Exetools  

#1
12-14-2005, 21:00
toro
InstallShield trialware

Hi,
I have a program that is protected with InstallShield trialware. PEiD detected it as SafeDisc 3.00.00.

Finding the OEP is easy, but my problem is the IAT.

The technique used in it is, for example:

CALL DWORD PTR DS:[XXXXXXXX]

and in XXXXXXXX :

push SEED1
pushfd
pushad
push esp
push SEED2
call dll.YYYYYYY
add esp,8
push 0
pop eax
popad
popfd
retn

and function YYYYYYYY uses seed1, seed2 and the position of the caller function to produce the address of the DLL import.

I can manually correct the IAT by watching some place in the YYYYYYY function.
But I need a way to automate it. I tested patching the YYYYYYY function to correct the IAT, and also OllyScript, but in each approach I have some problem.

Does anyone have a way to automate correction of the IAT?

Regards
#2
12-14-2005, 23:00
Nacho_dj
Hello toro:

I have read your post several times, but I cannot understand what the problem is.

Have you tried IAT rebuilding with ImportReconstructor?

What have the results been, if so?

If the address of the API is a combination of seed1, seed2 and the RVA of the call (is this right?), in any case you need the resultant address to be pointing to a valid imported function address. So, could you explain a little bit more what you want to do?

Cheers

Nacho_dj
#3
12-14-2005, 23:55
toro
Hi Nacho_dj,

I used ImpREC with no success; it creates a wrong IAT.
I can find the correct address for each IAT cell by setting a BP at the end of the YYYYYYYY function, but I want to correct the IAT automatically. I patched the YYYYYYYY function to correct the related IAT cell on each call, but it is not enough, because I cannot be sure that all of the APIs are used when I run the program.

I wrote a script that injects a call for each cell of the IAT and executes it, so this script can find an API address for each cell, but the result of the YYYYYYY function depends on the caller function, so the result from injection is not true.

So with none of these approaches can I correct the IAT. This is my problem.
#4
12-15-2005, 12:49
nskSem
It is not a trivial task, but:
1. You should inject your DLL into the process you are reversing.
2. This DLL must patch the code just before the "ret" that jumps to the imported function.
3. Then you must scan and call all import-calling places to restore the original calls.
4. And some other things ...

For details read the attachment.
Attached Files
File Type: rar Unpack_SafeDisc_2_xx_and_3_xx.rar (475.8 KB, 48 views)
#5
12-15-2005, 16:39
peleon
Looks like a promising tutorial... I have been translating it with Babelfish into English, but I'm even more confused than when reading the Russian directly.

Is that same tutorial translated into english somewhere?

Thanks
#6
12-15-2005, 18:01
nskSem
There is one in Dutch (NFS Underground II).
Attached Files
File Type: rar CIP _ Tutorial Manual unpack NFSU2 (Safedisc v3_xx).rar (247.0 KB, 26 views)
#7
12-15-2005, 18:05
Nacho_dj
Hello toro:

Could you PM me the target name? I would like to have a look at it.


Thanks and cheers!

Nacho_dj
#8
12-16-2005, 22:47
ajron
It's probably SafeCast protection. I've coded a SafeCast unpacker, but I need more targets to test it before I release it. I have 2 targets (2.65 & 3.0), but it's not enough, so could you PM me the target name/link, too?

Steps to unpack SafeCast:
1. find OEP and IAT ;)

2. break on OEP

3. make a tracer to get the real API for every IAT entry (ImpREC is not good enough), but do not overwrite the IAT yet

4. search for fake API calls in the code section:
0xFF15 - CALL [xxxx]
0xFF25 - JMP [xxxx]
0xE9 - JMP xxxx
0x8bxx - mov r32,[xxxx]

and trace to get the real API

5. fix fake API calls/jmps so they use the proper IAT entry (from point 3)

6. search for redirected calls in the code section:
these calls point to code:
push ecx
push eax
call xxxx

which points to code like this:
mov eax, 6FBh
pop ecx
lea eax, [eax+ecx]
mov eax, [eax]
jmp eax

or this:
mov eax, 324Bh
pop ecx
add eax, ecx
mov eax, [eax]
jmp eax

and trace until you get back to the code section.

In this step the protection engine restores a few bytes in the redirected call instruction and after this instruction. You can hook WriteProcessMemory to see this.

7. update IAT and fix header

8. dump file

9. use ImpREC to build the import table

10. if target works fine, be happy ;)

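Step 4 of the list above, as an added example in Python: a linear scan of a dumped code section for the four instruction forms listed, decoding each operand and separating sites that already read an IAT slot from sites that still need tracing. This is not ajron's unpacker or any code from the thread; the image base, IAT range and byte buffer are constructed sample values.

```python
import struct

# Constructed sample values (assumptions, not from the thread): a tiny "code
# section" mapped at CODE_BASE, and the address range the dumped IAT occupies.
CODE_BASE = 0x401000
IAT_RANGE = (0x402000, 0x402100)   # [start, end)

CODE = (
    b"\x55"                        # push ebp
    b"\xff\x15\x10\x20\x40\x00"    # call dword ptr [0x402010] -> inside the IAT
    b"\xff\x25\x40\x30\x40\x00"    # jmp  dword ptr [0x403040] -> outside: redirected
    b"\xe9\x10\x00\x00\x00"        # jmp  rel32 (+0x10)        -> direct jmp to a stub
    b"\x8b\x0d\x20\x20\x40\x00"    # mov  ecx, [0x402020]      -> inside the IAT
    b"\xc3"                        # ret
)

def scan_api_sites(code, base, iat_range):
    """Byte-pattern scan (not a disassembler: opcodes inside immediates or data
    give false positives, so the output is a list of candidates to trace).
    Returns (site_va, form, target_va, goes_through_iat) tuples."""
    lo, hi = iat_range
    sites, i = [], 0
    while i < len(code):
        op = code[i]
        if op == 0xFF and i + 6 <= len(code) and code[i + 1] in (0x15, 0x25):
            # FF 15 disp32 = call [disp32]; FF 25 disp32 = jmp [disp32]
            target = struct.unpack_from("<I", code, i + 2)[0]
            form = "call [mem]" if code[i + 1] == 0x15 else "jmp [mem]"
            sites.append((base + i, form, target, lo <= target < hi))
            i += 6
        elif op == 0xE9 and i + 5 <= len(code):
            # E9 rel32: relative to the next instruction; never an IAT read itself
            rel = struct.unpack_from("<i", code, i + 1)[0]
            sites.append((base + i, "jmp rel32", base + i + 5 + rel, False))
            i += 5
        elif op == 0x8B and i + 6 <= len(code) and (code[i + 1] & 0xC7) == 0x05:
            # 8B /r with mod=00, rm=101: mov r32, [disp32] (register in bits 3-5)
            target = struct.unpack_from("<I", code, i + 2)[0]
            sites.append((base + i, "mov r32,[mem]", target, lo <= target < hi))
            i += 6
        else:
            i += 1
    return sites

def sites_to_trace(sites):
    """Sites whose target is not an IAT slot: the ones steps 4-6 say to trace."""
    return [s for s in sites if not s[3]]

if __name__ == "__main__":
    for va, form, target, via_iat in scan_api_sites(CODE, CODE_BASE, IAT_RANGE):
        print(f"{va:08X} {form:14} -> {target:08X} {'IAT' if via_iat else 'trace'}")
```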