Exetools  

#1
08-30-2003, 04:00
gorge
New Protector

Anyone looked at this new protector?

h**p://www.softdefender.com
#2
08-30-2003, 15:43
ArC
^DAEMON^ already wrote an unpacker for SoftDefender.
#3
08-30-2003, 21:55
dynio
Yeah, as far as I remember SVK has been "with us" since winter 2001 or spring 2002.
Try this helpful tool: hxxp://mup.lockless.com/database/SVK-Protector/SVK-Protector.1.32.Special.dll.zip

Regards.
#4
08-30-2003, 22:16
ArC
Nice thing
#5
08-30-2003, 22:18
Lunar_Dust
The SoftDefender unpacker doesn't work....

Besides, it has some good anti-debug; I'm enjoying studying it.

-Lunar
#6
08-30-2003, 22:44
dynio
The Daemon unpacker should work only for versions <= 1.1.
But the link I posted could be useful after dumping...
#7
08-31-2003, 08:17
Lunar_Dust
Ugh...

Found the SoftICE detector quite easily: just NtQuerySystemInformation looking for NTice.sys, easy to get around..

I'm still having trouble finding the normal debugger detector. I know it calls GetProcessTimes() twice, and if the times are zero, or they don't match, it says "Debugger detected" - to eliminate tracing, no doubt. But even so it only called GetProcessTimes() once when I debug with Olly, and then the exit MessageBox.

Thought it was calling ZwQueryInformationProcess, but it doesn't look like it now after all (calling with ProcessDebugPort). The API only gets called twice, once from GetProcessTimes (argument is 4, which is ProcessTimes), and another from a Windows DLL itself (argument is 26, ProcessWow64Environment, which is always zero). Never called with argument 7 (ProcessDebugPort). And of course I've already "edited" the bytes at fs:[30] away to eliminate PEB debug detection.

Any hints? Maybe a way to detect that I haven't heard of yet?

-Lunar
#8
08-31-2003, 19:57
dynio
Lunar Dust: I can't help you because the last time I was playing with SVK was last year.... I don't remember how it works. (I've spent just a few minutes with this one.)

Regards.
#9
08-31-2003, 20:09
Lunar_Dust
Um, wait a minute, I didn't think this was SVK.. I thought SVK used a system driver. This is Soft Defender....

-Lunar
#10
09-01-2003, 09:36
Lunar_Dust
Hehe.

Now time to make a keygen.....

-Lunar
Attached Files
File Type: zip sdunpacked.zip (503.7 KB, 81 views)
#11
09-01-2003, 14:13
dynio
You're right... Soft Defender... but not a loss, I'm not familiar with SVK nor SoftDefender and I ALWAYS confuse them...

Regards.

#12
09-01-2003, 23:29
Jay
probs

Hi Lunar_Dust,
Thanks for uploading, but I have some problems with your unpacked version on win9x and win2000:
Linked to missing export KERNEL32.DLL:RestoreLastError
Also you appear to have forgotten to put in the missing bytes from the OEP. How did you resolve the APIs with ImpREC, did you use a custom-made plugin? I couldn't get ImpREC to resolve them without a plugin (maybe because I'm using an old ImpREC??). Anyway, just thought I would let you know, and thanks to you too as one of the few willing to share your knowledge and tools.
#13
09-02-2003, 00:26
Lunar_Dust
Sure thing.

SoftDefender rips the first 9 bytes from the OEP, and although they can be recovered easily, they really aren't necessary for a program to run. Hence I left it as is.

For the IAT, I used ImpREC 1.6 with Level3 trap flag tracing. SoftDefender takes some of the APIs, such as GetVersion, GetCommandLineA, etc., etc., and calls them for itself when it first loads. When the target goes to call these APIs, SoftDefend simply fills in the appropriate values. Hence, you will find APIs which cannot be traced: calls into 004xxxxx space. In fact, do not try to trace them or ImpREC will hang. No big deal, I just dumped SoftDefend from memory and disasmed it, and went to the OEP. It's a Visual C program, so it has the exact same startup code. I just loaded up a program of my own and disasmed it, and looked at the code where those certain APIs were called. From this I was able to fill in 4 out of 6 APIs that were unknown. (Calls into 004xxxxx space, rather than 001xxxxx space. 001xxxxx calls are able to be resolved with trace level 3.)

For the last two APIs I simply used SoftICE to place a BPM X break on the code line that references them (the address of code I found when I disasmed the SoftDefender dump), and then walked through to see what values SoftDefend gives back. Looking at these I can then tell which API has gotten called for the startup code APIs. For example, if I saw a string instruction and then saw SoftDefender memory held "C:\WINDOWS", I knew this was the GetWindowsDirectoryA API. Hence I was able to then complete the IAT.

These are the APIs I found SoftDefender to override in such a manner:

GetSystemDirectoryA
GetVersionExA
GetCommandLineA
GetCurrentProcessId
GetCurrentDirectoryA
SetCurrentDirectoryA
GetModuleHandleA
GetModuleFileNameA
GetVersion
GetStartupInfoA
GetWindowsDirectoryA

Sorry about that kernel32 error; I unpacked it under XP and didn't think there were any problems.... To attempt to fix it, open the file in a hex editor and go to where the RestoreLastError string is. Change it to "SetLastError", and make sure you null-terminate it properly. This should fix it, I believe.

I am 20% into writing an unpacker. It's taking longer because SoftDefend actually creates a new process after all the debug checks. (I have successfully bypassed all the anti-debug code.)

-Lunar

#14
09-02-2003, 02:12
Lunar_Dust
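The two fix-ups discussed in posts #12 and #13, the RestoreLastError import rename and the sorting of IAT entries into "points into the image" versus "points outside it", are mechanical enough to script. The block below is an added example written for this thread, not code from Lunar_Dust, Jay, ImpREC or SoftDefender. The import-name bytes and the IAT address pairs are constructed sample data, and the image base and size are assumed values for a typical 4xxxxx-based executable; the only facts taken from outside the thread are that RestoreLastError is absent from older KERNEL32 builds and takes the same single DWORD as SetLastError, which is why the rename is safe.

```python
"""
Added example, not code from the thread or from any of the tools it names.

patch_import_name(): rename a NUL-terminated import name in a dumped file,
   e.g. b"RestoreLastError" -> b"SetLastError", NUL-padding the replacement
   to the original field length so no offset in the import directory moves.
   This is the hex-editor edit from post #13 with the "null terminate it
   properly" part enforced by code.

classify_iat(): given (slot_rva, target_address) pairs read out of a dump,
   separate targets that lie inside the dumped image (the protector's own
   in-image stubs, which post #13 says a tracer cannot resolve and must be
   identified by hand) from targets outside it (resolvable by address).
"""
from typing import Dict, List, Tuple

# Constructed sample: three IMAGE_IMPORT_BY_NAME records (2-byte hint, then a
# NUL-terminated ASCII name), as they would sit in the file's .idata area.
SAMPLE_NAMES = (
    b"\x00\x00GetVersion\x00"
    b"\x00\x00RestoreLastError\x00"
    b"\x00\x00GetCommandLineA\x00"
)

# Assumed image layout and constructed IAT contents for the demonstration.
IMAGE_BASE = 0x00400000
IMAGE_SIZE = 0x00020000
SAMPLE_IAT: List[Tuple[int, int]] = [
    (0x1000, 0x0040A120),  # target inside the image: protector stub
    (0x1004, 0x0040A1C0),  # target inside the image: protector stub
    (0x1008, 0x00150000),  # 001xxxxx space: traceable with ImpREC level 3
    (0x100C, 0x7C80B000),  # constructed address outside the image
]


def patch_import_name(data: bytes, old: bytes, new: bytes) -> bytes:
    """Replace one NUL-terminated import name with a shorter or equal one.

    The new name is padded with NUL bytes to the length of the old name plus
    its terminator, so the file size and every RVA stay unchanged.  Exactly
    one occurrence is required; anything else is refused rather than guessed.
    """
    if len(new) > len(old):
        raise ValueError("replacement must not be longer than the original name")
    needle = old + b"\x00"
    count = data.count(needle)
    if count != 1:
        raise ValueError(f"expected exactly one {old!r} record, found {count}")
    field = new + b"\x00" * (len(needle) - len(new))
    assert len(field) == len(needle)
    return data.replace(needle, field, 1)


def classify_iat(
    entries: List[Tuple[int, int]], image_base: int, image_size: int
) -> Dict[str, List[Tuple[int, int]]]:
    """Split IAT slots by whether their target lies inside the dumped image."""
    inside: List[Tuple[int, int]] = []
    outside: List[Tuple[int, int]] = []
    for slot_rva, target in entries:
        if image_base <= target < image_base + image_size:
            inside.append((slot_rva, target))
        else:
            outside.append((slot_rva, target))
    return {"emulated_in_image": inside, "traceable": outside}


if __name__ == "__main__":
    fixed = patch_import_name(SAMPLE_NAMES, b"RestoreLastError", b"SetLastError")
    print(fixed)
    for kind, slots in classify_iat(SAMPLE_IAT, IMAGE_BASE, IMAGE_SIZE).items():
        print(kind, [f"{rva:#06x} -> {tgt:#010x}" for rva, tgt in slots])
```

Run the script on the constructed data to see the padded rename and the two IAT groups; against a real dump you would read the name table and IAT from the file instead of the embedded samples, and the slots reported as "emulated_in_image" are the ones to resolve by comparing against known Visual C startup code, as post #13 describes.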
I've found the anti-autodump stuff to be working pretty well: he creates a .tmp file which contains a value calculated from the API GetTickCount(), then simply calls CreateProcess(). Looks like the new process looks for the file, gets the tick count again possibly, and decides if it's being debugged. Anyways, it hurts a debugger because it basically switched processes. (Or so it would seem.)

It doesn't affect debugging, however, except for the fact that you can't latch on to the new process like you wish you could.

Also, the program continues to ReadFile from some file (don't know which yet, haven't traced it). Once this ReadFile is done, I notice all the original program's data is now in memory and valid; even the OEP bytes are still intact.

Beatch is going down soon, I can emulate any call I want...hehe

-Lunar

#15
09-02-2003, 17:42
Jay
import

Hi Lunar_Dust,
Thanks for the reply and useful tips. No problem about the import, I had already unpacked it, just wanted to check out your method of dumping and rebuilding. Looking forward to hearing some more about methods of bypassing anti-debug in Olly, of which I have very little experience, a small tut perhaps if you find the time?? (grovel). I think sdef shows promise as a protector and I would expect to see some shareware protected with it; the author has improved it since 1.1, do you agree?
All times are GMT +8. The time now is 14:34.