Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   private exe protector unpacking? (https://forum.exetools.com/showthread.php?t=19446)

0xall0c 02-29-2020 01:37

private exe protector unpacking?
 
hello everyone,

i was looking at a binary protected with private exe protector, can't find any tutorials, can anyone push me in the right direction? if not resources then any hints?

thank you

deepzero 02-29-2020 15:18

literally if you enter "private exe protector manual unpacking tutorial" into google, this is the first hit:

http://185.62.190.110/accessroot/arteam/site/download.php?view.330

For v3 though. Much of it applies also to v4. Don't know about v5.

0xall0c 03-02-2020 01:31

i tried, got some references on tuts4you but no accessroot site!

sorry i didn't mention the version, i was looking for v4, thank you for the reference though.

the pdf is about unpacking the protector, not a target packed through it?

deepzero 03-02-2020 01:47

Quote:

the pdf is about unpacking the protector, not a target packed through it?
Same thing, as the protector is protected by the protector. ;)
you will have to see how much applies to your specific target.

0xall0c 03-02-2020 01:58

also i reached till the import resolver on my own though!!

after that i get access violation!!

0xall0c 03-02-2020 02:33

the target i have has no trial, just the nag, i don't think i will be able to reach the oep as you have mentioned in the text, what should be the approach now?

deepzero 03-03-2020 01:27

Quote:

also i reached till the import resolver on my own though!
great! :)

Quote:

i don't think i will be able to reach the oep as you have mentioned in the text, what should be the approach now?
I don't know! Try any of the generic OEP detection methods out there. Then post what you tried. I doubt they are using OEP virtualization.

PM me the target, but I am on the road right now, so don't idle and count on me...

0xall0c 03-03-2020 02:45

thanks for the gesture man, it's ok, i will try it myself for now..

so i think there is some confusion, does pep provide a registration dialog box or something like that? cause i have a window where it says unregistered, asks to enter user and key, and gives a reference to a hwid. i think it's coded in delphi but i am not sure if it's part of the protection or the real program. does pep provide a licensing mechanism?

p.s. have a safe journey man!

deepzero 03-03-2020 03:30

Yes, pep provides something like that, but of course the program might be providing its own form. Good luck!

0xall0c 03-03-2020 18:36

tracing backwards from the NtTerminateProcess call, i figured out NtContinue api calls are being used to make following the code difficult. if you came across NtContinue in pep as any standard trick, like a running vm wrapping around NtContinue, please enlighten!

thank you!

h4sh3m 03-03-2020 19:13

Hi

You can use these patterns:
Quote:

=============================================
Private Exe Protector 3.3.3 Bypass Reg

C6459C00E9????0000
=============================================
Private Exe Protector 4.1.2 Bypass Reg

85 C0 75 04 33 C0 EB 02 B0 01 5B 5D C2 10 00
=============================================
Private Exe Protector 4.2.5 Bypass Reg

B? ?? ?? ?? ?? E8 ?? ?? 00 00 0F B6 ?? ?? 5? 5? C2 10 00 > xor eax,eax
It's not too hard bypassing this protector's registration (as I remember) but not tested on newer versions.


BR,
h4sh3m
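
The three signatures above use the usual PEiD-style wildcard notation: `??` matches any byte and a token such as `B?` or `5?` fixes only the high nibble. As an added example (not code from this thread or from the protector's author), here is a small scanner that parses that notation and reports which Private Exe Protector version a file matches and at what offset, which is the triage step before any of the debugging discussed in the thread. The byte buffer inside is constructed for the demo (it mirrors the 4.2.5 function 0xall0c disassembled below: `mov ecx,1 / call / movzx eax,[ebp-1] / pop ecx / pop ebp / ret 10`), not taken from a real sample; the function names are my own.

```python
"""Signature scanner for the PEP wildcard byte patterns posted in the thread."""
import sys
from typing import List, Tuple

# The patterns exactly as posted (the 3.3.3 one re-spaced into byte tokens).
# The "> xor eax,eax" note on the 4.2.5 line is a patch hint, not part of the
# pattern, so it is not included here: this tool only identifies.
PEP_SIGNATURES = {
    "Private Exe Protector 3.3.3": "C6 45 9C 00 E9 ?? ?? 00 00",
    "Private Exe Protector 4.1.2": "85 C0 75 04 33 C0 EB 02 B0 01 5B 5D C2 10 00",
    "Private Exe Protector 4.2.5": "B? ?? ?? ?? ?? E8 ?? ?? 00 00 0F B6 ?? ?? 5? 5? C2 10 00",
}

# Constructed sample (not a real binary): 7 filler bytes, a three-instruction
# prologue, then the 19 bytes the 4.2.5 pattern is meant to match.
SAMPLE_425 = (
    b"\x90" * 7
    + b"\x55\x8B\xEC\x51"              # push ebp / mov ebp,esp / push ecx
    + b"\xB9\x01\x00\x00\x00"          # mov ecx,1            -> B? ?? ?? ?? ??
    + b"\xE8\x12\x34\x00\x00"          # call rel32 (fake)    -> E8 ?? ?? 00 00
    + b"\x0F\xB6\x45\xFF"              # movzx eax,[ebp-1]    -> 0F B6 ?? ??
    + b"\x59\x5D"                      # pop ecx / pop ebp    -> 5? 5?
    + b"\xC2\x10\x00"                  # ret 10               -> C2 10 00
)


def parse_pattern(text: str) -> List[Tuple[int, int]]:
    """Turn 'B? ?? E8' into (value, mask) pairs, one per byte.

    '??' -> (0x00, 0x00), 'B?' -> (0xB0, 0xF0), '?5' -> (0x05, 0x0F),
    'C6' -> (0xC6, 0xFF).
    """
    out = []
    for tok in text.split():
        if len(tok) != 2:
            raise ValueError(f"bad token {tok!r}: expected two hex digits or '?'")
        value = mask = 0
        for shift, ch in ((4, tok[0]), (0, tok[1])):
            if ch != "?":
                value |= int(ch, 16) << shift
                mask |= 0xF << shift
        out.append((value, mask))
    return out


def find_pattern(buf: bytes, pattern: List[Tuple[int, int]], start: int = 0) -> int:
    """Offset of the first match at or after `start`, or -1 if none."""
    n = len(pattern)
    for off in range(start, len(buf) - n + 1):
        if all((buf[off + i] & m) == v for i, (v, m) in enumerate(pattern)):
            return off
    return -1


def identify_pep(buf: bytes) -> List[Tuple[str, int]]:
    """Every PEP signature that matches `buf`, with the offset of the hit."""
    hits = []
    for name, text in PEP_SIGNATURES.items():
        off = find_pattern(buf, parse_pattern(text))
        if off != -1:
            hits.append((name, off))
    return hits


if __name__ == "__main__":
    # Scan a file given on the command line, or the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_425
    for name, off in identify_pep(data) or [("no PEP signature", -1)]:
        print(f"{name} @ 0x{off:X}")
```

The nibble masks matter: the 4.2.5 pattern only asserts that the two bytes before `ret 10` are single-byte `pop` instructions (`58`..`5F`), so a scanner that treats `5?` as a full wildcard would also match unrelated code and produce the kind of false hit that sends a debugging session down the wrong function.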

0xall0c 03-03-2020 19:17

ok i will try, target is v4, i don't know exactly which version! will report

0xall0c 03-03-2020 19:28

pattern search for 4.2.5 gave me this

Code:

push ebp
mov ebp,esp
push ecx
push dword ptr ss:[ebp+14]
push dword ptr ss:[ebp+10]
push dword ptr ss:[ebp+C]
push dword ptr ss:[ebp+8]
call <wartrc2.sub_FDFB10>
test eax,eax
jne wartrc2.FDFF3F
mov byte ptr ss:[ebp-1],0
jmp wartrc2.FDFF4C
lea edx,dword ptr ss:[ebp-1]
mov ecx,1
call <wartrc2.sub_FE04F8>
movzx eax,byte ptr ss:[ebp-1]
pop ecx
pop ebp
ret 10

i tried to set the eax return to 1 but no luck, can you explain a little bit more!

evlncrn8 03-03-2020 21:17

and setting eax to zero does.. ?

0xall0c 03-03-2020 22:00

nope, zero makes it directly exit! no form, nothing appears. i also tried to nop all opcodes which are in the pattern, but no luck!

evlncrn8 03-04-2020 03:25

and what's the value of the byte @ ebp-1.. that seems somewhat critical

h4sh3m 03-04-2020 03:37

can you share your target (max 50 mb)?

0xall0c 03-04-2020 03:50

https://www78.zippyshare.com/v/CHp4KO0m/file.html

here

0xall0c 03-04-2020 03:56

Quote:

Originally Posted by evlncrn8 (Post 119468)
and what's the value of the byte @ ebp-1.. that seems somewhat critical

i tried changing it to zero, still the same direct exit!

also that value is written by the above function, as edx is treated as a pointer to that location; a value is being copied from another location

h4sh3m 03-04-2020 04:18

Quote:

Originally Posted by 0xall0c (Post 119470)

needs password ;)

0xall0c 03-04-2020 04:21

Quote:

Originally Posted by h4sh3m (Post 119472)
needs password ;)

12345 is the password

h4sh3m 03-04-2020 04:47

did you try to run your debugger as admin?

0xall0c 03-04-2020 04:51

nope, i don't have a reason to do so, do i?

h4sh3m 03-04-2020 06:05

Quote:

0100A060 | E8 3F 66 FC FF | call <wartrc2.RegCreateKeyExW> |
returns non-zero and will exit silently :|
you just need to debug the file carefully to find out the solution, you need to look for the decryption function for the next step ;) (you have all the needed info to reach the oep).

0xall0c 03-04-2020 06:39

i am not running inside a vm and i don't know if the key has already been created, this api is not being called (can you tell me the key path so i can delete it?).. also do i have to return 0 in eax and ebp-1?

also i am getting an access violation if i return all 0 from the pattern function... strange!

0xall0c 03-04-2020 15:42

so i think this is doing something like xoring the first byte at the address where the exception is occurring, and because registration is bypassed by xoring but our licence is still invalid, i get the exception?

also this is wrapped by a loop and later one more loop to decrypt another function!!
don't know how i can validate the licence keys!

here:

Code:

; (comment added) 16-byte block xor: [ecx+0..C] = [eax+0..C] xor [edx+0..C], one dword at a time
push ebx
mov ebx,dword ptr ds:[eax]
xor ebx,dword ptr ds:[edx]
mov dword ptr ds:[ecx],ebx
mov ebx,dword ptr ds:[eax+4]
xor ebx,dword ptr ds:[edx+4]
mov dword ptr ds:[ecx+4],ebx
mov ebx,dword ptr ds:[eax+8]
xor ebx,dword ptr ds:[edx+8]
mov dword ptr ds:[ecx+8],ebx
mov eax,dword ptr ds:[eax+C]
xor eax,dword ptr ds:[edx+C]
mov dword ptr ds:[ecx+C],eax
pop ebx
ret


0xall0c 03-04-2020 20:38

is 0x4c00000 the oep?

0xall0c 03-05-2020 19:12

my progress till now in x64dbg python:


Code:

from x64dbgpy import pluginsdk
from x64dbgpy.pluginsdk._scriptapi import module
from x64dbgpy.pluginsdk._scriptapi import memory
from x64dbgpy.pluginsdk._scriptapi import pattern
from x64dbgpy.pluginsdk._scriptapi import register

PEP_425_REG = "B? ?? ?? ?? ?? E8 ?? ?? 00 00 0F B6 ?? ?? 5? 5? C2 10 00"

addr  = pluginsdk.RemoteGetProcAddress('kernel32.dll','CompareStringW')
pluginsdk.Run()
pluginsdk.Run()
pluginsdk.SetBreakpoint(addr)
pluginsdk.Run()
pluginsdk.DeleteBreakpoint(addr)


pattern_location = pattern.FindMem(module.GetMainModuleBase(), module.GetMainModuleSize(), PEP_425_REG)

setEaxAddress = pattern_location + 10

pluginsdk.SetHardwareBreakpoint(setEaxAddress,pluginsdk.HardwareType.HardwareExecute)
pluginsdk.Run()

# called 14 times, if ebp-1 set to 0
for i in range(13):
    memory.WriteByte(register.GetEBP() - 1, 0)
    pluginsdk.Run()

pluginsdk.DeleteHardwareBreakpoint(setEaxAddress)

# now it will jump to oep 0x4c0000


0xall0c 03-06-2020 02:22

Quote:

Originally Posted by evlncrn8 (Post 119468)
and what's the value of the byte @ ebp-1.. that seems somewhat critical

yes it was, can you give some more hints?

0xall0c 03-06-2020 02:35

previous oep is wrong, i am very sure it is 0x004BF9C0 but still contains all 0s. it's hard!

0xall0c 03-06-2020 19:45

a little more debugging and i got to know that the pattern function in some way compares some bytes with other bytes generated from the same function, so right now i am patching the function to contain [ebp-1] = 0. what if i make [ebp-1]=0 with valid data instead of patching? then i think i would not get the exception, as the same data is later getting xored with the real oep section. is this correct?

0xall0c 03-13-2020 03:52

ok i give up, can anyone hand me the solution? so that i can actually see what's happening?

GautamGreat 05-15-2020 20:29

Quote:

Originally Posted by h4sh3m (Post 119461)
Hi

You can use these patterns:


It's not too hard bypassing this protector's registration (as I remember) but not tested on newer versions.


BR,
h4sh3m

Hi, the last pattern seems to be working but if the target is encrypted then the code section is not decrypted and the program crashes.

Can you give a little more information about it? maybe some older notes you wrote while analysing or anything

0xall0c 07-13-2020 00:47

i didn't create any notes! although yea it crashes because of wrong decryption, you have to get the key!

