Thread: New Protector
  #13  
Old 09-02-2003, 00:26
Lunar_Dust
 
Posts: n/a
Sure thing.

SoftDefender rips the first 9 bytes from the OEP, and although they can be recovered easily, they really aren't necessary for a program to run. Hence I left them as is.

For the IAT, I used ImpREC 1.6 with Level 3 trap-flag tracing. SoftDefender takes some of the APIs, such as GetVersion, GetCommandLineA, etc., and calls them for itself when it first loads. When the target goes to call these APIs, SoftDefend simply fills in the appropriate values. Hence, you will find APIs which cannot be traced: calls into 004xxxxx space. In fact, do not try to trace them or ImpREC will hang. No big deal, I just dumped SoftDefend from memory and disassembled it, and went to the OEP. It's a Visual C program, so it has the exact same startup code. I just loaded up a program of my own and disassembled it, and looked at the code where those certain APIs were called. From this I was able to fill in 4 out of 6 APIs that were unknown (calls into 004xxxxx space, rather than 001xxxxx space; 001xxxxx calls can be resolved with trace level 3).

For the last two APIs I simply used SoftICE to place a BPM X break on the code line that references them (the address of the code I found when disassembling the SoftDefender dump), and then walked through to see what values SoftDefend gives back. Looking at these I can then tell which API has been called for the startup-code APIs. For example, if I saw a string instruction and then saw SoftDefender memory held "C:\WINDOWS", I knew this was the GetWindowsDirectoryA API. Hence I was able to complete the IAT.

These are the APIs I found SoftDefender to override in this manner:

GetSystemDirectoryA
GetVersionExA
GetCommandLineA
GetCurrentProcessId
GetCurrentDirectoryA
SetCurrentDirectoryA
GetModuleHandleA
GetModuleFileNameA
GetVersion
GetStartupInfoA
GetWindowsDirectoryA


Sorry about that kernel32 error, I unpacked it under XP and didn't think there were any problems. To attempt to fix it, open the file in a hex editor and go to where the RestoreLastError string is. Change it to "SetLastError", and make sure you null-terminate it properly. This should fix it, I believe.

I am 20% into writing an unpacker. It's taking longer because SoftDefend actually creates a new process after all the debug checks. (I have successfully bypassed all anti-debug code.)

-Lunar

Last edited by Lunar_Dust; 09-02-2003 at 00:30.
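The kernel32 fix above (rename the RestoreLastError import to SetLastError in a hex editor and keep the NUL terminator) is easy to get wrong by hand: the new name is shorter, so the leftover bytes must be zeroed rather than deleted, or every string after it in the import name table shifts and the RVAs that point at them break. The script below is an added example, not code from the original post or from any unpacker; the hint/name table layout in the sample buffer is constructed to resemble a PE IMAGE_IMPORT_BY_NAME sequence, and the function names and offsets are assumptions.

```python
"""In-place rename of an import name inside a dumped PE, keeping byte length.

Added example (not from the original post). The sample buffer below is
constructed, not a real dump.
"""

OLD_NAME = b"RestoreLastError"   # name the dump references
NEW_NAME = b"SetLastError"       # name the post says to substitute


def build_sample() -> bytes:
    """Constructed stand-in for part of a PE import name table.

    Each entry mimics IMAGE_IMPORT_BY_NAME: a 2-byte hint followed by the
    NUL-terminated function name, padded to an even offset like the linker
    does. Hint values are arbitrary.
    """
    entries = [
        (b"\x10\x02", b"GetVersion"),
        (b"\x11\x02", b"RestoreLastError"),
        (b"\x12\x02", b"GetCommandLineA"),
    ]
    out = bytearray()
    for hint, name in entries:
        out += hint + name + b"\x00"
        if len(out) % 2:          # pad to even offset
            out += b"\x00"
    return bytes(out)


def patch_import_name(data: bytes, old: bytes = OLD_NAME,
                      new: bytes = NEW_NAME) -> tuple[bytes, int]:
    """Replace every NUL-terminated `old` with `new`, NUL-padded to the same size.

    Returns (patched_bytes, number_of_replacements). Only in-place edits are
    allowed: the table is addressed by RVA, so the total length must not
    change and nothing after the patched string may move. Refuses a longer
    replacement, because it could not be fitted without shifting bytes.
    """
    if len(new) > len(old):
        raise ValueError("new name is longer than the old one; cannot patch in place")
    needle = old + b"\x00"
    # Pad with NULs so the replacement occupies exactly the old string's bytes
    # (including its terminator); the first NUL after `new` terminates it.
    replacement = new + b"\x00" * (len(needle) - len(new))
    assert len(replacement) == len(needle)

    buf = bytearray(data)
    count = 0
    pos = buf.find(needle)
    while pos != -1:
        buf[pos:pos + len(needle)] = replacement
        count += 1
        pos = buf.find(needle, pos + len(replacement))
    return bytes(buf), count


def unchanged_offsets(original: bytes, patched: bytes, names) -> bool:
    """Check that every other import name still sits at its original offset."""
    return all(original.find(n) == patched.find(n) for n in names)


def patch_file(path: str) -> int:
    """Apply the rename to a file on disk; returns how many strings were patched."""
    with open(path, "rb") as fh:
        data = fh.read()
    patched, count = patch_import_name(data)
    if count:
        with open(path, "wb") as fh:
            fh.write(patched)
    return count


if __name__ == "__main__":
    sample = build_sample()
    patched, n = patch_import_name(sample)
    print(f"patched {n} occurrence(s); length unchanged: {len(patched) == len(sample)}")
```

`patch_file` is the part you would point at the dumped executable; the rest exists so the behaviour can be checked on the constructed buffer without touching a real binary. If the string you need to substitute were ever longer than the original, this approach cannot work and the import would have to be redirected differently rather than overwritten.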