Hallo,hallo.Nice talking with U again.Well,this time the victim is SDprotector.
Well,here I followed a little different approach to unpack this protector.What
I mean?HeRe it Comes...
Tools Used: Olly v1.10 and ImpRec v1.6f,Ollydump Plug,HideOlly Plug (I will not refer to it)
Well,I have checked all the Options of protection in SDprotector and protected the file.Those
options are in Options->Left part of the screen.I didn't touch anything else.
Load the exe target in Olly.In debugging options,check them all so that the execution
of the programm will not be interrupted by any exception (and then ask U to press Shift+F9
or Shift+F8 or Shift+F7 to continue).Run the exe.A messagebox appearz saying that debugger is
detected.Well it is hard to find what exactly protection against debugger this may has.
I found out that it detects a debbuger using CreateToolHelp32Snapshot to find out what windows
are open and compere them with a default string list (in the list is also Olly).It also uses
SetUnhandledException filter to find the debugger,but I really tried hard to find out how the
exception occured after the calling of this API.But I didnt find it.So I thought this:Why just
run the exe,not under Olly,and then just attach to the process?
Well,let's do so.I run the exe,a messagebox appears saying something of a demo version of
the packer (don't worry,the features we enabled for protecting this file work),and then the
screenbox of the exe process appears.Now,open Olly.Before U attach,a messagebox appears saying
that a debugger is detected,and closes the debugger.Run the exe again,and open LordPE to dump it.
Before U ever try to dump,it closes LordPE and exits.What is going on?
Well,it can't be using SetUnhandledExceptionFiler or any other kind of exception trick,because
it is not being debugged.So,the only thing that comes in my mind is that it has hardcoded
strings refering to processes or Window handles.It also has a loop that checks all the
running processes and windows handles with those strings,althought it is supposed to be
in the original exe's code section.Well,it is but the packer has given him some extra code
and this code still remains and makes this security check loop,althought we have passed the
And my quess is true.Rename LordPE.exe to something else.Run the exe.Now run the renamed
LordPE.It does not closes LordPE.So,do the same with Olly.Damn,it still closes her.Well,this
happens because Olly has inside her .data and .edata section strings that start with "Olly"
chars,and all those are hardcoded in the security loop that I mentioned before.So,open Olly,and
load Olly (yes,U hear right) in the first Olly.Click the "M" button and see the section of the
loaded Olly,in first Olly:
Address Size Owner Section Contains Type Access Initial Mapped as
00400000 00001000 OLLYDBG PE header Imag R RWE
00401000 000AF000 OLLYDBG .text code Imag R RWE
004B0000 0005B000 OLLYDBG .data data Imag R RWE
0050B000 00001000 OLLYDBG .tls Imag R RWE
0050C000 00001000 OLLYDBG .rdata Imag R RWE
0050D000 00002000 OLLYDBG .idata imports Imag R RWE
0050F000 00002000 OLLYDBG .edata exports Imag R RWE
00511000 00036000 OLLYDBG .rsrc resources Imag R RWE
00547000 0000C000 OLLYDBG .reloc relocations Imag R RWE
Go to the .idata section and search for the string Olly,withought having the case sensitive
checked.U find this:
Change ollydbg.exe to something else eg. fffffff.exe.Search again in this section.
We are lucky,because it is found just once.Go to the .data section and search again
for the same string.Damn,here the string exists in many places.Well,change all the
words that have this string inside them.
When done,dump with OllyDump the process,without checking the Import Rebuild Option on.
Well,Olly is now patched.Rename the dumped to anything that has not the string Olly in it.Now,
run the protected exe again till the main window of the crackme appearz.Now,run the dumped
new patched Olly.Wait a little (some seconds).
