about RV and duplicated exports


evaluator
December 2nd, 2001, 04:13
Hi, Tsehp!
Hi, Solomon!
When I resolved IAT entries from CVv3.1, an interesting
fact appeared. Sometimes the same entries are called by
other names. For example: "GlobalAlloc" & "LocalAlloc",
"lstrlen" & "lstrlenA" and others.
Then I disassembled KERNELL.DLL and found:
these exports have the same address.

My question:
Which name is more right and more compatible with
other OSes (w2k, nt)? (mine is WIN98SE)

Solomon!
If you have CVv3.1, please do this for me:
resolve IT under your w2k and submit IT.TXT here.
Use this values:
IAT 001C9258
IAT SIZE 970
Thanks.

+SplAj
December 2nd, 2001, 06:21
hmmmm cv3.1 seems to have changed since I made my 'tut'......

anyhow here is my cv3.1 W2k resolved with IAT at 1st thunk 1A0230....


I have to d/l again now and check wtf

[/me edits 5 mins later: build is now 161 against my 156...]

check yer e-mail eval I sent you a nice challenge

Spl/\j

+SplAj
December 2nd, 2001, 08:14
eval

here is the latest (unconfirmed!) resolved W2K Sp3b3.051 for CV3.1b161 ......

evaluator
December 2nd, 2001, 11:07
Hi +SplAj!
Thanks for the reply.
Shit! I have CV3.1.0.160.
Ok, so, which one is more right?

first case
7 001C9274 KERNEL32.dll LocalAlloc
15 001C9294 KERNEL32.dll lstrlenA
16 001C9298 KERNEL32.dll lstrcpynA
71 001C938C KERNEL32.dll lstrcpyA
72 001C9390 KERNEL32.dll lstrcmpA
86 001C93C8 KERNEL32.dll SetThreadLocale
87 001C93CC KERNEL32.dll SetProcessWorkingSetSize
108 001C9420 KERNEL32.dll IsBadReadPtr
201 001C95A0 GDI32.dll SetBrushOrgEx
376 001C9860 USER32.dll IsDialogMessageA
461 001C99B4 USER32.dll DestroyIcon
565 001C9B88 ADVAPI32.dll AbortSystemShutdownA
566 001C9B8C ADVAPI32.dll ControlService

second case
7 001C9274 KERNEL32.dll GlobalAlloc
15 001C9294 KERNEL32.dll lstrlen
16 001C9298 KERNEL32.dll lstrcpyn
71 001C938C KERNEL32.dll lstrcpy
72 001C9390 KERNEL32.dll lstrcmp
86 001C93C8 KERNEL32.dll AddAtomW
87 001C93CC KERNEL32.dll BuildCommDCBAndTimeoutsW
108 001C9420 KERNEL32.dll IsBadHugeReadPtr
201 001C95A0 GDI32.dll FixBrushOrgEx
376 001C9860 USER32.dll IsDialogMessage
461 001C99B4 USER32.dll DestroyCursor
565 001C9B88 ADVAPI32.dll CloseServiceHandle
566 001C9B8C ADVAPI32.dll OpenSCManagerA

Or can both be?

+SplAj
December 2nd, 2001, 11:35
565 001C9B88 ADVAPI32.dll AbortSystemShutdownA
or
565 001C9B88 ADVAPI32.dll CloseServiceHandle

duuuuuuuhhhhh ?

must be the result of different builds? but it looks like each 'build' is a genuine IAT of its own......no 'pick+mix' allowed, cv3.1b160 is DIFFERENT from cv3.1b161

well all I can do is rebuild cv3.1b161 soon on both Win98SE and Win2K ....the wife will kill me for sure before I finish....

BTW did you get the challenge

Spl/\j

Solomon
December 3rd, 2001, 01:40
hi

I tried CV v3.1 b161 on my Win2K SP0 build 2195 and I got a different result. In Win2K, "lstrlen" is the same as "lstrlenA" too.

Here is my data:
OEP = 5B28A8
IAT RVA = 1C9258, length = 970

There are only 4 entries unresolved.
Code:

IAT RVA Addr value
1C93C0 5B1FAC
1C9410 5B202C
1C9480 F7C548 (this is GetProcAddress)
1C94D4 5B2060


The above 3 remain unresolved, because CV seems to use the ASProtect API to modify the corresponding IAT entry:
Code:

001B:005B20E8 PUSH EBP
001B:005B20E9 MOV EBP,ESP
001B:005B20EB PUSH ECX
001B:005B20EC XOR EDX,EDX
001B:005B20EE MOV [005C873C],EDX
001B:005B20F4 XOR EDX,EDX
001B:005B20F6 MOV [005C8740],EDX
001B:005B20FC XOR EDX,EDX
001B:005B20FE MOV [005C8744],EDX
001B:005B2104 MOV [005BC918],EAX
001B:005B2109 MOV EAX,004074E8
001B:005B210E MOV [EBP-04],EAX
001B:005B2111 MOV EDX,005B202C <--------- new addr value
001B:005B2116 MOV EAX,[EBP-04]
001B:005B2119 CALL 005B20A8
001B:005B211E MOV EAX,00407588
001B:005B2123 MOV [EBP-04],EAX
001B:005B2126 MOV EDX,005B1FAC <--------- new addr value
001B:005B212B MOV EAX,[EBP-04]
001B:005B212E CALL 005B20A8
001B:005B2133 MOV [005C8738],EAX
001B:005B2138 MOV EDX,005B1FAC <--------- new addr value
001B:005B213D MOV EAX,[EBP-04]
001B:005B2140 CALL 005B20A8
001B:005B2145 MOV EAX,00407360
001B:005B214A MOV [EBP-04],EAX
001B:005B214D MOV EDX,005B2060 <--------- new addr value
001B:005B2152 MOV EAX,[EBP-04]
001B:005B2155 CALL 005B20A8
001B:005B215A POP ECX
001B:005B215B POP EBP
001B:005B215C RET


I have uploaded the original setup package of CV 3.1b161 to the yahoo briefcase to ensure that we are always talking about the same version.
h**p://us.f1.yahoofs.com/users/ab932d34/bc/software/cv3.zip?bcvm3W8AJqGcudJo

saved txt:

+SplAj
December 3rd, 2001, 02:22
hi guys

looks like tamo/alex have worked together on this latest cv3.1 b161.

1) as you mention, the 'resource' api are now redirected inside REGULAR code with no chance to auto trace with RV/imprec....

........I mentioned this new 'redirection' in smartwhois3.3 post a few weeks ago.....

2) also they changed the CRC/HASH algo into ripeMD whatever....

hmmmm nice

thanks for the update guys, that's crackers and protectors alike

evaluator
December 3rd, 2001, 03:22
1. TuMo has a "developer license" of cASPR
2. Those "regular-code redirected APIs" are a
trick for total newbies. IAT entries are
overwritten by code. So you must simply
resolve the IAT at OEP.
3. Let's make a pause in CV and analyze
DigiSecret (also by TuMo). Here another
cASPR trick is released. ok?

evaluator
December 3rd, 2001, 14:13
Ye-Yo!
1. Today I downloaded the new DigiSecret, "unpacked" && cr0cked
2. I found the place where the ORIGINAL(!) export names are decrypted.
So now WE can be sure about the correct export names!!!
SPLAJ! Can't believe you don't know about it??
3. As I understand, those "LockResource" & "FreeResource"
are free replacements. OK, SPLAJ!?
AND these replacements do NOT work with DigiSecret!
I SIMPLY.... hihihihi. Guess what I did!!

Solomon, would you like to test my cr0ck0? Please! I am interested
whether my rebuilt IT will work under your w2k.

evaluator
December 4th, 2001, 09:07
OK, job done!
Here are the right export names for CVv3.1.0.161
(size=803328 crc32=F5444359)

001C9294 KERNEL32.dll lstrlenA
001C9298 KERNEL32.dll lstrcpynA
001C938C KERNEL32.dll lstrcpyA
001C9390 KERNEL32.dll lstrcmpA
001C97E0 USER32.dll RegisterWindowMessageA
001C9860 USER32.dll IsDialogMessageA
001C99B4 USER32.dll DestroyIcon
001C9B10 SHELL32.dll Shell_NotifyIconA
001C9B18 SHELL32.dll DragQueryFileA
001C9B2C SHELL32.dll SHGetPathFromIDListA
001C9B38 SHELL32.dll SHBrowseForFolderA
001C9B54 0025 KERNEL32.dll (ordinal, in W2K has names?)
001C9B58 0024 KERNEL32.dll (ordinal)
001C9B5C 0023 KERNEL32.dll (ordinal)
001C9B70 WINMM.dll PlaySoundA

Also, Solomon, if you stop the program at OEP, RV resolves for you:
001C93C0 KERNEL32.dll SizeofResource

Solomon
December 4th, 2001, 09:21
In win2k, the 3 ordinals are:

001C9B54 CompareStringA
001C9B58 CompareFileName
001C9B5C CommConfigDialogW

yes, RV can resolve the 3 modified entries at OEP; actually I just manually resolved them days ago

Thx

evaluator
December 5th, 2001, 04:34
Hi, Solomon!

Disassemble KERNELL.DLL with Wdasm,
find the ordinal (23-25) export references and
look whether other export names are present.
Anyway, you can remove those names from IT.TXT.
BTW, can you compress KERNELL.DLL and upload it
somewhere for me?

Have you checked DigiSecret?
Here cASPR's trick is finally activated,
the one that is inactive in CV!
AND this trick is better than the STUPID redirection
inside the main code!
Also, did you find the place where cASPR decrypts
the export names?!!

Hi, SPLAJ!
What about the "CRC/HASH algo into ripeMD" you talk about,
and why do we need it? You can't force CV to run?
I can

tsehp
December 5th, 2001, 04:40
to resolve the duplicated exports, here's what we need:
an asm coder could do the following task:
in all notorious dll's (kernel32.dll, shlwapi, user32 etc...),
when rv loads, take all those dll's exports and redirect them to new addresses inside the dll itself by forwarding them, for example:

export1 contains apix1 apix2
forward apix2 to adrx2 inside the own dll

the goal is to have for each export 1 address for 1 duplicate.

after this, rv will make the difference and take the real name, compatible with all platforms.

theOwl already did this when you launch icedump; it's pretty hard to do on w2k because a driver is needed...
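The duplicate-export problem evaluator describes above (several KERNEL32 names pointing at one address) and the one-address-per-name goal tsehp sets out, as an added Python example that is not code from this thread or from RV: it parses an IMAGE_EXPORT_DIRECTORY out of a flat module image (RVA == offset, as in a dumped DLL) and reports every export address that carries more than one name, which is exactly where an address-to-name resolver becomes ambiguous. The image, its export names and the RVAs are constructed sample data, not real kernel32 values.

```python
import struct
from collections import defaultdict

EXPORT_DIR_FMT = "<IIHHIIIIIII"  # IMAGE_EXPORT_DIRECTORY (40 bytes)

def build_export_image(funcs, names, ordinal_base=1, dir_rva=0x40):
    """Construct a flat image (RVA == offset, like a module dump) holding only an export directory (sample data)."""
    n_f, n_n = len(funcs), len(names)
    aof = dir_rva + 40          # AddressOfFunctions: one RVA per ordinal slot
    aon = aof + 4 * n_f         # AddressOfNames: RVA of each name string
    aoo = aon + 4 * n_n         # AddressOfNameOrdinals: index into AddressOfFunctions per name
    strings, name_rvas = b"", []
    for name, _ in names:
        name_rvas.append(aoo + 2 * n_n + len(strings))
        strings += name.encode() + b"\0"
    dll_name_rva = aoo + 2 * n_n + len(strings)
    strings += b"KERNEL32.dll\0"
    body = struct.pack(EXPORT_DIR_FMT, 0, 0, 0, 0, dll_name_rva, ordinal_base, n_f, n_n, aof, aon, aoo)
    body += struct.pack("<%dI" % n_f, *funcs)
    body += struct.pack("<%dI" % n_n, *name_rvas)
    body += struct.pack("<%dH" % n_n, *[i for _, i in names])
    return b"\0" * dir_rva + body + strings

def parse_exports(image, dir_rva):
    """Map each exported RVA to every name (or '#ordinal' if nameless) that refers to it."""
    (_, _, _, _, _, base, n_f, n_n, aof, aon, aoo) = struct.unpack_from(EXPORT_DIR_FMT, image, dir_rva)
    funcs = struct.unpack_from("<%dI" % n_f, image, aof)
    name_rvas = struct.unpack_from("<%dI" % n_n, image, aon)
    indexes = struct.unpack_from("<%dH" % n_n, image, aoo)  # unbiased ordinals = index into funcs
    by_rva, named = defaultdict(list), set()
    for rva, i in zip(name_rvas, indexes):
        by_rva[funcs[i]].append(image[rva:image.index(b"\0", rva)].decode())
        named.add(i)
    for i, f in enumerate(funcs):            # exports reachable only by ordinal (RVA 0 = unused slot)
        if f and i not in named:
            by_rva[f].append("#%d" % (base + i))
    return dict(by_rva)

def duplicated_exports(by_rva):
    """Addresses an IAT slot could name in more than one way (the lstrlen/lstrlenA case)."""
    return {rva: sorted(n) for rva, n in by_rva.items() if len(n) > 1}

def resolve_iat_entry(by_rva, target_rva):
    """All candidate names for one IAT value; a resolver must choose among them, not trust the first hit."""
    return sorted(by_rva.get(target_rva, []))
# Constructed sample: two alias pairs from the thread, one unique name, one nameless ordinal.
FUNCS = [0x1000, 0x1100, 0x1200, 0x1300]
NAMES = [("CreateFileA", 2), ("GlobalAlloc", 0), ("LocalAlloc", 0), ("lstrlen", 1), ("lstrlenA", 1)]
EXPORTS = parse_exports(build_export_image(FUNCS, NAMES), 0x40)
```

Run against a real dump by replacing the constructed image with the module bytes and the export directory RVA from its data directory; a forwarded export (RVA inside the export section) is not special-cased here.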

Solomon
December 5th, 2001, 05:18
hi evaluator,

here is my kernel32.dll.
h**p://us.f1.yahoofs.com/users/5f65830d/bc/%ce%d2%b5%c4%ce%c4%bc%fe/kernel32.rar?bc_rkX8Angd3rTPk

my unpacked CV quits silently too. What's the trick? It's not a CreateMutexA/file CRC

I will check DigiSecret later, hope I can learn new stuff

evaluator
December 5th, 2001, 06:11
Hi, Tsehp!
Hi, Solomon!

Tsehp, as I said, I found the "magic" moment & place
where cASPR decrypts the export names, so now WE ALL GOOD GUYS
can be 100% sure about this problem.

Solomon, CV exits because of a SIMPLE FILE SIZE check!
At 5B3247 a CALL returns the current size in eax,
5B324C compares it to C4200 (original CV size),
5B3251 does not jump

So, ACCELERATE YOUR FANTASY!
If you fail, post again.

Solomon
December 5th, 2001, 08:57
damn! It uses FindFirstFileA (wrapped by TSearchRec) to get the file size; that's why my breakpoints on CreateFileA/_lopen/GetFileSize never get hit.

If I change the JZ at 5B3251 only in memory, it runs well. But if I change this in the disk file, I always get an "Unknown Application Fault" message box. Why? There seems to be no further crc check after this jump.

Thx for the reply

+SplAj
December 5th, 2001, 11:34
dear eval

can you stop playing a me-myself-and-I tune and show us the notes?

What is this 'caspr' ???? ........the one by SAC ?????

I am interested in how you got round patching the cv3.1 b161 exe
to run.......... WITHOUT a loader ??? I'm sure solomon is too.

BTW the wife DID kill me, I say this with my last breath

evaluator
December 5th, 2001, 13:53
Hi, SPLAJ!
Hi, Solomon!

Dear SPLAJ!
1. by the word "cASPR" I mean ASPR. Little joke
Another joke for you: "SmartWhoWas"
Guess what program I mean!

2. of course, I can't kill the terrible Tamos-protection
because I'm a musician, not a programmer. But I have a terrible
fantasy (musician)!
I compose funny&easy code... More about it later.

Solomon!
After you reversed that JS in memory and executed,
did you restore this byte back? (SPLAJ!!)
If you did not restore it and CV runs, this is very strange!

+SplAj
December 6th, 2001, 02:46
OK i'm laughing at myself....

be careful with the word 'caspr' as this is not your copyright.
I was mistaken into thinking you used the CASPR auto-magic-unpacker, and this is NOT allowed here on the RCE MB

The CV3.1 b161 was fixed with a SMC patch.... Solomon has the details. Now I see you did that too. I'm warming to you

I often resolve the IAT while EB FE at the OEiP. BUT I NEVER REALLY CONSCIOUSLY THOUGHT there would be a different resolve result than if you just let the target proggy run and then use RV/imprec......But now it's bloody obvious that a new anti-tracing trick is to RE-RE-DIRECT the IAT into regular code as a SHORT TERM solution to our exploits, until Alexey comes out with a new version. It must be time, it's been 14 months since the last ASProtect 1.2

Ok please send me & tsehp what you found about this ORIGINAL place you are talking about....TIA.

Keep hard trancing my musical cracker

Spl/\j

evaluator
December 6th, 2001, 05:38
I think there is no reason to keep this secret,
because A.S. already knows what happens. So:

***Start of crazy TUT for SPLAJ & TSEHP from just_Evaluator!***
Now a very easy way to catch the original IAT names in cASPR protection.
Target CVv3.1.0.161 (size=803328 crc32=F5444359)

As you know, after full unpacking in memory,
cASPR writes its own IAT. OK?
Let's make: BPR 5C9258 5C9BC0 (CV)
SICE breaks when cASPR tries to write its first
IAT entry at 5C9258.
In EAX we see the value that will be written at EDX.
hm, but-but-but what is ESI trying to hide???
Type: d ESI
SALUT!
Now press F5 again. OOPS!
SICE breaks on the second write attempt && you already
see the second name.
So press F5, look at the display and EnjoE!
Of course, special ASPR-trick names will not be decrypted.
(GetCommandLineA, etc., this is another job)
Also, when ORDINALs without a name are decrypted you
will see the ordinal's value in the ESI register.
I attached two screendumps.
In addition:
1. if after the bp you trace a little, you will
also find the decryptor engine..
2. Before OUR action, print "RESOLVED.TXT" & check
***End of crazy TUT for SPLAJ & TSEHP from just_Evaluator!***

Tsehp! Beta draft, DO NOT DISTRIBUTE!!

tsehp
December 6th, 2001, 08:16
I'm just disgusted, I didn't know it was so easy...
I'll code an automation to do this

ASPR's usual way to build the iat doesn't seem to have changed a lot for a long time; before building rv I made an essay (look at the archives) with a small asm prog to rebuild the iat.

but it's always target/protection/version dependent, so concerning a general iat rebuilder, this info just can't be used.

But always useful when our tools don't locate the api function name

evaluator
December 6th, 2001, 11:46
1. When I use the tracer with ASProtected files,
the aspr-engine (dll) lands in another (lower) memory
location. With S+ICEDUMP this dll lands in the same
place as in clean windows.
Suggestion: maybe if you move the tracer and thread dlls
to a higher area (~30000000), this will not happen?

2. It will be good if you add a "NO HINTS" option
to the IT.BIN production engine. So if we want, RV will create
IT.BIN only by export names (as IMPREC). Of course
except ORDINALS.
Shit, yesterday I spent 1 hour manually removing those
hints...

3. I read about "unSafedisc v2.40"! But failed to find it.
Probably this file can be protected with the newest KKryptor
& will be good for a tracer test and for my hobby

JMI
December 7th, 2001, 03:10
Great reading material. Keep it coming.

Evaluator:

Here's a copy of unSafedisc v2.40.10 for you to practice on.

Apparently the file size is too large to attach. Sorry. Send me a PM with an e-mail address or upload address and I'll send you the file.

evaluator
December 7th, 2001, 15:10
At the "exetools forums" one good guy
uploaded "unSafeDisk" for me.
UNFORTUNATELY v2.40.10 exe files are
NOT protected
Do you have POXYLOCK?

JMI
December 7th, 2001, 16:26
Yes!

Attached.

JMI
December 7th, 2001, 16:36
By the way, Safedisk 2.2.2 is shareware and available "everywhere." You could download it and "protect" "unsafedisk v2.40.10" yourself and then take it apart. Just a thought.

evaluator
December 8th, 2001, 03:46
Thanks, JMI!

But you made a "little" mistake!
When I wrote:
"UNFORTUNATELY v2.40.10 exe files are NOT protected"
I did not mean "Safedisk" protection. I meant R!SC's
terrible protection!
For example, try to debug "your" file "poxylok.exe"......
For more info about it, go to ^DAEMON^'s post:
http://www.woodmann.net/forum/showthread.php?s=&threadid=1897

I had "deprotected" "SafediscV2.30.31Rebuilder" &
"SafediscV2.30.31Dumper". In the last one I probably missed 3 exports.
Now I will download "SafeDisk" and test my work.

evaluator
December 8th, 2001, 09:50
Tsehp!

Today I performed a special test:
I loaded into RV Solomon's "resolved.txt" for CV under W2K
(my sys is W98se) and CV displays the error:
CAN'T LOAD USER.EXE
This is simply because of those shit HINTs!
So YOU have a real reason to remove HINTs.
Or at least add a special option to the IT.BIN production engine.

Tsehp! SPLAJ!
VERY IMPORTANT!

If I understand correctly, you & SPLAJ think
these 2 special ASPR-redirects to little code inside the
ASPR-dll are:
1. LockResource (xxxxC954 in dll)
2. FreeResource (xxxxC960 in dll)

If so, you are wrong, since this trick is released!
Confirm if you think so and I'll explain...

evaluator
January 6th, 2002, 08:11
just unpacked CVv3.2.0.171.
Seems TuMOS read this thread and changed the file size check!
Now the program displays RUNTIME ERROR after about 75 seconds
I'm too lazy to find their trick, I manage another way..
I will keep TuMOS in mind

+SplAj
January 6th, 2002, 08:50
Of course they read it, they luv it that we discuss their nice CV+aspr here........keeps em bizzy codin..... better than sittin on their ass and playing quake3 on the office lan