Can you help me with this dll? [Archive] - RCE Messageboard's Regroupment

View Full Version : Can you help me with this dll?

sly2

May 18th, 2007, 08:51

Hi,

i try to unpack/decrypt an dll "sm.dll". i know its pack/crypted, but PEiD say "nothing found". i try to debug it with olly, but i cant set brakpoints... i try to debbug it throught software, that load it, but nothing work.
this dll is not from commercial software.

can anyone explain me how i can unpack/decrypt this please?

greets

Sly

LLXX

May 18th, 2007, 11:27

Read the FAQ! (http://www.woodmann.com/fravia/rce-faq.htm) You do NOT post commercial softwares in this forum!

blabberer

May 18th, 2007, 13:11

looks like a bot for a game

what do you want to do with this dll? its debug build

it uses a few tricks in initlaiztion routines checks for debugheap and isdebuggerpresent thats all otherwise its just easy enough to brute through it

softmod from wiki says is a term used to modify behaviour of some hardware like Xbox

Code:



Call stack of main thread

Address    Stack      Procedure / arguments                                                     Called from                   Frame

0006F8E4   10006A57   sm.10006E36                                                               sm.10006A52                   0006F904

0006F8E8   77F7572A   Maybe sm.10006A4B                                                         ntdll.77F75727                0006F904

0006F908   77F5A10A   ? ntdll.LdrpCallInitRoutine                                               ntdll.77F5A105                0006F904

0006FA04   77F5AA2F   ? ntdll.LdrpRunInitializeRoutines                                         ntdll.77F5AA2A                0006FA00

0006FC98   77F55714   ? ntdll.LdrpLoadDll                                                       ntdll.77F5570F                0006FC94

0006FF2C   77E7D901   ? kernel32.LdrLoadDll                                                     kernel32.77E7D8FC             0006FF28

0006FF94   77E7D95E   ? kernel32.LoadLibraryExW                                                 kernel32.77E7D959             0006FF90

0006FF98   7FFDEC00     FileName = "MSVCR80.dll"

0006FF9C   00000000     hFile = NULL

0006FFA0   00000000     Flags = 0

0006FFA4   77E7D990   ? kernel32.LoadLibraryExA                                                 kernel32.77E7D98B

0006FFA8   00081F17     FileName = "C:\Documents and Settings\\Desktop\sm\sm.dll"

0006FFAC   00000000     hFile = NULL

0006FFB0   00000000     Flags = 0

0006FFBC   004100B4   ? <JMP.&KERNEL32.LoadLibraryA>                                            LOADDLL.004100AF

0006FFC0   00081F17     FileName = "C:\Documents and Settings\\Desktop\sm\sm.dll"

it needs few other accomplices to work ok

Code:



10006E36  PUSH EBP

10006E37  MOV EBP,ESP

10006E39  SUB ESP,10

10006E3C  MOV EAX,DWORD PTR DS:[10024E10]

10006E41  AND DWORD PTR SS:[EBP-8],0

10006E45  AND DWORD PTR SS:[EBP-4],0

10006E49  PUSH EBX                                               ;  sm.<ModuleEntryPoint>

10006E4A  PUSH EDI

10006E4B  MOV EDI,BB40E64E

10006E50  CMP EAX,EDI

10006E52  MOV EBX,FFFF0000

10006E57  JE SHORT sm.10006E66

10006E59  TEST EBX,EAX                                           ;  sm.1004F8D0

10006E5B  JE SHORT sm.10006E66

10006E5D  NOT EAX                                                ;  sm.1004F8D0

10006E5F  MOV DWORD PTR DS:[10024E14],EAX                        ;  sm.1004F8D0

10006E64  JMP SHORT sm.10006EC6

10006E66  PUSH ESI

10006E67  LEA EAX,DWORD PTR SS:[EBP-8]

10006E6A  PUSH EAX                                               ; /pFileTime = sm.1004F8D0

