Hi folks and welcome to new unpacking tutorial! Today we will see how can Thinstall with double process protection be easily unpacked. I was losing my nerves with this one, but after some time I realised that protection can be tricked with cheap trick. There is one tutorial for single process Thinstall on ARTEAM site http://cracking.accessroot.com/ written by MaDMAn_H3rCul3s which was helpfull to me, so you can also check that tutorial too.
Target for this tutorial was taken from Teddy Rogers site who has nice collection of unpackmes for practice and fun http://tuts4you.com. Also, since I'm using his unpackme archive, this tutorial can be published on his site too.
2. Killing Debug Blocker and finding OEP
As I sad, thinstall has double process protection which is acting like debug blocker feature and it doesn't alowes us to debug process of unpacking. Thinstall own debugger (first process) is creating second process, a debugee, and that second proces is performing unpacking. We need to debug that process instead first one. I was busting my ass trying to figure out how to god damn detach processes, but thanks to my pathetic knowledge about debugging I couldn't find the way. But I was thinking a little; since thinstall can be single protection too, maybe there is way to force double process protection to single one? I was examning this thinstall target and notice that debugger process doesn't use ReadProcessMemory and WriteProcessMemory api's, so debugger proces is just for preventing debugging and it doesn't do anything else. Second process is one that is doing all job. And I found easy way to force thinstal to think that it is single process protection. Lets go :)
First, use some plugin to hide Olly from IsDebuggerPresent API because thinstall checks this one million times. Open target in Olly and place breakpoint on CreateProcessA. Run target and when you break in kernel return to user code. You will find your self in double process protection loop. Bellow snippet is that whole block of code. You can see that we are in some allocated memory block. Since we are in CreateProcessA part, double process protection has already started. What we need is to break before that API is called. Place hardware bp on execution on this first line below and reastart Olly. Run and you should break at start:
7FF8600A PUSH EBP <-------------------- START!!! Place hw bp on execution here and resart to break!!!
7FF8600B MOV EBP,ESP
7FF8600D SUB ESP,0E0
When you stop at hw bp, remove it and we can go to fooling thinstall. Check this part imidiatley below our bp:
7FF86047 CALL DWORD PTR DS:[7FF9709C] ; kernel32.GetVersionExA
7FF8604D MOV EAX,DWORD PTR DS:[7FFA69AC]
7FF86052 AND EAX,2000000
7FF86057 TEST EAX,EAX
7FF86059 JE 7FF86212
Here protector calls GetVersionExA to check does our system sopports something. It seams that it checks does system support IsDebuggerPresent API. That API is supported only by NT windows family. It seams that thinstall can have double process only on NT computers !?! Anyway, to trick thinstall, change JE to JMP or change Z flag to 1. This way jump will be executed and it will jump across whole double protection procedure, here:
Ok, debug blocker is killed and we have to find OEP now. I sow this part in MaDMAn_H3rCul3s tutorial. Just search all string references and find this string
ASCII "APISPY: Calling EXE Entry Point %x
Double click on it and you will land:
7FF52C50 PUSH 7FF97660 ; ASCII "APISPY: Calling EXE Entry Point %x
7FF52C55 CALL 7FF54550
7FF52C5A POP ECX
7FF52C5B POP ECX
7FF52C5C CALL DWORD PTR SS:[EBP-3B8] <------------ Place bp here and run!!!
Place bp on that CALL below because that is OEp of packed program. Run and enter call:
As you can see, some of them do not lead to API's. Thinstall has some kind of redirection/emulation. Altough in MaDMAn_H3rCul3s tutorial imports was easy to fix, here is that problem harder. Open ImpREC and find imports. You will see that there is some invalid ones (13 in this case). First, DO NOT USE "Trace level 1" option in ImpREC, or any other! You will get incorrect imports! I have traced like lunatic through protector code in hope that I will found where imports are written, but my memory and hardware breakpoints was ignored and I just couldn't find redirection algo. That means we will have to manually fix imports. Not really manually, ImpREC and Olly will help us, but this approach will take some time.
This part reminds me to armadillo's redirection. Let's take a look. Check this jump in Olly:
004016FC JMP DWORD PTR DS:[4050B0]
Select it with left click and press ENTER to follow it in disassembler:
This is not simple, isn't it :) Ha, there is lot of API calls here, but which one is right one !?! Check this:
ntdll.RtlGetLastWin32Error <-------- Forget these ones ntdll.dll. Their purpose is for some internal usage.
kernel32.DeleteFileA <-------------- It could be this one.
kernel32.CloseHandle <-------------- Or it could be this one.
So it could be DeleteFileA or CloseHandle. But again, thinstall will help us. Check these strings:
These strings are telling you that CloseHandle is API that is stolen. As you can see, it is not easy and you will spend some time. But notice that right API is always close to RETN than others, ntdll.dll ones are for internal usage of protector and text strings will give you help. And finally, you can always run file after fixing and check in stack do they have right parameters.
In Olly you will check that you didn't make something wrong, but for repairing these imports use ImpREC. When you find IAT, click to show invalid one, than on one-by-one right click on each and select Disassemble/Hex view. There you will see same disassmebler view as in olly (only without strings) and when you see API that you think it is right one, right click on name and in popup menu click "Get Import". API's that I found from the beggining to the end are:
That's it, lucky that unpackme is small. For larger number of imports we could try to make some script or more generic approach.
I was going to dump file with LordPE but I get error message "Couldn't grab process memory :(", then I swiched to Intelli's engine but after fixing imports dump would just exit and also it lost icon. So I dumped it with OllyDump, fixed imports with ImpREC and dump worked fine.
4. Finall words
That's it :) ! We have unpacked double process Thinstall and it even wasn't so hard.
If somedy figure out how to fix imports with elegant patching, it would be nice thing to write small update for this tutorial. Btw, it is interesting how protected file has only one section.
In archive you will find target, dump, tutorial, and tree for ImpREC so you can check your dump.
Greets goes to detten, knight, thorpe, TDC, boro... all biw users, arteam and crackmes.de members. Thanks to MaDMAn_H3rCul3s for his tutorial and Teddy Rogers for his great site with unpackmes.