Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 10-30-2013, 10:13
bridgeic bridgeic is offline
Friend
 
Join Date: Jun 2012
Posts: 88
Rept. Given: 7
Rept. Rcvd 3 Times in 3 Posts
Thanks Given: 0
Thanks Rcvd at 7 Times in 6 Posts
bridgeic Reputation: 3
Arrow How can I break the *.so file that main program call for?

I have a ruby script test.rb, encrypted with a software.

After encryption, when run with "ruby.exe test.rb", it will call a *.so file to decrypt the file and then execute the file.

My question is how to break at the *.so file when debug "ruby.exe test.rb" with ollydbg?

Attachement content:
org\test.rb => original ruby script
output\encrypt_test.rb => encrypted ruby script
output\rgloader\rgloader192.mingw.so => ruby.exe will call this file to decript encrypt_test.rb

ruby download: h**p://rubyforge.org/frs/download.php/75127/rubyinstaller-1.9.2-p290.exe

Thanks in advance,
bridgeic
Attached Files
File Type: zip TEST.zip (46.1 KB, 9 views)
Reply With Quote
  #2  
Old 10-30-2013, 21:06
Av0id Av0id is offline
VIP
 
Join Date: Jan 2006
Posts: 399
Rept. Given: 112
Rept. Rcvd 111 Times in 69 Posts
Thanks Given: 0
Thanks Rcvd at 15 Times in 15 Posts
Av0id Reputation: 100-199 Av0id Reputation: 100-199
in this case SO is renamed DLL, just put breaks on export calls or use generic approach with CreateFileExA/W

PS. i guess it's blowfish based and to decrypt it you must have a license file
Reply With Quote
  #3  
Old 10-30-2013, 21:07
N0P's Avatar
N0P N0P is offline
Friend
 
Join Date: Aug 2003
Location: Brno[CzechRepublic]
Posts: 82
Rept. Given: 19
Rept. Rcvd 10 Times in 9 Posts
Thanks Given: 4
Thanks Rcvd at 20 Times in 13 Posts
N0P Reputation: 10
easy way-> patch _rgloader_load in rgloader192.mingw.so to ebfe(infinite loop) then run script and attach olly
Reply With Quote
  #4  
Old 10-30-2013, 22:54
bridgeic bridgeic is offline
Friend
 
Join Date: Jun 2012
Posts: 88
Rept. Given: 7
Rept. Rcvd 3 Times in 3 Posts
Thanks Given: 0
Thanks Rcvd at 7 Times in 6 Posts
bridgeic Reputation: 3
Quote:
Originally Posted by N0P View Post
easy way-> patch _rgloader_load in rgloader192.mingw.so to ebfe(infinite loop) then run script and attach olly
Dear NOP,

Many many thanks.

I never hear this method before(sorry, forgive my ignorance. ),

I search "ollydbg + ebfe" in Google, and finally, I found it, with patch the entrance to "ebfe", I can break at rgloader192.mingw.so now, and can debug it now, thanks again.
Reply With Quote
  #5  
Old 10-30-2013, 22:56
bridgeic bridgeic is offline
Friend
 
Join Date: Jun 2012
Posts: 88
Rept. Given: 7
Rept. Rcvd 3 Times in 3 Posts
Thanks Given: 0
Thanks Rcvd at 7 Times in 6 Posts
bridgeic Reputation: 3
Quote:
Originally Posted by Av0id View Post
in this case SO is renamed DLL, just put breaks on export calls or use generic approach with CreateFileExA/W

PS. i guess it's blowfish based and to decrypt it you must have a license file
Yes, really need a license, I use evaluation license on test.

> just put breaks on export calls or use generic approach with CreateFileExA/W

Sorry, I still haven't understood it, I'll do some search/study first, thanks a lot.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
unlinker - a program for extracting functions from a PE file for later reuse jonwil Community Tools 5 11-25-2016 08:24
SOFTICE symblo loader won't break on program execution please help. logicalbit General Discussion 15 02-28-2003 02:33


All times are GMT +8. The time now is 22:46.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX
( 1998 - 2020 )