[unpackme] HSN.C3r protector 1.00 UnpackMe

[quosego]

Well antidebug worked fine on my win7. No simple plugins just made it run..

[Ronar22]

Tested today on win xp sp2 with the configurations above and the antidebug worked well however it can be bypassed using the above config. plus this script

Mov [10001],1,1
Mov [10780],00000000
Mov [10B40],00000000

Edited December 12, 2010 by Ronar22

[LCF-AT]

Hi,

@ HSN.C3r

"It seems this Anti debug is not compatible with some Operating Systems"

Yes it seems so.

So your new file does nothing if you want to start it [doubleclick].

Normaly it should run.

Also testet on XP SP2.

EDIT: Hhmmmm,ok!Just set your unpackme to Win98 com.mode in the registercard and then it runs.

greetz

Edited December 12, 2010 by LCF-AT

[Apuromafo]

sub_1)now i see that is a dword and not a bytes is difficult analizate

setup:

ollydbg 1.1 original ollydbg.de

strong od-> updated normal configuration

starting

places to study:

dword 0) 0047B992 26:890439 MOV DWORD PTR ES:[ECX+EDI],EAX

eax=00284F68
0047CFFC->decipher place [0047CFFC]=2FCEE7DF
key ebx:0D0596789
encriptation template:
00475A01   03C3             ADD EAX,EBX
end loop:
0046FA90   0F85 F9CB0000    JNZ Copia_de.0047C68F
[b]0046FA96   E9 F31D0000      JMP Copia_de.0047188E[/b]
size ecx:0000E550

dword 1) 004850B7 26:890439 MOV DWORD PTR ES:[ECX+EDI],EAX

key ebx->90998752
encriptation template:
00489E1D   03C3             ADD EAX,EBX
0048B54C->decipher place [0048B54C]=700C0A16ending loop
0047DAD6   0F85 3F010000    JNZ Copia_de.0047DC1B
[b]0047DADC   E9 DA6C0000      JMP Copia_de.004847BB[/b]

dword 2) here are.. my olly not handle good the values for

00497860 26:890439 MOV DWORD PTR ES:[ECX+EDI],EAX

ebx->74AE8661  
eax write:133E17EB
method:
0048D972   33C3             XOR EAX,EBX

place that decript :0048B54C size:0000E604

->using script in this point

var addr
var dir1_key1_ebx
var dir1_eax
mov dir1_eax,133E17EB
mov dir1_key1_ebx,74AE8661
mov addr, 00497860
bphws addr,"x"
eob lbl0
run
lbl0:
bphwc addr
MOV R_EDI,edi
MOV R_EDX,edx
MOV R_EBL,ebx
MOV R_ECX,ecx
eval "{DESENCRIPTADOR} sobre: DIRECCION {R_EDI} tamaño {R_EDX} key {R_EBL}"
LOG $RESULT
cmp R_ECX,0
jne patch
MOV eax,133E17EB
patch:
mov ebx,dir1_key1_ebx
JMP RET
RET:
ret

4)004BE06E 26:890439 MOV DWORD PTR ES:[ECX+EDI],EAX

now other code..

var addr
var dir1_key1_ebx
var dir1_eax
mov dir1_eax,6B4B3868
mov dir1_key1_ebx,C38EE6B3
mov addr, 004BE06E 
bphws addr,"x"
eob lbl0
run
lbl0:
bphwc addr
MOV R_EDI,edi
MOV R_EDX,edx
MOV R_EBL,ebx
MOV R_ECX,ecx
eval "{DESENCRIPTADOR} sobre: DIRECCION {R_EDI} tamaño {R_EDX} key {R_EBL}"
LOG $RESULT
cmp R_ECX,0
jne patch
MOV eax,6B4B3868
patch:
mov ebx,dir1_key1_ebx
JMP RET
RET:
ret

this was when was try to desencript..searching with xor with 1617669 /17669c58 and searching more repeated.. (hours)

