#1
An Unknown Packer !
A few days ago, one of my friends gave me the download address of DiskInternals Uneraser 2.3 as an unpacking target.

Shit... OllyDbg never stops at the OEP and a lot of exceptions occur. Its packer checks the CRC, and... amazingly it detects a modified OllyDbg and closes it easily. PEiD says the exe file is packed by UPX, but it's obvious that it's wrong!

Some time ago I found that SDProtector checks the ClassID of OllyDbg's main window, I mean the CPU ClassID. Here are the ClassIDs which SDProtector searches for:

ACPU, ACPUASM, ACPUDUMP, ACPUSTACK, ACPUINFO, ACPUREG, TCPU, TCPUASM, TCPUDUMP, TCPUSTACK, TCPUINFO, TCPUREG

So after patching OllyDbg to hide its caption and change its exe name, I patched it to change ...CPU... to ...CCC.... This trick defeated SDProtector (I know the effective debugger detection of SD is based on ZwQueryInformationProcess), but this time... I couldn't find the ClassID list of this unknown packer. Its crack-tools detection engine is active at runtime (like SD) and immediately detects OllyDbg when it's started. I think it detects other ClassIDs of OllyDbg, but which of them? Is there any suggestion?

Here is the download link: hxxp://www.diskinternals.com/download/Uneraser_Setup.zip

Best Regards.
#2
This app is packed with EXECryptor, this is a hard one!!!!
#3
I haven't downloaded it, but I think it's EXECryptor. Look at its section names, are they some random letters (like "j20jf0we")??? If yes, it's EXECryptor, 99%.
#4
YES - this is EXECryptor - 100%. Example section names (in the target): "q2j0st88, fa3rybkx, 3usq.nuq, ......." EXECryptor... and the new version of EXECryptor is too hard to unpack..... (best anti-debug, TEA encryption, TLS table trick and API hook detection......)
Last edited by imagin; 10-10-2005 at 05:01.
#5
Yes, it is 100% EXECryptor.
All programs at www.diskinternals.com are packed with EXECryptor.
#6
Oh, shit.
That's the first time I see this crap. So how does EXECryptor detect OllyDbg?
#7
Quote:
So how does EXECryptor detect OllyDbg?

IsDebuggerPresent, ZwQueryInformationProcess, FindWindow, OpenProcess, scanning the export table of the parent process, thread local storage and lots of other tricks. You can read about some of them in Andrea Geddon's blog at RETeam as well as in some threads at Woodmann's. Also there is a sample crackme at crackmes.de, and kao has written a solution for it. Hope it would be enough info for starters.
#8
Really thanks, JuneMouse.
Here is the modified OllyDbg with the following fixes:
- OutputDebugString fix (by pHoEniX)
- Hide from EXECryptor & many packers (by TeSt)
- Hide from SDProtector (by myself)
Place this in the OllyDbg folder, and rename a copy of OllyDbg.ini to Modifyd.ini (for different settings between the original and modified OllyDbg).
Best regards.
Last edited by Newbie_Cracker; 10-11-2005 at 06:59.
#9
The EXECryptor author is one of us.
#10
Quote:
I noticed that you removed all the exported entries (names) from ollydbg.exe. How do you handle the plugins with those modifications? They all link to ollydbg.exe and use function names. Do you just keep ollydbg.exe in the same directory and hope for the best? Or do the plugins have to be patched as well?
#11
Every plugin maps and resolves the exports/imports, whatever it is called, so stripping the export table doesn't cause any problem; just have the original exe in the directory.

Actually, if I remember well, just viewing the executable and modifying (zeroing out) the export table entry in the PE header defeats that check, as I think it was just relying on expecting an export table header. Actually I was coding to incorporate this export table elimination at runtime in the plugin NTGLOBALFLAG (see, there is a big thread in this forum, the second or third topmost read ever since the beginning of the board, quite an honour I would say, called "Using TLS in Olly"), but I saw reports that crudd's RE-Pair already eliminates the export table, and some such methods were already discussed by Shub-Nigurrath, and I suck at coding C, which is what I coded the plugin in, so it's still sleeping in some shells around the world.

Also this OutputDebugString, if you see, also has a big thread here (yeah, I have a small percentage of contribution to that thread too, which goggles modified and crudd incorporated in his RE-Pair).