PDA

View Full Version : Unpacking PELocknt v2.04 (modified by Xoanino)...?


DGR
November 6th, 2001, 14:54
I'm a complete newbie at unpacking, but I have this program packed with the thing mentioned above. Now I'm running Windows2000 (and soon XP) and this packer doesn't work on 2k :/ Now I wanted to see if it's possible to unpack it, but since I only have win2k installed that would mean I also have to install Windows98.

So, is it possible to unpack this... has anyone done it in the past... does anyone have some tutorials/info I can read before attempting. (Basically I want to know if it's possible/done so that I don't start installing Windows98 for nothing, hell... can hardly believe I'm gonna install 98 just for this heh).

Tia and take care,

DGR

DakienDX
November 6th, 2001, 15:22
Hello DGR !

First of all, PELockNT works fine on Win95, Win98, WinNT4, WinNT5 ! I don't know what problems you've got on Win2000(perhaps running a debugger )

As far as I remember, unpacking PELockNT was a interesting, but also very long way.

If you want to, I can send you a unpacker by xOANINO for all versions.

DGR
November 6th, 2001, 16:58
Well, this is a version of PelockNT modified by Xoanino So his unpackers don't work (think I tried those) and maybe that's also the reason for it not working with win2k. Anywayz, I found a deprotected version of the file, running fine in win2k... so no need to install 98 again

Cheers for the help tho hehe

xoanino
November 9th, 2001, 06:21
Uahahahahhahahahahh Never thought to see a thread like this

You're trying to unpack Impact emulator, right ?

Anyway, let's see if i remember .... there's nothing trivial changed in pelocknt, just encryption keys of the various layers.....

If you have the source code to my unpacker (u should, coz i distributed it if i remember), try to change the keys to "SARA" (in hex) or "ARAS".... it should work that way.

And also the exe identifier tag, should be "SARA" or "ARAS", or the modified unpacker can't recognize the file.

As far as i remember, that should be the only changes needed.
Recompile the source and try.

peterg70
November 9th, 2001, 06:44
Hmm Impact Emulator.

Is that still around. I thought it was stopped from development??

Damn that was a good emulator just wished it had kept going in development.

A se la vita

DGR
November 9th, 2001, 12:03
Hehe, it was indeed the Impact emulator

Well, it was hard to find any nfo on unpacking pelocknt in general, let alone with the mods u added Xoanino but in the end appearantly it was quite easy. But yes, impact works fine now on 2k and that was the only reason for me wanting to unpack it.

Thanks for the reply tho Xoanino, I think I might unpack it for fun later newayz

Take care,

D.

^DAEMON^
November 16th, 2001, 08:41
nice to see xoanino is still alive! hmmm never tried pelocknt but anyway each protection can be broken.... maybe if there is no poly layer u don't need an debugger... just a disassembler!
disassemble - cut & paste -> emulate everything

^DAEMON^

DakienDX
November 16th, 2001, 10:38
Hello ^DAEMON^ !

If this task would be so easy, why should we use SoftICE?

"just a disassembler" - and an assembler, or do you calculate fifty xor, add, sub, ror, rol, ... in you hex-editor?

Nice avatar! I remember having seen it somewhere, but I don't know where at the moment.

^DAEMON^
November 16th, 2001, 15:25
hmmm just copy and paste that's enough, u can defeat EVERY protection this way (just emulate the shit)

worx perfectly for k-kryptor...

^DAEMON^

DakienDX
November 16th, 2001, 15:44
Hello ^DAEMON^ !

I don't know k-kryptor. Would you mind to tell me where I can find it and how to 'emulate' everything?
Why "just copy and paste"? I don't understand that. Perhaps I do if I find k-kryptor.

Btw: What do you mean by your signature?

---------------------------------
THE BIG PINK PUSSY IS BACK
---------------------------------

My signature is pink and you use my avatar. I know, everyone registered here can use it. But what do you want to say with that?

Unknown One
November 17th, 2001, 13:45
Hi

First I would like to greet Daemon and Xoanino for their great work on unpackers!

Now about the cut and paste stuff while coding unpackers. Someone asked before a year in UCF's channel about unpacker for the modified by Xoanino PELOCKnt. I got the file (it is the same Impact emulator) and began to analyze it.

I already wrote in this forum about using only disassembler to defeat protector and I made decrypting of the PELOCKnt layer (only) using w32dasm, hiew and my lovely tool MOW.

