View Full Version : Greetings on the board,


hobgoblin
November 9th, 2002, 18:20
Greetings guys,

I'm not sure what forum I should use for this thread, but here it is....
I have a nice challenge for those interested. I have been looking at a target for a couple of hours, and I'm getting more and more interested. The target is encrypted. When you disassemble the exe file, you can see that the disassembled body clearly consists of two sections. One starts in the address area 4xxxxx, the other starts in the area 7xxxxx. But you see no text strings and no import information. When you load it in the Softice loader, you start at a 7xxxxx address. While stepping through the code, you will see the program checks the Disks (Getvolumeinfoa), it checks for Drivetypes. It loops several times while it decrypts what is to become the final executable. You can during these loops see how the program builds the sections, the header and so on. Now, and here comes the interesting part: It checks whether Softice is loaded in memory. (Easy to find). I'm not quite sure, but I think it checks for Regmon too. (Haven't really checked all it is looking for yet..). You can put breakpoints, and the program still runs. You can manipulate the program to jump/not jump during runtime, but if you change something in memory (or in hardcode), you will get problems. Either you get a message saying that you have no valid license etc., or you get a Windows error message. If you change something in hardcode, and try to manipulate your way through the code to emulate the course it takes when it is untouched, you will eventually get trouble because then the program seems to decrypt the program wrong, and you'll eventually avoid what can be called getting to the OEP.

Nice, heh?

The target is Xselerator 2.5.7, and can easily be found on the net..

Regards,
hobgoblin