live_dont_exist
October 6th, 2011, 02:33
Hi All,
I was trying my hand at a challenge posted by Eset on their site. Some parts I managed to solve but am now stuck. I will try and describe the problem:
--- There is some code which is running (somewhere) which is causing a blank CMD window to pop up even before the entry point of the program (as given by Olly). While stepping through this program, text is continuously written to the console window using WriteConsole and a congratulations message pops up when you pass a stage. I got past 1 stage. The next stage however just writes some garbage text to the screen (mostly encrypted somehow by some routine) and I don't know how to proceed.
--- I did some tracing backward and found that the address where this encrypted text is stored is populated even before the entry point. So e.g. 4044AC has all the encrypted text. If I 'Follow in Dump' even before I start debugging, I can see this text is already present there in an encrypted form. Also there is this blank CMD window which pops up from somewhere, even before debugging starts... dunno how. There is some text called THiddenRecord also around there somewhere but I can't make any sense of it either.
--- I read about TLS callbacks and tried to use IDA to locate the same by following some posts online, but there do not seem to be any TLS callbacks here.
--- I stopped at the System Breakpoint but that did not help either. Tried setting a hardware breakpoint on the start of the encrypted text, but that didn't work either (maybe because it happens before).
--- One last interesting point is that running the executable using PEID to try and detect an entry point works. As in, PEID does say the entry point is different after unpacking. However, dumping the process from that new entry point using a plugin in Olly does not seem to work (with and without the import table reconstructed) and the EXE crashes. So I continued working with the packed form.
I have attached 3 screenshots which I feel are relevant. The key point is: 'How do things run before the entry point, apart from TLS callbacks?' Do I need to use a kernel debugger now? :-o
Any pointers, good reads on how to proceed will help.
Thanks
Arvind
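The post asks how code can execute before the entry point and whether TLS callbacks are present; the PE loader finds them through data directory 9 (TLS), whose AddressOfCallBacks points at a null-terminated array of callback VAs that run before AddressOfEntryPoint. As an added example (not code from the original post or from the ESET challenge), this Python parser walks a PE file to that array so an analyst can confirm with their own eyes what a disassembler reports; it is run against a constructed minimal PE32, not any real binary.

```python
import struct

def tls_callbacks(pe: bytes) -> list[int]:
    """Return the VAs of TLS callbacks registered in a PE file (file layout, PE32 or PE32+).
    The loader calls each one with DLL_PROCESS_ATTACH before AddressOfEntryPoint runs."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B            # PE32+ (64-bit) or PE32
    ptr = "<Q" if plus else "<I"
    image_base = struct.unpack_from(ptr, pe, opt + (24 if plus else 28))[0]
    tls_rva = struct.unpack_from("<I", pe, opt + (112 if plus else 96) + 9 * 8)[0]  # directory 9 = TLS
    if tls_rva == 0:
        return []                                                     # no TLS directory at all
    secs = [struct.unpack_from("<8sIIII", pe, opt + opt_size + i * 40) for i in range(nsec)]
    def rva_to_off(rva: int) -> int:
        for _name, vsize, va, rawsize, rawptr in secs:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError(f"RVA {rva:#x} not backed by any section")
    # IMAGE_TLS_DIRECTORY: RawDataStart, RawDataEnd, AddressOfIndex, AddressOfCallBacks, ...
    cb_va = struct.unpack_from(ptr, pe, rva_to_off(tls_rva) + 3 * struct.calcsize(ptr))[0]
    off, out = rva_to_off(cb_va - image_base), []
    while (va := struct.unpack_from(ptr, pe, off)[0]) != 0:          # array is null-terminated
        out.append(va)
        off += struct.calcsize(ptr)
    return out

def build_sample_pe32() -> bytes:
    """Constructed minimal PE32 (hypothetical, not a real program): one .tls section whose
    TLS directory registers two callbacks at 0x401100 and 0x401180."""
    base, sec_va, sec_off = 0x400000, 0x1000, 0x200
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", 0x10B, 0, 0, 0x200, 0, 0,
                      0x1000, 0x1000, 0x1000, base, 0x1000, 0x200, 4, 0, 0, 0, 4, 0,
                      0, 0x2000, 0x200, 0, 3, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 9 * 8, sec_va, 24)                 # TLS directory RVA, size
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".tls", 0x200, sec_va, 0x200, sec_off, 0, 0, 0, 0, 0xC0000040)
    sec = bytearray(0x200)
    struct.pack_into("<6I", sec, 0, base + 0x1040, base + 0x1050, base + 0x1050, base + 0x1020, 0, 0)
    struct.pack_into("<3I", sec, 0x20, base + 0x1100, base + 0x1180, 0)  # callback VAs + terminator
    return (dos + coff + opt + bytes(dirs) + sec_hdr).ljust(sec_off, b"\0") + bytes(sec)

if __name__ == "__main__":
    print([hex(va) for va in tls_callbacks(build_sample_pe32())])  # ['0x401100', '0x401180']
```

An empty result means the image registers nothing through the TLS directory, so pre-entry-point behaviour has to be explained some other way (loader work for the subsystem, or a packer stub that is itself the entry point).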