
Thread: Another unknown

  1. #1
    reknihT esreveR SiGiNT's Avatar
    Join Date
    Sep 2004
    Location
    Wherever I am
    Posts
    750

    Another unknown

    Boy!

    I seem to find all the good ones - this one is labeled simply Borland Delphi 4.0-5.0 or unknown by every tool I have - it contains a squatload of sections including SFX and TLS and seems to fully unpack in memory. I'm able to find all imports with no thunks at several possible OEPs but I'm having trouble finding the real one - the dump makes lots of references to madtools and other madxxxx stuff and lists a web site: http://www.madshi.net

    which includes security tools, but no mention of compression - it also lists coding tools and aids - here is a list of the sections -

    Anyone know this one?

    SiGiNT
    Attached Images
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!

  2. #2
    anorganix
    Guest
    madCollection is library-pack for Delphi, and by the look of the sections it is a Delphi app indeed.

    madCollection includes:
    Code:
    madExcept
    madCodeHook
    madKernel
    madSecurity
    madShell
    Maybe PM me with the target name so I can also have a look.
    Cheers mate!

    Last edited by anorganix; September 1st, 2006 at 03:15.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  3. #3
    anorganix
    Guest
    BTW, if you see something similar to this it's madExcept (exception handler) and it means that you haven't unpacked it correctly...

    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #4
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,507
    Blog Entries
    15
    madshi is a Detours-type of library if I recall correctly

    could be used to hook and redirect functions

    I would guess that someone took a program and used that library to add some obfuscation

    or maybe added some trampolines all over to some crypting/decrypting function

    btw if you notice in your screenshot all your memory is mapped to 0x4000000
    as a contiguous section

    not like 0x400000 PE header, 0x401000 .code section etc

    try analysing its PE header (especially vsize, vaddress, etc.) offline to see for possible manipulations

    oops boy three posts before me in two minutes flat
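The offline PE-header check suggested in post #4 (look at each section's VirtualSize and VirtualAddress and see whether the layout still matches the usual headers-at-base, code-at-base+0x1000 pattern), as an added example that is not part of the original thread. It is a small PE32 section-table parser written for this page, with a few triage checks on top: a section that has a virtual size but no raw data (filled at run time, the usual unpack buffer), a section mapped over the headers (one flat mapping from the image base, as described above), sections that are not laid out back to back, a TLS directory (whose callbacks run before the entry point), and an entry point that does not land in a section backed by file data. The sample images are constructed in memory by build_pe; the section names, sizes and finding codes are assumptions for illustration, not values from the target discussed in the thread.

```python
import struct

IMAGE_DIRECTORY_ENTRY_TLS = 9  # index of the TLS entry in the optional header's data directory


def align_up(value, alignment):
    """Round value up to the next multiple of alignment (SectionAlignment in practice)."""
    alignment = alignment or 0x1000
    return (value + alignment - 1) // alignment * alignment


def build_pe(sections, entry_rva, tls_rva=0, section_align=0x1000):
    """Constructed sample: headers of a minimal PE32 image (no section data is appended).

    sections: list of (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData).
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)              # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)               # ImageBase
    struct.pack_into("<I", opt, 32, section_align)          # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                  # FileAlignment
    struct.pack_into("<I", opt, 60, 0x400)                  # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, tls_rva, 0x18 if tls_rva else 0)
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii"), vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
        for name, vsize, vaddr, rawsize, rawptr in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


def parse_pe(data):
    """Read the PE32 header fields the checks below need; raises ValueError on non-PE32 input."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled in this example")
    info = {
        "entry_rva": struct.unpack_from("<I", data, opt + 16)[0],
        "image_base": struct.unpack_from("<I", data, opt + 28)[0],
        "section_align": struct.unpack_from("<I", data, opt + 32)[0],
        "size_of_headers": struct.unpack_from("<I", data, opt + 60)[0],
        "has_tls": False,
        "sections": [],
    }
    if struct.unpack_from("<I", data, opt + 92)[0] > IMAGE_DIRECTORY_ENTRY_TLS:
        tls_rva, tls_size = struct.unpack_from("<II", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS)
        info["has_tls"] = tls_rva != 0 and tls_size != 0
    off = opt + size_of_opt
    for _ in range(num_sections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        info["sections"].append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                                 "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr})
        off += 40
    return info


def audit(info):
    """Return finding codes for the layout oddities a packed or manipulated image tends to show."""
    findings = []
    if info["has_tls"]:
        findings.append("tls-directory")                      # TLS callbacks run before the entry point
    expected = align_up(info["size_of_headers"], info["section_align"])
    for s in sorted(info["sections"], key=lambda s: s["vaddr"]):
        if s["rawsize"] == 0 and s["vsize"] != 0:
            findings.append("empty-on-disk:" + s["name"])     # nothing in the file, filled at run time
        if s["vaddr"] < info["size_of_headers"]:
            findings.append("overlaps-headers:" + s["name"])  # one flat mapping from the image base
        if s["vaddr"] != expected:
            findings.append("gap-or-overlap:" + s["name"])    # not the usual back-to-back layout
        expected = s["vaddr"] + align_up(s["vsize"] or s["rawsize"], info["section_align"])
    entry = info["entry_rva"]
    home = [s for s in info["sections"] if s["vaddr"] <= entry < s["vaddr"] + (s["vsize"] or s["rawsize"])]
    if not home:
        findings.append("entry-outside-sections")
    elif home[0]["rawsize"] == 0:
        findings.append("entry-in-empty-section:" + home[0]["name"])
    return findings


# Constructed layouts (hypothetical names and sizes): a plain Delphi-style image, a packed-looking
# one with an empty CODE section, an SFX stub and a TLS directory, and a single flat mapping.
NORMAL = [("CODE", 0x8000, 0x1000, 0x8000, 0x400), ("DATA", 0x1000, 0x9000, 0x1000, 0x8400),
          (".idata", 0x1000, 0xA000, 0x1000, 0x9400)]
PACKED_LIKE = [("CODE", 0x20000, 0x1000, 0, 0), ("SFX", 0x3000, 0x21000, 0x3000, 0x400),
               ("TLS", 0x200, 0x25000, 0x200, 0x3400)]
FLAT = [("image", 0x30000, 0, 0x30000, 0)]

if __name__ == "__main__":
    for label, data in [("normal", build_pe(NORMAL, 0x1100)),
                        ("packed-like", build_pe(PACKED_LIKE, 0x21000, tls_rva=0x25000)),
                        ("flat", build_pe(FLAT, 0x1000))]:
        print(label, audit(parse_pe(data)) or ["no findings"])
```

To use it on a real file, read it in and call audit(parse_pe(data)); the checks are deliberately crude and only flag things worth a closer look in the section table, they do not identify a packer.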

  5. #5
    We are getting very close here to violating the Rule prohibiting posting of Code and identifying the target. Let's make sure we do not cross over that line.

    Regards
    JMI

  6. #6
    anorganix
    Guest
    JMI, if you are talking about "Maybe PM me with the target name so I can also have a look" don't worry, that's why I said <<PM>>. We have similar rules @ ARTeam so I know the issue...

    Regards.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  7. #7
    reknihT esreveR SiGiNT's Avatar
    Join Date
    Sep 2004
    Location
    Wherever I am
    Posts
    750
    anorganix,

    I'll PM the target name to you over at our home site, you'll need a login, and I have that at work. Unfortunately I managed to get this site blocked at work (soon to be fixed).

    JMI,

    I took special pains not to even hint at the target, the madshi stuff bears no relationship other than the fact that the tools were used in coding this one.

    SiGiNT
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!

  8. #8
    My comment was not aimed at any "individual", but was simply a "generic" warning, intended to hopefully preclude some of our less familiar members, or anyone really new from becoming overcome with the urge to post some code and a target name.

    It was just intended as "an ounce of prevention." I do know how to scold if someone had actually violated the Rule.

    Regards,
    JMI

  9. #9
    reknihT esreveR SiGiNT's Avatar
    Join Date
    Sep 2004
    Location
    Wherever I am
    Posts
    750
    JMI,

    Hopefully my large black box hiding any hint of the target name will give the right idea to those reading this thread, but I'm having second thoughts as to pursuing this one, the protection is unique and not likely to be encountered by many in the future, and this soft is essentially dead - it started as a project that was supposed to create a free utility for users of a certain software program, however, like several others with the same intent, the authors found a lot of interest for it and decided to pull it in favor of a "retail version" - in the meantime the software that it was supposed to enhance has incorporated most of the features it offers. I investigated it while trying to find an obscure "target", from a small company that used FlexLM, for a tutorial I've been promising to write for months now, and it doesn't satisfy that requirement. Unfortunately, curiosity and a certain amount of obsession took over and I started this thread.

    @ Anorganix - if you like I'll get you this one, but I doubt you could do anything with it unless you have the other soft installed, just let me know.

    SiGiNT
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!

  10. #10
    Quote Originally Posted by sigint33
    Hopefully my large black box hiding any hint of the target name
    "any hint"? Look at that box again... or maybe the gamma on your monitor isn't set correctly

    Indeed, a very obscure app.

  11. #11
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,107
    Blog Entries
    5
    Quote Originally Posted by LLXX
    "any hint"? Look at that box again.
    Lol. When isn't black black?

    I was more surprised that any software actually used the madshi wrappers. I had seen them a long time ago, thought they were more of general interest, POC or a pet project. Something along the lines of Elicz' ApiHooks - interesting, make use of the concepts, but write what you need yourself.

    Looking at them again, I guess Delphi must be pretty limited if you can't use many of these API calls directly, without going to the extra trouble of learning to use someone else's wrappers on top of it.

    In any case, I hope the retail version of this sw isn't still using those madshi libraries, free for non-commercial use only, or is paying a suitable fee for their use.

    Kayaker

  12. #12
    reknihT esreveR SiGiNT's Avatar
    Join Date
    Sep 2004
    Location
    Wherever I am
    Posts
    750
    LLXX,

    Yup!

    Should have added one more box - or adjusted the translucency - or just adjusted the column width to eliminate it, oh well good intentions anyway.

    SiGiNT
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!
