
View Full Version : u talk about me :)


Unregistered
October 9th, 2001, 05:12
hi dudes, u guys talk bout my protector *GRINS*
oh i can detect icedump (it's really easy)
iam almost sure that u guys already have the file...
so go and destruct it

^DAEMON^ [UG2000/MYTH]

nchanta
October 9th, 2001, 06:10
eheh, hi DAEMON

i havent given the file to anyone, as per your wish's
but since u seem to consent with it being among us select few who read this board, ill try and get it posted

/me pokes daemon

i havent had a lot of time to actually look into this due to continuing work IRL, but i give it to all you people that do have time

nchanta
October 9th, 2001, 06:15
i cant seem to post attachments...

nofurs
October 9th, 2001, 08:47
Heya Guys,
I'll upload it here

SpeKKeL
October 9th, 2001, 09:18
virus found...... PE_ZMORPH.ax....

SpeK

Unregistered
October 9th, 2001, 09:49
read the subject, this should be enough, or keep off!

DAEMON!

^DAEMON^
October 9th, 2001, 10:02
hmmm just want to say, that it's not that hard! there is always this one rule: if code is executeable it can be broken... i know that, of course! nobody cracked it so far... but i think it will be broken next days (weeks).... so go boys and give ur best!

DAEMON

+SplAj
October 11th, 2001, 07:41
...... duh, excuse me.....

What r we supposed to do with old teunlock1 ??? just dump and fix up the 11mb exe ???

why ?

Servus ^Daemon^

U R the UG for lamers bringing out automagic unpackers with your ace coding skills. Nothing wrong in that - I think you gave most of source code with unpacker, great. BUT Newbs should study and learn. But nobody does . They just wait for latest release and think they are UG's too. Same scenario with ALL auto-unpackers, especially with CASPR !!!

BUT here we try to TEACH USAGE OF THE *BRAIN* in RCE..........so that one day every one could knock up their own unpacker if they wanted. Back to my stupid question :-

R U saying Nchanta is mystified with teunlock1 + icedump /tracex
and so we should figure out the problem. I can't believe this ??? BUT , if this really is the target Nchanta was scared to upload for us then I say we make a challenge on the other board and find your tricks.

Then fix icedump source/re-compile and your trick is defeated ???

I don't readily have access to Win98/ME but I d/l the supposed target and will take a peek soon.

Greetz to Egoiste as well. Excellent cracker and programmer, lots of source code given to us to build on esp. with keygens. BTW i'm sure you appreciated we taught to manually defeat te!lock rather than use unpackers

It's great to see you *ace* guys frequent the all-new-super-lubed-RCE-MB and give us some challeges and tips as well

Spl/\j

+SplAj
October 11th, 2001, 08:02
duh, sorry for stupid question.....just checked IP ......... Nchanta is playing a doppelganger game

clusurf==nchanta

so 'old' target is valid , just protected now.....

Later

^DAEMON^
October 11th, 2001, 08:07
hi splaj,

i've had no other exe than teunlock here as i gave out my protector to some crackers out there... so try it...

u'll like it! iam sure.... and yeah it's true it has icedump detection
and /tracex crashing

good luck
^DAEMON^

+SplAj
October 11th, 2001, 09:13
^DAEMON^

/me smiley...... maybe ?

see attachment

^DAEMON^
October 11th, 2001, 09:21
read subject ))

anyway most failed


please let me know if u traced or dumped the file....

^DAEMON^

+SplAj
October 11th, 2001, 09:26
^DAEMON^

I just checked my rebuild on another PC. Seems I cocked up a clean ExitProcess call......

Anyway I rebuilt the file and it appears functional. I used Win2K at my work PC....

thanks for the challenge.

+Spl/\j

^DAEMON^
October 11th, 2001, 09:32
so u didn't trace..... hehehe

fatal errrrrrrroorrrr
better destruct loader code... and see anti.debugging
u'll need this for further versions

+SplAj
October 11th, 2001, 09:34
^DAEMON^

As I said I don't use Win98/ME or Icedump ........ but for sure If I get time I will analyse the dumped code with your extra poly protection and TRY to understand it ..................

+Spl/\j

Unregistered
October 11th, 2001, 11:08
Hiya +SplAj,
yes I did upload the file cuz nchanta can't upload any file

clusurf==nchanta
nope
btw I'm cluesurf

regards
cluesurf

Bengaly
October 11th, 2001, 11:29
ehehehem daemon's stuff
Seems to easy for you eh? :-)
No such challange for HCUkers :-) .
cya
Benji

nofurs
October 11th, 2001, 11:39
Heya all,
I have done it just like +SplAj not tracing at all
and its 11mbs :P.Not yet rebuilt the imports .
cya

tsehp
October 11th, 2001, 15:51
Trying to follow what's happening here and finishing rv's tracer to also trace a te-locked notepad spekkel sent me:

what's the real news about this *impossible* to trace app ?

Will someone finally upload it there ? So the challenge will be complete. Don't do if it's usual int1/int3/int68 bchk meltice anti single step code, it's more than defeated at this time.

Thanks to reupload/send it to me, so my next days will be busy again ;-)

^DAEMON^
October 12th, 2001, 12:36
hiya... as i already said this version available to u is pretty old and the imports can be rebuilt pretty easy (tracing is damn hard!)
dumping and rebuilding was pretty easy in this version, so i'll go and give u another version soon!

till then ^DAEMON^

and bengaly please shut up...

nofurs
October 15th, 2001, 08:53
Heya +Tsehp,
The anti-debug is written in opcodes. Icedump /tracex does not work for this program. It prompts illegal protection error. Trying to resolved using but failed. Its strange that when selecting the file in Revirgin it doesn't prompts the error and ask you to fetch the IAT ;P, anyway I just click it and resolved and it automatically resolved 2 times ....
the second time is slow and it prompts errors and it doesn't resolved at all ;PP
Anyway you can download the file and take a look
cya
cluesurf

^DAEMON^
October 18th, 2001, 00:58
hmmmm if someone else was/is able to crack it please post a message here or mail me the file back to cdaemon@gmx.net!
thx

^DAEMON^

nchanta
October 18th, 2001, 07:57
excuse me splaj+.

i am not cluesurf, and i never masquerade as other people. i was hardly 'scared' to upload the file, i didnt upload for two reasons:

1. i was told not to give the .exe out willy-nilly and
2. i couldnt upload with my post.

i also wasnt very perplexed with the packer, i simply wanted to know (refer to original post) how daemon managed to detect the tracer.

simple question, that i feel still hasnt been answered?

NchantA.

^DAEMON^
October 19th, 2001, 14:05
just try it!

^DAEMON^

Unregistered
October 19th, 2001, 17:39
Does that happen to be win2k compat?

^DAEMON^
October 20th, 2001, 01:12
this file has got some header problems and won't work under 2k normally my protector IS compatible!

^DAEMON^

penfold
November 3rd, 2001, 05:13
i'll destruct it if you pay me $20 per hour.

hehe might be able to afford a packet of ciggies once im finished !

WOAH !! 6 seconds for it to execute / decrypt / whatever . feel the panic!

anyway, nice that it dosnt crash on my pc, or detect icedump, or detect softice . good work daemon! (win98se, sice4.0, icedump 5.17 hehe)

11,595,776 byte imagesize? hehe who the fuck coded that shitty unpacker! have they never heard of VirtualAlloc

tsehp
November 3rd, 2001, 07:40
Gosh this app doesn't let my tracer come in...congrats, I'm on this daemon

can you re upload a win2k compatible ?
tia,

tsehp

^DAEMON^
November 3rd, 2001, 10:29
but wait i'll upload a new version soon (the file is normally compatible but my protector fucked the header in some way)

till then ^DAEMON^

tE!
November 3rd, 2001, 10:39
I fear there's more than this app which don't let
your tracer "come in".

Bah, know what Tsehp...I'm sick of win2k full ***STOPs
and KMODE exception.

Best use for revirgin was to test new BCWipe 2.36.1 on its
installation folder...

tsehp
November 3rd, 2001, 13:40
Te, why don't you upload it ? I raised the upload limit to 1 gig.

Daemon, the dp-borg2 is now traced, nice exports table trick

evaluator
November 6th, 2001, 03:09
Hi ^DAEMON^!

I like "unpacking"-deprotecting and
your protector is very interesting but
it is very NOT interesting deprotecting
SOME files!

It will very intersting if you will protect
your protector itself and upload here!

H3Xenoic
November 6th, 2001, 05:48
hi

penfold, i think the 11mb exe is part of the 'tricks' ? having a huge padded section full of zero takes just 1 line in source

*hint* best to check any large VSize numbers over RSize in the sections of target exe just to be aware about this in advance

BTW I would have copied lots of code in there as well while expanding to really fux the dump with a repeat .loop REPZ or something

however in this case just re-align the dump and petit size again
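
H3Xenoic's hint above (compare VSize against RSize for each section before dumping), as an added example that is not part of the thread: a Python check of the PE section table that flags sections whose in-memory size dwarfs their on-disk size and reports how large a full memory dump would be. The header it runs on is constructed for illustration; the section names, sizes and thresholds are assumptions, not values from the file discussed here.

```python
import struct

# IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")
COFF_HEADER = struct.Struct("<HHIIIHH")  # 20 bytes, follows "PE\0\0"


def parse_sections(pe):
    """Return [(name, vsize, vaddr, rsize, rptr)] from a PE image's headers."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if e_lfanew + 24 > len(pe) or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = \
        COFF_HEADER.unpack_from(pe, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsections):
        off = table + i * SECTION_HEADER.size
        if off + SECTION_HEADER.size > len(pe):
            raise ValueError("section table runs past end of file")
        name, vsize, vaddr, rsize, rptr, *_ = SECTION_HEADER.unpack_from(pe, off)
        sections.append((name.rstrip(b"\0").decode("latin-1"),
                         vsize, vaddr, rsize, rptr))
    return sections


def inflated_sections(sections, min_gap=0x100000, ratio=16):
    """Sections where VirtualSize exceeds SizeOfRawData by a wide margin.

    SizeOfRawData is rounded up to the file alignment, so a small negative
    gap is normal; small zero-filled data sections stay under min_gap.
    Both thresholds are assumptions to tune per corpus.
    """
    hits = []
    for name, vsize, _vaddr, rsize, _rptr in sections:
        gap = vsize - rsize
        if gap >= min_gap and vsize >= ratio * max(rsize, 1):
            hits.append((name, vsize, rsize, gap))
    return hits


def dump_span(sections, alignment=0x1000):
    """Bytes a full image dump would cover, from image base to last section end."""
    end = max((vaddr + vsize for _n, vsize, vaddr, _r, _p in sections), default=0)
    return (end + alignment - 1) // alignment * alignment


def build_sample():
    """Constructed header only: DOS stub, PE/COFF header, three section headers."""
    e_lfanew, opt_size = 0x80, 0xE0  # optional header left zeroed in this sample
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    layout = [  # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
        (b".text", 0x3000, 0x1000, 0x3000, 0x400),
        (b".data", 0x800, 0x4000, 0x200, 0x3400),
        (b".pad", 0xB00000, 0x5000, 0, 0),  # zero-filled padding section
    ]
    coff = COFF_HEADER.pack(0x14C, len(layout), 0, 0, 0, opt_size, 0x010F)
    table = b"".join(
        SECTION_HEADER.pack(n, vs, va, rs, rp, 0, 0, 0, 0, 0xC0000040)
        for n, vs, va, rs, rp in layout)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table


if __name__ == "__main__":
    secs = parse_sections(build_sample())
    for name, vsize, rsize, gap in inflated_sections(secs):
        print(f"{name}: VSize={vsize:#x} RSize={rsize:#x} gap={gap:#x}")
    print(f"full dump would span {dump_span(secs):#x} bytes")
```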

^DAEMON^
November 7th, 2001, 03:11
hahahahaha na the 11mb isn't a trick, r!sc coded this shit don't know why he didn't use virtualalloc ? anyway hrm i don't release the protector i always just give out a few files, this way no one can do an unpacker

^DAEMON^

-------------------------------
love me hate me fuck me
-------------------------------

evaluator
November 7th, 2001, 17:11
Hi Daemon!

I understand, why you won't publish your protector.
Also you can understand, why is not interesting deprotecting
SOME file.
!INTRIGUE NEEDED! Once again:
if you will upload here self-protected protector,
it will very interesting to deprotEto! (at least Previous_Version)

One critical note
Your protector is extraordinary &+but nonSOLID!

Here I submit dump file with one reconstructed Imported Function.
So can be reconstructed all others... I set OEP not 410000...
In other way, we can also reconstruct jump_table & calls to jump_table.

Question:
Does your protector
A. move jump_table &
B. change calls in program code for this?
Or you make it manually!?

GOTO post10825

^DAEMON^
November 8th, 2001, 02:04
the import wrapper can be configured

options are:

-no mutation (let import table where it is, if 1 then jmp table is mangled)
-wrap api calls
-wrap all (normally random choosen if not 1)

i've got a test in 3 weeks, so no time for this project! i'll improve it soon there are a lot of things need to be done!

^DAEMON^

evaluator
November 13th, 2001, 07:31
Hi, Daemon!

As I found same IAT-redirection trick uses also telock98(at least).
My question is for history purpose:
How is author of this trick?

Hi, Tsehp!
If Solodovnikov will add this trick to ASPRotect...
You can close your RV project...
OR you must force your tracer to trace until real EXPORT. Is this possible???

My suggestion:
1. Lets make big pause in RV project!
2. Collect new anti-tricks
3. Come back with turbo-enhanced RV

^DAEMON^
November 13th, 2001, 08:02
hmmmm 98% of the code is done by myself.... just very few tricks i have stolen from "k-kryptor"... all other i've done on my own...

the disassembler borg is something special it can't even be dumped if i don't protect the file!

anyway 3 weeks to go for my test...

iam pretty sure all of u will like the latest version....
200kb of poly code etc...
better anti-dumping
more code mangling
etc...

/me tries to kick your asses

^DAEMON^

---------
THE BIG PINK PUSSY IS BACK!
---------

+SplAj
November 13th, 2001, 08:37
^DAEMON^

GOOD LUCK

Bengaly
November 13th, 2001, 09:34
Yeah yeah relly good luck,
whatever u do Deamon,
Splayi and Tsehpi will kick it :-)
keep scramble and put more unneccery code in it and it will be even more nOneffective :-)

"Everything has a Flaw that's how the light gets" it heheh :-))

have fun

^DAEMON^
November 13th, 2001, 09:57
bengaly how often should i tell u ??!?! eh ?
EVERYTHING CAN BE BROKEN!
THERE IS ALWAYS THIS RULE:

IF CODE = EXECUTEABLE THEN BREAKABLE!!!!

i can only improve it and make it harder!!!
and i'll do....

hmmmm also i think they like the protector, hopefully

so long, the test is going to be really hard
wish me luck!

^DAEMON^

+SplAj
November 13th, 2001, 11:06
^DAEMON^

I did mean *good luck* with the EXAM

but you can kick bi-tarts butt for luck though

Bengaly
November 13th, 2001, 12:29
hehehe...

anyway DEAMON, than make it Profitble if its hard to unpack or so, just like aspack...
it will be handy u know
cya

^DAEMON^
November 15th, 2001, 07:35
maybe even some of u have got a few ideas....
about anti-debugging other ways to detect soft-ice
(then i do)

or some usefull tricks
maybe anti-dumping without modifying pe-header or api-hooking
every information can be usefull

maybe some tips for better import wrapping ???

^DAEMON^

Lord_Soth
November 15th, 2001, 12:19
DAMN DUDE!!

That's a VERY nice animation

tsehp
November 15th, 2001, 16:25
Quote:
Originally posted by evaluator
Hi, Daemon!

As I found same IAT-redirection trick uses also telock98(at least).
My question is for history purpose:
How is author of this trick?

Hi, Tsehp!
If Solodovnikov will add this trick to ASPRotect...
You can close your RV project...
OR you must force your tracer to trace until real EXPORT. Is this possible???

My suggestion:
1. Lets make big pause in RV project!
2. Collect new anti-tricks
3. Come back with turbo-enhanced RV


sorry but it seems that you really don't know how rv works...
let me explain :
I first coded some disasm code to fix the first schemes, first instr api executed then jmp to real api, or api call redirected, and it was working fine, just like imprec on first days.

Then aspr, vbox and other schemes began to mangle their iat calls, it was almost impossible to code a disasm to decrypt/demangle them, so the tracer was began 10 days after first rv version.

Actually, 90% of my work is focused on the tracer, just because when this tool runs, it gets the first priority on the system and executes the apps, iat calls, everything.

This tracer serves iat resolving, and the only way to avoid it to go inside the api is to emulate the api... alexey made a first attempt with simple ones, but I also emulated them, so this was easily fixed. If someone tries to emulate all of them, he will have to build a different version for every kind of windows and every build

Like theOwl said in past posts, the tracer is a very important tool, It can also be used to dump programs, just like icedump on win9x, and later could also be used to build a boundschecker-like program, used to make all kind of reports you want, maybe opening it's behaviour and make it react with a script language could be very interesting.
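
The "first schemes" tsehp describes above (an IAT entry redirected to a stub that jumps to the real API, or that runs the API's first instruction and then jumps into its body), as an added example that is not RV's code or part of the thread: a static Python resolver for a redirected entry as seen when analysing a packed sample. The export map, addresses and stub bytes are constructed, and the resolver assumes copied prologue bytes are verbatim; a mangled stub returns None, which is the case that needs a tracer.

```python
import struct

# Constructed export map: address -> (name, first bytes of the function).
EXPORTS = {
    0xBFF77000: ("KERNEL32.ExitProcess", bytes.fromhex("558bec83ec10")),
    0xBFF78000: ("KERNEL32.GetVersion", bytes.fromhex("64a118000000c3")),
}


def _rel32_target(stub, stub_va, op_off):
    """Destination of an E9 rel32 jump located at op_off inside the stub."""
    (rel,) = struct.unpack_from("<i", stub, op_off + 1)
    return (stub_va + op_off + 5 + rel) & 0xFFFFFFFF


def resolve_stub(stub, stub_va, exports, max_stolen=8):
    """Return (export_name, scheme) for a redirected IAT entry, or None."""
    # Scheme 1a: the stub is just "jmp api".
    if len(stub) >= 5 and stub[0] == 0xE9:
        tgt = _rel32_target(stub, stub_va, 0)
        if tgt in exports:
            return exports[tgt][0], "jmp"
    # Scheme 1b: "push api; ret".
    if len(stub) >= 6 and stub[0] == 0x68 and stub[5] == 0xC3:
        (tgt,) = struct.unpack_from("<I", stub, 1)
        if tgt in exports:
            return exports[tgt][0], "push-ret"
    # Scheme 2: k bytes of the API prologue are copied into the stub, followed
    # by a jump to api+k. A candidate is accepted only if the copied bytes
    # match the export's own prologue, which filters out stray 0xE9 bytes.
    for k in range(1, max_stolen + 1):
        if k + 5 > len(stub) or stub[k] != 0xE9:
            continue
        start = (_rel32_target(stub, stub_va, k) - k) & 0xFFFFFFFF
        if start in exports and exports[start][1][:k] == stub[:k]:
            return exports[start][0], f"stolen-{k}"
    return None


def make_jmp(from_va, to_va):
    """Encode 'jmp to_va' (E9 rel32) as it would sit at from_va."""
    return b"\xE9" + struct.pack("<I", (to_va - from_va - 5) & 0xFFFFFFFF)


STUB_VA = 0x00F00000  # constructed address where each sample stub is loaded
SAMPLE_STUBS = {      # constructed stubs, one per scheme
    "jmp": make_jmp(STUB_VA, 0xBFF77000),
    "push-ret": b"\x68" + struct.pack("<I", 0xBFF78000) + b"\xC3",
    # push ebp; mov ebp, esp copied from the export, then jmp to export+3
    "stolen": bytes.fromhex("558bec") + make_jmp(STUB_VA + 3, 0xBFF77003),
    # mov eax, imm32; xor eax, imm32; jmp eax: target is computed at run time
    "mangled": bytes.fromhex("b8112233443555667788ffe0"),
}


def resolve_all():
    """Resolve every sample stub against the constructed export map."""
    return {label: resolve_stub(code, STUB_VA, EXPORTS)
            for label, code in SAMPLE_STUBS.items()}


if __name__ == "__main__":
    for label, result in resolve_all().items():
        print(f"{label:9} -> {result}")
```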

tsehp
November 15th, 2001, 16:26
btw, Daemon, I have to thank you for your anti tracing features
that are actually solved.

can you do more please ? I feel I'm close to whatever was possible to invent, but I'm sure you can surprise me on a new version maybe ?

best regards,

tsehp

^DAEMON^
November 16th, 2001, 03:07
yeah sure i think i'll add r0-tracer instead of my lame "r3 engine" which is really damn slow ))

actual version is beta 6.5....

but wait i've got exam soon.... 2 weeks exactly

^DAEMON^

tsehp
November 16th, 2001, 03:22
and what will this change ?

^DAEMON^
November 16th, 2001, 03:27
@ least a nice speed improvement!
have u seen the carry flag trick in it ??? dp-teunlock....
maybe u have some advices for me

till then....

^DAEMON^

tsehp
November 17th, 2001, 06:41
carry flag ?
I only fixed the seh that is called to generate the key, used to decrypt the code after the loop that calls this seh itself (popfd with tf flag set)

rv was losing control after this.

can u locate me this carry flag trick inside dp-borg2 to see what happens ?

tia

tsehp

evaluator
November 17th, 2001, 16:32
Viva Tsehp!

Today I successfully tested your TRACER with these protections:

PCGUARD (latest)
TELOCK 0.98
PE-PROT 0.9
also DAEMON'S protected file "DP-Borg2.exe"

This is GREAT! For example "GUW32 v1.0 beta8" can't trace these apps.

Failed for trace:
PELOCKnt v2.04
DAEMON'S protected file "DP-tEunlock.exe"

***
Now my STORY about tracing unresolved IAT entries:
When in my WIN98SE I choose unresolved entry and click on TRACE command...
my PC immediately RESETS.
This is new for me in new version. In older versions RV and program only crashes.
End of STORY.
***

Shaolin
November 17th, 2001, 18:32
lol, another one wich has problems with latest RV on Win9x?
Wtf, all guys in here are using Win2k? I tested latest RV on a different comp with Win98, and if I select tracer it crashes the computer! Anyway, for Win95 users it can turn into a real drama, but I won't talk about this anymore because I don't want my post deleted again.

Woodmann
November 17th, 2001, 18:51
Go ahead post away. you have until Sunday night until I start deleting.

Woodmann

Lord_Soth
November 17th, 2001, 19:09
hey tsehp,

I've never used your tracer, or that of IceDump unfortunately..
Remember that I once asked you about a tracer, for a
tool I wanted to code ?
This that will work ?

LS

tsehp
November 17th, 2001, 20:28
Quote:
Originally posted by evaluator
Viva Tsehp!

Today I successfully tested your TRACER with these protections:

PCGUARD (latest)
TELOCK 0.98
PE-PROT 0.9
also DAEMON'S protected file "DP-Borg2.exe"

This is GREAT! For example "GUW32 v1.0 beta8" can't trace these apps.

Failed for trace:
PELOCKnt v2.04
DAEMON'S protected file "DP-tEunlock.exe"

***
Now my STORY about tracing unresolved IAT entries:
When in my WIN98SE I choose unresolved entry and click on TRACE command...
my PC immediately RESETS.
This is new for me in new version. In older versions RV and program only crashes.
End of STORY.
***


1- can you save me some time and send me url for pelock + dr-teunlock.exe please, I'll take a look.


2-when the tracer doesn't find a valid api address, or is simply leaded to a ret into special iat entry, it just rets and goes wild.
Windows just can't intercept it, because of ring0 privileges and this simply leads to a reboot/bsod/crash
I had a lot when I first coded it and that's not finished, but never had some damages on my hd ;-)

I have to code a protection that will stop it before it rets out of iat entry pretty soon, that's why beta is still inside rv actual build...

spekkel already sent me sw3 that holds two crashing entries, I'll normally have the time to fix them sunday/monday.

regards.

tsehp
November 17th, 2001, 20:30
Quote:
Originally posted by Shaolin
lol, another one wich has problems with latest RV on Win9x?
Wtf, all guys in here are using Win2k? I tested latest RV on a different comp with Win98, and if I select tracer it crashes the computer! Anyway, for Win95 users it can turn into a real drama, but I won't talk about this anymore because I don't want my post deleted again.


Shaolin, before I begin again to delete your posts :

1-a really big bunch of users, including me uses this tracer on win98, so be professional and tell us :
-the app + url
-iat entry
-method you used
And you will be considerated, otherwise, deleted...

2-where did you see that rv was supported on win95 ?

evaluator
November 18th, 2001, 17:49
Hi, Tsehp!
"dp-teunlock.exe" is here! Cluesurf submitted
as attachment "dp-teunlock.zip"! Look at fourth replay in this thread.
(attachment.php?s=&postid=8939)

About "PELOCKnt v2.04" protection.
I have Gabler's old protector "PE-PROT v0.9"
This file is first time internally protected (2nd section),
then with "PELOCKnt v2.04", then selfprotected.
From start to 407000 RVtracer is successfull, then crashes.
You can find "PE-PROT" at "exetools.com".

Shaolin
November 18th, 2001, 18:03
evaluator, as far as i know PE-PROT doesn't mess with import table, but I might be wrong.
tsehp, the *tracer* hangs on my Win95 with any packer/protector I tried...Now I understand the problem and why it crashes like that, and it's indeed quite difficult to find a reliable solution...Anyway, I think u shouldn't have done of it a PUBLIC beta, but only a beta for your betatesters. ehrm, enough critics hope u will fix that soon

Shaolin
November 18th, 2001, 18:08
oh, were did I see that RV is supported on Win95?
Well, a quote from your "Documentation":

added an auto kernel patcher, so revirgin should work on every win9x past and future versions.
When someone says Win9x I also think at Win95 anyway.

evaluator
November 19th, 2001, 02:12
Shaolin
In this case I wrote not about resolving import
but about tracing app. from start to OEP.
This is another tracer.
And finally, why you are unregistered?

tsehp
November 19th, 2001, 02:34
Quote:
Originally posted by Shaolin
oh, were did I see that RV is supported on Win95?
Well, a quote from your "Documentation":

added an auto kernel patcher, so revirgin should work on every win9x past and future versions.
When someone says Win9x I also think at Win95 anyway.


yes, you're right.
But I actually have 3 partitions : win me , win2k server and win xp.
It's pretty time consuming to make a support on win98 + win2k as long as win98 will disappear. So I wont be supporting for win95, you should better upgrade at least to win98se or win2k pro.

^DAEMON^
November 19th, 2001, 08:05
hi tsehp,

hmmm maybe u allow me a personal qwestion,
how old are u ??? (me is just interested)

(iam 21)

^DAEMON^

tsehp
November 19th, 2001, 13:39
I'm older than arthaxerxes which is 14 , and younger than splaj, which is 65

tsehp
November 19th, 2001, 15:49
me too !

Ok, I'm 33 . Remember my past comment : I'm too old for this ;-)

Daemon, your dp-teunlock just kills my tracer after 0x10000000 instructions traced...

I think I'm not gonna sleep tonite...

Seems like an exception that dp self generates, I'll take a look.

+SplAj
November 20th, 2001, 03:18
I did not know I was this young.

^DAEMON^
November 20th, 2001, 06:35
hiho some nice news, maybe ur interested

hmmmm perhaps u figured out that i've implemented an oldschool trick to prevent /protect on..... just disabling the screen for a short amount of time.... so now yesterday i found a way while playing around to stop icedump popping up on accesses to idt u'll get the example soon!

^DAEMON^

evaluator
November 20th, 2001, 08:12
Tsehp!
dp-teunlock.exe very often crashes under debuger. I think,
here can be some BUG, because DP-Borg2.exe not crashes!
So forget it and wait for new DP version.
How about PELOCKnt? Did you solve problem?
If you want, I will upload here problematic files (35kb zip).

tsehp
November 20th, 2001, 08:57
Quote:
Originally posted by ^DAEMON^
hiho some nice news, maybe ur interested

hmmmm perhaps u figured out that i've implemented an oldschool trick to prevent /protect on..... just disabling the screen for a short amount of time.... so now yesterday i found a way while playing around to stop icedump popping up on accesses to idt u'll get the example soon!

^DAEMON^


I already notified theOwl about your /protect on trick, that actually works against 6.024 icedump. he will surely make the necessary changes. I'm still on your #$*&&$ of dp-teunlock
grrrr ;-)

pretty good work, instead.

regards,

tsehp

tsehp
November 20th, 2001, 08:59
Quote:
Originally posted by evaluator
Tsehp!
dp-teunlock.exe very often crashes under debuger. I think,
here can be some BUG, because DP-Borg2.exe not crashes!
So forget it and wait for new DP version.
How about PELOCKnt? Did you solve problem?
If you want, I will upload here problematic files (35kb zip).


thanks but I can't stand the following thing :
icedump manages to trace anyway, and not rv, and I'm about to locate the guilty instr around 0xf06900 0xf069ff...

Let me fix my bug and then I'll look at pelock, one thing at a time
;-)

^DAEMON^
November 20th, 2001, 09:39
hehehe sleepless nights ???

hmmm i already thought that someone will tell the owl about the detection.... on the other hand i don't know if he is able to protect against that! so maybe iam in the next whatsnew.txt *grins*

there is no need any longer to disable the screen... icedump just doesn't catch sidt instruction! new tricks....
/me tries to be l33t, hehehe (@ least i try)


^DAEMON^

8 years now of reversing....

exit_2
November 20th, 2001, 10:25
Hello Daemon,
EliCZ's DumpXDT accesses GDT (and goes ring 0) and icedump doesn't detect it.
I think it is maybe one year old prog and I think The_Owl know it.

Btw: I think it is not good solution switch prog from ring3 to ring0 with methods like IDT, LDT, DIV0 (lame c-dilla's trick) and etc. I think better way is use Kernel32!ord0001 calls (VxD calls) or VxD.

Exit

evaluator
November 20th, 2001, 10:32
Daemon!
I simple don't use "/PROTECT" option...

^DAEMON^
November 20th, 2001, 10:53
hi exit!

haven't seen u a long time ähm i don't switch to r0!
it's just for detecting sice and icedump.... i don't manipulate therefore somethin....

(okay but only for anti-bpx)

^DAEMON^

evaluator
November 20th, 2001, 17:25
Splaj's revirgined file crashes under
my win98se. Here I submit more "virgin" one.

evaluator
November 20th, 2001, 18:01
Hey-hey, Splaj!
Only now I check your "SPLAJ-teunlock1.exe"
& it is broken file!
Here works only 3 import functions, because
their JMPs are not mangled!
You must repoint also mangled JMPs to new
IAT location!

tsehp
November 20th, 2001, 21:22
Quote:
Originally posted by ^DAEMON^
hiho some nice news, maybe ur interested

hmmmm perhaps u figured out that i've implemented an oldschool trick to prevent /protect on..... just disabling the screen for a short amount of time.... so now yesterday i found a way while playing around to stop icedump popping up on accesses to idt u'll get the example soon!

^DAEMON^


yes in on port 3c5
or al,20
out port 3c5

black screen.

not triggering while latest icedump 6.024 traces your app, but triggering on rv :-(

tsehp
November 20th, 2001, 21:23
Quote:
Originally posted by ^DAEMON^
hehehe sleepless nights ???



there is no need any longer to disable the screen... icedump just doesn't catch sidt instruction! new tricks....
/me tries to be l33t, hehehe (@ least i try)


^DAEMON^

8 years now of reversing....


/me thinks you didn't checked its source... it does make some emulation for sidt.

^DAEMON^
November 21st, 2001, 03:16
ooooopssss sorry but i did a mistake! in my source forget the last news....

shame on me

^DAEMON^

hmmm could u gimme icedump 6.024 ??? (would be nice)

evaluator
November 21st, 2001, 03:35
Yeah, Tsehp!
Why you wrote about new ICEDUMP??
I didn't said about it, because I was planning
surprise for Daemon's future DP version!
OK, you are lucky guy, Daemon!
I sent to you private message with URL.

^DAEMON^
November 21st, 2001, 07:04
thx!

hmmm i found icedump 5.17 nice! so i can add "SUPPORT" for this one too....


^DAEMON^

hmmm i'll check out the tracer later today... hopefully it worx with k-kryptor... let's see

evaluator
November 21st, 2001, 08:19
plEasE,plEasE,Daemon!
If you will kill ICEDUMP 6.024 tracer,
I will CRY! Don't be THE DAEMON!

BTW, what is a "k-kryptor"?
Newest cruel anti-DD, or old one?
& where I can found it?

tsehp
November 21st, 2001, 08:43
Quote:
Originally posted by ^DAEMON^
ooooopssss sorry but i did a mistake! in my source forget the last news....

shame on me

^DAEMON^

hmmm could u gimme icedump 6.024 ??? (would be nice)


latest icedump is always at
icedump.tsx.org

I wonder what you used to also cause a problem to the rv win2k version, I'll find out ;-)

tsehp
November 21st, 2001, 08:45
Quote:
Originally posted by evaluator
Yeah, Tsehp!
Why you wrote about new ICEDUMP??
I didn't said about it, because I was planning
surprise for Daemon's future DP version!
OK, you are lucky guy, Daemon!
I sent to you private message with URL.


no no, sidt support is here since long on icedump.

If I remember almost since the tracer was coded.

I just added mine since build 10 (still not available)

evaluator
November 21st, 2001, 13:50
Ye-Yo, Daemon!
Today I had free time & MASTRUBATO DEPROTETO
also your DP-Borg2.
Have pFun!
Send your suggestions via...

^DAEMON^
November 21st, 2001, 14:33
hmmm i downloaded it @ least, but had no time yet to bring it to my puter @ home.... no emulator is 100% so time to search the bugs in their new tracer... hopefully i find a bug soon muahahaha

all of risc's latest programs were protected by k-kryptor!
like poxylok 1.3b and unsafedisc 2.30.31 and those! get em and try to unpack them! k-kryptor is one of the best protections i know of! hats off r!sc and noodle!

^DAEMON^

evaluator
November 22nd, 2001, 05:51
WOW, Tsehp!
I check K-Kriptor &&
this is crasy one!
It crashes ICEDUMP's tracer!
And your RVtracer also!
It first emulates part KERNEL export instruction
and then jumps to this instruction!
I have downloaded "UnSafedisc" from
www.programmerstools.com (in august)

^DAEMON^
November 22nd, 2001, 08:13
hehehe i've got several betas of k-kryptor and a unpacker for each beta

sorry but i can't spread em! some dudes out there have got my unpackers.... maybe u are lucky and get em...

k-kryptor.k2 + unpacker
k-kryptor.k4 + unpacker
k-kryptor.k5 + unpacker
k-kryptor.k8 + rebuilder
k-kryptor.k9 (this one i don't own ) but a nice workin unpacker

i totally bored r!sc to death.... he doesn't gave me any new beta...

^DAEMON^

tsehp
November 22nd, 2001, 08:45
Quote:
Originally posted by evaluator
WOW, Tsehp!
I check K-Kriptor &&
this is crasy one!
It crashes ICEDUMP's tracer!
And your RVtracer also!
It first emulates part KERNEL export instruction
and then jumps to this instruction!
I have downloaded "UnSafedisc" from
www.programmerstools.com (in august)


I'll surely have work in the future when I'll be finished with dp-teunlock.

TheOwl doesn't answer me about dp-teunlock...
But he's surely reading those threads regularly so it will surely be updated pretty soon.

It's great to find such protections before having to deal with them inside aspr or vbox.

btw, can't access protools.cjb.net since yesterday, can u ?
are there "replacement" servers for suddendischarge or other alternatives to protools ?

cia,

^DAEMON^
November 22nd, 2001, 10:24
hi tsehp, seems that they are down! also codersdomain
the only one active is exetools.com
sad but true!


^DAEMON^

tsehp
November 22nd, 2001, 16:53
I asked woodmann if he's ok to help them a little. We'll see.

dp-teunlock : on w2k, my tracer crashes at f0639f , just because here the code is invalid (bad decrypted)
you maybe have used a trick to detect it, and then a bad key is used to decrypt those instructions...
almost the same than dp-borg2 , but maybe not with the int1 called in single step mode that was calling the seh and generating the key to decrypt the code further.

I'm getting closer.... Nice tricks

evaluator
November 22nd, 2001, 20:41
Yeah!
K-Kryptor is TERRIBLE!
But I'm also!
Daemon, check me file if all is ok, please.
Unfortunately I have not "safedisc"-protected
files and can't check if all is OK.

So I traced into program and wrote
"IT.TXT" for RV. Then RV created for me "IT.BIN",
I paste BIN in DUMP &&& then I BUILD NEW
JUMP TABLE.

EnjoE guys with latest art of
MASTRUBATO DEPROTETO 8)

p.s.
not FindCloseChangeNotification but
CloseHandle must be in my IT.

^DAEMON^
November 23rd, 2001, 03:33
some nice k-kryptor stuff for the weekend

grrr filesize too big - error i'll add it to another location on the board
and paste the url afterwards here

^DAEMON^

^DAEMON^
November 23rd, 2001, 04:45
k-kryptor.k4+my k-unkryptor.k4

^DAEMON^
November 23rd, 2001, 04:49
k-kryptor.k5+ my k-unkryptor.k5

evaluator
November 23rd, 2001, 05:35
Hi,Daemon!
This versions of K-Kryptor are from good old time!
They don't know about CODE MANGLING and WIN-EXPORT RIPPING!
This EXPORT RIPPING is terrible~:0! Since yesterday I'm shocked!
As I presumed, this type of protectors (also probably your DP)
can't handle RDATA-like sections, only IDATA can, OK?

Tsehp, Daemon!
Let's close this thread, because it is too big.
We simple can continue in new thread...
{;called: "We was talking about Mojo;}

Tsehp!
1. Seems, you again waste time on dp-untelock...Forget it!
I think, it probably contains bug. Reason: Latest DP-Borg not crashes!

2. If would you like, let's make vendetta-thread: "PROTECTOR'S DEADFIELD"
in PROJECT AREA.

^DAEMON^
November 23rd, 2001, 06:00
evaluator,

hmmm a new thread would be great!
hmmmm dp-teunlock has NO BUG!
i assume that it's crashing somewhere inside the tracer!
dp-borg doesn't have this feature any longer!
therefore it loads much faster

loading a 1 mb exe with my protector took about 1.5minutes in beta 6.0!

and yeah the stuff is pretty old BUT! take a look @ it!!!

^DAEMON^

^DAEMON^
November 23rd, 2001, 06:51
disassembly of poxylok

it's a rar file renamed to zip, k ????

^DAEMON^
November 23rd, 2001, 06:52
binary file of the import loader of poxylok

^DAEMON^
November 23rd, 2001, 06:53
hiya all,

1. ähmm i !REALLY! don't know WHY IAM DOING THIS HERE !!!!
i didn't want to give these files out... anyway those files are pretty old
already, so hopefully risc and noodle don't get angry! and guys take a look
@ this shit here!

2. u can't compare those versions of k-kryptor to those
today exist, anyway it was a really nice game for me (unpackers)

i've included a nearly complete disassembly of poxylok which is actually
protected by k-kryptor.k9 (beta9)

3. i don't rel. the other stuff i've done! (sorry


4. decrypted.bin is the "decrypted & unpacked" import loader of poxylok...
take a look here

^DAEMON^ - 22.11.01

(k-unkryptor.k9 has got around +2000 lines of code ;-)

PS: RISC please don't be angry with me!

evaluator
November 23rd, 2001, 18:41
OK, today I MASTRUBATO DEPROTETO also "SafediscV2.30.31Dumper".
Daemon, submit another files protected
with your newest beta.

I will eat...

BTW, tutor needed?8-0

tsehp
November 23rd, 2001, 19:00
Quote:
Originally posted by ^DAEMON^
evaluator,

hmmm a new thread would be great!
hmmmm dp-teunlock has NO BUG!
i assume that it's crashing somewhere inside the tracer!
dp-borg doesn't have this feature any longer!
therefore it loads much faster

loading a 1 mb exe with my protector took about 1.5minutes in beta 6.0!

and yeah the stuff is pretty old BUT! take a look @ it!!!

^DAEMON^


sure dp-teunlock has no bug, but I have to finish this one, as icedump manages to trace it on w9x, and I want the same result on w2k, just to finish all possible known emulations...

I think I've located the trick, I'll see ya on the new thread.

evaluator
November 24th, 2001, 04:11
Daemon!
Can you submit here following files
"deprotected" with your "k-unkryptor.k9":
1. "SafediscV2.30.31Dumper"
2. "SafediscV2.30.31Rebuider"
Simply, I want to compare with my work.

^DAEMON^
November 26th, 2001, 03:04
hi evaluator
as long as i don't get the whole k-kryptor.k9 i won't do anything!
anyway i had a great weekend! i've tested icedump 6.0.2.4 this weekend... and found already several "BUGS"

new /tracex detection
and
new icedump detection

etc.....
ähmmm where do u wanna post the new thread, tsehp ???

^DAEMON^

tsehp
November 26th, 2001, 13:06
well do it there it's not a problem.

dp-teunlock should be traced as there are no new tricks.
But you use drX to contain the key, used to decrypt the code later, and rv is actually crushing the drX just at the first seh's instruction (called by the int 6)

that's why it's crashing, I'm actually figuring out why the debug registers from context_record contain bizarre values under rv

regards.
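
The failure described in the post above, modelled as an added example that is not part of the thread and is not code from rv or dp-teunlock: a key kept in DR0-DR3 survives only if the tracer gives the traced program its own shadow copy of the debug registers. The XOR cipher, class names, key and address are all assumptions made for illustration.

```python
# Toy model, not the protector's or the tracer's real code. All values constructed.
from dataclasses import dataclass, field

PLAINTEXT = bytes.fromhex("5589e583ec10c9c3")                  # constructed code bytes
GUEST_KEY = [0x11223344, 0x55667788, 0x99AABBCC, 0xDDEEFF00]   # constructed DR0-DR3 key


def xor_with_dr(data: bytes, dr: list) -> bytes:
    """XOR data with the little-endian bytes of DR0..DR3 (toy cipher)."""
    key = b"".join(v.to_bytes(4, "little") for v in dr)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


ENCRYPTED = xor_with_dr(PLAINTEXT, GUEST_KEY)


@dataclass
class NaiveTracer:
    """Shares the hardware debug registers with the traced program."""
    hw_dr: list = field(default_factory=lambda: [0, 0, 0, 0])

    def guest_writes_context(self, dr):      # SEH handler stores the key in CONTEXT
        self.hw_dr = list(dr)

    def step(self):                          # tracer arms its own breakpoint in DR0
        self.hw_dr[0] = 0x00401000           # constructed address

    def guest_reads_context(self):           # next SEH handler reads CONTEXT.Dr0-Dr3
        return list(self.hw_dr)


@dataclass
class ShadowingTracer(NaiveTracer):
    """Keeps the guest's DR0-DR3 in a shadow copy the tracer never touches."""
    shadow: list = field(default_factory=lambda: [0, 0, 0, 0])

    def guest_writes_context(self, dr):
        self.shadow = list(dr)

    def guest_reads_context(self):
        return list(self.shadow)


def decrypt_under(tracer) -> bytes:
    tracer.guest_writes_context(GUEST_KEY)   # first exception: key goes into drX
    tracer.step()                            # tracer resumes the program
    return xor_with_dr(ENCRYPTED, tracer.guest_reads_context())
```

Under `NaiveTracer` only the bytes keyed by the overwritten DR0 come out wrong, which is enough to turn the following instructions into invalid code.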

^DAEMON^
November 27th, 2001, 02:41
hmmm but dp-borg is getting traced correctly ??? strange....
maybe i'll post a new version earlier than u have thought
(i've implemented the new tricks yesterday)

is this rv tracer available to the public ???
(need to download and search for bugs )

^DAEMON^

tsehp
November 27th, 2001, 18:14
I was talking about dp-borg two weeks ago.
The actual rv tracer is downloadable at home page, but only version 1.2 beta 9 public version.
When I have time to finish dp-teunlock the beta build 10 will be available with several new features.

cheers,

tsehp

evaluator
November 28th, 2001, 04:19
Tsehp!
You wrote:
"When I have time to finish dp-teunlock the beta build 10 will be available with several new features."

So you fixed also "PELOCKnt v2.04",
or you forgot it?

tsehp
November 28th, 2001, 04:55
Did I say I was working on PELOCK ?

^DAEMON^
November 28th, 2001, 05:11
hehe, strange that no one gave me more tips on anti-debugging ))
just don't know why....

arg 2 days to go till EXAM!
grrrr
^DAEMON^

evaluator
November 29th, 2001, 05:26
Daemon!

GENERALLISSIMO tip for anti-debuging & protecting:

_F_O_R_G_E_T_ _I_T_!_

^DAEMON^
November 29th, 2001, 05:33
hehehehe yeah, maybe....
anyway iam closing the doors SOON...!

^DAEMON^

^DAEMON^
November 29th, 2001, 10:56
good god, the fear of the test tomorrow is killing me.....
can't touch the keyboard any longer.... cold sweat!!!!!

shit can't sleep tonight
help me!!!!!!!
^DAEMON^

tsehp
November 29th, 2001, 14:07
And last night my 2 months old kid had a terrible nightmare and...

for godsake, create a related thread on off topic section, on this place we stick to rce talking.

thanks a lot.