pelock anti SI detection


+SplAj
December 31st, 2002, 13:18
hello again

I'm gonna paste some asm here so I *hope* i'm in the right forum

Now, Evaluator disclosed some infos that IceDump left Colonel32 memory w-i-d-e-o-p-e-n ....naughty naughty tsk tsk. is it true... is the nemesis here.......

How to detect Icedump is loaded in Win9x O/S .....

Just run latest PElock 1.05 Demo and you'll see

how does it know.... you have /protect on but the bastard still knows you are using SoftICE !!!! (btw this Bart is not Bart, the other is Bart , Evaluator)

heres how :-


TASM ASM


.386p
.MODEL FLAT,STDCALL
locals
jumps
UNICODE=0
include w32.inc
include PELOCK.INC
extrn GetProcAddress :PROC


.data

msg1 db "PELock 1.05 check 'IceDump' test",0
msg2 db "SEH triggered ok....Did NOT detect IceDump.... ",0
msg3 db "*** I C E D U M P *** D E T E C T E D ",0
mark db 0
iKern db "Kernel32",0
iExit db "ExitProcess",0

.code

Start:

xor eax,eax ;zero to EAX for setting xhandler
push offset SEH_handler ;address our new SEH handler
push dword ptr fs:[eax] ;save previous handler address
mov dword ptr fs:[eax],esp ;set our new xhandler
call GetModuleHandle, offset iKern
call GetProcAddress , EAX, offset iExit ; get 'ExitProcess' memory location
add dword ptr [eax],00 ;try and write to it....SEH if no IceDump else

push eax ;just ExitProcess...should NEVER GET HERE !!!
call MessageBoxA,0, offset msg3, offset msg1,0
ret ; this will ret into ExitProcess and your gone !!!

;DEMO_START This is how EASY pelock programming-in-source-code is (see pelock.inc)

;place here some ' registered user only ' bit of code blah blah blah

;DEMO_END but i disabled it ( for my example
; and included a bit of home made crypto

iNop: db 05Eh,06Ah,087h,0C4h,07Fh,02Eh,03Dh,04Eh ; for phun.......


pop dword ptr fs:[0] ;set previous handler
add esp,4 ;clear stack
cmp mark, 1
jnz jump

call MessageBoxA,0, offset msg2, offset msg1,0
call ExitProcess, -1 ;end program

jump:

call MessageBoxA,0, offset msg3, offset msg1,0
call ExitProcess, -1 ;end program

;+++++++++++++++++++++

SEH_handler:

mov eax, [esp+04] ;set EAX to address with exception #
mov ecx, [esp+0Ch] ;read to ECX address start of context structure
mov dword ptr [ecx+0b8h], offset iNop ;return EIP
mov eax, [eax] ;read exception number
sub eax, 0C0000005h ;STATUS_ACCESS_VIOLATION error value
jnz SEH_handler_end ;if it isn't an access violation jump (not our exception)
inc mark ;set mark because xhandler ran
xor dword ptr [iNop+4],0DEADBEEFh ;decrypt running code with DeadBeef+ShitFace ...hmmm
xor dword ptr [iNop+0],05417FACEh

SEH_handler_end:

ret ;back to program ..we hope


ends
end Start
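The probe in the listing above, as an added example that is not from the thread, from PELock or from IceDump: the same write-to-a-code-page check rewritten in portable C. Where the TASM version installs an SEH frame, writes to the first bytes of ExitProcess and lets the handler patch CONTEXT.Eip back to iNop, the C version installs a SIGSEGV/SIGBUS handler, writes a code byte back to itself and uses sigsetjmp/siglongjmp to resume after the fault. A fault means the code page is still read-only; a silent success means something has relaxed the protection, which is exactly what the thread says PELock 1.05 keys on. The function probe_target is a stand-in I chose for ExitProcess; the example assumes a POSIX toolchain (Linux or macOS, gcc or clang).

```c
/* Added example: POSIX analogue of the SEH code-page probe discussed in the thread.
   Not part of PELock or IceDump; probe_target is a hypothetical stand-in for ExitProcess. */
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

static sigjmp_buf probe_env;            /* saved context, like the CONTEXT record the SEH handler edits */
static volatile sig_atomic_t fault_seen;

/* Fault handler: record the fault and resume in page_is_writable(), the way the
   TASM handler sets CONTEXT.Eip to iNop instead of letting the process die. */
static void on_fault(int sig) {
    (void)sig;
    fault_seen = 1;
    siglongjmp(probe_env, 1);
}

/* Returns 1 if the byte at addr can be written (page writable), 0 if the write faulted. */
int page_is_writable(void *addr) {
    struct sigaction sa, old_segv, old_bus;
    volatile int writable = 0;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;            /* we leave the handler via siglongjmp, not by returning */
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);    /* some platforms report protection faults as SIGBUS */

    fault_seen = 0;
    if (sigsetjmp(probe_env, 1) == 0) {
        volatile unsigned char *p = (volatile unsigned char *)addr;
        unsigned char v = *p;
        *p = v;                          /* write the byte back unchanged: "add [eax],0" in the TASM */
        writable = 1;                    /* only reached if the store did not fault */
    } else {
        writable = 0;                    /* siglongjmp from on_fault landed here */
    }

    sigaction(SIGSEGV, &old_segv, NULL); /* restore previous handlers, like "pop fs:[0]" */
    sigaction(SIGBUS, &old_bus, NULL);
    return writable;
}

/* Hypothetical probe target living in .text, standing in for the ExitProcess entry point. */
static int probe_target(int x) { return x + 1; }

/* 0 on an intact system (the store faults); 1 if the code page has been made writable. */
int code_page_probe(void) { return page_is_writable((void *)probe_target); }

/* Control: a .bss buffer is always writable, so this must return 1. */
int data_page_probe(void) {
    static unsigned char buf[16];
    return page_is_writable(buf);
}

int main(void) {
    if (code_page_probe())
        puts("*** code page is WRITABLE: something has relaxed the protection ***");
    else
        puts("write to code page faulted: protection intact");
    printf("data page control: %d\n", data_page_probe());
    return 0;
}
```

The control probe on a data buffer matters for the same reason the thread's mark byte does: a check that only ever sees faults cannot tell "protection intact" from "my handler never ran". For monitoring rather than self-checking, an analyst would normally read the mapping permissions directly (VirtualQuery on Windows, /proc/self/maps on Linux) instead of provoking a fault, which is also why a protector prefers the fault: it is harder to satisfy by lying about permissions.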

Woodmann
December 31st, 2002, 20:36
Quote:
decrypt running code with DeadBeef+ShitFace ...



BWAHAHAHAHAHAHHAHAHAAA


Later, Woodmann

bart
December 31st, 2002, 20:51
hmm so who am i?

or [ExitProcess],0 can be easily defeated by setting bpm ExitProcess + superbpm

JMI
December 31st, 2002, 21:07
Gosh:

"DEADBEEF" and "BEEFABAD" for years were part of the decryption code on PACE copy protection for the MAC some years ago. Found it in most of my MAC early music software. Haven't had time to check if they have changed their strips on the newer stuff for the MAC.

And Bart: Obviously you are the "other one." You, of all people, should be able to tell the difference.

Regards.

+SplAj
January 1st, 2003, 16:27
hi bart the real bart

PElock 1.05 is my first find for this trick in a commercial protector.

Seemed too much of a coincidence.........it was NOT in v1.04.

I just made a SI macro that sets EAX to 0, pokes EIP back to the offending line, X, and SEH carries on as normal. Actually in this case the real code that is RET to is some 4928 lines back. If you follow the SEH you'll get to SUB DWORD PTR [EAX+B8],00004928

hmmm that's boring infos for N Y day....

cya

SpeKKeL
January 2nd, 2003, 21:25
Hajo,

svkp-protector claims to be the first who can trap icedump..,
H'mm i protected good old notepad and deprotected it without
too much problems, the svkp.exe file itself seems to be more difficult..
It has some anti-trace routines and icedump detection (protect on will not be triggered).
Maybe (talking about icedump detection) this is also a nice target
to play with..(i can't see how they detect icedump there, my knowledge is poor in these fs,seh,drx's bla bla beef..)

Happy new year,

Spekk.

Hwoarang
January 3rd, 2003, 22:10
I am having trouble getting Pelock.exe run on Win2k with Sice loaded, even if I managed to make it run on Win9x.
Also it's very weird how my Win2k reboots whenever I set a bp on a api..(maybe I should disable the BCHK interface?)

+SplAj
January 4th, 2003, 00:27
yes hwo

BIG troubles...... try bpm exitprocess rw and see how he uses the old trick of API protection... no BPX on API allowed (CC check)

Also he (t'other bart) uses INT1 fault of SINGLE_STEP error instead of expected STATUS_ACCESS_VIOLATION with SI running......so SEH steps through to RET MessageBox..FluckOfCracker....instead of redirecting to real flow......

i'm sure not many ppl will run pelock 1.05 on Win2K/XP

(and WinXP with SP1 is a real MF challenge for the nerves !!!)

anyway have phun and keep D FS:0 / D CS:[FS:0+4] checking the SEH. The year has only just started....

Spl/\j

crUsAdEr
January 4th, 2003, 07:39
If i remember correctly, PElock uses int1 and UnhandledException API check on win2k

So simply patch IDT to remove int1 check and then do this
bpm UnhandledExceptionFilter
then change the value in eax from "CC" to "55"

That is all :>

Hwoarang
January 4th, 2003, 13:06
I know of both int1 and UnhandledExceptionFilter checks..I was able to run previous versions of Pelock on Win2k with Sice...but the new one seems to use some new trick

r4g3
January 4th, 2003, 15:04
for ( int i = 0; i < 0xFFFFFFFF; i++ )
{
cout << "(and WinXP with SP1 is a real MF challenge for the nerves !!!)" << endl;
}

bart
January 4th, 2003, 17:57
did you see that update.exe from XP SP1 is full of encrypted code and asm snippets eg.:

010079E2 pusha
010079E3 pushf
010079E4 call sub_100AAB4
010079E9 push eax
010079EA lea edx, ds:0FEFB881h
010079F0 lea ecx, ds:19905CF5h
010079F6 sub esp, 8
010079F9 mov [esp+30h+var_30], edx
010079FC push ecx
010079FD shl eax, 10h
01007A00 or eax, 0Ch
01007A03 sub [esp+34h+var_30], 0EEF3E64h
01007A0B pop ebx
01007A0C mov [esp+30h+var_2C], eax
01007A10 jmp short sub_1007A3C


0100955C mov [ebp+var_1A8], edx
01009562 lea ecx, ds:10F1C526h
01009568 add ecx, [ebp+var_1C8]
0100956E sub ecx, [ebp-1ACh]
01009574 sub ecx, 0FF12FAAh
0100957A jmp ecx
0100957C ; ---------------------------------------------------------------------------
0100957C lea ecx, ds:0DC096DAh
01009582 sub ecx, [ebp-1A8h]
01009588 add ecx, [ebp-1C4h]
0100958E sub ecx, 0CC00144h
01009594 jmp ecx

010276AB pushf
010276AC pusha
010276AD push offset unk_1027967
010276B2 push 1
010276B7 call sub_1007A3C
010276BC add esp, 4
010276BF jmp eax

evaluator
January 4th, 2003, 20:36
"Hi, BTW +SplAj"!

I assume, u have xmas-LIBian-vacations & remember this MB..

So letz broke IceDump!?
(RRREALLLY easy-peesy!)

But before start, I need little help. (Maybe NOT_THAT_bart can help me?)

..I found one resource_Crackme. & I try play with it using RSRC_editors.
So I removed many thingz, for example all contents of 2nd tab.
But I can't remove this 2nd ("Project") tab.

So my question is:
RSRC_editors sux or this 2nd tab must be disabled from program code?

Kayaker
January 4th, 2003, 23:25
Hi Eval

I had a look at it and saw what you did. (this is a crackme?) Unfortunately tab windows are inserted into code as children of a "SysTabControl32" parent dialog with TCM_INSERTITEM, so even if you delete the controls, or even the whole child dialog resource, the "tab" will still show. If you delete the SendMessage call that does it it might work. It might look something like this...

Code:

tci TC_ITEM <> ; Tab Control struct
strTab1Text db "PELock",0
strTab2Text db "Project",0

; ----------------------------------------------------------
; Add Tabs to Tab control, fill TC_ITEM struct
; ----------------------------------------------------------

mov tci.imask, (TCIF_TEXT or TCIF_IMAGE)

mov tci.pszText, OFFSET strTab1Text ; 1st Tab control
mov tci.cchTextMax, SIZEOF strTab1Text
mov tci.iImage, 0

invoke SendMessage, hTabDlg, TCM_INSERTITEM, 0, OFFSET tci

mov tci.pszText, OFFSET strTab2Text ; 2nd Tab control
mov tci.cchTextMax, sizeof strTab2Text
mov tci.iImage, 1

invoke SendMessage, hTabDlg, TCM_INSERTITEM, 1, OFFSET tci

Kayaker

tgodd
January 16th, 2003, 16:02
You will find something close to that in Aladdin's Hardlock driver.
BEEFBABE and CAFEBABE.

regards,

tgodd

squidge
January 16th, 2003, 16:22
I prefer the one in Crypkey 6 -

0x1234