Another unknown
SiGiNT
September 1st, 2006, 01:38
Boy!
I seem to find all the good ones - this one is labeled simply Borland Delphi 4.0-5.0 or unknown by every tool I have - it contains a squatload of sections including SFX and TLS and seems to fully unpack in memory. I'm able to find all imports with no thunks at several possible OEPs, but I'm having trouble finding the real one - the dump makes lots of references to madtools and other madxxxx stuff and lists a web site: http://www.madshi.net
which includes security tools, but no mention of compression - it also lists coding tools and aids - here is a list of the sections -
Anyone know this one?
SiGiNT
anorganix
September 1st, 2006, 02:29
madCollection is library-pack for Delphi, and by the look of the sections it is a Delphi app indeed.
madCollection includes:
Code:
madExcept
madCodeHook
madKernel
madSecurity
madShell
Maybe PM me with the target name so I can also have a look.
Cheers mate!

anorganix
September 1st, 2006, 02:34
BTW, if you see something similar to this it's madExcept (exception handler) and it means that you haven't unpacked it correctly...
http://www.madshi.net/exc-ss3.gif
blabberer
September 1st, 2006, 02:35
madshi is a Detours-type of library if I recall correctly
could be used to hook and redirect functions
I would guess that someone took a program and used that library to add some obfuscation
or maybe added some trampolines all over to some crypting/decrypting function
btw if you notice in your screenshot all your memory is mapped to 0x4000000
as a contiguous section
not like 0x400000 PE header, 0x401000 .code section etc
try analysing its PE header (especially vsize, vaddress etc) offline to see for possible manipulations
oops boy three posts before me in two minutes flat
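The offline header check blabberer suggests, as an added example that is not code from this thread: it reads the section table of an on-disk PE and flags VirtualAddress/VirtualSize values that do not fit the rest of the headers, the kind of inconsistency left behind when an image unpacks itself in memory or the section table has been hand-edited. The build_pe helper is a constructed stand-in for a real file so the checks can be exercised without one.

```python
import struct
SEC_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def align_up(v, a):
    return -(-v // a) * a

def parse_pe(data):
    """Read SectionAlignment, SizeOfHeaders, SizeOfImage and the section table from an on-disk PE."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = struct.unpack_from("<HHIIIHH", data, pe + 4)          # IMAGE_FILE_HEADER
    nsec, opt_size, opt = coff[1], coff[5], pe + 24               # optional-header offsets below hold for PE32/PE32+
    sec_align, size_img, size_hdr = (struct.unpack_from("<I", data, opt + o)[0] for o in (32, 56, 60))
    secs = []
    for i in range(nsec):
        name, vsize, va, rawsize = struct.unpack_from(SEC_FMT, data, opt + opt_size + 40 * i)[:4]
        secs.append((name.rstrip(b"\0").decode("latin-1") or "<unnamed>", vsize, va, rawsize))
    return sec_align, size_hdr, size_img, secs

def section_anomalies(data):
    """Flag section-table values that point to in-memory unpacking or a hand-edited header."""
    sec_align, size_hdr, size_img, secs = parse_pe(data)
    findings, expect_va = [], align_up(size_hdr, sec_align)       # first section normally follows the headers
    for name, vsize, va, rawsize in secs:
        if va != expect_va:
            findings.append(f"{name}: VirtualAddress 0x{va:x}, expected 0x{expect_va:x} (gap, overlap or misaligned)")
        if vsize > 2 * rawsize:
            findings.append(f"{name}: VirtualSize 0x{vsize:x} exceeds SizeOfRawData 0x{rawsize:x} (space filled at run time)")
        expect_va = va + align_up(vsize or rawsize, sec_align)    # loader uses SizeOfRawData when VirtualSize is 0
    if expect_va != size_img:
        findings.append(f"SizeOfImage 0x{size_img:x} != end of last section 0x{expect_va:x}")
    return findings

def build_pe(sections, sec_align=0x1000, file_align=0x200):
    """Constructed minimal PE32 (valid headers, zero-filled bodies) from (name, VirtualSize, SizeOfRawData) tuples."""
    hdr_len = 0x40 + 24 + 0xE0 + 40 * len(sections)
    size_hdr = align_up(hdr_len, file_align)                      # SizeOfHeaders, also first PointerToRawData
    raw, va, table, body = size_hdr, align_up(hdr_len, sec_align), b"", b""
    for name, vsize, rawsize in sections:
        table += struct.pack(SEC_FMT, name, vsize, va, rawsize, raw if rawsize else 0, 0, 0, 0, 0, 0x60000020)
        body += b"\0" * align_up(rawsize, file_align)
        va, raw = va + align_up(vsize or rawsize, sec_align), raw + align_up(rawsize, file_align)
    hdr = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)         # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<II", opt, 32, sec_align, file_align)
    struct.pack_into("<II", opt, 56, va, size_hdr)                # SizeOfImage, SizeOfHeaders
    return hdr + bytes(opt) + table + b"\0" * (size_hdr - hdr_len) + body
```

Run section_anomalies over the bytes of the file under study; an empty list means the section table is at least self-consistent, while a section with almost no raw data but a large VirtualSize is the usual sign of code that is only present once the image has unpacked itself.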

JMI
September 1st, 2006, 03:01
We are getting very close here to violating the Rule prohibiting posting of Code and identifying the target. Let's make sure we do not cross over that line.
Regards
anorganix
September 1st, 2006, 03:14
JMI, if you are talking about "Maybe PM me with the target name so I can also have a look" don't worry, that's why I said <<PM>>. We have similar rules @ ARTeam so I know the issue...
Regards.

SiGiNT
September 1st, 2006, 09:17
anorganix,
I'll PM the target name to you over at our home site, you'll need a login, and I have that at work, unfortunately I managed to get this site blocked at work, (soon to be fixed).
JMI,
I took special pains not to even hint at the target, the madshi stuff bears no relationship other than the fact that the tools were used in coding this one.
SiGiNT
JMI
September 1st, 2006, 11:24
My comment was not aimed at any "individual", but was simply a "generic" warning, intended to hopefully preclude some of our less familiar members, or anyone really new from becoming overcome with the urge to post some code and a target name.
It was just intended as "an ounce of prevention." I do know how to scold if someone had actually violated the Rule.
Regards,
SiGiNT
September 1st, 2006, 18:58
JMI,
Hopefully my large black box hiding any hint of the target name will give the right idea to those reading this thread, but I'm having second thoughts as to pursuing this one. The protection is unique and not likely to be encountered by many in the future, and this soft is essentially dead - it started as a project that was supposed to create a free utility for users of a certain software program; however, like several others with the same intent, the authors found a lot of interest for it and decided to pull it in favor of a "retail version" - in the meantime the software that it was supposed to enhance has incorporated most of the features it offers. I investigated it while trying to find an obscure "target", from a small company that used FlexLM, for a tutorial I've been promising to write for months now, and it doesn't satisfy that requirement; unfortunately, curiosity and a certain amount of obsession took over and I started this thread.
@ Anorganix - if you like I'll get you this one, but I doubt you could do anything with it unless you have the other soft installed, just let me know.
SiGiNT
LLXX
September 1st, 2006, 21:23
Quote (Originally Posted by sigint33): Hopefully my large black box hiding any hint of the target name
"any hint"? Look at that box again... or maybe the gamma on your monitor isn't set correctly
Indeed, a very obscure app.
Kayaker
September 1st, 2006, 22:07
Quote (Originally Posted by LLXX): "any hint"? Look at that box again.
Lol. When isn't black black?
I was more surprised that any software actually used the madshi wrappers. I had seen them a long time ago, thought they were more of general interest, POC or a pet project. Something along the lines of Elicz' ApiHooks - interesting, make use of the concepts, but write what you need yourself.
Looking at them again, I guess Delphi must be pretty limited if you can't use many of these API calls directly, without going to the extra trouble of learning to use someone else's wrappers on top of it.
In any case, I hope the retail version of this sw isn't still using those madshi libraries, free for non-commercial use only, or is paying a suitable fee for their use.
Kayaker
SiGiNT
September 2nd, 2006, 01:03
LLXX,
Yup!
Should have added one more box - or adjusted the translucency - or just adjusted the column width to eliminate it, oh well, good intentions anyway.
SiGiNT