#1
|
|||
|
|||
How to find out how an exe was packed and how to unpack it?
Hi,
I'm trying to use IDA pro on two applications, booth seam not to like that, when trying to open them I get "Can't find translation for virtual address 0x[some number]" also trying to attach a debugger to a already running process results in that process crashing. One of them just plainly refuses to start when ida is running. Now I'm a bloody beginner so don't really know how to get around such an obstacle. Booth Applications are 64 bit binary's although of one of them there is also a 32 bit Version. The tool "protection id 6.2.3" tells me that that booth applications are protected by Obsidium x64 V1.5 build 5, respectively build 105 Can someone more knowledgeable give me some advice how to tackle such sort of issue. Cheers David X. Last edited by DavidXanatos; 07-13-2018 at 04:07. |
#2
|
|||
|
|||
You are encountering anti-debugger techniques.
ScyllaHide for example can help you defeat these though Obsidium is quite hard and may not even work in the latest version requiring some custom scripts or tools instead. See: Quote:
Quote:
And after you read and properly digest that discussion, probably if you are new to this, you would be best trying some easier unpack targets first before going to a difficult one but this depends on how you work best. |
#3
|
|||
|
|||
You could try other x64 debugger/disassembler:
https://x64dbg.com/#start Let me know about result. |
#4
|
|||
|
|||
So my progress so far:
With ScyllaHide I could get the application protected with the build 5 to start and run despite IDA being attached, although it runs super slowly. The other application protected with Obsidium x64 V1.5 build 105 of which there is a 32 and 64 bit version however seams just to freeze when I attach IDA :/ Now, to why I tackle two apps at once, booth do the same (that is allowing one to remove components out of a windows installation image), I would like to extract the file/reg key lists for the components in order to make a open source application with similar functionality. Editing images is easy M$ provides the necessary tools, but knowing what files and registry entries to remove/modify is something to be found out. Windows 10 is a mess and I feal like the world needs such a tool being openly available. Now to the x64dbg, really cool project. However I couldn't get it to work, when I attach it to any of the 3 exe's I have, it ends um in a exception Code:
EXCEPTION_DEBUG_INFO: dwFirstChance: 0 ExceptionCode: C0000005 (EXCEPTION_ACCESS_VIOLATION) ExceptionFlags: 00000000 ExceptionAddress: 0000000077112DD5 ntdll.0000000077112DD5 NumberParameters: 2 ExceptionInformation[00]: 0000000000000001 Write ExceptionInformation[01]: 0000000076F159C0 <kernel32.BaseThreadInitThunk> Inaccessible Address Last chance exception on 0000000077112DD5 (C0000005, EXCEPTION_ACCESS_VIOLATION)! In x64dbg I have unchecked all break on check boxes in options ad trying to add last exception to the list of exceptions to be ignored, as well as adding a range of 0-ffffffff, but nothing I tried made it ignore said exception. Am I missing some option or is that a missing feature? In x64dbg in the Scylla window I found an option to dump the process from memory, that seamed to at least do something. Strangely making a memory dump with WinHex from eider of the apps fails. The dump can not be started, it crashes, however the dumps can be loaded into IDA so that's a start. I also see long lists of reg keys and file paths, but no idea how they belong together. Also at least the second (more problematic app) is loading some component lists from the installation image so to learn how that works it would be good to see it in action. David X. |
#5
|
||||
|
||||
open soft, open megadumper for net apps, dump files, or upload exe. If dongle or card are used we can not help you too much without them
__________________
Decode and Conquer |
#6
|
|||
|
|||
Quote:
The good one but also with the newer version of protection can be run without a license, but then the best functions are not available. The other one can be run for free although with a often appearing annoying nag screen and its by far not as good as the first one. Hence if possible I would like to get a look inside the first one, the second one is kind of plan B. There are a couple thinks I want to find out: One is as mentioned; the lists of files and reg keys for each component which can be removed. (these are the most interesting part I think, booth tools have slightly different collections of components, hence they probably have been manually generated at some point in time) The other thing is that some of the lists are generated from the mounted installation image, here I would like to know hot to load those oneself (although at least for some I have somewhat an idea how its done). Things like the Provisioned apps can be enumerated and also removed using dism commands. I assume the list of drivers to be removed is also generated on the fly, most likely just parsing the all the *.inf files. But things like telemetry, error reporting, smart screen, windows defender or Cotana a.k.a. windows search can not be removed this way, instead one need to know which files and registry entries to remove by hand. The hard way to find out those info's would be to run the tools always with only one option selected and then diff the resulting installation images, even though that could be automatized it would probably take forever. So I take it as a good opportunity to learn some reverse engineering. Haven't expected though booth tools to be equipped with anti debugging techniques though. Well... more opportunity to learn something new I guess. David X. Last edited by DavidXanatos; 07-20-2018 at 22:36. |
Thread Tools | |
Display Modes | |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
How to unpack .dll packed with HASP4 | Asus | General Discussion | 1 | 03-28-2005 02:36 |
how do u unpack if u dont find how a exe is packed? | mefistor | General Discussion | 1 | 03-26-2003 05:43 |