Exetools  

  #1  
Old 09-27-2007, 20:27
abccc
hashing algorithms

Hi everyone,

I am not familiar with hashing algorithms and I am not sure if they can prevent a program from executing, but I got this target that has a lot of them, and here it is.....


target: Proxy Switcher Standard 3.11

site: h**p://www.proxyswitcher.com

packer: UPX .... (very easy)

After unpacking it crashed. I analyzed it with PEiD and found these:


ADLER32 :: 00252EE1 :: 00652EE1
The reference is above.
ADLER32 :: 00252FAA :: 00652FAA
The reference is above.
ADLER32 :: 00252FB7 :: 00652FB7
The reference is above.
BASE64 table :: 000E190C :: 004E190C
Referenced at 006A02E0
BASE64 table :: 001EE87E :: 005EE87E
Referenced at 005EE879
BASE64 table :: 00209DB4 :: 00609DB4
Referenced at 006B66DC
BLOWFISH [sbox] :: 002A8B6C :: 006A8B6C
Referenced at 005FFEFA
CCITT-CRC16 [long] :: 0029F888 :: 0069F888
Referenced at 004B5530
CCITT-CRC16 [word] :: 001FD63B :: 005FD63B
Referenced at 005FD61F
CRC16 (rev) [word] :: 001EF276 :: 005EF276
Referenced at 005EF25E
CRC32 :: 001EF4A0 :: 005EF4A0
Referenced at 005EF486
CRC32 :: 0029FC88 :: 0069FC88
Referenced at 004B5553
CRC32 :: 002B7AB0 :: 006B7AB0
Referenced at 00653165
Referenced at 00653170
Referenced at 00653290
Referenced at 00653566
GOST [sbox 1] :: 002A7B6C :: 006A7B6C
Referenced at 005FF9AA
Referenced at 005FFB16
HAVAL (5 pass) [char] :: 002A05CC :: 006A05CC
Referenced at 005FA9E1
Referenced at 005FAC71
Referenced at 005FAFAD
MD5 :: 001F1ABB :: 005F1ABB
The reference is above.
MD5 :: 0029F3F8 :: 0069F3F8
The reference is above.
Q128 :: 002A9BB4 :: 006A9BB4
Referenced at 00601452
Referenced at 00601467
Referenced at 0060147D
Referenced at 00601493
Referenced at 006014E6
Referenced at 006014FC
Referenced at 00601512
Referenced at 00601528
Referenced at 00601592
Referenced at 006015B3
Referenced at 006015D6
Referenced at 006015F9
RIPEMD-256 [Init] :: 001F6D35 :: 005F6D35
The reference is above.
RIPEMD-320 [Init] :: 001F1920 :: 005F1920
The reference is above.
SHA1 [Compress] :: 0008EA51 :: 0048EA51
The reference is above.
SHA1 [Compress] :: 001FA435 :: 005FA435
The reference is above.
SHARK [CE-box] :: 002ABFF4 :: 006ABFF4
Referenced at 00602B53
Referenced at 00603118
Referenced at 006033CC
SNEFRU :: 002A064C :: 006A064C
Referenced at 005FBA6A
SQUARE [SD] :: 002ABEB4 :: 006ABEB4
Referenced at 00602ECF
Referenced at 00602EE4
Referenced at 00602EFB
Referenced at 00602F0D
Referenced at 00602F1D
Referenced at 00602F32
Referenced at 00602F49
Referenced at 00602F5A
SQUARE [SD] :: 002B40F4 :: 006B40F4
Referenced at 00603AA0
Referenced at 00603AAF
Referenced at 00603AC3
Referenced at 00603AD9
Referenced at 00603AF7
Referenced at 00603B09
Referenced at 00603B20
Referenced at 00603B39
Referenced at 00603B56
Referenced at 00603B68
Referenced at 00603B7F
Referenced at 00603B98
Referenced at 00603BAD
Referenced at 00603BB7
Referenced at 00603BC6
Referenced at 00603BD9
SQUARE [TE] :: 002A6B4C :: 006A6B4C
Referenced at 005FD105
Referenced at 005FD14D
Referenced at 005FD19E
Referenced at 005FD1E7
SQUARE [TE] :: 002B45F4 :: 006B45F4
Referenced at 00603687
TEAN [32 rounds] :: 0001D4C1 :: 0041D4C1
The reference is above.
TIGER :: 002A464C :: 006A464C
Referenced at 005FBC7C
TWOFISH [8x8] :: 002AABB4 :: 006AABB4
Referenced at 00602251
Referenced at 00602266
Referenced at 006022C3
Referenced at 006022DB
Referenced at 006022ED
Referenced at 00602314
Referenced at 0060233E
Referenced at 0060234F
Referenced at 00602522
Referenced at 00602548
Referenced at 00602597
Referenced at 006025C4
Referenced at 006026A8
Referenced at 006026B1
Referenced at 00602710
Referenced at 0060273D
Referenced at 0060276A
Referenced at 006027A0
Referenced at 0060280D
{Big number} :: 00205630 :: 00605630
Referenced at 006054D0
{Big number} :: 00205D40 :: 00605D40
The reference is above.
{Big number} :: 002591A4 :: 006591A4
Referenced at 00659070
{Big number} :: 0025A640 :: 0065A640
Referenced at 0065A4B6
{Big number} :: 0025A6DC :: 0065A6DC
Referenced at 0065A4DD
{Big number} :: 0026BE74 :: 0066BE74
Referenced at 0066BB73


I'm stuck here, any help...
  #2  
Old 09-28-2007, 15:25
Sabor
hm

In the brief minute that I looked at this app I see two things. First, I patched a few random bytes on the original file and it did not crash. The fact I was even able to patch any bytes tells me it is not packed. Also, I just loaded it in IDA, and with the exception of some weird segment names and some IDA messages, the file looks comprehensible and not packed. Why do you think it is UPX? Although I could be wrong, I would suggest deleting your unpacked version, making a copy of the original app and just disassembling it in IDA and having fun; it should run fine and be patchable. To answer your original question, just about any algo can be a CRC algo. The most likely algos to be a CRC are usually hash algos. And when you do encounter these, they are easy to spot, as they either read the PE file from disk or read it from memory, so just break on the appropriate APIs, readfile, readmem etc. I don't think you have to do anything here but install the app and then patch the registration check.
  #3  
Old 09-28-2007, 19:14
abccc
Thanks a lot for your reply Sabor. When I analyzed that app with PEiD it said it is UPX. Also, when manual unpacking did not work for me, I could unpack it with UPX v3.1 with parameter -d, and I successfully did, but it is still not working... please take a look at the attached picture.
Attached Images
File Type: gif upx1.gif (15.9 KB, 9 views)
  #4  
Old 09-28-2007, 19:28
Git
PEiD is actually saying that it is UPolyX which is PEiD's way of saying it has no idea if it is packed or not. The section names have been renamed to UPX to fool you. Doesn't sound like it is packed at all.

PETools is more reliable than PEiD and PE Explorer is very good at identifying and unpacking UPX if it is present.

Git
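Git's point, that UPX-looking section names are not evidence of packing, is easy to check mechanically. The following Python is an added example, not code from the thread or from any tool mentioned in it: it reads the section names out of the PE section table (via e_lfanew and IMAGE_SECTION_HEADER.Name) and treats them only as a hint, requiring the "UPX!" pack-header magic that the real packer leaves in the file before calling a binary UPX-packed. The `build_pe` helper constructs a header-only PE purely for the demonstration; it is not a real executable.

```python
import struct

def pe_section_names(data: bytes) -> list:
    """Return the section names from the PE section table (names are only a hint)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER starts after "PE\0\0"
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size             # section table follows the optional header
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i:table + 40 * i + 8]   # IMAGE_SECTION_HEADER.Name
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names

def classify_upx(data: bytes) -> str:
    """Heuristic: UPX-style names alone prove nothing; the real packer also
    leaves its 'UPX!' pack-header magic in the file."""
    names = pe_section_names(data)
    upx_named = any(n.upper().startswith("UPX") for n in names)
    has_magic = b"UPX!" in data
    if upx_named and has_magic:
        return "upx-packed"
    if upx_named:
        return "upx-names-only"      # renamed sections, no stub: treat as unpacked
    return "no-upx-indicators"

def build_pe(section_names, tail=b""):
    """Constructed header-only PE for the demo (not a real file, not runnable)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, timestamp, symtab ptr, nsyms, SizeOfOptionalHeader=0, flags
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + table + tail

if __name__ == "__main__":
    for names, tail in ((["UPX0", "UPX1", ".rsrc"], b"UPX!"),
                        (["UPX0", "UPX1", ".rsrc"], b""),
                        ([".text", ".data"], b"")):
        print(names, "->", classify_upx(build_pe(names, tail)))
```

On a real file, feed the whole image to `classify_upx`; a result of "upx-names-only" is the renamed-sections case Git describes, and PETools-style inspection of the entry point is the next step rather than running an unpacker.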
  #5  
Old 09-28-2007, 21:42
abccc
Thanks Git... and while I am trying to find a solution for this, I hope somebody could take a look at the code and give us any hints about it.
  #6  
Old 09-29-2007, 12:15
Sabor
hmm

You can load it in Olly/IDA/SICE directly and don't need to unpack or fix anything. Just find the registration routine which accesses the registry for reg info. Patch it to be nice and you should be done.
  #7  
Old 09-30-2007, 00:17
abccc
Quote:
Originally Posted by Sabor
You can load it in olly/ida/sice directly and dont need to unpack or fix anything. Just find the registration routine which accesses registry for reg info. Patch it to be nice and you should be done.

Well, I tried to run it under OllyDbg; it always crashes and I think it has anti-debug tricks or something like that. Here is what I got:

00497D16 C600 00 mov byte ptr [eax], 0
error : access violation when writing to [00000000]

and it goes into a loop when I try to continue with Shift+F9, and I used a plugin to hide the debugger but with no luck at all....

Last edited by abccc; 09-30-2007 at 00:24.
  #8  
Old 10-01-2007, 07:20
Sabor
hmm

Do we have the same app?

Program Files\Proxy Switcher Standard

That's the dir I have, and the app is ProxySwitcher.exe, 4.15 MB. I placed it in Olly, ignoring all debug exceptions. I have normal anti-debug. Also, the instruction at that address you pasted does not correspond. Try downloading the app again and doing a fresh install; I think your unpack attempt broke it.

00497D06 . B9 48804900 MOV ECX,ProxySwi.00498048 ; ASCII "InProcess debug forced."
00497D0B . B2 01 MOV DL,1
00497D0D . A1 BCA14000 MOV EAX,DWORD PTR DS:[40A1BC]
00497D12 . E8 5D69F7FF CALL ProxySwi.0040E674
00497D17 . E8 28BEF6FF CALL ProxySwi.00403B44
00497D1C > 6A 00 PUSH 0 ; /RootPathName = NULL
00497D1E . E8 09F9F6FF CALL <JMP.&kernel32.GetDriveTypeA> ; \GetDriveTypeA
00497D23 . 83F8 04 CMP EAX,4
00497D26 . 75 20 JNZ SHORT ProxySwi.00497D48
00497D28 . A1 04C46B00 MOV EAX,DWORD PTR DS:[6BC404]
00497D2D . 8338 01 CMP DWORD PTR DS:[EAX],1
00497D30 . 74 16 JE SHORT ProxySwi.00497D48
00497D32 . B9 68804900 MOV ECX,ProxySwi.00498068 ; ASCII "Shellexecute wont work properly on network drive."

That's what I have for that addr. So reinstall the app, start fresh, and just load it directly in Olly and see what you get.
DONGS
  #9  
Old 10-02-2007, 08:37
abccc
Yup, you are a great man Sabor, and I really have great regard for your patience. You are right, WE ARE not talking about the same apps.
I'm really sorry about that. The reason is that I downloaded it from another site.

I discovered that when you wrote down the size of your app, 4.15, mine was 1.92 and it was compressed with UPX.
I do not know why the other site had to compress it; anyway, I really want to thank you for everything.

Now one more question please: when I enter name and serial and press the OK button, I did not get any message like invalid registration
or so... any hints where I should put my breakpoint?
  #10  
Old 10-02-2007, 14:42
Sabor
hmmm

Probably because it is constantly reading the registration information prior to hitting the OK button. What this likely means is that it has already checked your registration information before you even clicked "OK". That might not be the case though. What you can do is set a memory breakpoint (if you're using Olly this is easy) on the code section in the memory manager when you are at the registration screen. This should land you in the loop where it is getting the reg info, either constantly or after clicking the "OK" button. Just do some sniffing around that area and you will find it.

DONGS
All times are GMT +8.