Lamecrypt


ThrawN
May 21st, 2002, 11:48
Just a small tutorial on writing a decryptor for newbies...
Based on an old protector called lamecrypt
Very basic.. hope someone finds it useful

Sorry for pasting here, if you don't approve then simply remove

ThrawN

Sphinx
May 21st, 2002, 13:44
thx ThrawN

i am going to try it.
This is a useful skill

c ya

ThrawN
May 23rd, 2002, 12:51
You'll probably notice some things in the PE I change which aren't needed; I only did it in an attempt to make some things work on NT,
not to worry. If anyone is interested I do have a CD I constructed which contains all my sources on it including softwrap's unpacker and various other things.
However I will only mail it to trusted friends I've known for a while... someone contact me for some arrangements perhaps..

If you need any help with this either post here or email me

ThrawN

egg
August 23rd, 2002, 09:35
Thrawn, VERY useful tutorial! (the simplest things in life are often the best)

However, it left me with one question ...

After reading in an entire executable file, getting its image header and optional header, etc etc, how can you find out the real entry point of the program and its consequent file offset?

For example, when you open the lamecrypted showbmp.exe in win32dasm, on the very second line of the disassembly, it says:
Code Offset = 00002C00, Code Size = 0000001F
And sure enough, pressing F10 in win32dasm to go to the entrypoint takes me to RVA 00406000 (00002C00 in the file). So how does win32dasm determine that 00002C00 is the entrypoint?

Any help from anyone would be very much appreciated

NervGaz
August 23rd, 2002, 13:25
it's in the PE optional header

Code:

IMAGE_OPTIONAL_HEADER32 STRUCT
    Magic                       WORD ?
    MajorLinkerVersion          BYTE ?
    MinorLinkerVersion          BYTE ?
    SizeOfCode                  DWORD ?
    SizeOfInitializedData       DWORD ?
    SizeOfUninitializedData     DWORD ?
    AddressOfEntryPoint         DWORD ?    ; <--------- here you go (an RVA, not a file offset)
    BaseOfCode                  DWORD ?
    BaseOfData                  DWORD ?
    ImageBase                   DWORD ?
    SectionAlignment            DWORD ?
    FileAlignment               DWORD ?
    MajorOperatingSystemVersion WORD ?
    MinorOperatingSystemVersion WORD ?
    MajorImageVersion           WORD ?
    MinorImageVersion           WORD ?
    MajorSubsystemVersion       WORD ?
    MinorSubsystemVersion       WORD ?
    Win32VersionValue           DWORD ?
    SizeOfImage                 DWORD ?
    SizeOfHeaders               DWORD ?
    CheckSum                    DWORD ?
    Subsystem                   WORD ?
    DllCharacteristics          WORD ?
    SizeOfStackReserve          DWORD ?
    SizeOfStackCommit           DWORD ?
    SizeOfHeapReserve           DWORD ?
    SizeOfHeapCommit            DWORD ?
    LoaderFlags                 DWORD ?
    NumberOfRvaAndSizes         DWORD ?
    DataDirectory               IMAGE_DATA_DIRECTORY IMAGE_NUMBEROF_DIRECTORY_ENTRIES dup(<>)
IMAGE_OPTIONAL_HEADER32 ENDS


hope that was fairly clear.. (i'm tired)

egg
August 23rd, 2002, 14:49
NervGaz thank you very much for your help -- I would've thought AddressOfEntryPoint was the answer here, but it doesn't seem to be...
I'm looking at showbmp.exe from this LameDecrypt demo (seems like the best place to start); the AddressOfEntryPoint is &h100000 (1048576), but the offset in the file is 11265, which is the value I need to get to, not the RVA ...

NervGaz
August 23rd, 2002, 14:57
actually if you take a peek at it in a PE-edit/viewer it will tell you that AddressOfEntryPoint is 0x00006000 which translates to 0x2C00 as the file offset...

egg
August 23rd, 2002, 15:01
Ah but how do you get 2C00 from 6000 ?!? This would be the final answer to my problem
Thanks very much for all of your help, it is very much appreciated

ZaiRoN
August 23rd, 2002, 16:51
hi egg!
6000 is the relative virtual address (rva)
2C00 is the offset
there are many tools that translate offset to rva and vice versa.
they are called 'file location calculator' (FLC).
i.e. you can use lordpe. click on flc and put the right value in the box...

regards,
ZaiRoN

egg
August 23rd, 2002, 17:35
Thank you very much Zairon
but how do these programs calculate the file offset given an RVA? this is basically what I need to do

ZaiRoN
August 23rd, 2002, 18:08
suppose you want to pass from rva = 6000 to offset = 2C00.

the formula is: Offset = RVA - (VOffset + ROffset)
where VOffset and ROffset are respectively the virtual offset and the real offset of the section 'lamecryp'.

hmmm...why exactly this section?
you have to choose the section that contains the rva you want to convert. in general:
VOffset <= rva < (VOffset + VSize)

in this specific case:
6000 <= 6000 < (6000 + 1F)

so, in conclusion:
offset = 6000 - (6000 + 2C00) = 2C00

ciao,
ZaiRoN
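
Worked example of the RVA-to-offset conversion from this post and of egg's earlier question about locating the entry point (added here; it is not code from the thread, the tutorial or any FLC tool). It builds a constructed one-section PE32 image in memory whose header values match the numbers quoted above (AddressOfEntryPoint 0x6000, section 'lamecryp' at VirtualAddress 0x6000 with VirtualSize 0x1F and PointerToRawData 0x2C00), reads AddressOfEntryPoint out of IMAGE_OPTIONAL_HEADER32, finds the section whose virtual range contains that RVA, and computes offset = rva - VirtualAddress + PointerToRawData. The sample image and all helper names are assumptions for the example; it also handles the case a calculator tool hides: an RVA that falls inside a section's virtual range but beyond its raw data has no bytes in the file at all.

```python
import struct

# Constructed sample: a minimal PE32 image with a single section named
# 'lamecryp'. The field values reproduce the numbers quoted in the thread;
# this is not the showbmp.exe from the tutorial.
def build_sample_pe():
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> "PE\0\0" at 0x40
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                             # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", opt, 0, 0x10B)            # Magic = PE32
    struct.pack_into("<I", opt, 16, 0x6000)          # AddressOfEntryPoint (an RVA)
    struct.pack_into("<I", opt, 28, 0x400000)        # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)          # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)           # FileAlignment
    # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, PointerToRelocations, PointerToLinenumbers,
    # NumberOfRelocations, NumberOfLinenumbers, Characteristics
    sect = struct.pack("<8sIIIIIIHHI", b"lamecryp", 0x1F, 0x6000, 0x200, 0x2C00,
                       0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sect


def parse_pe(data):
    """Return (AddressOfEntryPoint, list of section dicts) read from the headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, fh + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, fh + 16)[0]
    opt = fh + 20                                    # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (Magic 0x10B) is handled in this example")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    first = opt + size_of_opt                        # section table follows the optional header
    for i in range(num_sections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, first + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr})
    return entry_rva, sections


def rva_to_offset(rva, sections):
    """Map an RVA to a file offset via the section whose virtual range contains it."""
    for s in sections:
        span = s["vsize"] or s["rawsize"]            # some linkers leave VirtualSize at 0
        if s["va"] <= rva < s["va"] + span:
            delta = rva - s["va"]
            if delta >= s["rawsize"]:
                # Inside the section's virtual range but past its raw data: the loader
                # zero-fills these bytes, so there is no file offset to return.
                raise ValueError("rva %#x has no backing bytes in the file" % rva)
            return s["rawptr"] + delta               # offset = rva - VOffset + ROffset
    raise ValueError("rva %#x is not inside any section" % rva)


def entry_point_offset(data):
    """File offset of the code the loader jumps to first."""
    entry_rva, sections = parse_pe(data)
    return rva_to_offset(entry_rva, sections)


if __name__ == "__main__":
    sample = build_sample_pe()
    rva, secs = parse_pe(sample)
    print("AddressOfEntryPoint = %#x" % rva)
    for s in secs:
        print("section %-8s VA=%#x VSize=%#x Raw=%#x RawSize=%#x"
              % (s["name"], s["va"], s["vsize"], s["rawptr"], s["rawsize"]))
    print("entry point file offset = %#x" % entry_point_offset(sample))
```

Running it prints AddressOfEntryPoint 0x6000 and an entry point file offset of 0x2c00, the same pair the thread arrives at for showbmp.exe; to use it on a real file, replace `build_sample_pe()` with the bytes read from disk (the parser only covers PE32, not PE32+).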

egg
August 26th, 2002, 05:09
Got it, thanks!