Exetools - General Discussion (closed thread)
#31 - 11-03-2017, 03:55 - mr.exodia (Retired Moderator)
I changed "push 100" to "push 0", put a breakpoint on the first occurrence of EB03, ran it, reverted the patch so as not to trigger the CRC checks, and you get a 'clean' IAT. You still have to move the IAT with a tool like UIF though...

The "push 100" is a call that decrypts a buffer, I believe, but I haven't looked at it for a long time.
#32 - 11-04-2017, 06:24 - Benten (Friend)
Hey guys,

We had hell of a party yesterday.

OK back to business, I believe the reason Scylla won't find useful imports is because there is a memory bridge and the IT needs to be rebuilt manually.

At the OEP there are no more spliced jmps, and the seemingly innocent API calls, like the one below:

[image: At the OEP]

Now if we follow the first call to GetModuleHandleA, we land at the bridge:

[image: The Infamous Bridge]

Now if you follow the first long jmp we land here:

[image: The thing I believe is an Emulation.]

That's where I am right now. We have this thing discussed in the AndreaGeddon PDF, which I uploaded a while ago.

We get a description on how to defeat this and a program too, but the calls we saw are a new thing I guess.

[image: AndreaGeddon IAT Rebuilding]

Maybe this is where I should stop (a newbie's definitely not gonna make it), but I am definitely gonna try.
Also I am trying to replace the ECDSA parameters to register this app and then dump it. Like Mr.Exodia told me to do, but that takes a lot of learning as well.

Ok guys, our FAQ link's down, if admin guys see this please fix it. Also can we have a shout box too, it's really cool to have one. And a signature too, I mean I have to edit and add that respect line every time I post.

#33 - 11-04-2017, 21:23 - mr.exodia (Retired Moderator)
Replacing the ECDSA parameters doesn't require you to know anything. AKT has a plugin that comes with the latest version, just drag your exe in the inline tab and let it do the work for you.

As for that 'bridge', it doesn't affect anything for me (it seems to be a thing they did themselves, it's not an Arma feature afaik). I used UIF to rebuild the imports and just checked the box for direct addresses, and that did it.
#34 - 11-05-2017, 00:22 - Benten (Friend)
Thanks Mr.Exodia, you are really awesome and so kind and generous. I will definitely try it. Thanks for being a constant source of inspiration. super

So good to know that bridge is nothing, it saved a lot of time. I was about to reconfigure the AndreaGeddon code.

#35 - 11-07-2017, 00:47 - mr.exodia (Retired Moderator)
Quote (Originally Posted by Benten):
> Oh the GIV target and script, it's just minimal protection, no IT elimination. When it comes to real stuff even Mr.Exodia seems confused (Oh no offense please). He just said it himself (not just @3 mins, 38th sec of this video), watch this old tut.
I just put myself through watching (part of) that tutorial (christ hearing my own 15 y/o voice was cringy) and I indeed mentioned both IAT elimination and redirection there in the same sentence. Had absolutely no clue what I was doing, but I probably meant to say that VirtualProtect is called to allow the code to be changed for import redirection (since it redirects to a random page it has to rewrite every absolute reference to the IAT).

As for bad tutorials, at the time I thought I was improving upon existing tutorials, which was obviously not the case. Perhaps it would be a good idea to set up some wiki somewhere so everybody can contribute and improve?
#36 - 11-07-2017, 15:22 - Benten (Friend)
Quote (Originally Posted by mr.exodia):
> I just put myself through watching (part of) that tutorial (christ, hearing my own 15 y/o voice was cringy) and I indeed mentioned both IAT elimination and redirection there in the same sentence. Had absolutely no clue what I was doing, but I probably meant to say that VirtualProtect is called to allow the code to be changed for import redirection (since it redirects to a random page it has to rewrite every absolute reference to the IAT).
>
> As for bad tutorials, at the time I thought I was improving upon existing tutorials, which was obviously not the case. Perhaps it would be a good idea to set up some wiki somewhere so everybody can contribute and improve?

Mr. Exodia, that was the nicest thing I've ever come across in my whole life. Now your place in my heart got even higher. Your tutorials, and the work you've done, are so inspiring that I got into this unpacking thing. Now the way you commented above simply shows the world how much better a person you are.

God Bless you. And thank you for not taking any offense.

As far as EZCD is concerned, I can't do it. I did some inlining and stuff but that didn't work out so well for me. I've tried it for 2 days with no sleep, now I look like a bloody mess. Also I believe that EZCD is using ENHWID, because I followed the Security.dll and found the below.

I tried your tut below, but with Windows 10 & x64dbg the certificates are loaded after LocalAlloc, I believe. So I am unable to put a memory breakpoint just like you've done it, so that's also stuck.

Attached file: Armadillo_ECDSA_Patching.rar (18.06 MB)

#37 - 11-08-2017, 03:08 - mr.exodia (Retired Moderator)

Sleeping is more important than reversing this app... Regardless, every Armadillo app always calculates all hardware id types from what I know.

That tutorial is also a bit shit, but the LocalAlloc method was only to locate the 'certificate' functions (ReadByte, ReadWord, ReadDword). It might make more sense to try to follow along with what AKT is doing to see how it works (you can always do it on some unpackme later to learn how it works better).

The relevant (terrible) code for the ECDSA_Replace plugin starts at https://github.com/mrexodia/akt/blob/master/plugins/Arma_InlineHelper_Plugin_ECDSA_Replace/src/main.cpp#L115

Basically what the plugin does is hook that function, wait until a certain DWORD is found (part of the project ID, I believe), and it will then just alter the ASCII of the ECDSA parameters before it's read into BigNumbers. This is similar to how the 'certificates' tab of AKT works, but that one reads instead of writes.

Note that you cannot register EZ CD through their registration dialog (probably it calls their server/does validation or something). You can use the EnableRegister plugin and call "ezcd.exe REGISTER" from the command line to get the stock Armadillo registration dialog.
#38 - 11-09-2017, 14:25 - Benten (Friend)
Thank you Mr. Exodia :)

Mr.Exodia, you are right about the sleep, I just messed up a lot of things. Sleeping is very important.

And thanks to all your support, I got past the registration part. Will upload a video soon. It took a bit longer than expected, but I got it eventually. You've taken care of all of it, didn't you?

AKT is an awesome tool and it deserves good video tuts for itself, I will try whatever I can.

That Rep. is worth more than anything in my life, it brings a lot of honor to be at the receiving end and I am not sure if I am worthy of such an honor. Thank you Mr. Exodia, for making it so special. And a big big thank you for being there for me, when I need it the most.

stay awesome
Big Faannn
Ben

#39 - 11-13-2017, 19:02 - Benten (Friend)
Guys,

I am going to close this thread in a while, so if anybody has got anything to ask, this is the time.

EZCD is done. I was just a mere instrument and the Lords (Mr. Exodia & Mr Smiling Wolf) spent their valuable time to teach me and help me, can't thank them enough.

I still can't believe they talked to me, awesoomee

So that is it guys, I will put all the good tutorials I used to learn Armadillo in one place, just let me learn a few more unpackmes.
Tags: armadillo, armadillo unpacking, import elimination, tutorial request