thisistest Posted August 13, 2009
http://www.safengine.com/download/unpack_tmd.rar
WinLicense_2080 unpacking
lizhendong Posted August 16, 2009 (edited)
Thanks! Edited August 16, 2009 by lizhendong
hypa Posted August 18, 2009 (edited)
Okay, I hate to do this (go blatantly off topic), but are we ever going to see a TM/WL 2.1.0.0 full-featured UnpackMe since they started watermarking? Would someone have to sacrifice a license, or do an intermediate inline patch before posting it? Most people here don't have the time and/or skills to do this level of protector, but it's intriguing to see the more productive and skilled reversers do them and give feedback. There seem to be only two protectors from separate vendors that don't get instantly dumped, and this is one of them. Also the target I've been doing in the wild has stopped at 2.0.8.0 and doesn't use much more than VM macros and the trivial anti-debug with the IAT stuff. Edited August 18, 2009 by hiya
ZenLoren Posted August 27, 2009 (edited)
Hi All, I am working on this unpackme's Themida protection & from this posting you'll learn how Themida reads the export directory of a module & gets the function names. You'll also learn where it checks for ntice.sys, plus more. Please note I am not able to bypass the hardware ID checks & anti-dumping routines. As & when I find them I'll update you all. Let's follow: set a hardware breakpoint at 5DF2F6 & we'll land here.

005DF2F6 pushad
005DF2F7 clc
005DF2F8 sub eax,eax
005DF2FA xor dword ptr ss:[ebp+A742559],ebx
005DF300 mov dword ptr ss:[ebp+A740E01],eax
005DF306 mov edx,dword ptr ss:[esp+28]
005DF30A jns 005DF319
005DF310 pushad
005DF311 mov esi,0EF8D36C
005DF316 push ebx
005DF317 pop eax
005DF318 popad
005DF319 mov dword ptr ss:[ebp+A74198D],eax
005DF31F pushad
005DF320 jnb 005DF329
005DF326 movzx edx,bx
005DF329 popad
005DF32A mov esi,3C ; ESI = 3C, offset of the PE header to begin
005DF32F mov dword ptr ss:[ebp+A743001],edx
005DF335 add esi,dword ptr ss:[esp+24] ; First time ESI = kernel image base, ESI=7C80003C
005DF339 clc
005DF33A lods word ptr ds:[esi] ; EAX=0100 Read word to get start of PE header
005DF33C mov dword ptr ss:[ebp+A740451],ecx
005DF342 add eax,dword ptr ss:[esp+24] ; EAX=7C8000E8 = PE header
005DF346 xor dword ptr ss:[ebp+A741011],esi
005DF34C nop
005DF34D jmp 005DF358

Keep pressing F7 to reach here:

005DF37A mov eax,dword ptr ds:[eax+78] ; EAX=0000262C Get RVA of export directory
005DF394 add eax,dword ptr ss:[esp+28] ; EAX=7C80262C Points to kernel32.$$VProc_ImageExportDirectory
005DF3A7 mov eax,dword ptr ds:[eax+18] ; EAX=000003B5 i.e. number of functions exported
005DF3AA mov dword ptr ss:[ebp+A742369],edx
005DF3B0 inc eax ; Incremented by 1
005DF3B1 add dword ptr ss:[ebp+A741185],edx
005DF3B7 mov dword ptr ss:[ebp+A743F0E],eax ; eax=000003B6 saved ss:[005DF2EC]=000003B6
005DF3BD pushad
005DF3BE mov edi,dword ptr ss:[ebp+A741559]
005DF3C4 mov dword ptr ss:[ebp+A74033D],eax ; eax=000003B6 saved ss:[005DB71B]=000003B6
005DF3CA popad
005DF3CB pop eax
005DF3CC or dword ptr ss:[ebp+A741ED9],ecx
005DF3D2 mov esi,dword ptr ds:[eax+78]
005DF3D5 pushad
005DF3D6 mov edx,dword ptr ss:[ebp+A741E3D]
005DF3DC mov edx,dword ptr ss:[ebp+A740855] ; EDX=D9DA1CE9 Get encrypted DWORD of the API whose address we fetch
005DF3E2 popad
005DF3E3 add esi,1C
005DF3E6 pushad
005DF3E7 mov dword ptr ss:[ebp+A7407E1],ecx
005DF3ED sub ecx,dword ptr ss:[ebp+A74111D]
005DF3F3 popad
005DF3F4 add esi,dword ptr ss:[esp+24] ; ESI points to first function
005DF41C lods dword ptr ds:[esi]
005DF430 add eax,dword ptr ss:[esp+24] ; EAX=7C802654
005DF435 stos dword ptr es:[edi] ; Store it: eax=7C802654 & es:[edi]=[005DD52B]=7C802654

F7 slowly & we'll reach here:

005DF531 dec dword ptr ss:[ebp+A743F0E] ; ss:[ebp+A743F0E] = ss:[005DF2EC]=000003B6 saved @ 5DF3B7, see above
005DF537 cmp dword ptr ss:[ebp+A743F0E],0 ; Have we finished with all functions? Obviously not
005DF53E jnz short 005DF550
005DF540 mov dword ptr ss:[esp+1C],0
005DF548 lea esi,dword ptr ss:[ebp+A744394]
005DF54E jmp esi
005DF550 push esi
005DF551 lods dword ptr ds:[esi]
005DF552 add eax,dword ptr ss:[esp+28] ; EAX=7C804B73 ASCII "ActivateActCtx"
005DF556 xchg eax,edi
005DF557 mov ebx,edi
005DF559 mov al,byte ptr ss:[ebp+A741A25] ; Here take the first byte of the function name we are searching for: 'L', i.e. hex 0x4C
005DF55F test al,al
005DF561 je short 005DF567
005DF563 cmp al,byte ptr ds:[edi] ; Compare the byte with the function name in EDI, which is "ActivateActCtx", byte 'A'
005DF565 jnz short 005DF5B3 ; Not equal and the jump is taken, which pops esi & adds 4 to esi to loop back to 005DF531

So basically what it does is get a byte of the function name & check it against the required one, 'L' in this case. If the byte matches we'll reach below:

005DF567 push edi ; So we'll put a breakpoint here (F2 & F9 to reach here). Save function name on stack
005DF568 xor al,al
005DF56A scas byte ptr es:[edi]
005DF56B jnz short 005DF56A
005DF56D pop esi
005DF56E sub edi,ebx ; Function length in EDI
005DF570 push edx
005DF571 cld
005DF572 xor ecx,ecx
005DF574 dec ecx
005DF575 mov edx,ecx
005DF577 xor eax,eax
005DF579 xor ebx,ebx
005DF57B lods byte ptr ds:[esi] ; Load byte in EAX
005DF57C xor al,cl
005DF57E mov cl,ch
005DF580 mov ch,dl
005DF582 mov dl,dh
005DF584 mov dh,8
005DF586 shr bx,1
005DF589 rcr ax,1
005DF58C jnb short 005DF597
005DF58E xor ax,5041
005DF592 xor bx,5449
005DF597 dec dh ; dh=counter
005DF599 jnz short 005DF586
005DF59B xor ecx,eax
005DF59D xor edx,ebx
005DF59F dec edi
005DF5A0 jnz short 005DF577
005DF5A2 not edx
005DF5A4 not ecx
005DF5A6 mov eax,edx
005DF5A8 rol eax,10
005DF5AB mov ax,cx
005DF5AE pop edx
005DF5AF cmp edx,eax ; Encrypted compare: EDX=D9DA1CE9 loaded @ 005DF3DC (see above) with EAX=D4DA1FC7
005DF5B1 je short 005DF5C2 ; If equal take this JE
005DF5B3 pop esi
005DF5B4 add esi,4 ; Increment ESI by 4, get the next function
005DF5B7 inc dword ptr ss:[ebp+A74198D]
005DF5BD jmp 005DF531 ; Loop to 5DF531
005DF5C2 pop esi ; ESI=LoadLibraryA
005DF661 add eax,dword ptr ss:[esp+24] ; EAX=7C801D77 = LoadLibraryA
005DF69D mov dword ptr ss:[esp+1C],eax ; Save it on stack
005DF772 mov byte ptr ss:[ebp+A741A25],0 ; ss:[005DCE03]=4C ('L') Clear it so that another function byte can be put there

VM stuff I need to dig into:

00643510 push 0A7A82B2
00643515 jmp 005F5F39
0064351A push 0A7A8357
0064351F jmp 005F5F39
00643524 push 0A7A84D5
00643529 jmp 005F5F39
0064352E push 0A7A8720
00643533 jmp 005F5F39
00643538 push 0A7A87AC
0064353D jmp 005F5F39
00643542 push 0A7A88F1
00643547 jmp 005F5F39
0064354C push 0A7A89A4
00643551 jmp 005F5F39
00643556 push 0A7A8D48
0064355B jmp 005F5F39
00643560 push 0A7A8E5B
00643565 jmp 005F5F39
0064356A push 0A7A8F91
0064356F jmp 005F5F39
00643574 push 0A7A9011
00643579 jmp 005F5F39

Clear all hardware breakpoints & reload the program. Now set a hardware breakpoint @ 5DF5C2 & let the program run. We'll see the function names getting checked. Keep it running & we'll get an error at 6591C1, so we'll put a hardware breakpoint there as well & make it run. When we land at 6591C1 I just nop it & let the program execute. We break again at 5DF5C2 & see some more functions. Make it run by pressing F9 & the program terminates, because we have to bypass the hardware ID checks, which I need to dig into. Clear all hardware breakpoints & reload the program. Set a hardware breakpoint @ 66CEE7:

0066CEE1 push dword ptr ss:[ebp+A7D07EB] ; ntice.sys ; Iceext.sys ; Syser.sys ; HanOlly.sys ; extrem.sys
0066CEE7 call dword ptr ss:[ebp+A7D07EF] ; kernel32.lstrcmpiA

What I guess is it checks whether iceext.sys or syser.sys or HanOlly.sys or extrem.sys is found or not. It checks against almost all drivers of the system. Anyway, a breakpoint on 66CF7F gets you out after all the checking.

0066D0F1 call dword ptr ss:[ebp+A741F99] ; Kernel32.dll ???? need to dig
005F4A2B jmp dword ptr ds:[edi+eax*4] ; Don't understand yet; ZwTerminateProcess terminates our process

So now you all know what I know about this target. Will update when I find more for this target. Cheers, Lorens! Edited August 28, 2009 by ZenLoren
qingyang2005 Posted August 28, 2009
Ask only things about the unpackme plz. Thank you very much.
ZenLoren Posted August 29, 2009 (edited)
Hi All, one question to all here: does anybody benefit from this type of posting? If yes let us all know. I need to know who all are working on this target. Frankly, reading 3 pages there was nothing an individual can learn from this new unpackme. Come on guys, throw in your findings & comments, we are here to learn + share. Some more findings. This time: how we reach EAX=5DF2F6 & where it loads the bytes of the function name.

0068364F lea eax,dword ptr ss:[ebp+A7E707C] ; EAX = GDI32.dll module name
00683655 nop
00683656 push eax ; Save on stack
00683657 nop
00683658 call dword ptr ss:[ebp+A7429B5] ; kernel32.LoadLibraryA
0068365E mov dword ptr ss:[ebp+A7E7131],eax ; Save address on stack
00683664 lea esi,dword ptr ss:[ebp+A7E7086] ; Get function name
0068366A push eax
0068366B mov dword ptr ss:[esp],esi ; Save on stack
0068366E push dword ptr ss:[ebp+A7E7131]
00683674 call dword ptr ss:[ebp+A742C95] ; kernel32.GetProcAddress
0068367A mov dword ptr ss:[ebp+A7E7135],eax ; Save address of function
00683680 lea esi,dword ptr ss:[ebp+A7E7097] ; Get another function name
00683686 push eax ; WinLicen.00682447
00683687 mov dword ptr ss:[esp],esi ; WinLicen.00688F6E
0068368A push dword ptr ss:[ebp+A7E7131]
00683690 call dword ptr ss:[ebp+A742C95] ; kernel32.GetProcAddress
00683696 mov dword ptr ss:[ebp+A7E7139],eax ; Save it

So we see some routine for GDI32.dll & its function names getting saved. Now below it will fetch the encrypted function:

006836EE mov byte ptr ss:[ebp+A741A25],52 ; Byte 'R' i.e. 0x52
006836F5 push 2CAFAC1B
006836FA add dword ptr ss:[esp],6A99B6D8
00683701 push dword ptr ss:[ebp+A7404B1] ; USER32.77D40000
00683707 lea eax,dword ptr ss:[ebp+A743F18]
0068370D call eax ; EAX = 005DF2F6, SEE above post where we have set our hardware breakpoint
0068370F mov dword ptr ss:[ebp+A7E70E1],eax ; Save it
00683715 mov byte ptr ss:[ebp+A741A25],43 ; Prepare for the next function, this time with byte 'C'
0068371C call 00683725 ; WinLicen.00683725
006839F7 mov dword ptr ss:[ebp+A7E7121],eax
006839FD jmp 006840AC ; Finished with User32.dll & jmp

How did I find the above code? I set a hardware breakpoint @ 00659D45; I guess it's some type of return from the VM to real code. Return 2-4 times on this breakpoint & you'll land at 68364F. One more finding @ 66BEC7: it gets the driver names ntice.sys, iceext.sys ..... Ok, one more thing found:

:00661E6B cmp edx, eax ; Encrypted compare at another location. You need to check 005DF5AF in the above posting
:00661E6D jz short loc_661E7E
:00661E6F
:00661E6F loc_661E6F: ; CODE XREF: :00661E21j
:00661E6F pop esi
:00661E70 add esi, 4
:00661E73 inc dword ptr [ebp+0A74198Dh]
:00661E79 jmp loc_661DD2 ; Loop
:00661E7E
:00661E7E pop esi ; Function name

More when I find something new. Cheers, Lorens. Edited August 29, 2009 by ZenLoren
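The two posts above describe the protector's import resolver: the caller stores the first letter of the wanted API in a byte slot, builds a 32-bit comparand as push imm32 / add [esp],imm32, then a loop walks the module's export name table, skips names whose first byte differs, runs each remaining name through a carry-coupled shift register and stops on the first hash match. This is the same "resolve imports by hash, never by plaintext name" pattern an analyst meets in malware loaders, and the practical defensive use is the reverse direction: precompute hash -> name over a known export list so constants like D9DA1CE9 can be labelled. The Python below is an added example written for this thread, not code from the target or from any poster; it is a reconstruction of the listing at 005DF531-005DF5AB (polynomials 5041/5449 taken from 005DF58E and 005DF592) and has not been checked against the real binary, so the only asserted hash value is the single-byte input "L", worked through the listing by hand. The export name list is constructed, not a real kernel32 table.

```python
"""Reconstruction of the export-name hash and the lookup loop described in the
posts above.  Added example for this thread; not code from the WinLicense
target or from the thread's authors, and inferred from the posted disassembly
rather than verified against the binary."""

from typing import Dict, Iterable, Optional

# Constants from the listing at 005DF58E (xor ax,5041) and 005DF592 (xor bx,5449).
POLY_AX = 0x5041
POLY_BX = 0x5449


def name_hash(name: bytes) -> int:
    """Mirror of 005DF570-005DF5AB.

    ecx and edx start at 0xFFFFFFFF.  For every byte, AL is xored with CL, the
    byte window (cl, ch, dl) slides by one, DH is reused as an 8-round counter,
    and AX/BX run through a shift register whose feedback is driven by the bit
    shifted out of AX.  The result is rol(~edx,16) with its low word replaced
    by ~cx (005DF5A2-005DF5AB).
    """
    if not name:
        # With edi=0 the 'dec edi / jnz' at 005DF59F would never terminate.
        raise ValueError("empty names are not hashed by the original loop")
    ecx = 0xFFFFFFFF
    edx = 0xFFFFFFFF
    for byte in name:
        cl, ch = ecx & 0xFF, (ecx >> 8) & 0xFF
        dl, dh = edx & 0xFF, (edx >> 8) & 0xFF
        al = byte ^ cl            # lods byte / xor al,cl
        cl, ch = ch, dl           # mov cl,ch ; mov ch,dl
        dl, dh = dh, 8            # mov dl,dh ; mov dh,8  (DH is the counter)
        ax, bx = al, 0            # eax/ebx were zeroed, only AL carries data
        while dh:
            cf = bx & 1           # shr bx,1 -> CF = old bit 0 of BX
            bx >>= 1
            out = ax & 1          # rcr ax,1 -> CF = old bit 0 of AX
            ax = (ax >> 1) | (cf << 15)
            if out:               # jnb skips both xors when that CF is clear
                ax ^= POLY_AX
                bx ^= POLY_BX
            dh -= 1
        ecx = ((ecx & 0xFFFF0000) | (ch << 8) | cl) ^ ax   # xor ecx,eax
        edx = ((edx & 0xFFFF0000) | (dh << 8) | dl) ^ bx   # xor edx,ebx
    edx ^= 0xFFFFFFFF                                       # not edx
    ecx ^= 0xFFFFFFFF                                       # not ecx
    eax = ((edx << 16) | (edx >> 16)) & 0xFFFFFFFF          # mov eax,edx ; rol eax,10
    return (eax & 0xFFFF0000) | (ecx & 0xFFFF)              # mov ax,cx


def stub_hash(pushed: int, added: int) -> int:
    """The caller at 006836F5/006836FA builds the comparand as
    'push imm32 ; add [esp],imm32'; recover it from the two immediates."""
    return (pushed + added) & 0xFFFFFFFF


def resolve(export_names: Iterable[bytes], first_byte: int, wanted: int) -> Optional[bytes]:
    """Mirror of 005DF531-005DF5C2: walk the export name table in order, skip
    names whose first byte differs (005DF563; a filter byte of 0 disables the
    check, 005DF55F/005DF561), hash the rest, stop at the first match."""
    for name in export_names:
        if first_byte and name[0] != first_byte:
            continue
        if name_hash(name) == wanted:
            return name
    return None


def label_table(export_names: Iterable[bytes]) -> Dict[int, bytes]:
    """Analyst helper: hash -> name over a known export list, so constants
    pulled from the unpacked code (e.g. D9DA1CE9 at 005DF3DC) can be named."""
    return {name_hash(n): n for n in export_names}


# Constructed sample export list for the demonstration (not a real table).
SAMPLE_EXPORTS = [b"ActivateActCtx", b"lstrcmpiA", b"LoadLibraryA", b"LoadLibraryW"]

if __name__ == "__main__":
    want = name_hash(b"LoadLibraryA")
    print(f"hash(LoadLibraryA) = {want:08X}")
    print("resolved:", resolve(SAMPLE_EXPORTS, ord("L"), want))
    print(f"comparand built at 006836F5: {stub_hash(0x2CAFAC1B, 0x6A99B6D8):08X}")
```

Because the feedback only ever depends on the bit leaving AX, the BX half loses its own low bit every round, so the map is not injective and two names can in principle collide; labelling from a table should therefore be treated as a strong hint to confirm against the resolved address, not as proof.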
quosego Posted August 29, 2009
Very interesting, ZenLoren. Definitely useful; also, if you wish to unpack this one, an understanding of the import routines is important since there's a faulty HWID trigger in there.. Which should not be that hard to find and kill now, once you get past the actual checks. Try to find the actual decisions before the messagebox and check the VM there to bypass the HWID.
ZenLoren Posted August 30, 2009
Hi quosego, first accept my compliments: "You are one of the smart RE learners." If any of your close friends is there beside you, tell him/her to pat you on the back on my behalf. Good work! Thank you for your comments. I am already searching for the routine & I feel I have to manually trace many, many VM calls going in & coming out. Finding the check is like a needle in a haystack of VM routines.
> Try to find the actual decisions before the messagebox and check the VM there to bypass the HWID.
I don't get any messagebox when I trace through Olly; the program just exits. At this current moment I am clueless. Lame request from my side: offset hint pls, because this is not the end. I have to find the anti-dumping routines so it dumps well for all of us, a big task, rebuild the IAT, & in the end it should execute properly; finally share it with the world so that others can handle upcoming versions. Cheers, Lorens!
EvOlUtIoN Posted August 30, 2009 (Author)
zenloren, you don't have to trace the VM very much... you only have to do it in a smart way; also comparing this target with an older one can be a good idea.
hypa Posted August 30, 2009 (edited)
> One question to all here: does anybody benefit from this type of posting? If yes let us all know. I need to know who all are working on this target. Frankly, reading 3 pages there was nothing an individual can learn from this new unpackme. - ZenLoren
> Sorry to say guys but my methods will stay private, oreans has proven its resilience once more. This time enough to keep this out of the public for a while. - quosego
Only ~4 people here can do it and they all share that perspective. It could also be that release teams watch ARTeam, Woodmann, and Tuts4you and the later versions of TM/WL and EXECryptor are the only ones not being inline patched in the wild. Most 'reversers' who do stuff for release teams do so off other people's efforts. Also, since this will be my last post here, and likely deleted: I'm 1/3 of the Americans just in this thread alone on these forums; the other two are using flags from another country or those are proxy gateways.... it is what it is. Edited August 30, 2009 by hiya
quosego Posted August 30, 2009 (edited)
> One question to all here: does anybody benefit from this type of posting? If yes let us all know. I need to know who all are working on this target. Frankly, reading 3 pages there was nothing an individual can learn from this new unpackme. - ZenLoren
> Sorry to say guys but my methods will stay private, oreans has proven its resilience once more. This time enough to keep this out of the public for a while. - quosego
> Only ~4 people here can do it and they all share that perspective. It could also be that release teams watch ARTeam, Woodmann, and Tuts4you and the later versions of TM/WL and EXECryptor are the only ones not being inline patched in the wild. Most 'reversers' who do stuff for release teams do so off other people's efforts. Also, since this will be my last post here, and likely deleted: I'm 1/3 of the Americans just in this thread alone on these forums; the other two are using flags from another country or those are proxy gateways.... it is what it is.
Why would your post be deleted?? I see no obscene language or any insults. No crack request or anything else.. Also WL/TM is often inlined by SnD and execryptor often inlined by {res}. If other release teams wish to learn from that, no problem.. Those patches hold all the info to circumvent WL licensing. The is_registered dwords have been documented and some antidumps as well.. Patching the TM/WL crc is a piece of cake as well.. It is beyond me why not many people actually put the pieces together.. Especially 0day, they should have the skill. I'd be glad to help people on the way, but most simply never get beyond the "gimme script to do it wtf omg etc." stage.. As for ZenLorens, I've got no problem helping him. He's one of the few who are actually motivated enough to do it old school, how it should be. Seems there are simply not many of those. @ZenLorens, everything is decided using the cmp ecx,eax VM handler. To find it, search in the VM for cmp ecx,eax / pushfd. Edited August 30, 2009 by quosego
ZenLoren Posted September 1, 2009 (edited)
Hi All, from today our real work for this protection starts. Till now we have just scratched the surface & understood how things work inside: how it extracts API names, where it loads the .sys file checking etc. etc.. If you were a victim of the program getting closed without showing any MessageBox, the small script below will explain why it does so. Once you execute the script below it will cry with a MessageBox, overwriting your clipboard content with some numbers.
EvOlUtIoN:
> you have only to do it in a smart way, also compare this target with an older one can be a good idea.
Thank you for your kind advice; see the script below, I am learning smart ways. I will try to use smart ways now!
hiya:
> Only ~4 people here can do it and they all share that perspective.
Great to know that at least 4 people can finish it. Sooner or later it will be more. The initiating process has been made.
> Most 'reversers' who do stuff for release teams do so off other peoples efforts.
Leave them aside, don't waste energy thinking of them, who cares?
quosego:
> everything is decided using the cmp ecx,eax VM handler
Thanks for the tuts which you have released. I'll be reading them today. Hope I manage this target easily with your above hints. The target has just loaded; now I'll dig into cmp ecx,eax & post my findings soon. Cheers, Lorens

/*
Script made while studying Themida/WinLicense targets ver 2.0.8.0
http://forum.tuts4you.com/index.php?showtopic=20020
What's the use? Nothing for the time being. If you load this target & don't see the MessageBox pop, it will help you understand why it did not.
While learning I wanted to narrow down the target so that we can focus on more important things. My concern was why it was closing before reaching the MessageBox.
Finally came to know that it was able to find some of the tools of REs & was silently routing me to ExitThread.
Shameless advt. by Lorens
*/
var save_edx   // save EDX in this variable
var save_esi   // save ESI in this variable
var sys_names  /* sys_names will hold the address which, when the program runs, points to ntice.sys, iceext.sys ... */

bphws 661E7E, "x"   // set hardware breakpoint on execution @ 661E7E
bphws 6591C1, "x"   // set hardware breakpoint on execution @ 6591C1
bphws 5DF5C2, "x"   // encrypted compare matched, ESI = function name
bphws 66BECB, "x"   // EAX = ntice.sys
esto

L1:
cmp edx, 8E726969
jz 1st_time         // ExitThread
cmp eip, 6591C1     // check if eip = 6591C1 because we have to nop it for execution
jz nopit
cmp eip, 66BECB
jz change_sys_names
mov save_edx, edx   // logging EDX
log save_edx
mov save_esi, esi   // logging ESI
log save_esi
esto
jmp L1

1st_time:
mov save_edx, edx
log save_edx
mov save_esi, esi
log save_esi
esto
jmp L1

nopit:
mov [eip], 9090     // nop it
esto                // let the program continue
jmp L1

change_sys_names:
mov sys_names, eax  /* EAX points to ntice.sys the first time you reach here; the next time it will point to iceext.sys. Keep breaking here & see what all it checks. They have not left anything: it will search for ntice.sys | iceext.sys | Syser.sys | HanOlly.sys | extrem.sys | FRDTSC.SYS | Filem | REGMON | regsys | sysregm | PROCMON */
mov sys_names, sys_names   // points to EAX
mov [sys_names], 31313131  // patch it with "1111"
esto                       // let it continue
jmp L1

END:
ret

Edited September 1, 2009 by ZenLoren
ZenLoren Posted September 2, 2009
Hi All, just wanted to ask: if we have the number, i.e. the HWID of the machine on which it was protected, & if we FEED the program with the same number, will it accept it? Anybody tried or thought of it?
EvOlUtIoN: Can you provide me with your machine HWID? ????-????-????-????-????-????-????-????
Cheers, Lorens
EvOlUtIoN Posted September 2, 2009 (Author)
It is useless for various reasons; one is that the key is not for my machine. And the other is that a key is not really needed.
quosego Posted September 2, 2009
> Just wanted to ask: if we have the number, i.e. the HWID of the machine on which it was protected, & if we FEED the program with the same number, will it accept it? Anybody tried or thought of it?
I'm convinced it can be done, but not easily.. Since I've attempted this from the start in older versions. Never succeeded; you can't just copy over the hardware ID where it is stored. There's a secondary calculation in the VM I've never found. q.
ZenLoren Posted September 2, 2009
Hi quosego, thanks for the clarification. I have dug out a routine where it decrypts & stores the Machine ID & then, for display, copies it to another location for the MessageBox, I guess. See below for this target. Load the attached script & put a breakpoint on line no. 47. Let the script run & you'll be at a breakpoint at 6D175E. Yes, I have read your tutorial & was trying to find the routines for {Variable_1} & {Variable_2}; I have not managed to find them yet, but it has benefited me in finding some interesting routines. Set a breakpoint on 6B1562, i.e. below, & let the program run (F9); we land here soon. First time we land here:

6B1562 call eax ; EAX=6B1110 ; this routine checks which type of license it is, SND.dat files etc. etc..

Press F9 a few times so that we reach our breakpoint again:

6B1562 call eax ; EAX=6AF63D Now we trace with F7

006AF63D push ebp
006AF63E mov ebp,esp
006AF640 pushad
006AF641 mov ecx,8 ; ECX=8, 2 dwords at a time
006AF646 mov edi,dword ptr ss:[ebp+C] ; EDI=6EEDF9, the generated Machine ID will be stored here
006AF649 mov ebx,dword ptr ss:[ebp+8] ; EBX=105A6BFF
006AF64C jmp 006AF65F ; Will take the jump
006AF651 rol ebx,4 ; some maths begins
006AF654 mov eax,ebx
006AF656 and al,0F
006AF658 call 006AF66F
006AF65D stos byte ptr es:[edi] ; first byte of Machine ID stored
006AF65E dec ecx
006AF65F or ecx,ecx ; is ECX=0?
006AF661 jnz 006AF651
006AF667 mov al,0
006AF669 stos byte ptr es:[edi]
006AF66A popad
006AF66B leave
006AF66C retn 8

We'll break 4 times here & we get the Machine ID, & if we look at the content at the start of EDI=6EEDF9 we see our Machine ID stored. Later on the program overwrites the above code & copies the ID & makes a presentable format, I mean ????-????-????-????-????-????-????. Here, if we put in the original ID, what can the output be: will it accept it or not?
I have one more question: if the program gets to this stage, does it know I have not been able to find & patch the {Variable_1} & {Variable_2} that you discuss in your tuts? OR is this part of the flow & the Variable_1 and Variable_2 compares will come later? Awaiting your valuable input.
EvOlUtIoN: Thank you for your input as well.
Cheers, Lorens
log2-script.txt
Loveless Posted September 2, 2009 (edited)
Just because you're American doesn't mean you can't RE. It helps to get a job involving REing, so you're legally covered. FBI: Y U DISASM TEH THEMIDAZ!?!?!? ME: IT WAS FOR WEH WORKS!!!!111 ach, he deleted his post. Edited September 2, 2009 by Loveless
ZenLoren Posted September 7, 2009 (edited)
Hi All, I have read & searched the tuts by Deathway and Quosego, extremely good, some good postings as well, but I am still not able to make or find the checks so that I can go ahead with the unpacking. Got stuck. Anybody ready to throw your knowledge in here? What's found? There is an interesting posting in this thread by sfs. See below:

006B16DF TO PUSH 0A81731A
006C138A TO PUSH 0A828F79
0071FE83 TO PUSH 0A88A991
0074C2AC ??

I'll try to explain what that means, but what it does & how it's found is still not understood. But it's interesting.

---> 006B16DF TO PUSH 0A81731A will not terminate the app..
006B16DF push 0A816B60 <--- here assign the value of 6B16F8
006B16E4 jmp 005F5F39
006B16E9 push 0A8171CC
006B16EE jmp 005F5F39
006B16F3 push 0A81731A <--- assigning this push to 06B16DF
006B16F8 jmp 005F5F39

---> 006C138A TO PUSH 0A828F79
006C138A push 0A826E5D <--- here assign the value of 6C13F8
006C138F jmp 005E3B27
006C13F8 push 0A828F79 <--- assigning this push to 6C138A
006C13FD jmp 005E3B27

---> 0071FE83 TO PUSH 0A88A991
0071FE83 push 0A8857E7 <--- here assign the value of 71FF4B
0071FE88 jmp 005F5F39
0071FF4B push 0A88A991 <--- assigning this push to 71FE83
0071FF50 jmp 005F5F39

So what it does is assign the last value of the push/jump at the known locations. Now how it is found & how it benefits is still NOT known to me. Also, after applying the patches the program does not execute.

00746C70 push 0A8AF726 ; Shows MessageBox with your HardwareID
00746C75 jmp 005F5F39
00746C7A push 0A8AF877 ; Close the program
00746C7F jmp 005F5F39

Is this the Is_Register DWORDS @ 5D5BA7 B9 A5 86 85? More till I get past this messagebox. Cheers, Lorens. Edited September 7, 2009 by ZenLoren
EvOlUtIoN Posted September 8, 2009 (Author)
To execute it you need more... not much more indeed.
ZenLoren Posted September 9, 2009
EvOlUtIoN:
> To execute it you need more... not much more indeed.
Could not understand what you are saying here. Is this the Is_Register DWORDS @ 5D5BA7 B9 A5 86 85? Cheers, Lorens
quosego Posted September 9, 2009

006046E0 3BC8 CMP ECX,EAX

EAX 1AE21EEA
ECX 26A001C9
EDX 005DB537 WinLicen.005DB537

EAX 46C571D2
ECX 46C571D2
EDX 005DE3E3 WinLicen.005DE3E3

Hmm, 5D5BA7 doesn't seem to be an is_registered location.
ZenLoren Posted September 9, 2009 (edited)
Hi quosego, please accept a big thank you from my side. You made my day showing all the needed things. You guys rock! Thank you for your thorough research and clear writing. Now I can proceed further. Cheers, Lorens. Edited September 9, 2009 by ZenLoren
EvOlUtIoN Posted September 9, 2009 (Author, edited)
Now you have the solution in your hands... To be honest the help was too much... you won't learn much this way. Edited September 9, 2009 by EvOlUtIoN
What Posted September 10, 2009
> To be honest the help was too much... you won't learn much this way.
Well, at least Loren is trying; the help could also lead to figuring out why, if one were to build upon it.
ZenLoren Posted September 10, 2009
EvOlUtIoN,
> To be honest the help was too much...
OK, agreed, but at some point we require pointers to go ahead; that's exactly what quosego has done. Also, as we all know, VMs pose a challenge because they severely dilute the value of existing tools: VM parsing / dispatching code over and over again, we see and return to the same code again & again, a very tedious & slow-moving process.
> you won't learn much this way.
I am already learning & sharing as well. Also this is just a surface scratch; there will be more things to come: dump properly, find the VM entry, find the anti-dump, CRCs plus many goodies, and what's this, they are copying the whole file elsewhere in the process address space and executing the code there. I'll go back to work for more, stay tuned. Thanks once again, quosego, for helping me move forward. Cheers, Lorens