[unpackme] Larp V2.0 Pro Ed.

[vinnie]

Figured out my bsod... firewall was causing it.

Now, I still can't get anywhere... I figured to bp GetProcAddress before , but I can't get it to go even that far. It just runs around in the loops/obfuscation forever and never starts to load any API's or anything.

:/

I finally tried Whats' hints and found that for some reason SND Olly will not break on GetProcAddress. I finally got the thing to break on GetProcAddress with the new Olly SABRE GOLD and now I can see the antidebugging APIs (OutputDebugStringA, UnhandledExceptionFilter, ProcessNextW, etc). The thing I don't understand is why I get further without any of the hiding plugins activated? If I turn the plugins on then I get stuck in loop much earlier. Is it checking for patches being made to these APIs?

[Teddy Rogers]

Maybe it is checking for anti-debugging tricks?

Ted.

[vinnie]

Maybe it is checking for anti-debugging tricks?

Ted.

LOL..And the nobel prize for stating the obvious goes to......Ted. :biggrin:

I gathered as much Ted but I was hoping someone would tell me why SND olly failed to BP on GetProcAddress whereas the new Olly did so I can maybe attempt to patch the SND olly.

[Teddy Rogers]

LOL..And the nobel prize for stating the obvious goes to......Ted. :biggrin:

Lol! I won a prize...

Ted.

[syk071c]

[What]

I gathered as much Ted but I was hoping someone would tell me why SND olly failed to BP on GetProcAddress whereas the new Olly did so I can maybe attempt to patch the SND olly.

Did you check the settings, they probably differ from each other. I can do it manually with a unmodded olly and olly ollyadanced, with only Flexible breakpoints checked, not anti debugger checked (have a odbgscript for that 1). Also with a unmodded, no nothing, ollydbg v2 (which was lame because there is no memory bp yet, that or I am blind). I hope this helps a little more.

Edited April 6, 2008 by What

[vinnie]

I gathered as much Ted but I was hoping someone would tell me why SND olly failed to BP on GetProcAddress whereas the new Olly did so I can maybe attempt to patch the SND olly.

Did you check the settings, they probably differ from each other. I can do it manually with a unmodded olly and olly ollyadanced, with only Flexible breakpoints checked, not anti debugger checked (have a odbgscript for that 1). Also with a unmodded, no nothing, ollydbg v2 (which was lame because there is no memory bp yet, that or I am blind). I hope this helps a little more.

I did quickly skim through the settings but didn't notice anything different. I will have a closer look. Thanks What.

i tried it and you were right. All it needed was the flexible BP.

Edited April 6, 2008 by vinnie

[sdy100]

I will give you some hint

1.load ollydbg 2.0

2.go to OutputDebugStringA

3.change lilke this

before

7C859F78 OutputDebugStringA 68 34020000 push 234

7C859F7D 68 A0A2857C push kernel32.7C85A2A0

after

7C859F78 OutputDebugStringA 31C0 xor eax,eax

7C859F7A C2 0400 retn 4

4. run

Edited April 11, 2008 by sdy100

[Loki]

I will give you some hint

1.load ollydbg 2.0

2.go to OutputDebugStringA

3.change lilke this

before

7C859F78 OutputDebugStringA 68 34020000 push 234

7C859F7D 68 A0A2857C push kernel32.7C85A2A0

after

7C859F78 OutputDebugStringA 31C0 xor eax,eax

7C859F7A C2 0400 retn 4

4. run

It might take a little more than that

[ahmadmansoor]

I note that Mr.sdy100 .....as if lena after she study Olly 1.X very carfully ..... I think she discover some weakness in this Ver of olly ...so if u try u load any target protected with this protector it make Olly go in infinity Loop ....

but if u open the target with Olly 2.0 Or IDA it will pass this infinity loop as if the weakness point in this ver has fixed .....

[What]

Ollydbg 2 is kinda lame right now so I think I will stick to running it under Olly 1.10. :tongue:

[syk071c]

xor eax,eax

retn 4

things such as this are checked..

a lot of the anti debug tricks are findable by tracing through.. if you have the patience and the time...

time has been quite limited to me lately...

[What]

@syk071c, Have you seen the updated larp, which can be found on armageddon, or whatever it is called, if you dont trace through you'll never figure it out.

[sdy100]

more hint

"INT 2D Debugger Detection" it does't work olldbg 2.0

[ahmadmansoor]

U mean sofice my dear friend :biggrin: ...

I think it is our puzzle of the week :tongue: .................we must find a solution for this or we will die .....

Oooooo i like that ....more puzzle boys ......hehe

more hint

"INT 2D Debugger Detection" it does't work olldbg 2.0

[syk071c]

Haven't seen the updated larp on armageddon.. but i probably am quite curious now.. ah yes the int2d's yes they were quite a pain to find too

i can say a hell of a lot of anti-debug used doesn't rely on api's so you must trace..

[vinnie]

@What,

Can I IMPLORE you to do a tut on this protector.....please........prettyplease........with sugar on top?

I have got the thing running in Olly just fine now with a script I made with the hints you provided but what I don't get is how the protection works. Like why will it run if you set BPs on GetProcAddress and ZwContinue and bypass a few debug APIs.

I can understand everyones' reluctance to shed light on the protector cause you guys use it to protect your releases but maybe the tut shouldn't be on "how to unpack Larp" but more on the antidebugging used in the protector. Would make good reading.

Also now that I have got the Pro version running I am trying the standard version and I am getting stuck on the GetTickCount. I have read the info on this and it says to modify EAX after API call but it didn't work for me there. In the Pro version I didn't even worry about this API and it still runned. Any help there What? Thanks for your info on this so far. I learned alot...e.g Like there is a lot more ways to antidebugging that I have no knowledge about.

Edited April 13, 2008 by vinnie

[lena151]

@Vinnie: pm me the anti-debug you don't understand. ASA I find the time, I'll code it and send you the source. I guess that will be the best solution and also best for your understanding. Also, some of the tricks are machine specific, hence it may very well be that if someone sends you a walkthrough ... it may not even work on your machine ... .

Hope this will help you out.

lena151.

[SunBeam]

Vinnie, trust me, I would love to know the inner working of lARP, but I am honestly fed up with reading tutorials. I like this protector because it's not "documented" and that makes it something unique (see EXECryptor and Themida, there's nothing left to study about them, other than the VM, which involves time and understanding of code). Here's my idea, and I believe this will work, as Lena might've overlooked it..

In incipient stages, lARP had a bug with its custom named section. If you changed the name of that section, application ran and crashed in memory. Alas, you could attach and dump it (IAT was intact, no stolen OEP, etc..). That bug got fixed, BUT.. There's a huge big hole on the same side-line. Maybe that hint helps you

Also, I began studying the "VM" lol. Here's another hint - Hacker Disassembler - and oh it helps a lot

Other than that, I never got to open it in Olly