Tuts 4 You

[unpackme] UnPackMe Safengine v2.2.1


White


Hi,

don't care about the HWBP stuff if you don't need it.

Did you already debug the protection a little more?

I have the OEP already by looking at the stack, but I think I will learn better if I dissect the code instead of blindly going round and round. The problem I am facing is with memory/hardware breakpoints. I can understand the fault with hardware breakpoints, but even memory breakpoints aren't working for me.


Hi,

ok, so then start to dissect the code till you find the reason and solution. So I think that you don't want to know how to do it, right? And you don't want to hear the solution either, Dr. Conquest? ;)

Anyway, so here is a small preview video where you can see that it's working. :) [No fear, you can't see the solution in it, so you can still dissect the code by yourself till you find it.]

greetz

Shielden DRx Context Patch Preview.rar


You got it the wrong way, LCF-AT. I wasn't trying to defy your solution or something. I was just curious to find out why it isn't working. Fortunately the link provided by kuazi GA helped me a lot to find out the reasons (actually it almost explained everything).


Hi Conquest,

so if you already got it working, why did you ask again yesterday?

Anyway, so if you have it, then all is ok for you now.

greetz

I forgot that there is a site called Google which can translate. So after I wrote those lines, I was able to read the post from pediy. Anyway, thank you for your tricks. They are really helpful for quick unpacking. Beg your pardon if I have offended you somehow.


hi LCF-AT


why did you make a tutorial on quite a different file, not on the unpackme? Personally I was wondering about bypassing the anti-debugging on the newest version from the thread.



 

hi kuazi GA

thanks of course, but I do not understand Chinese; could you translate it into English or write the most important thing here?

thank you

 

My English sucks :no:

a very tiny script: fornicationAnti.txt.rar

1. Load Shielden2030.Sample.exe.
2. At the first stop in KiUserExceptionDispatcher, execute the script.
3. Then you can R/W 401020 :giveup:

PS: Environment: WinXP SP3

You must set a correct ShadowMemBase value in the first line.



Can you upload the executable posted in the pediy thread http://bbs.pediy.com/showthread.php?t=130066&highlight=Safengine ? Since I am not a member there, I can't download it.

 


Hello all

I have a program that is packed with Safengine Shielden 2.0.1. It is a completely free program. I just want people to help unpack it.
Thank you


  • 1 month later...

Hi,

so I use my own script and my MultiASM tracer code. :) On the board I did already post some details about API / IAT fixing, so just have a look around; I don't remember where I posted it [on some Safe/NoobyProtect topic].

So I don't know whether I will do any tutorials about it, as a friend asked me not to release an unpacker for this protection. :)

greetz



Hi LCF_AT

Is your friend the author of the protection (Nooby)?

So we should not wait for a script from you?
Even if the script only took care of the anti-debugging, so one could unpack it oneself.
thank you

@Asian Dragon, @52koukou: It's a hard protection. However, it can be unpacked, as LCF-AT demonstrated, and also by another great unpacker here; I don't remember his name at the moment, but if you trace the posts related to NP or SE, you can see it. Now, you can find some tutorials about unpacking SafEngine on a Chinese forum (do your homework :P); the tutorials were made by cektop and the language obviously is Chinese. Don't know if cektop used older versions of NoobyProtect. But if you pay attention to his tutorials, you'll be on the right way to kill this B#TCH :P.

@LCF-AT: With the greatest respect to you, I don't really agree with your position about not releasing an unpacker for NP or SE, but as you said, it's at a friend's request (maybe the author of the software?). All protections (as far as I know) have been exposed here for learning, e.g. Themida has been unpacked a lot of times. The same goes for Execryptor, VProtect, VMProtect, which are some of the strongest. (As somebody said in another forum) maybe NoobyProtect or SafEngine is just a black cat in a dark room. Don't know if it's really fair to "protect" this program from study and "reverse and dissect" the others; well, it's just my opinion.

Respectfully and best regards.

P.S.: Sorry about my poor English :P



@ converse

No, it's not Nooby. :) I also never had anything to do with Nooby or talked with him, if I remember right.

@ HACKAL

So I think most of us can't handle the Chinese language, so this should be the problem. :) I also can see that much of the created stuff [tools / tutorials etc.] mostly isn't released in English or on English-speaking boards. So I think if the world language is already English then we all should use it, to be international, so that everybody can benefit from the different tools / tuts etc., you know. So I also haven't created any tutorials in German for many years. :) English is also an easy language, easier to learn than other languages, and this is a big advantage for all. Of course it's just my opinion. :)

So maybe you are right with your viewpoint about this protection; I will think a little about it. Thanks for your opinion, and respect to you and all others too, of course.

greetz


@ converse

I'm sorry! If I have time later I will make a tutorial!
In fact, it's not difficult if you have been debugging NP.

:smartass:

PS: Only SE, no NP tutorial! Sorry about that.

 

 


  • 9 years later...
On 2013/9/20 at 2:18 AM, converse said:

> hi kuazi GA
>
> thanks of course, but I do not understand Chinese; could you translate it into English or write the most important thing here?
>
> thank you

 

Allowing Safengine Shielden 2.0.3.0 to be debugged.  by sessiondiy

 

Tested environment:
XP SP2 / SP3
Original OD + StrongOD 0.4.1.716

This shell seems to be very popular recently. The most common complaint is "unable to set breakpoints".
Although the methods used by the shell are not original, they are very damaging when used well.
If we can't set breakpoints when studying a shell, we can only fly around on top of it;
that is not acceptable, it can't be studied that way.

Later, I will provide an attachment (a crackme), which has 8 threads when it runs normally.
Apart from the main thread, all the others are anti-debugging.

At this point, just confirm that your OD can run it through with F9 without any breakpoints set.
Otherwise, check your OD first.

The principle may be understood by looking at the content below.

Start

How do we deal with it after loading it in OD? First, set a software breakpoint (F2) on the first instruction of KiUserExceptionDispatcher, and run (F9).

The first time it breaks: [ESP+8]=80000003.
At this time the module has been shadowed in, and the anti thread has not been created yet.

The second time it breaks: [ESP+8]=80000004.
Look at the CPU window and note down the four values of Dr0~Dr3.
Look at the stack window and note down the value of [ESP+14]. For this sample it is 42F765.

These 5 values are specific to this sample.

Reload in OD...
Break at the first KiUserExceptionDispatcher stop and don't move.
After completing the following five items, you can debug at will.

(1)
Find the shadow of CreateThread in memory:
Ruin it: change the first instruction to ret 18, e.g.:

shadow_CreateThread

00D1FB55   8BFF          mov   edi, edi      ; change to ret 18
00D1FB57   55            push  ebp
00D1FB58   8BEC          mov   ebp, esp
00D1FB5A   FF75 1C       push  dword ptr [ebp+1C]
00D1FB5D   FF75 18       push  dword ptr [ebp+18]
00D1FB60   FF75 14       push  dword ptr [ebp+14]
00D1FB63   FF75 10       push  dword ptr [ebp+10]
00D1FB66   FF75 0C       push  dword ptr [ebp+C]
00D1FB69   FF75 08       push  dword ptr [ebp+8]
00D1FB6C   6A FF         push  -1
00D1FB6E   E8 D9FDFFFF   call  00D1F94C
00D1FB73   5D            pop   ebp
00D1FB74   C2 1800       ret   18

The reason should not need explaining: each anti-debugging option takes up a thread.
(I was inspired by nevsayno's post that there is one thread for each option.)

(2)
Find the shadow of GetThreadContext in memory (same segment as above):

Shadow_GetThreadContext

00D488DD   8BFF            mov     edi, edi
00D488DF   55              push    ebp
00D488E0   8BEC            mov     ebp, esp
00D488E2   FF75 0C         push    dword ptr [ebp+C]
00D488E5   FF75 08         push    dword ptr [ebp+8]
00D488E8   FF15 EA0ED100   call    [D10EEA]
00D488EE   85C0            test    eax, eax
00D488F0   0F8C 57B60000   jl      00D53F4D
00D488F6   33C0            xor     eax, eax
00D488F8   40              inc     eax
00D488F9   5D              pop     ebp
00D488FA   C2 0800         ret     8      ; jmp 00E41F90
00D488FD   90              nop
00D488FE   90              nop
00D488FF   90              nop
00D48900   90              nop
00D48901   90              nop

Change the ret 8 above into a jump to an unused location and add the following code there:

 

00E41F90   50              push   eax
00E41F91   8B4424 0C       mov    eax, [esp+C]
00E41F95   8038 10         cmp    byte ptr [eax], 10
00E41F98   75 16           jnz    short 00E41FB0
00E41F9A   33D2            xor    edx, edx
00E41F9C   8950 04         mov    [eax+4], edx     ; clear Dr0~Dr3
00E41F9F   8950 08         mov    [eax+8], edx
00E41FA2   8950 0C         mov    [eax+C], edx
00E41FA5   8950 10         mov    [eax+10], edx
00E41FA8   52              push   edx
00E41FA9   6A 04           push   4                ; index
00E41FAB   E8 457C9C7B     call   kernel32.TlsSetValue
00E41FB0   58              pop    eax
00E41FB1   C2 0800         ret    8

Reason:
The shell always checks whether the TlsValue is equal to the sum Dr0+Dr1+Dr2+Dr3.
When the shell wants to obtain the Drx values, they are cleared to 0 and the TlsValue is set to 0.

As for the correct index for TlsSetValue, there are many ways to determine it.
For example, you can break on the shadow of TlsSetValue.
In my case, the index used on XP SP2 is 4, and on XP SP3 it is 6.

Note: since this sample only calls Shadow_GetThreadContext when there is an anti-debugger option,
you can overwrite it directly if you don't want to chain in the new code.

(3)
Find the shadow of SetThreadContext in memory:
Change the beginning to:

mov al, 1
ret 8

Reason:
If we don't disable this function, our own hardware breakpoints for debugging might be stolen.

 

(4)
Previously we noted the value 42F765, which is actually in the VM's ds:[imm] handler:

vm.ds:[imm]

-----------------------------------------------------------------

0042F763    8B01      mov   eax, [ecx]      ; jmp 00534FC5
0042F765    8D1C33    lea   ebx, [ebx+esi]
0042F768  ^ 7E B9     jle   short 0042F723
0042F76A  ^ 7F CB     jg    short 0042F737

We need to hook it, jump to an unused location and write the following code there.
The four cmp instructions use the Dr0~Dr3 values we recorded at the beginning.

00534FC5   81F9 C4754000    cmp ecx, 004075C4
00534FCB   74 18            je short 00534FE5
00534FCD   81F9 49754000    cmp ecx, 00407549
00534FD3   74 10            je short 00534FE5
00534FD5   81F9 B4744000    cmp ecx, 004074B4
00534FDB   74 08            je short 00534FE5
00534FDD   81F9 AF744000    cmp ecx, 004074AF
00534FE3   75 09            jnz short 00534FEE
00534FE5   9C               pushfd                    ; \
00534FE6   66:810C24 0001   or word ptr [esp], 100    ;  manually generate the 80000004 exception
00534FEC   9D               popfd                     ; /
00534FED   90               nop
00534FEE   8B01             mov eax, [ecx]            ; restored original instruction
00534FF0   8D1C33           lea ebx, [ebx+esi]        ; restored original instruction
00534FF3 ^ E9 70A7EFFF      jmp 0042F768              ; jump back

Reason:
The shell always puts those four values into Dr0~Dr3 and sets Dr7 to 33335555h.
This means that whenever those four locations are read, an 80000004 exception is generated.
When the shell intentionally reads them, things go wrong if the 80000004 exception doesn't occur.
It's as if the shell set hardware breakpoints to debug itself.

When you break in OD with breakpoints set, before any action that transfers control back to the target,
OD writes the values set by the user (zero, if unused) back into Dr0~Dr3,
so the shell no longer breaks at that point. This is why people say that once you break, no matter what kind of breakpoint,
you won't be able to run normally afterwards.

The 7 threads we killed at the beginning also occupy the Drx in the same way.

 

(5)

Modifying the VM's rdtsc handler

The handler does:

   rdtsc
   sub  ebp, 8
   mov  [ebp+0], edx
   mov  [ebp+4], eax

The original rdtsc handler in the VM looks like this:

00437C98   8D2424   lea esp, [esp]   ; change to xor eax, eax / nop
00437C9B   895500   mov [ebp], edx

We can replace the junk instruction lea esp, [esp] with xor eax, eax / nop (the original instruction occupies 3 bytes).

Reason:
The shell always uses rdtsc.eax to generate the random numbers for memory verification. We have already modified the ds:[imm] handler, and we may set a lot of software breakpoints (CC) later on. By modifying the rdtsc instruction, the shell will only ever verify the first small block.

[Additional]
If you find it difficult to locate vm.rdtsc, you can use any fakerdtsc.sys available out there. However, to avoid being detected by the shell, look for the following opcodes:

00415E0A   9C                pushfd
00415E0B   810C24 00010000   or dword ptr [esp], 100
00415E12   9D                popfd
00415E13   0F31              rdtsc            ; <- nop it

Nopping out this rdtsc instruction achieves the same effect.

Once the above 5 steps are complete, you can debug the shell, the software and the "cloud" as easily as debugging Notepad, and fully analyze this shell.
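The detours in steps (2) and (4) and the Dr7 explanation, as an added example that is not part of sessiondiy's post and not code from Shielden: a small Python helper that computes the relative-branch bytes for those hooks from the addresses in the listings (so they can be checked against the bytes shown there), decodes Dr7 = 33335555h into the per-register breakpoint settings, and models what the 00E41F90 stub does to the shell's "TlsValue == Dr0+Dr1+Dr2+Dr3" check. The TLS index 4, the CONTEXT field offsets, and the "debugger has zeroed the Drx" scenario are assumptions of the model; the addresses, opcode bytes and the four Drx values are taken from the listings above.

```python
"""Patch-byte and DR7 helpers for the Shielden 2.0.3.0 write-up (added example, not the post's code)."""
import struct

# --- relative-branch encoding (the 'jmp 00E41F90' / 'jmp 00534FC5' hooks) ----------------

def _rel(src, dst, insn_len, width):
    """Displacement for a branch that sits at src (insn_len bytes long) and lands at dst."""
    disp = dst - (src + insn_len)
    lo, hi = -(1 << (8 * width - 1)), (1 << (8 * width - 1)) - 1
    if not lo <= disp <= hi:
        raise ValueError(f"displacement {disp:#x} does not fit in {width} byte(s)")
    return disp.to_bytes(width, "little", signed=True)

def jmp_rel32(src, dst):
    """E9 rel32: 5-byte near jmp at src to dst."""
    return b"\xE9" + _rel(src, dst, 5, 4)

def call_rel32(src, dst):
    """E8 rel32: 5-byte near call at src to dst."""
    return b"\xE8" + _rel(src, dst, 5, 4)

def jcc_short(opcode, src, dst):
    """7x rel8: 2-byte conditional jump (0x74 je, 0x75 jnz, 0x7E jle, 0x7F jg)."""
    return bytes([opcode]) + _rel(src, dst, 2, 1)

def jcc_near(opcode, src, dst):
    """0F 8x rel32: 6-byte conditional jump (0x8C jl)."""
    return b"\x0F" + bytes([opcode]) + _rel(src, dst, 6, 4)

def branch_target(src, code):
    """Inverse: where an E8/E9 rel32 or 7x rel8 encoded in `code` at src lands."""
    if code[0] in (0xE8, 0xE9):
        return src + 5 + int.from_bytes(code[1:5], "little", signed=True)
    if 0x70 <= code[0] <= 0x7F:
        return src + 2 + int.from_bytes(code[1:2], "little", signed=True)
    raise ValueError("not a rel8/rel32 branch")

def step2_detour():
    """Bytes replacing 'ret 8 / nop / nop' (C2 08 00 90 90) at 00D488FA with 'jmp 00E41F90'.
    Those five bytes are exactly the room a rel32 jmp needs."""
    return jmp_rel32(0x00D488FA, 0x00E41F90)

def step4_detour():
    """Bytes replacing 'mov eax,[ecx]' (2) + 'lea ebx,[ebx+esi]' (3) at 0042F763 with
    'jmp 00534FC5'; the stub re-executes both displaced instructions before jumping back."""
    return jmp_rel32(0x0042F763, 0x00534FC5)

# --- DR7 decoding -------------------------------------------------------------------------

_RW = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
_LEN = {0: 1, 1: 2, 3: 4, 2: 8}

def decode_dr7(dr7):
    """(local_enable, global_enable, condition, length_bytes) for DR0..DR3.
    Bits 0-7 are L0,G0..L3,G3; from bit 16 each slot has RWn (2 bits) then LENn (2 bits)."""
    out = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        out.append((local, glob, _RW[rw], _LEN[ln]))
    return out

# --- model of the GetThreadContext stub at 00E41F90 (step 2) ------------------------------

TLS_INDEX = 4            # assumption: the XP SP2 index from the write-up (SP3 used 6)
SHELL_DRX = (0x004075C4, 0x00407549, 0x004074B4, 0x004074AF)   # step (4) values
CONTEXT_FULL = 0x10007
CONTEXT_DEBUG_REGISTERS = 0x10010

def make_context(flags, drx):
    """Constructed prefix of a Win32 CONTEXT: ContextFlags at 0, Dr0..Dr3 at 4/8/0Ch/10h."""
    ctx = bytearray(0x1C)
    struct.pack_into("<5I", ctx, 0, flags, *drx)
    return ctx

def shell_drx_check(ctx, tls):
    """The shell's consistency test: TlsValue must equal Dr0+Dr1+Dr2+Dr3 (32-bit wraparound)."""
    return tls.get(TLS_INDEX) == (sum(struct.unpack_from("<4I", ctx, 4)) & 0xFFFFFFFF)

def hook_get_thread_context(ctx, tls):
    """'cmp byte ptr [eax],10' matches only when the low byte of ContextFlags is exactly 10h;
    then Dr0..Dr3 are zeroed and TlsSetValue(TLS_INDEX, 0) is called, so the check still holds."""
    if ctx[0] == (CONTEXT_DEBUG_REGISTERS & 0xFF):
        struct.pack_into("<4I", ctx, 4, 0, 0, 0, 0)
        tls[TLS_INDEX] = 0
    return ctx, tls

def demo():
    """Scenario: OD has rewritten the Drx to zero while TLS still holds the shell's own sum.
    Returns (check result before the stub runs, check result after)."""
    tls = {TLS_INDEX: sum(SHELL_DRX) & 0xFFFFFFFF}
    ctx = make_context(CONTEXT_DEBUG_REGISTERS, (0, 0, 0, 0))
    before = shell_drx_check(ctx, tls)
    hook_get_thread_context(ctx, tls)
    return before, shell_drx_check(ctx, tls)

if __name__ == "__main__":
    print(step2_detour().hex(), step4_detour().hex(), decode_dr7(0x33335555), demo())
```

`step2_detour()` explains why the `ret 8` in the Shadow_GetThreadContext listing is followed by nops: a rel32 jmp needs five bytes, and `C2 08 00 90 90` provides exactly that, which is also why the stub has to end with its own `ret 8`. `step4_detour()` likewise needs five bytes at 0042F763, which is why the stub re-executes `mov eax,[ecx]` and `lea ebx,[ebx+esi]` before jumping back to 0042F768. `decode_dr7(0x33335555)` shows all four slots locally enabled as one-byte read/write breakpoints, matching the post's statement that reading any of the four addresses raises 80000004. `branch_target(0x00E41FAB, bytes.fromhex("E8457C9C7B"))` gives 7C809BF5, which is only what the listed call bytes imply for kernel32.TlsSetValue on the author's machine, not a general address.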
