Jump to content
Tuts 4 You
  • -4
Sign in to follow this  
Gladiator

Artan Protector 2.0 UnpackMe

Question

Gladiator

Difficulty : 5
Language : Delphi
Platform : Windows x86/x64
OS Version : XP SP2 and above.
Packer / Protector : Artan Protector 2.0 UnpackMe with all options enabled with normal complexity.

Description :

Unpack the file and keep the application working.

ScreenShot :

2016-08-12_050117.png

Artan_2_UnPackMe.zip

Edited by Gladiator (see edit history)

Share this post


Link to post

24 answers to this question

Recommended Posts

  • 2
mrexodia

I can share some progress but I don't plan to unpack a (ripped/modified) VMProtect so don't expect too much.

First trick is fun, replacing the IAT entry of ExitProcess. It then jumps you into a gigantic linear part of code with opaque predicates. With x64dbg you can get to the more interesting parts with:

TraceIntoConditional !dis.isnop(cip) && dis.branchexec(cip)

Just don't bother with the 37000 useless instructions. You will land in some kind of decryption loop, skip that loop and again run the above trace command.

uFR0XLm.png

It will bring you to a more interesting part looking more like Delphi code. This will call LoadLibrary and GetProcAddress. Graphing this function (please don't try to graph at the opaque predicates part) shows you the code is simple and quickly points to the more interesting part:

BVpsB7P.png

At this point I got some random access violations possibly because of other breakpoints so I used a hardware breakpoint on the `call dword ptr ds:[ebp-40]`. The next section is really weird to debug since sometimes the protection of the code page appears to change to PAGE_NOACCESS. This is likely a bug in x64dbg since it sometimes happens randomly when the debuggee is paused. The code after uses SEH and unhandled exception filters, some time later it appears to call TLS callbacks (or initialize static variables). It also sets another exception handler (SEH):

dPS24NZ.png

The SEH uses simple anti debug, for instance this SEH_int1 function checks if the debug registers are zero (hardware breakpoint detection). If not it simply skips the INT1:

K1tQxWo.png

If you don't pass various checks like this it will call the function I called debugDetect (it runs an infinite loop):

Hm2KRDD.png

A simple conditional breakpoint helps bypassing these checks (simply skip the infinite loop and set CIP to the return address, there might be more hardcoded instances of this, see UnPackMe.exe:$F8F30E8). In combination with ScyllaHide you can normally debug this executable with this.

9gnc7FC.png

It might be a fun challenge to find all checks and bypass them by hand but I'll leave it at this for now.

Edited by mrexodia (see edit history)
  • Like 6

Share this post


Link to post
  • 1
evlncrn8

from the website -> "No problems with antivirus software ( Not For Malware Development ! )."

you did scan that file you supplied on virustotal.com didnt you ?

and just so people are aware, lets link them to the other thread too -> https://forum.tuts4you.com/topic/34156-artan-win32-protector-now-international/?page=2#comment-184940

you still havent improved on your bullshitting claims m8.. nice try..

 

Edited by evlncrn8 (see edit history)

Share this post


Link to post
  • 1
evlncrn8

"1.Yes i have test it with virustotal.com and other multi AV websites, except avira all anti-viruses shown clean status "

wow, then the virus total you use and the one i use must be very different...

https://www.virustotal.com/en/file/034f202f6744a44ae8afa53938515479c60049f8d8c5896316afe88b3ed34bf5/analysis/1480017820/

will you stop lying ?

"Please Talk in topic rule and send unpacked solution "

this, plus the "courtesy and respect" (both are earned btw, not given automagically), by the same token, how about you stop abusing the forum and users to try and get them to crack your (bullshit) product which you then use to try and improve it and then spout more sales blurb nonsense ?

S N A K E O I L

reinventing the wheel and trying to claim your method is revolutionary (when its based on the work of others) is not the way to make a product, especially when that wheel is a square

Edited by evlncrn8 (see edit history)

Share this post


Link to post
  • 1
evlncrn8

i specifically asked you if you scanned the file you uploaded in this thread with virustotal, you said you did and it was clean.. it was not... you lied

anti attach is also a lie, i also was able to attach with clean olly

you created this topic to strengthen the 'security' (yes, i used quotes) of your own snake oil product by trying to get people to crack it and tell you how, so you could then try and fix it... which is pretty pathetic

you have lied in this thread, and in the others, so please, seriously stop.. and downvoting my comments is not going to do a damn thing, have some balls and stand behind your product and its claims and stop lying

so for the topic and you claiming it was for security.. the anti attach is bullshit, the claims of the clean with anti virus is also bullshit... and thats staying on topic

Share this post


Link to post
  • 0
xoring

Hello,

 

I am working on this unpackme ( first attempt). I am trying to reach the OEP. I have 2 potentially OEPs. 
The first one is '00406F60'.
The second is '005306DD'. Can anyone tell me if i am in the right direction?

