#1
Help for unknown protector
Hello everybody.
A few days ago I saw an unknown protector (at least for me). Here is the link to the protected target:
Code:
http://download.akvis.com/akvis-lightshop-setup.exe
Code:
```
010F4000 <> /EB 01          JMP SHORT Lightsho.010F4003
010F4002    |99             CDQ
010F4003    \50             PUSH EAX
010F4004     EB 04          JMP SHORT Lightsho.010F400A
010F4006     2B67 A9        SUB ESP,DWORD PTR DS:[EDI-57]
010F4009     15 E8140000    ADC EAX,14E8
010F400E     00EB           ADD BL,CH
010F4010     0321           ADD ESP,DWORD PTR DS:[ECX]
010F4012     96             XCHG EAX,ESI
010F4013     D6             SALC
010F4014     EB 03          JMP SHORT Lightsho.010F4019
```
Its unpacking routine is strange! After the 6th exception, it writes the code section. None of the breakpoints work to trap the write sequence. Does someone know what its name is?
__________________
In memory of UnREal RCE...
#2
I found the decompression routine, but still don't know why OllyDbg cannot break on write to memory!!!
The protector stub calls VirtualProtectEx after the 6th exception (copies the first 6 bytes, executes them and jumps into the middle of the API) to change the access of the code section. Is this the cause of bypassing the memory breakpoint (as it's a page guard)? It seems that the protector clears hardware breakpoints too.
__________________
In memory of UnREal RCE...
#3
Why don't you use a plugin for Olly which hides the debugger and protects against common anti-debugging tricks?
#4
OEP RVA 00626A7D
#5
Unpacked file here http://www.multiupload.com/I3989AR3HX
Two API calls were left unidentified:
```
0046A918  . FF15 6C40BC00   CALL DWORD PTR DS:[BC406C]
0046AB1C  . FF15 6840BC00   CALL DWORD PTR DS:[BC4068]
```
They don't look like regular API calls, so I just nopped them. An overlay also exists but wasn't appended, to minimize the size. The last sections were cut and the resources were rebuilt. The file seems to be working fine on 2 different OSs, but I haven't tested it thoroughly. It's just unpacked; nothing else is patched or cracked.

The Following User Gave Reputation+1 to Archer For This Useful Post: Newbie_Cracker (12-28-2010)
#6
It's not too hard to unpack. I didn't work on its API redirection routine yet, because it's too easy to crack using a loader!!
I just want to know the name of the protector. Anyways, thanks Archer.
__________________
In memory of UnREal RCE...
#7
It's Obsidium v1.4
API redirections like that:
Code:
```
003E1858   60              PUSHAD
003E1859   9C              PUSHFD
003E185A   66:BD F6AD      MOV BP,0ADF6
003E185E   EB 03           JMP SHORT 003E1863
003E1860   0253 24         ADD DL,BYTE PTR DS:[EBX+24]
003E1863   66:BB 0E99      MOV BX,990E
003E1867  -E9 752EFDFF     JMP 003B46E1
```
And this (mov reg32, API / nop):
Code:
```
00A268C6  . BB 49AA807C    MOV EBX,kernel32.GetProcessHeap
00A268CB  . 90             NOP
00A268CC  . FFD3           CALL EBX                     ; [GetProcessHeap
```

The Following User Gave Reputation+1 to uLysse For This Useful Post: Newbie_Cracker (01-11-2011)
#8
If anyone has done research on Obsidium, it would be interesting to know what the 2 unidentified calls from my post above are doing. They don't look like regular API calls, nor like the protector API; eax is unused and they don't seem to make any changes in the dump.
#9
Your 2 unidentified calls are calls to the protector API.
By tracing them, eax is set to a specific value. The list of these "codes" has been given on crackl@b.
By tracing into 0046A918, eax becomes D5D7FD6D -> setExternalKey
By tracing into 0046AB1C, eax becomes 4EC72EC2 -> isRegistered

The Following 2 Users Gave Reputation+1 to uLysse For This Useful Post: ahmadmansoor (12-30-2010), Archer (01-03-2011)
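The two call shapes discussed in posts #5, #7 and #9 (a `CALL DWORD PTR [slot]` whose pointer slot lies outside the import table, and the `MOV reg32,imm32 / NOP / CALL reg32` redirection) can be located mechanically in a raw dump before IAT repair. The scanner below is an added example written for this thread, not code from any poster or from Obsidium: it sweeps a byte buffer for those two encodings, flags indirect calls whose slot falls outside a caller-supplied IAT window as candidate protector API calls, and names the immediate of a mov/nop/call when it is in a caller-supplied export map. The sample buffer, its base address, the IAT window and the export map are constructed from the bytes quoted in the thread; the only real addresses in it are the ones the listings show. The eax codes table holds just the two values post #9 gives.

```python
"""Scan an x86-32 code dump for the two protector call shapes seen in the thread."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# x86-32 encodings relied on below (documented in the Intel SDM):
#   FF 15 disp32   CALL DWORD PTR [disp32]   call through a pointer slot
#   B8+r imm32     MOV r32, imm32            r: EAX=0 ... EDI=7
#   90             NOP
#   FF D0+r        CALL r32
REG32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]

# Values left in EAX after tracing into the protector API stubs, as quoted
# in post #9 of the thread. Only those two values; nothing else is known here.
OBSIDIUM_CODES = {0xD5D7FD6D: "setExternalKey", 0x4EC72EC2: "isRegistered"}


@dataclass
class Hit:
    va: int        # virtual address of the pattern's first byte
    kind: str      # "indirect_call" or "mov_nop_call"
    value: int     # pointer slot (indirect call) or immediate (mov/nop/call)
    note: str


def scan_indirect_calls(code: bytes, base: int, iat: Tuple[int, int]) -> List[Hit]:
    """Find FF 15 disp32 and classify the slot as inside or outside the IAT.

    This is a linear byte sweep, not a disassembler: it can match bytes that
    are really operands of another instruction, so treat hits as candidates.
    """
    lo, hi = iat
    hits, i = [], 0
    while i + 6 <= len(code):
        if code[i] == 0xFF and code[i + 1] == 0x15:
            slot = struct.unpack_from("<I", code, i + 2)[0]
            note = ("slot inside IAT" if lo <= slot < hi
                    else "slot outside IAT: candidate protector API call")
            hits.append(Hit(base + i, "indirect_call", slot, note))
            i += 6
            continue
        i += 1
    return hits


def scan_mov_nop_call(code: bytes, base: int, exports: Dict[int, str]) -> List[Hit]:
    """Find MOV r32,imm32 / NOP / CALL r32 (8 bytes) and name the immediate."""
    hits = []
    for i in range(len(code) - 7):
        op = code[i]
        if not 0xB8 <= op <= 0xBF:
            continue
        r = op - 0xB8
        if code[i + 5] == 0x90 and code[i + 6] == 0xFF and code[i + 7] == 0xD0 + r:
            imm = struct.unpack_from("<I", code, i + 1)[0]
            name = exports.get(imm, "unknown")
            hits.append(Hit(base + i, "mov_nop_call", imm,
                            f"MOV {REG32[r]},{imm:08X} / NOP / CALL {REG32[r]} -> {name}"))
    return hits


def name_protector_code(eax: int) -> str:
    """Map the EAX value observed after tracing a protector call to its name."""
    return OBSIDIUM_CODES.get(eax, "unknown code")


# Constructed sample: the byte patterns quoted in the thread, placed in one
# buffer at a made-up base. In a real dump they sit far apart.
SAMPLE_BASE = 0x0046A900
SAMPLE_CODE = (
    b"\x90" * 4
    + bytes.fromhex("FF156C40BC00")        # CALL DWORD PTR [00BC406C]
    + b"\x90" * 4
    + bytes.fromhex("FF156840BC00")        # CALL DWORD PTR [00BC4068]
    + b"\x90" * 4
    + bytes.fromhex("BB49AA807C90FFD3")    # MOV EBX,7C80AA49 / NOP / CALL EBX
    + b"\x90" * 4
)
# Assumed IAT window for the constructed sample; both slots fall outside it.
SAMPLE_IAT = (0x00BC0000, 0x00BC1000)
# Assumed export map; the address is the one the thread's listing shows.
SAMPLE_EXPORTS = {0x7C80AA49: "kernel32.GetProcessHeap"}


def analyse(code: bytes = SAMPLE_CODE, base: int = SAMPLE_BASE,
            iat: Tuple[int, int] = SAMPLE_IAT,
            exports: Dict[int, str] = SAMPLE_EXPORTS) -> List[Hit]:
    return scan_indirect_calls(code, base, iat) + scan_mov_nop_call(code, base, exports)


if __name__ == "__main__":
    for h in analyse():
        print(f"{h.va:08X} {h.kind:13} {h.value:08X} {h.note}")
```

Run on the constructed sample it reports both indirect calls as outside the IAT and names the mov/nop/call target; on a real dump, feed it the code section bytes, the section's virtual address, and the IAT range from the PE headers, and trace each flagged call to learn the eax value that `name_protector_code` maps.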
#10
__________________
In memory of UnREal RCE...