
a new cryptor/packer is out!!


thematrix
April 5th, 2003, 05:09
A new packer is out.
It crashes all the cracking tools like SoftICE, ProcDump, W32Dasm.
No tool works while it is running; it crashes ProcDump if that is in memory while the program is running.
The program encrypted with this packer is:
CD Shield SE 1
Download link:
http://mindestworx.free.fr/CDSEsetup-trial.exe
Hope to see this bitch fucked by a good unpacker.
Thanks

bart
April 5th, 2003, 06:49
I didn't notice that; the import table can be easily rebuilt using ImpREC...

Manko
April 5th, 2003, 09:24
hi, thematrix!

Search this forum and you will learn ways to hide your SoftICE better... As for the other tools, they can be hidden too, but even easier is to not let the program be in a running state when you use the tools...

I have to admit that at first glance I don't know what this is...

I just get an illegal copy message when I try to run it...

Is that what happens when you run cracker tools?

...or does it crash when those are found? Hmm...

Hmm... gonna check more later perhaps... Hmm...

/Manko

Manko
April 5th, 2003, 09:50
It seems to mostly just close down cracker apps...
It also uses IsDebuggerPresent, and I saw an int 68... tss..

I'm far too lazy to do this right...

/Manko

thematrix
April 5th, 2003, 10:49
Yeah, this packer firstly does not run when SoftICE is running, even when using FrogsICE to hide SoftICE,
and when you run ProcDump to try unpacking it, it crashes ProcDump,
and with W32Dasm it again crashes W32Dasm.
So how to unpack the file?
Hope some expert helps me do this.
Thanks

Manko
April 5th, 2003, 11:58
I can run SoftICE without any problem. You have to patch SI to become (almost) invisible... Search on the board!

Have you tried IceDump? (Though there are now plenty of tricks to see it too...)

He probably checks for FrogsICE, and then you're dead...

Tricking W32Dasm is easy; IDA is better...
Though disassembling it will give you nothing, as it is packed...

You should never use ProcDump unless the process is paused...

I guess I'll have to make a CD to practice this protection on... (OK, I'll make a virtual one... no wasting CDs...)

/Manko

Manko
April 5th, 2003, 12:30
Strange protection... It breaks my app, lets it run with any protected CD (I might be wrong), and enlarges it by almost 1 MB...

/Manko

Shoob
April 5th, 2003, 12:44
I found an entry point in the CDSE exe file, but only the text section could be dumped; the rest is lost. The file is about 1.4 KB. I've fixed the image size with LordPE and the file icon comes back. I didn't get the IAT; that's a problem... maybe rebuild it manually. Look at the attachment. I'm too lazy to check out the CD protector, but this file looks like a new Petite version. In fact the latest Petite versions were that easy.


I've tried the exe protector also, but it did nothing to a file?? Strange.

squidge
April 5th, 2003, 13:39
Protected files are left in CDShield's "Ready" directory, along with some other files. There's a #cdsh.dat file containing the following:

ZW8BzHV6HRPtOAYUS5EeXiGCozGQrXxuQegA3P3QbA6cE/cSG/ZfbCrPkSKE00KQh2rvDvqE
rfWk+B/x7zJjXWpaeC+k7wWPnPBqWUeGHfBDAyHCFVLMvUilYwedrk2976O3nu7I+tZmeark8y/Op0dAckYRPN+XFSFaB5rvkFrCxILGhNr2qTUtXWs4buPuSuBxmf5hpL1f3gDkIK3ZVQFR//ZRK8EMcqq2LqOyN1RJdiF0Y+Y+WJBh0hK8McL2wIuHYJ//926Amt8QpPqPjdVBEvXTEpUMLDHLWauTgoUTRR4tfB8vFeV1S2ItSruQszpn6oST2Sd7ou1KUj22VrRpy0a9pB3ab4AiMFva36pVDCk=

Which looks to me like some kind of RSA key, although I could be wrong.

There's also a file called "#<progname>", where <progname> is the file you protected. This seems to be simply an encrypted version of your entire original file. The file size is identical to the file you protected. Maybe the cdsh.dat file is the key for decrypting or encrypting the file?

Looking at the newly protected file, I see "Compressed by Petite (c)1999 Ian Luck.", and PEiD says it's protected by Yoda's Cryptor.

I'm going to have to do more research on this after I've got my current projects out of the way. Surely the "Petite" business and the "Yoda's Cryptor" signature are bogus, to fool us unpackers?

In the middle of the file you can see a VS_VERSION_INFO structure, which seems to mean that it could be a standard exe joined onto an encrypted file?

Also, at the end are the following strings:

~0049.tmp
MyApp
STANDALONE

I can see that ~0049.tmp does get created in my temp directory upon running the protected file; it's 300 KB, and the date and time are exactly the time the protected app was executed, but the VS_VERSION_INFO states that it's a plug-in for MultiMedia Builder.

Strange...

OK, just checked out the files it creates every time the app is run, and they are the following:

Squash Productions - Enhancing MMB!
Systools Plugin for MMB

Why is a protector using MMB?!

dELTA
April 6th, 2003, 18:00
What is MMB in the first place?

squidge
April 7th, 2003, 02:23
MMB - MultiMedia Builder.

Shoob
April 8th, 2003, 10:08
OK, a little suggestion (not finally cracked!):

Target: notepad.exe (wxy.geocities.com/freetryin2000/)

1. Open the protected file with OllyDbg and click away all the error messages (out of PE header, compressed file).

2. Toggle a breakpoint on import at GetProcAddress (if you know how to use Olly, you know how to set breakpoints on APIs!).

3. Press Shift+F9 until the stack window shows (yes, there will be an out-of-PE-header error; ignore it):

ProcNameOrOrdinal = "IsDebuggerPresent"

Trace with F8 until you are in the main code.

You are at 52869D; trace to 52869F and set a jmp.

You are at 5286A9; trace to 5286B3 and set a jmp.

At 52870B you return with F8 to 52873E.

4. Set a breakpoint on the pushad at 52875C and press Shift+F9.

What, the code after 528768 is lost, hehe.

Trace to 528766 and take a jump into the bath of 00s.

5. Press Shift+F8 two times and you are in the ntdll thread.

OK, press F8 until you are in the main NOTEPAD thread again.

....

Scroll down... to 52411C and set a breakpoint on it.

(I'm too lazy to explain all these loops and jumps, heh.)

Shift+F9 will bring you there.

6. Press F8; you are now at the OEP. The whole code is red, isn't it? :P Because the whole code was replaced with the decrypted one...

Don't move; start LordPE, select the notepad task with the left button and right-click -> Correct ImageSize.

Right-click again -> Dump Full.

7. Close LordPE but don't close Olly.

=========================
The ImpREC way
///////////////////

Start ImpREC, click on the active process and enter the OEP:

4913F0 - 400000 = 913F0

Enter it. Click on IAT AutoSearch, then on Get Imports.

Voila, there are all the valid sections.

Close Olly and Fix Dump (dumped.exe).

Open your dumped_.exe file with PEditor and change the OEP to 913F0.

Open Sections and look at the raw offset of text and code.

Change your Base of Code to: 1000
Change your Base of Data to: C6000

Save, exit, done.
================================

The ReVirgin way
////////////////////

Open ReVirgin and select your notepad task.

Enter OEP: 913F0
RVA: B8FFC
Size: 750

Click IAT resolver; the length should be 118 now.

Close Olly, open the original notepad.exe with PEditor and have a look at the size of image, 12A000; enter it into RVA at ReVirgin under IT Values + generator. Click on generate.

Select your dumped file and save the table as dump.bin or whatever else, lol.

Open the .bin and the dumped exe file in a hex editor and select the first 4 bytes from the .bin file. Copy them to the clipboard and search for them in your dumped.exe; you will gladly have a result at 12A000. Go back to your .bin file and press Ctrl+A to select everything, now Ctrl+C.

Back in your dumped.exe, go before your bytes 18A1, hold the left mouse button and scroll down until the end of the file.
Now press Ctrl+V to paste your IAT and replace the old one.

Save your dumped.exe again. Exit your hex editor.

Open your dumped.exe file with PEditor and change the OEP to 913F0.

Open Sections and look at the raw offset of text and code.

Change your Base of Code to: 1000
Change your Base of Data to: C6000

Save, exit, done.
=======================================

Problem: Doesn't work, so YOU should help :P

Open with Olly: OK, all seems fine..

Start: Bang! msacm32.drv -> "Corrupted Stand alone file (1)"

There must be a CRC check somewhere.



- I had a look at 43148B where it shows "STANDALONE", a form from MMBuilder as well...

Zilot
April 12th, 2003, 03:59
Part 1

Yes, this is Petite, but I don't know which version because I've never had business with it, and now I was intrigued.

OEP is 4913F0 and it was pretty easy to find. Even PEiD could do that.

And after fixing the IAT (which again was very easy to find) everything seemed OK. But after starting, there were several ugly messages. Something about a standalone file.

There was maybe a possibility to inspect the conditions for jumping over the message boxes with the warning, but after some time I realized that it is a useless business.

What is the tricky part? I don't know if anyone noticed that ImpREC won't work if CD-Shield runs????? (That was the case with me) and that was maybe the first trap. And then I started to think about what that standalone could be. And got him. The protected file has one section at the end, but it is not marked, and it starts at

Section start -----------> B6600

and ends at

Section end ------------>173931

Zilot
April 12th, 2003, 04:07
Part 2

And the unpacker checks for information stored there. And it doesn't check a particular address; it just takes the end of the file, and that is the base address for further checks. Why does it do that? Because the cracker will, as usual, attach the IAT at the end of the file, and then there will for sure be an error while the unpacked program works. But also in the dump that part wasn't saved. So everything that must be done is to save that section to disk (with LordPE); first, of course, you have to add a section header in the original file with size = BD332 and start at B6600.

After that, in the dump with the IAT fixed as usual, you just have to load the new section from the disk where you previously saved it. And after that, BUM!!
The proggie is working, but it is still unregistered.


BTW, there is no CRC or so.

Here is the section I talked about.

Soldat
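The two pieces of arithmetic this thread turns on are ImpREC's OEP RVA (4913F0 - 400000 = 913F0 in Shoob's post) and the unmarked data sitting past the last section that Zilot describes, which a sections-only dump silently drops. The following is an added Python example, not code from the thread or from CD-Shield: it walks the PE section table, reports any bytes after the last section's raw data as an overlay, and appends the original file's overlay to a dump so that offsets computed backwards from the end of the file land where they did originally. The sample PE, its section layout and the "STANDALONE" blob are constructed here for the demonstration; the real file's offsets (B6600..173931) are not reproduced, and the graft helper assumes the dump's last section ends exactly at the end of the dump file.

```python
"""Added example (not from the thread): find the unmarked data a protector
leaves past the last PE section, and carry it over to an unpacked dump.

Pure standard library; runs on a small constructed 32-bit PE built below."""
import struct


def parse_pe(data):
    """Return (image_base, entry_rva, sections) for a PE32 or PE32+ image.

    Offsets follow the PE/COFF header layout; a malformed file raises
    ValueError instead of being guessed at."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    if magic == 0x10B:            # PE32: ImageBase is a DWORD at +28
        image_base, = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:          # PE32+: ImageBase is a QWORD at +24
        image_base, = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i          # section headers follow the optional header
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<4I", data, off + 8)
        sections.append(dict(name=name, vsize=vsize, va=va,
                             raw_size=raw_size, raw_ptr=raw_ptr))
    return image_base, entry_rva, sections


def va_to_rva(va, image_base):
    """The arithmetic ImpREC wants: OEP RVA = VA - ImageBase (4913F0 - 400000 = 913F0)."""
    return va - image_base


def find_overlay(data):
    """Return (start, end) of the bytes after the last section's raw data, or None.

    This is the 'unmarked section' a section-header walk does not show;
    a dumper that only writes mapped sections drops it."""
    _, _, sections = parse_pe(data)
    end = max((s["raw_ptr"] + s["raw_size"] for s in sections), default=0)
    return (end, len(data)) if len(data) > end else None


def graft_overlay(dump, original):
    """Append the original file's overlay to an unpacked dump.

    Keeping the overlay as the final bytes preserves offsets the program
    computes backwards from the end of the file; anything appended after it
    (a rebuilt import section, say) would shift them."""
    span = find_overlay(original)
    if span is None:
        return dump
    start, end = span
    return dump + original[start:end]


def build_sample_pe():
    """Constructed sample: one .text section at file offset 0x200, then a 0x40-byte overlay."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                     # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)               # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)               # SizeOfImage, SizeOfHeaders
    text_hdr = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000,
                           0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text_hdr).ljust(0x200, b"\0")
    text = b"\xC3".ljust(0x200, b"\0")                            # a single ret
    overlay = b"STANDALONE:constructed-config-blob".ljust(0x40, b"\0")  # constructed data
    return headers + text + overlay


if __name__ == "__main__":
    sample = build_sample_pe()
    base, oep_rva, secs = parse_pe(sample)
    print("sections:", [(s["name"], hex(s["raw_ptr"]), hex(s["raw_size"])) for s in secs])
    print("overlay:", tuple(map(hex, find_overlay(sample))))
    print("OEP RVA for VA 4913F0 with base 400000:", hex(va_to_rva(0x4913F0, 0x400000)))
    dump = sample[:0x400]   # what a sections-only dumper would write
    print("dump has overlay:", find_overlay(dump) is not None,
          "-> after graft:", find_overlay(graft_overlay(dump, sample)) is not None)
```

Run it on a real protected file by replacing `build_sample_pe()` with the file's bytes: a non-empty overlay is the first thing to check when a dump with a clean IAT still complains about a corrupted or missing standalone file.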

Zilot
April 12th, 2003, 04:11
Section is split

Part 1

Zilot
April 12th, 2003, 04:13
Part 2

Zilot
April 12th, 2003, 04:15
Part 3

Zilot
April 12th, 2003, 04:17
Part 4

(no more)

Shoob
April 13th, 2003, 04:15
Quote:
but is not marked and it starts at

Section start -----------> B6600

and ends at

Section end ------------>173931


I've only got the XX and CD-Shield sections; what do you mean with one section? I don't see any unmarked section.

Zilot
April 13th, 2003, 09:40
You have to add a new section header with the above borders, and that is what I attached. You can do it as I said with LordPE, and after that you'll have _NewSection after CD-Shield; this new one is actually unmarked, and you have to mark it just to load it to the HDD.

Soldat