Exeshield with a .net app


SiGiNT
July 27th, 2005, 23:45
There isn't a great deal of info that I can find on this one, but I do have an excellent tut from MaDMAn H3rCuL3s - everything follows perfectly until I set my breakpoints on WriteProcessMemory and VirtualProtectEx - the results I get indicate that I need to write a huge amount of code to the dumped tmp file - am I missing something here, or is this because I'm dealing with extremely bloated code? I've talked to a couple of people and one says only 4 bytes are all you need to write, the other says as much as a couple of KBytes, but they both say several Megs isn't possible - attached are target-censored views of Olly's tmp frame at both BPs - anybody have any pointers?

(I hate packers and child-proof containers - the good stuff is always hard to get to!)

SiGiNT

SiGiNT
July 27th, 2005, 23:46
Here's #2 -

SiGiNT

SiGiNT
July 29th, 2005, 12:38
No one has any idea? - I've done a lot more searching RE: this packer and considering there are freeware versions and pro versions available, I suspect we'll be seeing more of this one - here is what I've found out - at one forum the prevailing opinion is it cannot be unpacked - obviously that's a defeatist attitude that is usually wrong. At ART you can find 2 tuts, one of which I was following when the problem occurred - amongst the praise for MaDMAn's tut is a post that suggests all you need to do is get past the anti-debugging stuff and dump the .tmp file with PELord, no need to fix the IAT or anything else. Well, the anti-debugging is a simple window check, so after modifying PELord to remove the title, (sorry yoda!), I tried it but I receive a memory error - so I tried PE-Tools and was able to dump it, (but unable to resolve the oep), still no joy - anyone have any idea?

SiGiNT

nikolatesla20
July 29th, 2005, 15:18
Wait - if this is a .NET app, I mean, if it's written in C# or VB.NET, the first call should be to mscorlib.dll. It would look just like old VB5, it would have a push XXXXXXXX, and then a call to mscorlib.dll, wouldn't it? So really you just need to find that single mscorlib call and there's your OEP.

-nt20

SiGiNT
July 30th, 2005, 15:50
nt20,

This stupid POS has me between a rock and a hard place - I have learned a lot about the capabilities of Exeshield - this packer has available the full gamut of licensing and protection schemes: RSA128, RSA1024, dongle, trial period, reg code, license file, the whole ball of wax available to its potential users, none of them being employed here; it is a simple capabilities-reduced demo, hard coded in the .net app itself. The problem I'm having, and your suggestion is an excellent one, is IDA wants to decompile the dumped app, not disassemble it, so I've got lotsa refs to mscorlib but push is not part of the .net language; on the other hand w32dasm disassembles it but does not associate calls, so finding a call to mscorlib (with my limited knowledge of w32dasm anyway, IDA is my preference) is not possible. Olly wants to run the prog. with no pause at the EP - so I go straight into a nonrecoverable error and the app terminates, even if it's renamed with a non-executable extension. If anyone wants some good reading I've got a dump of the string refs from the fully decrypted packer - let me know and I'll post it.

Geesh, I always pick the fun ones - I think I'll go download WinZip and play around with it just to get my confidence back!

SiGiNT

nikolatesla20
July 30th, 2005, 20:57
Oops, I meant to say mscoree.dll is the first call, and it's a call to _CorExeMain. Looks like:

Code:

:00404747 6C insb
:00404748 6C insb
:00404749 0000000000 BYTE 5 DUP(0)

* Reference To: mscoree._CorExeMain, Ord:0000h
|

//******************** Program Entry Point ********
:0040474E FF2500204000 Jmp dword ptr [00402000]
:00404754 00000000000000000000 BYTE 10 DUP(0)
:0040475E 00000000000000000000 BYTE 10 DUP(0)
:00404768 00000000000000000000 BYTE 10 DUP(0)
:00404772 00000000000000000000 BYTE 10 DUP(0)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404735(C)
|
:0040477C 00000000000000000000 BYTE 10 DUP(0)

This is what the OEP looks like. A .NET app is still a normal PE file with some additional info tacked in. If you still can't find it, it may be that mscoree is the first import in the IAT table, so try focusing on the very first import.

-nt20
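As an added example (not code from this thread or from any tool named in it), the Python below does in a script what nt20 describes by eye: it parses a PE image from disk, reads AddressOfEntryPoint, and reports whether the entry point is the FF 25 jmp-through-IAT stub that lands inside the IAT directory next to a CLR runtime header. The sample image it builds is constructed for the demo; its RVAs (entry at 0x474E, IAT slot at 0x2000) mirror the listing above but are assumptions, and the check does not resolve the IAT slot back to the mscoree._CorExeMain import name, which a full triage tool would also do.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IAT = 12
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # CLR runtime header directory


def parse_pe(data):
    """Parse DOS, NT, optional and section headers of a PE image in on-disk layout."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    is_pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if is_pe32plus:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        num_dirs = struct.unpack_from("<I", data, opt + 108)[0]
        dd = opt + 112
    else:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        num_dirs = struct.unpack_from("<I", data, opt + 92)[0]
        dd = opt + 96
    dirs = [struct.unpack_from("<II", data, dd + 8 * i) for i in range(min(num_dirs, 16))]
    dirs += [(0, 0)] * (16 - len(dirs))
    sections = []
    for i in range(num_sections):
        s = opt + opt_size + 40 * i
        name = data[s:s + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, s + 8)
        sections.append((name, va, vsize, raw_ptr, raw_size))
    return {"pe32plus": is_pe32plus, "image_base": image_base,
            "entry_rva": entry_rva, "dirs": dirs, "sections": sections}


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table (None if unmapped)."""
    for _name, va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    return None


def classify_entry_point(data):
    """Report whether the PE entry point is a 32-bit managed stub: FF 25 <IAT slot>
    plus a CLR header. On PE32+ the absolute-address form does not apply, so only
    the CLR-header presence is reported there."""
    pe = parse_pe(data)
    iat_rva, iat_size = pe["dirs"][IMAGE_DIRECTORY_ENTRY_IAT]
    clr_rva, clr_size = pe["dirs"][IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR]
    info = {"entry_rva": pe["entry_rva"], "has_clr_header": clr_rva != 0 and clr_size != 0,
            "is_managed_ep_stub": False, "jmp_slot_rva": None}
    off = rva_to_offset(pe["sections"], pe["entry_rva"])
    if off is None or pe["pe32plus"]:
        return info
    stub = data[off:off + 6]
    if len(stub) == 6 and stub[:2] == b"\xff\x25":          # jmp dword ptr [abs32]
        slot_rva = struct.unpack_from("<I", stub, 2)[0] - pe["image_base"]
        info["jmp_slot_rva"] = slot_rva
        info["is_managed_ep_stub"] = (info["has_clr_header"]
                                      and iat_rva <= slot_rva < iat_rva + iat_size)
    return info


def build_sample_managed_pe():
    """Constructed minimal PE32 image (not a real binary): one .text section at RVA
    0x1000, IAT slot at RVA 0x2000, entry point 0x474E = FF 25 00204000, as in the listing."""
    image_base, sec_va, sec_raw, sec_size = 0x400000, 0x1000, 0x400, 0x4000
    body = bytearray(sec_size)
    ep_rva = 0x474E
    body[ep_rva - sec_va:ep_rva - sec_va + 6] = b"\xff\x25" + struct.pack("<I", image_base + 0x2000)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    nt = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, ep_rva)                      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)              # section / file alignment
    struct.pack_into("<II", opt, 56, sec_va + sec_size, sec_raw)  # SizeOfImage / SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IAT, 0x2000, 8)
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 72)
    sec = struct.pack("<8sIIIIIIHHI", b".text", sec_size, sec_va, sec_size, sec_raw,
                      0, 0, 0, 0, 0x60000020)
    headers = dos + nt + opt + sec
    return bytes(headers + bytes(sec_raw - len(headers)) + body)


if __name__ == "__main__":
    print(classify_entry_point(build_sample_managed_pe()))
```

Run it against a dumped image instead of the constructed one by passing open(path, "rb").read() to classify_entry_point; a dump whose entry point is not this stub, or whose CLR directory is zeroed, is a quick sign that the dump is still the packer's loader rather than the managed image.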

blabberer
August 1st, 2005, 05:42
olly wants to execute it without stopping in ep
well you can make it stop on ep if you mean the ep that is in peheader--> addr of entry point even if it inherently is not able to stop due to some reason

events--> pause on system break point
alt+f1
bp ZwSetInformationThread
hit ctrl+f9
you should be on a call[ebp+08] in kernel32.dll that always points to entry point

another almost sure fire way is to
view file-->your file go to peheader and find the address of entry point
use ctrl+g to go there (if it was 1000 and raw address is 400 use 400 on goto)
and change the bytes to ebfe (infinite jump)
there are some tricks like tls which can check this modification but it's rare
on loading this modified app it will just run and loop
hit f12 and pause ollydbg and change your bytes back to original

SiGiNT
August 2nd, 2005, 10:53
nt20,

Thanx for the tip, and of course you're correct - I can find the code at the bottom of the disassembly with a jmp directly to the beginning of the code, which is the address that Olly tells me is the oep - so 6 of one, 1/2 dozen, etc. blabberer, thanks for the tips, they'll be useful as I've pretty much come to the conclusion that it's necessary to clip and paste the huge amount of code that the tut indicates - now all I have to do is find the time to work on it! Again thanx! and I'll let you know how it works out.

SiGiNT

MaDMAn_H3rCuL3s
August 2nd, 2005, 11:11
well that is not entirely true..
obviously you read my tut on exeshield..
if you were to try it on the newer versions.. (that dvd app)
you would see (besides it being crippled) that only the first PUSH is needed to be replaced.. oh.. and also the tmp file is now named differently.. (because of the tut?) but it is still very easy to find (it's still in the installed folder). I am waiting for a more (non-.net) commercial app to float around again...If you were to replace the whole memory location.. it would crash....
so... i would try a few different ways..
try the full amount at first.. then if that doesn't work...
try a few bytes at the header of the memory location...
and if that doesn't work..
dude you are SOL..
.net sucks as it is.....
now they use commercial packers...
not cool...

SiGiNT
August 2nd, 2005, 14:24
MaDMAn,

I've been waiting for your input! You seem to get a little cranky when asked stupid questions about your tuts! The temp file is not named that much differently xshld1684.tmp - but you give me hope - I'll try replacing the first section and see what happens.

Thanx again!

SiGiNT

MaDMAn_H3rCuL3s
August 2nd, 2005, 17:26
Cranky?
me...?
never
your question isn't actually all that stupid..
yes exeshield has gone .net compatible...
the newest is v3.7 (from site)
i just installed sice (no joke) like 20 minutes ago..
well i went through a world of poop trying to bypass the checks..
i haven't used sice since like 98...
so it was like a dull mist when i saw it again...
but the checks are pretty easy..
also it seems the author is either in talks or is friends with our SVKP coder.
he uses his dll.. the APIs .. no joke are labeled as SVKP trick #1
and so on...
but other than that it seems the same (aside from .net) so your troubles shouldn't be too long