Exetools  

  #1  
02-12-2005, 09:27
Michel
AcProtect anti-dump tip

Hello !

I had some fights against the anti-dump trick of AcProtect. Now it's solved, and I would be happy if this simple tip can help someone.

The trick is that this protector replaces a lot of instructions of the original prog by calls to some indirect jump table. This is done at pack time, so it's not possible to intercept the substitution.
For example:
.....
00450AC9 8B46 0C MOV EAX,DWORD PTR DS:[ESI+C]
00450ACB 2BC3 SUB EAX,EBX
00450ACF .....
in the original exe, has been replaced in the packed one by:
.....
00450AC9 E8 0BB02D00 CALL Target.0072BAD9
00450ACF .....

We can see that the number of bytes needed by the call (5) is the same as the length of the substituted instructions.

Of course, address 0072BAD9 is in the "Perplex" section. At this address we are in the first table:
.....
0072BAD3 FF25 1C9C1700 JMP DWORD PTR DS:[00179C1C]
0072BAD9 FF25 209C1700 JMP DWORD PTR DS:[00179C20] <- here 1
0072BADF FF25 249C1700 JMP DWORD PTR DS:[00179C24]
.....
Address 00179C20 is not in an image module, but in a private one which is built by the AcProtect decrypt routines. So your dump can't work, as this module doesn't exist.
At 00179C20 we are in the second table:
.....
00179C1C 0017AF06
00179C20 0017AF0C <- here 2
00179C24 0017AF12
.....
So the final address of the call, where the instructions are finally executed, is 0017AF0C, in the same external module:
.....
0017AF0C 8B46 0C MOV EAX,DWORD PTR DS:[ESI+C]
0017AF0F 2BC3 SUB EAX,EBX
0017AF11 C3 RETN
.....

Now, what to do if the module 0017... doesn't exist?
The first and nicest way would be to restore the relocated instructions to their right place and throw away the whole Perplex section (not needed for the IAT).
But in my target there are more or less 1000 substitutions, so, manually, as Ricardo would say, it isn't a job for his sister...
If someone can write a plugin for Olly, that would be very nice, but sorry, I don't have the skill for it.
The second way would be to add a section, but windoze doesn't like sections at an address below the image base, so the image base would have to be changed too: I haven't tried that yet...
Putting the code in a DLL would work, but it's a little hard and not very elegant.
What I propose is to patch the first table so that the Perplex section remains but the 0017... module is no longer needed. We can see that the first table has a 6-byte step (length of the JMP []) and the last table has a 6-byte step too (5 for the code + 1 for the RET). Thus, the idea is to put the code directly in the first table.
The steps are:

1 - knowing where the first table is:
When the OEP is reached, put a bpm on access on the Perplex section and run: you land in the table. Scroll up... down... and take note of the first and last address: the whole table is one piece.

2 - patching
Restart Olly and break at the OEP again. Then assemble this little piece of code:

0044C945 BF F5B07200 MOV EDI,0072B0F5 <<- first address of table
0044C94A 8B77 02 MOV ESI,DWORD PTR DS:[EDI+2] ; pointer stored in the FF25 entry (2nd table slot)
0044C94D 8B36 MOV ESI,DWORD PTR DS:[ESI] ; follow it to the 6-byte stub in the 0017... module
0044C94F B9 06000000 MOV ECX,6
0044C954 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; copy stub over the entry, EDI moves to next entry
0044C956 81FF 5FC87200 CMP EDI,0072C85F <<- last address of table
0044C95C ^7E EC JLE SHORT Target.0044C94A ; loop until the whole table is rewritten

Put F2 after the JLE and run.
Now the table looks like this :
.....
0072BAD3 8BF1 MOV ESI,ECX
0072BAD5 8B4E 0C MOV ECX,DWORD PTR DS:[ESI+C]
0072BAD8 C3 RETN
0072BAD9 8B46 0C MOV EAX,DWORD PTR DS:[ESI+C]
0072BADC 2BC3 SUB EAX,EBX
0072BADE C3 RETN

0072BADF 03C1 ADD EAX,ECX
0072BAE1 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
0072BAE4 C3 RETN
.....
After breaking, you can copy the patched table and paste it into your dump. All the rest of the Perplex section may be zeroed (clearer for IDA... If you are familiar with LordPE, you can also delete the whole Perplex section and append a new section containing only the patched table).

I know this problem was already discussed on this forum, but I have searched and can't find the thread anymore... Maybe there are other solutions?

I don't talk about reaching the OEP and IAT rebuilding because they are easy and this isn't a full tut, but if someone has any problem with that, maybe I can try to help.

Regards and thanks for reading
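An added example, not code from this thread: a Python script that does offline, on a memory dump, what the REP MOVS loop above does in Olly (resolve each FF25 entry through the second table and write the 6-byte stub over the entry), plus the in-place restore that tr1stan proposes below, accepting an E8 byte as a spliced CALL only if its target lands exactly on a table entry. The addresses and bytes are a constructed mini image modelled on the listings in the post, not the real target.

```python
import struct
# Constructed mini memory image (not the thread's real dump): a Perplex table of
# FF25 entries, the pointer table in the private 0017.... module, the 6-byte
# stubs (5 code bytes + RETN) it points to, and one replaced CALL in the code.
TABLE1 = 0x0072BAD3   # first table: JMP DWORD PTR [..], 6 bytes per entry
TABLE2 = 0x00179C1C   # second table: 4-byte pointers to the stubs
STUBS = 0x0017AF06    # relocated instruction stubs, 6 bytes each
CODE = 0x00450AC9     # where "CALL Target.0072BAD9" sits in the code section
mem = {}
def write(addr, data):
    for i, b in enumerate(data):
        mem[addr + i] = b
def read(addr, n):
    return bytes(mem[addr + i] for i in range(n))

stubs = [b"\x8B\xF1\x8B\x4E\x0C\xC3",   # MOV ESI,ECX / MOV ECX,[ESI+C] / RETN
         b"\x8B\x46\x0C\x2B\xC3\xC3",   # MOV EAX,[ESI+C] / SUB EAX,EBX / RETN
         b"\x03\xC1\x8B\x4D\x08\xC3"]   # ADD EAX,ECX / MOV ECX,[EBP+8] / RETN
for k, stub in enumerate(stubs):
    write(STUBS + 6 * k, stub)
    write(TABLE2 + 4 * k, struct.pack("<I", STUBS + 6 * k))
    write(TABLE1 + 6 * k, b"\xFF\x25" + struct.pack("<I", TABLE2 + 4 * k))
write(CODE, b"\xE8" + struct.pack("<i", (TABLE1 + 6) - (CODE + 5)))  # E8 0BB02D00

def patch_table(first, last):
    """The posted REP MOVS loop, offline: for each FF25 entry follow the pointer
    twice and overwrite the entry with the 6-byte stub. Returns {entry: bytes}."""
    patched = {}
    for entry in range(first, last + 1, 6):
        if read(entry, 2) != b"\xFF\x25":
            raise ValueError(f"no JMP [] entry at {entry:08X}")
        slot = struct.unpack("<I", read(entry + 2, 4))[0]
        stub = struct.unpack("<I", read(slot, 4))[0]
        code = read(stub, 6)
        if code[-1] != 0xC3:            # every stub must end in RETN
            raise ValueError(f"stub at {stub:08X} does not end in RETN")
        write(entry, code)
        patched[entry] = code
    return patched

def restore_call(call_addr, patched):
    """tr1stan's variant: treat E8 as a spliced CALL only when its target lands
    exactly on a table entry, then put the 5 original bytes back over it."""
    if mem.get(call_addr) != 0xE8:
        return False
    target = call_addr + 5 + struct.unpack("<i", read(call_addr + 1, 4))[0]
    if target not in patched:           # an E8 that was data or a normal CALL
        return False
    write(call_addr, patched[target][:5])
    return True
```

On a real dump, `first` and `last` are the table bounds found with the bpm in step 1, and the code section would be walked byte by byte with `restore_call`.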
  #2  
02-12-2005, 20:31
tr1stan

nice info...thanks...
but why don't you rebuild the complete code section?
write a small prog which scans the code section for these special calls/jumps
and then copy the spliced opcodes back to their original position.

imho it's the best way to remove anything related to the protector.
  #3  
02-12-2005, 22:18
lownoise
I remember that Lunar Dust wrote some time ago a little program which did what tr1stan described. Maybe it's on the ftp or on the woodmann board (down at the moment)
  #4  
02-13-2005, 00:26
Michel
It doesn't seem so easy to me to scan the prog in order to find the calls: E8 isn't a "reserved byte", so it's a kind of little disassembler you must write. I don't say it's impossible, but to my knowledge it's easier to leave a small extra section.
Now, if you have a precise idea about some simple algo able to identify the calls, yes, why not try? That would be the king's way...
If someone knows the tool that Lownoise is speaking about, I would like to try it too...
Thanks
  #5  
02-13-2005, 04:07
lownoise
Michel, It's on the ftp and it's called ACstripper ;-)
  #6  
02-13-2005, 05:05
Michel
Thanks very much. I have tried AcStripper, but my target is loaded and nothing happens...???
  #7  
02-13-2005, 18:27
lownoise
When woodmann's board is back up, try to search the forum for acprotect. I thought lunar posted some source code that tries to fix dumped acprotect protection.
Acstripper is specific to some versions. Your target is probably protected with a newer version. Maybe you can PM Lunar for some help?
  #8  
02-13-2005, 19:37
Michel
You are right, I think it's a recent version: PEiD, even with a 200 kb userdb.txt, can't detect it, but PID 0.5 can. Nevertheless, this version is really easy to unpack.
What is funny is that I found these bits of string in the perplex section: "PROGRAM MANAGER.] BY YODA.T.COM/ - .LUGIN - .IALS/FILE_INFO/DOWNLOAD1.PHP?FILE=ACPROTECT_NAGREM" :Lol, it seems the author has read Shub-Nigurrath's nagremover tut...
The tools he doesn't like are: EXESPY.WXR95.REGMON.FILE MONITOR.REGMONEX.WINDOW DETECTIVE.DEBUGVIEW.RESSPY.ADVANCED REGISTRY TRACER.REGSNAP.MEMSPY.MEMORY DOCTOR.PROCDUMP32.MEMORY EDITOR.FROGSICE.SMU WINSPECTOR.MEMORY DUMPER.MEMORYMONITOR.NUMEGA SOFTICE LOADER.URSOFT W32DASM.-=CHINA CRACKING GROUP=-.OllyDbg.TRW2000...
Ciao.
  #9  
02-13-2005, 23:10
lownoise
Yes, I agree with you. The author of AcProtect, AKA Ultraprotect, is a member of this forum!! I once modified an Olly plugin which enabled AcProtect to run in Olly. Don't know if the plugin still works. Search the forum and you'll find him