Have a nice day!
Published by Tsehp
It happened as usual: I wasn't specifically looking for this kind of software, nor for this kind of protection, but sometimes it happens. I hate these scrambled import tables and encrypted code. It doesn't lead anywhere. It's like a revenge on the cracker (or on some person who doesn't want to buy a protection). And this sarcastic clause: "HAVE A NICE DAY!" inside the executable.... I said: Let's finally have a nice day!
Turgid words are characteristic of dilettantism. Always. Believe me. A first look at this executable told me it wouldn't be an easy task. First I saw the import table; second was the disassembling approach. The result was that the executable is scrambled, and the import table too. So the next step was to examine which packer or wrapper was used. Doing a bpm 54258a x on the entry point shows some home-made protection:

0054258A call sub_542647                ; we start here
0054258F call sub_542824
00542594 cmp eax, 0
00542597 jnz short loc_5425A0
00542599 push 0
0054259B call sub_543B25
005425A0 loc_5425A0:                    ; CODE XREF: Have:00542597j
005425A0 call ds:dword_541F49
005425A6 test eax, 80000000h
005425AB jz short loc_5425BB
005425AD push offset aCProgramFilesS    ; "C:\\PROGRAM FILES\\SCANSOFT\\OMNIPAGEPRO11"...
005425B2 call sub_543B31
005425B7 or eax, eax
005425B9 jz short loc_542619
005425BB loc_5425BB:                    ; CODE XREF: Have:005425ABj
005425BB push offset aCProgramFile_0    ; "C:\\PROGRAM FILES\\SCANSOFT\\OMNIPAGEPRO11"...
005425C0 call sub_543B31
005425C5 or eax, eax
005425C7 jz short loc_542630
005425C9 mov ds:dword_541CD4, eax
005425CE call ds:dword_541EC7
005425D4 mov ds:dword_541A72, eax
005425D9 push 0
005425DB call sub_543B19
005425E0 mov ds:dword_541A76, eax
005425E5 push offset aNewsecuritypro    ; "NewSecurityProc"
005425EA push ds:dword_541CD4
005425F0 call sub_543B2B                ; some security procedures
005425F5 cmp eax, 0
005425F8 jz short loc_542630
005425FA push ds:dword_541E16
00542600 push ds:dword_541A72
00542606 push offset unk_540000
0054260B push ds:dword_541A76
00542611 call eax                       ; finally check license and unwrap the exe
00542613 loc_542613:                    ; CODE XREF: Have:00542613j
00542613 jmp ds:off_540000              ; jump to original entry point (0x004EB405)

First I was digging inside the call at 542611, but it seemed useless (some 16-bit code that I last saw inside C-Dilla's SafeCast). At location 542613 the executable is completely restored and the imports are linked.
You can dump at this location. So now type a <Enter>, jmp eip <Enter> <Enter> and hit F5. Run ProcDump or some other dumping tool (PEditor is good too) and save it to disk. Back to WinIce and restore the original jump. Keep the target running. You might close your dumping tool and run Revirgin. Choose the appropriate task (Omnipage.exe). Revirgin comes up to expectation with some found imports. Checking the disassembled dump you may see that the RVA (000FF000) and Length (000020E4) values are correct, but the OEP needs to be changed to 004EB405. Clicking on IAT Resolver we get a demangled import table. You can now check the names for correctness. We will now append the import table section to the dumped executable. The size of the dumped exe is now 0x145FF0, so we will use 146000 for IT Generator. Now fill in the fields RVA (00146000) and Length (000020E4) on the right. Pressing the Generate! button, choosing the dumped executable and a name for the import table (this is stored as a copy), the program will now append the import table and fix the PE header (be sure you have checked the "Autofix sections + IT paste" checkbox). And we're done. You can check the executable with IDA. Imports are now OK, the protection shell is gone, and we now have a nice day...
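The two header facts the procedure above turns on (where the entry point sits and where the import directory was appended) are exactly what an analyst checks when triaging a suspect binary. As an added example, not part of the original write-up or of any tool it mentions, the Python below parses a PE32 header by hand and flags an entry point in the last section (a packer stub) or an import table in the last section (a dumped image with an appended IT). The sample images are constructed headers with no code; the image base 0x400000 is an assumption, while the RVAs follow the write-up (OEP 0x4EB405, import table at 0x146000 with size 0x20E4).

```python
import struct

def parse_pe(data):
    """Return (entry_rva, import_rva, import_size, sections) from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)  # COFF: NumberOfSections, SizeOfOptionalHeader
    opt = pe + 24                                               # optional header start
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry = struct.unpack_from("<I", data, opt + 16)[0]         # AddressOfEntryPoint
    irva, isize = struct.unpack_from("<II", data, opt + 104)    # DataDirectory[1]: imports
    secs = []
    for i in range(nsec):
        name, vsize, va, chars = struct.unpack_from("<8sII20xI", data, opt + opt_size + 40 * i)
        secs.append((name.rstrip(b"\0").decode(), va, vsize, chars))
    return entry, irva, isize, secs

def section_of(rva, secs):  # index of the section whose virtual range holds rva, else None
    return next((i for i, (_, va, vs, _) in enumerate(secs) if va <= rva < va + vs), None)

def triage(data):
    """Entry in last section: packer stub. Imports in last section: appended IT (dumped image)."""
    entry, irva, isize, secs = parse_pe(data)
    e, i, last = section_of(entry, secs), section_of(irva, secs), len(secs) - 1
    return {"entry_section": None if e is None else secs[e][0],
            "entry_in_last_section": e == last,
            "import_section": None if i is None else secs[i][0],
            "imports_in_last_section": i == last, "import_size": isize}

def build_pe(entry_rva, import_rva, import_size, secs):
    """Constructed header-only PE32 (no code bytes) used as offline test input."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0x1000, 0, 0x400000)
    opt += b"\0" * 60 + struct.pack("<I", 16)                   # pad to NumberOfRvaAndSizes
    opt += b"\0" * 8 + struct.pack("<II", import_rva, import_size) + b"\0" * 112
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, 0, 0, 0, 0, 0, 0, c)
                    for n, va, vs, c in secs)
    return dos + coff + opt + hdrs

# Constructed layouts; image base 0x400000 assumed. RVAs follow the write-up (OEP 0x4EB405 -> 0xEB405, IT 0x146000/0x20E4).
REBUILT = build_pe(0xEB405, 0x146000, 0x20E4, [(".text", 0x1000, 0x100000, 0x60000020),
                   (".data", 0x101000, 0x45000, 0xC0000040), (".rv", 0x146000, 0x3000, 0xC0000040)])
PACKED = build_pe(0x14258A, 0x141F00, 0x100, [(".text", 0x1000, 0x140000, 0x60000020),
                  (".stub", 0x141000, 0x6000, 0xE0000020)])  # stub holds entry and IT
```

Run triage() over a real file's bytes to get the same flags; both "last section" flags raised together is the usual signature of a protected executable, while only the import flag points at a dumped and rebuilt one.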
I was looking at the PE header again. And I saw the irony: "Have a nice day!" .tsehp