 
un unknown
Mostek
December 25th, 2002, 22:12
Well guys you can check this one if you want.
No file inspector detects it.
http://www.hc11.demon.nl/thrsim11/thrsim11.zip
Peace
Mostek
squidge
December 26th, 2002, 02:34
Seems to be PC-Guard -> hxxp://www.sofpro.com
Looking on their website, it seems to be yet another shell protection... 
Extract -> "you don't need any source code changes or great programming experience to accomplish professional software copy protection of your programs. PC Guard can by used by anyone, from professional programmers to programming beginners."
One other nice thing I've seen on there is "Feel the power of pure assembly coding! All PC Guard family products are mainly coded in ASM for speed, tight code and the best security. Dos version is 100% coded in 8086 assembly. Windows versions are coded in C++ (user interface) and 80386 ASM (all of the protection code).". Don't know about you, but I just love protection code written in pure asm. So much easier to follow than optimised C/C++.
They also advertise a demo of the protection system on their front page, which is available for downloading. 
I'll check it out later. May be interesting...
Mostek
December 26th, 2002, 15:40
Yeah I kinda figured that out. Snacker gave a 5min shot at it and all he got with dumping is 3.4kb. 
 
And as I don't know shit about this packer protection, as I'm more into driver programming, I thought you guys would have a little fun with it. A Christmas gift. 
 
Anyway going back to programming 8051(a school project). 
 
Of course if you'll find something interesting I'm more than interested in that reading. 
 
Peace
Mostek
squidge
December 26th, 2002, 15:49
Yup, managed to dump no more than 4Kb 
 
Downloaded the demo version of PC-Guard and told it to protect Notepad.exe (something that I know the EP of) but the resulting file will not work regardless of what settings I use, which makes our job a little harder. 
However, you can break into it by attaching to the process with Ollydbg and view the memory there. Trying to dump the memory however gave me a nice blue screen and restart (winXP). 
I'll have to check out the loader code and see what it does.
Mostek
December 26th, 2002, 16:03
There is even a small anti sice in there. 
 
Peace
Mostek
_Servil_
December 27th, 2002, 19:46
hello
i looked at your app and don't know too much about pcguard but if i can believe pe-scan it's pcguard.
if you have LordPe, try to fix the imagesize before you dump, it makes the snapshot a little bigger 
 
anyhow i didn't resolve the original entrypoint since it didn't allow the debugger to trace through the protection layer.
dumped on-the-fly for IDA and found WinMain at 0x00512538. However this can't be the real EP, no refs to it from the app module - it might be handled by BC's lib function __startup() (but no occurrence in main module), or it might be called from the gui-dll, btw. protected by PCG too.
are you going to release the resource dereferencer thingy for ida?
squidge
December 27th, 2002, 20:54
Hi m8,
After my first 4kb attempt I did try again with fixing the image size. However, although the output was over 1mb, about 900Kb of it was full of zeros. 
Had a look at a PC Guard decryptor from our favourite tools website and although the PC Guard GUI looks like a 9 year old kid designed it, the actual protection itself seems pretty serious.
I'm going to carry on and play with Crypkey 6 a bit more, as I'm having some real fun with it.
Iwarez
December 27th, 2002, 22:49
The OEP is at 401000. I'm pretty sure of this. I also fixed the IAT but I have problems breaking on the OEP because of the anti-debugger stuff. Therefore (or because maybe my dump is bad) I experience a GPF when running it.
Mostek
December 28th, 2002, 03:15
_Servil_
Was "are you going to release the resource dereferencer thingy for ida?" for me?
If yes, are you talking about the strings plugIn?
If yes, there is a plan for doing this, but the lack of time is really big at my end. 

School and programming a sound card driver eat pretty much all the time I have.
But as I have promised this to Tsehp I'll do it eventually.
Peace
Mostek
p.s. It looks the progy is a real bastard. 

Uradox
December 29th, 2002, 07:41
OEP is indeed 401000, good work Iwarez
GUI.exe
ITRVA = 0016B10C
Size = 0000653E
See attached imprec tree.
Unpacked exe is roughly the same size as protected
Should now run without any problems 

_Servil_
December 29th, 2002, 08:16
HI guys,
my copy is showing an error
The following connectable components can't be found;
- Switch
- LED
- 7Segments
- Hex7Segments
- Byte7Segments
- Word7Segments
Probably because the required DLL's are deleted or misplaced. Please reinstall these components.
Interestingly, it also shows when I restore all the original files (actually there's only the executable modified by me).
And yes Mostek, I was thinking of the string plugin. I think it'd be useful, something like w32dasm does into comments.
Mostek
December 30th, 2002, 17:25
Uradox: Could you send the unpacked file to my mail?
So that I can disable the other demo limitations and give working progy to my friend.
I would be very happy if you could.
_Servil_: I think the next time I'll have a little time I'll not work on i2s but on strings plugin.
Could you please send me a picture of how the resource reference looks in WDasm (I haven't used it for a long time so ..).
Peace
Mostek
TheSearcher
December 30th, 2002, 18:01
 
 
Think you should unpack it yourself Mostek
Mostek
December 30th, 2002, 18:24
As I said before I don't know anything about unpacking. 
 
I know it's sad, but that's life. I only have so much time.
And moreover, I'm not saying that he should send me the progy,
if he does I'll be very happy, or a friend of mine will be,
if not well that is life too.
Peace
Mostek
Woodmann
December 30th, 2002, 23:19
Ya'll know better than this..................
If you want to conduct such bizniz, take it on the 
down low, email was created for such a purpose, aaaight.
Peace out,
¥OBC
Mostek
December 31st, 2002, 03:32
My humble apology. 
 
Peace
Mostek
banshee
January 1st, 2003, 21:38
I also unpacked this proggy. Just one stupid question ;-)
What kind of SI detection (in SplAj's classification) does it use:
1) NTice class driver check(meltice)
2) BHCK boundschecker check
3) GF,MJ check
4) UnhandledException check
5) SIWVID class driver check
6) Int 1
7) Actual installation of SI in the registry
or any other?
I didn't use any patch for SI, just manually edited ASCII "NTice.sys" in target's memory.
P.S. My reconstructed IT has some differences in size and yours doesn't work for me. What is the problem?
esther
January 2nd, 2003, 01:50
Hey guys!
you are not supposed to upload IT.txt files in here
Kayaker
January 2nd, 2003, 06:37
OK guys and gals, we've reached a consensus and these it.txt file attachments have to be considered in the copy 'n paste 'n crackit category, just as a matter of course, considering the target is also named.  
Sorry, they seem harmless enough because they're not intended for lamers for sure, but if we have to enforce rules for the good of the board then we have to live by them too.
People can still rip a protection apart to learn how it works and discuss things to death and have fun here, I mean that's the whole point,  but this can be done without these complete IT fixups.
Regards,
Kayaker
Uradox
January 2nd, 2003, 06:50
Sorry bout the import fix.
banshee, first of all my sice has been patched and the program did run fine.
As for import size, yes my size is way bigger than the table actually is, but the imprec version i was using was screwing up if i cut the size down. If you use my import.txt you will notice a difference between that and if you were to just use my details (cleaning and cutting to be done)
Quote:
| I didn't use any patch for SI, just manually edited ASCII "NTice.sys" in target's memory | 
I take it by doing this you understood then what sice checks it was doing?
banshee
January 2nd, 2003, 14:40
Firstly, I am very sorry about posting the IT. I had to notice that the rules changed.
Uradox: The irony is that I managed to recognize where the check is performed, but I am still a newbie and don't know what exactly the tricks from the list I posted above look like. 
If anybody who reads this thread can explain what kind of detection it uses:
The check begins by calling GlobalAlloc for some buffer, then it calls the function that enumerates all loaded *.sys modules (don't remember its name exactly). After doing that it scans the buffer and compares filenames with the predefined ASCII "NTice.sys". So by patching that value in memory we get SIce hidden.
Crimson Sunset
January 3rd, 2003, 03:12
No need to use imprec or revirgin on this target
a clean import table is decrypted when run.
 
 
Can't seem to understand the anti-softice trick used however,
and Pcguard itself isn't fooled by editing "NTice.sys" string in mem.
(beginning to get frustrated, hope someone will give me a hint)
Kayaker
January 3rd, 2003, 07:01
OK, you got me interested 
 
The PCGWIN32.EXE program itself, I don't know about something packed with it, uses the old CreateFileA method of Softice detection (Meltice).  Many, many, many times...  Detects for \\.\SICE, \\.\NTICE, \\.\TRW, and something called \\.\ZTW (wtf is that?)
After the call to CreateFileA, if it returns a valid handle to say \\.\SICE, there's a call to CloseHandle and SetErrorMode, then C847h bytes are overwritten somewhere with 0's then the killing call to ExitProcess is made.  What's interesting is how it handles the check for a valid er, handle, making use of the Zero Flag and SMC to hide where the decision is made.  Here's a little unobfuscated code for fun which shows what's going on. This is from TraceDump, a perhaps soon-to-be-released app for Win98 which makes use of the power of the Backtrace feature of Softice...
After decrypting the Import table a call to CreateFileA is made...
Code:
	44DBBB	6A00	PUSH 0		; hTemplateFile
01	44DBBD	EB01	JMP  SHORT 44DBC0 	
02	44DBC0	9C 	PUSHF 	
03	44DBC1	EB01	JMP  SHORT 44DBC4 	
04	44DBC4	EB08	JMP  SHORT 44DBCE 	
05	44DBCE	EBF7	JMP  SHORT 44DBC7 	
06	44DBC7	9D 	POPF 	
07	44DBC8	EB01	JMP  SHORT 44DBCB 	
08	44DBCB	EB03	JMP  SHORT 44DBD0 	
09	44DBD0	6A00	PUSH  BYTE +0	; dwFlagsAndAttributes	
10	44DBD2	60 	PUSHA 	
11	44DBD3	E803000000	CALL  44DBDB 	
12	44DBDB	EB01	JMP  SHORT 44DBDE 	
13	44DBDE	58	POP  EAX 	
14	44DBDF	EB01	JMP  SHORT 44DBE2 	
15	44DBE2	40 	INC  EAX 	
16	44DBE3	EB01	JMP  SHORT 44DBE6 	
17	44DBE6	FFE0	JMP  EAX 	
18	44DBD9	EB0E	JMP  SHORT 44DBE9 	
19	44DBE9	61 	POPA 	
20	44DBEA	6A03	PUSH  BYTE +3	; OPEN_EXISTING	
21	44DBEC	EB01	JMP  SHORT 44DBEF 	
22	44DBEF	60 	PUSHA 	
23	44DBF0	E803000000 	CALL  44DBF8 	
24	44DBF8	58 	POP  EAX 	
25	44DBF9	EB01	JMP  SHORT 44DBFC 	
26	44DBFC	40 	INC  EAX 	
27	44DBFD	EB01	JMP  SHORT 44DC00 	
28	44DC00	FFE0	JMP  EAX 	
29	44DBF6	EB0B	JMP  SHORT 44DC03 	
30	44DC03	61 	POPA 	
31	44DC04	6A00	PUSH  BYTE +0	; lpSecurityAttributes	
32	44DC06	EB01	JMP  SHORT 44DC09 	
33	44DC09	9C 	PUSHF 	
34	44DC0A	EB01	JMP  SHORT 44DC0D 	
35	44DC0D	EB08	JMP  SHORT 44DC17 	
36	44DC17	EBF7	JMP  SHORT 44DC10 	
37	44DC10	9D 	POPF 	
38	44DC11	EB01	JMP  SHORT 44DC14 	
39	44DC14	EB03	JMP  SHORT 44DC19 	
40	44DC19	6A00	PUSH  BYTE +0	; dwShareMode	
41	44DC1B	60 	PUSHA 	
42	44DC1C	E803000000 	CALL  44DC24 	
43	44DC24	EB01	JMP  SHORT 44DC27 	
44	44DC27	58 	POP  EAX 	
45	44DC28	EB01	JMP  SHORT 44DC2B 	
46	44DC2B	40 	INC  EAX 	
47	44DC2C	EB01	JMP  SHORT 44DC2F 	
48	44DC2F	FFE0	JMP  EAX 	
49	44DC22	EB0E	JMP  SHORT 44DC32 	
50	44DC32	61 	POPA 	
51	44DC33	6800000080	PUSH  DWORD 80000000 ; GENERIC_READ	
52	44DC38	60	PUSHA 	
53	44DC39	E803000000 	CALL  44DC41 	
54	44DC41	EB01	JMP  SHORT 44DC44 	
55	44DC44	58	POP  EAX 	
56	44DC45	EB01	JMP  SHORT 44DC48 	
57	44DC48	40 	INC  EAX 	
58	44DC49	EB01	JMP  SHORT 44DC4C 	
59	44DC4C	FFE0	JMP  EAX 	
60	44DC3F	EB0E	JMP  SHORT 44DC4F 	
61	44DC4F	61 	POPA 	
62	44DC50	50 	PUSH  EAX		; //./SICE	
63	44DC51	EB01	JMP  SHORT 44DC54 	
64	44DC54	9C 	PUSHF 	
65	44DC55	EB01	JMP  SHORT 44DC58 	
66	44DC58	EB08	JMP  SHORT 44DC62 	
67	44DC62	EBF7	JMP  SHORT 44DC5B 	
68	44DC5B	9D 	POPF 	
69	44DC5C	EB01	JMP  SHORT 44DC5F 	
70	44DC5F	EB03	JMP  SHORT 44DC64 	
71	44DC64	FF95784E4100 	CALL  NEAR [EBP+414E78] ; CreateFileA	
72	44DC6A	EB01	JMP  SHORT 44DC6D	; returns with Zero Flag set	
73	44DC6D	60 	PUSHA
74	44DC6E	E803000000 	CALL  44DC76 	
75	44DC76	58	POP  EAX
76	44DC77	EB01	JMP  SHORT 44DC7A 	
77	44DC7A	40 	INC  EAX		; unsets Zero Flag (ZF) 	
78	44DC7B	EB01	JMP  SHORT 44DC7E 	
79	44DC7E	FFE0	JMP  EAX 	
80	44DC74	EB0B	JMP  SHORT 44DC81 	
81	44DC81	61	POPA
82	44DC82	8BD8	MOV  EBX, EAX	; mov CreateFileA handle to EBX
83	44DC84	60	PUSHA 	
84	44DC85	E803000000 	CALL  44DC8D 	
85	44DC8D	EB01	JMP  SHORT 44DC90 	
86	44DC90	58	POP  EAX 	
87	44DC91	EB01	JMP  SHORT 44DC94 	
88	44DC94	40	INC  EAX		; no change to ZF 	
89	44DC95	EB01	JMP  SHORT 44DC98 	
90	44DC98	FFE0	JMP  EAX 	
91	44DC8B	EB0E	JMP  SHORT 44DC9B 	
92	44DC9B	61	POPA 	
93	44DC9C	43	INC  EBX		; 
; if EBX contains a valid handle this has no effect on the ZF, it's still unset
; if EBX contains FFFFFFFFh (SoftIce not detected) this *sets* ZF to "on"
 	
94	44DC9D	EB01	JMP  SHORT 44DCA0 	
95	44DCA0	9C	PUSHF 	
96	44DCA1	EB01	JMP  SHORT 44DCA4 	
97	44DCA4	EB08	JMP  SHORT 44DCAE 	
98	44DCAE	EBF7	JMP  SHORT 44DCA7 	
99	44DCA7	9D	POPF 	
100	44DCA8	EB01	JMP  SHORT 44DCAB 	
101	44DCAB	EB03	JMP  SHORT 44DCB0 	
102	44DCB0	C3	RET 	
103	44D93F	EB01	JMP  SHORT 44D942 	
104	44D942	9C	PUSHF 	
105	44D943	EB01	JMP  SHORT 44D946 	
106	44D946	EB08	JMP  SHORT 44D950 	
107	44D950	EBF7	JMP  SHORT 44D949 	
108	44D949	9D	POPF 	
109	44D94A	EB01	JMP  SHORT 44D94D 	
110	44D94D	EB03	JMP  SHORT 44D952 	
111	44D952	744F	JZ  44D9A3 	; if ZF not set you're a Bad Boy!
The same code is called for all the debug drivers PCGuard checks, and is repeated at several different addresses just to keep you on your toes.  How to defeat it?  Don't know, don't care ;-)
Cheers,
Kayaker
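The flag trick in Kayaker's trace is easier to see once the JMP SHORT chains and the CALL +3 / POP EAX / INC EAX / JMP EAX gadgets are reduced to their net effect. The following is an added example (not TraceDump output or PC Guard code): a tiny emulator that walks the flag-relevant steps of trace entries 72 to 111 and reports whether the final JZ is taken for a given CreateFileA result. The start address 0x44DC6D and the handle value 0x7C are constructed; the gadget and instruction semantics (PUSHA/POPA restore registers but not EFLAGS, INC writes ZF, MOV and RET leave flags alone) are standard x86.

```python
# Added example: emulate the hidden "is the CreateFileA handle valid?" check
# from the PC Guard trace, with obfuscation gadgets reduced to their net effect.

MASK = 0xFFFFFFFF
INVALID_HANDLE_VALUE = 0xFFFFFFFF   # CreateFileA result when \\.\SICE does not exist

# Flag-relevant steps of trace entries 72-111. "CALL_POP" stands for the
# CALL +3 / POP EAX pair: EAX receives the return address, and the following
# INC EAX / JMP EAX continues one byte past it (a linear-sweep disassembler
# decodes the skipped byte as part of a bogus instruction).
CHECK_SEQUENCE = [
    ("PUSHA", None),            # save every register, including the handle in EAX
    ("CALL_POP", None),
    ("INC", "EAX"),             # clears ZF: a code address plus one is never zero
    ("JMP_EAX", None),
    ("POPA", None),             # EAX holds the handle again; EFLAGS untouched
    ("MOV", ("EBX", "EAX")),    # handle copied to EBX, no flag change
    ("PUSHA", None),
    ("CALL_POP", None),
    ("INC", "EAX"),
    ("JMP_EAX", None),
    ("POPA", None),
    ("INC", "EBX"),             # the real test: 0xFFFFFFFF + 1 wraps to 0 and sets ZF
    ("PUSHF", None),
    ("POPF", None),             # save/restore pairs have no net effect
    ("RET", None),
    ("PUSHF", None),
    ("POPF", None),
    ("JZ", None),               # taken (ZF=1) means no handle, i.e. no SoftICE
]


class MiniCPU:
    """Just enough x86 state to follow the check: EAX, EBX, ZF, a stack, EIP."""

    def __init__(self, eax):
        self.regs = {"EAX": eax & MASK, "EBX": 0}
        self.zf = 0
        self.stack = []
        self.eip = 0x44DC6D        # constructed start address for the CALL/POP gadget

    def step(self, op, arg):
        r = self.regs
        if op == "PUSHA":
            self.stack.append(dict(r))
        elif op == "POPA":
            r.update(self.stack.pop())          # registers restored, flags untouched
        elif op == "PUSHF":
            self.stack.append(self.zf)
        elif op == "POPF":
            self.zf = self.stack.pop()
        elif op == "CALL_POP":
            r["EAX"] = self.eip + 5             # CALL is 5 bytes; POP EAX yields its return address
        elif op == "INC":
            r[arg] = (r[arg] + 1) & MASK
            self.zf = 1 if r[arg] == 0 else 0   # INC updates ZF (CF is left alone)
        elif op == "JMP_EAX":
            self.eip = r["EAX"]                 # lands one byte past the return address
        elif op == "MOV":
            dst, src = arg
            r[dst] = r[src]                     # MOV never touches flags
        elif op == "RET":
            pass                                # RET does not touch flags either
        elif op == "JZ":
            return self.zf == 1                 # branch taken?
        else:
            raise ValueError(op)
        return None


def softice_detected(createfile_result):
    """Run the check with a given CreateFileA result. True means the JZ falls
    through, i.e. the protector would head for its ExitProcess path."""
    cpu = MiniCPU(createfile_result)
    for op, arg in CHECK_SEQUENCE:
        taken = cpu.step(op, arg)
        if taken is not None:
            return not taken
    raise RuntimeError("check sequence ended before the JZ")


def zf_after_inc(value):
    """ZF produced by a 32-bit INC: only 0xFFFFFFFF (-1) yields ZF=1."""
    return 1 if ((value + 1) & MASK) == 0 else 0


if __name__ == "__main__":
    for result in (INVALID_HANDLE_VALUE, 0x7C):   # 0x7C: a constructed valid handle
        print(f"CreateFileA -> {result:08X}: detected={softice_detected(result)}")
```

The point the emulator makes explicit is that no CMP or TEST against INVALID_HANDLE_VALUE ever appears: the comparison is the wrap-around of INC EBX, and every other INC in the sequence operates on a copy of EAX that PUSHA/POPA throws away, so the handle itself survives untouched until the one instruction that matters.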
banshee
January 3rd, 2003, 11:30
OK, think I have to explain it more precisely, it seems to be interesting. As I understood Kayaker you are talking about PCGuard in general:
Quote:
| The PCGWIN32.EXE program itself, I don't know about something packed with it, | 
but what about the link posted in the beginning of this thread 
h**p://www.hc11.demon.nl/thrsim11/thrsim11.zip
pe-scan reports that it's pc-guard 4.03d-4.05d, PEiD with hardcore scan that it's pc-guard 3.03d. I installed SICE 2.7 and nikolatesla's patches but the target still detects it. I traced the detection routine a little and found that the proggy calls ntoskrnl!NTQuerySystemInformation then scans the returned list of loaded modules and compares with ASCII "NTice.sys" (actually with "NTic"). I fooled the program by bpm on that ASCII and patching it, so I unpacked the program without problems. Now I have a question: is this method of detection in the list of antisice tricks posted here by +SplAj about 1.5 years ago? If not, can you explain the class of method and how it can be defeated. Think that changing the name of the SICE driver may help. Am I right?
+SplAj
January 4th, 2003, 00:11
Well
This NTQueerFuckerInformation is NOT recommended by M$
in the MSDN
/Quote :-
Remarks
The NtQuerySystemInformation function and the structures that it returns are internal to the operating system and subject to change from one release of Windows to another. To maintain the compatibility of your application, it is better to use public Win32 API functions mentioned above instead.
If you do use NtQuerySystemInformation, access the function through run-time dynamic linking as shown in the example below. This gives your code an opportunity to respond gracefully if the function has been changed or removed from the operating system. Signature changes, however, may not be detectable.
/End Quote
However it is working right now with Win2k SP3 and WinXP SP1 as a nice SI detector simply by finding the name of 'NTice.sys' in the system folder (you can also use it for the other 2 sys files )
as described by banshee.
I made a  quick exe to replicate this function. It worked on my 5 PC's 
 
Source and compiled exe are attached for your pleasure ..........
Spl/\j
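The loaded-module scan that banshee traced and that +SplAj reproduced in his attached exe boils down to parsing the buffer NtQuerySystemInformation returns for SystemModuleInformation and comparing the file-name part of each entry against a fixed string. The following is an added example, not +SplAj's attached source or the PC Guard code: it builds a buffer of that shape from constructed paths, parses it, and runs both the exact match and the four-byte "NTic" prefix compare banshee observed. The struct layout is the documented 32-bit Win2k/XP RTL_PROCESS_MODULE_INFORMATION (an assumption here, not something the thread states; a 64-bit kernel widens the three pointer fields), and the class value 11 is likewise assumed. On a live 32-bit system the bytes would come from NtQuerySystemInformation resolved at run time through GetProcAddress, as the MSDN remark quoted above recommends.

```python
# Added example: parse a SystemModuleInformation reply and look for debugger
# drivers by file name, the check described in the thread. Layout and class
# value are assumptions (documented 32-bit Win2k/XP values, not from the page).
import struct

SYSTEM_MODULE_INFORMATION = 11          # SystemInformationClass value (assumption)

# ULONG NumberOfModules; then RTL_PROCESS_MODULE_INFORMATION Modules[]:
#   PVOID  Section, MappedBase, ImageBase;
#   ULONG  ImageSize, Flags;
#   USHORT LoadOrderIndex, InitOrderIndex, LoadCount, OffsetToFileName;
#   UCHAR  FullPathName[256];
ENTRY_FMT = "<IIIIIHHHH256s"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 284 bytes on 32-bit Windows

# The driver the thread says the protector looks for, plus the usual SoftICE
# companions; compared case-insensitively against the file-name part only.
DEBUGGER_DRIVERS = ("ntice.sys", "sice.sys", "siwvid.sys")


def build_module_buffer(paths):
    """Construct a buffer shaped like the kernel's reply (test data only)."""
    chunks = [struct.pack("<I", len(paths))]
    for i, path in enumerate(paths):
        raw = path.encode("ascii")
        if len(raw) >= 256:
            raise ValueError("path too long for FullPathName[256]")
        name_off = raw.rfind(b"\\") + 1          # OffsetToFileName: just past the last backslash
        chunks.append(struct.pack(
            ENTRY_FMT, 0, 0, 0x80400000 + i * 0x100000, 0x20000, 0,
            i, i, 1, name_off, raw.ljust(256, b"\0")))
    return b"".join(chunks)


def parse_module_buffer(buf):
    """Return [(image_base, full_path, file_name), ...] from a reply buffer."""
    if len(buf) < 4:
        raise ValueError("buffer too short for the module count")
    (count,) = struct.unpack_from("<I", buf, 0)
    if 4 + count * ENTRY_SIZE > len(buf):
        # Truncated reply (e.g. STATUS_INFO_LENGTH_MISMATCH handled badly):
        # trusting the count here would read past the buffer.
        raise ValueError(f"count {count} does not fit in {len(buf)} bytes")
    modules = []
    for i in range(count):
        fields = struct.unpack_from(ENTRY_FMT, buf, 4 + i * ENTRY_SIZE)
        image_base, name_off, full = fields[2], fields[8], fields[9]
        path = full.split(b"\0", 1)[0].decode("ascii", "replace")
        name_off = min(name_off, len(path))      # never trust the offset blindly
        modules.append((image_base, path, path[name_off:]))
    return modules


def find_debugger_drivers(buf, watch=DEBUGGER_DRIVERS):
    """Exact, case-insensitive file-name match against the watch list."""
    return [name for _, _, name in parse_module_buffer(buf)
            if name.lower() in watch]


def find_by_prefix(buf, prefix="NTic"):
    """The looser four-byte compare banshee observed: anything starting 'NTic'."""
    return [name for _, _, name in parse_module_buffer(buf)
            if name.startswith(prefix)]


SAMPLE = build_module_buffer([            # constructed module list
    r"\WINNT\System32\ntoskrnl.exe",
    r"\SystemRoot\System32\Drivers\Cdfs.SYS",
    r"\??\C:\WINNT\system32\drivers\NTice.sys",
    r"\SystemRoot\System32\Drivers\NTicket.sys",   # constructed non-debugger name sharing the prefix
])

if __name__ == "__main__":
    for base, path, name in parse_module_buffer(SAMPLE):
        print(f"{base:08X} {name:<12} {path}")
    print("exact matches :", find_debugger_drivers(SAMPLE))
    print("prefix matches:", find_by_prefix(SAMPLE))
```

Two details worth noting from the defender's side: the count field and OffsetToFileName both come from a structure MSDN explicitly calls subject to change, so a parser should bound-check them rather than index straight into the buffer, and a four-byte prefix compare like the one banshee saw both overmatches (the constructed NTicket.sys above) and, as he guessed, depends entirely on the driver keeping its original name.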
banshee
January 4th, 2003, 10:45
What about defeating this detection? We can patch memory each time manually or create a loader, but is there any way to do it automatically? I compiled a simple loader with R!SC's process patcher for the above target (I mean the link in the beginning, not +SplAj's file). On my Win2k SP2 it works fine.