Gladiator Posted August 10, 2016 (edited)
Difficulty: 5
Language: Delphi
Platform: Windows x86/x64
OS Version: XP SP2 and above.
Packer / Protector: Artan Protector 2.0 UnpackMe with all options enabled with normal complexity.
Description: Unpack the file and keep the application working.
ScreenShot: (image not preserved)
Attachment: Artan_2_UnPackMe.zip
Edited August 12, 2016 by Gladiator
xoring Posted November 17, 2016
Hello, I am working on this unpackme (first attempt). I am trying to reach the OEP. I have 2 potential OEPs. The first one is '00406F60'. The second is '005306DD'. Can anyone tell me if I am in the right direction? Thank you

mrexodia Posted November 18, 2016
@xoring The code at 005306DD is a VMProtect 3 stub.

xoring Posted November 18, 2016
@mrexodia thanks for your comment. So I suppose I should keep looking.
Gladiator (Author) Posted November 23, 2016
On 11/18/2016 at 2:58 PM, mrexodia said:
    @xoring The code at 005306DD is a VMProtect 3 stub.
It's because in the development process of the Artan code mutation engine we got some inspiration from the VMProtect mutation core (got some ideas from VMProtect).

evlncrn8 Posted November 24, 2016
You mean you used VMProtect in your protector?

Gladiator (Author) Posted November 24, 2016
9 hours ago, evlncrn8 said:
    You mean you used VMProtect in your protector?
No, I have got some ideas from VMProtect and re-written them in Artan Protector.

evlncrn8 Posted November 24, 2016
2 minutes ago, Gladiator said:
    No, I have got some ideas from VMProtect and re-written them in Artan Protector.
"The code at 005306DD is a VMProtect 3 stub." Explain that then.

Gladiator (Author) Posted November 24, 2016
5 hours ago, evlncrn8 said:
    "The code at 005306DD is a VMProtect 3 stub." Explain that then.
As I said before, we re-wrote the VMProtect mutation engine with 70% similarity, so in some parts of Artan Protector the signature will be similar to the original VMProtect signature.
SmilingWolf Posted November 24, 2016 (edited)
(screenshot not preserved) (This was in a thread about Artan)
Edited November 24, 2016 by SmilingWolf

evlncrn8 Posted November 24, 2016 (edited)
From the website -> "No problems with antivirus software ( Not For Malware Development ! )." You did scan that file you supplied on virustotal.com, didn't you? And just so people are aware, let's link them to the other thread too -> https://forum.tuts4you.com/topic/34156-artan-win32-protector-now-international/?page=2#comment-184940
You still haven't improved on your bullshitting claims m8.. nice try..
Edited November 24, 2016 by evlncrn8

Gladiator (Author) Posted November 24, 2016
22 minutes ago, SmilingWolf said:
    (This was in a thread about Artan)
Yes, but that is related to version 1.8; in version 2.0 (the current version) we tried to write a core similar to the VMProtect engine.
9 minutes ago, evlncrn8 said:
    From the website -> "No problems with antivirus software ( Not For Malware Development ! )." You did scan that file you supplied on virustotal.com, didn't you?
1. Yes, I have tested it with virustotal.com and other multi-AV websites; except Avira, all anti-viruses showed a clean status.
2. In this section we are not going to talk about Artan Protector service quality, and here I'm not giving answers; I put the tag "unpackme" to test its difficulty and make a solution for your unpacking trick.
13 minutes ago, evlncrn8 said:
    And just so people are aware, let's link them to the other thread too -> https://forum.tuts4you.com/topic/34156-artan-win32-protector-now-international/?page=2#comment-184940
Some people are aware and some not; every piece of software has positive and negative points. We produce an anti-false-alarm option that has a cost in file size; I think with today's internet speed there is no great problem anyway. Please talk within the topic rules and send an unpacked solution. Best Regards.

SmilingWolf Posted November 24, 2016
With all due respect, you've been claiming to have just "taken inspiration" from VMProtect well before creating that topic on ExETools.

Gladiator (Author) Posted November 24, 2016
7 minutes ago, SmilingWolf said:
    With all due respect, you've been claiming to have just "taken inspiration" from VMProtect well before creating that topic on ExETools.
Thank you for the courtesy and respect. My topic on ExETools is about version 1.8, where we used the engine exe as an OEM part from VMPsoft with a written license, but in version 2.0 we have some inspiration. For example, all protectors use IAT redirection; are they the same? No, they have one concept with several ways. We do it as I said: read and study the VMProtect engine and write a similar one from 0 to 100. This is not a rip and not copy-paste; this is called localization.

evlncrn8 Posted November 24, 2016 (edited)
"1. Yes, I have tested it with virustotal.com and other multi-AV websites; except Avira, all anti-viruses showed a clean status."
Wow, then the VirusTotal you use and the one I use must be very different... https://www.virustotal.com/en/file/034f202f6744a44ae8afa53938515479c60049f8d8c5896316afe88b3ed34bf5/analysis/1480017820/ Will you stop lying?
"Please talk within the topic rules and send an unpacked solution."
This, plus the "courtesy and respect" (both are earned btw, not given automagically). By the same token, how about you stop abusing the forum and users to try and get them to crack your (bullshit) product, which you then use to try and improve it and then spout more sales blurb nonsense? S N A K E O I L. Reinventing the wheel and trying to claim your method is revolutionary (when it's based on the work of others) is not the way to make a product, especially when that wheel is a square.
Edited November 24, 2016 by evlncrn8

Gladiator (Author) Posted November 25, 2016
5 hours ago, evlncrn8 said:
    "1. Yes, I have tested it with virustotal.com and other multi-AV websites; except Avira, all anti-viruses showed a clean status."
    Wow, then the VirusTotal you use and the one I use must be very different... https://www.virustotal.com/en/file/034f202f6744a44ae8afa53938515479c60049f8d8c5896316afe88b3ed34bf5/analysis/1480017820/
Do you think I put all the options that my customers use in public? Anti-false-alarm is an option that is only available in the purchased version; as you can see, I said all options with normal complexity....
On 8/10/2016 at 8:13 PM, Gladiator said:
    Packer / Protector: Artan Protector 2.0 UnpackMe with all options enabled with normal complexity.
5 hours ago, evlncrn8 said:
    "Please talk within the topic rules and send an unpacked solution."
    This, plus the "courtesy and respect" (both are earned btw, not given automagically). By the same token, how about you stop abusing the forum and users to try and get them to crack your (bullshit) product, which you then use to try and improve it and then spout more sales blurb nonsense? S N A K E O I L. Reinventing the wheel and trying to claim your method is revolutionary (when it's based on the work of others) is not the way to make a product, especially when that wheel is a square.
What do you think is respectable? Considering that only a small part of this product was inspired by other similar products, you cannot undermine it all. In any case, I've created this topic only for security testing, so if you have the ability to test it, your comments will be welcome; otherwise I will not reply to your personal opinion.

evlncrn8 Posted November 25, 2016
I specifically asked you if you scanned the file you uploaded in this thread with VirusTotal; you said you did and it was clean.. it was not... you lied. Anti-attach is also a lie; I was also able to attach with a clean Olly. You created this topic to strengthen the 'security' (yes, I used quotes) of your own snake oil product by trying to get people to crack it and tell you how, so you could then try and fix it... which is pretty pathetic. You have lied in this thread, and in the others, so please, seriously stop.. and downvoting my comments is not going to do a damn thing; have some balls and stand behind your product and its claims and stop lying. So for the topic and you claiming it was for security.. the anti-attach is bullshit, the claims of being clean with anti-virus are also bullshit... and that's staying on topic.

Gladiator (Author) Posted November 25, 2016 (edited)
Ok, everything is bullshit; stop talking and show your ability in unpacking the file [we are in the unpackmes section]...; otherwise please do not spam!!! If you want to criticize, here is not the right place, but if you have really decided to send spam posts, ok, do whatever you want, I don't care; I'm here just for talking about the best solution for the unpackme.
Edited November 25, 2016 by Gladiator

evlncrn8 Posted November 25, 2016
Show my ability? I don't have to prove a thing to you at all, nor am I going to do any work for you so you can 'strengthen' your snake oil.. hasn't that point sunk in yet? And I really hope no one will.

Teddy Rogers Posted November 25, 2016
Okay everyone, let's get the topic back on track. I think enough views have been aired; now we can concentrate on the unpackme... Ted.

xoring Posted November 25, 2016
Hello all again, I haven't made any progress. I can see some anti-debug techniques at the following address. Except for that, I can't find the OEP. Hope someone can provide some guidance. :)
0FC21F94 55 PUSH EBP
mrexodia Posted November 26, 2016 (edited)
I can share some progress but I don't plan to unpack a (ripped/modified) VMProtect, so don't expect too much.

The first trick is fun: replacing the IAT entry of ExitProcess. It then jumps you into a gigantic linear part of code with opaque predicates. With x64dbg you can get to the more interesting parts with:
TraceIntoConditional !dis.isnop(cip) && dis.branchexec(cip)
Just don't bother with the 37000 useless instructions. You will land in some kind of decryption loop; skip that loop and again run the above trace command. It will bring you to a more interesting part looking more like Delphi code. This will call LoadLibrary and GetProcAddress. Graphing this function (please don't try to graph at the opaque predicates part) shows you the code is simple and quickly points to the more interesting part: (screenshot not preserved)

At this point I got some random access violations, possibly because of other breakpoints, so I used a hardware breakpoint on the `call dword ptr ds:[ebp-40]`. The next section is really weird to debug since sometimes the protection of the code page appears to change to PAGE_NOACCESS. This is likely a bug in x64dbg since it sometimes happens randomly when the debuggee is paused.

The code after uses SEH and unhandled exception filters; some time later it appears to call TLS callbacks (or initialize static variables). It also sets another exception handler (SEH): (screenshot not preserved)

The SEH uses simple anti-debug; for instance this SEH_int1 function checks if the debug registers are zero (hardware breakpoint detection). If not, it simply skips the INT1: (screenshot not preserved)

If you don't pass various checks like this it will call the function I called debugDetect (it runs an infinite loop): (screenshot not preserved)

A simple conditional breakpoint helps bypassing these checks (simply skip the infinite loop and set CIP to the return address; there might be more hardcoded instances of this, see UnPackMe.exe:$F8F30E8).

In combination with ScyllaHide you can normally debug this executable with this. It might be a fun challenge to find all checks and bypass them by hand, but I'll leave it at this for now.
Edited November 26, 2016 by mrexodia
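The conditional-breakpoint bypass mrexodia describes, written out as an x64dbg script (an added example, not code from his post or from Artan). It assumes the hardcoded instance he cites, UnPackMe.exe:$F8F30E8, is the entry of the debugDetect routine (adjust if the call site in your trace differs), and the command names are as given in x64dbg's scripting reference, so check them against your build's help if a line is rejected.

```x64dbg
// Reach the Delphi-looking code past the opaque-predicate blob (from the post);
// run it again after skipping the decryption loop.
TraceIntoConditional !dis.isnop(cip) && dis.branchexec(cip)

// Software breakpoint on debugDetect. A hardware breakpoint would be seen by
// the SEH_int1 check, which reads the debug registers, so keep DR0-DR3 clear.
bp UnPackMe.exe:$F8F30E8

// Break condition 0: never pause here. The command condition defaults to the
// break condition, so force it to 1 so the command still runs on every hit.
SetBreakpointCondition UnPackMe.exe:$F8F30E8, 0
SetBreakpointCommandCondition UnPackMe.exe:$F8F30E8, 1

// Emulate "ret" instead of entering the infinite loop: load the return
// address from the top of the stack into CIP and pop it.
SetBreakpointCommand UnPackMe.exe:$F8F30E8, "cip=[esp]; esp=esp+4"

// Log each bypassed call so you can count the hardcoded instances.
SetBreakpointLog UnPackMe.exe:$F8F30E8, "debugDetect called, returning to {p:[esp]}"

run
```

Pair it with ScyllaHide for the remaining checks; if the debuggee still stops in a loop, look for another debugDetect instance and add a second breakpoint with the same three settings.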
mrexodia Posted November 26, 2016
On 11/24/2016 at 10:00 PM, Gladiator said:
    This is not a rip and not copy-paste; this is called localization.
I had a friend in university who did this with a paper; it is (and was treated as) plagiarism, and appropriate action was taken. I don't care if you rip VMProtect, but after stepping handlers (see the command below) I can say it's so similar that I would call it equal (although I didn't see these particular obfuscation patterns in the samples I have, and your transformation engine only emits linear disassembly; VMProtect 3.x also has some (trivial) branching around to make it annoying).
TraceIntoConditional cip==edi

Gladiator (Author) Posted November 26, 2016 (edited)
!
Edited November 26, 2016 by Gladiator
Deleted ...
Gladiator (Author) Posted November 26, 2016
6 hours ago, mrexodia said:
    I had a friend in university who did this with a paper; it is (and was treated as) plagiarism, and appropriate action was taken. I don't care if you rip VMProtect, but after stepping handlers (see the command below) I can say it's so similar that I would call it equal (although I didn't see these particular obfuscation patterns in the samples I have, and your transformation engine only emits linear disassembly; VMProtect 3.x also has some (trivial) branching around to make it annoying).
    TraceIntoConditional cip==edi
As I said before, we try to make an engine similar to VMProtect by hard study of its engine, from the old versions (easy) to the newer versions (hard to understand).
7 hours ago, mrexodia said:
    I can share some progress but I don't plan to unpack a (ripped/modified) VMProtect, so don't expect too much. (full progress post quoted; see above)
Thanks for taking care of the unpackme from a practical point of view.