JMI
September 11th, 2002, 03:00
evaluator:
Our musician friend, didn't you see the "repeat" symbol at the end of the measure? I had to "repeat" the measure, err, message again. It's my job.
sobdk:
Perhaps it would be useful to take a step back and consider the basic concept of what the protectors do and what they have to start with. For this process you need a good understanding of the PE format and how things are generally organized in such files. You need a general understanding of how import and export tables function and how they are generally organized within a PE file. For example, you start with the understanding that a PE file MUST be able to find its imports and exports, or it CAN NOT function. The imports are organized in the IAT, which tell the program what special pieces of other code the programs needs to work properly, regardless of whether it comes from Windo$e or something specific to that program.
Now, if you have this general understanding about how things HAVE to work, you are a leg up on the process of restoring the program to that condition by removing the protector's tricks designed to prevent you from finding out how to register or otherwise use the software fully without paying for it. So next you need some general understanding of the types of "tricks" that the protectors use to mess with your mind and attempt to keep you from seeing the real code.
There are several basic tricks that they can try to make that task more difficult. They can, and the better ones do, mess with efforts to disassemble and/or debug the program, under the theory that if you can't see the code, you can't "fix" it. They can encrypt parts or all of the code to make it difficult to understand. They can screw with the IAT in several ways, but the more common it to give you something that may "look" like the IAT, but it has been redirected somehow in an effort to screw with the IAT reconstructors, Revirgin and Imprec. So you end up with an IAT, but it doesn't seem to lead to the correct APIs, so the "dumped" program doesn't work.
So we need some generic plans of attack on their efforts. The first and formost is to understand that the program HAS to remove its obfuscation and/or have code that leads to the CORRECT APIs, or it CAN'T work. If you start from that point, then you recognize that your job is to FIND where this happens, that point in the protector's code where the relevant part of the code is decrypted and/or re-directed somewhere else. This can be done is several different ways and the "correct" code could be written to the file somewhere and a way to find it written in the "original" location, or it might be stored in memory, either encrypted or decrypted.
Assuming you master the first hurdle and can actually look at the code (because if you can't, you aren't going to manually unpack it) you need to realize that you can actually trace the protection code as it decrypts or moves the important code parts somewhere else. This is different from tracing a dump of the exe, which is generally assumed to be the code AFTER the protector's code has done it's thing and moved stuff around, and maybe back again.
So if you have reached the OEP and then dumped your exe, there is a very good chance that the protector has ALREADY screwed the IAT. One safer approach, but often more difficult, is to watch the protector's code "unwind" itself and often you can actually see it decrypt an IAT and then mess with it in some fashion. For this type of protection scheme, you can often trace to that "magic moment" and then dump the IAT and paste it into a later dump from the OEP and, by that means, "fix" whatever the protector's code did to it, AFTER it decrypted it.
Another technique involves understanding how the re-directed IAT's function and using a debugger (again assuming you have mastered the attempt to prevent you from doing this very thing) and "trace" the IAT entries to determine where they actually go and "fix" your dumped IAT with this information.
So where does all this get you. If you understand that the protectors are working very hard to try to stay ahead of +tsehp and the author of Imprec and find some way to make revirgin and/or imprec fail to "resolve" the IAT or, better yet, make you THINK you have the correct IAT, when you don't, you will understand that for some protector's products, you need to check the results to make sure they are correct.
If you don't understand how to trace an API in the IAT, you only know how to use someone else's tool, and when the protectors learn how to mess with the tool, you are screwed. If you know how to defeat anti-debugger and anti-disassembler code, you have a leg up and now you only need to know how to trace and what to look for.
So to answer your question on how does one learn how to do this sh*t right, the direct answer is that at some point we read a great deal of material on each of the concepts I mentioned above, not just those directed at our "immediate" target" and eventually, over time, one gets a "feel" for the code and a better clue as to where to try to break into their efforts to see the important stuff.
You might not see this as "help" or as not the "help" you want "now." But I believe it is the help you really need to make real progress.
Regards.