PELOCKnt (as most protectors) uses a lot of fake jumps to make tracing longer and annoying so I removed them everytime I removed an internal encryption layer using MOW by Stonehead (an modified version where I added some more macros used in newer protectors: EB02CD20 for example :-)

After MOWing the file I ripped the first layer to my program (it is DOS asm code which loads last section of the file, processes it and writes back to the file :-). Then ran my program on the crypted file (always working with copy of it). These steps are done until all startup internal decryption layers were ripped.

After ripping the last internal layer I used again MOW to get the whole protector layer cleaned (of course manual cleaning with MOW is required for some fake jumps

Analyzing the rest of the protector part (after the internal decryption layers) took me some time but I found the changed encryption keys (as Xoanino already wrote) and changed them in his great unpacker. After simple recompiling and running it on the Impact emulator I got it decrypted (still compressed with PE-PACK 0.99 - greets to ANAKiN for his best implementation of aPLib - it still beats most packers using even the latest version of this compression library).

The rest of unpacking is easy :-)

BTW the PELOCKnt 2.04 works under win2k I did all unpacking job under this OS and tested if the file works of course.

If anyone is interested I can send him my DOS source and some text files with the ripped parts of the modified PELOCKnt.

The part where Daemon talks about cut'n'paste and emulating is interesting when fighting with protectors which use SEH in their decryption code. Emulating means replacing all instructions that cause exception with a call of the ripped exception handler (Hi, Daemon :-)

I think that's enough about unpacking without using debugger. If there are any questions you can contact me at unknone@mail.com or on IRC.

Best regards
Unknown One/[TMG]

^DAEMON^
November 19th, 2001, 08:12
Hi dakien, i just took the avatar coz i think it's a nice one

the big pink pussy has nothin to do with you - just my quit message normally used in efnet.....

cut & paste is best u can do!
(hi UNO i'll come back SOON!)

k-kryptor can be found on all latest programs done by risc
like unsafedisc or poxylok.... u can find em everywhere....
just download em and try to break the protection u'll like it!

^DAEMON^

Unknown One
November 20th, 2001, 08:15
Some people asked be about tutorial on ungeneric unpacking and using disassembler only for cut and paste approach of coding unpackers.

There is a short example using disassembly of PELOCKnt 2.04 unmodified version (same for the modified Impact emulator). The source code given below is used on the modified PELOCKnt and works only for it because it reads part from the file at constant offset - no PE header analyze is done.

Tools used:
HIEW, TASM, MOW (with few macros added by myself - read at the end about them), text editor, hex calculator

1) Open in hiew the target file (PELOCKNT.EXE). Press enter twice until you get the disassembly view. Press F8 to show PE header and F5 to go to the entry point. You will see next code:

.00057000: EB03 jmps .000057005 -------- (1)
.00057002: CD20C71EEB03 VxDcall 03EB.1EC7
.00057008: CD20EA9CEB02 VxDjmp 02EB.1CEA
.0005700E: EB01 jmps .000057011 -------- (2)
.00057010: EB01 jmps .000057013 -------- (3)
.00057012: EB60 jmps .000057074 -------- (4)
.00057014: EB03 jmps .000057019 -------- (5)
.....

It's full of shits, isn't it? Better to go to the next step

2) Run MOW on the target file. Open the file PELOCKNT.NOP with hiew and go again to the entry point as done in 1). You will see next better looking code:

.00057000: 90 nop
.00057001: 90 nop
.00057002: 90 nop
.00057003: 90 nop
.00057004: 90 nop
.00057005: 1E push ds
.00057006: 90 nop
.00057007: 90 nop
.00057008: 90 nop
.00057009: 90 nop
.0005700A: 90 nop
.0005700B: 9C pushfd
.0005700C: 90 nop
.0005700D: 90 nop
.0005700E: 90 nop
.0005700F: 90 nop
.00057010: 90 nop
.00057011: 90 nop
.00057012: 90 nop
.00057013: 60 pushad

Now scroll down until you reach the first internal decryption layer. You will recognize it very easy (as in most protectors

(I removed most NOPs because they are waste of space)