Well,it dooesn't detect Olly!Well,if in this part U have done something wrong,or make
something wrong in the following steps,next time will detect Olly,and U will need to change
the patched strings ALL to something else,again.I think that the protected exe,if once find
an exe string signature that may be a possible debugger or any other "hostile" program for
it,it put it somewhere (registry,memory,I don't know) and rembers it.So,just do the patch right
and follow every single instruction of the next linez.But there are pacthes that will patch Olly
against this protected exe once and for all.Such a patch is putting Fh 's in all strings that will
be replaced.I don't really know why this string makes this good thing for us,but it works.So,patch Olly
with Fh 's where U should patch (Hey,Fh ascii not chars!).
Now,in patched Olly that is running,check all the options of exceptions in Debugger Options,and in
option of Ignore also following custom exceptions should be nothing.
Now select the process of the protected exe that runs and attach to it.Do not open any other window
becuase the protected exe may detect Olly.Just the Debugging options and then the attach window.U are
Now,press the "M" button and set a memory breakpoint on access in .text section.In this section
is the original code of the protected exe.Go to your clock and change the hour.Make it one hour
less or one hour more.This is done,because changing it we stop the loop of the anti-debugging feature
that the running protected exe has.It seems that this loop checks periodicall the hour-mins-secs and
then performs the detection of debugger check.Really nasty,I made 2 hours to understand this!Now press
F9 to run the process.The debugger pauses at the breakpoint we have just set,HeRe:
If u hadn't check the time of your clock,an exception that could not be handled would occur,and
after some tracing U would have made (u cann't stay in a place forever!) the exe would have traced
Olly and exit.If u fail and try again,change accordinglt the time clock every time U try.
Yes,we are at the unpacked,original code of the exe.But where is the OEP?As U will know,we have
passed the OEP becuase we run the exe before patched Olly.But,becuase the exe is just appearing
a screen that asks for a Name and Registration code,it is in a loop,and not far "after" the OEP,
because no basic routine has been executed,that will make the flow of the programm to go much away
from the OEP.Now,we are at 0040111B paused.Just check a few lines up.We see this place:
Good place for an entry point,because we see a call at GetModuleHandleA (many progs need the
return value from such an API call,and call it some opcodes after the OEP) and we don't see any
other API calls of any kind before the opcode at 004010C2 (and generally,after the OEP API calls
like GetVersion,GetModuleHandleA,LoadLibrary or GetCommandLineA follow.).U may say,why could it
be not an earlier?Well,I tried and after the IAT rebuilding (that will follow) I couldn't make it
work.Eventually the OEP is 004010C2.In some other cases,when an exe is compiled with a
language compiler eg. C++,at the OEP arefour to five opcodes that are the same for every
produced with the same compiler exe.So,after landing at a place of code after the attach and
dump,the OEP cannot be far away,since not many opcode sequences like these exist from the place
we landed,and near it.Anyway,have in mind that it is NOT ALWAYS necessary to land exactly at
OEP,in order for the dump to work.We just say that OEP is the most ideal place,becuase all sections
are intact,nice and clean (and not changed by self-modifications or of modifications that happen during
runtime,between the exe in memory and other processes,or by itself).Remove the memory breakpoint.
Before dumping,right click in all section that u see in tha patched Olly (and PEheader as well) and
set access->Full access.This is done becuase during unpacking,the protector has protected the
access of those memory locations using probably VirtualProtect API's,and if we try to dump the
dumper will fail,or may create a false dump.Also,ImpreC will not be able to read the process from
memory,meaning the data that are contained and to be used,in order to fix the Imports (u can check
Now,dump the exe with OllyDump,without having checked the IMport Rebuilding,and as an OEP the
value of (OEP as seen in addressing)-Imagebase=004010C2-00400000=10C2.We now have the dump.
For the rebuilding part we will do everything without executing anything in Olly,just seing the code,
because we cannot put any software or hardware breakpoints,the packer detects them all.But don't
mind,because code at that time is not self-modified any more and the mem locations that we will
need contain hard-coded bytes,so no need to run it in Olly actually.Just using Olly as
a Dasm.OpenImpRec and put as OEP the value 10C2.Now IAT autosearch and Get Imports.