10006E6B  CALL DWORD PTR DS:[10008044]                           ; \GetSystemTimeAsFileTime

10006E71  MOV ESI,DWORD PTR SS:[EBP-4]

10006E74  XOR ESI,DWORD PTR SS:[EBP-8]

10006E77  CALL DWORD PTR DS:[10008048]                           ; [GetCurrentProcessId

10006E7D  XOR ESI,EAX                                            ;  sm.1004F8D0

10006E7F  CALL DWORD PTR DS:[1000804C]                           ; [GetCurrentThreadId

10006E85  XOR ESI,EAX                                            ;  sm.1004F8D0

10006E87  CALL DWORD PTR DS:[1000800C]                           ; [GetTickCount

10006E8D  XOR ESI,EAX                                            ;  sm.1004F8D0

10006E8F  LEA EAX,DWORD PTR SS:[EBP-10]

10006E92  PUSH EAX                                               ; /pPerformanceCount = sm.1004F8D0

10006E93  CALL DWORD PTR DS:[10008058]                           ; \QueryPerformanceCounter

10006E99  MOV EAX,DWORD PTR SS:[EBP-C]                           ;  sm.<ModuleEntryPoint>

10006E9C  XOR EAX,DWORD PTR SS:[EBP-10]

10006E9F  XOR ESI,EAX                                            ;  sm.1004F8D0

10006EA1  CMP ESI,EDI

10006EA3  JNZ SHORT sm.10006EAC

10006EA5  MOV ESI,BB40E64F

10006EAA  JMP SHORT sm.10006EB7

10006EAC  TEST EBX,ESI

10006EAE  JNZ SHORT sm.10006EB7

10006EB0  MOV EAX,ESI

10006EB2  SHL EAX,10

10006EB5  OR ESI,EAX                                             ;  sm.1004F8D0

10006EB7  MOV DWORD PTR DS:[10024E10],ESI

10006EBD  NOT ESI

10006EBF  MOV DWORD PTR DS:[10024E14],ESI

10006EC5  POP ESI                                                ;  sm.10006A57

10006EC6  POP EDI                                                ;  sm.10006A57

10006EC7  POP EBX                                                ;  sm.10006A57

10006EC8  LEAVE

10006EC9  RETN

sly2

May 18th, 2007, 14:23

@blabberer:
Thanks for your explanation!!
yes, this is a bot for a game (NOT for the XBOX!!!), it need the softmod2.dll to work.
Although im a neewbie on cracking, i will give my best

if you'll help me to understand how it works, please write me a PM

@LLXX:
could you tell me please, where i can buy software which includes this dll?
cause i dont know any ... i know that this is NOT part of any commercial software...

greets

Sly

blurcode

May 20th, 2007, 13:20

sly2,
go to http://www.0x33.org/ and pay 10$ to buy it.

blabberer

May 22nd, 2007, 00:55

Quote:

if you'll help me to understand how it works, please write me a PM

it simply is a part of a package

all it has are two exports

sm.s
and sm.t

the sm.s is a function that is called in initialisation routine
which creates an smlog.txt and looks for sm.txt

if sm.txt file is not there it simply exits after showing a messagebox to that effect

as to get there all you need to evade is one puny isdebuggerpresent and one debugheap check

yes they are obfuscated and im not going to tell you how you find where it uses them (its kinda novel it uses unaligned bytes to fetch that dword)

ill hint though (try using hw breakpoints)

i just checked this once because you said in your post that you cant set breakpoints on this in ollydbg i was just interested in finding out if thats the case

i confirmed ollydbg has no problems setting breakpoints on this you should know where to place breakpoints thats all

also loading this in ollydbg via loaddll may have a bottleneck as i see it has tls callbacks which dont work on LoadLibrary() method

so it might have a few more tricks up in its sleeve if you are trying to play with this dll along side an exe which has this linked at compile time