Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Help for unknown protector (https://forum.exetools.com/showthread.php?t=13180)

Newbie_Cracker 12-27-2010 17:20

Help for unknown protector
 
Hello everybody.

A few days ago I saw an unknown protector (at least for me).

Here is the link of protected target:
Code:

http://download.akvis.com/akvis-lightshop-setup.exe
The EP of the protector looks like this.
Code:

010F4000 <> /EB 01                      JMP SHORT Lightsho.010F4003
010F4002    |99                        CDQ
010F4003    \50                        PUSH EAX
010F4004    EB 04                      JMP SHORT Lightsho.010F400A
010F4006    2B67 A9                    SUB ESP,DWORD PTR DS:[EDI-57]
010F4009    15 E8140000                ADC EAX,14E8
010F400E    00EB                      ADD BL,CH
010F4010    0321                      ADD ESP,DWORD PTR DS:[ECX]
010F4012    96                        XCHG EAX,ESI
010F4013    D6                        SALC
010F4014    EB 03                      JMP SHORT Lightsho.010F4019

The section has no name.
Its unpacking routine is strange!
After the 6th exception, it writes the code section.

None of the breakpoints work to trap the write sequence.

Does someone know what's its name?
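The listing above is what a linear-sweep disassembler shows; the `SUB ESP,DWORD PTR DS:[EDI-57]` and `ADC EAX,14E8` lines are junk bytes that the short jumps step over and that never execute. The script below is an added example (not code from the thread) that walks the executed path through the stub from the bytes in the listing and reports which bytes are skipped. It decodes only the opcodes that occur on that path, and its continuation after the `call` at 010F400A is an assumption, since a protector stub may not return there.

```python
"""Follow the real control flow through the junk-padded entry stub.

Added example, not code from the thread. STUB is transcribed from the EP
listing posted above (0x010F4000-0x010F4015); nothing past that range is
known, so the walk stops when it runs off the end. Only the opcodes that
occur on the executed path are decoded (EB jmp rel8, E9 jmp rel32,
E8 call rel32, 50 push eax, 99 cdq); any other byte on the path ends the
walk with an '<undecoded>' entry.
"""
import struct

EP = 0x010F4000

# Bytes transcribed from the listing (assumed accurate and contiguous).
STUB = bytes.fromhex(
    "EB01"          # 010F4000  jmp short +1  (skips the 0x99)
    "99"            # 010F4002  cdq           (never executed)
    "50"            # 010F4003  push eax
    "EB04"          # 010F4004  jmp short +4  (skips 4 junk bytes)
    "2B67A915"      # 010F4006  junk
    "E814000000"    # 010F400A  call +0x14
    "EB03"          # 010F400F  jmp short +3
    "2196D6"        # 010F4011  junk
    "EB03"          # 010F4014  jmp short +3  -> 010F4019, past the listing
)


def decode(code, off):
    """Decode one instruction at `off`: (length, mnemonic, target offset or None)."""
    op = code[off]
    if op == 0xEB:                                      # jmp short rel8
        rel = struct.unpack_from("<b", code, off + 1)[0]
        return 2, "jmp short", off + 2 + rel
    if op == 0xE9:                                      # jmp rel32
        rel = struct.unpack_from("<i", code, off + 1)[0]
        return 5, "jmp", off + 5 + rel
    if op == 0xE8:                                      # call rel32
        rel = struct.unpack_from("<i", code, off + 1)[0]
        return 5, "call", off + 5 + rel
    if op == 0x50:
        return 1, "push eax", None
    if op == 0x99:
        return 1, "cdq", None
    return None


def follow(code, base, start=0, max_steps=64):
    """Walk the executed path from `start`.

    Returns (trace, junk): trace is a list of (va, mnemonic, target_va),
    junk the sorted VAs of bytes the path never touches. A call is
    recorded and the walk continues at its return address; that
    fall-through is an assumption, since a protector may well not return.
    """
    trace, covered = [], set()
    off = start
    for _ in range(max_steps):
        if not 0 <= off < len(code):
            trace.append((base + off, "<outside listing>", None))
            break
        d = decode(code, off)
        if d is None:
            trace.append((base + off, "<undecoded %02X>" % code[off], None))
            break
        length, mnem, target = d
        covered.update(range(off, off + length))
        trace.append((base + off, mnem, None if target is None else base + target))
        off = target if mnem.startswith("jmp") else off + length
    junk = [base + o for o in range(len(code)) if o not in covered]
    return trace, junk


def trace_ep():
    """Trace the posted stub from its EP."""
    return follow(STUB, EP)


if __name__ == "__main__":
    trace, junk = trace_ep()
    for va, mnem, target in trace:
        print("%08X  %-18s %s" % (va, mnem, "" if target is None else "%08X" % target))
    print("junk bytes:", ", ".join("%08X" % va for va in junk))
```

The walk gives jmp 010F4003, push eax, jmp 010F400A, call 010F4023, jmp 010F4014, jmp 010F4019, and eight junk bytes (010F4002, 010F4006-010F4009, 010F4011-010F4013). Stepping in the debugger with F7 instead of reading the linear listing shows the same path.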

Newbie_Cracker 12-27-2010 18:15

I found the decompression routine, but I still don't know why OllyDbg cannot break on write to memory!!!

The protector stub calls VirtualProtectEx after the 6th exception (it copies the first 6 bytes, executes them and jumps into the middle of the API) to change the access of the code section. Is this the cause of bypassing the memory breakpoint (as it's a page guard)?

It seems that the protector clears hardware breakpoints too.

unknownone 12-27-2010 21:54

Why don't you use a plugin for Olly which hides the debugger and protects against common anti-debugging tricks?

Archer 12-28-2010 02:29

OEP RVA 00626A7D

Archer 12-28-2010 17:56

Unpacked file here http://www.multiupload.com/I3989AR3HX
Two API calls were left unidentified:
0046A918 . FF15 6C40BC00 CALL DWORD PTR DS:[BC406C]
0046AB1C . FF15 6840BC00 CALL DWORD PTR DS:[BC4068]
They don't look like regular API calls, so I just NOPped them.
An overlay also exists but wasn't appended, to minimize the size.
The last sections were cut and the resources were rebuilt.
The file seems to be working fine on 2 different OSs but I haven't tested it thoroughly.
It's just unpacked, nothing else is patched or cracked.

Newbie_Cracker 12-28-2010 18:44

It's not too hard to unpack. I didn't work on its API redirection routine yet, because it's too easy to crack using a loader !! ;)

I just want to know the name of protector.

Anyways, thanks Archer.

uLysse 12-28-2010 21:24

It's Obsidium v1.4

API redirections like this:
Code:

003E1858  60                  PUSHAD
003E1859  9C                  PUSHFD
003E185A  66:BD F6AD          MOV BP,0ADF6
003E185E  EB 03                JMP SHORT 003E1863
003E1860  0253 24              ADD DL,BYTE PTR DS:[EBX+24]
003E1863  66:BB 0E99          MOV BX,990E
003E1867  -E9 752EFDFF          JMP 003B46E1

are typical of Obsidium.

And this (mov reg32, API / nop):
Code:

00A268C6  . BB 49AA807C    MOV EBX,kernel32.GetProcessHeap
00A268CB  . 90            NOP
00A268CC  . FFD3          CALL EBX                                ; [GetProcessHeap

is typical of the 1.4 version of Obsidium.

Archer 12-29-2010 00:07

If anyone has researched Obsidium, it would be interesting to know what the 2 unidentified calls from my post above are doing. They don't look like regular API calls, nor like protector API calls; eax is unused and they don't seem to make any changes in the dump.

uLysse 12-29-2010 06:34

Your 2 unidentified calls are calls to the protector API.
By tracing them, eax is set to a specific value.

The list of these "codes" has been given on crackl@b

By tracing in 0046A918, eax becomes D5D7FD6D
-> setExternalKey

By tracing in 0046AB1C, eax becomes 4EC72EC2
-> isRegistered
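Both call shapes discussed in this thread can be picked out of a dump mechanically: the `mov reg32, API / nop / call reg` form uLysse shows as typical of Obsidium 1.4, and `call dword ptr [xxx]` sites whose pointer slot lies outside the rebuilt IAT, which is how Archer's two unidentified calls look before they are traced. The scanner below is an added example, not code from the thread or from Obsidium. The sample bytes, the region VA (0046A900) and the IAT range (00401000-00402000) are constructed for the demonstration; the two addresses embedded in the sample (7C80AA49 for kernel32.GetProcessHeap, and the BC406C slot) are taken from the listings posted above. It also accepts the register-call form without the NOP, which goes slightly beyond what the post describes.

```python
"""Scan a dumped x86-32 code region for the two call shapes from the thread.

Added example, not code from the thread or from Obsidium. Finds:

  1. mov r32, imm32 ; [nop] ; call r32   (B8+r imm32, optional 90, FF D0+r)
     The immediate is the absolute API address; `known` maps such
     addresses to names so the import can be identified.
  2. call dword ptr [disp32]             (FF 15 disp32)
     Flagged when the pointer slot is outside the IAT range - the shape
     of calls that turn out to go to the protector's own API.

The sample region, its VA, the IAT range and the `known` map are
constructed for this demonstration.
"""
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def scan(code, va, iat_range, known=None):
    """Return a list of findings; `va` is the VA of code[0]."""
    known = known or {}
    lo, hi = iat_range
    findings = []
    i, n = 0, len(code)
    while i < n:
        op = code[i]
        # Pattern 1: mov r32, imm32 ; nop* ; call r32 (same register).
        if 0xB8 <= op <= 0xBF and i + 5 <= n:
            reg = op - 0xB8
            imm = struct.unpack_from("<I", code, i + 1)[0]
            j = i + 5
            while j < n and code[j] == 0x90:          # tolerate NOP padding
                j += 1
            if j + 2 <= n and code[j] == 0xFF and code[j + 1] == (0xD0 | reg):
                findings.append({"va": va + i, "kind": "reg-call", "reg": REGS[reg],
                                 "target": imm, "name": known.get(imm),
                                 "suspicious": True})
                i = j + 2
                continue
        # Pattern 2: call dword ptr [disp32]; suspicious if the slot is not in the IAT.
        if op == 0xFF and i + 6 <= n and code[i + 1] == 0x15:
            slot = struct.unpack_from("<I", code, i + 2)[0]
            findings.append({"va": va + i, "kind": "indirect-call", "slot": slot,
                             "suspicious": not (lo <= slot < hi)})
            i += 6
            continue
        i += 1   # no recognized shape here: advance one byte (linear sweep)
    return findings


# Constructed sample region (hypothetical VA); the embedded addresses come
# from the listings in the thread.
SAMPLE_VA = 0x0046A900
IAT_RANGE = (0x00401000, 0x00402000)                 # hypothetical rebuilt IAT
KNOWN = {0x7C80AA49: "kernel32.GetProcessHeap"}      # address seen in the listing
SAMPLE = bytes.fromhex(
    "55"              # push ebp            (filler)
    "BB49AA807C"      # mov ebx, 7C80AA49   (Obsidium 1.4 style, from the post)
    "90"              # nop
    "FFD3"            # call ebx
    "FF1500104000"    # call dword ptr [00401000]  -> inside the assumed IAT
    "FF156C40BC00"    # call dword ptr [00BC406C]  -> outside it (Archer's slot)
    "C3"              # ret
)


def demo():
    """Scan the constructed sample."""
    return scan(SAMPLE, SAMPLE_VA, IAT_RANGE, KNOWN)


if __name__ == "__main__":
    for f in demo():
        print(" ".join("%s=%s" % (k, "%08X" % v if isinstance(v, int) and k in ("va", "target", "slot") else v)
                       for k, v in f.items()))
```

Run it only over code sections of a dump: the one-byte linear sweep on data will produce false positives, and a `mov`/`call` pair it reports should still be confirmed in the debugger before the call is rewritten to a proper import. The immediate in pattern 1 is only meaningful on the machine where the dump was taken, since it is an absolute address inside that system's kernel32.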

Newbie_Cracker 01-11-2011 17:42

Quote:

Originally Posted by uLysse (Post 70853)
It's Obsidium v1.4

Thanks bro.

I will work on it.

Regards.

