TryMedia


Hopcode
October 20th, 2003, 18:33
Hello guys,

I have downloaded a game from Trygames dot com and it uses the TryMedia protection system (I did this on purpose to test the protector).

I took m*n*p*ly because it's the smallest one. It has interesting code.
I have been able to dump at the OEP and rebuild the IAT.

A quick search on the forum tells me it might emulate APIs as well.
Hmm, apparently some code is missing in my dump too.

If anyone wants to check it out, we could work on this as a mini project or something.

Me is tired of Asprotect

Regards,

Hopcode

PS: I read the FAQ and all that; it's not a request, it's just some information and, why not, some cooperative work.

Hopcode
October 24th, 2003, 14:50
No one cares about a PE wrapper which hasn't been taken apart yet?
You can grab a smaller game from the site, though.
The protection has interesting features.

HopCode

dELTA
October 24th, 2003, 21:39
People would most likely be much more interested if you started off the whole "apart-taking" with some nice facts from your own analysis...

JMI
October 24th, 2003, 23:09
As in "Here's where I've gotten with the project" likely would be a good start.

Regards.

Iwarez
October 25th, 2003, 12:05
What I discovered this far is that when I run the program with a command line, in my case --MPRMMGVA--, the program yells that I'm using a debugger whatever I do. How it detects my debugger is still unclear to me.

Iwarez
October 25th, 2003, 18:02
Ok, this is sick... This protector reads the import table by itself, effectively bypassing GetProcAddress. It just walks the import table of kernel32 until it finds what it needs (WinExec). I still haven't found out, though, how it finds my debugger.

Hopcode
October 25th, 2003, 20:17
Quote:
[Originally Posted by Iwarez]Ok, this is sick... This protector reads the import table by itself, effectively bypassing GetProcAddress. It just walks the import table of kernel32 until it finds what it needs (WinExec). I still haven't found out, though, how it finds my debugger.


Yes, it actually runs itself using WinExec.
You can't put a bpx on it because it copies the bytes at this API entry point to some place and adds a jmp to the rest of the API after.
If you bpx it, it will copy your int 3.

Anyway, it runs itself with the new command line (like you mentioned) and closes the first process. Then the anti-debugging code starts.
Use IceExt to hide SICE.

Finding its entry point and rebuilding the IAT is not much of a problem.
Then you will notice that it does FF25 / FF15 mangling.

I.e., rather than doing an FF15 to call an API, the protected app will call
a subroutine in the protector which has some obfuscation and will end up
calling the right IAT slot, but the code has been patched.

So once you have rebuilt your IAT, you have to find a way to patch the calls back to FF15.

FF15 becomes 90E8 protector addy (nop, call).

I'm stuck there for now. I need to find a way to rebuild that.

Btw, unlike SafeDisc, there is a protector addy per API; it's not just one address handling every mangled call, so you can't just patch it and make it do all the job for you. There are too many of those to do it by hand.

Hope this little info makes you guys want to look at it.

Regards,

Hopcode

evaluator
October 26th, 2003, 02:10
Far_Call & Far_Jump mangling is an old cool thing.
For example, Yado's Krypton does it
(I tried a contest for it, but nobody responded).
Also XTreamLok I can remember here.
Now asSpr decides to include this "newest" technique.

As for restoring, all is simple.
You need to write some snippet of code for restoring calls.
Activate your fantasy.


PS
I have some bad remembrance of you?

Iwarez
October 26th, 2003, 03:17
Do you say that when I run the app with the command line already attached, I can bypass the debugger detection by hand? I was thinking the wrong way then, because I thought the app would not execute WinExec when there was no debugger.

Hopcode
October 26th, 2003, 09:18
Quote:
[Originally Posted by evaluator]Far_Call & Far_Jump mangling is an old cool thing.
For example, Yado's Krypton does it
(I tried a contest for it, but nobody responded).
Also XTreamLok I can remember here.
Now asSpr decides to include this "newest" technique.

As for restoring, all is simple.
You need to write some snippet of code for restoring calls.
Activate your fantasy.


PS
I have some bad remembrance of you?


Howdy,

I know that it is not new at all.
SafeDisc uses this too. This is the "good" way to do it if you redirect the IAT, because
even with tools such as ImpRec your app is still not ready.
Anyway, while some protectors will mangle those to always call the same
subroutine that will land on the right API (and where you can easily patch in your own code to rebuild everything in a single run), here each API is called from a different subroutine inside the protector.
Not all FF15/FF25 are mangled, though.

Here is a sample:

90E814119500 (one bogus example)

At 951114 you will find some obfuscation that uses a lot of jmps to jump
around the protector code, and you will eventually end up at
the real FF15 IAT slot. But then you will have other obfuscation and apparently
that's where it crashes; maybe there is some initialised shit that gets tested
and, as it is a dump, it detects it and crashes. No idea yet.

So once you have found it, you just have to copy that to the location of the
90E8 etc.

Then you have rebuilt the API.

But you have to do this for every mangled one.
And moreover, you have to be able to track where it will have to be patched,
and with the right bytes, while there is some crap obfuscation.

How would you attack this? Write a simple tool that browses the dump to
find the mangled calls and jumps into the protector, looking for FF15 bytes?
Might be dodgy, because you might find some other redirected API before the right one.
Maybe an IDA script could do the trick, I'm not sure.
It's not like the mangled ones were already calling the right places;
you would just have to find them and patch them back with the right calling stuff.

Any idea on this matter? I mean, a killer idea.

As for the bad remembrance of me, I think it's because we never actually talked together. I used to look at Asprotect back in the day, though.

See you guys later,

HopCode
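
The FF15 to 90E8 rewrite and the "simple tool" idea above, as an added Python example that is not from the thread or from the protector: it mangles a constructed code snippet the way the post describes (one stub per API), then flags 90 E8 sites whose target lands in the protector region and puts the FF15 calls back. The addresses, the stub shape (a plain jmp [slot]) and the sample bytes are assumptions; the real stubs are obfuscated with jmp chains, which this does not follow.

```python
import struct
# Constructed toy layout (assumed, not the real game's addresses): code section,
# IAT slots, and the protector stub region that the mangled calls land in.
CODE_BASE, IAT_BASE, STUB_BASE = 0x401000, 0x405000, 0x951000

def build_stub(slot):
    # Toy stub: a single 'jmp dword ptr [slot]' (FF 25 <slot>); the real one chains jmps.
    return b"\xFF\x25" + struct.pack("<I", slot)

def mangle(code, iat_slots):
    """Rewrite each 'call [slot]' (FF 15 <slot>, 6 bytes) into 'nop; call stub' (90 E8 <rel32>, 6 bytes)."""
    code, stubs, stub_of, i = bytearray(code), bytearray(), {}, 0
    while i < len(code) - 5:
        if code[i] == 0xFF and code[i + 1] == 0x15:
            slot = struct.unpack_from("<I", code, i + 2)[0]
            if slot in iat_slots:
                if slot not in stub_of:            # first use of this API: emit its own stub
                    stub_of[slot] = STUB_BASE + len(stubs)
                    stubs += build_stub(slot)
                rel = stub_of[slot] - (CODE_BASE + i + 6)   # E8 is relative to the next insn
                code[i:i + 6] = b"\x90\xE8" + struct.pack("<i", rel)
                i += 6
                continue
        i += 1
    return bytes(code), bytes(stubs)

def find_mangled_calls(code, stub_lo, stub_hi):
    """Heuristic from the thread: flag 90 E8 sites whose call target lies in the protector."""
    hits = []
    for i in range(len(code) - 5):
        if code[i] == 0x90 and code[i + 1] == 0xE8:
            target = CODE_BASE + i + 6 + struct.unpack_from("<i", code, i + 2)[0]
            if stub_lo <= target < stub_hi:
                hits.append((CODE_BASE + i, target))
    return hits

def restore(code, stubs):
    """Follow each flagged call into its stub, read the slot it jumps through, rewrite FF 15 <slot>."""
    code = bytearray(code)
    for site, target in find_mangled_calls(code, STUB_BASE, STUB_BASE + len(stubs)):
        off = target - STUB_BASE
        if stubs[off:off + 2] != b"\xFF\x25":
            continue                               # unrecognised stub: leave it for manual analysis
        slot = struct.unpack_from("<I", stubs, off + 2)[0]
        code[site - CODE_BASE:site - CODE_BASE + 6] = b"\xFF\x15" + struct.pack("<I", slot)
    return bytes(code)

# Constructed sample: push ebp / mov ebp,esp, calls through two IAT slots, a repeat of the first, ret.
CALL_A, CALL_B = b"\xFF\x15" + struct.pack("<I", IAT_BASE), b"\xFF\x15" + struct.pack("<I", IAT_BASE + 4)
ORIGINAL = b"\x55\x8B\xEC" + CALL_A + b"\x33\xC0" + CALL_B + CALL_A + b"\xC3"
```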

Hopcode
October 26th, 2003, 09:23
Quote:
[Originally Posted by Iwarez]Do you say that when I run the app with the command line already attached, I can bypass the debugger detection by hand? I was thinking the wrong way then, because I thought the app would not execute WinExec when there was no debugger.


I don't think you will bypass the debugger detection.
It actually uses WinExec to run itself a second time and _then_, inside the new process, it checks the command line (i.e., am I the first or second process) and then starts the debugger checks.
Maybe it's to break some debuggers, like Olly. Dunno.

Use IceExt on NTice and you will be well hidden.

Hopcode
October 26th, 2003, 09:29
Quote:
[Originally Posted by evaluator]Far_Call & Far_Jump mangling is old cool thing.
ps
i have some bad remembrance on you?


Why don't you grab Lem*nade Tyc*on on TryG*mes dot com?
It's a 4 MB game and has the protection in it.
The protection is about the same in every game; it's just to analyse the packer and have fun with "new" material.

Enjoy musicboy

evaluator
October 26th, 2003, 12:45
I downloaded from there the game "Ch*** **omp Safari" (2 MB) &..
LOL, it is UPX-packed & then protected.

Are you sure your Lem*nade is not also UPX-ed?

Hopcode
October 26th, 2003, 14:51
Quote:
[Originally Posted by evaluator]I downloaded from there the game "Ch*** **omp Safari" (2 MB) &..
LOL, it is UPX-packed & then protected.

Are you sure your Lem*nade is not also UPX-ed?


I didn't notice it myself, but I heard they all do.
Anything so far on your side?
I haven't looked at it since then; I will look at the game you grabbed and see if it looks
like Monopoly.

Let us know if you found a way to rebuild it intelligently.

sir hopcode

evaluator
October 27th, 2003, 10:00
Eh, this stupid L******* is also UPX-ed.
I unprotected my Chopm** on the UPX level.
The IAT is absolutely normal.

That code in the original rdata section
should be the protector's module [ampestub.exe],
which probably contains some functions required for the program
(these can be trial functions, can be some util functions).
You must analyze each func if you decide to remove them.
Mostly not needed.
Better try replacing junk instructions with NOPs
for easy disasm, analysis, crk.

*****
>>Let us know if you found a way to rebuild it intelligently.
Yes-Yes!
Sure, it is my life's main dream
to find intelligent ways for you ~8-)

evaluator
October 27th, 2003, 10:45
Hey!
The main code is FlashPlayer~:0;
only now I just viewed the resources.
So this prog is UPX-ed FlashPla.exe+ampestub.exe
[ampe ~ Active Mark Protection Engine!?]

Yep, so the raw data attached at the end should be Flash!?
& TryMedia games are just Flash games!?

It's terrible... if so, we need to extract the Flash as the final unprotecting step.

Hopcode
October 27th, 2003, 15:05
>Eh, this stupid L******* is also UPX-ed.
>I unprotected my Chopm** on the UPX level.
>The IAT is absolutely normal.

Yes, this is no problem.

>That code in the original rdata section
>should be the protector's module [ampestub.exe],
>which probably contains some functions required for the program
>(these can be trial functions, can be some util functions).
>You must analyze each func if you decide to remove them.
>Mostly not needed.
>Better try replacing junk instructions with NOPs
>for easy disasm, analysis, crk.

Well, if you looked carefully, you will see that those subs
are called from inside the program, in places where you should have seen
a CALL API (FF15). Rather, they will just nop + call a sub in the section,
and there they will call the real API.

>Yes-Yes!
>Sure, it is my life's main dream
>to find intelligent ways for you ~8-)

Hahaha, how funny.
I knew you were dedicated to me, but I didn't know it was your main dream ;-)

Hopcode
October 27th, 2003, 15:09
Quote:
[Originally Posted by evaluator]Hey!
The main code is FlashPlayer~:0;
only now I just viewed the resources.
So this prog is UPX-ed FlashPla.exe+ampestub.exe
[ampe ~ Active Mark Protection Engine!?]

Yep, so the raw data attached at the end should be Flash!?
& TryMedia games are just Flash games!?

It's terrible... if so, we need to extract the Flash as the final unprotecting step.


No, TryMedia games can be anything.
The one you chose is a Flash game, but Lemonade isn't.
Monopoly and Worms Armageddon aren't either.
It's a wrapper to protect any kind of executable.

So they use UPX to compress the files... interesting.
Where did you see a reference to "ampe" inside the protected exe?

And yes, it's gotta be Active Mark Protection Engine.
We have to find a way to remove this piece of crap.
The UPX part is not a problem at all.
Hmm, what did they really do?
Add anti-debugger code on top of UPX?

Hopcode

buntus
October 28th, 2003, 16:21
Quote:
[Originally Posted by Hopcode]Hmm, what did they really do?
Add anti-debugger code on top of UPX?

Hopcode


Afaik they compress their shit with UPX. The ampestub.exe string you can find if you dump the process. The original PE header is in the file as well. I already posted all of this a month ago; you can even find in memory the list of APIs they will "protect" and some translation table. Check back: http://www.woodmann.com/forum/showthread.php?t=4639&highlight=trymedia