Now press Show invalid.We have many invalid.Select one invalid and right click in
it->Disassemble.What we see here is that in the place where the code of a valid API
should have been,are instructions that generate the call to that API.So the only thing
we have to do for all those invalids,is to follow in debugger this codes and
see where they finally jamp,at API's.We will know that we are for the first time in
API's code,because the address of the first opcode will be (and all those who follow and
are in the API!) in 7XXXXXXX format.Then,just a search in all module names in Olly will reveal
which API has as starting address this value,and we can identify this API.Then,we will manually
put the name of that API at the invalid thunk.
But how are we going to follow all those invlid thunks?We,check the Disassm of one invalid,eg
Well,all code till 00143BB5 is junk code,to confuse the reverser.So at 00143BB5 moves a value at
EAX,then a PUSHFD (junk opcode also,don't care about this) and at 00143BBB subtract 4BE4DE32 and
in EAX=77D43DFA.Then,the POPFD of junk,and we jamp at 77D43DFA.What API is there?Look in Olly
in Search for all module names and this API is TransLateMessage.So,in ImpRec,invalidate the thunk and
double click on it,and select from user32.dll the TransLateMessage API.Now again show invalid.Good,we
reduced invalids to one.As u can see,by this way we can fix all the invalid thunks.Do the same thing
for every invalid then.But there is one thunk that has not a Push eax-retn that jamps at an API.This
is thunk 468AB3.Well,in Olly go at 468AB3.U see this:
The call at 00468AE8 goes to the API.All till here is junk code.So in Olly go now at
0046CAAA and we are HeRe:
0046CAAA E8 01000000 CALL sdprotec.0046CAB0
0046CAAF FF58 05 CALL FAR FWORD PTR DS:[EAX+5] ; Far call
0046CAB2 C9 LEAVE
0046CAB3 0A00 OR AL,BYTE PTR DS:[EAX]
0046CAB5 008B 008038CC ADD BYTE PTR DS:[EBX+CC388000],CL
0046CABB 74 0A JE SHORT sdprotec.0046CAC7
0046CABD 50 PUSH EAX
0046CABE C3 RETN
It jamps at 0046CAB0.We cannot see the opcode of that,because it is mixed.So just go at
0046CAB0 and u see that:
0046CAB0 58 POP EAX
0046CAB1 05 C90A0000 ADD EAX,0AC9
0046CAB6 8B00 MOV EAX,DWORD PTR DS:[EAX]
0046CAB8 8038 CC CMP BYTE PTR DS:[EAX],0CC
0046CABB 74 0A JE SHORT sdprotec.0046CAC7
0046CABD 50 PUSH EAX
0046CABE C3 RETN
Well at 0046CABE jamps at the good API we are looking for.So,at 0046CAB0, EAX=0046CAAF
because of the call at 0046CAAA (so stack has return address 0046CAAA ),then adds
the value of 0AC9 so eax is now 0046D578.Now at [EAX] is the API address to fix this thunk.A
small trick that seeks for a software breakpoint there and then a PUSH EAX-RETN and we jamp there.
What is in [EAX]?Well,go at 0046D578 and U see that:
0046D578 76 64 JBE SHORT sdprotec.0046D5DE
0046D57A D6 SALC
0046D57B ^77 E3 JA SHORT sdprotec.0046D560
0046D57D A6 CMPS BYTE PTR DS:[ESI],BYTE PTR ES:[EDI]
0046D57E D4 77 AAM 77
We are interested for the first four bytes in reverse,which give us the address of
77D66476h.I look in Olly,and this is API MessageBoxA.Then,I give this name to out final
invalid API thunk.Now press show invalid,no invalids.Fix dump now.
Run the fixed exe and...Yeeeaaahh!!!Last version of the so called SDprotector defeated!!!
Well,this was a hard protector.Took me at least 6 hours,including writing this tutor.This
is one contribution to all of U,that are really interested to see how other people think,
including the makers of this packer...
I can hear a voice in my mind...time to talk to it...