zenloren
September 10th, 2008, 01:21
Hi to all of you
After reading some tutorials by deroko, subzero, hacnho, & my target from the tutorial below
WinLicense-1.8x---1.9x---Unlock-Hardware-Dependance-.7z
you can d/l it from the URL below.
Note: The URL below is not commercial soft; files.zip is from the tutorial target.
http://rapidshare.com/files/143620264/files.zip.html
After reading the unlock-hardware tutorial I thought, why not unpack the test.exe from the files folder provided by the author of the tutorial,
which uses Hardware Dependence. Below are my small findings.
Step 1:
Load the target under OllyDBG
Ctrl-M & we set a memory breakpoint on write
Step 2: Shift-F9 & it breaks on the famous code below
00689A1A rep movs byte ptr es:[edi],byte ptr ds:[esi]
00689A1C mov byte ptr ss:[ebp+C7C36A9],56 <--- Famous 56
00689A23 push D41F6D39
Step 3: F7, F8 & Shift-F9; we're at an address. Now we search for the famous bytes
Ctrl-B to search for the famous bytes 3d 00 00 01 00
006993B0 cmp eax,10000 ; UNICODE "=::=::\"
Got it at 006993b0; scrolled up & wanted to find another famous byte sequence, this time
39 85 ?? ?? ?? ?? ?0 0f 84
0069912F cmp dword ptr ss:[ebp+C7C20A9],eax
00699135 je 006991C8 ; test.006991C8
I scrolled up & down for the other famous 4 jmps which we have to nop, but could not find them.
I am sure IAT patching for a hardware-dependent target is different from regular encryption.
Finally I decided to study the test.exe itself from the start.
Reload test.exe under OllyDbg. Follow the steps above up to 3 & search for the bytes below
83 f9 00 0f 84
First time we'll land here
0059F695 cmp ecx,0
0059F698 je 0059F6B4
Ctrl-L & we land here
0069880F cmp ecx,0 <--- Here we'll set a hardware breakpoint on execution
00698812 je 0069C52E
Ctrl-F2 to reload test.exe
Shift-F9 & we break at the address below
0069880F cmp ecx,0 <--- has the program finished loading all DLLs? In our case NO
Check the Registers window in Olly. It's comparing ecx with 0 & ecx=7c800000 = Kernel
Now I traced & noted all the things that are happening; here they are:
00698916 lods word ptr ds:[esi] ; <---E8
00698960 sub esi,16625424 <--- esi=262c RVA of Kernel
006989AE mov edi,dword ptr ds:[ebx] ; edi=3B5 exported APIs to get from kernel
00B88ECC call dword ptr ds:[7C801190] ; ntdll.ZwAllocateVirtualMemory to store encrypted apis
I have traced some more & will write a summary of what's happening.
It gets the length of the API name & then there is a loop to xor & then not & store it at the ZwAllocateVirtualMemory address
00698C4C scas byte ptr es:[edi] ; scans API name
00698C4D jnz short 00698C4C
00698D39 xor al,cl <-- here it xors the first byte of the API with FF
00698D69 push dword ptr ds:[edi+eax*4] <-- gets dword from the already-encrypted area
00698DAA xor ecx,eax <--- xors ecx with eax = dword from the already-encrypted area
xor stuff continues till the length of the API name
00698EEC cmp dword ptr ss:[ebp+C7C120D],edx <-- did we finish 3B5?
00698F96 mov edx,dword ptr ss:[esp] <--- once we're finished with 3b5 we land here
0069926C cmp eax,EEEEEEEE <--- I guess: if not encrypted
006993B0 cmp eax,10000 ; UNICODE "=::=::\" landing at the famous 3D 00 00 01 00
006996A8 cmp eax,dword ptr ds:[edx] ; <<< comparing Encrypted API
00699995 add eax,7CB21DFE <--- Real API
My question: how to build the IAT in such a case? Also I failed to find the OEP for the trial.exe.
Awaiting others to look into it.
Lorens
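The hash-and-compare loop traced in the post above is the general shape of hash-based import resolution: the protector walks a module's export names, hashes each one, keeps only the hashes in an allocated buffer, and later matches a stored hash to recover the real API address. Rebuilding an IAT from such a buffer means running the same hash over every export of the loaded modules and looking each recovered hash up in reverse. The C program below is an added example to illustrate that step; it is not code from the post, the tutorial, or WinLicense. It assumes the xor / table-lookup / not loop has the shape of a table-driven CRC-32 (an assumption from the traced instructions, not something the post states), uses a small constructed list of export names in place of kernel32's real export directory, and uses 0xEEEEEEEE only as a probe value that should not match anything. Substitute the target's real hash routine if its constants differ.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the export-name table the packer walks.
 * A real IAT rebuilder would read these from kernel32's export directory. */
static const char *const kExportNames[] = {
    "CreateFileA", "ExitProcess", "GetModuleHandleA", "GetProcAddress",
    "LoadLibraryA", "VirtualAlloc", "VirtualProtect", "WriteFile",
};
#define NUM_EXPORTS (sizeof kExportNames / sizeof kExportNames[0])

/* Table-driven CRC-32 (reflected polynomial 0xEDB88320).
 * ASSUMPTION: the traced loop (xor a name byte into the low byte, fetch a
 * dword from a 256-entry table, xor into the accumulator, NOT at start/end)
 * is this algorithm. Replace with the target's routine if it is not. */
static uint32_t crc_table[256];
static int table_ready = 0;

static void init_table(void) {
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int k = 0; k < 8; k++)
            c = (c & 1) ? (0xEDB88320u ^ (c >> 1)) : (c >> 1);
        crc_table[i] = c;
    }
    table_ready = 1;
}

/* Hash one API name the way the packer would store it. */
uint32_t api_hash(const char *name) {
    if (!table_ready) init_table();
    uint32_t crc = 0xFFFFFFFFu;                       /* the leading NOT */
    for (; *name; name++)
        crc = crc_table[(crc ^ (uint8_t)*name) & 0xFF] ^ (crc >> 8);
    return ~crc;                                      /* the trailing NOT */
}

/* Reverse map: hash every export once, then answer "which API has this hash?".
 * This is the inversion an unpacker needs when the packer kept only hashes. */
struct entry { uint32_t hash; const char *name; };
static struct entry reverse_map[NUM_EXPORTS];
static int map_ready = 0;

static void build_reverse_map(void) {
    for (size_t i = 0; i < NUM_EXPORTS; i++) {
        reverse_map[i].hash = api_hash(kExportNames[i]);
        reverse_map[i].name = kExportNames[i];
    }
    map_ready = 1;
}

/* Returns the export name for a recovered hash, or NULL if no export matches. */
const char *resolve_hash(uint32_t h) {
    if (!map_ready) build_reverse_map();
    for (size_t i = 0; i < NUM_EXPORTS; i++)
        if (reverse_map[i].hash == h) return reverse_map[i].name;
    return NULL;
}

int main(void) {
    /* Constructed sample: pretend these were read out of the packer's buffer.
     * The last value is a probe that should resolve to nothing. */
    uint32_t recovered[] = { api_hash("GetProcAddress"), api_hash("VirtualAlloc"), 0xEEEEEEEEu };
    for (size_t i = 0; i < sizeof recovered / sizeof recovered[0]; i++) {
        const char *n = resolve_hash(recovered[i]);
        printf("%08X -> %s\n", recovered[i], n ? n : "(no match)");
    }
    return 0;
}
```

In practice the export list comes from every module the target has loaded at the point where the hash buffer is filled, and any hash that fails to resolve against all of them is a sign the assumed hash routine is wrong, not that the import is missing.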