Thank you

  • Like 1

Share this post


Link to post
  • 0
mrexodia

@xoring The code at 005306DD is a VMProtect 3 stub.

  • Like 2

Share this post


Link to post
  • 0
xoring

@mrexodia thanks for your comment. So i suppose i should keep looking. :)

  • Like 1

Share this post


Link to post
  • 0
Gladiator
On 11/18/2016 at 2:58 PM, mrexodia said:

@xoring The code at 005306DD is a VMProtect 3 stub.

It's because of in development process of artan code mutation engine we get some inspiration from vmprotect mutation core ( got some idea from vmprotect )

 

 

Share this post


Link to post
  • 0
evlncrn8

you mean you used vmprotect in your protector ?

Share this post


Link to post
  • 0
Gladiator
9 hours ago, evlncrn8 said:

you mean you used vmprotect in your protector ?

No

I have got some idea from vmprotect and re-write them in artan protector

Share this post


Link to post
  • 0
evlncrn8
2 minutes ago, Gladiator said:

No

I have got some idea from vmprotect and re-write them in artan protector

The code at 005306DD is a VMProtect 3 stub.

explain that then

Share this post


Link to post
  • 0
Gladiator
5 hours ago, evlncrn8 said:

The code at 005306DD is a VMProtect 3 stub.

explain that then

as i say before we re-write vmprotect mutation engine with 70% similarity so in some part of artan protector, signature will be similar to original vmprotector sign

 

Share this post


Link to post
  • 0
SmilingWolf

what.png

?
(This was in a thread about Artan)

Edited by SmilingWolf (see edit history)
  • Like 1

Share this post


Link to post
  • 0
Gladiator
22 minutes ago, SmilingWolf said:

(This was in a thread about Artan)

Yes, but is related to version 1.8

in version 2.0 ( current version ) we made try to write core similar to vmprotect engine

9 minutes ago, evlncrn8 said:

from the website -> "No problems with antivirus software ( Not For Malware Development ! )."

you did scan that file you supplied on virustotal.com didnt you ?

1.Yes i have test it with virustotal.com and other multi AV websites, except avira all anti-viruses shown clean status

2.in this section we are not going to talk about artan protector service quality and here i'm not giving answer , i put tag "unpackme" to test it's difficulty and make solution for your unpacking trick

13 minutes ago, evlncrn8 said:

and just so people are aware, lets link them to the other thread too -> https://forum.tuts4you.com/topic/34156-artan-win32-protector-now-international/?page=2#comment-184940

some people aware and some not , every software have positive and negative points, we produce anti false-alarms option that made a cost in file size, i think with today internet speed there is not great problem 

anyway

Please Talk in topic rule and send unpacked solution

 

Best Regards.

 

Share this post


Link to post
  • 0
SmilingWolf

With all due respect, you've been claiming to have just "taken inspiration" from VMProtect well before creating that topic on ExETools

  • Like 1

Share this post


Link to post
  • 0
Gladiator
7 minutes ago, SmilingWolf said:

With all due respect, you've been claiming to have just "taken inspiration" from VMProtect well before creating that topic on ExETools

Thank you for courtesy and respect , my topic in exetools is about version 1.8 that we used engine exe as OEM Part from VMPsoft with written license

but in version 2.0 we have some inspiration , for example all of protectors used iat redirection ; are they same ? no they have one concept with several ways

we do it as i say , read and study about vmprotect engine and write similar one from 0 to 100, this is not rip and not copy-paste , this called localization

 

 

Share this post


Link to post
  • 0
Gladiator
5 hours ago, evlncrn8 said:

"1.Yes i have test it with virustotal.com and other multi AV websites, except avira all anti-viruses shown clean status "

wow, then the virus total you use and the one i use must be very different...

https://www.virustotal.com/en/file/034f202f6744a44ae8afa53938515479c60049f8d8c5896316afe88b3ed34bf5/analysis/1480017820/

do you think i put all options that my customers using it public ? anti false-alarm is an option that only available in purchased version , as you can see i said all options with normal complexity ....

On 8/10/2016 at 8:13 PM, Gladiator said:

Packer / Protector : Artan Protector 2.0 UnpackMe with all options enabled with normal complexity.

 

5 hours ago, evlncrn8 said:

"Please Talk in topic rule and send unpacked solution "

this, plus the "courtesy and respect" (both are earned btw, not given automagically), by the same token, how about you stop abusing the forum and users to try and get them to crack your (bullshit) product which you then use to try and improve it and then spout more sales blurb nonsense ?

