
View Full Version : EXEStealth - SPOILER - Unpacking!


Manko
February 13th, 2003, 20:10
Since someone asked, though it disappeared...

Exestealth 2.6 - Not so good protector...

558BEC578B45108BB8C4000000FF3733FF648F078380C4000000088BB8A4000000C1C70789B8B8000000B8000000005FC9C3

Code:

55 push ebp
8B EC mov ebp, esp
57 push edi
8B 45 10 mov eax, [ebp+10h]
8B B8 C4 00 00 00 mov edi, [eax+0C4h]
FF 37 push dword ptr [edi]
33 FF xor edi, edi
64 8F 07 pop dword ptr fs:[edi]
83 80 C4 00 00 00 08 add dword ptr [eax+0C4h], 8
8B B8 A4 00 00 00 mov edi, [eax+0A4h]
C1 C7 07 rol edi, 7
89 B8 B8 00 00 00 mov [eax+0B8h], edi <<==--- !!! NOW OEP is in edi. !!!
B8 00 00 00 00 mov eax, 0
5F pop edi
C9 leave
C3 retn


This proc will reveal the OEP in EXEStealth...
Take out a signature and search with WinHex when the proggy is running.
Note down the address, rerun the program and break on this address to get the OEP!
When dumping with ProcDump, don't forget: right-click, correct image size!
When rebuilding the IAT, put in the OEP, search and get imports, click show invalid and right-click + trace level 1. All good!

How did I find proc?

Pack an app whose OEP you know. Break on the OEP. Walk the stack backwards, looking really carefully, as some things are not simply return addresses, making new breakpoints as you go along, and reach this proc. Trace it down to mov [eax+0B8h], edi and say eureka!
You SHOULD practice this!

!!! ? !!!
Remember, I have hidden my SoftICE... You need to do that too! (I don't really know that, since I haven't tried without it.) Info about that can be found elsewhere on fraviaMB if you search! Ask how if you can't manage it... (But don't be lazy and not try yourself!)
!!! ? !!!

Also, let's hope the author will now improve it.

/Manko

bedrock
February 14th, 2003, 09:23
Manko, thanks for this great info. I have been struggling with this for about a week now, but following your info I have unprotected and rebuilt the imports for my target and it is working 100% now.

Thanks a lot man.

Manko
February 14th, 2003, 16:32
Any time!

If you see to it you learn something from this, I will be happy!

/Manko

neviens
February 15th, 2003, 09:41
One week?! Why didn't you ask for more help here? Well, I understand that learning is important, but to trash a week for this, khmm.., "protector"!?

I took a look at one ancient IDA listing and here it is:

1. In Sice you have to pass the 1st SMC code with F10 until the following code appears:

nop
call _CRC1
mov ss:_CRC1Result[ebp], eax
mov eax, ss:_ProtectionFeatures[ebp]
and eax, 1 ; Sice, SmartCheck, Idag check
jz short _toGetProcAddresses

In the variable _ProtectionFeatures[ebp] the protector stores which protection features are enabled (1h = Sice check, 2h = erase EXE header, 4h = erase imports, ...). Simply put a zero here, and all that is gone!

2. Continue with F10 until the following code appears:

mov ebx, ss:_ImageBase[ebp]
add ebx, ss:_OEP[ebp] ; OEP is here!
ror ebx, 7
mov [esp+10h], ebx

I think an explanation isn't necessary. Only note that Manko found it in another place; those ror and rol are the encrypting and decrypting instructions that hide the OEP for some time.

3. After dumping at the OEP, the usual procedures remain: PE header corrections and IT creation. For short programs I don't use ReVirgin or ImpREC but simply write the damaged IT with a hex editor (if you are familiar with the IT structure, it's easy). The result is a "perfect crack".

I fully agree with Manko that this "protector" requires a serious upgrade.
Neviens.
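Putting Manko's handler listing and neviens' ror/rol note together, here is an added example (my own Python, not code from this thread or from EXEStealth): it models the packer's ror 7 and the handler's rol 7 on the x86 CONTEXT record and scans a constructed buffer for the signature bytes posted above. The offsets Ebx = 0A4h, Eip = 0B8h, Esp = 0C4h are assumed from the standard WinNT x86 CONTEXT layout, which is what the handler's [eax+...] accesses line up with.

```python
# Added example (not from the thread): models the two halves of EXEStealth's
# OEP hiding and searches a constructed dump for Manko's signature.
import struct

MASK32 = 0xFFFFFFFF

def ror32(value: int, count: int) -> int:
    """32-bit rotate right, what the packer's 'ror ebx, 7' does."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32

def rol32(value: int, count: int) -> int:
    """32-bit rotate left, what the handler's 'rol edi, 7' does."""
    count %= 32
    return ((value << count) | (value >> (32 - count))) & MASK32

# Manko's signature: the SEH handler that writes the OEP into CONTEXT.Eip.
SIGNATURE = bytes.fromhex(
    "558BEC578B45108BB8C4000000FF3733FF648F07"
    "8380C4000000088BB8A4000000C1C707"
    "89B8B8000000B8000000005FC9C3"
)

# Assumed x86 CONTEXT field offsets (standard WinNT layout).
CTX_EBX, CTX_EIP, CTX_ESP = 0xA4, 0xB8, 0xC4

def packer_hide_oep(image_base: int, oep_rva: int) -> int:
    """EBX as the packer leaves it before the exception fires
    (neviens' listing: add ebx, OEP; ror ebx, 7)."""
    return ror32((image_base + oep_rva) & MASK32, 7)

def handler_recover_eip(context: bytearray) -> int:
    """Simulate the handler: unlink the SEH frame (Esp += 8, the pop into
    fs:[0] is not modelled), then Eip = rol(Ebx, 7), i.e. the OEP."""
    ebx = struct.unpack_from("<I", context, CTX_EBX)[0]
    esp = struct.unpack_from("<I", context, CTX_ESP)[0]
    struct.pack_into("<I", context, CTX_ESP, (esp + 8) & MASK32)
    eip = rol32(ebx, 7)
    struct.pack_into("<I", context, CTX_EIP, eip)
    return eip

def find_signature(buf: bytes) -> list:
    """Offsets of every copy of the handler in a memory dump."""
    hits, pos = [], buf.find(SIGNATURE)
    while pos != -1:
        hits.append(pos)
        pos = buf.find(SIGNATURE, pos + 1)
    return hits

def demo() -> int:
    """End to end: packer hides OEP 0x401000, handler recovers it."""
    ctx = bytearray(0x2CC)  # sizeof(CONTEXT) on x86, constructed here
    struct.pack_into("<I", ctx, CTX_EBX, packer_hide_oep(0x400000, 0x1000))
    return handler_recover_eip(ctx)

if __name__ == "__main__":
    print(hex(demo()))
    print(find_signature(b"\x90" * 16 + SIGNATURE + b"\xCC" * 8))
```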

Manko
February 15th, 2003, 14:10
Hi, Neviens!

This IDA listing seemed very nicely commented.
Did you do it yourself? Did it not take you at least some time, and WHY the work if it's just some crappy trash-protection...?

I know that when I was even more of a newbie some months back, I knew next to no asm. I would have gotten nowhere in a week and probably given up after few hours even.

I give recognition to persistence and hard work when I hear about it! I know I would not last that long, and I'm not even suffering from tender age syndrome...

It was REALLY interesting to hear about that single point of security! Hehe... I knew it was crappy. But my god! ...

Anyway, gotta rush, time for the Eurovision Song Contest!
(I really was in a hurry. Of course it was only the preliminary Swedish tryouts... or something...)

/Manko

bedrock
February 16th, 2003, 06:22
I guess my persistence counts for something then. The thing is someone else had already cracked the target I was looking at, but I really wanted to unprotect it myself.

Once Manko helped me find the OEP everything was OK. Thanks for all your comments guys.