unpacking symbiont's crackme1

www.reversing.be Forum Index -> Unpacking
TheHyper (New to the board, Joined: 02 May 2006, Posts: 12)
Posted: Tue Jun 27, 2006 8:02 pm, subject: unpacking symbiont's crackme1

I am trying to unpack symbiont's crackme1 (from crackmes.de). It seems he is the author of the Beria PE protector.

I want to dump the exe from memory but certain sections are page guarded. LordPE says that it cannot read the memory. I tried IceExt but it also gives an error. Is there a way to bypass this protection?
haggar (Regular, Joined: 19 Mar 2005, Posts: 246)
Posted: Tue Jun 27, 2006 8:39 pm

Hi.


Yep, symbiont is the Beria author and I wrote a tutorial for the old version. He coded a new one because the old one was buggy.


You can dump second process using intelli dump engine in LordPE.

Right click on process -> active dump engine -> IntelliDump -> Select!

Then dump it.


See you.
symbiont (New to the board, Joined: 01 Dec 2005, Posts: 2)
Posted: Tue Jun 27, 2006 8:48 pm

I'd really like to get a lot of comments and advice about Beria.
Have fun with the crackme!
TheHyper (New to the board, Joined: 02 May 2006, Posts: 12)
Posted: Tue Jun 27, 2006 8:53 pm

So much to learn. Just downloaded your tutorial. It will be very useful.
I think he changed the import protection. He is using access violation exception instead of breakpoint exception.
haggar (Regular, Joined: 19 Mar 2005, Posts: 246)
Posted: Wed Jun 28, 2006 12:56 pm

Yes, he said that he changed it. It looks very similar to bustme1.

I was just examining the first process; here is a script that will remove most of the obfuscation and junk, along with most RDTSC checks:

Code:

//New Beria - dejunk script
// Each block scans from 401000 for one fixed byte pattern, overwrites the
// hit with NOPs (then searches again from the same address, which no longer
// matches) and logs how many hits it patched. $RESULT is 0 when find fails.

var addr
var counter

// xor eax,eax / push eax / jmp +3 / pop eax / jmp +2 / jmp -5  (10 bytes)
mov addr,401000
mov counter,0
LABEL_01:
find addr, #33C050EB0358EB02EBFB#
cmp $RESULT,0
je END_01
mov addr,$RESULT
mov [addr],#90909090909090909090#
add counter,1
jmp LABEL_01
END_01:
log "Jump obfuscation:"
log counter

// xor eax,eax followed by eight XCHG EAX,EBX (93)  (10 bytes)
mov addr,401000
mov counter,0
LABEL_02:
find addr, #33C09393939393939393#
cmp $RESULT,0
je END_02
mov addr,$RESULT
mov [addr],#90909090909090909090#
add counter,1
jmp LABEL_02
END_02:
log "Garbage XCHG EAX,EBX:"
log counter

// xor eax,eax / push eax,ebx,edx / xchg eax,edx / xchg eax,ebx / pop edx,ebx,eax
mov addr,401000
mov counter,0
LABEL_03:
find addr, #33C050535292935A5B58#
cmp $RESULT,0
je END_03
mov addr,$RESULT
mov [addr],#90909090909090909090#
add counter,1
jmp LABEL_03
END_03:
log "Garbage exchanging 2:"
log counter

// xor eax,eax / pushad / xor eax,ebx / xor ebx,ecx / xor ecx,edx / popad
mov addr,401000
mov counter,0
LABEL_04:
find addr, #33C06033C333D933CA61#
cmp $RESULT,0
je END_04
mov addr,$RESULT
mov [addr],#90909090909090909090#
add counter,1
jmp LABEL_04
END_04:
log "Garbage POPAD-PUSHAD:"
log counter

// xor eax,eax then PUSH EAX / POP EAX four times  (10 bytes)
mov addr,401000
mov counter,0
LABEL_05:
find addr, #33C05058505850585058#
cmp $RESULT,0
je END_05
mov addr,$RESULT
mov [addr],#90909090909090909090#
add counter,1
jmp LABEL_05
END_05:
log "Garbage PUSH-POP:"
log counter

// rdtsc / mov [esp+xx],eax : the pattern is 5 bytes, the 6 NOPs also
// cover the displacement byte
mov addr,401000
mov counter,0
LABEL_06:
find addr, #0F31894424#
cmp $RESULT,0
je END_06
mov addr,$RESULT
mov [addr],#909090909090#
add counter,1
jmp LABEL_06
END_06:
log "Most RDTSC initializations:"
log counter

// rdtsc / sub eax,[esp+xx] / mov [esp+xx],eax / cmp dword [esp+xx],5FFFFFFF / jbe
// 18 NOPs replace everything up to the jbe opcode, which becomes EB (jmp short);
// its rel8 byte is kept, so the "not debugged" branch is always taken.
mov addr,401000
mov counter,0
LABEL_07:
find addr, #0F312B4424??894424??817C24??FFFFFF5F76#
cmp $RESULT,0
je END_07
mov addr,$RESULT
mov [addr],#909090909090909090909090909090909090EB#
add counter,1
jmp LABEL_07
END_07:
log "Most RDTSC checks:"
log counter

log "Patch rest of them manually !"

ret




Ok, here are comments for symbiont:

I just checked the first process. Anti-debug tricks are weak. First, there are no checksums to detect patches. We have RDTSC checks that we can just patch and the unpackme will run normally. Also, RDTSC checks are functional only if we trace and do not notice them.