004CBEBC->desencr
004CBEC9   16               PUSH SS
004CBECA   17               POP SS                                   ; Modification of segment register
004CBECB   66:9C            PUSHFW
004CBECD   58               POP EAX

now can get some values.

here you null all before code

005710E1 C70401 00000000 MOV DWORD PTR DS:[ECX+EAX],0

and search the new method for iat

XOR EAX,4E2F390A

and can get with the scrtip the iat

wow nice method @Ronar22 :

BPHWCALL
GPA "VirtualAlloc", "kernel32.dll"
BP $RESULT
RUN
BC $RESULT
FINDMEM #8937E94966FEFFE89E84FFFF#
MOV [$RESULT+1],#07#
BPHWS 405bc8, "x"
Run
ret

//005FEA97 8937 MOV DWORD PTR DS:[EDI],ESI

to

//005FEA97 MOV DWORD PTR DS:[EDI],EAX

////

now searching the antidebug (createthread)

00579014 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>

ECX=00032947 (decimal 207175.)

DS:[ESI]=[0058594C]=79 ('y')

ES:[EDI]=[00390000]=00

see this

0012FF98 0012FFBC ASCII "JYX"

maybe some stub to compress?..

sub_2)ataching near oep, work fine, and script are similar that othe but as alwais, you parth of code was of stuff are cero.. (you before oep was clear all code of packer)

sub_3)generic unpacker tport with oep->work in atach mode. but iat must be solved in other way and too work when save the ok iat, work fine

sub_4) nice antidebug list, maybe if have time to analizate or write first must think a time for maybe 1.0.0+1+2, maybe must check some more.

nice

Greetings Apuromafo

Edited January 1, 2011 by Apuromafo

[Apakekdah]

Only version 1.0 can be run on my os

[Apuromafo]

when was decoded, call to

Createthread

0012FFA0   0057BED5  /CALL to CreateThread from 0057BED1
0012FFA4   00000000  |pSecurity = NULL
0012FFA8   00000000  |StackSize = 0
0012FFAC   003B01E1  |ThreadFunction =[b] 003B01E1[/b]
0012FFB0   00000000  |pThreadParm = NULL
0012FFB4   00000000  |CreationFlags = 0
0012FFB8   0012FFBC  \pThreadId = 0012FFBC

if you force to ret18 in my case, and not execute, not have antidebug check and can unpack too..

but in generally entering to this zone of createthread:

start:

003B01E1 55 PUSH EBP

search

MOV DWORD PTR SS:[EBP+C],EAX

when see eax has a decoded value and was trying to use for search the debugger

003E00B4 COND: 0070F650 "LoadLibraryA"

003E00B4 COND: 0070F650 "¾Ê`¾Ù¶H=5fcA"

003E00B4 COND: 0070F650 "user32.dll"

003E00B4 COND: 0070F650 "xo¥5655515"

003E00B4 COND: 0070F650 "VirtualAlloc"

003E00B4 COND: 0070F650 "¾Ê`¾ÙÊ@!Ê@%Ê"

003E00B4 COND: 0070F650 "VirtualFree"

003E00B4 COND: 0070F650 "¾Ê`¾ÙÊ@%Ê@9"

003E00B4 COND: 0070F650 "GetForegroundWindow"

003E00B4 COND: 0070F650 "¡$5556ËJÊ'ö¥¥¥¥¥"

77BD0000 Module C:\MFO\system32\version.dll

003E00B4 COND: 0070F650 "¡$5556ËJÊ'ö¥¥¥¥¥"

003E00B4 COND: 0070F650 "GetWindow"

003E00B4 COND: 0070F650 "¾Ê`¾Ù¾x=Ý"

003E00B4 COND: 0070F650 "IsWindowVisible"

003E00B4 COND: 0070F650 "_9]­ñKÝzôÊʾx="

003E00B4 COND: 0070F650 "GetWindowTextA"

003E00B4 COND: 0070F650 "_9]¥KݼQËʾH"

