Hi All,

If anyone is looking for a nice, masochistic challenge...

EldoS AnyCalc multifunction calculator
http://www.eldos.org/elanycalc/elanycalc.html

The program is listed as a PE Windows GUI by FileInfo 2.3. It is protected by AsProtect, but FileInfo doesn't pick this up. The program maps a part of itself initially into memory in the 82Dxxxxx region with MapViewOfFile and then I believe runs through the gamut of GetProcAddress calls from there.

0167:00C6FB09 CALL KERNEL32!MapViewOfFile

Plenty of Self Modifying Code follows. All the unpacking and such occurs from this C6xxxx memory range. Lots of tracing later the program starts to unpack its sections from 401000 onwards. VirtualQueryEx or VirtualAlloc breakpoints seem to be as good a starting point as any to break into the unpacking routine.

Anti Filemon/Regmon - Partway through the unpacking process (stops at 4A4000, then I can't pick it up again) it uses GetClassNameA to check for the presence of 'FilemonClass' and 'RegmonClass'. If found, FindWindowExA and a series of SendMessageA calls send an ExitProcess message of some sort to shut down the SysInternal monitors. Must do something comparable with Prudens RegMonitor98 as it closes this one too. Luckily, modifying Filemon/Regmon by changing the strings 'FilemonClass' and 'RegmonClass' bypasses this protection.

Anti API Monitor - they don't pick up any useful API calls until after the program has started. Not sure if this is something specifically anti-API hook or just because of the memory location the program is running from.

Anti SoftIce - no nag, but Loader32.exe doesn't break on WinMain of course. Most direct calls seem to work OK though, surprisingly.

Anti FrogsIce - this is the one that gets me and the reason for my post. I'm using 1.08.8 with Bulletproof options, I1HERE is set to ON, Hook DRx selected, FrogsIce restarted as directed. I tried other combinations as well. SoftIce doesn't pop up, the program just ignores everything as if it wasn't there and goes on its merry way. Without the helpful hand of FrogsIce returned code I don't know what detection method might be being used. (CreateFileA / _lopen it ain't and there's no report of memory or IDT errors)

Now the FrogsIce domain is still a bit (!) of a Black Art to me, but I've used it successfully before. I just thought I'd mention this program to +Frog's Print & +Spath in case it's doing something new and unusual they might like to have a look at

If FrogsIce works for others on this program then the fault must lay with my system or its user (I give it 50/50 ^_^ )


Beyond all this convoluted protection, it's still quite easy to use the 30 day trial program indefinitely by deleting a CLSID reg entry, and it doesn't seem to put a lot of crap on your system, so anyone could have a look at it without too much concern.

Regards,

Kayaker

Hi

I have unpacked it without problem.
It was Version 1.5 build 64.
What is your version ?

Hi Kayaker,

I have tried this app (1.53 build 73), and found
no anti-debugging, for me it works fine with or
without FrogsICE. What kind of problem do
you exactly see without FrogsICE loaded ?

Regards,

Spath.

Y'know I think you're right, I was making this a lot harder than it needed to be. Amazing how different things look in the light of day

I'm working on version 1.51 build 67 (1.52 build 69 is the latest I think). 3 breaks on MapViewOfFile and I'm where I want to be in Anycalc code. I kept getting caught up in the C6xxxx memory range, which seems to be mapped program code, but doesn't correspond to any specific module listed with MAP32 or MOD.

I haven't *quite* found the correct OEP but I've been able to make several dumps which have the main icon and apparently the full Import table intact (this would be a surprise for AsProtect?). FrogsIce still won't kick in on the packed file but I found that TRW loads the program OK.

I can work with this

Thanks,

Kayaker

Hi Spath,

I caught your post just after I posted my reply to SV. Just the minor problem of SoftIce not breaking on WinMain, but I guess I got around that. I had seen a ref. to AsProtect in the programs code in the Data window and figured, especially with the Filemon/Regmon checks, that things would be a bit tougher to dump the file. Still working on that OEP though

Thanks,

Kayaker

Hi once again,

OK, I must apologize for my previous posts. My problem was that the SoftIce Loader wasn't breaking at the start of the unpacking code (which I erroneously called WinMain before but I guess that isn't technically correct). I had tried it several times and even after fresh reboots.

So I thought that perhaps because this was what FileInfo terms a PE Windows GUI type file, it behaved differently and that there might be SoftIce detection as well. Breakpoints on CreateFileA and _lopen didn't show any MeltICE type detection, so I turned to FrogsIce to see if it was using some Interrupt detection method. When FrogsIce didn't pop up SoftIce that's when I figured I had trouble on my hands

I should have heeded the Occam's Razor principle that the simplest explanation is the best. For whatever reason, phase of the Moon, sunspot activity, bonehead user error, SoftIce is now breaking at the start of the unpacking code. Everything is well with the world again

I know SI gives glitches every once in while, it'll break one moment and then not the next, I guess that's what this was...

Just so this wasn't a totally wasted effort, I've often wondered exactly what a PE Windows GUI type file was, if anybody knows what I'm talking about. I've searched for the term but not found anything. It does seem to be a Delphi type language, using TForm like headings.

Thanks for your indulgence...

Kayaker

this is the same old winice feature/bug that's been biting people for some time now... and what i fixed in icedump earlier this year. check out icedump.asm, around line 1100 or so.

That is REALLY Cool Owl!

Line 1073 in Icedump.asm version 6.020c states that the code that follows will:

"; hook into a function which places a BP on the entry point of a module
; (used by loader32/wldr) and fix the problem with win32 modules not having
; their first section marked as executable (and thus winice not breaking at all)

So I start the problem program AnyCalc from a fresh boot with SoftIce Loader. Time and again SI does NOT break at the entry point.

I change the code characteristics of the 1st section from C0000040 to E0000020 and SI breaks, but there's a "File corrupted" CRC check message. Fair enough. Change it back and the program functions normally, but SI no longer breaks.

I thought I'd be a smartass and see if I could get SI to break by changing the Entry Point manually from 60 Pushad to CC Int3, and it did if I had a BPINT 3 set, but after restoring the code within SoftIce, the CRC check kicked in since the file itself still had the CC written into it of course!

Restore the program, run Icedump - SI breaks at entry point!! Unload Icedump with 'icedump u', hook is removed, SI no longer breaks. Amazing! It's like Magic happening there ^_^

Anyway, thanks for the explanation, I don't feel like I was going crazy now, I must've started Icedump out of habit at some point and that's when SI suddenly started breaking. Absolutely wonderful job you and the team have done on this, it goes beyond words. There's a LOT of work involved there which is much appreciated.

Regards,

Kayaker