Can you help me with this dll?


sly2
May 18th, 2007, 08:51
Hi,

I try to unpack/decrypt a dll "sm.dll". I know it's packed/encrypted, but PEiD says "nothing found". I try to debug it with Olly, but I can't set breakpoints... I try to debug it through the software that loads it, but nothing works.
This dll is not from commercial software.

Can anyone explain to me how I can unpack/decrypt this, please?

greets

Sly

LLXX
May 18th, 2007, 11:27
Read the FAQ! (http://www.woodmann.com/fravia/rce-faq.htm) You do NOT post commercial software in this forum!

blabberer
May 18th, 2007, 13:11
looks like a bot for a game

what do you want to do with this dll? it's a debug build

it uses a few tricks in the initialization routines: checks for debug heap and IsDebuggerPresent, that's all; otherwise it's easy enough to brute through it



softmod, wiki says, is a term used for modifying the behaviour of some hardware like the Xbox


Code:

Call stack of main thread
Address Stack Procedure / arguments Called from Frame
0006F8E4 10006A57 sm.10006E36 sm.10006A52 0006F904
0006F8E8 77F7572A Maybe sm.10006A4B ntdll.77F75727 0006F904
0006F908 77F5A10A ? ntdll.LdrpCallInitRoutine ntdll.77F5A105 0006F904
0006FA04 77F5AA2F ? ntdll.LdrpRunInitializeRoutines ntdll.77F5AA2A 0006FA00
0006FC98 77F55714 ? ntdll.LdrpLoadDll ntdll.77F5570F 0006FC94
0006FF2C 77E7D901 ? kernel32.LdrLoadDll kernel32.77E7D8FC 0006FF28
0006FF94 77E7D95E ? kernel32.LoadLibraryExW kernel32.77E7D959 0006FF90
0006FF98 7FFDEC00 FileName = "MSVCR80.dll"
0006FF9C 00000000 hFile = NULL
0006FFA0 00000000 Flags = 0
0006FFA4 77E7D990 ? kernel32.LoadLibraryExA kernel32.77E7D98B
0006FFA8 00081F17 FileName = "C:\Documents and Settings\\Desktop\sm\sm.dll"
0006FFAC 00000000 hFile = NULL
0006FFB0 00000000 Flags = 0
0006FFBC 004100B4 ? <JMP.&KERNEL32.LoadLibraryA> LOADDLL.004100AF
0006FFC0 00081F17 FileName = "C:\Documents and Settings\\Desktop\sm\sm.dll"


it needs a few other accomplices to work OK

Code:

10006E36 PUSH EBP
10006E37 MOV EBP,ESP
10006E39 SUB ESP,10
10006E3C MOV EAX,DWORD PTR DS:[10024E10]
10006E41 AND DWORD PTR SS:[EBP-8],0
10006E45 AND DWORD PTR SS:[EBP-4],0
10006E49 PUSH EBX ; sm.<ModuleEntryPoint>
10006E4A PUSH EDI
10006E4B MOV EDI,BB40E64E
10006E50 CMP EAX,EDI
10006E52 MOV EBX,FFFF0000
10006E57 JE SHORT sm.10006E66
10006E59 TEST EBX,EAX ; sm.1004F8D0
10006E5B JE SHORT sm.10006E66
10006E5D NOT EAX ; sm.1004F8D0
10006E5F MOV DWORD PTR DS:[10024E14],EAX ; sm.1004F8D0
10006E64 JMP SHORT sm.10006EC6
10006E66 PUSH ESI
10006E67 LEA EAX,DWORD PTR SS:[EBP-8]
10006E6A PUSH EAX ; /pFileTime = sm.1004F8D0
10006E6B CALL DWORD PTR DS:[10008044] ; \GetSystemTimeAsFileTime
10006E71 MOV ESI,DWORD PTR SS:[EBP-4]
10006E74 XOR ESI,DWORD PTR SS:[EBP-8]
10006E77 CALL DWORD PTR DS:[10008048] ; [GetCurrentProcessId
10006E7D XOR ESI,EAX ; sm.1004F8D0
10006E7F CALL DWORD PTR DS:[1000804C] ; [GetCurrentThreadId
10006E85 XOR ESI,EAX ; sm.1004F8D0
10006E87 CALL DWORD PTR DS:[1000800C] ; [GetTickCount
10006E8D XOR ESI,EAX ; sm.1004F8D0
10006E8F LEA EAX,DWORD PTR SS:[EBP-10]
10006E92 PUSH EAX ; /pPerformanceCount = sm.1004F8D0
10006E93 CALL DWORD PTR DS:[10008058] ; \QueryPerformanceCounter
10006E99 MOV EAX,DWORD PTR SS:[EBP-C] ; sm.<ModuleEntryPoint>
10006E9C XOR EAX,DWORD PTR SS:[EBP-10]
10006E9F XOR ESI,EAX ; sm.1004F8D0
10006EA1 CMP ESI,EDI
10006EA3 JNZ SHORT sm.10006EAC
10006EA5 MOV ESI,BB40E64F
10006EAA JMP SHORT sm.10006EB7
10006EAC TEST EBX,ESI
10006EAE JNZ SHORT sm.10006EB7
10006EB0 MOV EAX,ESI
10006EB2 SHL EAX,10
10006EB5 OR ESI,EAX ; sm.1004F8D0
10006EB7 MOV DWORD PTR DS:[10024E10],ESI
10006EBD NOT ESI
10006EBF MOV DWORD PTR DS:[10024E14],ESI
10006EC5 POP ESI ; sm.10006A57
10006EC6 POP EDI ; sm.10006A57
10006EC7 POP EBX ; sm.10006A57
10006EC8 LEAVE
10006EC9 RETN
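
As an added example (not code from the thread, the dll, or its author), here is the listing above rendered as C: the constants 0xBB40E64E and 0xFFFF0000, the XOR chain and the branch structure come straight from the disassembly, and the shape is the MSVC CRT's GS stack-cookie initialiser. The entropy the routine reads through Windows APIs is passed in as a struct so the logic can be traced offline; the struct and function names are assumptions.

```c
#include <stdint.h>

#define DEFAULT_COOKIE 0xBB40E64Eu   /* MOV EDI,BB40E64E */
#define HIGH_WORD_MASK 0xFFFF0000u   /* MOV EBX,FFFF0000 */

/* Stand-ins for the two globals DS:[10024E10] and DS:[10024E14]. */
static uint32_t g_security_cookie = DEFAULT_COOKIE;
static uint32_t g_security_cookie_complement;

/* Values the routine obtains via API calls in the listing; passed in here
 * (hypothetical struct) so the derivation can be run with constructed input. */
typedef struct {
    uint32_t filetime_low, filetime_high;  /* GetSystemTimeAsFileTime */
    uint32_t pid;                          /* GetCurrentProcessId */
    uint32_t tid;                          /* GetCurrentThreadId */
    uint32_t tick;                         /* GetTickCount */
    uint32_t qpc_low, qpc_high;            /* QueryPerformanceCounter */
} cookie_entropy;

/* The pure derivation, 10006E71..10006EB5. */
uint32_t derive_cookie(const cookie_entropy *e)
{
    uint32_t c = e->filetime_high ^ e->filetime_low;  /* [EBP-4] ^ [EBP-8] */
    c ^= e->pid;
    c ^= e->tid;
    c ^= e->tick;
    c ^= e->qpc_high ^ e->qpc_low;                    /* [EBP-C] ^ [EBP-10] */
    if (c == DEFAULT_COOKIE)             /* CMP ESI,EDI / JNZ */
        c = DEFAULT_COOKIE + 1;          /* MOV ESI,BB40E64F */
    else if ((c & HIGH_WORD_MASK) == 0)  /* TEST EBX,ESI / JNZ */
        c |= c << 16;                    /* SHL EAX,10 / OR ESI,EAX */
    return c;
}

/* The whole routine: re-derive only if the stored cookie is still the
 * default or has an empty high word (10006E50..10006E5B); otherwise just
 * refresh the complement. Returns the cookie now in effect. */
uint32_t security_init_cookie(const cookie_entropy *e)
{
    uint32_t cur = g_security_cookie;
    if (cur != DEFAULT_COOKIE && (cur & HIGH_WORD_MASK) != 0) {
        g_security_cookie_complement = ~cur;  /* NOT EAX; store [10024E14] */
        return cur;
    }
    g_security_cookie = derive_cookie(e);
    g_security_cookie_complement = ~g_security_cookie;
    return g_security_cookie;
}
```

Seeing this pattern at the start of a DllMain path is a sign of the compiler's /GS instrumentation, not of a packer, which fits the "PEiD says nothing found" observation.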


sly2
May 18th, 2007, 14:23
@blabberer:
Thanks for your explanation!!
yes, this is a bot for a game (NOT for the XBOX!!!), it needs the softmod2.dll to work.
Although I'm a newbie at cracking, I will give my best

if you'll help me to understand how it works, please write me a PM

@LLXX:
could you tell me please, where I can buy software which includes this dll?
cause I don't know any ... I know that this is NOT part of any commercial software...

greets

Sly

blurcode
May 20th, 2007, 13:20
sly2,
go to http://www.0x33.org/ and pay $10 to buy it.

blabberer
May 22nd, 2007, 00:55
Quote:

if you'll help me to understand how it works, please write me a PM


it simply is a part of a package

all it has are two exports

sm.s
and sm.t

the sm.s is a function that is called in the initialisation routine
which creates an smlog.txt and looks for sm.txt

if the sm.txt file is not there it simply exits after showing a messagebox to that effect

to get there all you need to evade is one puny IsDebuggerPresent and one debug heap check

yes they are obfuscated and I'm not going to tell you how you find where it uses them (it's kinda novel: it uses unaligned bytes to fetch that dword)

I'll hint though (try using hw breakpoints)

I just checked this once because you said in your post that you can't set breakpoints on this in OllyDbg; I was just interested in finding out if that's the case

I confirmed OllyDbg has no problems setting breakpoints on this; you should know where to place breakpoints, that's all

also loading this in OllyDbg via loaddll may have a bottleneck as I see it has TLS callbacks which don't work with the LoadLibrary() method

so it might have a few more tricks up its sleeve if you are trying to play with this dll alongside an exe which has this linked at compile time