Exetools  

#1 12-09-2004, 17:52
TmC
VIP
Join Date: Aug 2004
Posts: 328
SVKP, Armadillo or SDProtector

Hi,
Just a stupid question, but which packer do you think is the most difficult to unpack among SVKP, Armadillo and SDProtector?

I'm talking only about packing, not about registration algorithms or anything else.

Consider:

SVKP: Main packing with compression, without RSA-encrypted features
Armadillo: CopyMem + Nanomites + Code splicing, without secured sections
SDProtector: Main packing with compression, without RSA-encrypted features

Which do you think is the hardest?
#2 12-09-2004, 20:45
softworm
Friend
Join Date: Feb 2004
Posts: 43
To me, it's Armadillo.
#3 12-09-2004, 21:09
nikita@work
Posts: n/a
SDProtector, aka SoftDefender, is very simple and looks UPX-based.
#4 12-09-2004, 21:14
stephenteh
Posts: n/a
For me... Armadillo + Nanomites protection.
#5 12-09-2004, 21:24
karlss0n
Posts: n/a
Armadillo with nanomites looks like trouble, but not unbeatable.

But if you add Serial + CopyMemII, then it looks like solid stone without holes. I can't do anything with it, but I'm not a guru.
#6 12-10-2004, 02:44
MaRKuS-DJM
Cracker + Unpacker
Join Date: Aug 2003
Location: Virtual World / Network
Posts: 553
Newer Armadillos with serial can't be keygenned, and so can't be unpacked. The only way is leaked keys.
#7 12-10-2004, 05:42
Jay
VIP
Join Date: Feb 2002
Posts: 249
Quote:
Originally Posted by nikita@work
SDProtector, aka SoftDefender, is very simple and looks UPX-based.
Throw us a quick tut together then, will you?
#8 12-10-2004, 07:32
nikita@work
Posts: n/a
Quote:
Originally Posted by Jay
Throw us a quick tut together then, will you?
It will be really short.
Go to the end of the packed stream and look for code like this:
Code:
pop     edx
pushad
mov     ebx, PackedStreamSize      ; length of the compressed data
mov     esi, offset PackedStream   ; source: the compressed bytes
lea     edi, RawDataOffset         ; destination: where the raw section data goes
Just rip the decompress function (or use lzo1x from Oberhumer's UCL) and the postfilter (only if relocs are present). To decrypt the imports you will need the RC4 key from the protector's runtime context. And near the key there are the original OEP address, ImageBase, IAT address, etc.

P.S. There is an original PE header at the end of the unpacked stream. So, as I told before, it looks like a UPX-based product ;)

Last edited by nikita@work; 12-10-2004 at 07:44.
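The post above describes the rebuild steps that follow once the decompressor has been ripped: find the original PE header appended to the unpacked stream, read the OEP/ImageBase/IAT information from it, and RC4-decrypt the import data with the key taken from the protector's runtime context. The script below is an added example of those steps, not code from the post and not SDProtector's own code. It scans a buffer backwards for a valid PE32 header and RC4-decrypts a NUL-separated import-name blob; the exact layout of the stream and of the import blob are assumptions made for the demonstration, and all sample data is constructed.

```python
"""Tail-PE-header recovery and RC4 import decryption (added example; stream
layout and the NUL-separated import blob format are assumptions)."""
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA). Encrypt and decrypt are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


PE32_MAGIC = 0x10B
DIR_IMPORT, DIR_IAT = 1, 12


def find_trailing_pe_header(stream: bytes) -> dict:
    """Scan backwards from the end for an 'MZ' whose e_lfanew lands on 'PE\\0\\0'
    with a PE32 optional header; return the fields an unpacker needs."""
    pos = stream.rfind(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(stream):
            nt = pos + struct.unpack_from("<I", stream, pos + 0x3C)[0]
            opt = nt + 0x18                       # Signature(4) + FILE_HEADER(20)
            if (opt + 0x60 + 8 * 16 <= len(stream) and stream[nt:nt + 4] == b"PE\0\0"
                    and struct.unpack_from("<H", stream, opt)[0] == PE32_MAGIC):
                dirs = opt + 0x60                 # PE32 data directories start here
                return {
                    "header_offset": pos,
                    "entry_point": struct.unpack_from("<I", stream, opt + 0x10)[0],
                    "image_base": struct.unpack_from("<I", stream, opt + 0x1C)[0],
                    "import_rva": struct.unpack_from("<I", stream, dirs + 8 * DIR_IMPORT)[0],
                    "iat_rva": struct.unpack_from("<I", stream, dirs + 8 * DIR_IAT)[0],
                }
        pos = stream.rfind(b"MZ", 0, pos)         # decoy or truncated: keep scanning
    raise ValueError("no PE32 header found in stream")


def decrypt_import_names(key: bytes, blob: bytes) -> list:
    """RC4-decrypt a NUL-separated name table (assumed format)."""
    return [s.decode("ascii") for s in rc4(key, blob).split(b"\0") if s]


# ---- constructed sample data, not taken from any real protected binary ----
SAMPLE_OEP, SAMPLE_BASE, SAMPLE_IMPORT_RVA, SAMPLE_IAT_RVA = 0x1234, 0x400000, 0x5000, 0x6000
SAMPLE_KEY = b"constructed-rc4-key"
SAMPLE_IMPORT_BLOB = rc4(SAMPLE_KEY, b"kernel32.dll\0GetProcAddress\0LoadLibraryA\0")


def build_sample_stream() -> bytes:
    """Fake unpacked stream: section bytes (with a decoy 'MZ'), then a minimal
    PE32 header, then a dangling 'MZ' the scanner must reject."""
    sections = b"MZ-not-a-header" + b"\x90" * 48
    hdr = bytearray(0x40 + 4 + 20 + 0xE0)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                 # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 3, 0, 0, 0, 0xE0, 0x102)  # FILE_HEADER
    opt = 0x58
    struct.pack_into("<H", hdr, opt, PE32_MAGIC)
    struct.pack_into("<I", hdr, opt + 0x10, SAMPLE_OEP)     # AddressOfEntryPoint
    struct.pack_into("<I", hdr, opt + 0x1C, SAMPLE_BASE)    # ImageBase
    struct.pack_into("<I", hdr, opt + 0x5C, 16)             # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 0x60 + 8 * DIR_IMPORT, SAMPLE_IMPORT_RVA, 0x100)
    struct.pack_into("<II", hdr, opt + 0x60 + 8 * DIR_IAT, SAMPLE_IAT_RVA, 0x80)
    return sections + bytes(hdr) + b"MZ\0\0"


if __name__ == "__main__":
    info = find_trailing_pe_header(build_sample_stream())
    print({k: hex(v) for k, v in info.items()})
    print(decrypt_import_names(SAMPLE_KEY, SAMPLE_IMPORT_BLOB))
```

The backward scan validates each candidate (bounds, e_lfanew, signature, PE32 magic) before trusting it, because code bytes contain spurious "MZ" pairs; the data-directory offsets are those of the PE32 optional header and would differ for PE32+.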
#9 12-10-2004, 08:29
Jay
VIP
Join Date: Feb 2002
Posts: 249
Quote:
Just rip the decompress function... To decrypt imports you will need the RC4 key.

Could just be me, but I fail to see how that description of how to unpack SD can be described as simple or compared to unpacking UPX. Still, if you don't have time for a more in-depth tutorial, then too bad for us.
#10 12-10-2004, 15:23
zaratustra
Posts: n/a
Nothing is impossible. Give a dumped program what it needs; it is my philosophy.
#11 12-10-2004, 20:11
ricnar456
Friend
Join Date: May 2002
Posts: 290
Armadillo with CopyMem2

Armadillo with CopyMem2 and nanomites is not hard to unpack; it is only hard mechanical work.
If you have the correct scripts made to help you in the task, the hard work is done by your machine: you go to sleep, and when you return 90% of the work has been done automatically with injects and scripts.
I unpacked armadillo.exe (version 3.77). Making the dump takes 10 minutes with known methods; repairing the table is a little slower because finding the magic call is more difficult than in previous versions, but in 30 minutes the table is repaired and you are at the OEP with the whole table perfect.
The last task is the nanomites. The first time it is difficult, because you need to write the scripts and injects that do the work; this took me 1 or 2 days, but it has to be written only once, and for future Armadillos the hard work is already done.
Next you put the injects and scripts to work brute-forcing the original program: injecting into the nanomite routine (starting at GetThreadContext and ending at SetThreadContext), you inject the address of the first nanomite and try, for that value, the 8 flag combinations to cover all possibilities, and store the results for each nanomite and each combination of flags. In the second phase, with another script and the stored values, you determine what type of jump it is and where it jumps to, and it is ready; the last script places the correct values in the dump.
It is the better solution to the hard encryption of tables 1 to 4, which in newer versions are impossible to find and look the values up in.
With this method you only need to adjust your scripts to the new version (slight changes) and the machine works for you; you only need a little manual adjustment and the dump is running.

Ricardo Narvaja
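Ricardo's post describes a three-stage procedure: record, for each nanomite, whether the parent redirected the child under each of the 8 flag combinations; then classify each record into a jump type and destination; then write the recovered jumps into the dump. The script below is an added example of the second and third stages, not Ricardo's scripts and not Armadillo code. It assumes the 8 combinations are over CF, ZF and SF (so only Jcc that depend on those flags can be told apart), that the original instruction length at each INT3 is known (2 for short, 5 for near jmp, 6 for near Jcc), and that the dump is a flat image where file offset equals VA minus ImageBase; the per-nanomite records are constructed stand-ins for what the brute-force pass would log.

```python
# Added example (not Ricardo's scripts, not Armadillo code): turn per-nanomite
# brute-force outcomes into a concrete jump and patch it into the dump.
# Assumed: the 8 combinations are over CF, ZF, SF; instruction sizes are known.
import struct
from itertools import product

FLAGS = ("CF", "ZF", "SF")
ALL_COMBOS = [dict(zip(FLAGS, bits)) for bits in product((0, 1), repeat=len(FLAGS))]

# Conditional jumps whose condition is a function of CF/ZF/SF only:
# mnemonic -> (predicate, short opcode, second byte of the 0F-prefixed near opcode)
JCC = {
    "jb":  (lambda f: f["CF"] == 1,                  0x72, 0x82),
    "jae": (lambda f: f["CF"] == 0,                  0x73, 0x83),
    "je":  (lambda f: f["ZF"] == 1,                  0x74, 0x84),
    "jne": (lambda f: f["ZF"] == 0,                  0x75, 0x85),
    "jbe": (lambda f: f["CF"] == 1 or f["ZF"] == 1,  0x76, 0x86),
    "ja":  (lambda f: f["CF"] == 0 and f["ZF"] == 0, 0x77, 0x87),
    "js":  (lambda f: f["SF"] == 1,                  0x78, 0x88),
    "jns": (lambda f: f["SF"] == 0,                  0x79, 0x89),
}


def pattern(pred):
    """Taken/not-taken for each of the 8 flag combinations, in ALL_COMBOS order."""
    return tuple(bool(pred(f)) for f in ALL_COMBOS)


def classify(results):
    """results: {(CF, ZF, SF): taken?} as recorded for one nanomite by the
    brute-force pass. Returns 'jmp', a Jcc mnemonic, or None when the parent
    never redirected the child (the INT3 was not a jump)."""
    observed = tuple(bool(results[tuple(f[x] for x in FLAGS)]) for f in ALL_COMBOS)
    if all(observed):
        return "jmp"
    if not any(observed):
        return None
    for name, (pred, _, _) in JCC.items():
        if pattern(pred) == observed:
            return name
    raise ValueError(f"pattern {observed} matches no Jcc over {FLAGS}")


def encode_jump(kind, va, target, size):
    """Encode the jump the INT3 at `va` replaced. `size` is the length of the
    original instruction: 2 = short form, 5 = near jmp, 6 = near Jcc."""
    rel = target - (va + size)                 # displacement from the next instruction
    if size == 2:
        if not -128 <= rel <= 127:
            raise ValueError("target out of short range")
        op = 0xEB if kind == "jmp" else JCC[kind][1]
        return bytes([op]) + struct.pack("<b", rel)
    if kind == "jmp" and size == 5:
        return b"\xe9" + struct.pack("<i", rel)
    if kind != "jmp" and size == 6:
        return bytes([0x0F, JCC[kind][2]]) + struct.pack("<i", rel)
    raise ValueError(f"size {size} does not fit a {kind}")


def patch_dump(dump, image_base, nanomites):
    """Write the recovered jumps into `dump` (flat image, offset == VA - image_base,
    an assumption). Returns [(va, mnemonic or None)] as a log."""
    log = []
    for nm in nanomites:
        kind = classify(nm["results"])
        if kind is not None:
            off = nm["va"] - image_base
            assert dump[off] == 0xCC, "expected INT3 at the nanomite address"
            code = encode_jump(kind, nm["va"], nm["target"], nm["size"])
            dump[off:off + len(code)] = code
        log.append((nm["va"], kind))
    return log


# ---- constructed sample data: stand-in for what the brute-force script records ----
def results_for(pred):
    return {tuple(f[x] for x in FLAGS): bool(pred(f)) for f in ALL_COMBOS}


IMAGE_BASE = 0x400000
SAMPLE_NANOMITES = [
    {"va": 0x400010, "size": 2, "target": 0x400020, "results": results_for(JCC["je"][0])},
    {"va": 0x400030, "size": 6, "target": 0x400080, "results": results_for(JCC["ja"][0])},
    {"va": 0x400050, "size": 5, "target": 0x400008, "results": results_for(lambda f: True)},
    {"va": 0x400070, "size": 2, "target": 0x400000, "results": results_for(lambda f: False)},
]


def rebuild_sample():
    """Dump of NOPs with an INT3 at each nanomite; returns (patched dump, log)."""
    dump = bytearray(b"\x90" * 0x100)
    for nm in SAMPLE_NANOMITES:
        dump[nm["va"] - IMAGE_BASE] = 0xCC
    return dump, patch_dump(dump, IMAGE_BASE, SAMPLE_NANOMITES)


if __name__ == "__main__":
    dump, log = rebuild_sample()
    for va, kind in log:
        print(f"{va:08x}: {kind or 'left as INT3 (never taken)'}")
```

A nanomite that is never taken under any combination is left as INT3 rather than patched, since the record gives no destination for it; a pattern that matches no predicate raises, which is the signal that the brute-force pass needs to cover more flags (OF and PF for the signed and parity conditions) than the three assumed here.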
#12 12-10-2004, 20:14
ricnar456
Friend
Join Date: May 2002
Posts: 290
SoftDefender

SoftDefender is very easy to unpack; it only works with times.

If you look at the API GetTickCount, the program takes the time, but at some moment it compares the time with a previous time and decides whether to create the second process or not.
In this way, altering only one jump or playing with the times, you can run in single-process mode, and the unpack is very easy.

Armadillo is much more difficult, obviously.

Ricardo
#13 12-10-2004, 21:01
iwill
Posts: n/a
Ricardo
Quote:
If you look at the API GetTickCount, the program takes the time, but at some moment it compares the time with a previous time and decides whether to create the second process or not.
In this way, altering only one jump or playing with the times, you can run in single-process mode, and the unpack is very easy.

Armadillo is much more difficult, obviously.
Have you ever tried the latest version, SDProtector 1.16? It's not as easy as you said; Soft Defender is just a very old version of SDProtector. It seems the author has already switched to SDProtector and given up Soft Defender.
#14 12-10-2004, 21:25
nikita@work
Posts: n/a
Quote:
Originally Posted by iwill
Have you ever tried the latest version, SDProtector 1.16? It's not as easy as you said; Soft Defender is just a very old version of SDProtector. It seems the author has already switched to SDProtector and given up Soft Defender.
Very interesting. Can you provide the setup or a sample?
#15 12-10-2004, 21:58
ricnar456
Friend
Join Date: May 2002
Posts: 290
I have an old tut

It is based on old SoftDefender, with the non-registered version, but I think the idea for making one single process is the same in SDPro. I don't know if everything is exactly the same in the last version; when I look, I will add the newer additions, but I think the idea can help others. Here are the tuts on SoftDefender.

Ricardo Narvaja
All times are GMT +8.