Exetools  

Old 07-13-2018, 03:29
DavidXanatos DavidXanatos is offline
How to find out how an exe was packed and how to unpack it?

Hi,

I'm trying to use IDA Pro on two applications; both seem not to like that. When trying to open them I get "Can't find translation for virtual address 0x[some number]", and trying to attach a debugger to an already running process results in that process crashing.
One of them just plainly refuses to start when IDA is running.

Now I'm a bloody beginner, so I don't really know how to get around such an obstacle.

Both applications are 64-bit binaries, although of one of them there is also a 32-bit version.

The tool "Protection ID 6.2.3" tells me that both applications are protected by Obsidium x64 V1.5 build 5, respectively build 105.


Can someone more knowledgeable give me some advice on how to tackle this sort of issue?


Cheers
David X.

Last edited by DavidXanatos; 07-13-2018 at 04:07.
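The question above is how to tell that an executable is packed before even opening it in a debugger. Protection ID answers it with signature matching against known protectors; a cheaper, signature-free triage is to read the PE section table directly, because packed files tend to show sections whose raw bytes look random (compressed or encrypted payload), sections that occupy address space but have no data on disk (the original code is reconstructed at run time), and section names no linker produces. The following Python script is an added example for this thread, not code from the thread, from Protection ID or from any other tool named here. It uses only the standard library, parses the DOS header, COFF header and section table itself, and runs on a constructed minimal PE32+ image that it builds in memory (not a real program); the section name `.pak0`, the entropy thresholds and the `packing_indicators` helper are my own choices.

```python
import hashlib
import math
import struct
import sys

IMAGE_FILE_HEADER_SIZE = 20   # COFF header (PE/COFF spec)
SECTION_HEADER_SIZE = 40      # IMAGE_SECTION_HEADER
# Section names commonly emitted by MSVC/GCC linkers; anything else is worth a second look.
KNOWN_NAMES = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
               ".idata", ".edata", ".tls", ".bss", ".CRT", ".gfids"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for compressed/encrypted data, roughly 4-6 for x86-64 code."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + IMAGE_FILE_HEADER_SIZE + size_opt
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, off)
        raw = pe[rptr:rptr + rsize] if rsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "raw_size": rsize,
            "entropy": round(shannon_entropy(raw), 2),
        })
    return sections


def packing_indicators(sections: list) -> list:
    """Heuristic hints only; e.g. a legitimate .bss section also has no raw data."""
    hints = []
    for s in sections:
        if s["raw_size"] > 0 and s["entropy"] >= 7.0:
            hints.append(f"{s['name']}: entropy {s['entropy']} (compressed/encrypted data?)")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hints.append(f"{s['name']}: no data on disk but {s['virtual_size']:#x} bytes "
                         "virtual (filled at run time?)")
        if s["name"] not in KNOWN_NAMES:
            hints.append(f"{s['name']}: non-standard section name")
    return hints


def deterministic_noise(n: int) -> bytes:
    """Constructed stand-in for a packed payload: a SHA-256 chain, so the test is repeatable."""
    out, block = bytearray(), b"constructed-seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_pe() -> bytes:
    """Constructed minimal PE32+ image with three sections; it is not runnable code."""
    opt_size, nsec = 240, 3                      # PE32+ optional header size, section count
    bodies = [
        (b".text", 0x20000, b""),                                   # original code: empty on disk
        (b".pak0", 0x1000, deterministic_noise(4096)),              # packer payload: looks random
        (b".rsrc", 0x800, b"Windows component list\n" * 50),        # ordinary low-entropy data
    ]
    hdr_end = 0x40 + 4 + IMAGE_FILE_HEADER_SIZE + opt_size + nsec * SECTION_HEADER_SIZE
    image = bytearray(hdr_end)
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x40)                        # e_lfanew
    image[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", image, 0x44, 0x8664, nsec, 0, 0, 0, opt_size, 0x22)
    struct.pack_into("<H", image, 0x44 + IMAGE_FILE_HEADER_SIZE, 0x20B)  # PE32+ magic
    table = 0x44 + IMAGE_FILE_HEADER_SIZE + opt_size
    rva, payload = 0x1000, bytearray()
    for i, (name, vsize, raw) in enumerate(bodies):
        rptr = hdr_end + len(payload) if raw else 0
        struct.pack_into("<8sIIIIIIHHI", image, table + i * SECTION_HEADER_SIZE,
                         name, vsize, rva, len(raw), rptr, 0, 0, 0, 0, 0x60000020)
        payload += raw
        rva += (vsize + 0xFFF) & ~0xFFF
    return bytes(image + payload)


if __name__ == "__main__":
    # Pass a real .exe path to triage it; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for s in parse_sections(data):
        print(f"{s['name']:<8} raw={s['raw_size']:#8x} virt={s['virtual_size']:#8x} "
              f"entropy={s['entropy']}")
    print("\n".join(packing_indicators(parse_sections(data))) or "no packing indicators")
```

Run it against the two real executables from the thread and compare the output with the Protection ID verdict: high-entropy sections plus an empty `.text` are the usual profile of a protector that decrypts the original code at run time, which also explains why a memory dump taken after the program has started loads into IDA while the on-disk file does not.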
Old 07-13-2018, 08:28
chants chants is offline
You are encountering anti-debugger techniques.

ScyllaHide, for example, can help you defeat these, though Obsidium is quite hard and it may not even work on the latest version, requiring some custom scripts or tools instead. See:
Quote:
ScyllaHide is an open-source x64/x86 usermode Anti-Anti-Debug library.
Quote:
https://github.com/nihilus/ScyllaHide
But perhaps you should learn about the nice Search feature of the forum first, as it can certainly help novices who have a bit of information go down the right path: https://forum.exetools.com/showthread.php?t=16245


And after you read and properly digest that discussion, if you are new to this you would probably be best off trying some easier unpack targets first before going for a difficult one, but this depends on how you work best.
Old 07-13-2018, 16:33
CodeCracker CodeCracker is offline
You could try another x64 debugger/disassembler:
https://x64dbg.com/#start

Let me know about the result.
Old 07-14-2018, 00:25
DavidXanatos DavidXanatos is offline
So my progress so far:

With ScyllaHide I could get the application protected with build 5 to start and run despite IDA being attached, although it runs super slowly.

The other application, protected with Obsidium x64 V1.5 build 105, of which there is a 32- and a 64-bit version, however seems to just freeze when I attach IDA :/

Now, to why I tackle two apps at once: both do the same (that is, allowing one to remove components from a Windows installation image). I would like to extract the file/reg key lists for the components in order to make an open source application with similar functionality. Editing images is easy, M$ provides the necessary tools, but knowing what files and registry entries to remove/modify is something to be found out. Windows 10 is a mess and I feel like the world needs such a tool being openly available.

Now to x64dbg, really cool project.
However I couldn't get it to work; when I attach it to any of the 3 exe's I have, it ends up in an exception

Code:
EXCEPTION_DEBUG_INFO:
           dwFirstChance: 0
           ExceptionCode: C0000005 (EXCEPTION_ACCESS_VIOLATION)
          ExceptionFlags: 00000000
        ExceptionAddress: 0000000077112DD5 ntdll.0000000077112DD5
        NumberParameters: 2
ExceptionInformation[00]: 0000000000000001 Write
ExceptionInformation[01]: 0000000076F159C0 <kernel32.BaseThreadInitThunk> Inaccessible Address
Last chance exception on 0000000077112DD5 (C0000005, EXCEPTION_ACCESS_VIOLATION)!
and I can't make it ignore it; in IDA, when the exception hit, I had the option to pass it through to the application and ignore all subsequent exceptions of that type.

In x64dbg I have unchecked all "break on" check boxes in the options and tried adding the last exception to the list of exceptions to be ignored, as well as adding a range of 0-ffffffff, but nothing I tried made it ignore said exception.

Am I missing some option or is that a missing feature?

In x64dbg, in the Scylla window, I found an option to dump the process from memory; that seemed to at least do something. Strangely, making a memory dump with WinHex from either of the apps fails. The dump cannot be started, it crashes, however the dumps can be loaded into IDA, so that's a start.
I also see long lists of reg keys and file paths, but no idea how they belong together.
Also, at least the second (more problematic) app is loading some component lists from the installation image, so to learn how that works it would be good to see it in action.


David X.
niculaita niculaita is offline
Open the soft, open MegaDumper for .NET apps, dump files, or upload the exe. If a dongle or card is used we cannot help you too much without them.
__________________
Decode and Conquer
Old 07-14-2018, 05:25
DavidXanatos DavidXanatos is offline
Quote:
Originally Posted by niculaita View Post
open soft, open megadumper for net apps, dump files, or upload exe. If dongle or card are used we can not help you too much without them
Both tools are available for download...

The good one, which also has the newer version of the protection, can be run without a license, but then the best functions are not available.

The other one can be run for free, although with an often-appearing annoying nag screen, and it's by far not as good as the first one.

Hence, if possible, I would like to get a look inside the first one; the second one is kind of plan B.

There are a couple of things I want to find out:

One is, as mentioned, the lists of files and reg keys for each component which can be removed. (These are the most interesting part, I think; both tools have slightly different collections of components, hence they probably have been manually generated at some point in time.)

The other thing is that some of the lists are generated from the mounted installation image; here I would like to know how to load those oneself (although at least for some I have somewhat of an idea how it's done).

Things like the provisioned apps can be enumerated and also removed using DISM commands.
I assume the list of drivers to be removed is also generated on the fly, most likely by just parsing all the *.inf files.

But things like telemetry, error reporting, SmartScreen, Windows Defender or Cortana a.k.a. Windows Search cannot be removed this way; instead one needs to know which files and registry entries to remove by hand.


The hard way to find out that info would be to run the tools always with only one option selected and then diff the resulting installation images; even though that could be automated, it would probably take forever.
So I take it as a good opportunity to learn some reverse engineering. I hadn't expected both tools to be equipped with anti-debugging techniques, though. Well... more opportunity to learn something new, I guess.

David X.

Last edited by DavidXanatos; 07-20-2018 at 22:36.