003E00B4 COND: 0070F650 "lstrlenA"

003E00B4 COND: 0070F650 "_=]5‹µIÝ"

003E00B4 COND: 0070F650 "CharUpperBuffA"

003E00B4 COND: 0070F650 "¾Ê`¾Ù´Ù9755”4"

003E00B4 COND: 0070F650 "GetWindowThreadProcessId"

773A0000 Module C:\MFO\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll

003E00B4 COND: 0070F650 "GetWindowThreadProcessId"

003E00B4 COND: 0070F650 "¾Ê`¾ÙcÊ@=Ý

555¾Å°ÃA݉ÎÊ"

003E00B4 COND: 0070F650 "CreateToolhelp32Snapshot"

003E00B4 COND: 0070F650 "¾Ê`¾Ù¶Ù9c¾@9°Ã@2ÝÙ~ÏʾŸ"

003E00B4 COND: 0070F650 "Module32First"

003E00B4 COND: 0070F650 "¾Ê`¾Ù´Ù155”ù"

003E00B4 COND: 0070F650 "OpenProcess"

003E00B4 COND: 0070F650 "¾Ê`¾Ù¶Ù¾p%"

003E00B4 COND: 0070F650 "TerminateProcess"

003E00B4 COND: 0070F650 "¾Ê`¾Ù¶H=5@<_3Ý‘A"

003E00B4 COND: 0070F650 "ExitProcess"

003E00B4 COND: 0070F650 "¾Ê`¾Ù_Ê]…ÆÝ"

77F40000 Module C:\MFO\system32\shlwapi.dll

003E00B4 COND: 0070F650 "¾Ê`¾Ù_Ê]…ÆÝ"

003E00B4 COND: 0070F650 "lstrcat"

003E00B4 COND: 0070F650 "_=]íx¶I"

003E00B4 COND: 0070F650 "Module32Next"

003E00B4 COND: 0070F650 "¾Ê`¾Ù´Ù155”"

003E00B4 COND: 0070F650 "RtlZeroMemory"

003E00B4 COND: 0070F650 "{aqyygAYoPGZ"

003E00B4 COND: 0070F650 "Sleep"

now ,without the desencriptation(xor method/add)

LoadLibraryA
user32.dll"
VirtualAlloc"
VirtualFree"
GetForegroundWindow"
GetWindow"
IsWindowVisible"
GetWindowTextA"
lstrlenA"
CharUpperBuffA"
GetWindowThreadProcessId"
CreateToolhelp32Snapshot"
Module32First"
OpenProcess"
TerminateProcess"
ExitProcess"
lstrcat"
Module32Next"
RtlZeroMemory"
Sleep"

now the second part is the blacklist if find..close the app and terminate process

OLLY
DBG
DEBUG
[MPU
[CPU
[*C.P.U*
PHANTOM
POISON
MAIN THREAD
DEDE
LORDPE
YODA
IMPORT REC
IMPORTS FIXER
FILE MON
PEID
PEVIEW
REGISTRY MON
W32DASM
API MON
PROCESS VIEW
IDA
OLLYPHANTOM
STRONGOD
POISON
ANALYZETHIS
CODERIPPER
HIDEOD
PEDUMPER
REALIGN
OLLY
PHANTOM
STRONGOD
POISON

when analize all modules start to oep..but the theme is

how bypass this proteccion?

1) nulling the createthread with a ret/ret18 in my pc

2) nulling the call when call to all this but can crash if are recalled (moving 0 value, exeption and crash)

example 2)

search " ADD EAX,0FFFCD888" or add eax,const

the jumping go to a call null the call

003C45CF 90 NOP

003C45D0 90 NOP

003C45D1 90 NOP

003C45D2 90 NOP

003C45D3 90 NOP

and now can unpack at oep..and restore the iat..dump and fix, and now unpacked..but if pass a time..crash..is better null the createthread and solved..hsn unpacked

nice

gretings Apuromafo

Edited January 15, 2011 by Apuromafo