#1
Xprotector Problem.. + Info
Himm humm
First, sorry for my English..

Hi, I need your advice on TLS (Thread Local Storage). For my part, I can crack any Xprot version (from 1.5 to 1.x), but I have a problem with the TLS of the dump file when rebuilding the exe.

My work is simple:

1. Crash the xprot (lame) threads (on random gen.. 0-xxx; read the Xprot white paper if you need to know how it works) via int3/0 protect with a ring0 loader. (I simply use a ring0 dumper; it also works very well on 1.06.)
2. Then you have enabled V-Memory block..
3. But the anti etc. does not stop there..
4. Then load SoftICE, go to the main Xprot threads and simply change EIP to (call ExitProcess). (Note: not the software's threads; you can find which threads are the real ones by looking at the CPU of the process to see which thread, or use SPY++ from VC Studio.)
5. Now you are ready to work with SoftICE & ImportREC. You can also dump directly with lord_pe or another..
6. Look inside the dump for the OEP: 03e8h bytes of Xprot shit before the OEP (you can find those 03e8 bytes yourself with a look, it is rubbish!) (also many VC++ programs have OEP 401000).
7. Give the OEP and try some blocks for the imports (to find the correct one).
8. But you can fix some calls by hand, because xprot fck kernel, user, advapi calls etc.. Try to trace them yourself in the asm view (in ImportREC).

Yes, the exe builds OK, all imports, calls, OEP etc. etc., but the TLS is not correct and I don't know anything about TLS. How do I fix it?

About how I crack it if I don't have a working exe: via memory patching. Simply fix the dump (resources etc..), then load it in any disassembler, find the patch point, write a loader, crash V-MemProtect (with ring0 int3/0 IDT protect), use a DLL inject on the target process, change the memory. That's all..
#2
Read this:
hxxp://www.microsoft.com/msj/0999/hood/hood0999.aspx

and this:
hxxp://www.anticrack.de/modules.php?op=modload&name=News&file=article&sid=4402

But I'm really curious about your mentioning

"on random gen..0-xxx (Read if need How works Xprot White Paper) via int3/0 Protect with ring0 loader"

Could you be more precise? Could you direct me to the white paper and what do you mean by "int3/0 Protect"?
#3
...
Thanks, I will read..

"But I'm really curious about your mentioning on random gen..0-xxx "

I mean that in the xprot packer menu you can add threads for security checks, many of them, e.g. 25 or 100 or more, if you look at a demo xprot packer. You can find the white paper here:
hxxp://www.xprotector.com/files/XprotectorWhitePaper.pdf
It has a schema of the thread working style.

"Could you be more precise? Could you direct me to the white paper and what do you mean by "int3/0 Protect"?"

And about this: from the IDT table, you can protect int3/int0 via a ring0 driver to hide SoftICE tricks etc. If you run a packed xprotected exe and then try to protect int3/int0 (I mean try to hide int3/0), then a thread in the packed exe crashes, because all of its threads are checking the IDT etc. all the time; then it can't read some place in the IDT and a crash comes. After that all the other threads and the main control threads are waiting for it. Now you have crashed the whole protection system (maybe not crashed, but in a wait state). You may not see this, because you must have a system debugger like VC++ (check just-in-time debugging in the menu).

And about the int3 hide trick: the crash does not work on all packed exes. If it does not work, with my style I first try it on my own packed exe file, and it crashes every time with my style. After it has crashed, I run the other packed exe (the one that can't crash) again, then it is also available to crash, then I do it my way..

Sorry, my English is really bad..
#4
Sorry, man. Really hard to understand. But I've read that white paper. Sounds cool. I have to think about what we can do.

As to your remarks on the IDT protection: it is impossible to protect the IDT in the general case. The IDT MUST always be in memory, otherwise the system will immediately crash. Therefore the only option I can think of is to protect the int1/int3 vectors with DR-registers. But X-Prot takes them out... No. They THINK they take them out