Exetools
  #16  
Old 10-25-2017, 14:51
Benten Benten is offline
Friend
 
Join Date: Sep 2017
Location: Oh that's personal stuff, Don't want MI6 at my Mom's face
Posts: 24
Rept. Given: 0
Rept. Rcvd 3 Times in 3 Posts
Thanks Given: 12
Thanks Rcvd at 13 Times in 9 Posts
Benten Reputation: 3
@TechLord:

Did you do the "Junk Marking" to see the decrypted code and disable emulation, or is there an easy way?

I get to see where the Security.Dll (I think it's the security DLL, because if I disable the writes JE/alloc it will say a "can't allocate Dll" error) is loaded, what loads it and so on; I also got to see where the decrypted code gets written for the first time. But I couldn't find the second junk marker. Still trying... and it's frustrating..

Also I've tried using UIF, and my manual splicing fix still works; then I attached the missing memory regions (like the one I believe is the Security Dll and the one with size 0E6000H), but the dump crashes. I think I am missing the API redirection/emulation fix. I wish I could put all of this in a video.

Quote:
I wish I had 10 Rept., still can't get GIV script v0.2. Please share that attachment link if someone has it already.
[Update]
Got past the second junk marker; it's actually a call that decrypts the code pages.

I believe I am at the import redirection itself, need help now.


So here is a video, check it out..
I am getting almost 740 APIs but still can't get the dump working.

Video

Oh, I missed it: the error I get is "Out of Memory".
Come on guys, it's about time someone helped me...
Regards,
Ben

Last edited by Benten; 10-27-2017 at 19:18.
#17
10-28-2017, 03:29
Benten
@TechLord, where you at? I need help man... still waiting for that tut
#18
10-28-2017, 21:57
abhi93696
Hi

Check this out (it might give you some reference):
Also some little explanation:
Extra
Quote:
http://www.bit.ly/2yaIdjI
Regards
#19
10-28-2017, 22:18
Benten

Quote:
Originally Posted by abhi93696 View Post
Hi

Check this out (it might give you some reference):

Also some little explanation:

Extra

Regards
Mr. Haggar is someone worth mentioning. Also Mr. Ricardo did some good tutorials. I know it's against the rules, but thank you @abhi93696; maybe I'll get banned for thanking your efforts, but that's a risk worth taking.
#20
10-28-2017, 22:33
abhi93696

Quote:
Originally Posted by Benten View Post
Mr. Haggar is someone worth mentioning. Also Mr. Ricardo did some good tutorials. I know it's against the rules, but thank you @abhi93696; maybe I'll get banned for thanking your efforts, but that's a risk worth taking.
Aww... Thank you!
Btw, there's no rule like that, so you will not get banned.
Actually that rule means ONLY "THANK YOU" posts are culprits, not others!

Have a nice day

Edit: Really appreciate that you removed that post! Really nice of you
#21
10-29-2017, 19:53
Benten
Ok guys, EZCD x64 is almost down :),

Guess what, it's complete manual IAT fixing/rebuilding (whatever you wanna call it). And hell yeah, no tools except Scylla.

So I hope the same works for x86.. thanks for all the cheering up..

The dump is not polished; it still gets access violation errors and stuff, but it runs (duh).. here goes the proof attached.

I know, I know... it's fucked up.. but still better than stuck at some Scylla imports; well, it's something way better to start with, if you ask me.

Don't forget to add some reputation to me if you like it.. I just need Rept. 11 to download that GIV script.. That's all I need for now.

Once again @abhi93696, thanks for the support man.. It's all about our actions, and actions speak louder, isn't it buddy
Attached Files
File Type: rar EZCD Proof.rar (621.2 KB, 13 views)

Last edited by Benten; 10-30-2017 at 00:07.
#22
10-29-2017, 21:28
abhi93696

Quote:
Originally Posted by Benten View Post
Ok guys, EZCD x64 is almost down,

Guess what, it's complete manual IAT fixing/rebuilding (whatever you call it). And hell yeah, no tools except Scylla.