.00057038: E800000000 call .00005703D -------- (1)
.0005703D: 90 nop
.00057041: 90 nop
.00057042: 5E pop esi
.00057043: 90 nop
.00057047: 90 nop
.00057048: 0F014EF4 sidt [esi][-000C]
.0005704C: 90 nop
.00057053: 90 nop
.00057054: 83C65F add esi,05F ;"_"
.00057057: 90 nop
.0005705B: 90 nop
.0005705C: 8BFE mov edi,esi
.0005705E: 90 nop
.00057061: 90 nop
.00057062: B90B260000 mov ecx,00000260B
.00057067: 90 nop
.0005706D: 90 nop
.0005706E: B487 mov ah,087 ;"К"
.00057070: 90 nop
.00057077: 90 nop
.00057078: AC lodsb
.00057079: 90 nop
.0005707F: 90 nop
.00057080: 32C4 xor al,ah
.00057082: 90 nop
.00057085: 90 nop
.00057086: 32C1 xor al,cl
.00057088: 90 nop
.0005708D: AA stosb
.0005708E: 90 nop
.00057091: 90 nop
.00057092: 49 dec ecx
.00057093: 90 nop
.00057099: 90 nop
.0005709A: 75D4 jne .000057070 -------- (1)
.0005708B: 90 nop

Now I will copy all that code with remove all NOPs and you will see that it is really easy to understand it (all hex opcodes are remove too and some labels are added):

.00057038:call .00005703D ; Call next line to get delta offset
.0005703D:nop
.00057042op esi ; ESI contains the delta offset
.00057048:sidt [esi][-000C] ; Maybe a/d trick? Who cares
.00057054:add esi,05F ;"_" ; ESI points to the area to decrypt
.0005705C:mov edi,esi ; EDI too
.00057062:mov ecx,00000260B ; Lenght of decrypt area
.0005706E:mov ah,087 ; Decrypt key
label_1:
.00057070:nop
.00057078:lodsb
.00057080:xor al,ah
.00057086:xor al,cl
.0005708D:stosb
.00057092:dec ecx
.0005709A:jne .000057070 -------- (1) ; jmp label_1

3) Now rip all that code in your assembler program (because it is really easy to it in asm). My example is DOS code. It opens the input file, moves file pointer to the pelock layer (because file size is bigger than one segment and I didnt wanted to waste my time with intersegment loader), reads 4000h bytes (pelocknt layer) into buffer and does the decryption (look at the end the whole piece of code). This is how looks decryption of the first layer which is copied and pasted into my source

mov ah,3fh
mov cx,4000h
lea dx,buffer
int 21h
mov read_len,ax

lea bp,buffer
cld
;======= Layer 1
lea si, [bp+009ch]
mov edi, esi
mov ecx, 0000260Bh
mov ah, byte ptr [bp+006fh] ; get the decryption key from the pelocknt layer
u1:
lodsb
xor al, ah
xor al, cl
stosb
dec cx
jne u1

After that the buffer is written at it's place in the file so you will have the ability to analyze it again.

4) Open with hiew again the file with the decrypted first layer and go to entry point, scroll a bit to find the code after the first layer. You will find again a code full of shits. Run MOW on it and analyze again with hiew. You will find the second decryption layer and just copy'n'paste it into your source

5) Repeat all previous steps until you get the whole pelocknt layer decrypted. Run MOW on it and disassemble it with your favourite disassembler (IDA should work without any problems on the file but w32dasm needs some modifications to be done to the PE header to get it to work - delete all sections before the PELOCKnt one and set it's section characteristics to e0000020h).

After disassembling and analyzing you will find all nice anti-debugging tricks that mister Marquis De Soiree used (sorry that I explained how to get into that too easy).

Now the full source code of the program that decrypts the PELOCKnt layer of Impact emulator:

.model tiny
.code
.386

crlf equ 0dh,0ah

org 100h
start proc
jmp begin

mess_01 db 'Modified PELOCK-NT 2.04 decryptor v1.00',crlf,'$'

f_name db 'DDD.EXE',00h
f_handle dw ?
read_len dw ?

begin: mov ah,09h
lea dx,mess_01
int 21h

mov ax,3d02h
lea dx,f_name
int 21h
jnc open_ok ; If not error - continue
jmp exit

open_ok:
xchg ax,bx ; BX is file handle
mov f_handle,bx ; Save it
mov ax,4200h ; SetFilePointer
mov cx,0002h ; Hardcoded position of PELOCK-NT layer
mov dx,3000h ;
int 21h ; Do it

mov ah,3fh
mov cx,4000h
lea dx,buffer
int 21h
mov read_len,ax

lea bp,buffer
cld
;======= Layer 1
lea si, [bp+009ch]
mov edi, esi
mov ecx, 0000260Bh
mov ah, byte ptr [bp+006fh]
u1:
lodsb
xor al, ah
xor al, cl
stosb
dec cx
jne u1


