
unpack me


girl
April 18th, 2004, 19:22
unpack it
I'm a chinaese gril
help me

thankyou

esther
April 18th, 2004, 21:08
*sigh* Do you think ppl here will believe you are a girl?

Woodmann
April 18th, 2004, 21:13
Errrrrrrrrrrrrr........

Most women would not make so many spelling errors

Woodmann

girl
April 18th, 2004, 21:15
sorry!
why????
this is a new Protector.
I can't unpack it.

help me

girl
April 18th, 2004, 21:16
I'm a Chinese girl (cracker) ---------TRUE.

esther
April 18th, 2004, 21:18
Most women would be sharp enough to read the FAQ before posting here.

girl
April 18th, 2004, 21:29
to esther

what do you mean?

esther
April 18th, 2004, 21:33
http://www.woodmann.net/fravia/rce-faq.htm

*sigh* you aren't a girl after all

Woodmann
April 18th, 2004, 21:37
Howdy,

What exactly are you looking for ?

So what if I have it unpacked....now what ?

You need to include more information.

Woodmann

girl
April 18th, 2004, 21:42
sorry !!!!!!!!
My English is very poor.
can't express my thought.
sorry!!!!!!!!

esther
April 18th, 2004, 21:47
You need to show what you have done before ppl can help you, that's what Woodmann means.

girl
April 18th, 2004, 22:08
to esther
thank you

evaluator
April 19th, 2004, 08:44
hi, "girl"

I have 3 questions:

1. Why do you need to unpack it?
2. Why do we need to unpack it?
3. What is the protector's name? (Is it your protector?)

esther
April 19th, 2004, 09:33
1. Why do you need to unpack it?

For fun and laughter

2. Why do we need to unpack it?

To help her to unpack it, if you succeed in unpacking it she'll give you a kiss LOL

3. What is the protector's name? (Is it your protector?)

Dunno, it doesn't run in my win2k, maybe because I have SoftICE installed

Update:

It doesn't run even with SoftICE disabled, maybe compatibility issues

girl
April 20th, 2004, 01:47
Protector's name: SDProtector v1.10 (Chinese).
You can run it on XP.
I'm a cracker, I want to unpack this.
thank you.
my msn: mm@digitalnuke.com

welcome

if you unpack it I'll give you a kiss.

thanks!!!

evaluator
April 20th, 2004, 09:55
esther, you have AMD!?

Mrklippel
April 20th, 2004, 11:32
Quote:
[Originally Posted by esther]1. Why do you need to unpack it?

For fun and laughter

2. Why do we need to unpack it?

To help her to unpack it, if you succeed in unpacking it she'll give you a kiss LOL

3. What is the protector's name? (Is it your protector?)

Dunno, it doesn't run in my win2k, maybe because I have SoftICE installed

Update:

It doesn't run even with SoftICE disabled, maybe compatibility issues

mmm, it is a weird kind of protection...
I cannot attach to it with Olly.
If I start this app, and then start Olly..
Olly closes and the app closes....

evaluator
April 20th, 2004, 16:29
This is a newer version of SoftDefender.
It checks for program file names, program window class names etc..
Rename all in Olly or in SIce & try it so.

{Sturm}
April 21st, 2004, 17:38
Well, I've tried running it with Olly after renaming everything and it still detected it and closed before even unpacking anything :|
Anyone had any luck?
It also seems to have some sort of CRC check, maybe to check the integrity of the program to see if you put some breakpoints....
Not sure how it checks for the presence of a debugger tho..

%UNDEFINED%
April 21st, 2004, 21:30
Interesting protection, I have never had the pleasure of examining it before now.

I tried protecting my own target and single stepping through it

It detected me using a stack trick...I am pretty sure at least

http://d-jester1.tripod.com/Exit__.png

http://d-jester1.tripod.com/stacktrick.png

URLs are case sensitive

Sorry I couldn't be more help

{Sturm}
April 21st, 2004, 22:39
Yeah, I did the exact same thing... downloaded the demo and protected my own target...
However I'm not sure about the trick used... I'm still really a newbie at all this, so I'm not sure I understand that stack trick??
When single stepping through I have also found that the loop seemed a bit suspect.... and also some places you can put breakpoints, other places you can't, because it checks for modifications to the program :/

Interesting target... makes me wonder what's up next after bypassing this first trick

evaluator
April 22nd, 2004, 13:15
Don't forget, it creates a second process, the first exits, passing in the tmp file time;
many TickCount checks, again a not_correct check for single-step tracing;
(self-overwriting REP_MOVS, some earlier AMDs will always fail)
there can be some more checks for a Ring3 debugger, then the IsDebugger byte.
Will look later.

upb
April 22nd, 2004, 16:16
HI!

I found a nice anti-OllyDbg-tracing trick at the very start of the program:

SDPI:0106B046 push large dword ptr fs:0
At this point, the last SEH handler will be circular, by which I mean that the pointer-to-next-handler member in the structure will reference the same last SEH handler struct. And this somehow fucks up Olly's ability to single step through the code; Olly will be caught in a 100% CPU hogging loop.

The same thing can be done with these instructions (the protector used 26):
Code:
push dword ptr fs:[0]    ; save current head of the SEH chain on the stack
push esp                 ; push address of that saved value (becomes the Next field)
sub dword ptr [esp], 4   ; Next now points at the record itself -> circular chain
mov fs:[0], esp          ; <- olly v 1.08b will hang after single stepping this
pop eax                  ; discard the fake record (eax = its own address)
pop dword ptr fs:[0]     ; restore the original head of the SEH chain
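Added example (not upb's code, and no Windows headers involved): a plain C model of the EXCEPTION_REGISTRATION_RECORD chain that the six instructions above produce, with a chain walker that uses tortoise/hare cycle detection so a tool that enumerates SEH handlers reports the self-referencing record instead of spinning forever. The fs:[0] head is modelled as a global, the handler values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Layout of EXCEPTION_REGISTRATION_RECORD: Next, then Handler. */
typedef struct exc_reg {
    struct exc_reg *next;    /* pointer-to-next-handler member */
    void           *handler; /* handler address (or whatever was pushed) */
} exc_reg_t;

#define END_OF_CHAIN ((exc_reg_t *)(uintptr_t)UINTPTR_MAX) /* 0xFFFFFFFF */

static exc_reg_t *fs0; /* stands in for fs:[0] */

/* Walk the chain. Returns the record count, or -1 if the chain loops.
 * Floyd's tortoise/hare: the hare advances two records per step, the
 * tortoise one; they meet only if a cycle exists. */
int seh_chain_len(const exc_reg_t *head) {
    const exc_reg_t *slow = head, *fast = head;
    int n = 0;
    while (fast != END_OF_CHAIN && fast != NULL) {
        fast = fast->next; n++;
        if (fast == END_OF_CHAIN || fast == NULL) break;
        fast = fast->next; n++;
        slow = slow->next;
        if (slow == fast) return -1;   /* naive walker would never finish */
    }
    return n;
}

/* Same effect as the asm: rec->next = rec, handler slot = old fs:[0]. */
exc_reg_t *install_circular(exc_reg_t *rec) {
    exc_reg_t *old = fs0;         /* push dword ptr fs:[0] */
    rec->next = rec;              /* push esp / sub [esp],4 */
    rec->handler = (void *)old;
    fs0 = rec;                    /* mov fs:[0], esp */
    return old;
}

/* Two-record chain, then the trick, then the restore. Returns 1 if a
 * walker sees 2, then a cycle, then 2 again. */
int demo(void) {
    exc_reg_t b = { END_OF_CHAIN, (void *)0x2222 }; /* constructed */
    exc_reg_t a = { &b, (void *)0x1111 };           /* constructed */
    exc_reg_t trick;
    fs0 = &a;
    if (seh_chain_len(fs0) != 2) return 0;
    exc_reg_t *saved = install_circular(&trick);
    if (seh_chain_len(fs0) != -1) return 0;
    if (trick.next != &trick || (exc_reg_t *)trick.handler != saved) return 0;
    fs0 = saved;                  /* pop dword ptr fs:[0] */
    return seh_chain_len(fs0) == 2;
}
```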

evaluator
April 23rd, 2004, 09:19
OK, in the decrypted protector section I see the API name ZwQueryInformationProcess;
on XP this breaks 2 times;
the second time this API is called with parameter 7; traced it..
So it works like IsDebuggerPresent, but gives info from the KPEB (Ring0 PEB);
so this is why it can detect Ring3 API debuggers;

{Sturm}
April 24th, 2004, 01:53
Quote:
[Originally Posted by evaluator]OK, in the decrypted protector section I see the API name ZwQueryInformationProcess;
on XP this breaks 2 times;
the second time this API is called with parameter 7; traced it..
So it works like IsDebuggerPresent, but gives info from the KPEB (Ring0 PEB);
so this is why it can detect Ring3 API debuggers;


Well, thanks a lot... that was my big problem :| I just changed the jmp right after this API is called and the program runs fine... however I'm not sure I understand 100% how this works, I guess I'll just try to find more info on it.
Also, how did you end up setting a breakpoint on that API? Another common trick..??

JMI
April 24th, 2004, 04:47
Well perhaps he did a SEARCH of the Board, using "Debugger Detection", (without the quotes) and read nikolatesla20's post #6 [mentions the parameter "7"] and Kayaker's great comments in post #8 of this thread [mentioning "ZwQueryInformationProcess"]:

http://www.woodmann.com/forum/showthread.php?t=5140

or, maybe he read it when it was posted. Or maybe he taught Kayaker how it worked. Anyway, well worth the read, as Kayaker generally goes deeper into the code than others generally do. Must be because he spends so much time "gliding over the surface" [in his Kayak] every chance he gets.

Regards,

evaluator
April 24th, 2004, 07:42
Curious, but I tried searching for the word "ZwQueryInformationProcess", & search sucks,
because the word is too long?? Can you fix it?

So I discovered it myself, but in my mind I remembered that Kayaker once told something about it.

I set a BPX on this API & that's all folks.

{Sturm}
April 24th, 2004, 09:36
Well, this is really interesting, learning quite a few tricks...
It seems however that the protected notepad also has something else to detect Olly.
When I packed my own program I was able to run it fine by just changing the jump after the return of ZwQueryInformationProcess,
but for the protected notepad, since it's protected by the full version of SoftDefender, I guess it has a few more tricks..

nikolatesla20
April 25th, 2004, 23:40
LOL

SoftDefender is one of the best protectors out there currently in my opinion. I actually have an unpacker written for it, it's about 98% done, but too bad I'm not going to share my info right now... too busy with other things, and I didn't write everything down! But I have all my code to go by.

Basically the program writes out a tmp file, kills itself, then restarts itself, reads in the temp file, the current tick count is used in the temp file so if it takes too long, it kills itself again (to detect ring3 debug), also does LOTS of gettickcounts everywhere, as well as the nice ZwQueryInformationProcess. If you are a ring3 debugger tho you can override ALL of these calls and give the protection what it thinks it needs to keep working. Not that hard.

My unpacker fakes the whole temp file read and just feeds it bogus info LOL. Also, override GetTickCount and return a constant value always..piece of cake. Now just have to dump at OEP. Well, OEP is a little harder to find, because of stupid other checks, but it's easy manually, just hard automated. That's why I never finished yet, got busy with other things.

Definitely a nice protection.

I think I got far enough to do a program dump, but you'll have to find OEP yourself. If you have any skill at unpacking that shouldn't be too hard for you anyway. Imports as well, you should be able to do manually. The dump is always the hard part with this protection.

I wrote this a LONG time ago, so I have no idea if it works on current SoftDefender, but you are welcome to try it for the dump.

-nt20

Kayaker
April 26th, 2004, 03:23
Quote:
[Originally Posted by evaluator]Curious, but I tried searching for the word "ZwQueryInformationProcess", & search sucks,
because the word is too long?? Can you fix it?


Done. I increased the maximum search length from 20 to 30 characters and rebuilt the search index. ZwQueryInformationProcess or a wild card derivative of it shows up now.

This will increase our database size, but shouldn't be by too much, since the long words are mostly only APIs. Maybe we could up the length even a bit more, caretakers? (Did I break anything?)

Also, another method is to use the unrestricted search function of the Archive .chm file. The original thread can then be opened from the server by clicking on the thread title.


Here's a quiz that would actually help us here - what is the longest API or other reversing term that might be used in this forum?


Cheers,
Kayaker

dELTA
April 26th, 2004, 18:06
Well, one of the contestants might be the "Can anyone give me a SuperDuperMegaUnpackerCrackerPatcherThatWillDoEverythingForMeWithoutMeHavingAFrickinClueAboutWhatsGoingOnAtAll, please?".

evaluator
April 27th, 2004, 04:26
..from library "you_bastar.dll"?

fif, dirti delta..

girl
April 27th, 2004, 18:32
thank you