View Full Version : new protector: PE-PROTECTOR


Ni2
March 8th, 2002, 10:53
Hi Fellas,

I have released my protector and I'd love if you all start cracking it

You can find it at http://softsecurity.cjb.net

Hope to hear how you get on!

Ni2

+SplAj
March 8th, 2002, 17:44
....and that would be the one that ONLY runs r0 tricks on Win98/ME...waste of time m8. Real programs run on WinNT4/2K and XP as well. So what's the point....only to prove you know all about r0 and all those other nice exploits that Win98 allows.

Please make a universal protector f- yes u have to make a *.sys and we would be glad to help u out.

that's my bitchin finished.

Spl/\j

Ni2
March 8th, 2002, 18:27
Thanks for your comments!

I really want to make PE-PROTECTOR compatible with NT/2000/XP. I didn't do it cos it was a project for the university and I didn't want to spend my life at uni testing on all the Windows systems

It's true that I have to make a .SYS to make it compatible with NT/2000/XP cos lots of exploits to go to Ring0 in NT have been closed for 2000. Anyway I just need to make a little driver that unprotects the IDT and almost all the protections used in PE-PROTECTOR should work fine, plus some extra work to convert some incompatible protections to NT/2000. I just need some holidays to do it

Anyway, the objective of PE-PROTECTOR was to prove that a packer/protector can be something very good to protect software. I didn't want to make a commercial application. If I achieved that then I'll be a happy bunny

Cheers,
Ni2

+SplAj
March 8th, 2002, 22:51
hi, i'm glad you did not take offence, ur win98 effort is quite nice. I liked it but was disappointed with its W98 restriction...

....and when you do have that 'commercial protector' i offer my services as an offshore tax advisor and set you up with a tax free company

Spl/\j

tony b.
March 8th, 2002, 22:51
Just some suggestions on this...

Doing r0 under NT2kXP may not be such a great idea... For example,
if you have two different protectors messing with the IDT/GDT/LDT,
the system might bluescreen or get unstable. Also, admin privs
are necessary to install/run drivers. That's like requiring
r00t under U*ix to run any protected program, though the
NT2kXP culture is different and tolerates this, at least
today. This might change in the future, especially with the
recent security pushes.

Anyway, just my 2cents, inspired by the SafeDisc anti-SoftICE
driver that needs admin to run my games... it just silently
exits under a non-admin account.

Regards,

tony

evaluator
March 9th, 2002, 13:30
Ni2!
1. You said: "new protector"
But time stamp on "PeProtector.exe" is 14.12.2000.
??

2. protect itself "PeProtector.exe" and
I show to you DEprotected...
It is much NOT interesting deprotecting myNOTEPAD!

-----------
NOTEPAD IS GREAT!

bart
March 10th, 2002, 21:33
just put

mov eax,dword ptr fs:[30h]   ; fs:[30h] is a user-mode pointer (the PEB) on NT, a kernel-space pointer on Win9x
test eax,eax                 ; sign bit set (address >= 80000000h) means Win9x
jns _fuckin_nt_clon          ; sign bit clear: NT family, skip the ring-0 tricks

in your code & forget about all those nice things in r0 )

foxthree
May 13th, 2002, 20:18
Hello:

I'm trying to unpack PEProtector but it seems to be modifying the IDT to do anti-debug. How do i bypass that? Any tips/pointers...

Eval, can i have ur email? PM it to me. I need to ask u something?

Thanks,

Signed,
-- FoxThree

Ni2
May 13th, 2002, 20:43
foxthree,

Thanks mate! I thought no one was interested in unpacking my little pe-protector. You have made me very happy tonight.

Hope to have some good news from you soon. Do you plan to make a universal packer or dumper/rebuilder for it?

Well, I'm a bit sad cos daemon wrote in one article that ASProtect was more difficult to trace than my pe-protector

These were his results:

Daemon said:

Name           Description       Debugging-level (Difficulty)
===============================================================
Pecompact      Packer            *.........
Pklite         Packer            *.........
PeProt         Protector         ****......   Coder: Chris's Protector
PeLockNt       Protector         *******...
Aspack         Packer/*Prot*     ***.......
Asprotect      Packer/Protector  **********
tElock         Packer/Protector  ******....
SoftSentry     Protector         *.........
Zcode          Protector         ******....
PeProtector    Protector         ********..   Coder: Ni2
BitArts Prod.  Packer/Prot       *****.....   The new Titanium...
Armadillo      Packer/Protector  ******....   The new one is supposed to be quite....
Petite         Packer            **........
Peshield       Protector         ??????????
Upx            Packer            ??????????
Peninja        Protector         ***.......
NoodleCrypt    Protector         ****......
Vbox           Protector         *******...
PcGuard        Protector         ****......

ASProtect has 2 more asterisks than me

Thanks daemon for that comparison of protectors, I think that no one has done that before (At least, I can't read that in computer magazines, TV.... )


Regards,
Ni2

Ni2
May 13th, 2002, 21:06
Sorry evaluator, I didn't see your post and the question that you asked me (until now that I have seen foxthree's post about pe-protector).

Originally posted by evaluator:
Ni2!
1. You said: "new protector"
But time stamp on "PeProtector.exe" is 14.12.2000.
??

Ohhh, yes. It's not new at all. I said "NEW" because it was released for the first time to the public. Pe-protector was sleeping in my computer for one year. I was waiting for my uni to publish it...but they didn't do that and I decided to do it by myself.

2. protect itself "PeProtector.exe" and
I show to you DEprotected...
It is much NOT interesting deprotecting myNOTEPAD!

Uppps, sorry. I didn't know that you prefer to deprotect my protector instead of your Notepad. I'll think about that next time. But believe me, if I release my protector protected by itself, I'm sure that some people are going to complain because they want to smell how pe-protector is coded internally....It's so difficult to keep everybody happy.

Kind regards,
Ni2

^DAEMON^
May 14th, 2002, 14:10
the table should be corrected... your
protector is much much more difficult to trace/defeat than asprotect is! (I made several mistakes in that list)

(btw: I am currently working on a sys driver and other things)

but better email me... to exchange knowledge
^DAEMON^

Ni2
May 14th, 2002, 14:27
Thanks daemon,

Coming from you (an expert in unpacking) means a lot to me

What do you mean by "working on sys drivers"? (for a company?....or another of your nightmare protections?)

Talk to you soon,
Ni2

crUsAdEr
May 14th, 2002, 23:46
Hey fox3,

The best way to bypass IDT detection is debugging it with a ring3 debugger with and without softice, compare the value of registers and you will see what is changed.. if i remember correctly there was a tutorial by Kilby or maybe not him about some bit-art products that access IDT for sice check.. the value of esi has to be something like 6 and not 10h... can't remember but the tut is on krobar's site.. crunch i think :>... or maybe softlocx...

Of course, go to Daemon's page :>>... playing with bit-art products might help but i don't know... Guess i'll have to wait for SVK release to play with a win2k compatible version...

Good luck,
crUsAdEr

foxthree
May 15th, 2002, 07:47
Yo Crus:

Thanks for the heads up on this one. I'll take a look and see what I can find.

Signed,
-- FoxThree

Kilby
May 15th, 2002, 12:22
I did a bi-tarts tute but it was only for Crunch 2.

I suspect that Splaj or horndog (as I remember) may have been the one who took offence at the other bi-tarts products.

Kilby...

evaluator
May 18th, 2002, 17:21
Hello, Unpackerz!

Just want to share some interesting info.

1. Yep, when Pe-Protector kills INT1 & INT3 then
WINICE 4.05 crashes.
BUT WINICE from DS2.6 dramatically STABLE!
So you can successfully use BPR-wEapoN

2. Yep, it anyway detects WINICE 4.05,
BUT not detects WINICE from DS2.6.

RESUME:
Upgrade WINICE: & enjoE with EasY unPUCKing PE-PROTTECTOR

Ni2
May 22nd, 2002, 22:08
Hi evaluator!

I think you are the man! Only with that you unpacked my pe-protector? Ummm...strange...didn't work for me, I have to learn how to crack

I have released a new version of my mini pe-protector (and this time I packed it with pe-protector itself, as evaluator suggested to me). So, I hope that this time you all have a bit more fun than the last time

You can find it at h**p://www.softsecurity.cjb.net

NOTE: still Win9x/Me compatible

All da best,
Ni2

evaluator
May 23rd, 2002, 17:25
Hello, Ni2!

Unfortunately, I gave my PC to my friends (for help), and I'm currently not available for UNPACKING

Btw, I checked your PEP with LordPE and it dumps only 00h!
Thats Great

evaluator
May 25th, 2002, 05:58
Hey, Ni2!

I failed to install WINICE on WinME
So I unpacked your PEP without DBGER!
& when the unpacked exe crashed, I found: because main code jumps in protector's section I just removed.

Question!!!
What option must I choose to protect NOTEPAD
with the same trick?!

crUsAdEr
May 26th, 2002, 10:56
Hi folks,

Talk about addiction :/... i was just bored last nite... and since i had some win98 handy, i dug into Ni2's protector for a while...

Ni2, you are cruel ... if Alexey uses seh more than 30 times, you access IDT about 29 times .... doing absolutely nothing meaningful.... i made a few patches and "cleaned" it up a bit.... still haven't unpacked it yet... was interested in how the protection works... however i have a few queries about IDT, maybe some guru can help me answer???

Ni2, i hope you find this familiar :>
sidt qword ptr [esp-2]
pop eax
add eax, 0C
mov ecx, [eax] ; getting int1 handle???
and ecx, 1FFF
cmp ecx, 0E00
jnz sice_not_found??

jmp sice_found???

sice_not_found:
add eax, 1C
mov ecx, [eax] ; getting int 3 handle???
mov loc_1, ecx
mov ecx, [eax+4]
mov loc_1+4, ecx

I was just wondering about the initial sice check??? my thinking is that, since sice hooks int 1, the first proggie checks for the int1 handler, compares it with the default int1 handler by sice?? if equal then sice detected???

The later bit is slightly more confusing... after you add "C" to eax, eax points to the int1 entry in IDT, you add another "1C"???? This will bring you right in the middle of the int 4 entry in IDT??? why int 4.. i was thinking it was more like int 3 that he should want to check...

That is all for now, i only have time 2 weeks later, but i do have a feeling once i am done with PE Protect, i will know a lot about IDT just like the way I learnt from AsProtect about seh ....

Hopefully someone can explain my question above.
Thanx,
crUsAdEr

ZaiRoN
May 26th, 2002, 12:55
hi...
i haven't tried this program so if i'm wrong...forget my words.
int1: your analysis should be right.
int4: this is a strange int...i don't know if it's your case but sometimes it's used to go into ring0:

pushfd
pop eax
or ah,80h
push eax
popfd ; if overflow flag is set
into ; then: ring0!!!

if the overflow flag is not set the into instruction is only a nop.

ZaiRoN

Ni2
May 27th, 2002, 17:45
First, I'm glad to hear that some of you are trying to crack my old pe-protector. Almost two years have passed since I finished it and I released some progs protected with pe-protector for you to play with, so I'm glad it's still "alive".

Well, Evaluator, now do you want me to pack notepad with pe-protector? I released the whole protector without packing it and you said that you were bored of packing/unpacking your notepad and you wanted my protector packed with itself....Oh dear, I don't understand you. Well, when you enable and use *ALL* the features of pe-protector, some extra "magic" code is inserted. There are several ways that the target program references pe-protector code. I don't know exactly what your case is. Anyway, good work unpacking pe-protector...where can I find the top secret "undocumented procdump"? (Hi Stone!)

crUsAdEr, I'm glad you are trying with pe-protector. I don't want you to lose your motivation but you are a bit stuck in the very beginning of pe-protector. I don't want the trees to stop you from seeing the forest (Make your maths again..you know 1C.....0C....do you get it now?...and 0E00...is not so difficult, believe me).

ZaiRoN, you are right. You should go to Ring0 with that.

Keep up the good work fellas! and hope to hear from you again soon

Ni2

foxthree
May 27th, 2002, 18:29
Yo Ni2:

You presume that you've covered all the bases in your PEProtector. Alas, I hate to disappoint you ... [wink, Crus...]

I've successfully bypassed *all* your anti-debug tricks on Win98. So, it is only a matter of time

Hang on

Signed,
-- FoxThree

PS: Good Analysis, Crus...

Ni2
May 27th, 2002, 18:50
Hi foxtree!

Of course I don't presume that I have covered all the bases in pe-protector.

When I did pe-protector, there weren't so many good cracker's tools as nowadays. I did my best in the 6 months that I had to design and implement pe-protector.

I know that pe-protector is far from the perfect protector....but I still think that +Orc's theory that everything is crackable can be put in doubt by someone....and that someone will be the chosen one, eheheh

Anyway, congrats for bypassing pe-protector anti-debug tricks and hope you are using the latest pe-protector version

Regards,
Ni2

crUsAdEr
May 28th, 2002, 01:52
Hi Ni2,

Just a quick report on my progress to make you happy :>

Here is my finding so far
sidt qword ptr [esp-2]
pop eax
add eax, 0C
mov ecx, [eax] ; getting int1 handle???
and ecx, 1FFF
cmp ecx, 0E00
jnz sice_not_found??
jmp sice_found???

sice_not_found:
add eax, 1C
mov ecx, [eax] ; getting int 3 handle???
mov loc_1, ecx
mov ecx, [eax+4]
mov loc_2, ecx
jmp continue_normal

sice_found:
mov ecx, [eax]
mov loc_1, ecx
mov cx, [eax-4]
mov loc_1, cx
mov [eax+1Ch], ecx
add eax, 10h
mov ecx, [eax]
mov loc_2, ecx
mov cx, [eax-4]
mov loc_2, cx
mov [eax+10h], ecx

continue_normal here....


2. ANTI /protect on tricks
CLEAR bpm?????
sidt qword ptr [esp-2]
pop ebx
add ebx, 0Ch
mov dword ptr [ebx], 12345678h   ; overwrite the high dword of the int1 entry
mov ebx, [ebx]                   ; read it back into ebx
call $+5
pop ecx                          ; points to current eip
add ecx, 12h                     ; point ecx to a few bytes below
xor [ecx], ebx                   ; Decrypt the instruction


3. Hook int3 to decrypt code... use int3 handler to decrypt code with dr values... hence foil any bpm used!!!

4. bpx checking
cmp byte ptr [eax], 0CCh ; eax is API address
jne no_bpx
add eax, 100h
no_bpx:
jmp eax

I have bypassed all these, with a little dumper of mine, all of these plus the usual obfuscation are cleared... however.. as i have indicated, the first one still baffles me cos i don't see much point of it... is this just your "bad" coding practice of anyhow patching IDT to cause a system crash??? or is there something i am missing...

Just a suggestion... you might make dumping harder if you re-encrypt your code after it is executed... or just clear it... cos right now, i just need to dump once and i have everything to disassemble and play with... but hell, once you do that i won't bother playing with the protection anymore.. my aim is to learn anti-debugging and stuff only... however, you ought to help me out here and there :>> ok??

Also, don't you think using the same trick all over again is kind of easy to defeat with a small proggy that parses the dump and cleans it up???

that's all for now...

P.S : the thing is that this is the first time i work on win98, and ring 0 stuff... been living in the luxury of a real OS called win2k :>>.. hence i have little idea of how all these stuff work... i realise that i do need more background knowledge on IDT and stuff.. but alas, Windows Programming Secrets is not on my book shelf :<... and searching gives little details.... anyway... i'll work on this once in a while when i have free time :>>.. great learning experience....

Ni2
May 28th, 2002, 10:48
HI crUsAdEr!

I'll answer/comment your last post.

I know that you are a bit confused with all those things that pe-protector does. Well, from your point of view it's normal that you are lost. If you dig much more inside pe-protector, I'm sure that you will understand what that first chunk of code is for (the one you call anti-sice.....the magic 0C + 1Ch)

About the part that I decrypt-encrypt again...I'm totally sure that after entering in the middle of the first hardware decryptor, you will understand why I do that. And...are you sure you can make a dump at that point and study the disassembled code in your IDA? Well, I think that the code after that point is more than encrypted (remember the 300 encryption layers of pe-protector?)

You say that the same trick is done over and over again and you can do a small proggy to defeat that....Ummm, I KNOW that there is no way to make a small proggy that does that in this case (and if you believe that it MUST be possible...I'm completely sure that after digging in pe-protector you'll realise that I'm totally right in what I'm saying now)

About the:

cmp byte ptr [eax], 0CCh ; eax is API address
jne no_bpx
add eax, 100h
no_bpx:
jmp eax

Oh dear, that's embarrassing...did I do that lame anti-bpx trick? hehehe...what a lamer I am


And well, I see how interested you are in learning new antisice tricks and learning in general, believe me, I'm happy to hear that. The only thing that I can tell you (also to motivate you in learning even more) is that you have only seen 1% of the anti-tricks that pe-protector has inside. Hope that you can share with us all the new anti-tricks that you are discovering

Greetings to evaluator, foxthree and crusader....the only 3 brave guys that I know that are still trying to crack pe-protector. You will succeed mates if you keep on like that!


All the best,
Ni2

crUsAdEr
May 28th, 2002, 18:45
hi Ni2,

Thanx to Clandestiny for the info... I just need to check if my understanding is right...

sidt qword ptr [esp-2]
pop eax
add eax, 0C
mov ecx, [eax] ; get high dword of int1 entry
and ecx, 1FFF ; get the low word of this
cmp ecx, 0E00
jnz sice_not_found??
jmp sice_found???

sice_not_found:
add eax, 1C
mov ecx, [eax] ; getting int 5 entry (lower dword)
mov loc_1, ecx
mov ecx, [eax+4] ; high dword of int5 entry in IDT
mov loc_2, ecx
jmp continue_normal

sice_found:
mov ecx, [eax] ; get top words of offset to int1 handler
mov loc_1, ecx ;
mov cx, [eax-4] ; get lower words of offset handlers??
mov loc_1, cx
mov [eax+1Ch], ecx ;write to lower dword of int5 entry
add eax, 10h
mov ecx, [eax]
mov loc_2, ecx ; store int3 handler to loc2
mov cx, [eax-4]
mov loc_2, cx
mov [eax+10h], ecx ; write to upper dword of int5 entry

continue_normal here....

OKie, so i was wrong about the int1 handler, this piece of code actually checks whether the int1 entry in the IDT is an "interrupt gate" or a "trap gate"???

The result in ecx should be either 0E00 (interrupt gate) or 0F00 (trap gate)??? I presume that the values at loc1 and loc2 will be used later, but i need to find out more about the way you write to the int5 entry like that...

I guess if i dig deeper into the code i will find out more... but please comment if i am right about the code above???

Thanx,
crUsAdEr

P.S : 2 nites = 1% ==> PE-Protect reversed in 200 nites = 6 months = coding time :>>

P.P.S : what do u mean by "hardware decryptor"??? i understand hardware breakpoint is bpm using Drx... but hardware decryptor? decrypting using Drx??
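An added example, not code from this thread or from PE-PROTECTOR, to back the descriptor layout discussed in the two IDT listings above: a decoder for a 32-bit IDT gate entry in C. It shows what `and ecx, 1FFF / cmp ecx, 0E00` actually tests (the 4-bit gate type, with DPL and P masked off), how `mov ecx,[eax] / mov cx,[eax-4]` rebuilds the handler offset, and why base+0C followed by +1C lands in the int 5 entry. The sample entries are constructed values, not taken from any real system.

```c
#include <stdint.h>
#include <stdio.h>

/* 4-bit gate types stored in bits 8..11 of the high dword of a 32-bit IDT entry. */
#define GATE_TASK    0x5
#define GATE_INT16   0x6
#define GATE_TRAP16  0x7
#define GATE_INT32   0xE   /* gives the 0E00h that "cmp ecx, 0E00h" expects */
#define GATE_TRAP32  0xF   /* would give 0F00h instead */

struct idt_gate {
    uint32_t offset;    /* handler offset: bytes 0-1 (low word) and 6-7 (high word) */
    uint16_t selector;  /* code segment selector: bytes 2-3 */
    uint8_t  type;      /* 4-bit gate type, see GATE_* */
    uint8_t  dpl;       /* descriptor privilege level: bits 13-14 of the high dword */
    uint8_t  present;   /* P bit: bit 15 of the high dword */
};

/* Decode one 8-byte entry from its two dwords: lo = [base + 8*vec], hi = [base + 8*vec + 4]. */
struct idt_gate decode_gate(uint32_t lo, uint32_t hi)
{
    struct idt_gate g;
    g.offset   = (hi & 0xFFFF0000u) | (lo & 0x0000FFFFu);
    g.selector = (uint16_t)(lo >> 16);
    g.type     = (uint8_t)((hi >> 8) & 0xFu);
    g.dpl      = (uint8_t)((hi >> 13) & 0x3u);
    g.present  = (uint8_t)((hi >> 15) & 0x1u);
    return g;
}

/* What "mov ecx,[eax] / and ecx,1FFFh" leaves of the high dword: the reserved
 * byte, the 4-bit type and the S bit. DPL and P (bits 13-15) are masked off,
 * so a DPL-3 interrupt gate still compares equal to 0E00h. */
uint32_t protector_type_word(uint32_t hi)
{
    return hi & 0x1FFFu;
}

int is_interrupt_gate32(uint32_t hi) { return protector_type_word(hi) == 0x0E00u; }
int is_trap_gate32(uint32_t hi)      { return protector_type_word(hi) == 0x0F00u; }

/* Which vector a byte offset from the IDT base (the value "sidt [esp-2] / pop eax"
 * leaves in eax) selects, and whether it hits the entry's high dword. */
int vector_of_offset(uint32_t off) { return (int)(off / 8u); }
int is_high_dword(uint32_t off)    { return (off & 4u) != 0; }

/* Rebuild the handler offset the way the listing does: "mov ecx,[eax]" loads the
 * high dword, then "mov cx,[eax-4]" replaces its low word with the low word of
 * the entry's first dword. */
uint32_t handler_offset_like_listing(uint32_t lo, uint32_t hi)
{
    uint32_t ecx = hi;
    ecx = (ecx & 0xFFFF0000u) | (lo & 0x0000FFFFu);
    return ecx;
}

const char *gate_name(uint8_t type)
{
    switch (type) {
    case GATE_TASK:   return "task gate";
    case GATE_INT16:  return "16-bit interrupt gate";
    case GATE_TRAP16: return "16-bit trap gate";
    case GATE_INT32:  return "32-bit interrupt gate";
    case GATE_TRAP32: return "32-bit trap gate";
    default:          return "unknown/reserved";
    }
}

int main(void)
{
    /* Constructed sample entries, not values from any real Win9x IDT:
     * selector 0028h, handler at C000A3C0h. Attribute byte 8Eh = present
     * interrupt gate, 8Fh = present trap gate, EEh = interrupt gate with DPL 3. */
    const uint32_t lo = 0x0028A3C0u;
    const uint32_t hi_samples[] = { 0xC0008E00u, 0xC0008F00u, 0xC000EE00u };
    size_t i;

    for (i = 0; i < sizeof hi_samples / sizeof hi_samples[0]; i++) {
        struct idt_gate g = decode_gate(lo, hi_samples[i]);
        printf("hi=%08X  and 1FFFh=%04X  %s, DPL %u, handler %04X:%08X\n",
               (unsigned)hi_samples[i], (unsigned)protector_type_word(hi_samples[i]),
               gate_name(g.type), (unsigned)g.dpl, (unsigned)g.selector, (unsigned)g.offset);
    }
    /* The "magic" offsets from the listings: base+0Ch, then another +1Ch. */
    printf("base+0Ch -> int %d (high dword: %d)\n", vector_of_offset(0x0C), is_high_dword(0x0C));
    printf("base+28h -> int %d (high dword: %d)\n",
           vector_of_offset(0x0C + 0x1C), is_high_dword(0x0C + 0x1C));
    return 0;
}
```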

evaluator
May 28th, 2002, 21:24
Thanks, Ni2 for reply!

As gift, take from me unpacked PE-PROTECTOR.

Write me, if I did something wrong.
Sorry, because of late response. I already wrote the reason. See you after two days!

Ni2
May 29th, 2002, 13:42
Hi fellas!

Evaluator, I think you did a good work. I haven't tried your unpacked pe-protector cos I only have W2K in this computer. Anyway, looking at the entry point and if you have posted it, it's cos you solved all your internal call [pe-protector]. I've been thinking for a few minutes and I think you have a nice R0 dumper or something like that. You must have done an artisan work copying-pasting code, am I right? Next time, I'll go for anti-Ring0 dumper techniques, as it seems that is the way that packers can be defeated nowadays (cos they are too complex to study 'em line by line....though there are still a few of us that like to smell the code from the OEP to the OEP-Target-Program) (special greetings now to Daemon)...Anyway evaluator, good work and felicitations for that.

About crusader's post... well my friend, as you can see I check for the Int 5 (and not 4) in the very beginning of pe-protector code. SICE does NOTHING with the INT-5 so, I wouldn't have a chance to detect SICE (or another debugger...cos I have no idea if another debugger uses INT5 for something). So, do you still think that that is an anti-sice trick? If you go further in pe-protector code, you should see why I do that (I'd like to tell you but I think that we, crackers, like to discover things by ourselves cos that's the way that we start feeling good in the cracking scene and start being recognised as a "good" cracker). I'm glad cos you have gone to the "trap-gate, interrupt-gate" levels of knowledge in the x386 architecture. I'm sure that you will learn a lot soon if you keep always like that

Ahhhh, about hardware decryptors, you are right, I meant hardware breakpoint decryptors (and you already know a lot about them)

All the best,
Ni2

crUsAdEr
May 29th, 2002, 13:57
Hi Ni2,

Thanx... that pretty much clears things up... even though i am not sure about the difference between "interrupt gate" and "trap gate" still... but at least i am on the right track

Okie, about the hardware decryptor... i made a dump at the right moment, most code in the .Ni2 sections is already decrypted, NOP the int3 instruction and fix the starting offset of kernel32.dll.. that is it.. i have the full .Ni2 section disassembled.. though i have not gone through them all... that is why i thought you could have done like cacheX IE, decrypt a small block, execute it, then zero it out before going on to the next block... that way i would have to manually dump each code section and fit them in again.. more painful to reverse.... but ah well.. there might be more things that i have missed out... but i did jump when i first saw the ring 0 code :>>.. first time i see code playing with Drx :>>>... guess it is not that complex after all...

Thanx for the tip... shall dig into it again once exams are over :>>... soon.. btw, don't you know there are a few ring-0 dumpers around ...

Regards,
crUsAdEr

Ni2
May 29th, 2002, 15:42
Hi crusader!

I have never seen one of those ring0 dumpers that you mention (except icedump or those extensions for a kernel debugger). Is there any program like Elicz's dumper but for Windows? I heard that there is a version of procdump with a Ring0 dumper (but that version was only internal to the procdump group)

Good luck with your exams!
Ni2

evaluator
May 29th, 2002, 15:47
Hello, Ni2!

1. I have NO R0 dumper
2. I did NOT trace inside PEPr code
e.g. OEP I guessed (BTW, is it right!?)

Ni2
May 31st, 2002, 13:17
Hi evaluator!

You guessed the entry point...you are a magician. I think that you always do that in all the latest protectors (Daemon's protector, SVK-P...) you have good instinct to guess the OEP. Have you ever traced over a current packer? Believe me, it's pretty cool in Daemon's one and SVK-P

So, did u use a process patcher or a modification of that? I don't want to think of how many copy-pastes you did to fix the original executable

Anyway, a crack is a crack and I congratulate you for that.

Regards,
Ni2

evaluator
June 1st, 2002, 21:11
Thanks for reply!

I can say about you:
you are better than DAEMON! Simply because he did not confirm my guessed OEP!!!

You are SPANISH MAN!

_DAEMON_ is not spanish w_man...

How about comparing protectors? Maybe if you manage the same terrible thingz on ntXP you will be the
coolest

Bengaly
June 1st, 2002, 21:28
lol.
that was a very weird reply evaluator ;D
next time "think before u act", not "act before u think" ;D
but that's just a suggestion ;D

crUsAdEr
June 1st, 2002, 21:40
+++++++++++++++++++++++++++++++++++
Believe me, it's pretty cool in Daemon's one and SVK-P
+++++++++++++++++++++++++++++++++++

LOL, Ni2... I must disagree... patching IDT without proper chaining isn't very "cool" :>... whenever the app exits on one of those seh.. sometimes the IDT is not restored... though you did install some kind of global seh... thus if it exits accidentally, that is it.. my computer can't help but give a BSOD or just plain reboot/crash... something good better come out of this... cos i don't want my Hardware to screw up...

Till then.. hopefully in 2 weeks you will hear more news :>

Regards,
crUsAdEr

P.S : if my understanding is right, then "interrupt gate" is the original hardware interrupt while "trap gate" is installed by software??? So if Windows itself installs a handler over the interrupt, does it set the trap flag?

evaluator
June 1st, 2002, 21:44
hello, cencey Bengaly!

I have not seen your posts for a long time!
How are you?

Did I write something wrong!?
Is the phrase:
"_DAEMON_ is not spanish w_man"
logically wrong?

Bengaly
June 1st, 2002, 22:08
heya Master evaluator ;D
i don't paste much here heh ;D well ur right.
so far i've been working on some useless pe viewer/packer identifier [win32], probably for fun and knowledge.
and how have u been doing so far?
thnx in advance [gba hihi ;D]
ben

crUsAdEr
June 11th, 2002, 03:08
Hi Ni2,

Hope you are still well and waiting for my update :>??? Here i am, after a long break... this thread is almost forgotten...

Looks like eval has done a great job of removing your protection, though how he does it is still unknown to me...

Here are my progress updates but i do have a few pointers that need to be clarified, so would you guys please help me out...

More sice checks :>>???
5. MeltIce
CreateFileA : sice, ntice, TRW
funny cos you should check for SIWVID instead of NTICE...

6. ring-0 example:
.Ni2:00474A57 E8 00 00 00 00 call $+5
.Ni2:00474A5C 59 pop ecx
.Ni2:00474A5D C6 41 05 CD mov byte ptr [ecx+5], 0CDh
.Ni2:00474A61 90 nop
.Ni2:00474A62 20 C1 and cl, al
.Ni2:00474A64 00 01 add [ecx], al
.Ni2:00474A66 00 EB add bl, ch
.Ni2:00474A68 00 F9 add cl, bh

Self modifying code :>>??? after the move CD, the instruction looks like this
.Ni2:00474A61 CD 20 C1 00 01 00 VMMCall Test_Debug_Installed

7. Another ring-0 one but i am clueless about this one, prolly missed out some code before this?
Right at the beginning of the int3 handler
add eax, 20C
mov ecx, [eax]
mov cx, word ptr [eax-4]
cmp word ptr [ecx+3], 0FFFFh
jne debugger_found

8. check fs:[20]
mov ecx, large fs:20h
jecxz short fishy
stc
jmp short continue

fishy:
clc

continue:
jb debugger_found
nop
jmp debugger_not_found

9. Hic hic.. so that was your anti ring-3 dumper trick :>??? Hooking ReadProcessMemory and installing it in the PE Header of kernel32 :>>>?? nice idea, though now that i know it, a small patch will do the job just fine... the question is the way you use kernel32.ORD_01???
push 20060000
push 0
push 1
push edi ; edi = 400
; then edi = kernel base /1000
push 1000D
call kernel32.ORD_01

Is this just similar to the VirtualProtect API???

10. finally i am totally clueless about this one
11. check fs:30
mov eax, large fs:30h
test eax, eax
jns something?
jmp else

something:
mov eax, [eax+C]
mov eax, [eax+C]
mov [eax+20h], 1000h
jmp positive_cont


else:
push 0
Call GetModuleHandleA
test edx, edx
jns positive_cont
cmp [edx+8], -1
jnz positive_cont
mov edx, [edx+4]
mov [edx+20], 1000h

positive_cont: here onwards.........

I guess i need "Win 98 Secrets" to find out more about what is stored at fs:[30] but some pointer would definitely help....

Well... well, I responded to your request for some people to crack your protector :>>... and i am still learning so i hope you, Ni2, will respond to my request and help me understand certain parts...

The quest shall go on i hope :>>... see u then

crUsAdEr

^DAEMON^
June 11th, 2002, 16:12
well i didn't check the loader code... but it's maybe a check to see "WHO" created this process (anti - unpacking stuff)

^DAEMON^

crUsAdEr
June 13th, 2002, 19:55
Lo Daemon,

Thanx for the info... i shall have to research further into that...

Anyway, Ni2, where have you gone? You almost tricked me there... when i saw :
mov edi, Image_base
lea eax, [edi+1E47]
jmp eax

Damn, so i know what eval means by it jumps back to the Ni2 section... but alas, there aren't any more antidebugging tricks hence a quick dump and disassembly and scroll will reveal the return to the code section :>>... neat trick though cos i was wondering what the hell was going on for a while :>>...

Guess you are not the one who defies +ORC's saying yet... whatever runs can still be cracked, but eval has already proven that to you, though how he did it without knowing how the protection works is still a mystery... my guess is that he has a patched version of TRW and hence goes undetected by your createfileA check... Or maybe he uses DS2.6 which of course you fail to detect cos u check for ntice instead of SIWVID... ah well... maybe he uses some special skill....

++++++++++++++++++++++++++++++++++++++++++++
About the:

cmp byte ptr [eax], 0CCh ; eax is API address
jne no_bpx
add eax, 100h
no_bpx:
jmp eax

Oh dear, that's embarrassing...did I do that lame anti-bpx trick? hehehe...what a lamer I am
++++++++++++++++++++++++++++++++++++++++++++

You are worse than a lamer .. look at your IAT redirection, even worse than what i posted above... maybe if your product ever goes commercial, i'll do a 1kb PE-Protector.dll plugin for revirgin...

Ah well, what else??? I can't remember what i have been doing so far anymore, btw, i still don't get what you were trying to do, patching int5 like that.. cos even ur ExitProcess seh handler only recovers the int1/int3 handlers... unless you were fooling me and it is indeed a sice check trick, if sice detected then mess it up???

Anyway, time to reinstall win98, or maybe remove the damn OS altogether... it can't even detect my modem and printer anymore, thanx to your PE-Protector :>>

That is all...
See ya around, me off for holiday :>>

Dr.Golova
June 15th, 2002, 00:23
Quote:

10. finally i am totally clueless about this one
11. check fs:30
mov eax, large fs:30h
test eax, eax
jns something?
jmp else

something:
mov eax, [eax+C]
mov eax, [eax+C]
mov [eax+20h], 1000h
jmp positive_cont

else:
push 0
Call GetModuleHandleA
test edx, edx
jns positive_cont
cmp [edx+8], -1
jnz positive_cont
mov edx, [edx+4]
mov [edx+20], 1000h

Hmm, mov eax, large fs:30h / test eax, eax is an OS check (something for NT, else for 9x). mov [eax+20h], 1000h will change on WinNT the process's internal ImageSize so some dumpers (like ProcDump32) will fail (dump only the first 0x1000 bytes or just crash). Yo! It's code for WinNT so it's useless here. The second part with GetModuleHandleA must do this dumper-phucking in Win9x but AFAIK it doesn't work (goes to positive_cont - I tested it on WinME and Win98