
Thinstall


Pyrae
July 31st, 2003, 19:39
Quote:

However, before I continue, I'm just wondering if anyone else has messed with Thinstall before? Are all the juicy parts of the code remotely executed, or downloaded? Or perhaps is it a simple data transfer? If someone else already knows they are remotely executed for sure, then it'll be pointless wasting time on this and I'll go find something else to play with.

The critical parts (packing routines) are certainly not executed remotely, as there's only very little traffic during the execution.
What I noticed at a quick glance I took at this target some time ago was that the dumped main exe had grown by about 20 KB after executing the protected functions. So it seems like this code has been transferred for usage. Maybe checking the network traffic with an appropriate tool while debugging might lead somewhere.

I know that nobody on this board releases his/her stuff,
but be aware that there might be some info (e.g. your IP) transferred and "integrated" into your dump that could make it possible to identify you.



regards,
Pyrae
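One way to follow up on both of the observations above (the dump growing by about 20 KB after the protected functions run, and the risk of identifying data such as your IP being written into the dump) is to diff a memory dump taken before the protected functions execute against one taken afterwards, and then scan only the newly written regions for ASCII IPv4 strings. The script below is an added example, not code from the thread or from Thinstall; the two dumps it compares are constructed inline to stand in for real process-memory dumps, and the region layout and the `ip=` string are assumptions made for the demonstration.

```python
import re

PAGE = 0x1000

# Constructed sample data (not real Thinstall memory): four pages that are empty
# before the protected functions run; afterwards a block of "code" plus an
# ASCII string carrying a documentation-range IP address has been written in.
def build_sample_dumps():
    before = bytearray(4 * PAGE)
    after = bytearray(before)
    after[0x2000:0x2040] = bytes(range(1, 0x41))            # transferred code stand-in
    after[0x2040:0x2060] = b"ip=203.0.113.7\0".ljust(0x20, b"\0")  # identifying string
    return bytes(before), bytes(after)


def changed_regions(before, after, min_gap=16):
    """Return [(start, end)] byte ranges (end exclusive) where the dumps differ.

    Differing bytes closer together than min_gap are merged into one region so a
    block of transferred code shows up as a single range rather than per byte.
    """
    if len(before) != len(after):
        raise ValueError("dumps must cover the same address range")
    regions = []
    start = last = None
    for i, (a, b) in enumerate(zip(before, after)):
        if a != b:
            if start is None:
                start = i
            elif i - last > min_gap:
                regions.append((start, last + 1))
                start = i
            last = i
    if start is not None:
        regions.append((start, last + 1))
    return regions


def grown_bytes(regions):
    """Total number of bytes that changed, i.e. roughly how much was transferred."""
    return sum(end - start for start, end in regions)


# Loose dotted-quad matcher; it will also match version-like strings, so treat
# hits as candidates to inspect, not proof.
IPV4_RE = re.compile(rb"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")


def find_ipv4_strings(data, regions):
    """Return [(offset, text)] for ASCII dotted-quad strings inside the given regions."""
    hits = []
    for start, end in regions:
        for m in IPV4_RE.finditer(data[start:end]):
            hits.append((start + m.start(), m.group().decode("ascii")))
    return hits


if __name__ == "__main__":
    before, after = build_sample_dumps()
    regions = changed_regions(before, after)
    for start, end in regions:
        print(f"changed: 0x{start:08x}-0x{end:08x} ({end - start} bytes)")
    print(f"total new/changed bytes: {grown_bytes(regions)}")
    for off, text in find_ipv4_strings(after, regions):
        print(f"possible identifying string at 0x{off:08x}: {text}")
```

In practice the two inputs would be raw dumps of the same address range taken with whatever dumper you are already using; diffing against a clean dump also tells you where to start disassembling the transferred code, since it is exactly the region that was empty beforehand.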

squidge
August 1st, 2003, 07:37
It seems that this exe/dll/data bundler has not been talked about at all. Any reason why? It seems like an interesting program.

Now, I've taken a look at this program, unpacked the support DLLs and EXE from the main program using OllyDbg, and am interested in this "remote execution" that they are talking about in the help file. I'm wondering if this is a bluff or for real, so I'm trying to reverse the app to find out.

Thinstall itself (when unbundled) seems to be protected using HASP (haspms32.dll, HASPUT16.DLL, HASP95DL.VXD if it matters) and fetches data over HTTPS (yup, secure web). The executables contained in the bundled file all have their PE headers zeroed, but it doesn't take more than 5 minutes to hand-craft new ones. They protect against other applications reading the process memory, but by launching the file via CreateProcess with the debug flags, I can access all the memory that way and dump it.

However, before I continue, I'm just wondering if anyone else has messed with Thinstall before? Are all the juicy parts of the code remotely executed, or downloaded? Or perhaps is it a simple data transfer? If someone else already knows they are remotely executed for sure, then it'll be pointless wasting time on this and I'll go find something else to play with.

evaluator
August 1st, 2003, 07:51
You mean it has a dongle, so we also need it
to unpack (so no help), or not?

squidge
August 1st, 2003, 09:15
It will run as the demo version if you are connected to the net, so the dongle isn't required for the demo version (which does everything the full version does, apart from limiting you to 14 days and showing a nag-screen).

evaluator
August 1st, 2003, 14:36
As I tested, this protection is very poor: it doesn't even strip the IT, at least.
So don't waste time on it.