S N A K E O I L

reinventing the wheel and trying to claim your method is revolutionary (when its based on the work of others) is not the way to make a product, especially when that wheel is a square

What do you think is respectable, but considering that only a small part of this product from other similar products inspired , You can not do it all undermined
In any case, I've created this topic only for security testing, so if you have the ability to test it , it will be welcome your comments  otherwise I will not reply to you personal opinion.

 

Share this post


Link to post
  • 0
Gladiator

Ok every thing is bullshit , stop talking and show your ability in unpacking file [ we are in unpackmes section ] ... ; otherwise please do not spam !!!

if you want criticize ; here is not right place

but if you are really decided to send spam post, ok do it whatever you want, i don't care , i'm here just for talking about best solution for unpackme.

 

Edited by Gladiator (see edit history)

Share this post


Link to post
  • 0
evlncrn8

show my ability ? i dont have to prove a thing to you at all, nor am i going to do any work for you so you can 'strengthen' your snake oil.. hasnt that point sunk in yet? and i really hope noone will,

Share this post


Link to post
  • 0
Teddy Rogers

Okay everyone, lets get the topic back on track. I think enough views have been aired now we can concentrate on the unpackme...

Ted.

  • Like 1

Share this post


Link to post
  • 0
xoring

Hello all again,

I haven't make any progress. I can see some anti debug techniques in the following address. Except that, i can't find the OEP. Hope someone can provide some guidance.:)

 

0FC21F94    55              PUSH EBP

 

  • Like 1

Share this post


Link to post
  • 0
mrexodia
On 11/24/2016 at 10:00 PM, Gladiator said:

this is not rip and not copy-paste , this called localization

I had a friend in university who did this with a paper, it is (and was treated as) plagiarism, appropriate action was taken. I don't care if you rip VMProtect, but after stepping handlers (see the command below) I can say it's so similar that I would call it equal (although I didn't see these particular obfuscation patterns in the samples I have and your transformation engine only emits linear disassembly VMProtect 3.x also has some (trivial) brancing around to make it annoying).

TraceIntoConditional cip==edi

 

  • Like 1

Share this post


Link to post
  • 0
Gladiator

!

Edited by Gladiator
Deleted ... (see edit history)

Share this post


Link to post
  • 0
Gladiator
6 hours ago, mrexodia said:

I had a friend in university who did this with a paper, it is (and was treated as) plagiarism, appropriate action was taken. I don't care if you rip VMProtect, but after stepping handlers (see the command below) I can say it's so similar that I would call it equal (although I didn't see these particular obfuscation patterns in the samples I have and your transformation engine only emits linear disassembly VMProtect 3.x also has some (trivial) brancing around to make it annoying).


TraceIntoConditional cip==edi

 

as i said before we try to make similar engine to vmprotect by hard-study about it's engine from old version ( easy ) to newer versions ( hard to understand )

7 hours ago, mrexodia said:

I can share some progress but I don't plan to unpack a (ripped/modified) VMProtect so don't expect too much.

First trick is fun, replacing the IAT entry of ExitProcess. It then jumps you into a gigantic linear part of code with opaque predicates. With x64dbg you can get to the more interesting parts with:


TraceIntoConditional !dis.isnop(cip) && dis.branchexec(cip)

Just don't bother with the 37000 useless instructions. You will land in some kind of decryption loop, skip that loop and again run the above trace command.

uFR0XLm.png

It will bring you to a more interesting part looking more like Delphi code. This will call LoadLibrary and GetProcAddress. Graphing this function (please don't try to graph at the opaque predicates part) shows you the code is simple and quickly points to the more interesting part:

BVpsB7P.png

At this point I got some random access violations possibly because of other breakpoints so I used a hardware breakpoint on the `call dword ptr ds:[ebp-40]`. The next section is really weird to debug since sometimes the protection of the code page appears to change to PAGE_NOACCESS. This is likely a bug in x64dbg since it sometimes happens randomly when the debuggee is paused. The code after uses SEH and unhandled exception filters, some time later it appears to call TLS callbacks (or initialize static variables). It also sets another exception handler (SEH):

dPS24NZ.png

The SEH uses simple anti debug, for instance this SEH_int1 function checks if the debug registers are zero (hardware breakpoint detection). If not it simply skips the INT1:

K1tQxWo.png

If you don't pass various checks like this it will call the function I called debugDetect (it runs an infinite loop):

Hm2KRDD.png

A simple conditional breakpoint helps bypassing these checks (simply skip the infinite loop and set CIP to the return address, there might be more hardcoded instances of this, see UnPackMe.exe:$F8F30E8). In combination with ScyllaHide you can normally debug this executable with this.

9gnc7FC.png

It might be a fun challenge to find all checks and bypass them by hand but I'll leave it at this for now.

Thanks for take care with unpackme in practical view

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  
×
×
  • Create New...