Manually unpacking AntiCrack Protector 1.0x

Monday, February 07 2005 @ 08:29 PM CET

Contributed by: KaGra

Manually unpacking this packer with OllyDbg, and IAT reconstruction with ImpRec.
This one has some catchy anti-debugging tricks aboard ;)

************* AntiCrack Protector 1.0x Manually unpack tutorial by KaGra *****************

Hello to all my readerz. Well, since I have seen no unpack tutorial for this
protector I decided to make one. The zip containz the packed and the unpacked
files. This is not a hard protector at all, and I don't know why no tutor
exists till now. Let us begin...

Toolz used: Olly v1.10, OllyDump plugin, HideOlly plugin, ImpRec v1.6f

Ok, I used the Hide plugin to hide Olly from the IsDebuggerPresent API, which
is used as an anti-debugging "trick". So, use this plugin to avoid having to set
breakpoints on that API constantly.

Open the target exe and load it into Olly. If any messages appear press OK
and Yes. Those messages inform U that Olly has guessed that maybe the target
is packed, and ask whether to continue the analysis. So U are at the EP (Entry Point):

0050F000 > $ 60 PUSHAD
0050F001 . F8 CLC
0050F002 . F8 CLC
0050F003 . 4F DEC EDI
0050F004 . 87CF XCHG EDI,ECX
0050F006 . 66:B9 7F55 MOV CX,557F
0050F00A . 7E 03 JLE SHORT ColorPic.0050F00F
0050F00C . 7F 01 JG SHORT ColorPic.0050F00F
0050F00E . 7B 75 JPO SHORT ColorPic.0050F085
0050F010 01 DB 01
0050F011 F9 DB F9
0050F012 7C DB 7C ; CHAR '|'
0050F013 03 DB 03

Now make sure that U don't have any hardware, memory, software or other breakpoints set,
because this packer will find them and will stop the execution of the program if U
start executing it. Make also sure that the only exceptions checked in
Debugging Options are "Ignore memory access violations in kernel32" and "INT3 breaks". Well, I
figured out this combination of checked exceptions while trying to unpack it, do not break your
mind with that. Now press Shift+F9, an exception occurs, continue with Shift+F9. Shit!
The application terminates, and killz Olly also. Well, this is an anti-debugging trick
that uses three APIs: with CreateToolhelp32Snapshot it creates a list with the current
handles of the running processes. With Process32First it takes the first handle and
takes the rest using Process32Next. After taking all those handles, the prog has
hardcoded (well, actually created during runtime) some names of debuggerz and unprotectorz,
including Olly'z name (OLLYDBG.exe). It searches again, using those APIs, for a process
named OLLYDBG (and others), and compares its handle with that of its own running parent. If it is the
same, it terminates and terminates Olly. If one of the running processes is also a
"bad" program, it may terminate it. So what will we do?

We will change the code of the CreateToolhelp32Snapshot API to return
immediately using a RET opcode. Have also in mind that we cannot place any breakpoints
at the first opcode of any API (meaning that U cannot double-click on the API's name in
"Search for name in all modules" and place a breakpoint at the first opcode, and also do
not place one using the command line plugin like: bp CreateToolhelp32Snapshot). This is because
the protector, just before calling an API, checks its first opcode. If it finds a CC
instruction there (which is the software breakpoint that is set using e.g. "bp CreateToolhelp32Snapshot"),
it terminates. For this, it just uses commands of this kind:

MOV AL,BYTE PTR DS:[XXXXXXXX] <--- XXXXXXXX is the address of the API (its first opcode)
CMP AL,0CC                    <--- CC is the INT3 opcode a software breakpoint leaves behind

So, load the target again. Do not run yet. In the code section, right click and "Search for name in all
modules". Find the CreateToolhelp32Snapshot API and double click on it. U are at its code, HeRe:

77E92ED1 > 55 PUSH EBP
77E92ED4 83EC 0C SUB ESP,0C
77E92ED7 56 PUSH ESI
77E92EDD 0F84 3FE60000 JE kernel32.77EA1522

Look a little further down, till the RETN where the code of the API ends. This is HeRe:

77E92F2A 56 PUSH ESI
77E92F2E E8 12000000 CALL kernel32.77E92F45
77E92F35 85F6 TEST ESI,ESI
77E92F37 0F8C F4E50000 JL kernel32.77EA1531
77E92F40 5E POP ESI
77E92F41 C9 LEAVE
77E92F42 C2 0800 RETN 8

Ok, it ends with a RETN 8. So, go to 77E92ED2 (right after the PUSH EBP, which stays) and enter the following new commands:

77E92ED1 > 55 PUSH EBP
77E92ED2 5D POP EBP
77E92ED3 33C0 XOR EAX,EAX
77E92ED5 C2 0800 RETN 8

The POP instruction is to restore the stack as it was before the PUSH EBP, the XOR makes EAX=0
and is used as a flag by the program to continue the execution without crashing (because
it will think that there are no other processes running at that time, nothing bad actually),
and the RETN 8 returns to the calling code. So, now no processes are taken, no Olly detection.
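To make the two points above concrete (the protector's first-opcode check, and why the patch must be POP EBP / XOR EAX,EAX / RETN 8 rather than just a RET), here is an added Python example that is not part of the original tutorial or of any tool it mentions. It assembles the stub bytes by hand from the listing, runs them through a toy interpreter that knows only those four opcodes, and checks that a stdcall caller that pushed two arguments gets back EAX=0 with its stack balanced. The caller addresses and stack values are constructed; only the opcode bytes come from the listing.

```python
import struct

# Bytes of the tutorial's patch written over the start of CreateToolhelp32Snapshot,
# assembled by hand from the listing: PUSH EBP / POP EBP / XOR EAX,EAX / RETN 8.
PATCH_STUB = bytes([0x55, 0x5D, 0x33, 0xC0, 0xC2, 0x08, 0x00])

INT3 = 0xCC


def first_byte_is_int3(code: bytes, offset: int = 0) -> bool:
    """The protector's check: is the first opcode of the API a software breakpoint?"""
    return code[offset] == INT3


def run_stub(code: bytes, esp: int, ebp: int, stack: dict) -> dict:
    """Toy x86 interpreter that only knows the four opcodes in the stub.

    `stack` maps dword-aligned addresses to 32-bit values. Returns the register
    state at the moment RETN transfers control back to the caller.
    """
    eip = 0
    eax = 0xDEADBEEF  # whatever the caller left in EAX; the stub must zero it
    while True:
        op = code[eip]
        if op == 0x55:                                  # PUSH EBP
            esp -= 4
            stack[esp] = ebp
            eip += 1
        elif op == 0x5D:                                # POP EBP
            ebp = stack[esp]
            esp += 4
            eip += 1
        elif op == 0x33 and code[eip + 1] == 0xC0:      # XOR EAX,EAX
            eax = 0
            eip += 2
        elif op == 0xC2:                                # RETN imm16
            imm = struct.unpack_from("<H", code, eip + 1)[0]
            return_to = stack[esp]
            esp += 4 + imm   # pop the return address, then discard imm bytes of arguments
            return {"eax": eax, "esp": esp, "ebp": ebp, "return_to": return_to}
        elif op == INT3:
            raise RuntimeError("INT3 reached: a breakpoint was left on the API")
        else:
            raise NotImplementedError(f"opcode {op:#x} not handled by this toy interpreter")


def simulate_stdcall(code: bytes, args: list, esp: int = 0x0012FF80, ebp: int = 0x0012FFC0) -> dict:
    """Emulate a caller doing PUSH arg_n .. PUSH arg_1 ; CALL api, then run the stub.

    Also records the caller's ESP from before the arguments were pushed, so a
    check can confirm that RETN 8 cleaned up exactly the two DWORD arguments.
    """
    stack = {}
    esp_before_args = esp
    for value in reversed(args):          # stdcall pushes right-to-left
        esp -= 4
        stack[esp] = value
    return_address = 0x00401234           # constructed: where the CALL came from
    esp -= 4
    stack[esp] = return_address           # CALL pushes the return address
    result = run_stub(code, esp, ebp, stack)
    result["esp_before_args"] = esp_before_args
    result["ebp_before_call"] = ebp
    result["return_address"] = return_address
    return result


if __name__ == "__main__":
    # CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS = 2, th32ProcessID = 0)
    r = simulate_stdcall(PATCH_STUB, [0x2, 0x0])
    print(f"EAX={r['eax']:#x} ESP={r['esp']:#x} (caller had {r['esp_before_args']:#x}) "
          f"EBP={r['ebp']:#x} returns to {r['return_to']:#x}")
    print("first byte is INT3:", first_byte_is_int3(PATCH_STUB))
```

The balanced ESP is the reason the stub ends in RETN 8 and not a plain RET: the API is stdcall with two DWORD parameters, so the callee owns the cleanup, and a stub that returned without popping them would leave the caller's stack shifted by 8 bytes. The first byte of the stub is 55 (PUSH EBP), so the protector's CC check passes; replacing it with a breakpoint makes the same interpreter raise, which is the condition the text describes.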

Press Shift+F9 (if exceptions occur, again Shift+F9) and the prog runz just fine under Olly.
Now reload it into Olly, do all the anti-tracing things we said and press Shift+F9 one time.
Olly breaks for an access violation exception. Now press the "M" button and see the contents
of memory. Right click on the code section (named .text) and set a memory breakpoint on access. Now
one more time Shift+F9, Olly pauses and U see garbage. Right click->Analysis->Analyze code and
we are actually at the OEP, HeRe:

0041A4C9 . 68 28F34300 PUSH ColorPic.0043F328
0041A4CE . 68 58DC4100 PUSH ColorPic.0041DC58 ; SE handler installation
0041A4D3 . 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0041A4D9 . 50 PUSH EAX
0041A4DA . 64:8925 000000>MOV DWORD PTR FS:[0],ESP
0041A4E1 . 83EC 58 SUB ESP,58
0041A4E4 . 53 PUSH EBX
0041A4E5 . 56 PUSH ESI
0041A4E6 . 57 PUSH EDI
0041A4E7 . 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
0041A4EA . FF15 50B24300 CALL DWORD PTR DS:[43B250] ; kernel32.GetVersion

Remove the memory breakpoint now and dump the exe using the OllyDump plugin, without having checked
the Import rebuilding option. Do not close Olly. Now open ImpRec and enter as OEP the
value (OEP as it appearz)-(ImageBase)=0041A4C9-00400000=1A4C9. Now IAT AutoSearch and Get
Imports. Now Show Invalid. We have one invalid thunk. Try the tracing levelz, none of them validates the
thunk. Well, most of the tutorz out there would now just say "now cut the invalid thunks etc".
But if U cut the thunk as invalid, the exe will not work. Why? Because this pointer that is
unresolved (in my case it is 5124DB) and should properly have pointed at an API is just pointing
to a memory address where code of the exe is. This code of the exe has been dumped with
OllyDump, and may have been part of the protector, but now is part of the exe. By cutting this
thunk we prevent this necessary code from being executed, although it has nothing to do with
APIs. And where is the API that should properly have been pointed to here? Well, as there is
no other invalid thunk, it may be one of the valid ones and has just been replaced (moved) to
another place (another pointer). Anyway, now Fix Dump and it will tell U that there are still
unresolved pointers. Well, not really. Run the fixed exe and... yeap, it's unpacked!
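The two bookkeeping steps in this paragraph, turning the OEP into an RVA for the dump's header and deciding what a "thunk" value actually points at, are shown below as an added Python example that is not part of the original tutorial and not how OllyDump or ImpRec are implemented. It builds a constructed PE32 header skeleton (ImageBase 00400000 and the packer EP 0050F000 from the listings; SizeOfImage 120000 is made up), rewrites AddressOfEntryPoint from the OEP 0041A4C9, and classifies the unresolved value 5124DB against a constructed export map.

```python
import struct

PE32_MAGIC = 0x10B


def build_minimal_pe(image_base: int, entry_rva: int, size_of_image: int) -> bytearray:
    """Constructed PE32 header skeleton: DOS header, PE signature, COFF header and
    optional header. Enough for the fields below to be read and patched; no sections."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)  # i386, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)         # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)        # ImageBase
    struct.pack_into("<I", opt, 56, size_of_image)     # SizeOfImage
    return dos + b"PE\0\0" + coff + opt


def _optional_header_offset(pe: bytes) -> int:
    """Locate the optional header, refusing anything that is not a PE32 image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                            # signature + COFF header
    if struct.unpack_from("<H", pe, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 is handled here")
    return opt


def get_image_base(pe: bytes) -> int:
    return struct.unpack_from("<I", pe, _optional_header_offset(pe) + 28)[0]


def get_size_of_image(pe: bytes) -> int:
    return struct.unpack_from("<I", pe, _optional_header_offset(pe) + 56)[0]


def get_entry_point_rva(pe: bytes) -> int:
    return struct.unpack_from("<I", pe, _optional_header_offset(pe) + 16)[0]


def oep_rva(oep_va: int, image_base: int) -> int:
    """The value ImpRec asks for: OEP as shown in the debugger minus ImageBase."""
    if oep_va < image_base:
        raise ValueError("OEP lies below ImageBase")
    return oep_va - image_base


def set_entry_point(pe: bytes, oep_va: int) -> bytes:
    """Rewrite AddressOfEntryPoint of a dumped image so it starts at the real OEP."""
    pe = bytearray(pe)
    opt = _optional_header_offset(pe)
    rva = oep_rva(oep_va, get_image_base(pe))
    if rva >= get_size_of_image(pe):
        raise ValueError("OEP lies outside the image")
    struct.pack_into("<I", pe, opt + 16, rva)
    return bytes(pe)


def classify_thunk(value: int, image_base: int, size_of_image: int, exports: dict) -> str:
    """Say what an IAT slot points at: a known export, the dumped image itself, or nothing known.
    A slot pointing inside the image is 'invalid' as an import but may still be code the
    program needs, which is why the tutorial keeps it instead of cutting it."""
    if value in exports:
        return "api:" + exports[value]
    if image_base <= value < image_base + size_of_image:
        return "inside-image"
    return "unknown"


if __name__ == "__main__":
    pe = build_minimal_pe(0x00400000, 0x0010F000, 0x00120000)   # packer EP 0050F000 -> RVA 10F000
    fixed = set_entry_point(pe, 0x0041A4C9)
    print(f"entry point RVA: {get_entry_point_rva(pe):#x} -> {get_entry_point_rva(fixed):#x}")
    exports = {0x77E92ED1: "kernel32.CreateToolhelp32Snapshot"}  # constructed export map
    for slot in (0x77E92ED1, 0x005124DB, 0x12345678):
        print(f"{slot:#010x}: {classify_thunk(slot, 0x00400000, 0x00120000, exports)}")
```

The classification is the check worth doing before trusting a tool's "cut invalid thunks" button: a slot holding an address inside the dumped image is not an import, but cutting it removes whatever the packer's stub left there, which in this sample is code the program still runs.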

This was it, U riderz of the StorM. Drink some VoDka for me also in the next tutor...

Thankz to: ???