Looks like something really NEW !!!!!
Zilot
January 23rd, 2004, 09:06
Hi !!!!!
I've never seen this kind of protection before. It makes temporary files, then executes them, and afterwards cleans all of them up. Plus, the main process is being debugged, which looks like something pretty new. PEiD says nothing more than common C++. Do you believe that maybe it is?
At first I thought it was Armadillo, but could Armadillo evolve in such a short time? I don't believe so. One file in the directory is protected with Armadillo; actually it is not protected, just packed (there is no CopyMem).
Try this bone yourself. I needed several hours to domesticate it. If anyone has a problem I can attach my files. Maybe they will only work under Win2k, I don't know.
The program is BulletProofSoft.com's SpywareRemover, a real challenge.
lmth.ndrs\moc.tfosoorptellub.www\\: ptth
Zilot
arz
January 23rd, 2004, 09:43
If I remember correctly they use (not Softwrap) Trialmaster. Dump it after the nag and it should be a fully working app.
Plenty of tuts on the web.
Sorry for the wrong first info, just found my old notes on CD...
arz
January 23rd, 2004, 11:29
Just tested it, still the same...
Nothing to learn doing it this way, but then it's a pretty lame protection if it can be unpacked quicker than some take to load.
UNWRAPPING:
Start Target.exe
At the Trialmaster nag screen, enter SI and BPX WriteProcessMemory
F5 out of SI
Click the 'Continue Trial' button on the nag
F5 seven times (after each break in SI)
At the next (final) break, F12 to return to the 45r343e8.dll thread
Replace the TEST EAX,EAX with JMP EIP (i.e. A EIP, JMP EIP)
F5 and full dump the process (something like 45r343e8.dll) with LordPE as dump.exe
Back in SI put back the TEST EAX,EAX
F5 to exit SI
No need to rebuild the imports as the OriginalFirstThunk is intact and valid, only the FirstThunk points to memory (MSVBVM60)
dump.exe should now run as it's the full unwrapped prog
Zilot
January 23rd, 2004, 12:08
Shit, PEiD screwed me up. Shit again.
I had to find my own way to defeat this, instead of reading a 2-minute tut.
Anyway, thanks for the reply.
Zilot
January 23rd, 2004, 12:40
This one is from the prehistoric age (1 minute to fix); even the OEP is valid in dumped.exe. And I thought it was something new and spent a lot of time on a completely different approach.
However the idea is very good, and with a little work it could be an excellent protector. Thank God they didn't realise that.
nikolatesla20
January 23rd, 2004, 13:17
hehe, sorry it didn't work out for you
It's a hard lesson to learn - trying not to overthink or overestimate the protection, but over time you get more conservative and more methodical in your approach to a new target. Especially after you learn most of the "tricks" protections use.
Usually the IAT is step one for me, to see how advanced the protector is. First I just put a BPX on any usual entry API (GetVersion, etc.) and when it breaks I look around in memory for an IAT structure... then I just dump the proggie anyway and paste in any IAT I was able to find, so I can disasm it with WinDasm; this can lead me to the OEP... sorta like a test dump.
Anyway, you can usually tell by the IAT how "good" a protector is.
-nt20
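The OriginalFirstThunk/FirstThunk distinction arz relies on above (imports need no rebuild when the OFT is intact while the FirstThunk slots already hold resolved addresses) and the IAT inspection nikolatesla20 describes can both be checked mechanically. The following is an added example, not code from this thread: a Python audit of a PE32 import table that reports, per DLL, whether the OriginalFirstThunk still holds valid hint/name RVAs and whether the FirstThunk (IAT) slots have been bound to addresses outside the image, as they are in a process dump. The image produced by build_sample and its single MSVBVM60 import are constructed for the demonstration, and the image is assumed to be laid out as in memory (RVA == offset).

```python
import struct

u32 = lambda b, o: struct.unpack_from("<I", b, o)[0]

def _oft_ok(image, rva, size):
    # OriginalFirstThunk: every entry must be an ordinal or an RVA of a hint/name record in-image
    while (v := u32(image, rva)) != 0:
        if not (v & 0x80000000) and not (0 < v < size):
            return False
        rva += 4
    return True

def _ft_bound(image, rva, base, size):
    # FirstThunk (IAT): every slot holds an address outside this image, i.e. already resolved
    while (v := u32(image, rva)) != 0:
        if v < size or base <= v < base + size:
            return False
        rva += 4
    return True

def audit_imports(image):
    """Audit imports of a PE32 image laid out as in memory (RVA == offset, e.g. a full process dump)."""
    pe = u32(image, 0x3C)                                    # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0" or struct.unpack_from("<H", image, pe + 24)[0] != 0x10B:
        raise ValueError("not a PE32 image")
    opt = pe + 24                                            # optional header
    base, size = u32(image, opt + 28), u32(image, opt + 56)  # ImageBase, SizeOfImage
    desc, result = u32(image, opt + 96 + 8), {}              # data directory 1 = import table
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", image, desc)
        if oft == 0 and name_rva == 0 and ft == 0:           # all-zero terminator
            break
        dll = image[name_rva:image.index(b"\0", name_rva)].decode()
        result[dll] = {"oft_ok": oft != 0 and _oft_ok(image, oft, size),
                       "ft_bound": _ft_bound(image, ft, base, size)}
        desc += 20
    return result

def build_sample(bound):
    """Constructed minimal PE32 image (not a real program) importing one MSVBVM60 API."""
    img = bytearray(0x2000)
    img[:2], img[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x80)                      # e_lfanew
    opt = 0x80 + 24
    struct.pack_into("<H", img, opt, 0x10B)                      # PE32 magic
    struct.pack_into("<I", img, opt + 28, 0x400000)              # ImageBase
    struct.pack_into("<I", img, opt + 56, 0x2000)                # SizeOfImage
    struct.pack_into("<II", img, opt + 96 + 8, 0x1000, 20)       # import directory RVA/size
    struct.pack_into("<IIIII", img, 0x1000, 0x1100, 0, 0, 0x1200, 0x1300)  # one descriptor
    img[0x1200:0x1209], img[0x1210:0x121C] = b"MSVBVM60\0", b"\0\0__vbaNew2\0"
    struct.pack_into("<I", img, 0x1100, 0x1210)                  # OFT -> hint/name record
    struct.pack_into("<I", img, 0x1300, 0x66001234 if bound else 0x1210)  # IAT slot: bound or RVA
    return bytes(img)
```

A dump whose DLLs all report oft_ok is loadable as-is because the loader re-resolves the IAT from the OriginalFirstThunk; a dump with oft_ok False needs its import table rebuilt.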
evaluator
January 23rd, 2004, 13:48
bleh, so should I put this 7MB straight in the trash?
Or is this prog somehow useful??
arz
January 23rd, 2004, 14:51
"And I thought it was something new and spent a lot of time on a completely different approach."
heh, I feel a little guilty now....