RCE CD +sandman 2000 / ReverseCodeEngineeringRceCdsandman2000.iso / RCE / LiuTaoTao / crhwinfo.txt < prev next >

Wrap

Text File | 2000-05-25 | 2KB | 54 lines

Software name: HWiNFO Version 4.2.2 Oct-20-1997 The file 'hwinfo.exe' begin with: V V V V 0000: 4D 5A 50 01 65 01 00 00 02 00 F3 4B FF FF 00 00 MZP.e......K.... 0010: 30 00 00 00 40 00 00 00 1C 00 48 57 69 4E 46 4F 0...@.....HWiNFO This means it needs 150h*200h + 4bf30h = 75f30h bytes memory to run ! But we only have 0-9ffff, DOS will use some, TR will use 120K, How can I trace it in TR ? Does it really need so much memory ? Lets have a test: (1) Change 'hwinfo.exe' offset 0ah from 'f3 4b' to 'f3 0b'. -------------------------------------------------------- Run new hwinfo.exe, OK! (2) Now lets unpack it: TR hwinfo.exe ;modified getknl MKEXE This will create file MEM.EXE. It runs OK! (3) File mem.exe still has a shell. I have tried to unpack it: copy mem.exe mem1.exe TR mem1.exe ;please pay attention to SS. ;if SS>a000, you should optimize your memory first exe1 reload goreg cs ax=0 ;wait a moment wexe1 ;wait exe2 reload goreg cs ax=0 wexe2 q MKEXE This make new MEM.exe, but it doesnt work ! I donot know why the second mem.exe doesnt work, but I think it must concern to its large size. I have tried UPC(v1.06.3) and TEU(v1.73e), they all find the file is compiled by Borland C v3, but they all can not get a usable new EXE file. TR can successfully unpack the first shell of hwinfo. And TR can unpack the second shell, but still has some problem to solve. This is what I can do today.