tElock 0.9x modified/private


bedrock
March 27th, 2003, 05:02
I am trying to unpack a target which has been packed with the subject (according to PEiD 0.8).

I am using DriverStudio 2.7 on WinXP SP1

I am also using IceExt by sten.

My target runs fine with no breakpoints set. As soon as I set a bpm OEP x, I get a MessageBox saying

"CRC error! File content has been modified. If you run a system debugger, clear all breakpoints before running this program!"

I assume this is purely tElock detecting SoftICE, but I don't understand what mechanism it is using (possibly int3).

As well as IceExt, I have also tried nticedump, ntall and a couple of things I found whilst using the search button at the top of the page from nikolatesla20:

http://www.woodmann.net/forum/showthread.php?s=&threadid=4419

http://www.woodmann.net/forum/showthread.php?s=&threadid=4031

None of these seem to let me set a bpm at OEP for my target so that I can dump it.

Maybe I am doing something wrong; if so, then a pointer in the right direction would be helpful.

--
bedrock

the_analyst
March 27th, 2003, 06:43
Hello,

BPM doesn't modify the program's code.
Especially not with an int 3. (BPX)

He might detect that you did set a bpm and kick your ass.
Though, I don't see why he would show such a message.
WTF, CRC :-)

Maybe to confuse you a bit.

he could access the context of the app with "GetThreadContext"
or via SEH to read the context structure.
Then we could check if your DRx are set to 0, else, he would
show you such a message.

I guess he would also set your DRx to zero first somewhere to erase your bpm and make sure DRx are set to zero.

I think SoftICE in DS 2.7 prevents BPM erasing; he could detect you this way. Not sure if it applies, since it does work without a bpm set though.

Anyway, I just woke up, and it's just an idea.

I'm off to take a shower :-)

Regards,

Analyst

bedrock
March 27th, 2003, 07:21
Analyst, thanks for your info.

I've done some more searching and have just been reading this thread:

http://www.woodmann.net/forum/showthread.php?s=&threadid=2949

I'm afraid that I don't yet understand a lot of this though.

--
bedrock

Solomon
March 27th, 2003, 20:58
Here is my suggestion:

Don't use BPM for tElock if you don't know where/when to set a BPM, coz tE uses debug registers to do an anti-debug check. He uses the debug registers to set 4 breakpoints in his own code and counts them. So if you set a BPM, the count will not be 4, and then you will get the CRC error. The following quoted code snippet is the core part of this trick. You can set a BPM after this. Obviously we can use BPINT3 to locate this trick.
Code:

001B:005BD07F POP EBP //EBP = 005BD07F, delta-offset base for all addresses below
001B:005BD080 LEA EAX,[EBP+46] //EAX = 005BD0C5, address of own exception handler
001B:005BD083 PUSH EAX
001B:005BD084 XOR EAX,EAX
001B:005BD086 PUSH DWORD PTR FS:[EAX]
001B:005BD089 MOV FS:[EAX],ESP //set up own exception handling frame
001B:005BD08C INT 3 //software breakpoint exception
001B:005BD08D NOP
001B:005BD08E MOV EAX,EAX
001B:005BD090 STC //1st hardware breakpoint here
001B:005BD091 NOP
001B:005BD092 LEA EAX,[EBX*2+00001234]
001B:005BD099 CLC //2nd hardware breakpoint here
001B:005BD09A NOP
001B:005BD09B SHR EBX,05
001B:005BD09E CLD //3rd hardware breakpoint here
001B:005BD09F NOP
001B:005BD0A0 ROL EAX,07
001B:005BD0A3 NOP //4th hardware breakpoint here
001B:005BD0A4 NOP
001B:005BD0A5 XOR EBX,EBX
001B:005BD0A7 DIV EBX //divide-by-zero exception
001B:005BD0A9 POP DWORD PTR FS:[0000] //will continue execution here after exception handling
001B:005BD0AF ADD ESP,04
001B:005BD0B2 MOV SI,4647
001B:005BD0B6 MOV DI,4A4D
001B:005BD0BA MOV AL,[EBP+00000099] //AL = counter byte at 005BD118
001B:005BD0C0 JMP 005BD161
//This is the entry point of own exception handler
001B:005BD0C5 MOV EAX,[ESP+04] //EXCEPTION_POINTERS.ExceptionRecord
001B:005BD0C9 MOV ECX,[ESP+0C] //EXCEPTION_POINTERS.ContextRecord
001B:005BD0CD INC DWORD PTR [ECX+000000B8] //ContextRecord->Eip++: skip the 1-byte instruction that raised the exception
001B:005BD0D3 MOV EAX,[EAX] //switch(ExceptionRecord->ExceptionCode)
001B:005BD0D5 CMP EAX,C0000094 //case EXCEPTION_INT_DIVIDE_BY_ZERO:
001B:005BD0DA JNZ 005BD100
001B:005BD0DC INC DWORD PTR [ECX+000000B8] //Eip++ again, DIV EBX is 2 bytes
001B:005BD0E2 XOR EAX,EAX
001B:005BD0E4 AND [ECX+04],EAX //dr0 = 0
001B:005BD0E7 AND [ECX+08],EAX //dr1 = 0
001B:005BD0EA AND [ECX+0C],EAX //dr2 = 0
001B:005BD0ED AND [ECX+10],EAX //dr3 = 0
001B:005BD0F0 AND DWORD PTR [ECX+14],FFFF0FF0 //dr6 = FFFF0FF0
001B:005BD0F7 AND DWORD PTR [ECX+18],0000DC00 //dr7 = 0000DC00 (all L/G enable bits cleared)
001B:005BD0FE JMP 005BD160
001B:005BD100 CMP EAX,80000004 //case EXCEPTION_SINGLE_STEP:
001B:005BD105 JZ 005BD113
001B:005BD107 CMP EAX,80000003 //case EXCEPTION_BREAKPOINT:
001B:005BD10C JZ 005BD120
001B:005BD10E PUSH 01 //default: return 1 = ExceptionContinueSearch
001B:005BD110 POP EAX
001B:005BD111 JMP 005BD160
001B:005BD113 CALL 005BD119 //pushes 005BD118, the address of the counter byte
001B:005BD118 //counter byte (data, = [EBP+99]), not an instruction
001B:005BD119 POP EAX
001B:005BD11A INC BYTE PTR [EAX] //increase the number of hardware breakpoints
001B:005BD11C SUB EAX,EAX
001B:005BD11E JMP 005BD160

001B:005BD120 MOV EAX,[ECX+000000B4] //ContextRecord->Ebp = 005BD07F
001B:005BD126 LEA EAX,[EAX+24]
001B:005BD129 MOV [ECX+04],EAX //dr0 = 005BD0A3
001B:005BD12C MOV EAX,[ECX+000000B4]
001B:005BD132 LEA EAX,[EAX+1F]
001B:005BD135 MOV [ECX+08],EAX //dr1 = 005BD09E
001B:005BD138 MOV EAX,[ECX+000000B4]
001B:005BD13E LEA EAX,[EAX+1A]
001B:005BD141 MOV [ECX+0C],EAX //dr2 = 005BD099
001B:005BD144 MOV EAX,[ECX+000000B4]
001B:005BD14A LEA EAX,[EAX+11]
001B:005BD14D MOV [ECX+10],EAX //dr3 = 005BD090
001B:005BD150 XOR EAX,EAX
001B:005BD152 AND DWORD PTR [ECX+14],FFFF0FF0 //dr6 = FFFF0FF0
001B:005BD159 MOV DWORD PTR [ECX+18],00000155 //dr7 = 00000155 (L0..L3 enabled, RW/LEN = 0: execute, 1 byte)
001B:005BD160 RET //EAX = 0 = ExceptionContinueExecution on the handled paths
001B:005BD161 SUB AL,04 //AL = (number of hardware breakpoints - 4)
001B:005BD163 MOV [EBP+00000099],AL //for data decryption later

Use BPX instead. But don't set a BPX at the first instruction of a Win32 API, coz tE checks whether it's 0xCC. You can set a BPX at the 2nd/3rd... instruction, for example, BPX VirtualProtectEx+3.
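
A constructed model of the counting trick in the listing above, added here and not code from the thread or from tElock: handler() mirrors the three cases of the packer's exception handler, and a tiny byte-stepping "CPU" raises the single-step trap at each armed address. The reserved-DRs mask is an assumption that models a debugger which refuses the program's context write to a debug register (a BPM already occupying it), which is exactly the situation in which the count ends up different from 4.

```c
/* Constructed model of the tElock DRx counting trick (not packer code): a tiny
 * "CPU" steps over the armed 1-byte instructions; handler() mirrors the listing. */
#include <stdint.h>
#define EXCEPTION_BREAKPOINT         0x80000003u
#define EXCEPTION_SINGLE_STEP        0x80000004u
#define EXCEPTION_INT_DIVIDE_BY_ZERO 0xC0000094u
#define BASE    0x005BD07Fu   /* EBP after POP EBP (delta-offset base) */
#define INT3_AT (BASE + 0x0D) /* 005BD08C */
#define DIV_AT  (BASE + 0x28) /* 005BD0A7 */
typedef struct { uint32_t dr[4], dr6, dr7, ebp, eip; } ctx_t; /* CONTEXT fields used */
/* Assumption: bit n set => the debugger drops the program's write to DRn (a BPM owns it) */
static unsigned g_reserved_drs;
static uint8_t  g_counter;   /* the byte at BASE+0x99 (005BD118) */
static void set_dr(ctx_t *c, int n, uint32_t v) {
    if (!(g_reserved_drs & (1u << n))) c->dr[n] = v;
}
/* 005BD0C5..005BD160: 0 = ExceptionContinueExecution, 1 = ExceptionContinueSearch */
static int handler(uint32_t code, ctx_t *c) {
    c->eip++;                                        /* INC [ECX+B8]: skip 1-byte insn */
    if (code == EXCEPTION_INT_DIVIDE_BY_ZERO) {
        c->eip++;                                    /* DIV EBX is 2 bytes */
        for (int i = 0; i < 4; i++) set_dr(c, i, 0);
        c->dr6 &= 0xFFFF0FF0u; c->dr7 &= 0x0000DC00u; /* all enable bits cleared */
        return 0;
    }
    if (code == EXCEPTION_SINGLE_STEP) { g_counter++; return 0; }
    if (code == EXCEPTION_BREAKPOINT) {              /* arm the four execute bps */
        set_dr(c, 0, c->ebp + 0x24); set_dr(c, 1, c->ebp + 0x1F);
        set_dr(c, 2, c->ebp + 0x1A); set_dr(c, 3, c->ebp + 0x11);
        c->dr6 &= 0xFFFF0FF0u; c->dr7 = 0x155u;      /* L0..L3 on, RW/LEN=0: exec, 1 byte */
        return 0;
    }
    return 1;
}
/* Runs INT 3 .. DIV EBX; returns AL after SUB AL,4 (0 only if all four bps fired). */
int trick_result(unsigned reserved_drs) {
    ctx_t c = {{0, 0, 0, 0}, 0, 0, BASE, INT3_AT};
    g_reserved_drs = reserved_drs; g_counter = 0;
    handler(EXCEPTION_BREAKPOINT, &c);               /* INT 3 */
    while (c.eip < DIV_AT) {          /* byte steps suffice: armed addrs are 1-byte insns */
        int hit = 0;
        for (int i = 0; i < 4; i++)
            if ((c.dr7 & (1u << (2 * i))) && c.dr[i] == c.eip) hit = 1;
        if (hit) handler(EXCEPTION_SINGLE_STEP, &c); else c.eip++;
    }
    handler(EXCEPTION_INT_DIVIDE_BY_ZERO, &c);       /* DIV EBX */
    return (uint8_t)(g_counter - 4);                  /* 00 clean, FF with one DR taken */
}
```

Because AL is folded into the decryption, any non-zero result silently corrupts the unpacked data rather than just popping the message, which is why the thread's advice is to avoid BPM until this sequence has run.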

the_analyst
March 27th, 2003, 21:00
Looks like I wasn't wrong :-)

Analyst