GIV Posted April 8, 2014 Thanks LCF-AT. I'm looking forward to a SE Ultra Unpacker LOL. Offtopic: Everybody wants a free meal. Isn't it?
Z3r0n3 Posted April 8, 2014 "Hi Lostin and all others, maybe you're right so far and a tutorial would be more interesting for people who want to know more details how to handle the protection manually, also if my tutorial styles are not so good. Ok guys, so I think this I will do. Little video tutorial + some small different basic scripts. Ok so thank you again so far guys for your opinions and till later. greetz" Nice to hear that, nothing better than manual work.
Nooby Posted April 14, 2014 I look forward to both tutorial and script. You may think that I would make changes against them, but generally no, IAT related stuff hasn't changed since years back. I'm pretty sure the current import protection is properly implemented and there are limited ways it could be done otherwise without major drawbacks. That said, let me know if you have better ideas. I do believe in the wisdom of our community. Edited April 14, 2014 by Nooby
Dragon Palace Posted April 15, 2014 Anyone know that Nooby is the Safengine Shielden author here?
SmilingWolf Posted April 15, 2014 "Anyone know that Nooby is the Safengine Shielden author here?" https://forum.tuts4you.com/topic/18546-safengine-formally-noobyprotect/ I guess the "Nooby" part of the name makes it quite clear (besides, he always talks in the first person when describing or talking about SafeEngine). And he's got my esteem for still being an active part of the RE community as of these days. Some people don't contribute anymore when they get involved in some commercial activity. Edited April 15, 2014 by SmilingWolf
kgh0701 Posted April 15, 2014 Oh, I see, so Nooby is the Safengine Shielden author? Edited April 15, 2014 by kgh0701
converse Posted April 15, 2014 "Oh, I see, so Nooby is the Safengine Shielden author?" YES!!!
Nooby Posted April 21, 2014 Here I give everyone an idea of unpacking most of the targets found here. I'm trying to be as generic and simple as possible, so bear with me skipping some specific cases. Our goal here is to run the target without executing its shell code; in most cases the shell code unpacks the program code & data and then locates import functions (IAT related), a few with additional resource handling. So what we need to do is:
1. Dump the unpacked target
2. Fix its import function calls / rebuild IAT
In most cases the target will not contain any shell SDK calls or have much VMed code, which does require a running shell, so that's all it takes to unpack the target. Talking about import protections, if you find it difficult to understand, I suggest that you pick ONE specific program like calc.exe or notepad.exe and try to protect it. Soon you will figure out that there are not many ways to do that; you can:
1. Use random locations for each function address
2. Replace call [IAT] instructions and retrieve the API during runtime
And that pretty much covers every different method you can see in many protectors. For #1, if you find it hard or inefficient to scan the entire code section and locate all those locations, you should analyze the shell code and find the part that retrieves & fills API addresses. Make a log or something like what I did in my previous IAT fix scripts. For #2, you will need to scan the code section and identify these calls, then make a run trace to each of them and discover their corresponding API addresses. This is most likely what you will see in SE scripts. You may ask, is it really that simple like ... Yes! Keep in mind that any additional code added to a simple call [IAT] will have a significant performance impact on the program, so there cannot be many tricks; even the code must be simple. For case #1, the address filling process can loop many thousand times; for case #2, think of a typical message loop.
So you won't see any heavy VM there; have a cup of tea and find proper ways to handle them. Why is unpacking all about IAT fixing? Because the IAT is the only thing a protector can do with "blind" targets. Unless you are dealing with a protector designed for the sole purpose of protecting that one single program, it can't just randomly pick some places and insert extra code there. Some protectors feature resource anti-dump and stuff, but that either depends on API hooking or resource tree manipulation. Considering there are usually not many resources in UnpackMEs, you can always find & dump them manually.
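Both import-protection shapes Nooby lists above (case #1, API addresses filled into IAT slots at runtime, and case #2, call [IAT] instructions replaced by calls into runtime stubs) come down to the same analyst task when rebuilding imports from a memory dump: find the transfer instructions in the code section, follow each one to an address, and map that address back to an API name; anything that cannot be resolved statically is what the run trace is for. The Python script below is an added example written for this thread; it is not Nooby's script, not LCF-AT's, and not tied to any particular protector. It constructs a small 32-bit .text section containing the relevant patterns (call/jmp through an absolute slot, a normal local call, and a direct call that leaves the code section), does a linear byte scan for them, and resolves the slot-based ones through a constructed IAT and export map. The image base, section layout, slot values, API addresses and names are all constructed for the example.

```python
import struct

# All values below are constructed for this example (32-bit PE layout assumed);
# they are not taken from any real binary or from the protector discussed in the thread.
IMAGE_BASE = 0x00400000
CODE_VA, CODE_SIZE = IMAGE_BASE + 0x1000, 0x1000   # hypothetical .text section
IAT_BASE = IMAGE_BASE + 0x2000                      # hypothetical IAT location

# IAT slot contents as they would appear in a dump after the shell code filled them
# (case #1 of the post): slot VA -> resolved API address (constructed values).
IAT_SLOTS = {
    IAT_BASE + 0x0: 0x77A01234,
    IAT_BASE + 0x4: 0x77A05678,
    IAT_BASE + 0x8: 0x76B00010,
}

# Export map an analyst would build from the loaded modules: address -> name (constructed).
EXPORTS = {
    0x77A01234: "kernel32!GetModuleHandleA",
    0x77A05678: "kernel32!ExitProcess",
    0x76B00010: "user32!MessageBoxA",
}


def rel32(next_ip: int, target: int) -> bytes:
    """Encode a rel32 displacement for a call/jmp whose next instruction is at next_ip."""
    return struct.pack("<i", target - next_ip)


def build_sample_code() -> bytes:
    """Construct a small .text section containing the patterns the post describes."""
    code = bytearray()
    code += b"\x55\x8b\xec"                                     # +0:  push ebp; mov ebp, esp
    code += b"\xff\x15" + struct.pack("<I", IAT_BASE + 0x0)     # +3:  call [IAT+0]  (GetModuleHandleA)
    code += b"\x6a\x00"                                         # +9:  push 0
    code += b"\xe8" + rel32(CODE_VA + 16, CODE_VA + 0x28)       # +11: call local function (stays in .text)
    code += b"\xe8" + rel32(CODE_VA + 21, IMAGE_BASE + 0x5000)  # +16: call into a stub outside .text (case #2 shape)
    code += b"\xff\x15" + struct.pack("<I", IAT_BASE + 0x8)     # +21: call [IAT+8]  (MessageBoxA)
    code += b"\xff\x25" + struct.pack("<I", IAT_BASE + 0x4)     # +27: jmp  [IAT+4]  (ExitProcess thunk)
    code += b"\xcc" * (0x28 - len(code))                        # padding up to the local function
    code += b"\xc3"                                             # +40: ret (body of the local function)
    return bytes(code)


def scan_code(code: bytes, code_va: int, code_size: int):
    """Linear byte scan for import-related transfers.

    Reports:
      * FF 15 / FF 25 disp32 -> call/jmp through an absolute memory slot (IAT style)
      * E8 rel32 whose target leaves the code section -> candidate redirected call
        that a static scan cannot resolve (the post's "run trace" case)
    The scan is a heuristic: it does not disassemble, so data bytes can produce
    false positives that need manual confirmation in a debugger.
    """
    hits = []
    i = 0
    while i < len(code):
        op = code[i]
        if op == 0xFF and i + 6 <= len(code) and code[i + 1] in (0x15, 0x25):
            slot = struct.unpack_from("<I", code, i + 2)[0]
            hits.append({"va": code_va + i, "kind": "call" if code[i + 1] == 0x15 else "jmp",
                         "slot": slot, "target": None})
            i += 6
        elif op == 0xE8 and i + 5 <= len(code):
            rel = struct.unpack_from("<i", code, i + 1)[0]
            target = (code_va + i + 5 + rel) & 0xFFFFFFFF
            if not (code_va <= target < code_va + code_size):
                hits.append({"va": code_va + i, "kind": "direct-call-outside-code",
                             "slot": None, "target": target})
            i += 5
        else:
            i += 1
    return hits


def resolve_imports(hits, iat_slots, exports):
    """Attach an API name to each hit by following slot -> stored address -> export map.

    Hits whose slot is unknown, or whose stored address is not an export, keep api=None
    so they show up in the list of things still to be resolved by hand.
    """
    out = []
    for h in hits:
        h = dict(h)
        addr = iat_slots.get(h["slot"]) if h["slot"] is not None else None
        h["api"] = exports.get(addr) if addr is not None else None
        out.append(h)
    return out


def analyze():
    """Run the full pass over the constructed sample and return the annotated hits."""
    return resolve_imports(scan_code(build_sample_code(), CODE_VA, CODE_SIZE), IAT_SLOTS, EXPORTS)


if __name__ == "__main__":
    for h in analyze():
        print(f"{h['va']:08X} {h['kind']:<26} slot={h['slot']} target={h['target']} api={h['api']}")
```

On the constructed sample the pass reports three slot-based transfers resolved to names and one direct call leaving .text with api=None; that last entry is exactly the kind of location that still needs a run trace, which is why the function separates "resolved" from "candidate" instead of guessing. Against a real dump the same two inputs (the IAT slot contents and an address-to-export map of the loaded modules) are what an analyst collects from the debugger before running this kind of scan.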
bart_ Posted December 5, 2014 "Hi Lostin and all others, maybe you're right so far and a tutorial would be more interesting for people who want to know more details how to handle the protection manually, also if my tutorial styles are not so good. Ok guys, so I think this I will do. Little video tutorial + some small different basic scripts. Ok so thank you again so far guys for your opinions and till later. greetz" LCF-AT please PM me (your inbox is full). Edited December 5, 2014 by bart_
LCF-AT Posted December 5, 2014 Hi Homer, what's up? I know my PM box is full and I am too lazy to check & delete some. So what's your question? greetz
m0rpheus Posted December 6, 2014 For me there is no good opinion; the scripts we implement help us and inspire thinking about how these scripts are created, and these tools the same as scripts. Everything that you talented guys do inspires good brains around, hoping that we can create tools like these; but for those that misuse it, let them use it, it does not matter, because for a society to exist there need to be both good and evil. greetzz m0rpheus.