
Thread: pelock anti SI detection

  1. #1
    +SplAj
    Join Date: Feb 2001
    Location: Afghanistan, Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria
    Posts: 373

    pelock anti SI detection

    hello again

    I'm gonna paste some asm here, so I *hope* I'm in the right forum.

    Now, Evaluator disclosed some infos that IceDump left Colonel32 memory w-i-d-e-o-p-e-n ....naughty naughty tsk tsk. is it true... is the nemesis here.......

    How to detect Icedump is loaded in Win9x O/S .....

    Just run latest PElock 1.05 Demo and you'll see

    how does it know.... you have /protect on but the bastard still knows you are using SoftICE !!!! (btw this Bart is not Bart, the other is Bart , Evaluator)

    heres how :-


    TASM ASM


    .386p
    .MODEL FLAT,STDCALL
    locals
    jumps
    UNICODE=0
    include w32.inc
    include PELOCK.INC
    extrn GetProcAddress :PROC


    .data

    msg1 db "PELock 1.05 check 'IceDump' test",0
    msg2 db "SEH triggered ok....Did NOT detect IceDump.... ",0
    msg3 db "*** I C E D U M P *** D E T E C T E D ",0
    mark db 0
    iKern db "Kernel32",0
    iExit db "ExitProcess",0

    .code

    Start:

    xor eax,eax ;zero to EAX for setting xhandler
    push offset SEH_handler ;address our new SEH handler
    push dword ptr fs:[eax] ;save previous handler address
    mov dword ptr fs:[eax],esp ;set our new xhandler
    call GetModuleHandle, offset iKern
    call GetProcAddress , EAX, offset iExit ; get 'ExitProcess' memory location
    add dword ptr [eax],00 ;try and write to it....SEH fires if no IceDump, else:

    push eax ;just ExitProcess...should NEVER GET HERE !!!
    call MessageBoxA,0, offset msg3, offset msg1,0
    ret ; this will ret into ExitProcess and you're gone !!!

    ;DEMO_START This is how EASY pelock programming-in-source-code is (see pelock.inc)

    ;place here some ' registered user only ' bit of code blah blah blah

    ;DEMO_END but i disabled it ( for my example
    ; and included a bit of home made crypto

    iNop: db 05Eh,06Ah,087h,0C4h,07Fh,02Eh,03Dh,04Eh ; for phun.......


    pop dword ptr fs:[0] ;set previous handler
    add esp,4 ;clear stack
    cmp mark, 1
    jnz jump

    call MessageBoxA,0, offset msg2, offset msg1,0
    call ExitProcess, -1 ;end program

    jump:

    call MessageBoxA,0, offset msg3, offset msg1,0
    call ExitProcess, -1 ;end program

    ;+++++++++++++++++++++

    SEH_handler:

    mov eax, [esp+04] ;set EAX to address with exception #
    mov ecx, [esp+0Ch] ;read to ECX address start of context structure
    mov dword ptr [ecx+0b8h], offset iNop ;return EIP
    mov eax, [eax] ;read exception number
    sub eax, 0C0000005h ;STATUS_ACCESS_VIOLATION error value (hex literal needs the trailing h)
    jnz SEH_handler_end ;if it isn't an access violation jump (not our exception call); EAX stays non-zero
    inc mark ;set mark because xhandler ran
    xor dword ptr [iNop+4],0DEADBEEFh ;decrypt running code with DeadBeef+ShitFace ...hmmm
    xor dword ptr [iNop+0],05417FACEh

    SEH_handler_end:

    ret ;back to program ..we hope


    ends
    end Start
    Last edited by +SplAj; December 31st, 2002 at 14:21.
    Carve my name into your arm :)
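An added analysis model of the snippet above (my own code, not from the thread or from PELock): it reproduces the decision SEH_handler makes on the exception code, the EIP redirection into iNop, and the two XOR passes over the eight iNop bytes, so you can see what the "home made crypto" actually hides and which message box each outcome reaches. The context offset and exception codes are the ones the post uses; the "no fault" and "other exception" branches only restate what posts #1 and #8 describe.

```python
import struct

STATUS_ACCESS_VIOLATION = 0xC0000005   # value the handler subtracts from the code
CONTEXT_EIP_OFFSET = 0xB8              # [ecx+0b8h]: Eip inside the CONTEXT record
EXCEPTION_CONTINUE_EXECUTION = 0       # what a Win32 SEH handler returns in eax

# the eight bytes at iNop, copied from the post (an encrypted stub)
INOP_ENC = bytes([0x5E, 0x6A, 0x87, 0xC4, 0x7F, 0x2E, 0x3D, 0x4E])
KEY_INOP0, KEY_INOP4 = 0x5417FACE, 0xDEADBEEF   # xor keys for iNop+0 / iNop+4


def decrypt_inop(enc=INOP_ENC):
    """The two dword XORs the handler performs on the stub (little-endian dwords)."""
    lo, hi = struct.unpack("<II", enc)
    return struct.pack("<II", lo ^ KEY_INOP0, hi ^ KEY_INOP4)


def seh_handler(exception_code, context, mark):
    """Model of SEH_handler. Returns (eax, context, mark, stub bytes).
    EIP is always pointed at iNop; only an access violation sets mark,
    decrypts the stub and leaves eax == 0 (continue execution)."""
    ctx = dict(context)
    ctx[CONTEXT_EIP_OFFSET] = "iNop"              # mov [ecx+0b8h], offset iNop
    eax = (exception_code - STATUS_ACCESS_VIOLATION) & 0xFFFFFFFF
    if eax != 0:                                  # jnz SEH_handler_end
        return eax, ctx, mark, INOP_ENC           # stub stays encrypted
    return eax, ctx, mark + 1, decrypt_inop()     # inc mark; xor iNop+4; xor iNop+0


def probe_outcome(write_faulted, exception_code=STATUS_ACCESS_VIOLATION):
    """Which path the program takes after 'add dword ptr [eax],00' on ExitProcess."""
    if not write_faulted:
        # the write went through (page not protected): falls into msg3 and ret
        return "msg3: IceDump detected"
    eax, _, mark, stub = seh_handler(exception_code, {}, 0)
    if eax == EXCEPTION_CONTINUE_EXECUTION and mark == 1 and stub == b"\x90" * 8:
        # resumed at a plain NOP sled, then cmp mark,1 falls through to msg2
        return "msg2: SEH triggered ok, did NOT detect IceDump"
    # any other fault code (post #8 mentions SINGLE_STEP): no clean resume,
    # mark stays 0 and the stub is never decrypted, so msg2 is unreachable
    return "no clean resume: mark stays 0, msg2 path unreachable"
```

The decrypted stub turns out to be eight 0x90 bytes, so the only job of the "crypto" is to make the resume address execute cleanly only when the handler really ran on an access violation.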

  2. #2
    decrypt running code with DeadBeef+ShitFace ...

    BWAHAHAHAHAHAHHAHAHAAA


    Later, Woodmann

  3. #3
    hmm so who am i?

    or [ExitProcess],0 can be easily defeated by setting bpm ExitProcess + superbpm

  4. #4
    Gosh:

    "DEADBEEF" and "BEEFABAD" for years were part of the decryption code on PACE copy protection for the MAC some years ago. Found it in most of my MAC early music software. Haven't had time to check if they have changed their strips on the newer stuff for the MAC.

    And Bart: Obviously you are the "other one." You, of all people, should be able to tell the difference.

    Regards.
    JMI

  5. #5
    +SplAj

    barttttttt

    hi bart the real bart

    PElock 1.05 is my first find for this trick in a commercial protector.

    Seemed too much of a coincidence.........it was NOT in v1.04.

    I just made a SI macro that sets EAX to 0, pokes EIP back to the offending line, X, and SEH carries on as normal. Actually in this case the real code that is RET to is some 4928 lines back. If you follow the SEH you'll get to SUB DWORD PTR [EAX+B8],00004928

    hmmm that's boring info for NY day....

    cya

  6. #6
    SpeKKeL
    Join Date: Aug 2001
    Location: earth....
    Posts: 153

    svkp-protector

    Hajo,

    svkp-protector claims to be the first who can trap icedump..,
    Hmm, I protected good old notepad and deprotected it without
    too many problems; the svkp.exe file itself seems to be more difficult..
    It has some anti-trace routines and icedump detection. (protect on will not be triggered)
    Maybe (talking about icedump detection) this is also a nice target
    to play with.. (I can't see how they detect icedump there, my knowledge is poor in these fs, seh, drx's bla bla beef..)

    Happy new year,

    Spekk.

  7. #7
    Hwoarang
    Guest

    hum

    I am having trouble getting Pelock.exe to run on Win2k with Sice loaded, even if I managed to make it run on Win9x.
    Also it's very weird how my Win2k reboots whenever I set a bp on an API.. (maybe I should disable the BCHK interface?)
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  8. #8
    +SplAj

    trouble....

    yes hwo

    BIG troubles...... try bpm exitprocess rw and see how he uses the old trick of API protection... no BPX on an API allowed (CC check)

    Also he (t'other bart) uses INT1 fault of SINGLE_STEP error instead of expected STATUS_ACCESS_VIOLATION with SI running......so SEH steps through to RET MessageBox..FluckOfCracker....instead of redirecting to real flow......

    i'm sure not many ppl will run pelock 1.05 on Win2K/XP

    (and WinXP with SP1 is a real MF challenge for the nerves !!!)

    anyway have phun and keep D FS:0 / D CS:[FS:0+4] checking the SEH. The year has only just started....

    Spl/\j

  9. #9
    If I remember correctly, PElock uses int1 and an UnhandledException API check on win2k

    So simply patch IDT to remove int1 check and then do this
    bpm UnhandledExceptionFilter
    then change the value in eax from "CC" to "55"

    That is all :>

  10. #10
    Hwoarang
    Guest

    ...

    I know of both the int1 and UnhandledExceptionFilter check.. I was able to run previous versions of Pelock on Win2k with Sice... but the new one seems to use some new trick

  11. #11
    r4g3
    Guest

    Re: trouble....

    #include <iostream>
    using namespace std;

    // the joke loop: practically never terminates, which is the point
    for ( unsigned int i = 0; i < 0xFFFFFFFF; i++ )
    {
        cout << "(and WinXP with SP1 is a real MF challenge for the nerves !!!)" << endl;
    }

  12. #12
    did you see that update.exe from XP SP1 is full of encrypted code and asm snippets, e.g.:

    010079E2 pusha
    010079E3 pushf
    010079E4 call sub_100AAB4
    010079E9 push eax
    010079EA lea edx, ds:0FEFB881h
    010079F0 lea ecx, ds:19905CF5h
    010079F6 sub esp, 8
    010079F9 mov [esp+30h+var_30], edx
    010079FC push ecx
    010079FD shl eax, 10h
    01007A00 or eax, 0Ch
    01007A03 sub [esp+34h+var_30], 0EEF3E64h
    01007A0B pop ebx
    01007A0C mov [esp+30h+var_2C], eax
    01007A10 jmp short sub_1007A3C


    0100955C mov [ebp+var_1A8], edx
    01009562 lea ecx, ds:10F1C526h
    01009568 add ecx, [ebp+var_1C8]
    0100956E sub ecx, [ebp-1ACh]
    01009574 sub ecx, 0FF12FAAh
    0100957A jmp ecx
    0100957C ;
    0100957C lea ecx, ds:0DC096DAh
    01009582 sub ecx, [ebp-1A8h]
    01009588 add ecx, [ebp-1C4h]
    0100958E sub ecx, 0CC00144h
    01009594 jmp ecx

    010276AB pushf
    010276AC pusha
    010276AD push offset unk_1027967
    010276B2 push 1
    010276B7 call sub_1007A3C
    010276BC add esp, 4
    010276BF jmp eax

  13. #13
    evaluator
    Join Date: Sep 2001
    Posts: 1,489

    "Hi, BTW +SplAj"! :)

    I assume, u have xmas-LIBian-vacations & remember this MB..

    So letz broke IceDump!?
    (RRREALLLY easy-peesy!)

    But before start, I need little help. (Maybe NOT_THAT_bart can help me?)

    ..I found one resource_Crackme & I try to play with it using RSRC_editors.
    So I removed many thingz, for example all contents of 2nd tab.
    But I can't remove this 2nd("Project") tab.

    So my question is:
    RSRC_editors sux or this 2nd tab must be disabled from program code?

  14. #14
    Kayaker
    Join Date: Oct 2000
    Posts: 4,124

    Hi Eval

    I had a look at it and saw what you did. (this is a crackme?) Unfortunately tab windows are inserted into code as children of a "SysTabControl32" parent dialog with TCM_INSERTITEM, so even if you delete the controls, or even the whole child dialog resource, the "tab" will still show. If you delete the SendMessage call that does it it might work. It might look something like this...

    Code:
    tci           TC_ITEM <>        ; Tab Control struct
    strTab1Text   db "PELock",0
    strTab2Text   db "Project",0

    ; ----------------------------------------------------------
    ; Add Tabs to Tab control, fill TC_ITEM struct
    ; ----------------------------------------------------------

    mov tci.imask, (TCIF_TEXT or TCIF_IMAGE)

    mov tci.pszText, OFFSET strTab1Text     ; 1st Tab control
    mov tci.cchTextMax, SIZEOF strTab1Text
    mov tci.iImage, 0

    invoke SendMessage, hTabDlg, TCM_INSERTITEM, 0, OFFSET tci

    mov tci.pszText, OFFSET strTab2Text     ; 2nd Tab control
    mov tci.cchTextMax, SIZEOF strTab2Text
    mov tci.iImage, 1

    invoke SendMessage, hTabDlg, TCM_INSERTITEM, 1, OFFSET tci
    Kayaker

  15. #15
    tgodd
    Guest
    You will find something close to that in Aladdin's Hardlock driver.
    BEEFBABE and CAFEBABE.

    regards,

    tgodd
