Wednesday, December 13 2006 @ 08:49 AM CET Contributed by: ColdT Views: 10229
*** AsProtect - A reverse engineering approach ***
***** ***** by crUsAdEr ***** ****
This tutorial aims mainly to discuss the internal workings of
AsProtect, more than just unpacking it. So if you just want to unpack it
and don't want to waste your time on reverse engineering, forget the second part
of this tutorial!
TOOLS used :
IDA 4.15
Soft Ice on Win2k
LordPE
Revirgin (for unpacking only)
WinHex (for unpacking only)
Targets : ReGet Deluxe 3.0 beta (build 117) (but I think
any program protected with the same version of AsProtect will do)
Included : asprotect dll
Tuesday, December 12 2006 @ 09:51 PM CET Contributed by: ColdT Views: 8673
*** Armadillo – MANUALLY skinning the mutant ***
***** ***** by crUsAdEr ***** ****
This tutorial aims to discuss Armadillo 2.61 protection and how to
MANUALLY remove the Armadillo protection layer! Hopefully this will demonstrate
some manual unpacking techniques that have been forgotten as crackers get more
and more dependent on tools.
TOOLS used :
IDA 4.15
Soft Ice on Win2kSP3
LordPE Deluxe
Targets : Get Right 5.0 beta 1
Prologue
Armadillo 2.61 was just released with a few new features that make it slightly
more interesting to reverse. The fact that Armadillo debugs its own protected
program makes it harder for us crackers to debug the target, but the good side
is that the Armadillo code is not obfuscated or encrypted in any way, so we can
disassemble the protection layer and study it in IDA.
i) All code snippets in this tutorial are taken from the IDA
disassembly. Besides the IAT redirection part, code snippets in other parts of
this tutorial can be found at the same address in IDA if you can obtain the
same version of the “getright.exe” file.
ii) Throughout this essay, I use variable names like “d
ebp+someName” to make it easier for readers to follow. When you are in SoftICE,
you have to type out the actual value, for example “d ebp+FFFFFAE0”.
iii) Armadillo-protected programs start 2 processes; the
protecting layer debugs the protected target, so I shall refer to the debugger
as the “server” and the debuggee as the “client”.
iv) Also note that IAT redirection on Win9x is different
from WinNT/2k/XP, so this essay only discusses IAT redirection on Win2k, though you
can find the redirection routine on Win9x in a similar way!
(Finally, please READ those threads on the Fravia board
about Armadillo protection and also make SURE you have a solid understanding of
the PE format, as it is essential for rebuilding a working PE image!)
Monday, December 11 2006 @ 05:03 PM CET Contributed by: wizard Views: 23805
Target: Windows XP Pro kernel file (can be also Home or Embedded version)
Tools used:
Resource Hacker 3.2.2 (for pictures changing, you can use any other resource editor)
Hiew 6.11 (for palette changing, you can use any hex editor)
IrfanView 3.85 (for replacing the palette in pictures to see how they look
after that; you can use any other viewer or editor)
An image editor (for editing a new image)
Author: Wizard
Date: 29.10.2003
Level 2/10
Origin: An intellectual is someone whose mind watches itself, Mark Twain
Essay
Today's issue is dedicated to changing the startup logo of Windows XP. Well,
I suppose anyone who has used Windows 2000 (NT 5) or Windows XP (NT 5.1) for a
long time is probably fed up with the standard Windows logo during boot.
You may say, so what, there are lots of tools around the net which can change the
logo, like 1, 2, 3. Of course, that is so, but those tools can teach you nothing. If
you wanna learn something then get your spade & let's start digging in.
Saturday, December 09 2006 @ 05:27 PM CET Contributed by: ColdT Views: 16209
Hello,
well today I'm gonna teach you *censored*ers an easy way of 'reversing' crc32. CRC stands for Cyclic Redundancy Check and 32 the size of the result in bits, 32 bits = 1 dword = 4 bytes. Ok, enough of this crap. My method of finding out the values necessary for resulting in a given crc goes like this:
Wednesday, December 06 2006 @ 08:36 PM CET Contributed by: haggar Views: 20736
Level : intermediate
This is a very short tutorial that brings just a small update to previous ones. The target is ExeCryptor 2.3.9 itself, which can be found on the official protector site. The tutorial shows unpacking, not cracking, the target. You will need OllyDbg (some script plugin, and some hide plugin), LordPE, ImpREC and Windows XP.