Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   x32dbg and debugging special question (https://forum.exetools.com/showthread.php?t=20116)

squareD 03-18-2022 00:40

x32dbg and debugging special question
Well, I'm coming from OllyDbg and I'm learning this debugger...

My actual target is a file manager, I don't want to say which, protected by a soft called eleckey, made by a company called sciensoft.

I'm testing to find out how to generate a key from the ID and an activation from the key, and I'm not a professional who studied IT.

My problem at least is the system call "sysenter" with eax==E5.
After this call the change from goodboy to badboy has been done...
I can't debug any further to see how and where the calculation has gone.

eax==E5 means NtQueryInformationAtom and I don't know how to get on.
Can't break, can't see what is happening, it's just frustrating!!! :eek:

Maybe someone, maybe mr.exodia himself, can give me a hint on how to go on?

pp2 03-20-2022 00:43

You cannot debug or step into kernel calls, like syscalls, using just x32dbg, x64dbg or any other pure user-space debugger. Use WinDbg in live (kernel) mode instead if you need to see what's happening in this syscall. But even with WinDbg you cannot step into the syscall; you can just set a conditional breakpoint on the syscall handler (whose address can be obtained by reading the MSRs) with EAX==0xE5.

squareD 03-26-2022 23:26

I'm out of luck with ring 0 debuggers...
Syser Debugger v1.99 doesn't want to work with VM Workstation, because of some graphics problems?
And WinDbg is always disabled and wants me to do a bcdedit -debug on.
After this my Win 7 in VM Workstation isn't able to boot and breaks.
So there's no way besides a VM to debug, and that doesn't work.
A new PC and a new hard disk to make it work, I don't think I'll do that.
Sorry for stealing your time, ring 0 debugging isn't possible for me at this time.

And sadly the new Syser is only a ring 3 debugger!

sh3dow 03-27-2022 06:54

Why is your VM unable to boot? That's strange. Did you configure the VM and WinDbg correctly? You need to check again. Also, in case you didn't know, you need to configure the debuggee (Win7), WinDbg and the VM software (from the VMware settings), not only the debuggee and WinDbg.

Also, in case you have Secure Boot enabled on your Win7 VM, it needs to be disabled.

fqjp 04-22-2022 17:57

It may be that the program is anti-debugging.
How did you get that E5 corresponds to NtQueryInformationAtom?
I got that the SSDT index number of NtQueryInformationAtom is 114 on a Win7 64 system.

squareD 04-22-2022 20:31

In the meantime I gave up analyzing this calculation of sciensoft.
The target uses online activation with a probably modified algo, so I'm unsure if working on it will give me a solution.
Instead I analyzed the protection algo, made a bruteforcer for patching bytes in these programs, and maybe I'm on the way to cracking it.
I know it's only the second best way and I will never ever do it again, but solved is solved ;):cool:

wassim_ 04-23-2022 01:33

Is the main exe packed?
Are you trying to reverse eleckey's dll?
I can have a look if you'd like a helping hand.
Please share target via pm.
Edit: it seems I can't send or receive PMs anymore.
Please post here if you still need assistance.

squareD 04-25-2022 23:46

Not only the main one, but all EXEs are packed/protected.

I decoded the protection algo, so I'm able to patch these programs.
The x86 version seems to be fully working, and in the x64 version there are two problems left to solve.

Hope you are not another spy trying to find out what I'm doing? :D

Try it and help me, every helping hand is welcome.
