Exetools  

#1 Newbie_Cracker, 10-10-2005 03:54
An Unknown Packer !

A few days ago, one of my friends gave me the download address of DiskInternals Uneraser 2.3 as an unpacking target.
Shit... OllyDbg never stops at the OEP and a lot of exceptions occur. Its packer checks the CRC, and... amazingly it detects modified OllyDbg and closes it easily.
PEiD says the exe file is packed by UPX. But it's obvious that it is wrong!

Some time ago, I found that SDProtector checks the ClassID of the OllyDbg main window. I mean the CPU ClassID. Here are the parts of the ClassIDs which SDProtector searches for:


ACPU
ACPUASM
ACPUDUMP
ACPUSTACK
ACPUINFO
ACPUREG
TCPU
TCPUASM
TCPUDUMP
TCPUSTACK
TCPUINFO
TCPUREG


So after patching OllyDbg to hide its caption and change its exe name, I patched it to change ...CPU... to ...CCC... . This trick defeated SDProtector (I know the effective debugger detection of SD is based on ZwQueryInformationProcess), but this time...
I couldn't find the ClassIDs list of this unknown packer. Its crack-tools detection engine is active at runtime (like SD) and immediately detects OllyDbg when it is started.
I think it detects other ClassIDs of OllyDbg, but which of them?

Is there any suggestion?

Here is the download link :
hxxp://www.diskinternals.com/download/Uneraser_Setup.zip

Best Regards.

#2 al-kaiser, 10-10-2005 04:00
This app is packed with execryptor, this is a hard one!!!!

#3 arnix, 10-10-2005 04:27
I haven't downloaded it, but I think it's EXECryptor. Look at its section names: are they some random letters (like "j20jf0we")??? If yes, it's EXECryptor, 99%.

#4 imagin, 10-10-2005 04:53
YES - this is EXECryptor - 100%. Example section names (in target): "q2j0st88,fa3rybkx,3usq.nuq,.......", EXECryptor... and the new version of EXECryptor is too hard to unpack..... (best antidebug, TEA encryption, TLS table trick and API hook detection......)

#5 gunterg, 10-10-2005 05:59
Yes, it is 100% Execryptor.

All programs at www.diskinternals.com are packed with Execryptor.

#6 Newbie_Cracker, 10-10-2005 08:41
Oh, shit.
That's the first time I've seen this crap.

So how does Execryptor detect OllyDbg?

#7 JuneMouse, 10-10-2005 17:21
Quote: Originally Posted by Newbie_Cracker
So how does Execryptor detect OllyDbg?

- IsDebuggerPresent
- ZwQueryInformationProcess
- FindWindow
- OpenProcess and scanning the export table of the parent process
- thread local storage
- and lots of other tricks

You can read about some of them in Andrea Geddon's blog at RETeam, as well as in some threads at Woodmann's. Also there is a sample crackme on crackmes.de, and kao has written a solution for it. Hope it would be enough info for starters.

#8 Newbie_Cracker, 10-10-2005 20:28
Really, thanks JuneMouse.

Here is the modified OllyDbg with the following fixes:

- OutputDebugString fix (by pHoEniX)
- Hide from Execryptor & many packers (by TeSt)
- Hide from SDProtector (by myself)

Place this in the OllyDbg folder, and rename a copy of OllyDbg.ini to Modifyd.ini (for different settings between the original and modified OllyDbg).

Best regards.
Attached file: Modifyd.rar (526.7 KB)

#9 baatazu, 10-11-2005 03:19
ExeCryptor author is one of us

#10 doug, 10-11-2005 10:43
Quote: Originally Posted by Newbie_Cracker
Here is the modified OllyDbg with the following fixes:
...
Place this in the OllyDbg folder, and rename a copy of OllyDbg.ini to Modifyd.ini (for different settings between the original and modified OllyDbg).

Thanks for the file.
I noticed that you removed all the exported entries (names) from ollydbg.exe. How do you handle the plugins with those modifications? They all link to ollydbg.exe and use function names. Do you just keep ollydbg.exe in the same directory and hope for the best? Or do the plugins have to be patched as well?

#11 JuneMouse, 10-11-2005 14:35
Every plugin maps and resolves the exports/imports, whatever it is called, so stripping the export table doesn't cause any problem; just have the original exe in the directory.
Actually, if I remember well, just viewing the executable and modifying (zeroing out) the export table entry in the PE header defeats that check, as I think it was just relying on expecting an export table header.

Actually I was coding to incorporate this export table elimination at runtime in the plugin NTGLOBALFLAG (see, there is a big thread in this forum, second or third topmost read ever since the beginning of the board, quite an honour I would say, called "using TLS in Olly"), but I saw reports that crudd's re-pair already eliminates the export table, and also some such methods were already discussed by Shub-Nigurrath.

And I suck at coding C, which is what I coded the plugin in, so it's still sleeping in some shells around the world.

Also this OutputDebugString, if you see, also has a big thread here (yeah, I have a small percentage of contribution to that thread too, which goggles modified and crudd incorporated in his re-pair).
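Two observations in this thread can be turned into a small triage script: arnix and imagin identify EXECryptor by its random-looking section names (q2j0st88, fa3rybkx, 3usq.nuq), and JuneMouse's last post describes zeroing the export table entry in the PE header. The Python below is an added example written for this page; it is not code from the thread or from any of the tools named in it. It parses the COFF header, the export data-directory entry and the section table of a PE image, flags random-looking section names with a crude heuristic, and returns a copy of the image with the export directory entry zeroed. The minimal header-only PE images, the list of conventional section names, and the "two or more random names" threshold are constructed assumptions for the demonstration.

```python
import struct

# Hand-picked conventional section names (assumption: a small list, not exhaustive).
KNOWN_SECTION_NAMES = {
    ".text", ".data", ".rdata", ".idata", ".edata", ".rsrc", ".reloc", ".bss",
    ".tls", ".pdata", ".CRT", "CODE", "DATA", "BSS", "UPX0", "UPX1", "UPX2",
}


def build_minimal_pe(section_names, export_rva=0, export_size=0):
    """Build a minimal PE32 header-only image (constructed fixture, not an executable)."""
    opt_size = 224                              # PE32 optional header with 16 data directories
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)       # e_lfanew: PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 92, 16)         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, export_rva, export_size)  # DataDirectory[0]: export table
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


def _header_offsets(data):
    """Locate the section count, the export data-directory entry and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff_off + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff_off + 16)[0]
    opt_off = coff_off + 20
    magic = struct.unpack_from("<H", data, opt_off)[0]
    export_dir_off = opt_off + (96 if magic == 0x10B else 112)   # PE32 vs PE32+
    return num_sections, export_dir_off, opt_off + opt_size


def parse_pe(data):
    """Return section names plus the export directory RVA and size."""
    num_sections, export_dir_off, sec_off = _header_offsets(data)
    export_rva, export_size = struct.unpack_from("<II", data, export_dir_off)
    names = []
    for i in range(num_sections):
        raw = data[sec_off + 40 * i: sec_off + 40 * i + 8]   # IMAGE_SECTION_HEADER.Name
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return {"sections": names, "export_rva": export_rva, "export_size": export_size}


def looks_random(name):
    """Crude 'random letters' test in the spirit of the thread's q2j0st88 / fa3rybkx examples:
    not a conventional name and either mixing letters with digits or having no vowels (assumption)."""
    if name in KNOWN_SECTION_NAMES:
        return False
    body = name.lstrip(".")
    has_digit = any(c.isdigit() for c in body)
    has_alpha = any(c.isalpha() for c in body)
    no_vowel = not any(c in "aeiou" for c in body.lower())
    return (has_digit and has_alpha) or (has_alpha and no_vowel)


def triage(data):
    """Report section names, flag random-looking ones, and note whether an export directory exists."""
    info = parse_pe(data)
    random_names = [n for n in info["sections"] if looks_random(n)]
    return {
        "sections": info["sections"],
        "random_section_names": random_names,
        "execryptor_like": len(random_names) >= 2,     # threshold is an assumption
        "has_export_directory": info["export_rva"] != 0 and info["export_size"] != 0,
    }


def zero_export_directory(data):
    """Return a copy with DataDirectory[0] (export table RVA and size) zeroed."""
    _, export_dir_off, _ = _header_offsets(data)
    patched = bytearray(data)
    struct.pack_into("<II", patched, export_dir_off, 0, 0)
    return bytes(patched)


# Constructed samples: EXECryptor-style random names vs. an ordinary layout with an export table.
EXECRYPTOR_STYLE = build_minimal_pe(["q2j0st88", "fa3rybkx", "3usq.nuq"])
PLAIN_WITH_EXPORTS = build_minimal_pe([".text", ".data", ".rsrc"], export_rva=0x3000, export_size=0x80)

if __name__ == "__main__":
    for label, image in [("execryptor-style", EXECRYPTOR_STYLE), ("plain", PLAIN_WITH_EXPORTS)]:
        print(label, triage(image))
    print("after zeroing export dir:", triage(zero_export_directory(PLAIN_WITH_EXPORTS)))
```

The section-name heuristic is only a first-pass hint, as arnix's "99%" suggests; a real identification should confirm with the other traits imagin lists (TLS callbacks, the entry-point code). Zeroing the export directory entry only hides the exported names from a header scan; as JuneMouse and doug discuss, plugins still need the original, unmodified ollydbg.exe to resolve their imports.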
All times are GMT +8.