BiW Reversing
Anticrack Software Protector Pro v1.35 - manually unpacking
Authored by: haggar on Tuesday, September 13 2005 @ 09:34 PM CEST
Hi, this is a small update for this tutorial.

I didn't explain code redirecting because I didn't have problems with it and because I was so damn tired to examine it better, but I must say a couple more words about it. There are two ways of code replacing. Both ways substitute some original code with calls to the protector's .perplex section. The difference is that in the first way, there is some execution there and then a return to the target section, but the second way of redirection is different.

In the second redirection, you will jump to the protector's section, but there you will find a whole table of jumps that leads to some allocated place in memory. For example (from one shareware program), that jump table looks like this:

007570F5 -FF25 08D01400 JMP DWORD PTR DS:[14D008]
007570FB -FF25 0CD01400 JMP DWORD PTR DS:[14D00C]
...
there can be hundreds of jumps here
...
00758859 -FF25 A0DF1400 JMP DWORD PTR DS:[14DFA0]
0075885F -FF25 A4DF1400 JMP DWORD PTR DS:[14DFA4]

All those jumps point to some other code that also looks like some table. I'm following the first jump:

0014DFA8 8B7E 0C MOV EDI,DWORD PTR DS:[ESI+C]
0014DFAB 03FB ADD EDI,EBX ; videofix.004EDF08
0014DFAD C3 RETN
0014DFAE 8916 MOV DWORD PTR DS:[ESI],EDX
0014DFB0 8B50 04 MOV EDX,DWORD PTR DS:[EAX+4] ; videofix.004EDF10
0014DFB3 C3 RETN
...
hundreds of similar code patterns
...
0014F706 8B4F 44 MOV ECX,DWORD PTR DS:[EDI+44]
0014F709 8BD3 MOV EDX,EBX ; videofix.004EDF08
0014F70B C3 RETN
0014F70C 8B56 44 MOV EDX,DWORD PTR DS:[ESI+44]
0014F70F 2BD0 SUB EDX,EAX ; videofix.004EDF08
0014F711 C3 RETN

Although at first look this is a very hard problem to solve, it can be fixed very easily. The thing is that the first jump points to the first code pattern, the second jump to the second, ... and the last jump to the last pattern. Also, notice that the JMP DWORD instruction that throws you to the code pattern has the same number of bytes as the pattern itself, six bytes, and that is the rule for all jumps/patterns. So, here is the big trick ;), you can just binary copy-paste the whole table of code patterns from the allocated block to replace that table of jumps. It will work perfectly. And that's it :)


Of course, this tutorial is far from complete and there should be more research on this subject, but I doubt that I will soon lay my hands on this protector.

Regards, and if you have some comments, questions or suggestions, just ask.
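The jump-table repair described in the comment above, as an added example that is not haggar's code and not part of the original post. It models process memory with a small flat-memory class and a constructed sample layout that reuses the addresses from the listing as sample values (jump stubs at 007570F5, pointer slots at 0014D008, patterns at 0014DFA8); the three 6-byte patterns are the ones shown in the listing. The walker follows each FF25 stub through its pointer slot to the pattern, checks the two invariants the comment relies on (each pattern is 6 bytes ending in RETN, and the patterns are laid out consecutively so jump N maps to pattern N), and then copies the pattern over its stub. Entries whose pattern does not end in RETN are flagged for manual review rather than silently patched.

```python
import struct

STUB_SIZE = 6                 # JMP DWORD PTR DS:[imm32] is 6 bytes, as is each pattern
JMP_IND = b"\xff\x25"         # opcode of the indirect jump stub
RETN = 0xC3                   # every listed 6-byte pattern ends with RETN


class FlatMemory:
    """Minimal stand-in for the debuggee's memory: a few regions keyed by base VA."""

    def __init__(self):
        self.regions = {}

    def map(self, base, data):
        self.regions[base] = bytearray(data)

    def _locate(self, va, size):
        for base, buf in self.regions.items():
            if base <= va and va + size <= base + len(buf):
                return buf, va - base
        raise ValueError(f"unmapped range {va:#x}+{size}")

    def read(self, va, size):
        buf, off = self._locate(va, size)
        return bytes(buf[off:off + size])

    def write(self, va, data):
        buf, off = self._locate(va, len(data))
        buf[off:off + len(data)] = data


def resolve_stub(mem, stub_va):
    """Return the pattern VA a JMP DWORD PTR [slot] stub leads to, or None if
    the bytes at stub_va are not such a stub (end of table / unmapped)."""
    try:
        stub = mem.read(stub_va, STUB_SIZE)
        if stub[:2] != JMP_IND:
            return None
        (slot,) = struct.unpack("<I", stub[2:])
        (target,) = struct.unpack("<I", mem.read(slot, 4))
        return target
    except ValueError:
        return None


def rebuild_jump_table(mem, table_va, max_entries=4096):
    """Walk consecutive FF25 stubs starting at table_va and overwrite each stub
    with the 6-byte pattern it points to. Returns [(stub_va, pattern_va, ok)],
    where ok is False when the pattern does not end in RETN and needs a manual look."""
    results = []
    for i in range(max_entries):
        stub_va = table_va + i * STUB_SIZE
        target = resolve_stub(mem, stub_va)
        if target is None:
            break
        pattern = mem.read(target, STUB_SIZE)
        ok = pattern[-1] == RETN
        mem.write(stub_va, pattern)          # the "binary copy-paste" step
        results.append((stub_va, target, ok))
    return results


def patterns_are_consecutive(results):
    """Check the rule from the post: jump N points at pattern N, 6 bytes apart."""
    if not results:
        return False
    first = results[0][1]
    return all(t == first + STUB_SIZE * i for i, (_, t, _) in enumerate(results))


def build_sample():
    """Constructed memory layout for demonstration (addresses taken from the listing)."""
    mem = FlatMemory()
    # three 6-byte patterns from the listing, laid out back to back at 0014DFA8
    patterns = bytes.fromhex("8B7E0C03FBC3" "89168B5004C3" "8B4F448BD3C3")
    mem.map(0x14DFA8, patterns)
    # pointer slots at 0014D008: each holds the VA of its pattern
    slots = b"".join(struct.pack("<I", 0x14DFA8 + STUB_SIZE * i) for i in range(3))
    mem.map(0x14D008, slots)
    # jump table at 007570F5: FF25 <slot>, followed by padding so the walk stops
    stubs = b"".join(JMP_IND + struct.pack("<I", 0x14D008 + 4 * i) for i in range(3))
    mem.map(0x7570F5, stubs + b"\xcc\xcc")
    return mem


if __name__ == "__main__":
    mem = build_sample()
    fixed = rebuild_jump_table(mem, 0x7570F5)
    for stub_va, pattern_va, ok in fixed:
        print(f"{stub_va:08X} <- {pattern_va:08X} {mem.read(stub_va, STUB_SIZE).hex()} {'ok' if ok else 'REVIEW'}")
    print("consecutive:", patterns_are_consecutive(fixed))
```

Because each stub is reached by a CALL from the protected code and the copied pattern ends in RETN, the patched bytes return straight to the caller just as the original jump-through-pattern path did; the consecutive-layout check is what justifies copying the whole block in one go in a real dump rather than entry by entry.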


 Copyright © 2021 BiW Reversing