So I hope the same works for x86.. thanks for all the cheering up..

The dump is not polished; it still gets access violation errors and stuff, but it still runs.. here is the proof attached.

I know, I know... it's fucked up.. but still better than stuck at Scylla, and somewhere better to start guys..

Don't forget to add some reputation to me if you like it.. I just need Rept. 11 to download that GIV script.. That's all I need for now.
Congrats man

Now tell me, isn't this achievement better than if someone had provided you a tut and then you had reversed it??
Maybe your dump is not a polished one, but now at least you can say "I DID IT! MYSELF". Take this in a positive way buddy

Quote:
Once again @abhi93696, thanks for the support man.. It's all about our actions, and actions speak louder, isn't it buddy
No problem! Indeed it's correct.... Also, where there's a will there's a WAY

BR
#23
10-31-2017, 04:44
Benten
The x64 was rather easy to come by; x86 is really tough though. I've tried everything. It's really hard for me.

I think not many people like what I do, or even don't like me personally; that's alright. But if someone besides me would take a look at it, it would be great.

I will upload what I have done shortly. I hope someone will help. I mean real help.
#24
10-31-2017, 08:44
mr.exodia (Retired Moderator)
@Benten I did some quick steps (7.0.6 32 bit):

1. You need a registered version (there are secure sections that determine which features you have, for example at 0x404D63)
- You can obtain this by buying the program and unpacking the registered version
- OR by brute forcing the symkeys and replacing the ECDSA parameters and unpacking that registered version (make sure not to click the update button)
2. Get to the entry point (standard protection, so quite easy); it is 0x4038C4
3. Fix the import elimination (redirect them with UIF to the section of size 0x10000 where the entry point originally is)
4. Redirect the code splices (you can use another arma section near the end of the file)
5. Dump + fix (make sure to check the 'use original thunk' option in Scylla or you'll get a crash)
6. Now you will crash: "Access violation at address 00536A4D in module 'ezcd_reg-dump_SCY.exe'. Read of address 00000000."
7. Hint to fix this and fully register: look into what ArmAccess.dll is.
#25
10-31-2017, 12:35
Benten
Finally the Lord heard me...

Thank you Mr. Exodia, I put a lot of effort into learning. You coming here to help means a lot. This is the best present ever. Don't know what to say, I am so excited. Thank you for your time.

I am a big fan of your work. You are amazing.

Respects,
Ben

Last edited by Benten; 11-01-2017 at 01:45. Reason: Mr.Exodia is Amazing
#26
10-31-2017, 21:49
Benten
TrapZero FFF Armadillo 9 x64 Manual Unpacking ENG by Ben

As promised, here is the x64 IAT Elimination - Manual Unpacking.
This is actually the FFF tutorial. I've just added a much needed video to it.

Also I've identified some patterns to make the search easy. There are crashes, so the dump is not perfect, but the unpacking works fine. Maybe locked features are crashing the dump, as Mr. Exodia puts it; needs more work I guess. I can't do brute forcing, we don't have any PC that good around the coffee shop.

Thanks and Respects,

Last edited by Benten; 11-01-2017 at 04:55. Reason: Respects to Mr.Exodia, Mr.Smiling Wolf, TrapZero/FFF, Exetools Family & Regards to my Friend abhi93696
#27
11-01-2017, 08:11
SmilingWolf (Family)
Quote:
Originally Posted by Benten View Post
May be locked features are crashing the dump
That's not how Secure Sections work. If the program works in trial mode but not once unpacked something got messed up in the process. Most likely it's the splices that haven't been fixed correctly. You can try to simply redirect them to the .pdata section instead of resolving/fixing them. Less likely it's because of some CALL or JMP to imports that for one reason or the other didn't make it into the final dump.

