Pyrae
April 2nd, 2002, 15:39
Hi guys,
I need help with some strange-looking unpacker/decryptor code (see snippet below). Maybe somebody has already taken a look at it, as it's used in both versions of the recent DivX 5.0 Pro Codec (ad-supported & retail versions).
The protector has been developed by Protexis (http://www.protexis.com).
The main DLL is crypted and a lib named psikey.dll (some anti-dasm stuff, no encryption), which performs key setup and validation routines, is copied to your SysDir.
The protected DIVX.DLL contains 8 sections of which the 7th (.data) obviously contains the decryptor code.
So I replaced the first opcode (pushad) by CCh to break on INT3 and adjusted things in SoftICE accordingly - but this messed up the whole thing and a nonsense-msgbox was displayed.
How is this possible when it is the first instruction of the whole protected module that is executed? And how can the further code be executed following the snippet below?
Here is the mentioned code snippet:
divx.dll (5.0 PRO GAIN):
.1015F000  90          nop              (start of .data section)
.1015F001  60          pushad           (code entry point)
.1015F002  E803000000  call .1015F00A   (see code snippet below)
.1015F007  E9EB045D45  jmp 0456434F7    (invalid?)
.1015F00C  55          push ebp
.1015F00D  C3          ret
called from .1015F002:
.1015F00A  5D          pop ebp
.1015F00B  45          inc ebp
.1015F00C  55          push ebp
.1015F00D  C3          ret
Thanks a lot, Pyrae
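Added example, not part of the original post: a minimal Python tracer that follows the fourteen bytes quoted in the listing the way the CPU would, to show which addresses actually execute. The function name `trace` and the small opcode model (only the opcodes reached from the entry point) are assumptions of this example.

```python
import struct

BASE = 0x1015F000
# The fourteen bytes at 1015F000..1015F00D, copied from the listing in the post.
CODE = bytes.fromhex("90 60 E803000000 E9 EB04 5D 45 55 C3")

def trace(code=CODE, base=BASE, entry=0x1015F001):
    """Execute the bytes as the CPU would; return (steps, exit address)."""
    eip, ebp, stack, steps = entry, 0, [], []
    while base <= eip < base + len(code):
        off = eip - base
        op = code[off]
        nxt = eip + 1                      # default: one-byte instruction
        if op == 0x60:
            stack.extend([0] * 8)          # pushad: eight dwords, values irrelevant here
            text = "pushad"
        elif op == 0xE8:                   # call rel32: push return address, branch
            rel = struct.unpack_from("<i", code, off + 1)[0]
            stack.append(eip + 5)
            nxt = (eip + 5 + rel) & 0xFFFFFFFF
            text = f"call {nxt:08X}"
        elif op == 0x5D:
            ebp = stack.pop()
            text = f"pop ebp        ; ebp = {ebp:08X}"
        elif op == 0x45:
            ebp = (ebp + 1) & 0xFFFFFFFF
            text = f"inc ebp        ; ebp = {ebp:08X}"
        elif op == 0x55:
            stack.append(ebp)
            text = "push ebp"
        elif op == 0xC3:                   # ret: branch to whatever is on the stack
            nxt = stack.pop()
            text = f"ret            ; -> {nxt:08X}"
        elif op == 0xEB:                   # jmp rel8
            rel = struct.unpack_from("<b", code, off + 1)[0]
            nxt = (eip + 2 + rel) & 0xFFFFFFFF
            text = f"jmp short {nxt:08X}"
        else:
            raise ValueError(f"opcode {op:02X} at {eip:08X} is not modelled")
        steps.append((eip, text))
        eip = nxt
    return steps, eip

if __name__ == "__main__":
    steps, exit_addr = trace()
    for addr, text in steps:
        print(f".{addr:08X}  {text}")
    print(f"leaves the listed bytes at .{exit_addr:08X}")
```

The trace shows the `ret` landing on 1015F008, one byte into what the listing decodes as a `jmp` at 1015F007, so the bytes `EB 04` run as a short jump to 1015F00E, just past the quoted snippet, and the `E9` byte is never executed.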