Integrity checking.


Zumo
April 8th, 2012, 21:30
I have an app fully unpacked and fixed the dump using ImpREC, but it refuses to run (showing in Task Manager, but no windows). It's obviously doing an integrity check, which is why I'm here. The packer/protector was Yoda's Protector 1.03.2 beta 3. The app creates and depends on reg keys and files in multiple directories, as shown using ProcMon. The app is ID'd as Visual Basic 5.0/6.0 using Exeinfo, PEiD, and RDG Packer Detector. For what it's worth, using VB Decompiler, VBReFormer, P32Dasm and others, it seems it's not been obfuscated. I've searched endlessly on integrity checking and the like to no avail. Most results eventually lead to foreign-language websites (Turkish, Arabic, and Chinese mostly) with crappy translations using Chrome. I've found something called "Defeating File Integrity Checks Through Redirection" on Fravia's site. However, that piece was from '98, so I'm not sure how relevant that would be today. I'd be eternally grateful for any guidance I can get. Thanks!

rendari
April 8th, 2012, 22:25
Breakpoint on ZwCreateFile to see if it's opening a handle to itself and checking that way.

Also set a hardware breakpoint on read on the code section/PE header and see if it's checking those.
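For a reader new to this, here is what the two breakpoints above are actually trying to catch, as an added example and not code from the thread or from the protector under discussion. It is portable C that compiles and runs anywhere: pattern 1 reopens the program's own image on disk and hashes it (on Windows that open goes CreateFile -> ntdll!NtCreateFile, also exported as ZwCreateFile, which is where the API breakpoint lands); pattern 2 hashes a range already mapped in memory, so a hardware breakpoint on read over the code section or PE header fires inside the hashing loop. The FNV-1a hash, the `fake_text` bytes and the sample file name are illustrative assumptions; a real protector would pick its own hash and hide the comparison far better.

```c
/*
 * Added example (not from the thread): the two self-integrity-check
 * patterns the breakpoints in the post are meant to catch.
 *
 *  1. file check  : reopen the image on disk and hash it. On Windows the
 *     open reaches ntdll!NtCreateFile / ZwCreateFile, so a breakpoint
 *     there shows a handle being opened on the program's own path.
 *  2. memory check: hash a region already mapped in memory (.text, the PE
 *     header). A hardware breakpoint on read over that range fires in the
 *     hashing loop below.
 *
 * FNV-1a and the hard-coded values are illustrative choices only.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FNV_OFFSET 0x811c9dc5u
#define FNV_PRIME  0x01000193u

/* FNV-1a over a memory range; continues from hash state h so a file can be
 * hashed in chunks. This loop is what a HWBP on read would trap. */
uint32_t fnv1a(const uint8_t *p, size_t n, uint32_t h)
{
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= FNV_PRIME;
    }
    return h;
}

/* Pattern 2: compare an in-memory range against a stored hash. */
int memory_region_intact(const void *base, size_t len, uint32_t expected)
{
    return fnv1a((const uint8_t *)base, len, FNV_OFFSET) == expected;
}

/* Pattern 1: reopen the image on disk and hash it.
 * Returns 1 on match, 0 on mismatch, -1 if the file cannot be opened
 * (protectors usually treat -1 the same as a mismatch). */
int file_intact(const char *path, uint32_t expected, uint32_t *actual)
{
    FILE *f = fopen(path, "rb");
    if (!f)
        return -1;
    uint8_t buf[4096];
    uint32_t h = FNV_OFFSET;
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, f)) > 0)
        h = fnv1a(buf, n, h);
    fclose(f);
    if (actual)
        *actual = h;
    return h == expected;
}

/* Helper so a sample "image" can be written and checked; not part of the
 * check itself. Returns 0 on success. */
int write_bytes(const char *path, const uint8_t *data, size_t n)
{
    FILE *f = fopen(path, "wb");
    if (!f)
        return -1;
    int ok = fwrite(data, 1, n, f) == n;
    fclose(f);
    return ok ? 0 : -1;
}

int main(int argc, char **argv)
{
    /* Stand-in for a code section (assumed bytes); a real check would take
     * the .text range from the PE headers already in memory. */
    static const uint8_t fake_text[] = { 0x55, 0x8b, 0xec, 0x83, 0xec, 0x10, 0xc3 };
    uint32_t h = fnv1a(fake_text, sizeof fake_text, FNV_OFFSET);
    printf("code-section hash %08x -> %s\n", h,
           memory_region_intact(fake_text, sizeof fake_text, h) ? "intact" : "patched");

    /* Hash our own image on disk, the way the protected app would. */
    const char *self = argc > 0 ? argv[0] : "";
    uint32_t actual = 0;
    if (file_intact(self, 0, &actual) < 0)
        printf("could not open %s\n", self);
    else
        printf("file hash of %s: %08x\n", self, actual);
    return 0;
}
```

Patching a single byte in `fake_text` flips the memory check to "patched", which is exactly the situation after an unpack-and-dump: the bytes on disk and in memory no longer match what the protector recorded, so either the stored value or the comparison has to be dealt with.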

Zumo
April 9th, 2012, 00:05
FYI, I'm pretty new to this, so there's a good chance I may not know what you say sometimes. With that said, it does indeed break on ZwCreateFile with:

Code:
Handles, item 9
Handle=0000000C
Type=File (dir)
Refs= 2.
Access=00100020 SYNCHRONIZE|TRAVERSE
Name=l:\Program Files\****\**** <----------- The DIR of the executable.
As for setting a HWBP on access in the code/PE section, I don't see that option, only memory breakpoint on access/write and "break-on-access."