
View Full Version : Shrink34


get2
May 10th, 2002, 19:57
Hello all. First I would like to say you all have a very nice place here; I have learned a lot in a short time.

Now my problem, which I was wondering if you could help me with. I have a program I'm working on; it is packed with Shrink34. When I try DeShrink 1.6 a msg box pops up and says "E/A Fehler 87" (I/O error 87 in German; no clue what this means). In the help file with DeShrink it says there are some tricks to fake out DeShrink, for example: changed Shrinker header signatures (usually SHR3 in the last file sections named .shrinkX) caused DeShrink to reject files as "Non Shrinker files".
This is what I believe to be the case with this program. I tried to change the header signature but that didn't work (not sure if I even did it right; changed it to match the other signatures in shrink 0 - 2). I did a search here and found very little on Shrink packers; also searched the web and Krobar. I then tried SI with loader and got it to break (had to change it to E0000020 to get it to break). Thought I found the entry point, then tried to dump with ProcDump; it gave me an error and would not dump. So I'm guessing I didn't find the right entry point of the program. I'm lame, sorry.

If anyone could give me some advice as to what to try or do, that would be great; maybe some tuts I have not found on Shrink, maybe the error I'm getting with DeShrink or how to fix the trick they are using. The help file says it is easy if you know what you're doing, and I need all the help I can get. Thank you so much for taking the time to read all of this and any help you could possibly give.


Thank you

foxthree
May 11th, 2002, 15:29
Hi get2:

Nice one, this

As +SplAj guru always says, "Brain is the best unpacker"

I found out OEP signature for this one! It is CALL [EBP-20]

However, if I try to dump with LordPE/ProcDump, I am unable to....

Below is my guess; correct me if I'm wrong!

This "shrinker" is making heavy use of VirtualProtectEx to make pages NOACCESS. Hence ReadProcessMemory fails / the dumper fails.

If what I think is right, icedump must be able to dump this one clean, right? I'll try this on Win98...

To get2: Maybe this is the reason why DeShrink fails! BTW, 87 (if it is the GetLastError() code) means "The parameter is incorrect". Hmmm, talk about descriptive error messages.

Signed,
-- FoxThree

PS: Hmmm, RV 1.3 [Public] says IT is "mangled" but IT looks good to me. Also, if I give OEP in RV and try to get IT, it says "Found nothing". To me, IT looks correct. Why is RV then saying "IT is corrupt. Enter OEP?"

foxthree
May 12th, 2002, 11:57
A small update on this "Shrinker". Yep, /dump is working and I am able to get the right dump. Imports are all correct. So, it must be some bug in RV. However, when I attempt to run the dumped file, it gives an access violation. After tracing, I managed to narrow down the culprit to some corrupted resource. How come the dump's icon is not getting restored after the RS=VS/RO=VO operation? I think Shrinker compresses and messes up the resources so that after unpacking, an attempt to load the first resource is crashing.

Any ideas on how to over come this?

Thanks,

Signed,
-- FoxThree

PS: Target was calc.exe on Win2K, Shrinker 3.4 from BlinkInc.

SpeKKeL
May 12th, 2002, 12:46
Hajo Fox,

Well protected notepad and calc with the latest Shrinker.
Notepad was easily done with the pedump function (icedump).
Icedump did fail on calc.exe (why? maybe because of its entry point 1000xxxx??)
So I did an ordinary dump from the entry point, and all went okay. No need to reconstruct the import table; all was clean.
And all resources and icons are there. (sys: w98 se.)

Spekk.

+SplAj
May 12th, 2002, 13:13
Hi get2

Shrink is easy, as Spekk said. You can't 'dump it'... hmmmm

Are you REALLY sure it's a 'Shrink' packed file? Ya know our old friend TE! with tE!Lock can 'fake' itself as many known packers, including Shrinker.

Look at the sections with LordPE... real Shrinker leaves most sections untouched (like .BSS, .rdata etc). If you can see a lot of other sections besides .shrink0,1,2,3 then it probably IS a Shrink packed file. If there are just a few with Shrink then I would say tE!lock!!!

Spl/\j

foxthree
May 12th, 2002, 15:07
Yo SpeKKel/+Splaj guru:

Yes, Spek, I realized I must've tried the PEDUMP function in SICE without using the "dump at oep" later. But you say that worked on CALC. I did the same with CALC. But after section aligning, I was unable to see the icon. But it was 4AM in the morning... who knows, maybe I was dreaming that I was unpacking "Shrinker"

+SplAj guru: Yes, I knew about the neato tE! trick (the one disguising as a "random" packer) from your previous Iris posts. Nice reading, that one. I'll check again. BTW, did you happen to look at elicz's new proggie in the newest AH release? That one rocks!!!

Will give a "real" try again ... this time within a "normal" human time

Signed,
-- FoxThree

foxthree
May 13th, 2002, 20:00
Folks:

Here is the tip to unpack "Shrinker"...

The best platform is Win98.

1. Locate the OEP by putting bpx GetVersion. Scroll up and you'll see the OEP. (Alternatively, locate the OEP using my earlier sig.)

2. Do JMP EIP (or PUSH 7FFFFFFF, CALL SleepEx)

3. Exit SICE and in LordPE do a full dump

4. Reset the OEP and reset the bytes

Problems:

1. Sometimes /dump'ed exes do not run (on Win98SE). The resources are corrupt.

2. The above method does not work on Win2K though. I still think "Shrinker" is using VPEx to create pages with no access...

However, on Win98 no probz...

See ya until next packer

Signed,
-- FoxThree

Greetz to +SplAj, SpeK, Crusader
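The procedure above ends with a raw full dump whose header still names the packer stub as entry point and whose section table still carries the on-disk raw sizes and offsets, which is what step 4 and the RS=VS/RO=VO alignment mentioned earlier in the thread repair. The following is an added example, not code from the thread or from LordPE/ProcDump: a small C routine that patches AddressOfEntryPoint to the OEP, sets FileAlignment equal to SectionAlignment, and makes every section's RawSize/RawOffset equal its VirtualSize/VirtualAddress on an in-memory copy of the dump. The two-section PE32 header it runs on is constructed inline (it is not a Shrinker dump), and the OEP value 0x10F0 is an assumption. It does not touch the import directory.

```c
/* Added example: post-dump PE32 header fix (OEP + RS=VS/RO=VO). Field offsets
 * follow the PE/COFF layout; the sample header is constructed, not a real dump. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define E_LFANEW       0x3C   /* DOS header: file offset of "PE\0\0" */
#define COFF_NSECTIONS 6      /* from "PE\0\0": NumberOfSections */
#define COFF_OPTSIZE   20     /* from "PE\0\0": SizeOfOptionalHeader */
#define OPT_BASE       24     /* from "PE\0\0": optional header starts here */
#define OPT_MAGIC      0      /* 0x10B = PE32 */
#define OPT_ENTRY      16     /* AddressOfEntryPoint (RVA) */
#define OPT_SECTALIGN  32
#define OPT_FILEALIGN  36
#define SEC_SIZE       40     /* sizeof IMAGE_SECTION_HEADER */
#define SEC_VSIZE      8
#define SEC_VADDR      12
#define SEC_RAWSIZE    16
#define SEC_RAWPTR     20

static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Validate headers and locate the section table; NULL if anything is out of bounds. */
static uint8_t *section_table(uint8_t *img, size_t len, uint16_t *nsec, uint8_t **opt)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return NULL;
    uint32_t nt = rd32(img + E_LFANEW);
    if ((size_t)nt + OPT_BASE + 96 > len || memcmp(img + nt, "PE\0\0", 4) != 0) return NULL;
    *opt = img + nt + OPT_BASE;
    if (rd16(*opt + OPT_MAGIC) != 0x10B) return NULL;              /* PE32 only here */
    *nsec = rd16(img + nt + COFF_NSECTIONS);
    uint8_t *sec = *opt + rd16(img + nt + COFF_OPTSIZE);
    if ((size_t)(sec - img) + (size_t)*nsec * SEC_SIZE > len) return NULL;
    return sec;
}

/* Write the OEP and align sections to their in-memory layout; returns sections fixed or -1. */
int fix_dump(uint8_t *img, size_t len, uint32_t oep_rva)
{
    uint16_t nsec; uint8_t *opt;
    uint8_t *sec = section_table(img, len, &nsec, &opt);
    if (!sec) return -1;
    wr32(opt + OPT_ENTRY, oep_rva);
    /* The bytes came from memory, so the file layout must equal the memory layout */
    wr32(opt + OPT_FILEALIGN, rd32(opt + OPT_SECTALIGN));
    for (uint16_t i = 0; i < nsec; i++, sec += SEC_SIZE) {
        wr32(sec + SEC_RAWSIZE, rd32(sec + SEC_VSIZE));          /* RS = VS */
        wr32(sec + SEC_RAWPTR,  rd32(sec + SEC_VADDR));          /* RO = VO */
    }
    return nsec;
}

/* Constructed sample: bare PE32 header, two sections, packer stub as entry point. */
size_t build_sample(uint8_t *buf, size_t cap)
{
    const uint32_t nt = 0x80; const uint16_t optsz = 224, nsec = 2;
    size_t total = nt + OPT_BASE + optsz + (size_t)nsec * SEC_SIZE;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + E_LFANEW, nt);
    memcpy(buf + nt, "PE\0\0", 4);
    wr16(buf + nt + COFF_NSECTIONS, nsec);
    wr16(buf + nt + COFF_OPTSIZE, optsz);
    uint8_t *opt = buf + nt + OPT_BASE;
    wr16(opt + OPT_MAGIC, 0x10B);
    wr32(opt + OPT_ENTRY, 0x5000);                                 /* packer stub, not the OEP */
    wr32(opt + OPT_SECTALIGN, 0x1000);
    wr32(opt + OPT_FILEALIGN, 0x200);
    uint8_t *s = opt + optsz;
    memcpy(s, ".text", 5); wr32(s + SEC_VSIZE, 0x2340); wr32(s + SEC_VADDR, 0x1000);
    wr32(s + SEC_RAWSIZE, 0x2400); wr32(s + SEC_RAWPTR, 0x400);
    s += SEC_SIZE;
    memcpy(s, ".rsrc", 5); wr32(s + SEC_VSIZE, 0x800); wr32(s + SEC_VADDR, 0x4000);
    wr32(s + SEC_RAWSIZE, 0x800); wr32(s + SEC_RAWPTR, 0x2800);
    return total;
}

/* Worked run on the constructed sample (assumed OEP 0x10F0); 1 if every field ended up right. */
int self_check(void)
{
    uint8_t buf[1024]; uint16_t n; uint8_t *opt;
    size_t len = build_sample(buf, sizeof buf);
    if (len == 0 || fix_dump(buf, len, 0x10F0) != 2) return 0;
    uint8_t *s = section_table(buf, len, &n, &opt);
    return s && rd32(opt + OPT_ENTRY) == 0x10F0
        && rd32(s + SEC_RAWPTR) == 0x1000 && rd32(s + SEC_RAWSIZE) == 0x2340
        && rd32(s + SEC_SIZE + SEC_RAWPTR) == 0x4000 && rd32(s + SEC_SIZE + SEC_RAWSIZE) == 0x800;
}

int main(void) { printf("fix_dump self-check: %s\n", self_check() ? "ok" : "FAILED"); return 0; }
```

Run on a real dump you would read the file into a buffer, call fix_dump with the OEP you found under SICE, and write it back; the bounds checks matter because a truncated or region-only dump can carry a section table that points past the end of the file.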

get2
May 13th, 2002, 20:16
Hi foxthree,Spekk and +Splaj
Thank you all for the replies; sorry for not getting back before this, I was out of town.

Foxthree:
I thought the OEP was at [ebp-24] but I could be wrong. Looked real quick last night after Symbol Loader broke, traced the code but I could not find an ebp-20, at least not in the program I am working on (I probably missed it). I am going to try and pack notepad tonight with Shrink34 to see what I'm doing wrong.

Splaj:
I think it is Shrink34. I can see in the sections: Shrink 0, BSS, Shrink 1, tls, rdata, Shrink 2, Shrink 3, rdata, data, idata, load, reloc and rsrc. But thank you for pointing that out, I didn't know that (I read the post on that after you mentioned it; what a great post).

Now when I trace through I get to call [ebp-24]; F8 into it goes to invalid; F10 one time like all the code is there. Seems to be a lot of places it does this.

Maybe I could PM you the link to the s/w or post it here; didn't want to post, didn't want to break any rules. I am more interested in the protection than the s/w. Thought it was going to be easy hehe, yea right, at least not for me.
Thank you all for the help on this. This just might make for a very nice tut.

foxthree
May 13th, 2002, 20:27
Get2:

You can either PM me the link or post it here with the URL obscured like hxxp or something like that so that nobody can trace the visit to this web site

Signed,
-- FoxThree

get2
May 13th, 2002, 20:44
Sorry, we both kind of posted at the same time; didn't read before I posted my last reply.

The link to the s/w is h**p://www.execpc.com/~datasol/lotpro32.exe

Again thanks

crUsAdEr
May 13th, 2002, 21:11
Hi all,

I am lost here... it seems that you guys are not talking about the same program? Or just a discussion on general Shrink? Weird though, another copy-mem protection :>??

Get2, can I have the name of the program as well? Actually I think you are allowed to put the name of the proggy here, no need for a link, everyone knows how to search for it anyway...

cheers,
crUsAdER

LOL.. same time again :>>... this is getting like a real time board :>... cool

get2
May 13th, 2002, 23:58
Hi Foxthree


You are 100% right on this; I just dumped notepad packed with Shrink34. Woooooooo Hooooooo

Now I'm going to try the target program and will post the results.


Again, thank you all for getting me this far.

crUsAdEr
May 14th, 2002, 00:43
Erm,

Is there something wrong? My Shrinker.exe is not "shrinked" or packed in any way??? Downloaded from blinkinc.com... wrapped my notepad and all I did was run it, full dump! Then change OEP and Import RVA.. then it runs sweet :>... all on win 2k???

Anyway... I looked at the Lotto proggy and it really has some mem protection... use IDA.. how I love it now... look at this offset of the lotto proggie
.load:007D6E18 push ebp
.load:007D6E19 mov eax, [esp+arg_4]
.load:007D6E1D mov ebp, esp
.load:007D6E1F sub esp, 4Ch
.load:007D6E22 mov ecx, [eax]
.load:007D6E24 push ebx
.load:007D6E25 cmp [ebp+Exception_Record], 0C0000005h ; Read_WriteViolation??
.load:007D6E2C push esi
.load:007D6E2D push edi
.load:007D6E2E mov edi, [ecx+18h] ; exception address
.load:007D6E31 jnz invalid_exception_address
.load:007D6E37 cmp edi, Image_base
.load:007D6E3D jb invalid_exception_address
.load:007D6E43 mov ecx, Image_base
.load:007D6E49 mov eax, Size
.load:007D6E4E add eax, ecx
.load:007D6E50 cmp eax, edi
.load:007D6E52 jbe invalid_exception_address
.load:007D6E58 mov eax, edi
.load:007D6E5A sub eax, ecx
.load:007D6E5C push eax ; RVA of access violation

You see something fishy :>>?? Yeah, look at the value of edi, there will be lots of ???? there... but press F12, what do you see... sweet hex again :>>.... If you put a bpx there, SICE breaks once; look at edi and then F12 and you will see a sweet virgin IAT.. dump it!!!... F5 again, SICE will break again... dump edi, lots of ?? but can you guess what edi should be now?... press F12, then disassemble the code at that address, looks like OEP :>>... so I guess you are right fox... if you look down below the code section you will see this :>
.load:007D6F35 push 1Ch ; dwLength
.load:007D6F37 lea eax, [ebp+Buffer]
.load:007D6F3A push eax ; lpBuffer
.load:007D6F3B push esi ; lpAddress
.load:007D6F3C call ds:__imp_VirtualQuery
.load:007D6F42 cmp [ebp+Buffer.Protect], 1 ; jump if no access :>
.load:007D6F46 jz short NO_access_GOOD!!!
.load:007D6F48 jmp invalid_exception_address


and then soon....
.load:007D6F5D lea eax, [ebp+flNewProtect]
.load:007D6F60 push eax ; lpflOldProtect
.load:007D6F61 push 4 ; flNewProtect
.load:007D6F63 push [ebp+dwSize] ; dwSize
.load:007D6F66 push esi ; lpAddress
.load:007D6F67 call ds:__imp_VirtualProtect ; PAGE_READWRITE
.load:007D6F6D test eax, eax
.load:007D6F6F jnz short virtual_protect_ok
....

lol... do you see what is coming... trace down a bit more and you will see everything suddenly filled up nicely... :>>...
finally,
.load:007D72C1 push ecx ; lpflOldProtect
.load:007D72C2 push eax ; flNewProtect
.load:007D72C3 push [ebp+dwSize] ; dwSize
.load:007D72C6 push esi ; lpAddress
.load:007D72C7 call ds:__imp_VirtualProtect ; PAGE_EXECUTEREAD

That is all :>>>.... I guess the point here is like Kayaker says, don't just dump it.. reverse it ....
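The listing above shows the whole copy-mem scheme: pages of the image sit PAGE_NOACCESS, an access violation inside the image lands in the .load handler, which checks VirtualQuery().Protect, flips the page to PAGE_READWRITE, fills it, and flips it to PAGE_EXECUTEREAD. As an added example, not the lotto program's code, here is that scheme rebuilt on POSIX (mmap/mprotect and a SIGSEGV handler standing in for VirtualProtect and the SEH handler) so it can be compiled and stepped outside Windows. The image is mapped PROT_NONE, which is exactly the state that makes a naive dumper's read fail; one fault per page brings the real bytes in. The XOR "backing store", the two-page image and the key are constructed placeholders and say nothing about Shrinker's real transform.

```c
/* Added example: fault-driven page-in ("copy-mem") on POSIX. Not Shrinker's code. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define IMAGE_PAGES 2                  /* constructed "image": two pages */

static uint8_t *g_image;               /* mapped PROT_NONE, like PAGE_NOACCESS */
static uint8_t *g_backing;             /* XOR-obfuscated copy standing in for the packed bytes */
static size_t g_pagesz, g_size;        /* cached: sysconf is not async-signal-safe */
static const uint8_t g_key = 0x5A;     /* constructed key, not Shrinker's transform */
static volatile sig_atomic_t g_faults; /* pages brought in on demand */

/* Plays the .load exception handler: fault inside the image -> make the page
 * writable, fill it from the backing store, then flip it to read/execute. */
static void on_segv(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)ctx;
    uintptr_t addr = (uintptr_t)si->si_addr, base = (uintptr_t)g_image;
    if (!g_image || addr < base || addr >= base + g_size) {   /* "invalid_exception_address" */
        signal(SIGSEGV, SIG_DFL);      /* not ours: let the retried access crash normally */
        return;
    }
    uint8_t *page = (uint8_t *)(addr & ~(uintptr_t)(g_pagesz - 1));
    size_t off = (size_t)(page - g_image);
    if (mprotect(page, g_pagesz, PROT_READ | PROT_WRITE) != 0) {   /* PAGE_READWRITE */
        signal(SIGSEGV, SIG_DFL);
        return;
    }
    for (size_t i = 0; i < g_pagesz; i++)
        page[i] = g_backing[off + i] ^ g_key;                  /* "page in" the real bytes */
    if (mprotect(page, g_pagesz, PROT_READ | PROT_EXEC) != 0)    /* PAGE_EXECUTEREAD */
        mprotect(page, g_pagesz, PROT_READ);                  /* W^X-enforcing hosts: read-only */
    g_faults++;
}

/* Obfuscate plain into the backing store, map the image no-access, arm the handler. */
int protected_image_setup(const uint8_t *plain, size_t len)
{
    g_pagesz = (size_t)sysconf(_SC_PAGESIZE);
    g_size = g_pagesz * IMAGE_PAGES;
    if (len > g_size || !(g_backing = calloc(g_size, 1))) return -1;
    for (size_t i = 0; i < len; i++) g_backing[i] = plain[i] ^ g_key;
    g_image = mmap(NULL, g_size, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (g_image == MAP_FAILED) { g_image = NULL; return -1; }
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    g_faults = 0;
    return sigaction(SIGSEGV, &sa, NULL);
}

/* Read one byte; the first touch of each page faults and gets it paged in. */
int protected_image_read(size_t off)
{
    return off < g_size ? ((volatile uint8_t *)g_image)[off] : -1;
}

int protected_image_faults(void) { return (int)g_faults; }

void protected_image_teardown(void)
{
    signal(SIGSEGV, SIG_DFL);
    if (g_image) munmap(g_image, g_size);
    free(g_backing);
    g_image = NULL; g_backing = NULL;
}

/* Worked run: constructed two-page payload; one fault per page, none on a re-touch. */
int demo(void)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE), n = pg * IMAGE_PAGES;
    uint8_t *plain = malloc(n);
    if (!plain) return 0;
    for (size_t i = 0; i < n; i++) plain[i] = (uint8_t)(i ^ 0x33);   /* constructed "unpacked" bytes */
    if (protected_image_setup(plain, n) != 0) { free(plain); return 0; }
    int ok = protected_image_read(0)      == plain[0]         /* fault 1: page 0 */
          && protected_image_read(17)     == plain[17]        /* same page: no fault */
          && protected_image_read(pg + 3) == plain[pg + 3]    /* fault 2: page 1 */
          && protected_image_faults() == 2;
    protected_image_teardown();
    free(plain);
    return ok;
}

int main(void) { printf("page-in demo: %s\n", demo() ? "ok" : "FAILED"); return 0; }
```

Because the real bytes exist in a page only after its first touch, a dumper has to either provoke those faults for every page (the "page in" dance) or read them from the process after they have been touched; the fault count shows that a single read per page is enough, and that a re-touch of an already filled page costs nothing.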

SpeKKeL
May 14th, 2002, 08:21
I think I have a super system........

1 run prog.
2 dump from OEP >> somewhere in 6xxxxx
3 adjust entry point in dump
4 runs like a virgin..
5 start winning with those balls..

Do I have a super system???



Greetz,

Spekk

crUsAdEr
May 14th, 2002, 08:48
LOL..

Like fox3 said, you must be running win98, speKKel.. looks like copymem doesn't work on win98... but if you don't fix the IAT your dump will not run on another system... this shrinker does have weird behaviours though.... and stop gambling speK... better send me your money to fund my education :>.. I bet the return will be more rewarding

see ya
crUsAdEr

get2
May 14th, 2002, 14:23
Sorry, I have a lame system. It's called my brain hehe

I thought I found the OEP at [ebp-24], eax was at 63xxxx. I put a jmp eip, exited SICE, started ProcDump, tried a full dump, and got "this process can't be dumped".

Just one question, if you would be good enough to answer for me (I know I look pretty lame right now but trying to learn): Did you dump with SICE?? And if not, could you tell me with what??


Many thanks to you all

SpeKKeL
May 14th, 2002, 14:47
Dumped with "LordPE" option > dump full

"I thought I found the OEP at [ebp-24], eax was at 63xxxx" >> yep, that's okay.


Spekk

+SplAj
May 14th, 2002, 21:30
Interesting stuff

The IAT is NOT at 0x3D5000.. it's at 0x336000 with 1st thunk 0x3361B8. I dumped the IAT before APIs were mapped in and copy+pasted it into a dump that worked in Win98.
Changed the PE header and it runs in Win98SE + Win2K.

Now dumping in Win2K is a bitch because you have to 'page in' the memory. Look at the image with LordPE and try 'Dump Region';
you will immediately see the 'no access' sections. Just page in each one... refresh, repeat, blah blah. Then you can dump.

Spl/\j

get2
May 15th, 2002, 17:42
Hi All


Thank you for taking the time with me. Found my problem: it was the PC I'm using, it's a Win98SE 1200 MHz with 768 MB memory; the problem is that it was running out of memory, that's why it would not dump (now I have to see why this is happening, there is no way it should be).

What I did was set everything up on another PC and it dumped like a dream; fixed the entry point and it runs like new, well almost, have to finish fixing it, called it a night at 3am heheh.

Again I'm sorry for looking so lame. I was working on doing this for 3 weeks before I posted it here and was at the end of my rope, didn't know what I was doing wrong.

Again thank you all