A good way to use them is to place some important code between two RDTSC pairs where the cracker must stop for a moment. For example, between two RDTSC opcodes you generate some exception. The best way is for that exception to be one that is not ignored in Olly by default (like Array bounds exceeded C000008C, or Invalid lock sequence C000001E, etc.) so the cracker must stop at it and add it to the custom ones in Olly's options. Also, hide RDTSC with some obfuscation so it cannot be seen. I just examined SDProtector and it uses such tricks very smartly.



Obfuscation is easy to remove too. You use code like XCHG EAX,EBX multiple times, which can be easily found and patched. Also, such obfuscation doesn't screw up Olly's output. The best obfuscation is to have a lot of small junky jumps that skip one or more bytes. Such obfuscation is almost impossible to remove with scripts or tools because you can always patch "real" code and screw up the app. Examples:

jmp short @f
db 0e9h        ; junk bytes: place one to three or four of them here
@@:

or

jnz short @f
jz short @f
db 0ebh        ; junk byte
@@:

And a million similar variations. Take Olly and check how PElock, SVKP, Obsidium, etc. use that...

Obfuscation can be very smart too; check it in Krypton, SafeGuard, PE-Armor, etc.


Other tricks are FindWindowA, which can be easily avoided by changing the OLLYDBG class, and breakpoint checks on APIs. It's OK, but those are just minor tricks in protectors.


You can throw in:

IsDebuggerPresent (returns EAX=1 if a debugger is found)

CheckRemoteDebuggerPresent (returns EAX=1 if a debugger is found)

CreateToolhelp32Snapshot - you can find any hostile process, who started the protected app, etc.

ZwQueryInformationProcess - not well documented so I don't know much about it, but it can detect a debugger.

ZwQuerySystemInformation - similar, you can get information about drivers that run in the background so you can detect SoftICE, Syser Debugger, Sysinternals tools...

ZwSetInformationThread - TheHyper knows how to use it, it can make process memory unreadable for the debugger (a lot of protectors use it, very annoying trick)

CreateFileA - used to detect drivers, combined with GetLastError (I myself failed to use it)

EnumDeviceDrivers - you can enumerate all drivers and then examine which one is on your blacklist. I never saw a protector use it, but I used it and it works very well.

SetUnhandledExceptionFilter - you set the final handler, then generate an exception. Windows checks whether the application is being debugged and in that case lets the debugger handle the exception. In that case the app crashes under Olly.



There are a lot more anti-debug tricks, but these are the ones I know how they work. There is INT 68 for detecting SoftICE, but it only works on Win 9x. INT 1 is also used as a SoftICE trick, but I don't know much about SoftICE and interrupts.

Those are some suggestions, nothing original, just what I saw in other protectors.



Regards

haggar
SKiLLa (Frequent poster, Joined: 29 Mar 2005, Posts: 79)
Posted: Thu Jun 29, 2006 10:29 am

You can also dump with OllyDump; you won't get any errors or warnings. Using LordPE's IntelliJob you might still get a warning about missing bytes, but the dump should be OK.

PS: @haggar --> your reply is almost a complete essay, nice

Quote:
ZwQueryInformationProcess

That trick is explained (including solution) at: hxxp://www.rootkit.com/newsread.php?newsid=284
bengunn (Regular, Joined: 15 Apr 2005, Posts: 118)
Posted: Thu Jun 29, 2006 2:59 pm, subject: xp pro sp1

symbiont wrote:
I'd really like to get a lot of comments and advice about Beria.
Have fun with the crackme!

I can't get it to run on Win XP Pro SP1 English.
symbiont (New to the board, Joined: 01 Dec 2005, Posts: 2)
Posted: Thu Jun 29, 2006 8:36 pm

Hmm, I am sorry. Maybe you could be more specific about the problem.
Where and when does it crash?
bengunn (Regular, Joined: 15 Apr 2005, Posts: 118)
Posted: Fri Jun 30, 2006 12:13 am

symbiont wrote:
Hmm, I am sorry. Maybe you could be more specific about the problem.
Where and when does it crash?

No, sorry, I can't be more specific. It doesn't appear to crash, just terminate; I wasn't debugging it, I just ran it and it exits. It doesn't really matter, it's not of enough interest to me to try and find out why. I mentioned it FYI only, thanks anyway.
Powered by phpBB © 2001, 2005 phpBB Group
 Copyright © 2023 BiW Reversing