Thread: Identify the target

  1. #1
    Mfriend
    Guest

    Identify the target

    Hi

    I'm quite new to RE ( about ~1/2 year ) and have found a very interesting target. Advanced Softice detection ( frogice, ntall, icedump, various anti-debugging tricks, and so on ).
    I'm pretty sure that the programmer ( some shareware author ) does not protect his software with "custom" tricks ( except CRC checking )

    - after some manual unpacking strings like "yoda" appeared in the dumped exe => he uses more than one packer.
    But the real interesting part follows:
    The target is one single exe ~ 1 Mb size. Dumped process is 60 Kb. This 60 kbyte ( I'm not finished with all the packer layers ) appears to be only some Loader/Unpacker for the real software which is encrypted in the 1 Mb exe file ( after the process image ).

    Guessing OEP for each layer is quite hard for me.. are there any other "generic" ways to recognize an OEP ?
    ( the only one I know of, and which appears on this board too is:
    POPAD
    RET )
    Well, and building up IT... I don't really know when I'm correct.. for some reason the target quits itself without any error - even with a completely messed IT.. ( perhaps I've missed some CRC/size check )

    Now - does anyone of the grand-crackers have an idea which protection this could be ? Reminds me somehow of "Himan 2" (securom v2. + "special tricks") where some dlls and other program parts are built up in memory by the encrypted executable.

    I have spent nearly an hour ( maybe too little ) looking for tutorials which explain how to crack multiple protected targets. Does anyone know of some resources I should look into, before I start asking questions here ?
    I have to admit.. I prefer to find it out by myself.. but this finding out has cost me nearly 2 weeks by now - and I really don't know if I'm on the right track ( unwrapping layer by layer ).
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Mfriend
    Guest
    update:

    a few further layers removed - I have also found a reason why IT didn't need any modification - All the packers ( so far ) have used the same functions which the first packer has used. ( yes I could have checked that in the first place ).
    It's like a matroschka - you open a doll - and there is another doll in there..

    Does no one recognize the protection ? ( Loader which loads an encrypted part in the same exe )

  3. #3
    The only protection I've seen which has an exe size of, say, a few meg, but when dumped, only outputs about 60kb has been a lame exe cryptor written in Delphi (forget the name). You didn't need to find the OEP or anything though as it decrypted the main part of the app to a temp directory on your hd and executed it from there. Of course, it deleted it afterwards.

    So my advice would be to use filemon and check that this is not happening - if the program is decrypting into memory, you can normally dump the entire memory range including the decrypted and crypted parts of the prog.

  4. #4
    Mfriend
    Guest
    No, filemon hasn't caught any suspicious file-access.

    And the loader ( it must be some loader ) confuses me a lot... mainly because it keeps detecting softice...

    another newbie question: how to hide current 4.2.7. Softice on W2k ?

    ntall fails
    nticeset fails ( tried to update pntice.ini, but without success )

    I have found several topics on this forum but nothing helping me much..



    SplAj says somewhere he has posted an "EliCZ macro set" ... but I've never found it.

    Maybe I should try to hide softice by my own first, before I start to crack right away ... but on the other hand.. why invent the wheel again ?

  5. #5
    Mfriend
    Guest
    addon:
    I have found out so far:

    -The loader process overwrites itself with the decrypted process which is hidden after the stored process image in the executable.
    ( process image size changes )

    -loader is heavily guarded by packers ( anti-debugging, anti-dumping )


    Where I'm stuck right now:

    these anti-softice tricks....

    so I change tactic and will try to patch my softice installation to remain undetected. This could take a few days...
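
The size mismatch described in posts #1 and #5 (a small loader image with encrypted data stored after it in the same file) can be measured statically during triage by locating the end of the last section's raw data and checking the entropy of what follows. This is an added example, not code from the thread; `pe_overlay` and `build_sample` are hypothetical names, and the sample file is constructed in the script.

```python
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8.0 suggest compressed or encrypted data."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_overlay(data: bytes) -> dict:
    """Measure the bytes stored after the last section's raw data (the overlay)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off, = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections, = struct.unpack_from("<H", data, pe_off + 6)
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size                           # first section header
    end = table + 40 * num_sections                          # headers belong to the image
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each header
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    end = min(end, len(data))                                # tolerate truncated files
    overlay = data[end:]
    return {"image_end": end, "overlay_size": len(overlay),
            "overlay_ratio": len(overlay) / len(data),
            "overlay_entropy": shannon_entropy(overlay)}

def build_sample(overlay: bytes) -> bytes:
    """Constructed minimal PE32 layout: headers, one 0x200-byte section, overlay."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200,
                                        0, 0, 0, 0, 0x60000020)
    headers = (dos + coff + b"\0" * 0xE0 + sect).ljust(0x200, b"\0")
    return headers + b"\x90" * 0x200 + overlay

if __name__ == "__main__":
    # Constructed stand-in for an encrypted payload: uniform byte distribution.
    sample = build_sample(bytes(range(256)) * 16)
    print(pe_overlay(sample))
```

A large overlay ratio combined with entropy close to 8 bits per byte is the static signature of the loader-plus-encrypted-payload layout the posts describe.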

  6. #6
    This sounds interesting, may I know what you are playing with ?

  7. #7
    Mfriend
    Guest
    uhm.. how embarrassing...
    after hiding si ( thanks SplAj for his nice tut I've found ) there was no problem dumping the real process image.

    now this was too easy :|

    since the target runs only on w2k ( squidge and I discovered ) the 2 weeks I've spent on that weren't worth it.

    but I've learned how to hide softice on w2k/xp..


    @squidge: thanks

  8. #8
    Mfriend
    Guest
    the target was a reception client for highspeed networks ( called FFR Fast File Receiver ) by WizzCast ( the author's nick )

    The "project" seems to be dead ... ( hp is down about 3 weeks now )

    well.. anyway I look for a new target.. which is worth writing a tut about it...

    Happy reversing,
    mystical friend

  9. #9
    Mfriend:

    Just a word for anyone looking to hide softice.

    In addition to +Spl/\j's walk-through there was a patch for hiding DS 2.7 by nikolatesla20 in a thread titled "Driver Studio *2.7* anti detect patches" dated 10-23-2002 in the TOT Forum. It made all the patches for everything except int 1 detection. In that thread I also posted a link to the +Spl/\j walk-through. Nikolatesla20 also posted a previous patch for DS 2.6.

    There is also a multipage thread from 09-23-2002, titled "Avoiding INT1 detection of SoftICE under WinXP" which discusses how to avoid even this detection method. There is a "Detect" program posted by +Spl/\j which will show you if your patches are working.

    These were all posted within the last 90 days (except the +Spl/\j walk-through) and could have been located with rather simple searches and/or simply looking back through the listings on the TOT Forum.

    Regards.
    JMI

  10. #10
    Mfriend
    Guest
    of course you are right - a little bit more searching would have spared me asking about si hiding on w2k/xp/nt.

    I do hate it too, if the same questions are asked over and over again -

    thank you for pointing me to the int1 threads.

    mf