#1
SVKP 1.3x - Download Accelerator plus v7.5
Hi folks,
I'm currently having a play with unpacking SVKP. The unpackme's are easily solved, and so are a few other apps. But this app puzzles me... The stolen bytes seem to be some kind of pseudo code, nearly 600 lines worth. So I added the Virtual Allocated section to the dump and diverted the EP. But it then becomes machine specific because of the emulated API.

Begin Stolen Bytes: 0052D1E4
End Stolen Bytes: 0052D24E

I have resolved these pointers:

0 00152180 ? 0000 00F79B75 > 1 00152180 kernel32.dll 01DB GetVersion
0 00152184 ? 0000 00F7AB8B > 1 00152184 kernel32.dll 01DC GetVersionExA
0 00152188 ? 0000 00F6AE6C > 1 00152188 kernel32.dll 0176 GetModuleHandleA
0 00152268 ? 0000 00F69E56 > 1 00152268 kernel32.dll 013C GetCurrentProcess
0 001534E4 ? 0000 00F7BC35 > 1 001534E4 user32.dll 01DD MessageBoxA

Could someone confirm if these are correct? But I still have these left:

0 0015332C ? 0000 00F764E6
0 00153330 ? 0000 00F78B53
0 00153334 ? 0000 00F71E99
0 00153670 ? 0000 00401000

Any help on this matter would be greatly appreciated. (Also any help on cracking it: the whole reg routine hinges on one byte @ 005C3FAC, but sometimes it wants it to be 0, sometimes it wants it to be 1! Makes no sense!)
#2
For imports in SVKP, here is the SVKP import fixer and a little tutorial on what is needed for the SVKP import fixer to work.
When you apply the import fixer to the dumped file, run the fixed dump through Olly till you break at the OEP, then run ImportREC and there are no more invalid pointers. I'm currently not able to download this app, but the SVKP import fixer works w/o problem with SVKP 1.3 and 1.4 dumped files. Cheers
#3
0052D0E1   C2 1000         RETN 10
0052D0E4   90              NOP                               ; oep
0052D0E5   90              NOP
0052D0E6   90              NOP
0052D0E7   90              NOP
...
...
0052D14C   90              NOP                               ; stolen bytes
0052D14D   90              NOP
0052D14E   E8 BC0EF0FF     CALL dap.0042E00F                 ; here
0052D153   391D 40025C00   CMP DWORD PTR DS:[5C0240],EBX
0052D159   75 0C           JNZ SHORT dap.0052D167
0052D15B   68 8AD25200     PUSH dap.0052D28A
0052D160   FF15 94315500   CALL NEAR DWORD PTR DS:[553194]   ; msvcrt.__setusermatherr
0052D166   59              POP ECX                           ; dap.0052D153
0052D167   E8 0C010000     CALL dap.0052D278

MS VC (with MFC .dll) app. You can cut this one:

0 00153670 ? 0000 00401000

About those 3 unresolved:

0 0015332C ? 0000 00F764E6
0 00153330 ? 0000 00F78B53
0 00153334 ? 0000 00F71E99

The 5 resolved pointers are the correct ones.

My dap.exe, 2,37 MB (2.487.296 bytes), md5 hash == 53E8C02AD30FD09652DEE62FD750DFC0, has its OEP at 0052D0E4 (106 stolen bytes).

Search for constants (RVA address) ... // find references | selected commands

0052EF50 - FF25 2C335500   JMP NEAR DWORD PTR DS:[55332C]
0052EF56 - FF25 34335500   JMP NEAR DWORD PTR DS:[553334]
0052EF5C - FF25 30335500   JMP NEAR DWORD PTR DS:[553330]

Encrypted code when you are on EIP = 0052D14E:

004CEE82   5A                 POP EDX                           ; dap.0052D153
004CEE83   2949 9A            SUB DWORD PTR DS:[ECX-66],ECX
004CEE86   17                 POP SS                            ; Modification of segment register
004CEE87   EE                 OUT DX,AL                         ; I/O command
004CEE88   8568 25            TEST DWORD PTR DS:[EAX+25],EBP
004CEE8B   9B                 WAIT
004CEE8C   2AC0               SUB AL,AL
004CEE8E   17                 POP SS                            ; Modification of segment register
004CEE8F   DB9F FD2112B6      FISTP DWORD PTR DS:[EDI+B61221FD]
004CEE95   8205 7CD0EF02 BD   ADD BYTE PTR DS:[2EFD07C],-43
004CEE9C   4F                 DEC EDI                           ; ntdll.7C910738
004CEE9D   02E8               ADD CH,AL

Code decryption happens here (use memory BP on write):

0012E998   AC              LODS BYTE PTR DS:[ESI]
0012E999   32C2            XOR AL,DL
0012E99B   AA              STOS BYTE PTR ES:[EDI]
0012E99C ^ E2 FA           LOOPD SHORT 0012E998
0012E99E   59              POP ECX                           ; 0BE9FCF5
0012E99F   5E              POP ESI                           ; 0BE9FCF5
0012E9A0   FF15 82234300   CALL NEAR DWORD PTR DS:[432382]
0012E9A6   81C4 54000000   ADD ESP,54
0012E9AC   61              POPAD
0012E9AD   68 82EE4C00     PUSH 4CEE82
0012E9B2   C3              RETN

Same code once decrypted:

004CEE82   E8 C9000600     CALL dap.0052EF50
004CEE87   6A 00           PUSH 0
004CEE89   FF15 44365500   CALL NEAR DWORD PTR DS:[553644]
004CEE8F   E8 1ADC0500     CALL dap.0052CAAE                 ; JMP to MFC42.#6438
004CEE94   FF15 84335500   CALL NEAR DWORD PTR DS:[553384]
...
...
...
004D01F9   E8 C923F3FF     CALL dap.004025C7
004D01FE   8BC8            MOV ECX,EAX
004D0200   E8 A96CF8FF     CALL dap.00456EAE
004D0205   6A 00           PUSH 0
004D0207   FFB5 58FCFFFF   PUSH DWORD PTR SS:[EBP-3A8]
004D020D   8B8D 7CEBFFFF   MOV ECX,DWORD PTR SS:[EBP-1484]   ; dap.005C3EC0
004D0213   E8 C8390000     CALL dap.004D3BE0

Code is not encrypted:

0052EF56 - FF25 34335500   JMP NEAR DWORD PTR DS:[553334]    // reference
004D293A   E8 17C60500     CALL dap.0052EF56

Code is not encrypted:

0052EF5C - FF25 30335500   JMP NEAR DWORD PTR DS:[553330]    // reference
004D373A   E8 1DB80500     CALL dap.0052EF5C

Now if you search for these commands you see they occur very often (more than 90 times):

60   PUSHAD
50   PUSH EAX
51   PUSH ECX
52   PUSH EDX
53   PUSH EBX
55   PUSH EBP
56   PUSH ESI
57   PUSH EDI

binary search: 60 50 51 52 53 55 56 57

So I assume this target has some parts of the code section that decrypt only when needed (like Formik & Optimik -> use Google to find these apps; but those 2 have only 7 or 9 encrypted code sections; SVKP goes this way: decrypt code when needed, load it in memory, then encrypt it back).

The last encrypted section ends at 004F2C79:

004F2C73     80         DB 80
004F2C74     9B         DB 9B
004F2C75     29         DB 29                              ; CHAR ')'
004F2C76   . 854E E4    TEST DWORD PTR DS:[ESI-1C],ECX
004F2C79   . 60         PUSHAD
#4
I'm not really an expert, but why can't you just add those allocated sections to the dump? Since the code is still static in the dump, you could just leave the unresolved APIs and let them be emulated by the added sections.
I've tested this on two different machines, and it seems to work. Don't know really, but you could test this one out. http://rapidshare.de/files/10083923/test_.zip.html

OEP at 0052D1E4

Code:
0052D247     90              NOP                 ---- STOLEN CODE! etc
0052D24E   . E8 CC47F7FF     CALL DAP.004A1A1F

Code:
Run trace, selected line
Back=630. Thread=Main
Address=00EB05B3
Command=PUSH EAX                                -- STOLEN CODE!

Is that what you've done? :-P Anyways, good luck with it, you tha man!
#5
Hehe, welcome back bro, long time no see.
Yeah, I've tried it, it only works on a few PCs, not everyone's. I'm going to keep trying though.
#6
"Yeah, I've tried it, it only works on a few PCs, not everyone's."
The dumped image still accesses jumps to API(s) inside the SVKP code; tens of references are accessed only inside the SVKP code.
#7
True.
I PM'd Britedream about this a little while ago and he suggested that the reason the exe didn't run on all machines was due to the emulated API info in the added sections being based on my machine. (If you see what I mean.) I believe this to be true. Unless there is another reason why it will only execute on my machine? This EXE runs fine on my PC, but will it on yours? I have included IAT Tree with it as well. http://rapidshare.de/files/10223754/Unpacked-DAP.rar.html
#8
Yeah, that one doesn't work for me. It crashes with an access violation:

0052D2A9   . E8 C4000000     CALL <JMP.&msvcrt._initterm>
--->
0041AC3C   . FF15 3C335500   CALL NEAR DWORD PTR DS:[55333C]   ; Unpacked.00F87A4B
--->
77D48E00     C17412 39 0E    SAL DWORD PTR DS:[EDX+EDX+39],0E

Crashing: trying to reach EF8A3609. It doesn't reach the correct API. I compared yours with mine and they are different here:

00F87A4B - E9 B013DC76   JMP USER32.77D48E00                  -- Yours
00EB7A4B - E9 D813E876   JMP USER32.RegisterWindowMessageA    -- Mine

Actually none of the USER32 APIs are found. I'm sitting on WinXP SP2 btw.
#9
SVKP goes from 0012xxxx to some other section:
(example from some VC unpackme with OEP elimination):

02DAE159   81C5 991DAD6D   ADD EBP,6DAD1D99
02DAE15F   50              PUSH EAX
02DAE160 / E9 AE000000     JMP 02DAE213

The problem is the encrypted sections, not the imports...

Last edited by hosiminh; 01-02-2006 at 22:56.
#10
Point proven.
Now how can we go about working around it? Is it not possible to stop the APIs being redirected through the SVKP code?

RE: Crypted Sections. I believe you said earlier:
Quote:
Last edited by Whiterat; 01-02-2006 at 22:48.
#11
Quote:
-> kind of a problemmo if the program has a lot of functions you have to check... (check Formik to see what I am talking about -> there is one function on printing too that should decrypt on the fly...)

Last edited by hosiminh; 01-02-2006 at 23:08.
#12
I decided to download SVKP from the FTP to help me learn more, when reading through the examples folder I found this option:
Quote:
It's well worth downloading SVKP, it's got lots of useful info in it.
#13
I had a look at the ENCRYPTED blocks long, long ago (in the first versions of SVK-Protector) and they could easily be repaired, just wait for them to be decrypted with a BP on execution.
Anyway, is SVK-Protector a dead project? It looks like it to me.
#14
Don't be so sure, there are new versions every now and then.
And yes, BP on execution is great... except when there are like 90 functions! And no idea how to execute some of them!
#15
Well if you have located them just change EIP to the PUSHAD/PUSH EAX..., decrypt the code and dump it =)
I've used Hiew to scan for the pattern in Optimik and just redirected EIP to those addresses, dumped them with IceExt and fixed the dump, or even better would be to code a debug loader if there are more than 20 crypted code places and automate the process of EIP redirection/code dumping. Cheers
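An added example, not code from any post in this thread nor from SVKP itself: a small Python script that does offline, on a raw section dump, what #3 and #15 describe doing by hand in Olly/Hiew. It searches the section for the 60 50 51 52 53 55 56 57 prologue and reports the hits as VAs, and it emulates the LODSB / XOR AL,DL / STOSB / LOOPD loop from 0012E998 to decrypt (or, run a second time, re-encrypt) the bytes after each hit. The key (0x5A), the VA base, the "body follows the prologue and has a fixed length" layout and the section contents are constructed assumptions; only the prologue bytes and the seven plaintext bytes E8 C9 00 06 00 6A 00 come from the thread. One caveat before trusting that loop alone: the encrypted bytes listed at 004CEE82 in #3 (5A 29 ...) are not a single-byte XOR of the decrypted ones (E8 C9 ...), since 5A^E8 and 29^C9 differ, so the real routine does more than that one loop.

```python
"""Offline helper for the decrypt-on-demand blocks discussed in this thread.

Added example, not code from the thread or from SVKP. It replicates two things
the posts describe: the byte-pattern search for the block prologue
(60 50 51 52 53 55 56 57) and the single-byte XOR loop seen at 0012E998
(LODSB / XOR AL,DL / STOSB / LOOPD). The key, the block layout and the sample
section below are constructed assumptions, not taken from dap.exe.
"""
import re
from typing import List, Tuple

# PUSHAD, PUSH EAX, PUSH ECX, PUSH EDX, PUSH EBX, PUSH EBP, PUSH ESI, PUSH EDI:
# the prologue found more than 90 times in the target (post #3).
PROLOGUE = bytes.fromhex("60 50 51 52 53 55 56 57")


def find_prologues(section: bytes, va_base: int) -> List[int]:
    """Virtual addresses of every PROLOGUE hit in a raw section copy loaded at
    va_base. Same search as 'binary search: 60 50 51 52 53 55 56 57'."""
    return [va_base + m.start() for m in re.finditer(re.escape(PROLOGUE), section)]


def xor_decrypt(block: bytes, key: int) -> bytes:
    """Emulates the loop at 0012E998:
         LODS BYTE PTR [ESI] ; XOR AL,DL ; STOS BYTE PTR [EDI] ; LOOPD
    ECX bytes are each XORed with DL (the low byte of the key register).
    XOR is an involution, so the same call re-encrypts, matching the
    'decrypt code when needed ... then encrypt it back' behaviour."""
    dl = key & 0xFF
    return bytes(b ^ dl for b in block)


def recover_blocks(section: bytes, va_base: int, key: int,
                   body_len: int) -> List[Tuple[int, bytes]]:
    """Dump-side equivalent of 'redirect EIP to each PUSHAD, let it decrypt,
    dump': for every prologue hit, XOR-decrypt the body_len bytes after it.
    ASSUMPTION: the encrypted body starts right after the prologue and has a
    fixed length; the real per-block length and key are not on the page."""
    out = []
    for va in find_prologues(section, va_base):
        body_off = va - va_base + len(PROLOGUE)
        out.append((va + len(PROLOGUE),
                    xor_decrypt(section[body_off:body_off + body_len], key)))
    return out


def starts_with_call(plain: bytes) -> bool:
    """Cheap plausibility check on a decrypted block: the recovered code in
    post #3 opens with E8 (CALL rel32) or FF 15 (CALL DWORD PTR [mem])."""
    return plain[:1] == b"\xE8" or plain[:2] == b"\xFF\x15"


# --- Constructed sample section (NOT a dump of dap.exe) ----------------------
SAMPLE_VA_BASE = 0x00401000      # assumed VA of the buffer below
SAMPLE_KEY = 0x5A                # assumed DL value
SAMPLE_BODY_LEN = 16             # assumed body length per block
# Plaintext head borrowed from the decrypted listing at 004CEE82 in post #3:
#   E8 C9000600   CALL dap.0052EF50
#   6A 00         PUSH 0
PLAIN_HEAD = bytes.fromhex("E8 C9 00 06 00 6A 00")


def build_sample_section() -> bytes:
    """0x82 bytes of NOP, one PROLOGUE + encrypted body, then NOP padding,
    so the single prologue lands at SAMPLE_VA_BASE + 0x82."""
    body = PLAIN_HEAD + b"\xCC" * (SAMPLE_BODY_LEN - len(PLAIN_HEAD))
    return (b"\x90" * 0x82 + PROLOGUE
            + xor_decrypt(body, SAMPLE_KEY) + b"\x90" * 0x10)


if __name__ == "__main__":
    sec = build_sample_section()
    for va, plain in recover_blocks(sec, SAMPLE_VA_BASE, SAMPLE_KEY, SAMPLE_BODY_LEN):
        verdict = "looks like code" if starts_with_call(plain) else "suspicious"
        print(f"block body at {va:08X}: {plain.hex().upper()}  {verdict}")
```

To use it on a real dump, read the code section's raw bytes into `section`, pass the section's VA as `va_base`, and replace the assumed key and body length with whatever the memory breakpoint on write at the loop reveals for each block; the prologue hits are where you would set EIP in Olly or break on execution.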