Exetools  
SVKP 1.3x - Download Accelerator plus v7.5

#1
12-30-2005, 07:17
Whiterat

Hi folks,

I'm currently having a play with unpacking SVKP.
The unpackmes are easily solved, and so are a few other apps.

But this app puzzles me...

The stolen bytes seem to be some kind of pseudo code, nearly 600 lines worth.
So I added the Virtual Allocated section to the dump and diverted the EP.
But it then becomes machine specific because of the emulated api.

Begin Stolen Bytes: 0052D1E4
End Stolen Bytes: 0052D24E

I have resolved these pointers:
0 00152180 ? 0000 00F79B75 > 1 00152180 kernel32.dll 01DB GetVersion
0 00152184 ? 0000 00F7AB8B > 1 00152184 kernel32.dll 01DC GetVersionExA
0 00152188 ? 0000 00F6AE6C > 1 00152188 kernel32.dll 0176 GetModuleHandleA
0 00152268 ? 0000 00F69E56 > 1 00152268 kernel32.dll 013C GetCurrentProcess
0 001534E4 ? 0000 00F7BC35 > 1 001534E4 user32.dll 01DD MessageBoxA

Could someone confirm if these are correct?

But still have these left:
0 0015332C ? 0000 00F764E6
0 00153330 ? 0000 00F78B53
0 00153334 ? 0000 00F71E99
0 00153670 ? 0000 00401000

Any help on this matter would be greatly appreciated.

(Also any help on cracking it, the whole reg routine hinges on one byte @ 005C3FAC, but sometimes it wants it to be 0, sometimes it wants it to be 1! Makes no sense!)
#2
12-30-2005, 10:17
deroko
For imports in SVKP, here is the SVKP import fixer and a little tutorial on what is needed for the SVKP import fixer to work.
When you apply the import fixer to the dumped file, run the fixed dump through Olly till you break at the OEP, now run ImportREC and there are no more invalid pointers.

I'm currently not able to download this app, but svkp import fixer works w/o problem with svkp 1.3 and 1.4 dumped files.

cheers
Attached Files: SVKP_imports.rar (30.7 KB), src.rar (7.1 KB)
#3
12-30-2005, 16:56
hosiminh
0052D0E1 C2 1000 RETN 10
0052D0E4 90 NOP //oep
0052D0E5 90 NOP
0052D0E6 90 NOP
0052D0E7 90 NOP
...
...
0052D14C 90 NOP //stolen bytes
0052D14D 90 NOP
0052D14E E8 BC0EF0FF CALL dap.0042E00F //here
0052D153 391D 40025C00 CMP DWORD PTR DS:[5C0240],EBX
0052D159 75 0C JNZ SHORT dap.0052D167
0052D15B 68 8AD25200 PUSH dap.0052D28A
0052D160 FF15 94315500 CALL NEAR DWORD PTR DS:[553194] ; msvcrt.__setusermatherr
0052D166 59 POP ECX ; dap.0052D153
0052D167 E8 0C010000 CALL dap.0052D278
MS VC (with MFC .dll) app


You can cut this one..
0 00153670 ? 0000 00401000

About those 3 unresolved:
0 0015332C ? 0000 00F764E6
0 00153330 ? 0000 00F78B53
0 00153334 ? 0000 00F71E99

The 5 resolved pointers are the correct ones.

My dap.exe 2,37 MB (2.487.296 bytes) , md5 hash == 53E8C02AD30FD09652DEE62FD750DFC0
has oep at 0052D0E4 (106 stolen bytes)


Search for constants (rva address) ...

//find references | selected commands
0052EF50 - FF25 2C335500 JMP NEAR DWORD PTR DS:[55332C]
0052EF56 - FF25 34335500 JMP NEAR DWORD PTR DS:[553334]
0052EF5C - FF25 30335500 JMP NEAR DWORD PTR DS:[553330]

Encrypted code when you are on eip = 0052D14E
004CEE82 5A POP EDX ; dap.0052D153
004CEE83 2949 9A SUB DWORD PTR DS:[ECX-66],ECX
004CEE86 17 POP SS ; Modification of segment register
004CEE87 EE OUT DX,AL ; I/O command
004CEE88 8568 25 TEST DWORD PTR DS:[EAX+25],EBP
004CEE8B 9B WAIT
004CEE8C 2AC0 SUB AL,AL
004CEE8E 17 POP SS ; Modification of segment register
004CEE8F DB9F FD2112B6 FISTP DWORD PTR DS:[EDI+B61221FD]
004CEE95 8205 7CD0EF02 BD ADD BYTE PTR DS:[2EFD07C],-43
004CEE9C 4F DEC EDI ; ntdll.7C910738
004CEE9D 02E8 ADD CH,AL

code decryption happens here (use memory bp on write) :
0012E998 AC LODS BYTE PTR DS:[ESI]
0012E999 32C2 XOR AL,DL
0012E99B AA STOS BYTE PTR ES:[EDI]
0012E99C ^ E2 FA LOOPD SHORT 0012E998
0012E99E 59 POP ECX ; 0BE9FCF5
0012E99F 5E POP ESI ; 0BE9FCF5
0012E9A0 FF15 82234300 CALL NEAR DWORD PTR DS:[432382]
0012E9A6 81C4 54000000 ADD ESP,54
0012E9AC 61 POPAD
0012E9AD 68 82EE4C00 PUSH 4CEE82
0012E9B2 C3 RETN


004CEE82 E8 C9000600 CALL dap.0052EF50
004CEE87 6A 00 PUSH 0
004CEE89 FF15 44365500 CALL NEAR DWORD PTR DS:[553644]
004CEE8F E8 1ADC0500 CALL dap.0052CAAE ; JMP to MFC42.#6438
004CEE94 FF15 84335500 CALL NEAR DWORD PTR DS:[553384]
...
...
...
004D01F9 E8 C923F3FF CALL dap.004025C7
004D01FE 8BC8 MOV ECX,EAX
004D0200 E8 A96CF8FF CALL dap.00456EAE
004D0205 6A 00 PUSH 0
004D0207 FFB5 58FCFFFF PUSH DWORD PTR SS:[EBP-3A8]
004D020D 8B8D 7CEBFFFF MOV ECX,DWORD PTR SS:[EBP-1484] ; dap.005C3EC0
004D0213 E8 C8390000 CALL dap.004D3BE0



code is not encrypted
0052EF56 - FF25 34335500 JMP NEAR DWORD PTR DS:[553334]

//reference
004D293A E8 17C60500 CALL dap.0052EF56

code is not encrypted
0052EF5C - FF25 30335500 JMP NEAR DWORD PTR DS:[553330]

//reference
004D373A E8 1DB80500 CALL dap.0052EF5C


Now if you search for those commands you see it occurs very often (more than 90 times)

60 PUSHAD
50 PUSH EAX
51 PUSH ECX
52 PUSH EDX
53 PUSH EBX
55 PUSH EBP
56 PUSH ESI
57 PUSH EDI

binary search:
60 50 51 52 53 55 56 57

so I assume this target has some parts of the code section that decrypt only when needed (like Formik & Optimik -> use Google to find these apps; but those 2 have only 7 or 9 encrypted code sections; SVKP goes this way: decrypt code when needed, load it in memory, then encrypt it back)

The last encrypted section ends at 004F2C79.

004F2C73 80 DB 80
004F2C74 9B DB 9B
004F2C75 29 DB 29 ; CHAR ')'
004F2C76 . 854E E4 TEST DWORD PTR DS:[ESI-1C],ECX
004F2C79 . 60 PUSHAD
#4
12-30-2005, 18:35
DappA
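An added example, not code from the thread or from SVKP: it scans an image for the PUSHAD/PUSH prologue hosiminh searches for and replays the byte-wise XOR loop (LODS; XOR AL,DL; STOS; LOOPD) he quotes. The prologue bytes and the loop come from the post; the block layout in the constructed sample (prologue, 1-byte length, 1-byte key, encrypted body) is an assumption for the demo, not SVKP's real format.

```python
from typing import List, Tuple

# PUSHAD; PUSH EAX; PUSH ECX; PUSH EDX; PUSH EBX; PUSH EBP; PUSH ESI; PUSH EDI
WRAPPER_PROLOGUE = bytes.fromhex("6050515253555657")


def find_block_prologues(image: bytes) -> List[int]:
    """Return every offset at which the wrapper prologue starts (the 'binary search')."""
    hits, pos = [], image.find(WRAPPER_PROLOGUE)
    while pos != -1:
        hits.append(pos)
        pos = image.find(WRAPPER_PROLOGUE, pos + 1)
    return hits


def xor_decrypt(body: bytes, key: int) -> bytes:
    """Mirror the quoted loop: ECX bytes, each XORed with the single key byte in DL."""
    return bytes(b ^ key for b in body)


def decrypt_blocks(image: bytes) -> List[Tuple[int, bytes]]:
    """Walk each prologue and decrypt the body after it (assumed layout, see lead-in)."""
    out = []
    for off in find_block_prologues(image):
        hdr = off + len(WRAPPER_PROLOGUE)
        length, key = image[hdr], image[hdr + 1]   # assumption: len byte, key byte
        body = image[hdr + 2: hdr + 2 + length]
        out.append((off, xor_decrypt(body, key)))
    return out


def build_sample_image() -> bytes:
    """Constructed image: NOP filler, then two wrapped blocks with distinct keys."""
    plain1 = bytes.fromhex("6a00e800000000c3")   # push 0; call; ret (sample bytes)
    plain2 = bytes.fromhex("33c0c20400")         # xor eax,eax; ret 4 (sample bytes)
    blk1 = WRAPPER_PROLOGUE + bytes([len(plain1), 0x5A]) + xor_decrypt(plain1, 0x5A)
    blk2 = WRAPPER_PROLOGUE + bytes([len(plain2), 0xC3]) + xor_decrypt(plain2, 0xC3)
    return b"\x90" * 16 + blk1 + b"\xcc" * 8 + blk2


if __name__ == "__main__":
    for off, body in decrypt_blocks(build_sample_image()):
        print(f"block at offset {off:#06x}: {body.hex()}")
```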
I'm not really an expert, but why can't you just add those allocated sections to the dump? Since the code is still static in the dump, you could just leave the unresolved APIs and let them be emulated by the added sections.

I've tested this on two different machines, and it seems to work. Don't know really, but you could test this one out.

http://rapidshare.de/files/10083923/test_.zip.html

OEP at 0052D1E4

Code:
0052D247      90            NOP ---- STOLEN CODE! etc
0052D24E   .  E8 CC47F7FF   CALL DAP.004A1A1F
Stolen Code starts at
Code:
Run trace, selected line
Back=630.
Thread=Main
Address=00EB05B3
Command=PUSH EAX -- STOLEN CODE!
Add this memory section to the dump, recover the IAT, rebuild PE, and set the EP to 00EB05B3-Imagebase = 00AB05B3

Is that what you've done? :-P
Anyways, good luck with it, you tha man!
#5
01-02-2006, 01:23
Whiterat
hehe welcome back bro, long time no see

Yeh, I've tried it, it only works on a few PCs, not everyone's.
I'm going to keep trying though.
#6
01-02-2006, 05:55
BetaMaster
"Yeh, I've tried it, it only works on a few PCs, not everyone's."


The dumped image still accesses jumps to API(s) inside the SVKP code; tens of references are only accessed inside the SVKP code.
#7
01-02-2006, 06:38
Whiterat
True.
I PM'd Britedream about this a little while ago and he suggested that the reason the exe didn't run on all machines was due to the emulated API info in the added sections being based on my machine.
(If you see what I mean)

I believe this to be true.
Unless there is another reason why it will only execute on my machine?

This EXE runs fine on my PC, but will it on yours?
I have included IAT Tree with it as well.

http://rapidshare.de/files/10223754/Unpacked-DAP.rar.html
#8
01-02-2006, 12:18
DappA
Yeah, that one doesn't work for me. It crashes with an access violation:

0052D2A9 . E8 C4000000 CALL <JMP.&msvcrt._initterm>
--->
0041AC3C . FF15 3C335500 CALL NEAR DWORD PTR DS:[55333C] ; Unpacked.00F87A4B
--->
77D48E00 C17412 39 0E SAL DWORD PTR DS:[EDX+EDX+39],0E
Crashing : Trying to reach EF8A3609

It doesnt reach the correct API. I compared yours with mine and they are different here :

00F87A4B - E9 B013DC76 JMP USER32.77D48E00 -- Yours
00EB7A4B - E9 D813E876 JMP USER32.RegisterWindowMessageA - Mine

Actually none of the USER32 APIs are found.
I'm sitting on WinXP SP2 btw.
#9
01-02-2006, 22:39
hosiminh
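An added example, not code from the thread: it decodes the two E9 rel32 stubs DappA quotes above to show why the dumped image only runs on the machine it was dumped on. The stub addresses and bytes are the ones in the post; the export map for DappA's user32.dll is a constructed placeholder (only RegisterWindowMessageA at the address his stub resolves to), not a real module layout.

```python
import struct
from typing import Dict, Optional


def jmp_rel32_target(stub_va: int, stub_bytes: bytes) -> int:
    """Target of an E9 rel32 JMP: address of the next instruction plus the signed displacement."""
    if len(stub_bytes) < 5 or stub_bytes[0] != 0xE9:
        raise ValueError("not an E9 rel32 JMP")
    rel = struct.unpack_from("<i", stub_bytes, 1)[0]
    return (stub_va + 5 + rel) & 0xFFFFFFFF


def resolve_stub(target: int, exports: Dict[int, str]) -> Optional[str]:
    """Map a stub's absolute target to an export name on *this* machine, if there is one."""
    return exports.get(target)


# Stubs as quoted in the post: the one in Whiterat's dump vs the one on DappA's machine.
WHITERAT_STUB = (0x00F87A4B, bytes.fromhex("E9B013DC76"))   # JMP USER32.77D48E00
DAPPA_STUB = (0x00EB7A4B, bytes.fromhex("E9D813E876"))      # JMP USER32.RegisterWindowMessageA

# Constructed export map for DappA's user32.dll (assumption, not dumped from a real DLL).
DAPPA_USER32_EXPORTS = {
    0x77D38E28: "RegisterWindowMessageA",
}


def explain() -> Dict[str, Optional[str]]:
    """For each stub, the export its target lands on in DappA's user32 (None = nothing there)."""
    result = {}
    for label, (va, code) in (("dump", WHITERAT_STUB), ("local", DAPPA_STUB)):
        result[label] = resolve_stub(jmp_rel32_target(va, code), DAPPA_USER32_EXPORTS)
    return result


if __name__ == "__main__":
    for label, (va, code) in (("dump", WHITERAT_STUB), ("local", DAPPA_STUB)):
        print(f"{label}: {va:#010x} -> {jmp_rel32_target(va, code):#010x}")
    print(explain())
```

The dumped stub hard-codes the absolute address the export had on the dumping machine's user32.dll build, so on a different build it lands in unrelated code, which is exactly the SAL instruction and the access violation the post reports.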
svkp goes from 0012xxxx to some other section:

(example from some VC unpackme with oep elimination ):
02DAE159 81C5 991DAD6D ADD EBP,6DAD1D99
02DAE15F 50 PUSH EAX
02DAE160 /E9 AE000000 JMP 02DAE213

The problem is the encrypted sections, not the imports...

#10
01-02-2006, 22:42
Whiterat
Point Proven.

Now how can we go about working around it?
Is it not possible to stop the APIs being redirected through the SVKP code?

RE: Crypted Sections
I believe you said earlier
Quote:
..SVKP goes this way: decrypt code when needed, load it in memory, then encrypt it back)
So it's not impossible....just incredibly time consuming?

#11
01-02-2006, 23:06
hosiminh
Quote:
So it's not impossible....just incredibly time consuming?
Yep, but remember, in order to be sure everything gets decrypted you have to use the program (not just run it and say: if it runs OK then game over)
-> kind of a problemmo if the program has a lot of functions you have to check...

(check Formik to see what I am talking about -> there is one function on printing too that should decrypt on the fly...)

#12
01-03-2006, 02:17
Whiterat
I decided to download SVKP from the FTP to help me learn more, when reading through the examples folder I found this option:
Quote:
Today's problem for protections like SVKP is dumping.
Crackers wait until the protected application is decoded
in memory and then with special programs (dumpers)
dump it from memory.
SVKP uses some techniques against dumping. But if
you use special blocks, the protected application is
more secure and it isn't easy to dump it correctly.

You can use two types of encrypted blocks:

Type1 - these blocks are decrypted before using
and after use encrypted again

Type2 - these blocks are decrypted before using
and after use removed. This mean, encrypted code
is not possible call again!!

Note: Don't use this method in Visual Basic !
So presumably we are facing Type1?
It's well worth downloading SVKP, it's got lots of useful info in it.
#13
01-03-2006, 08:25
peleon
I had a look at the ENCRYPTED blocks long, long ago (in the first versions of SVK-Protector) and they could easily be repaired, just wait for them to be decrypted with a BP on execution.

Anyway, is SVK-Protector a dead project? It looks like it to me.
#14
01-03-2006, 11:54
Whiterat
Don't be so sure, there are new versions every now and then.
And yes, bp on execution is great....except when there are like 90 functions!
And no idea how to execute some of them!
#15
01-03-2006, 13:18
deroko
Well, if you have located them just change EIP to pushad/push eax... decrypt the code and dump it =)
I've used Hiew to scan for the pattern in Optimik and just redirected EIP to those addresses, dumped them with ice-ext and fixed the dump.

Or even better would be to code a debug loader if there are more than 20 crypted code places and automate the process of EIP redirection/code dumping.

cheers