sf3lamer
July 26th, 2008, 14:38
Hi! I'm a pretty big lamer, so you may laugh out loud at my questions.
Many years ago I studied the Z80 CPU; later I migrated to the 8086...
The first serious protector I'm interested in is SF-3. At first everything goes OK: the exe's EP contains jmp protect_1, but first the protection DLL is loaded. It unpacks (or decrypts) itself, checks for a running debugger, checks module integrity, and loads the resources attached to the end of the DLL. One of them is p-code instructions with some obfuscation. This resource is copied to the protect_1 address, so when the exe JMPs to PROTECT_1, it actually jumps to P-CODE-ENTER. There are indeed two entries: for JMP PROTECT_1 and for CALL PROTECT_1, I suppose (it swaps P-CODE-ID and RET_ADDR on the stack). ALL IMPORTANT APP CHECKS ARE MADE IN P-CODE. By the way, the p-code-id is PUSHed before the jump to the interpreter.
At p-code-enter it does some stuff I didn't understand (in a loop: dec esp, and test [esp]) and it seems to throw an exception. But that's not the point. The most interesting part is P-CODE EXECUTION. I LOVE IT. Each instruction follows the next via JMP ESI (regular) or JMP EBX (obfuscated blocks). It does some stuff inside. It's not difficult in itself, and writing a decompiler wouldn't be too hard, but HERE GOES C.R.A.P. into my face:
- the prot is using drivers, and they don't like it if I try to use INT1, INT3. So bye-bye ring0 debuggers;
I wrote a little app that creates the EXE suspended and waits for the VM to load. EB FE at the first JMP ESI. And then it tries to decompile the p-code. But it's too SLOWWWWWWWW. Maybe because I use the SuspendThread, ReadThreadContext, ResumeThread sequence? Maybe it's better to inject my exe into the prot exe and do everything inside? I tried, but my programming skills are far from what's desired.
When decompiling this way I see about 5 instruction logs immediately, then a pause, and so on. Finally some branch changes and there is a wrong jump. I tried to trace it in a ring3 debugger and traced about 200 VM opcodes, but there still was no light at the end of the tunnel (then I realized that the VM is not as easy as imports reconstruction).
I needed some help. Google gave me a link to rld.re.tools (with a trojan.downloader inside the zip - thanx
The guys from rld did much bigger work than I did. But their logger wasn't for my version (I suppose). And it logged "sf3.sys not found" (well, I didn't have sf3.sys in my package, but the trojan.downloader is much better
Phrases I liked: "vm exit is easy trackable" - how?
The virtual file system wasn't there at all (not even the driver).
QUESTIONS:
1. Why do they use RegSvr32 with their DLL? Does it inject the logger DLL into the protected process?
2. Can someone explain the vm_entry hooking process?
3. How do they trace the VM? Do I necessarily need the sf3.sys driver?
BTW, why don't the rld guys write something general about themselves? For example, I would like to know whether they are guys aged <=25 or >60 invalids, and what countries they live in. Sure, only if it's OK with their security. I don't even need names or e-mail, just some general info.
NOW YOU MAY LAUGH