Quote:
Originally Posted by Benten View Post
I can't do brute forcing, we don't have any PC that good around the Coffee shop.
Code:
Global Information:
   TimeStamp : 522B6164
 First DWORD : BEB12B6C
  Project ID : EZ CD Audio Converter 5
     Website : http://www.poikosoft.com/buy.html
      Magic1 : A99D3A69
      Magic2 : 185F
        Salt : DDFD006F
  Crypt Seed : 3D1F87D1 (0xE, 0xF, 0x4, 0x4)

Public Certificate Information:
  Short V3 Level 10:
    Chk : 2C0F3520
    Sym : 2B7D0D69
  BaseP : 438743756 (Size=4F, Diff=2F67, MD5=32F5621D)
  Pub.X : 5166803264428898532848136302152315
  Pub.Y : 5885292780640973861494979822117782

  Short V3 Level 10:
    Chk : F4A58BED
    Sym : D25882FE
  BaseP : 2707316665 (Size=50, Diff=2FBC, MD5=EB410984)
  Pub.X : 9572786991591576323293497288923141
  Pub.Y : 7813891883224157983281644193935444

  Short V3 Level 10:
    Chk : D310A5F2
    Sym : F9B0ABB5
  BaseP : 3073286976 (Size=50, Diff=3012, MD5=5DD8378B)
  Pub.X : 8853314056135967505699477416912929
  Pub.Y : 2273504409043285102220298435426270

  Short V3 Level 10:
    Chk : 76B6BB27
    Sym : AA65E8AC
  BaseP : 3279749701 (Size=4F, Diff=3068, MD5=81777B0F)
  Pub.X : 3277174474704060691137745527117117
  Pub.Y : 308731733377103543808919722499418

Intercepted Libraries:
  -*
GIV's script v0.1 can be found on tuts4you just like *shameless plug* my Armadillo Factotum script. Never ask anyone but the original poster to mirror an attachment. It's against the rules.
#28
11-01-2017, 11:35
cybercoder
It is possible to make a completely working copy (all features) without needing a key, although it's easier that way... If I remember correctly, you need to have a look into GetProtectionVariableA or something like that; there is a string reference to it that might just help you stop some crashing. Not going to give it all away though..
#29
11-01-2017, 13:33
Benten
Thank you Mr. Smiling Wolf...

Lords are blessing me like never before. First Mr. Exodia and now Mr. Smiling Wolf... It's Xmas with lots and lots of presents... loving it

Thank you Mr. Smiling Wolf for the help, as always.. I will try that splices redirection. Can't believe you took some time to do that brute forcing for me; you are so kind, as always.

Oops, sorry guys, I accidentally broke a rule; hope you guys will let this one pass. It won't happen again. I promise

Mr. CyberCoder, that's really interesting to know. I will definitely give it a try.

I am absolutely speechless.. I mean the Lord himself did the brute forcing for me and Mr. Exodia almost cracked it for me; how awesome is that for a Xmas

Last edited by Benten; 11-01-2017 at 13:37. Reason: Respects to Mr.Exodia and Mr. Smiling Wolf.. Regards to ExeTools Family
#30
11-02-2017, 15:20
Benten
I was just fooling around with the x86 code and struck upon this one. Thought you guys should see it.

There has been absolutely no luck building a clean IAT till now, but I am trying. And no luck using tools either; I've hit my bottom and started using tools, temporarily that is.

The point is, I believe NOP-ing the mov (below) inside the call that follows push 0x100 unpacks the thing, correct me if wrong, and the errors are still there. If it were splices, then that error shouldn't be there if I chose to run, right?

Code:
 mov byte ptr ds:[eax], dl
Anyway, have a nice day. Keep rocking...

Regards,
Ben
Attached Files
File Type: rar Video.rar (5.49 MB, 32 views)

Last edited by Benten; 11-02-2017 at 15:21. Reason: Respects to Mr.Exodia, Mr.Smiling Wolf, FFF & Regards to Abhi & Exetools family
Tags
armadillo, armadillo unpacking, import elimination, tutorial request