Exetools  

  #1  
Old 03-18-2022, 00:40
squareD
VIP
Join Date: Aug 2005
Location: Banana Republic
Posts: 287
Rept. Given: 31
Rept. Rcvd 35 Times in 27 Posts
Thanks Given: 32
Thanks Rcvd at 106 Times in 69 Posts
squareD Reputation: 36
x32dbg and debugging special question

Well, I'm coming from OllyDbg and I'm learning this debugger...

My actual target is a file manager, I don't want to say which, protected by software called eleckey, made by a company called sciensoft.

I'm testing to find out how to generate a key from the ID and an activation from the key, and I'm not a professional who studied IT.

My problem, at least, is the system call "sysenter" with eax==E5.
After this call the change from good boy to bad boy has been done...
I can't debug any further to see how and where the calculation went.

eax==E5 means NtQueryInformationAtom and I don't know how to get on.
I can't break, I can't see what is happening, it's just frustrating!!!

Maybe someone, maybe mr.exodia himself, can give me a hint on how to go on?
__________________
The three worst enemies of reversers: sun, fresh air, and especially this unbearable roar of birds...

Last edited by squareD; 03-18-2022 at 00:49.
The Following User Says Thank You to squareD For This Useful Post:
niculaita (03-27-2022)
  #2  
Old 03-20-2022, 00:43
pp2
Friend
Join Date: Jan 2002
Posts: 55
Rept. Given: 1
Rept. Rcvd 2 Times in 2 Posts
Thanks Given: 0
Thanks Rcvd at 15 Times in 11 Posts
pp2 Reputation: 2
You cannot debug or step into kernel calls, like syscalls, using just x32dbg, x64dbg or any other pure user-space debugger. Use WinDbg in live (kernel) mode instead if you need to see what's happening in this syscall. But even with WinDbg you cannot step into the syscall; you can only set a conditional breakpoint on the syscall handler (whose address can be obtained by reading the MSRs) with EAX==0xE5.
The Following 2 Users Say Thank You to pp2 For This Useful Post:
sh3dow (03-21-2022), squareD (03-20-2022)
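The kernel-side breakpoint pp2 describes, written out as WinDbg commands. This is an added example, not code from pp2's post or from anyone in the thread. It assumes a Windows 7 x86 guest that is already attached to the host WinDbg over a kernel connection (so the sysenter path lands in nt!KiFastCallEntry and the SSDT is a flat pointer table); the process name target.exe and the EPROCESS address 85e1b030 are constructed placeholders to be replaced with what !process actually prints.

```windbg
$$ Added example (not from the thread). Host-side WinDbg, attached to a
$$ Windows 7 x86 guest in kernel mode. Break in first (Ctrl+Break).

$$ 1. Locate the sysenter handler from the MSR rather than trusting a name:
$$    IA32_SYSENTER_EIP (MSR 0x176) holds the address the CPU jumps to.
rdmsr 176
$$    On Win7 x86 the address printed should match this symbol:
x nt!KiFastCallEntry

$$ 2. Check what service index 0xE5 really is on THIS build. On x86 the
$$    SSDT is a flat array of 4-byte absolute pointers, so entry N lives at
$$    KiServiceTable + N*4, and dps resolves the pointer to a symbol name.
dps nt!KiServiceTable + (0xe5 * 4) L1
$$    Sanity check that the index is inside the table at all:
? dwo(nt!KiServiceLimit)

$$ 3. Restrict the breakpoint to the protected process. Take the PROCESS
$$    address from this listing (85e1b030 below is a placeholder):
!process 0 0 target.exe

$$ 4. Conditional breakpoint on the handler, only for that process and only
$$    when eax (the service index) is 0xE5. At entry, edx still holds the
$$    user-mode esp that ntdll!KiFastSystemCall saved with "mov edx, esp":
$$      [edx]    return address into the ntdll Nt* stub
$$      [edx+4]  return address into the caller (the protector's code)
$$      [edx+8]  first of the five NtQueryInformationAtom arguments
$$    Any other service number resumes silently via gc.
bp /p 85e1b030 nt!KiFastCallEntry ".if (@eax == 0xe5) { .echo NtQueryInformationAtom, user stack:; dd @edx L7 } .else { gc }"
g
```

When the breakpoint fires, the second dword printed ([edx+4]) is the return address into the protector, i.e. the user-mode instruction where the call's result is consumed; that is the natural place for an ordinary breakpoint in x32dbg to watch the good-boy/bad-boy decision after the call returns. On an x64 guest the picture changes even for a 32-bit target, which enters the kernel through wow64: the handler is nt!KiSystemCall64 from MSR 0xC0000082 (LSTAR), the service numbers differ from the x86 ones, and the x64 SSDT stores relative offsets rather than pointers, so step 2 does not apply as written.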
  #3  
Old 03-26-2022, 23:26
squareD
VIP
Join Date: Aug 2005
Location: Banana Republic
Posts: 287
Rept. Given: 31
Rept. Rcvd 35 Times in 27 Posts
Thanks Given: 32
Thanks Rcvd at 106 Times in 69 Posts
squareD Reputation: 36
I've had no luck with ring 0 debuggers...
Syser Debugger v1.99 doesn't want to work with VMware Workstation, because of some graphics problems?
And WinDbg is always disabled and wants me to do a bcdedit -debug on.
After this my Win 7 in VMware Workstation isn't able to boot and breaks.
So there's no way besides a VM to debug, and that doesn't work.
A new PC, a new hard disk to make it work, I don't think I'll do that.
Sorry for stealing your time, ring 0 debugging isn't possible for me at this time.

And sadly the new Syser is only a ring 3 debugger!

Last edited by squareD; 03-26-2022 at 23:37.
The Following User Says Thank You to squareD For This Useful Post:
niculaita (03-27-2022)
  #4  
Old 03-27-2022, 06:54
sh3dow
Family
Join Date: Oct 2014
Posts: 128
Rept. Given: 106
Rept. Rcvd 79 Times in 24 Posts
Thanks Given: 386
Thanks Rcvd at 158 Times in 54 Posts
sh3dow Reputation: 79
Why is your VM unable to boot? That's strange. Did you configure the VM and WinDbg correctly? You need to check again. Also, in case you didn't know, you need to configure the debuggee (Win7), WinDbg and the VM software (from the VMware settings), not only the debuggee and WinDbg.

Also, in case you have Secure Boot enabled on your Win7 VM, it needs to be disabled.
  #5  
Old 04-22-2022, 17:57
fqjp
Friend
Join Date: Apr 2011
Posts: 34
Rept. Given: 1
Rept. Rcvd 2 Times in 1 Post
Thanks Given: 0
Thanks Rcvd at 26 Times in 14 Posts
fqjp Reputation: 2
It may be that the program is anti-debugging.
How did you get that E5 corresponds to NtQueryInformationAtom?
I got the SSDT index of NtQueryInformationAtom as 114 on a Win7 64-bit system.
  #6  
Old 04-22-2022, 20:31
squareD
VIP
Join Date: Aug 2005
Location: Banana Republic
Posts: 287
Rept. Given: 31
Rept. Rcvd 35 Times in 27 Posts
Thanks Given: 32
Thanks Rcvd at 106 Times in 69 Posts
squareD Reputation: 36
In the meantime I gave up analyzing this calculation of sciensoft.
The target uses online activation, probably with a modified algo, so I'm unsure whether carrying on will give me a solution.
Instead I analyzed the protection algo, made a brute-forcer for patching bytes in these programs, and maybe I'm on the way to cracking it.
I know it's only the second-best way and I will never ever do it again, but solved is solved.
The Following User Says Thank You to squareD For This Useful Post:
niculaita (04-22-2022)
  #7  
Old 04-23-2022, 01:33
wassim_
Friend
Join Date: Nov 2002
Posts: 103
Rept. Given: 1
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 14
Thanks Rcvd at 10 Times in 4 Posts
wassim_ Reputation: 2
Is the main exe packed?
Are you trying to reverse eleckey's dll?
I can have a look if you'd like a helping hand.
Please share the target via PM.
Edit: it seems I can't send or receive PMs anymore.
Please post here if you still need assistance.

Last edited by wassim_; 04-23-2022 at 04:45.
  #8  
Old 04-25-2022, 23:46
squareD
VIP
Join Date: Aug 2005
Location: Banana Republic
Posts: 287
Rept. Given: 31
Rept. Rcvd 35 Times in 27 Posts
Thanks Given: 32
Thanks Rcvd at 106 Times in 69 Posts
squareD Reputation: 36
Not only the main one, but all EXEs are packed/protected.

I decoded the protection algo, so I'm able to patch these programs.
The x86 version seems to be fully working, and for the x64 version there are two problems left to solve.

I hope you are not another spy trying to find out what I'm doing?

https://www.sp-download.de/sc19/sc19_x64.exe

Try it and help me, every helping hand is welcome.