;======= Layer 2
lea si,[bp+0124h]
mov edi, esi
mov ecx, 00002583h
mov ah, byte ptr [bp+00f9h]
u2:
lodsb
xor al, ah
xor ah, cl
stosb
dec cx
jne u2

;======= Layer 3
lea si, [bp+0232h]
mov edi, esi
mov ecx, 00002475h
mov ah, byte ptr [bp+0207h]

u3:
lodsb
xor al, ah
xor ah, cl
stosb
dec cx
jne u3

;======= Layer 4
lea si, [bp+02dah]
mov edi, esi
mov ecx, 000023CDh
mov ah, byte ptr [bp+0296h]
u4:
lodsb
xor al, ah
mov bh, cl
and cl, 07h
ror al, cl
mov cl, bh
xor ah, cl
stosb
loop u4

;======= Get checksum


write_file:
mov ax,4200h ; SetFilePointer
mov bx,f_handle
mov cx,0002h ; Hardcoded position of PELOCK-NT layer
mov dx,3000h ;
int 21h ; Do it

mov ah,40h ; Write decrypted part
mov cx,read_len ;
lea dx,buffer ;
int 21h ;

mov ah,3eh
int 21h

exit:
mov ax,4c00h
int 21h
start endp

buffer label byte

end start

=========================================
Now about the macros I added to MOW:

EB03 - jump over next useless code
CD20?? - disassembled as VxDcall

These 5 bytes can be patched with NOPs

Adding a macro in MOW is easy:
SetM(440, #$EB+#$03+#$CD+#$20, 'ллллл');

Recompile it and you can use it on PELOCKnt.
Maybe there are some other macros I missed now (I lost the modified MOW source ) but you can find them when MOWing with the original version and looking with hiew.



That's all. Hope you will understand it.

Greetings to Xoanino, DAEMON, tE!, all friends in TMG, UG, UCF

Cheers
Unknown One/[TMG]

^DAEMON^
November 21st, 2001, 07:28
hey uno! hmmmm did ego talk to u already coz of the project ????

i'll be back soon, on irc!
^DAEMON^

xoanino
November 22nd, 2001, 09:58
Hi,
is this k-kryptor technique the same as Yado's krypton 3 (he calls his technique "k-exceution", so i presume its something similar) ?

Ehehehe ... well, if its that, i and another guy of the scene were developing a crypter using that "technology" (we called it "windowed execution" already 2.5 yrs ago. Then i spoke to yado about it on one of our usual chats on IRC, and krypton3 was born.

If this k-krypter is something similar, i presume it uses its own pager which executes blocks of memory, after descrambling/decrunching them... all driven by a more or less advanced SEH which catch page faults and loads the correct next page to be executed. Of course in this way, a cracker can't find the whole decrypted section/sections in memory once for all, but just the small part which is being executed at the moment. So if these new crypters works this way, well .... seems i had a good intuition, at least.

Anyway, i'd really like to see how those things are implemented ... since i never had the time/will to finish my own crypter. Maybe the other guy is still working of it, don't know. I left that project long ago after very little coding. No, i won't say who he his, but i doubt he reads this board, anyway.

I never attempted to analyze krypton3, or this k-kryptor, or anything else of the new "stuff"..... basically coz you folks tends to abuse with irritating and obfuscating code, fake jumps, etc.... and i get very very bored already in the beginning. I think you've the idea Usually, i tend to spend lot more time to "deobfuscate" the code in an IDA-readable form than to analyze the "real" part of the protection.

That's why i've, more or less, left.

To finish, in my opinion : use less obfuscating code, and spend more time on the "core" of the protection. In this way you can attract even old lazy people like me to "analyze" your (good) works.

Bye all! i'm glad to see someone remembers me sometimes

xOANINO

DakienDX
November 23rd, 2001, 10:40
Quote:
Originally posted by ^DAEMON^
Hi dakien, i just took the avatar coz i think it's a nice one

the big pink pussy has nothin to do with you - just my quit message normally used in efnet.....

cut & paste is best u can do!
(hi UNO i'll come back SOON!)

k-kryptor can be found on all latest programs done by risc
like unsafedisc or poxylok.... u can find em everywhere....
just download em and try to break the protection u'll like it!

^DAEMON^


Hello ^DAEMON^ !

OK. Apology accepted. I was confused a little bit when scrolling some posts and seeing my avatar all over the place.

Sorry for replying so late, but I wasn't home the last days.

^DAEMON^
November 26th, 2001, 06:30
no problem

^DAEMON^