
View Full Version : some new tricks from bi-tarts


tsehp
September 16th, 2001, 18:32
hiya,
just tried my new tracer (from revirgin beta) on fusion v2, from www.bit-arts.com

traced until 401000, dumped with procdump on win2k (I'll add the dump feature pretty soon, promised), rebuilt iats without problems
begin 24b108 len e0c, you'll have to correct a little what the auto finder gave

rv inserted the new IT into the dump, changed the oep to 401000, then problems:

I just think that, like aspr, fearing the annihilation of the iat's protection system, they are forcing more and more apps to rely on tests for whether the protection shell is present or not; we already saw a lot of mem allocated by aspr and tested later by the target, with the consequences you can imagine if you don't "fix" this in your dump.

But bi-tarts found another trick: checking the pe against encrypted values (xored) in the protection section of your dump. Here are some addresses just for you to play with and discover:
all in va's:
6d1002: 0d (not encrypted), designed to check the num of sections, but if you make rv work, the dump will contain 0e sections, so change this value

4ee55f (xored with e5) contains the old oep rva = 2d1000; change to 001000 to have the normal 401000 oep check

the others if you're lazy: 64a04f (xored a0); 6bcf2c (xored ce);
6cd041 (xored d0); 6cd38e (xored d3) and 6cd45c (xored d4);
finally check at 6d1004, change to ed5f1; this value is tested against the ed5f1 contained in the pe.

So, more and more checks for the protection shell in the main programs. I would be very interested in how, in aspr and in other schemes, they provide some sdk or guidelines for programmers to include such checks in their code; anyone have the sources?
(very indirect warez requests from me again, soon to be auto-banned from my forum, I promise)

hey, look at what's provided on their site, concerning their protection system:

***
"After spending three days attempting to bypass the copy-protection features, we were unable to use the evaluation application in an unauthorized manner".

E-testing labs (ZD Labs)
***

pray for them, be a nice guy


nchanta
September 17th, 2001, 00:19
bi-tarts have actually coded something useful?

I find it hard to believe, tsehp, hehe...

Unless bi-tarts fusion just jams in checks willy-nilly, there must be a user-called API that does these silly checks. Maybe they stole the idea from asprotect... ;P

What program were you unpacking, tsehp?

NchantA
______________________________

Gravity was invented by Isaac Walton. It is chiefly noticeable in the autumn when the apples are falling off the trees.

tsehp
September 17th, 2001, 01:45
no no, believe me, this time they really managed to find something new:

download www.bit-arts.com fusion v2 latest, and dump + rebuild with the info I provided.

The checks are not mem checks like aspr actually does to see if the protection is still there, but only some checks inside the pe-header:
1- num of sections
2- oep
3- the last value I found, didn't look any further.

Contact me if you want the dump + rv files; I'll mail them (too big for here).
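The header checks tsehp describes in his two posts above, as an added worked example (this code is not from the thread, from tsehp's tools or from Bit-Arts). It builds a small PE32 image laid out like a process dump, plants two "expected header values" inside a protection section the way the posts describe (the section count stored unencoded, the OEP stored as a dword XORed with a one-byte key), shows the shell's comparison failing once the header reflects the rebuilt dump (an extra section added by the IAT rebuilder, OEP moved back to the real entry), and re-encodes the stored values so the comparison passes again. The section layout, the VAs, the XOR keys and the byte-wise one-byte XOR encoding are all assumptions constructed for the example; the real Fusion v2 addresses in the post are specific to that image.

```python
import struct

IMAGE_BASE = 0x400000   # assumed ImageBase of the sample image
PAGE = 0x1000

# Sample layout (constructed for this example; in a memory dump raw offset == RVA):
#   headers at RVA 0, .text at 0x1000 (real code, OEP 0x1000), .prot at 0x2000
#   (protection shell, holds the encoded expected values), .rv at 0x3000 (the
#   section an IAT rebuilder appends, which is what bumps NumberOfSections).
SECTIONS = [(b".text", 0x1000), (b".prot", 0x2000), (b".rv", 0x3000)]

# Where the shell keeps what it expects to see in the PE header: (VA, key, width, field).
# Mirrors the two checks in the post: an unencoded byte for NumberOfSections and a
# dword XORed with a one-byte key for AddressOfEntryPoint. VAs and keys are made up.
CHECKS = [
    (IMAGE_BASE + 0x2002, 0x00, 1, "num_sections"),
    (IMAGE_BASE + 0x255F, 0xE5, 4, "oep"),
]

# Values the shell stored at packing time: 2 sections, OEP = shell entry at RVA 0x2000.
PACKED_NUM_SECTIONS = 2
PACKED_OEP = 0x2000


def header_values(img):
    """Read NumberOfSections and AddressOfEntryPoint straight from the PE header."""
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    num_sections = struct.unpack_from("<H", img, e_lfanew + 6)[0]
    entry_rva = struct.unpack_from("<I", img, e_lfanew + 24 + 16)[0]
    return {"num_sections": num_sections, "oep": entry_rva}


def va_to_offset(img, va):
    """Map a VA to a file offset through the section table (works for real files too)."""
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    nsec = struct.unpack_from("<H", img, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", img, e_lfanew + 20)[0]
    image_base = struct.unpack_from("<I", img, e_lfanew + 24 + 28)[0]
    rva = va - image_base
    sec_table = e_lfanew + 24 + opt_size
    for i in range(nsec):
        _, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", img, sec_table + 40 * i)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rawptr + (rva - vaddr)
    raise ValueError("VA %#x is not inside any section" % va)


def read_stored(img, va, key, width):
    """Decode a little-endian value the shell stored XORed byte-wise with a one-byte key."""
    off = va_to_offset(img, va)
    return int.from_bytes(bytes(b ^ key for b in img[off:off + width]), "little")


def write_stored(img, va, key, width, value):
    """Store a value at a VA, encoded the same way the shell expects to decode it."""
    off = va_to_offset(img, va)
    img[off:off + width] = bytes(b ^ key for b in value.to_bytes(width, "little"))


def build_sample_dump():
    """PE32 image whose header already shows the rebuilt state (3 sections, OEP 0x1000)
    while the stored checks still hold the packed-time values (2 sections, OEP 0x2000)."""
    size = PAGE * (len(SECTIONS) + 1)
    img = bytearray(size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                          # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # IMAGE_FILE_HEADER: i386, section count, 3 unused dwords, optional header size, chars
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, len(SECTIONS), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 6, 0, PAGE, PAGE, 0, 0x1000, 0x1000, 0x2000, IMAGE_BASE,
                      PAGE, 0x200, 4, 0, 0, 0, 4, 0, 0, size, PAGE, 0, 2, 0,
                      0x100000, PAGE, 0x100000, PAGE, 0, 16) + bytes(128)
    assert len(opt) == 0xE0                                          # PE32 optional header
    img[0x58:0x58 + len(opt)] = opt
    for i, (name, rva) in enumerate(SECTIONS):
        off = 0x58 + len(opt) + 40 * i
        struct.pack_into("<8sIIIIIIHHI", img, off, name, PAGE, rva, PAGE, rva, 0, 0, 0, 0, 0x60000020)
    # Plant the shell's expectations, encoded, inside .prot.
    write_stored(img, CHECKS[0][0], CHECKS[0][1], CHECKS[0][2], PACKED_NUM_SECTIONS)
    write_stored(img, CHECKS[1][0], CHECKS[1][1], CHECKS[1][2], PACKED_OEP)
    return img


def shell_checks_pass(img, checks=CHECKS):
    """What the protected program does at run time: compare each stored value with the header."""
    hdr = header_values(img)
    return all(read_stored(img, va, key, width) == hdr[field] for va, key, width, field in checks)


def fix_shell_checks(img, checks=CHECKS):
    """Re-encode each stored value to match the rebuilt header; returns (va, old, new) triples."""
    hdr = header_values(img)
    changes = []
    for va, key, width, field in checks:
        old = read_stored(img, va, key, width)
        write_stored(img, va, key, width, hdr[field])
        changes.append((va, old, hdr[field]))
    return changes


if __name__ == "__main__":
    dump = build_sample_dump()
    print("before fix:", shell_checks_pass(dump))                    # False
    for va, old, new in fix_shell_checks(dump):
        print("%#x: %#x -> %#x" % (va, old, new))
    print("after fix:", shell_checks_pass(dump))                     # True
```

On a real dump you would replace `CHECKS` with the VAs and keys found by tracing the comparison code, and `va_to_offset` already goes through the section table, so the same functions work on a file whose raw pointers do not equal its RVAs. The point the posts make is that the protected program never looks at the shell's memory, only at its own PE header, so the fix is purely a matter of making the stored expectations agree with whatever header the rebuilt dump ends up with.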

+SplAj
September 17th, 2001, 04:17
hmmm, saw these same tricks in Titaniumv2, IntallCrap, Digicrap etc. etc. when I rebuilt them in July for a competitor of theirs

greetz Kop....... :-)

What tsehp describes is familiar...

xor the checking code with 1 byte.. used a calculator to fix that one.... Overwrite memory if OEiP and/or 1st section length are incorrect... the fixed values are stored for comparison in the exe, so just change them as required

Pretty lame duh.... also the stupid red 'Evaluation' box takes 5 seconds to bypass......

Did not mention the *new* tricks here cos nobody gives a shit about these big headed tranny braggers.....

Seems that checking the OEiP pointer is now becoming a standard anti-dump policy. That's one of the checks in lame aiswpp.exe (401000 = AX register = 1000 but real oeip 51a59c, so error! OEiP stored in the PE header at offset 0x128)