Results 1 to 13 of 13

Thread: Loader making

  1. #1

    Smile Loader making

    Just trying to make a loader for a target packed with enigma. I cracked the application without unpacking it but not able to make loader for it.

    Sections are encrypted. Only when i put bp on getmodulehandleA api then section get decrypt and i can easily make patches.

    So is it possible to make loader in this kind of condition.

    Because if the section are not encrypted ..i make a loader easily but it get decrypt after putting bp on that api.

    any suggestions?

  2. #2
    Musician member evaluator's Avatar
    Join Date
    Sep 2001
    Posts
    1,489
    Blog Entries
    1
    search!
    for example, i remember Nico's work on crackme..

  3. #3
    i would suggest reading yates paper on creating loaders , link is at bottom of page
    http://www.reversing.dk/

  4. #4
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    For lazy bastards like me there are already made loader generators. Search the web for them. Also, go through Lena's video tutorials, she shows how to use the unpacker code segment to implement your own patches (Not a loader per se, but it works. . .

  5. #5
    |< x != '+' BanMe's Avatar
    Join Date
    Oct 2008
    Location
    Farmington NH
    Posts
    510
    Blog Entries
    4
    that is a brilliant!! the videos are great and the generators aren't that bad..
    but implementing code patching in the unpacker code segment is a excellent approach..
    especially for dumping,patching and so forth..the way I can see to do this "genericly" to packed programs that run the stub first, is to create the process suspended OpenThread GetContext change Selector to cause a GENERAL_PAGE_FAULT on Execution, do some fancy stuff with the error handler at fs:[0] to handle the GPF, SetContext ResumeProcess, this should pick up Execution of either thread or TLS or w/e this Break on Execution should yield to us the Fake OEP, we then just need to analyze the Unpacking routine find the decrypt with a little help from Branch checking and a Disasmbler we could make it auto patch the unpacking code sizeof(AlreadyRunCode) is all patchable and and reusable and it has done its job. :] from that vantage point you can analyze and patch as much code as you want..

    regards BanMe
    Last edited by BanMe; July 13th, 2009 at 02:13.
    No hate for the lost children;
    more love for the paths we walk,
    'words' shatter the truth we seek.
    from the heart and mind of Me
    me, to you.. down and across

    No more words from me, to you...
    Hate and love shatter the heart and Mind of Me.
    For the Lost Children;For the paths we walk; the real truth we seek!

  6. #6
    you guys are not getting exactly what i want. to make loader i know very well. but this situation is different. I have seen lena's tutorial. Easy to make because there is no encryption or decryption process. As i said above packed with enigma. Supose i want to patch

    va address 40201A and byte is there 35 and i want to change it to 36 ... easy by loader if there is no decryption process.

    but if the program is not in running state. the bytes at this VA 40201a are 00 .....which decrypt into 35 when i put bp on GetModuleHandleA So how to make loader in this condition. i tried to make loader like lena tutorial by adding byte to 35 to 36 and run ..it was giving error..... So now is there any help which i can expect ?

  7. #7
    Why bother with a loader? Can't you just unpack it and then patch it on disk?

  8. #8

    Smile

    ya i know by reading couple of tutorials i can unpack it. But in future enigma is growing day by day and unpacking becoming harder..so it would be good if i should have another option ....like without unpacking the target just crack that one by patching few bytes with the help of loader

  9. #9

    here

    http://www.reverse-engineering.info/PE_Information/Crackers_Guide_To_Program_Flow.pdf

    was the link i was thinking about
    http://www.reversing.dk/

  10. #10
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    Uhhmm. I think I get your problem. You need to make a loader that knows how long to wait and make sure the program is already decrypted before applying the patches. . .Right ?
    The loader should hook, either the code of enigma before the jmp to the OEP of the protected code, or hook an API that is called by the decrypted code and the decrypted code only, but it is called after the decryption takes place (obviously) but before the code to be patched is run.
    Variations on the theme include a hook in the loader code that is called frequently, examines the bytes to be patched, and detects when they get decrypted, then proceeds to patch. Or may be I still do not understand the question. Try harder to explain what you really need to do

  11. #11
    you are right Naides. Thanks God. now someone knows what i exactly want. To make simple loader by dup is easy just a 5 min job but this condition is little different.

  12. #12
    <script>alert(0)</script> disavowed's Avatar
    Join Date
    Apr 2002
    Posts
    1,281
    i don't understand. if you can trace it to the oep, why bother creating a loader at all? why not just dump the memory, fix the IT and the OEP, and be done with it?

  13. #13

    Smile

    yes i know by reading tutorials i can do but this time i am here for loader next time i will come with unpack issue with enigma if it would be the latest or vmprotect. Because couple of application i can crack without unpacking so there is no need to go in the forum and ask the same question how to unpack this and how to unpack that. If i can crak target without unpacking then i think its big achievement.

Similar Threads

  1. Replies: 3
    Last Post: January 16th, 2014, 13:48
  2. need help extracting files, making sense of results
    By cgmark in forum The Newbie Forum
    Replies: 7
    Last Post: May 29th, 2009, 14:31
  3. Need help making a keygen.
    By ljre24 in forum The Newbie Forum
    Replies: 2
    Last Post: January 6th, 2007, 20:25
  4. How about making a RE LiveCD?
    By Aquatic in forum Linux RCE
    Replies: 0
    Last Post: April 11th, 2006, 16:15
  5. help making ntice break on exception.
    By tinman in forum Tools of Our Trade (TOT) Messageboard
    Replies: 4
    Last Post: February 10th, 2003, 12:30

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •