Tuts 4 You

[Unpackme] Safengine Shielden v2.3.7.0


Reasen



I only looked at the unpacked file from man of the war; the stolen OEP is not restored, the header sections do not have permissions (that is why it says error), and when the permissions are fixed you will see it will try to run some code outside of the exe, or maybe there is some stolen code from APIs in the resources.

Near the OEP it is Delphi:

CPU Disasm
Address   Hex dump          Command                                  Comments
0044E215    8BEC            MOV EBP,ESP
0044E217    83C4 F0         ADD ESP,-10
0044E21A    B8 8CE04400     MOV EAX,44E08C
0044E21F    E8 587EFBFF     CALL 0040607C
0044E224    A1 4CFF4400     MOV EAX,DWORD PTR DS:[44FF4C]
0044E229    8B00            MOV EAX,DWORD PTR DS:[EAX]
0044E22B    E8 08E6FFFF     CALL 0044C838
0044E230    8B0D 28004500   MOV ECX,DWORD PTR DS:[450028]
0044E236    A1 4CFF4400     MOV EAX,DWORD PTR DS:[44FF4C]
0044E23B    8B00            MOV EAX,DWORD PTR DS:[EAX]
0044E23D    8B15 ACDE4400   MOV EDX,DWORD PTR DS:[44DEAC]
0044E243    E8 08E6FFFF     CALL 0044C850
0044E248    A1 4CFF4400     MOV EAX,DWORD PTR DS:[44FF4C]
0044E24D    8B00            MOV EAX,DWORD PTR DS:[EAX]
0044E24F    E8 7CE6FFFF     CALL 0044C8D0
0044E254    E8 8F5EFBFF     CALL 004040E8
0044E259    8D40 00         LEA EAX,[EAX]


There are APIs without resolution in the spliced code:
CPU Disasm
Address   Hex dump          Command                                  Comments
005198B9    68 078C2A02     PUSH 22A8C07

Maybe by its structure it is GetModuleHandleA; when fixed as that API it runs normally, but will land here in the anti-dump:
CPU Disasm
Address   Hex dump          Command                                  Comments
00401D54    3B05 14164500   CMP EAX,DWORD PTR DS:[451614]
00401D5A    75 09           JNE SHORT 00401D65
00401D5C    8B50 04         MOV EDX,DWORD PTR DS:[EAX+4]
00401D5F    8915 14164500   MOV DWORD PTR DS:[451614],EDX
00401D65    8B50 04         MOV EDX,DWORD PTR DS:[EAX+4]
00401D68    891424          MOV DWORD PTR SS:[ESP],EDX
00401D6B    8B50 08         MOV EDX,DWORD PTR DS:[EAX+8]
00401D6E    81FA 00100000   CMP EDX,1000


where it must validate the PE header... maybe there is more, but it was not checked for the unpack...

Best regards, Apuromafo


The OEP:


0044E214   55               PUSH EBP
0044E215   8BEC             MOV EBP,ESP
0044E217   83C4 F0          ADD ESP,-0x10
0044E21A   B8 8CE04400      MOV EAX,UnpackMe.0044E08C
0044E21F   E8 587EFBFF      CALL UnpackMe.0040607C
0044E224   A1 4CFF4400      MOV EAX,DWORD PTR DS:[0x44FF4C]
0044E229   8B00             MOV EAX,DWORD PTR DS:[EAX]
0044E22B   E8 08E6FFFF      CALL UnpackMe.0044C838
0044E230   8B0D 28004500    MOV ECX,DWORD PTR DS:[0x450028]          ; UnpackMe.00451B64
0044E236   A1 4CFF4400      MOV EAX,DWORD PTR DS:[0x44FF4C]
0044E23B   8B00             MOV EAX,DWORD PTR DS:[EAX]
0044E23D   8B15 ACDE4400    MOV EDX,DWORD PTR DS:[0x44DEAC]          ; UnpackMe.0044DEF8
0044E243   E8 08E6FFFF      CALL UnpackMe.0044C850
0044E248   A1 4CFF4400      MOV EAX,DWORD PTR DS:[0x44FF4C]
0044E24D   8B00             MOV EAX,DWORD PTR DS:[EAX]
0044E24F   E8 7CE6FFFF      CALL UnpackMe.0044C8D0
0044E254   E8 8F5EFBFF      CALL UnpackMe.004040E8

I guess the only thing to fix is the imports.


OEP:

Code: set a memory write breakpoint.

Run, decode. You can get the OEP.

Fix imports: from the OEP, step into and step over.

The Shielden protection program, for the import table, obtains the DLL base of the current encrypted API by LoadLibraryA.
Then it pushes the API and the base on the stack and calls an anti-GetProcAddress to obtain the API address,
and writes the address to the execution entry.

With the API to obtain GetModuleHandle: a simulated API.

With the API to obtain GetProcAddress: get the API address.

00518615    E8 00000000                     CALL    0051861A                  GetModuleHandle

0051861A    E9 DB120000                     JMP     005198FA

The simulation of the API stack is stored in EAX.

005198CF    50                                       PUSH    EAX
005198D0    E8 5B26F5FF                      CALL    0046BF30
005198D5  ^ E9 3BEDFFFF                     JMP     00518615

The current value is the redirection of the API.

00DDB199    8BFF                            MOV     EDI,EDI
00DDB19B    55                              PUSH    EBP
00DDB19C    8BEC                            MOV     EBP,ESP
00DDB19E    837D 08 00                      CMP     DWORD PTR SS:[EBP+0x8],0x0
00DDB1A2    74 18                           JE      SHORT 00DDB1BC
00DDB1A4    FF75 08                         PUSH    DWORD PTR SS:[EBP+0x8]
00DDB1A7    E8 C0290000                     CALL    00DDDB6C
00DDB1AC    85C0                            TEST    EAX,EAX
00DDB1AE    74 08                           JE      SHORT 00DDB1B8
00DDB1B0    FF70 04                         PUSH    DWORD PTR DS:[EAX+0x4]
00DDB1B3    E8 7D2D0000                     CALL    00DDDF35
00DDB1B8    5D                              POP     EBP
00DDB1B9    C2 0400                         RETN    0x4

=======================

7C80B741 >  8BFF                            MOV     EDI,EDI
7C80B743    55                              PUSH    EBP
7C80B744    8BEC                            MOV     EBP,ESP
7C80B746    837D 08 00                      CMP     DWORD PTR SS:[EBP+0x8],0x0
7C80B74A    74 18                           JE      SHORT 7C80B764
7C80B74C    FF75 08                         PUSH    DWORD PTR SS:[EBP+0x8]
7C80B74F    E8 C0290000                     CALL    7C80E114
7C80B754    85C0                            TEST    EAX,EAX
7C80B756    74 08                           JE      SHORT 7C80B760
7C80B758    FF70 04                         PUSH    DWORD PTR DS:[EAX+0x4]
7C80B75B    E8 7D2D0000                     CALL    GetModuleHandleW
7C80B760    5D                              POP     EBP
7C80B761    C2 0400                         RETN    0x4
 

Res:

Direct move, then point to it.

Cross-platform:

Generally it can be cross-platform. If the above cannot be cross-platform:

the Sedate section is set to writeable so it can be written to and saved.

==========================

Best regards 

Sound.
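The two listings above show the same thirteen instructions at two addresses: the stub the protector redirects to (00DDB199) and the original kernel32 routine (7C80B741). A quick way to confirm that the redirected stub is a relocated copy, and to find out which kernel32 routine it really is, is to compare the instruction bytes and then map the copy's internal CALL targets back by the relocation delta. The script below is an added example, not part of Sound's post or of any unpacking tool; the two listings are copied from the post, the parsing and the rel32/rel8 decoding are written here, and the conclusion it reaches (the second CALL of the stub maps to the address the original listing labels GetModuleHandleW) follows only from the bytes shown.

```python
import re
import struct

# Constructed input: both listings are copied from Sound's post. The first is the
# stub reached through the protector's redirection, the second is the original
# kernel32 code it was copied from.
COPY_LISTING = """
00DDB199    8BFF                            MOV     EDI,EDI
00DDB19B    55                              PUSH    EBP
00DDB19C    8BEC                            MOV     EBP,ESP
00DDB19E    837D 08 00                      CMP     DWORD PTR SS:[EBP+0x8],0x0
00DDB1A2    74 18                           JE      SHORT 00DDB1BC
00DDB1A4    FF75 08                         PUSH    DWORD PTR SS:[EBP+0x8]
00DDB1A7    E8 C0290000                     CALL    00DDDB6C
00DDB1AC    85C0                            TEST    EAX,EAX
00DDB1AE    74 08                           JE      SHORT 00DDB1B8
00DDB1B0    FF70 04                         PUSH    DWORD PTR DS:[EAX+0x4]
00DDB1B3    E8 7D2D0000                     CALL    00DDDF35
00DDB1B8    5D                              POP     EBP
00DDB1B9    C2 0400                         RETN    0x4
"""

ORIG_LISTING = """
7C80B741 >  8BFF                            MOV     EDI,EDI
7C80B743    55                              PUSH    EBP
7C80B744    8BEC                            MOV     EBP,ESP
7C80B746    837D 08 00                      CMP     DWORD PTR SS:[EBP+0x8],0x0
7C80B74A    74 18                           JE      SHORT 7C80B764
7C80B74C    FF75 08                         PUSH    DWORD PTR SS:[EBP+0x8]
7C80B74F    E8 C0290000                     CALL    7C80E114
7C80B754    85C0                            TEST    EAX,EAX
7C80B756    74 08                           JE      SHORT 7C80B760
7C80B758    FF70 04                         PUSH    DWORD PTR DS:[EAX+0x4]
7C80B75B    E8 7D2D0000                     CALL    GetModuleHandleW
7C80B760    5D                              POP     EBP
7C80B761    C2 0400                         RETN    0x4
"""


def parse_listing(text):
    """Turn an OllyDbg-style dump into [(address, opcode bytes, disassembly text)]."""
    insns = []
    for line in text.strip().splitlines():
        # Columns are separated by runs of two or more spaces; the hex dump
        # column itself only contains single spaces ("837D 08 00").
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) != 3:
            continue
        addr = int(parts[0].rstrip(" >"), 16)        # drop OllyDbg's ">" marker
        code = bytes.fromhex(parts[1].replace(" ", ""))
        insns.append((addr, code, parts[2]))
    return insns


def code_bytes(insns):
    return b"".join(code for _, code, _ in insns)


def branch_target(addr, code):
    """Resolve CALL/JMP rel32 (E8/E9) and JMP/Jcc rel8 (EB, 70..7F) targets from the bytes."""
    if code[0] in (0xE8, 0xE9) and len(code) == 5:
        disp = struct.unpack("<i", code[1:5])[0]
    elif (code[0] == 0xEB or 0x70 <= code[0] <= 0x7F) and len(code) == 2:
        disp = struct.unpack("<b", code[1:2])[0]
    else:
        return None
    return (addr + len(code) + disp) & 0xFFFFFFFF


def call_targets(insns):
    """[(call site, resolved target)] for every E8 CALL, decoded from bytes, not labels."""
    return [(addr, branch_target(addr, code)) for addr, code, _ in insns if code[0] == 0xE8]


def is_relocated_copy(copy, orig):
    """True when both blocks have identical instruction bytes: only their address differs."""
    return code_bytes(copy) == code_bytes(orig)


def relocation_delta(copy, orig):
    """Constant to add to an address inside the copy to get the original address."""
    return (orig[0][0] - copy[0][0]) & 0xFFFFFFFF


def map_back(addr, delta):
    return (addr + delta) & 0xFFFFFFFF


if __name__ == "__main__":
    copy, orig = parse_listing(COPY_LISTING), parse_listing(ORIG_LISTING)
    print("identical instruction bytes:", is_relocated_copy(copy, orig))
    delta = relocation_delta(copy, orig)
    print("relocation delta: %08X" % delta)
    for site, target in call_targets(copy):
        print("CALL at %08X -> %08X  (original: %08X)" % (site, target, map_back(target, delta)))
```

Because every relative displacement in the copy is byte-identical to the original, the internal CALLs of the stub still land at the same offsets relative to the code, which is why subtracting the one delta maps them straight back into kernel32 (the second CALL maps to the address labelled GetModuleHandleW in the original listing). When a protector copies API prologues this way, comparing masked bytes against the real DLL and recovering the delta is the analysis step that turns an anonymous redirect address into a name for the import fixer.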

On 28.12.2015 at 11:15 AM, Sound said:

With Api to obtain GetProcAddress  Get Api address

00518615    E8 00000000                     CALL    0051861A                  GetModuleHandle

How did you find this address? It is very interesting, tell me.

On 2016/5/5 at 2:59 AM, converse said:

How did you find this address? It is very interesting, tell me

Use step into and step over in OllyDbg.

 

Best regards

Sound

7 minutes ago, Sound said:

Use step into and step over in OllyDbg.

 

Best regards

Sound

A little more, please.
Going down with F7 I did not find the call, or did I not do it for long enough?

23 hours ago, converse said:

A little more, please.
Going down with F7 I did not find the call, or did I not do it for long enough?

 

Distinguish the VM CALL from the API CALL.

Use F7 and F8 and you will find this place.
