Posted: Tue Jun 27, 2006 8:02 pm Post subject: unpacking symbiont's crackme1
I am trying to unpack symbiont's crackme1 (from crackmes.de). It seems he is the author of the beria PE protector.
I want to dump the exe from memory, but certain sections are page guarded. LordPE says that it cannot read the memory. I tried IceExt, but it also gives an error. Is there a way to bypass this protection?
So much to learn. Just downloaded your tutorial. It will be very useful.
I think he changed the import protection. He is using access violation exception instead of breakpoint exception.
I just checked the first process. The anti-debug tricks are weak. First, there are no checksums to detect patches. We have RDTSC checks that we can just patch, and the unpackme will run normally. Also, the RDTSC checks only work if we trace and do not notice them.
A good way to use them is to place some important code between two RDTSC pairs where the cracker must stop for a moment. For example, between two RDTSC opcodes you generate some exception. The best way is that the exception is one that is not ignored in Olly by default (like Array bounds exceeded C000008C, or Invalid Lock Sequence C000001E, etc...) so the cracker must stop at it and add it to the custom ones in Olly options. Also, hide RDTSC with some obfuscation so it cannot be seen. I just examined SDProtector and it uses such tricks very smartly.
Obfuscation is easy to remove too. You use some code like XCHG EAX,EBX multiple times that can be easily found and patched. Also, such obfuscation doesn't screw up Olly output. The best obfuscation is having lots of small junk jumps that skip one or more bytes. Such obfuscation is almost impossible to remove with scripts or tools, because you can always patch the "real" code and screw up the app. Examples:
    jmp short @f
    db 0e9h        ; junk byte(s): place one to three or four here
@@:
or
    jnz short @f
    jz short @f    ; jnz + jz together always jump, so the next byte is never executed
    db 0ebh        ; junk byte
@@:
And a million similar variations. Take Olly and check how PELock, SVKP, Obsidium, etc... use that.
Obfuscation can be very smart too; check it in Krypton, SafeGuard, PE-Armor, etc...
Other tricks are FindWindowA, which can be easily avoided by changing the OLLYDBG class, and breakpoint checks on APIs. It's OK, but those are just minor tricks in protectors.
You can throw in:
IsDebuggerPresent (returns EAX=1 if debugger is found)
CheckRemoteDebuggerPresent (returns EAX=1 if debugger is found)
CreateToolhelp32Snapshot - you can find any hostile process, who started the protected app, etc...
ZwQueryInformationProcess - not well documented, so I don't know much about it, but it can detect a debugger.
ZwQuerySystemInformation - similar; you can get information about drivers that run in the background, so you can detect SoftIce, Syser Debugger, Sysinternals tools....
ZwSetInformationThread - TheHyper knows how to use it; it can make process memory unreadable for the debugger (lots of protectors use it, very annoying trick)
CreateFileA - it is used to detect drivers, combined with GetLastError (I myself failed to use it)
EnumDeviceDrivers - you can enumerate all drivers and then examine which one is on your blacklist. I never saw any protector use it, but I used it and it works very well.
SetUnhandledExceptionFilter - you set the final handler, then generate an exception. Windows checks whether the application is being debugged and, in that case, lets the debugger handle the exception. So the app crashes under Olly.
There are a lot more anti-debug tricks, but these are the ones I know how they work. There is INT 68 for detecting SoftIce, but it only works on Win 9x. INT 1 is also used as a SoftIce trick, but I don't know much about SoftIce and interrupts.
Those are some suggestions, nothing original, just what I saw in other protectors.
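The junk-jump obfuscation described above, as an added example that is not part of this thread or of any protector: a toy x86 decoder (constructed bytes, only the handful of opcodes involved) that lists the same buffer once by linear sweep and once by following control flow, to show why a listing that does not follow the jumps swallows the real instruction after `db 0e9h`.

```python
import struct
# Opcodes this toy decoder understands: enough for the junk-jump trick.
REL8 = {0xEB: "jmp short", 0x74: "jz short", 0x75: "jnz short"}
ONE_BYTE = {0x90: "nop", 0xC3: "ret", 0x93: "xchg eax,ebx"}

# Constructed sample (not from the crackme): both junk-jump variants from the
# post around one real instruction, xchg eax,ebx at offset 3, then nop / ret.
#   00: EB 01   jmp short @f        04: 75 03  jnz short @g
#   02: E9      db 0e9h (junk)      06: 74 01  jz short @g
#   03: 93  @f: xchg eax,ebx        08: EB     db 0ebh (junk)
#                                   09: 90 @g: nop     0A: C3  ret
SAMPLE = bytes.fromhex("EB01 E9 93 7503 7401 EB 90 C3")

def decode_one(code, off):
    """Return (size, text, branch_targets, falls_through) for the insn at off."""
    op = code[off]
    if op in REL8 and off + 2 <= len(code):
        rel = struct.unpack_from("<b", code, off + 1)[0]
        target = off + 2 + rel
        return 2, f"{REL8[op]} {target:#x}", [target], op != 0xEB
    if op == 0xE9 and off + 5 <= len(code):  # jmp rel32 swallows 4 more bytes
        rel = struct.unpack_from("<i", code, off + 1)[0]
        target = off + 5 + rel
        return 5, f"jmp {target:#x}", [target], False
    if op in ONE_BYTE:
        return 1, ONE_BYTE[op], [], op != 0xC3
    return 1, f"db {op:#04x}", [], True  # unknown byte: treat as data

def linear_sweep(code):
    """Decode straight through the buffer, as a naive listing does."""
    out, off = [], 0
    while off < len(code):
        size, text, _, _ = decode_one(code, off)
        out.append((off, text))
        off += size
    return out

def flow_follow(code, start=0):
    """Decode only what is reachable by following jumps and fall-through."""
    seen, work = {}, [start]
    while work:
        off = work.pop()
        if off in seen or not 0 <= off < len(code):
            continue
        size, text, targets, falls = decode_one(code, off)
        seen[off] = text
        work.extend(targets)
        if falls:
            work.append(off + size)
    return sorted(seen.items())
```

Flow-following recovers the xchg, jnz, jz and nop that the linear sweep lost, but it still decodes the dead db 0ebh at offset 8 as a jump overlapping the nop, because it cannot know that the jnz/jz pair always jumps; that is why a script cannot safely strip these bytes without understanding the branch semantics.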
You can also dump with OllyDump, you won't get any errors nor warnings. Using LordPE's IntelliJob you might still get a warning about missing bytes, but the dump should be OK.
PS: @haggar --> your reply is almost a complete essay, nice
Hmm, I am sorry. Maybe you could be more specific about the problem.
Where and when does it crash?
No, sorry, I can't be more specific. It doesn't appear to crash, just terminate. I wasn't debugging it, just ran it and it exits. It doesn't really matter, it's not of enough interest to me to try and find out why. I mentioned it FYI only, thanks anyway.