Identify the target


Mfriend
December 12th, 2002, 20:10
Hi

I'm quite new to RE ( about ~1/2 year ) and have found a very interesting target. Advanced Softice detection ( frogice, ntall, icedump, various anti-debugging tricks, aso. )
I'm pretty sure that the programmer ( some shareware author ) does not protect his software with "custom" tricks ( except CRC checking )

- after some manual unpacking strings like "yoda" appeared in the dumped exe => he uses more than one packer.
But the real interesting part follows:
The target is one single exe ~ 1 Mb size. Dumped process is 60 Kb. This 60 kbyte ( I'm not finished with all the packer layers ) appears to be only some Loader/Unpacker for the real software which is encrypted in the 1 Mb exe file ( after the process image ).

Guessing OEP for each layer is quite hard for me.. are there any other "generic" ways to recognize an OEP ?
( the only one I know of, and which appears on this board too is:
POPAD
RET )
Well, and building up IT... I don't really know when I'm correct.. for some reason the target quits itself without any error - even with a completely messed IT.. ( perhaps I've missed some CRC/size check )

Now - does any of the grand-crackers have an idea which protection this could be ? Reminds me somehow of "Himan 2" ( securom v2. + "special tricks" where some dlls and other program parts are built up in memory by the encrypted executable ).

I have spent nearly an hour ( maybe too little ) into looking for tutorials which explain how to crack multiple protected targets. Does anyone know of some resources I should look into, before I start asking questions here ?
I have to admit.. I prefer to find it out by myself.. but this finding out has cost me nearly 2 weeks by now - and I really don't know if I'm on the right track ( unwrapping layer by layer ).
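The "POPAD / RET" hint above is the classic tail-jump heuristic: a packer stub saves all registers with PUSHAD, unpacks, restores them with POPAD and then transfers control to the original entry point (OEP) with a RET or a JMP that leaves the stub. The following is an added example, not code from the thread, that scans a code buffer for these byte patterns and reports where a JMP would land; the bytes in `SAMPLE` and the base address are constructed. As the poster notes, this is only a heuristic: POPAD followed by RET also occurs in ordinary code, so every hit still needs checking by hand.

```python
"""Scan raw x86 code bytes for packer tail-jump candidates (POPAD; RET / JMP).

Added example for triaging packed samples; not from the original thread.
The SAMPLE buffer and the base address are constructed for illustration.
"""
import struct
from typing import List, Optional, Tuple

POPAD = 0x61       # restores registers saved by PUSHAD (0x60)
RET = 0xC3
JMP_SHORT = 0xEB   # jmp rel8
JMP_REL32 = 0xE9   # jmp rel32

Hit = Tuple[int, str, Optional[int]]  # (address, mnemonic, jump target or None)


def find_tail_jump_candidates(code: bytes, base: int) -> List[Hit]:
    """Return every POPAD that is directly followed by RET, JMP rel8 or JMP rel32.

    `base` is the virtual address of code[0]; JMP targets are resolved relative
    to the end of the JMP instruction. A RET target lives on the stack, so None.
    """
    hits: List[Hit] = []
    n = len(code)
    for i in range(n - 1):
        if code[i] != POPAD:
            continue
        op = code[i + 1]
        if op == RET:
            hits.append((base + i, "popad; ret", None))
        elif op == JMP_SHORT and i + 2 < n:
            rel = struct.unpack_from("<b", code, i + 2)[0]
            hits.append((base + i, "popad; jmp short", base + i + 3 + rel))
        elif op == JMP_REL32 and i + 5 < n:
            rel = struct.unpack_from("<i", code, i + 2)[0]
            hits.append((base + i, "popad; jmp", base + i + 6 + rel))
    return hits


def leaving_buffer(hits: List[Hit], base: int, size: int) -> List[Hit]:
    """Keep only hits whose control transfer leaves [base, base+size).

    A JMP out of the unpacker stub into another region is the usual OEP sign;
    RET is kept because its target cannot be known statically.
    """
    lo, hi = base, base + size
    return [h for h in hits if h[2] is None or not (lo <= h[2] < hi)]


# Constructed stub: pushad, filler, popad + jmp out, popad + ret, popad + nop.
SAMPLE = bytes([
    0x60,                          # pushad (stub prologue)
    0x90, 0x90,                    # nop padding (decryption loop elided)
    0x61,                          # popad
    0xE9, 0x00, 0x10, 0x00, 0x00,  # jmp +0x1000 -> outside this buffer
    0x61, 0xC3,                    # popad; ret (second candidate)
    0x61, 0x90,                    # popad; nop (not a candidate)
])
SAMPLE_BASE = 0x401000


def scan_sample() -> List[Hit]:
    """Run the scan over the constructed buffer and keep hits that leave it."""
    hits = find_tail_jump_candidates(SAMPLE, SAMPLE_BASE)
    return leaving_buffer(hits, SAMPLE_BASE, len(SAMPLE))


if __name__ == "__main__":
    for addr, mnem, target in scan_sample():
        tgt = f"-> {target:#x}" if target is not None else "(target on stack)"
        print(f"{addr:#x}: {mnem} {tgt}")
```

In a real analysis the buffer would be the stub section read from a dump, and the base would be that section's virtual address; the interesting hits are the ones whose target falls in a different section than the stub.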

Mfriend
December 13th, 2002, 11:28
update:

a few further layers removed - I have also found a reason why IT didn't need any modification - All the packers ( so far ) have used the same functions which the first packer has used. ( yes I could have checked that in the first place ).
It's like a matryoshka - you open a doll - and there is another doll in there..

Does no one recognize the protection ? ( Loader which loads an encrypted part in the same exe )

squidge
December 13th, 2002, 14:22
The only protection I've seen which has an exe size of, say, a few meg, but when dumped, only outputs about 60kb has been a lame exe cryptor written in Delphi (forget the name). You didn't need to find the OEP or anything though as it decrypted the main part of the app to a temp directory on your hd and executed it from there. Of course, it deleted it afterwards.

So my advice would be to use filemon and check that this is not happening - if the program is decrypting into memory, you can normally dump the entire memory range including the decrypted and crypted parts of the prog.

Mfriend
December 13th, 2002, 14:56
No, filemon hasn't caught any suspicious file-access.

And the loader ( it must be some loader ) confuses me a lot... mainly because it keeps detecting softice...

another newbie question: how to hide current 4.2.7. Softice on W2k ?

ntall fails
nticeset fails ( tried to update pntice.ini, but without success )

I have found several topics on this forum but nothing helping me much..



SplAj says somewhere he has posted an "EliCZ macro set" ... but I've never found it.

Maybe I should try to hide softice on my own first, before I start to crack right away ... but on the other hand.. why invent the wheel again ?

Mfriend
December 13th, 2002, 15:17
addon:
I have found out so far:

-The loader process overwrites itself with the decrypted process which is hidden after the stored process image in the executable.
( process image size changes )

-loader is heavily guarded by packers ( anti-debugging, anti-dumping )


Where I'm stuck right now:

these anti-softice tricks....

so I change tactic and will try to patch my softice installation to remain undetected. This could take a few days...
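The observation above (a ~1 MB file whose mapped process image is only ~60 KB, with the real program stored after the image) describes an executable that carries its payload in the PE overlay: bytes that follow the last section's raw data and are never mapped by the loader. Checking for a large overlay is a cheap first triage step when looking at a suspicious executable. The following is an added example, not code from the thread: a minimal PE header walker that reports where the overlay starts and how big it is, run over a constructed two-section PE with a constructed payload appended. A big overlay is a hint, not proof; installers, self-extractors and Authenticode signatures also store data there.

```python
"""Report the overlay (data past the last section) of a PE file.

Added example for triage of suspicious executables; not from the original thread.
build_sample() constructs a minimal, non-runnable PE purely as test input.
"""
import struct
from typing import Tuple

COFF_FMT = "<HHIIIHH"        # Machine, NumberOfSections, TimeDateStamp,
                             # PointerToSymbolTable, NumberOfSymbols,
                             # SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
SECTION_SIZE = struct.calcsize(SECTION_FMT)


def pe_overlay(data: bytes) -> Tuple[int, int]:
    """Return (overlay_offset, overlay_size) for a PE image held in `data`.

    The overlay starts at the highest PointerToRawData + SizeOfRawData over
    all section headers; anything beyond that is not mapped into the process.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff_off = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff_off)
    table_off = coff_off + struct.calcsize(COFF_FMT) + opt_size

    end_of_sections = 0
    for i in range(nsections):
        fields = struct.unpack_from(SECTION_FMT, data, table_off + i * SECTION_SIZE)
        raw_size, raw_ptr = fields[3], fields[4]
        if raw_size:  # sections with no raw data (e.g. .bss) do not count
            end_of_sections = max(end_of_sections, raw_ptr + raw_size)

    overlay_size = max(0, len(data) - end_of_sections)
    return end_of_sections, overlay_size


def build_sample(overlay: bytes) -> bytes:
    """Construct a minimal PE: two sections of 0x200 bytes each, then `overlay`.

    Constructed sample input only; the optional header is zero-filled.
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    coff = struct.pack(COFF_FMT, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytes(0xE0)                                # zero-filled optional header

    def section(name: bytes, vaddr: int, raw_ptr: int, raw_size: int) -> bytes:
        return struct.pack(SECTION_FMT, name, raw_size, vaddr, raw_size,
                           raw_ptr, 0, 0, 0, 0, 0x60000020)

    headers = (bytes(dos) + b"PE\0\0" + coff + opt
               + section(b".text", 0x1000, 0x200, 0x200)
               + section(b".data", 0x2000, 0x400, 0x200))
    headers = headers.ljust(0x200, b"\0")            # pad to first section
    return headers + bytes(0x400) + overlay          # section bodies + overlay


def overlay_ratio(data: bytes) -> float:
    """Fraction of the file that is overlay; a ratio near 1 matches the
    '1 MB file, 60 KB image' pattern described in the thread."""
    _, size = pe_overlay(data)
    return size / len(data) if data else 0.0


if __name__ == "__main__":
    sample = build_sample(b"\xAA" * 0x4000)          # constructed payload
    off, size = pe_overlay(sample)
    print(f"overlay at {off:#x}, {size} bytes, {overlay_ratio(sample):.0%} of file")
```

To use it on a real file, read it with `open(path, "rb").read()` and pass the bytes to `pe_overlay`; the same walk is what gives the "dumped image is far smaller than the file" signal without running anything.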

crUsAdEr
December 13th, 2002, 17:19
This sounds interesting, may I know what you are playing with ?

Mfriend
December 13th, 2002, 17:28
uhm.. how embarrassing...
after hiding si ( thanks SplAj for his nice tut I've found ) there was no problem dumping the real process image.

now this was too easy :|

since the target runs only on w2k ( squidge and I discovered ) the 2 weeks I've spent on that weren't worth it.

but I've learned how to hide softice on w2k/xp..


@squidge: thanks

Mfriend
December 13th, 2002, 17:49
the target was a reception client for highspeed networks ( called FFR Fast File Receiver ) by WizzCast ( the author's nick )

The "project" seems to be dead ... ( hp has been down for about 3 weeks now )

well.. anyway I look for a new target.. which is worth writing a tut about it...

Happy reversing,
mystical friend

JMI
December 13th, 2002, 19:41
Mfriend:

Just a word for anyone looking to hide softice.

In addition to +Spl/\j's walk-through there was a patch for hiding DS 2.7 by nikolatesla20 in a thread titled "Driver Studio *2.7* anti detect patches" dated 10-23-2002 in the TOT Forum. It made all the patches for everything except int 1 detection. In that thread I also posted a link to the +Spl/\j walk-through. Nikolatesla20 also posted a previous patch for DS 2.6.

There is also a multipage thread from 09-23-2002, titled "Avoiding INT1 detection of SoftICE under WinXP" which discusses how to avoid even this detection method. There is a "Detect" program posted by +Spl/\j which will show you if your patches are working.

These were all posted within the last 90 days (except the +Spl/\j walk-through) and could have been located with rather simple searches and/or simply looking back through the listings on the TOT Forum.

Regards.

Mfriend
December 14th, 2002, 00:08
of course you are right - a little bit more searching would have spared me asking about si hiding on w2k/xp/nt.

I do hate it too, if the same questions are asked over and over again -

thank you for pointing me to the int1 threads.

mf