Tuts 4 You

[unpackme] lARP64Pro 1.0.3...


Teddy Rogers


That's gonna be history then now :)

Sorry to disappoint you, but we are ready for x64. -> See attachment.

my dream is real now, I can correct lena151:

Sorry to disappoint you, but your import table is not correct :cupidarrow:

Well, but there is still e.g. Enigma x64 or Themida x64; I don't even have an unpackme for that, and I haven't seen any crack yet.

Edited by Aguila

... your import table is not correct :cupidarrow:

:lol: Hehe, I did this manually, so I repaired only the apis necessary for it to run. I didn't realize you were requesting for more of my 1-hour-a-day-hobby-time to make the full import table completely correct. But if you don't mind, I'm gonna join my family now.

Well, but there is still e.g. Enigma x64 or Themida x64; I don't even have an unpackme for that, and I haven't seen any crack yet.

:lol: :lol: :lol: It's not because you haven't seen something solved that the knowledge isn't available ;) but ... it's your good right to doubt our abilities :lol: :lol:

lena151.


It's not because you haven't seen something solved that the knowledge isn't available

I totally agree with you.

I'm actually not ready to handle x64 targets, but papers on it arrived years ago.

For example this guide http://ntcore.com/files/vista_x64.htm was written more than 5 years ago.

Well, ntoskrnl is not just one among many; he has been (and probably still is) the best ever Italian reverser imho. This proves that x64 has been well known for years; the most important thing is to be interested in new targets, and most reversers are still not interested in it.

So, if one is not able to do a thing, this only means that he is not able to do it, not that the thing is impossible.

Maybe sometimes knowledge has to be reached by ourselves and not by reading papers from others, which is always a good thing, but sometimes not a solution.

I hope I'll have time in the future to study something about the x64 world.


Oh dear Lena!

You shouldn't have mentioned me :cupidarrow:

Honestly I wish I could do a better image, this one makes me embarrassed :crazy:

I was checking the larp64 website but it seems offline :(

If you need any help in the future then I'm ready.

Regards.

I just get "Unregistered Stack" when I run the binary?...

It means that your system is too obviously a cracker's system ;)

An example of when this happens is if you have installed IDA as the JIT debugger, etc. :o

lena151.


Got it, thanks Lena. I don't have time to look at this right now but it's on the todo list for mid-August. Take care :)

Edited by Loveless

@lena151: Can you make a tutorial for unpacking PESpin x64? That would help with learning x64 unpacking.

My tutorialing days are over, but there is no learning required for 64-bit unpacking! Anyone knowing the basics of 32-bit unpacking is ready to go after a 5-minute read about x64 registers and qwords.

Just jump in!

Success!

lena151.


chickenbutt

Hehe, you are right, but perhaps not because of your protection.. Though I will admit it'll prolly take me a while. It's more that I'm steadily losing the capacity to spend continuous hours at cracking something. I had hoped this unpackme would spark my interest some more by taking up the challenge you pose; initially it did and I got slightly cocky ;) but it didn't last.. Strangely it seems the days of cracking for me are passing, I seem to have lost the excitement. Though I had fun, I never spent more than 2 hours on this.. which isn't even enough to get the hang of x64.

Honestly I do not know if I will really take this up.. It wouldn't matter if you'd posted easier versions, it also kinda kills the legend. ;)

I've known exceptionally talented RCE people before who got tired of the big investment in time required. Usually they only become active if something interesting comes around outside of PE protectors.

I also believe the fact you have to use static analysis and trace tools to defeat this protector is the core factor in it going undefeated; someone extremely proficient in RCE would take at least a month to do this, weeks if they didn't have a job to go to. That along with the fact it's not used on valuable targets that get the attention of teams and lurkers..


Well... as an operating environment x64 is great with many possibilities, but for reversing I think there are not so many "user friendly" reversing tools for the moment.

I tried once to approach x64 reversing but I got stuck on the unpleasant interface of the reversing tools. So still on x86...

Edited by GIV

Don't have a lot of time atm, but it doesn't run here (w7sp1x64 vm). Hangs indefinitely somewhere.

What have you done to get this dump? What is oep.dll for?



Strange.


The oep.dll just has the OEP code.


Can anyone help me find where the problem is on his machine?

Edit: found the problem.


Edited by mm10121991

This is very easy to do via static reverse code engineering. Just fire up IDA x64 and trace manually. Though you must be patient, because there is plenty of code rewriting and (not) cool code flow. You could probably write some IDC/Python scripts for automating this once you learn how it works; basically the main thing to keep track of is RSP. The very common code sequence is:


CODE
call redirector
JUNK_BYTES(usually 1-4 bytes)
CODE
ETC.

Those so-called "redirectors" (there are plenty of them) usually contain code which a) inc [RSP] b) add [RSP], OFF c) conditional jump to other redirectors d) final inc [RSP] + retn


* [RSP] = return_address of call


I don't have the idb handy so I can't show you some examples. Once you get to know the inner workings you can do this almost automagically, even though a script will come in handy.


Another helpful pointer I can give you is that there are explicit references to imports and there are some strings embedded in between code...


Of course static analysis is not something you'd do if you must get the dumped file as soon as possible, which is not the case here, so I thought about studying the approach and obfuscation techniques...


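To make the redirector pattern above concrete, here is a small Python model (an added example, not code from this thread or from any of its posters) that tracks [RSP] through a constructed redirector chain, reports where the final retn lands and how many junk bytes it skipped, and produces the NOP bytes that turn the call + junk into plain fall-through. The redirector addresses, the offsets, the jcc outcomes and the 5-byte E8 form of the call are all assumptions.

```python
# Added example: model of the "call redirector / junk bytes" pattern from the post.
# [RSP] starts as the CALL's return address; the chain bumps it with inc/add [RSP],
# hops between redirectors on conditional jumps, and a final retn lands past the
# junk. Addresses, offsets and the 5-byte E8 CALL form are constructed assumptions.

CALL_LEN = 5  # assumption: E8 rel32 CALL into the redirector

# Constructed chain: addr -> [(mnemonic, operand)]; 'jcc' operand = next redirector.
REDIRECTORS = {
    0x496100: [("inc", None), ("jcc", 0x496200), ("inc", None), ("retn", None)],
    0x496200: [("add", 2), ("inc", None), ("retn", None)],
}


def resolve_redirector(call_addr, entry, redirectors, taken, max_steps=256):
    """Return (landing_addr, junk_bytes) for `call entry` placed at call_addr.
    `taken` maps (redirector_addr, index) -> bool: whether that jcc was taken,
    as a tracer would record from the live flags."""
    ret_addr = call_addr + CALL_LEN   # value the CALL pushed at [RSP]
    rsp_val, cur, idx = ret_addr, entry, 0
    for _ in range(max_steps):        # guard against a looping chain
        ops = redirectors.get(cur)
        if ops is None or idx >= len(ops):
            raise ValueError(f"bad redirector {cur:#x} / index {idx}")
        mnem, arg = ops[idx]
        if mnem == "inc":             # inc [RSP]
            rsp_val += 1
        elif mnem == "add":           # add [RSP], OFF
            rsp_val += arg
        elif mnem == "jcc":           # conditional jump to another redirector
            if taken.get((cur, idx), False):
                cur, idx = arg, 0
                continue
        elif mnem == "retn":          # pops the adjusted [RSP] into RIP
            return rsp_val, rsp_val - ret_addr
        else:
            raise ValueError(f"unsupported op {mnem!r}")
        idx += 1
    raise RuntimeError("redirector chain did not terminate")


def fallthrough_patch(call_addr, landing):
    """NOP bytes covering `call redirector` + junk, so the resolved code reads
    as straight-line once patched into a dump."""
    size = landing - call_addr
    if size <= CALL_LEN:
        raise ValueError("landing must lie past the CALL and its junk bytes")
    return b"\x90" * size
```

Feeding the jcc outcomes recorded by a tracer into `taken` resolves each call site to a single landing address, which is what a deobfuscation script would then NOP over.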

Yes, that's true.


You just need to bp those addresses:



.ldata:0000000000496225 jmp qword ptr [rsp-8]
&
.ldata:000000000049676D retn
&
.ldata:000000000049659E jmp qword ptr [rsp-8]

and you can trace it very fast.

But you need to take care of the CRC.

Almost the only hard thing for me in this protector is a lot of CRC + IDA 6.1 does not handle hardware BPs well.


I don't know why I always need to restart the program to activate HWBPs, and to remove them I also need to restart the program in IDA 6.1.


So I used a lot of soft BPs.

Other than that, there is nothing really interesting: some anti-debugging, some easy IAT redirections and some CC replacing that should be defeated easily, and some quite advanced IAT redirections that could be traced.


There is also a little VM for anti-debugging that is also used in the advanced IAT redirection but can be skipped easily.

So, waiting for another unpackme with max protection.


Edited by mm10121991

Doh, looks like I arrived a year and three months late to the party :rudolph:
Attached: lots of things lol
The important ones:
The unpacked and de-nagged file;
x64_dbg scripts to do... things (Pilot.txt -> walk through the stub avoiding the traps; IATPilot.txt -> build an RVA <-> Import Address table to use with the Replace.asm/bin snippet (buggy, didn't take into account the isRETN WORD while writing them); ReplacePilot.txt -> prototype for Replace.asm; Revealer.txt -> used to look for references to the old IAT addresses so that I could fix them with DrunkPilot).
ASM snippets: Replace.asm/bin; DrunkPilot.asm/bin -> used to fix the CALL [qword] redirected by Simple IAT Redirection (that is, the VMless one)
VM.txt: Description of some (most?) of the VM handlers
lARP64 DeVirtualizer folder: what the name says -> throw a VM opcodes table at it and it should spit out some readable assembly in VMLog.txt. The ImageBase field is currently unused.
Strings folder: contains some text files with the names of the WindowNames/ClassNames/processes used during the Anti-Debug phase and some other misc strings.
*.dd64 file: x64_dbg database with a few comments and labeled jumpy calls.
Notes.txt: all of my notes in Italian (might partially or integrally translate them if anyone is interested) with VAs and (usually) brief descriptions. Some make sense, some others were over-edited while debugging and might make me look schizophrenic :saddam:

That's all folks!

lARP64Pro.cleaner.7z

Edited by SmilingWolf

Nice - someone finally did the x64 version.

Impressive SmilingWolf - looks like you enjoyed the project too :)

Yes indeed :)

I was interested in the trophy too - the free licensed copy I read was offered to whoever would have been able to unpack it... but... wait... OMFG I mixed up the information from the lARP 2.0 topic and this one... Ahhahahahhahaa goddamnit I'm literally dying from the laughter because I thought there was a bounty on this one looooooool!!! I'm sorry, just gimme a sec to calm down :P

Ok, ok, back to serious now (a few minutes later and still smiling :P)

I was saying - in part I was interested in the nonexistent trophy, but there was much more involved: it was about stepping up after a couple of years of lame cracking (an activity that I generally respect, but not at the level I was at, in all seriousness) and trying my hand at something tough and new. 64-bit Arma was a nice start to get acquainted with x64 reversing, but the 32-bit version is so well documented it wasn't even a challenge to unpack and inline it, adapting Mr. eXoDia's template.

Then came the undocumented PESpin x64. Really enjoyed reversing it, but it lacked the advancedness of the 32-bit counterpart.

3 weeks ago I tried my hand at lARP 2.0 and I was like "Mein Gott, this is awesome", then I stumbled across this thread (and a similar one on ExeTools) where people observed that the main problem was the lack of proper and user-friendly tools. So I thought "It's 2014, I've solved almost all of the lARPs, I've got x64_dbg and Scylla, so why not?".

I regret nothing :D

In two weeks I traced through a hell of a lot of obfuscated code learning how to see through it, met 13-14 different non-VMed anti-debugging tricks, discovered 2 anti-attach techniques, bypassed countless CRC checks and code en/decryption loops, analyzed a VM and defeated two different kinds of IAT redirection techniques... It was a wonderful journey and I learnt a lot.

Oh, and I discovered Sabaton while working on this baby, too :punk:

So, thanks to lena151 for the unpackmes, Mr. eXoDia et al. for the awesome debugger they're building, Aguila for Scylla and everyone I might have forgotten but who has in some way helped me. This is a result I'm really proud of and I don't know if I would have been able to get this far without all of you :)

Edited by SmilingWolf