08-03-2008, 21:38
bytexorer
Sentinel Manual Unpacking Question

Hi,

I'm trying to decrypt the code section of a Sentinel shell protected PE EXE file.

I have read Cyberheg's tutorial "Breaking the shell" from the CrackZ site:

hxxp://www.woodmann.com/crackz/Tutorials/Cyberheg4.htm

As he mentioned in his document, the decryption routine looks like this in C:

Code:
// tResponse: current response (DWORD); Sum: running sum of the decrypted DWORDs;
// lpCryptedBuffer / lpUnCryptedBuffer: DWORD pointers; iCounter: DWORD count - 1
// (from the loop condition: the body runs iCounter + 1 times)
do
{
	tResponse += (((tResponse << 4) + tResponse) >> 9) ^ (tResponse << 5);  // next response
	*(lpUnCryptedBuffer) = *(lpCryptedBuffer) ^ tResponse;                 // decrypt one DWORD
	Sum += *(lpUnCryptedBuffer);                                           // sum of plaintext so far
	tResponse ^= Sum;                                                      // chain the sum into the response
	++lpCryptedBuffer;
	++lpUnCryptedBuffer;
	--iCounter;
} while ((iCounter+1) != 0);

As I learned from his tutorial, we need to find the current response, which is a DWORD.

The first encrypted DWORD of my code section is 0x3698ECAA, and I know that it will be 0x00000000 when decrypted.

So I should look for an initial response which makes 0x3698ECAA the next response, so that after XORing it with the first DWORD the decrypted result becomes 0x00000000.

To find the initial response I wrote a simple piece of code to brute-force it; here is my code:

Code:
uint result;
bool found = false;
uint tResponse = 0;
do
{
    // next response = r + (((r << 4) + r) >> 9) ^ (r << 5), as in the tutorial's loop
    result = tResponse + ((((tResponse << 4) + tResponse) >> 9) ^ (tResponse << 5));
    if (result == 0x3698ecaa)
    {
        // I found the right initial response
        found = true;
        break;
    }
} while (++tResponse != 0);   // wraps to 0 after 0xffffffff, so every 32-bit value is tried

But it does not find any valid response.

The decryption block in my target looks like this:

Code:
00F990B4                 align 10h
00F990C0                 mov     ecx, [esp+8]
00F990C4                 xor     eax, eax
00F990C6                 shr     ecx, 2
00F990C9                 mov     edx, ecx
00F990CB                 dec     ecx
00F990CC                 test    edx, edx
00F990CE                 jz      short locret_F99108
00F990D0                 mov     edx, [esp+4]
00F990D4                 push    ebx
00F990D5                 push    esi
00F990D6                 lea     esi, [ecx+1]
00F990D9                 mov     ecx, [esp+14h]
00F990DD                 push    edi
00F990DE
00F990DE loc_F990DE:                             ; CODE XREF: _0000007:00F99103j
00F990DE                 mov     edi, ecx
00F990E0                 mov     ebx, ecx
00F990E2                 shl     edi, 4
00F990E5                 add     edi, ecx
00F990E7                 add     edx, 4
00F990EA                 shr     edi, 9
00F990ED                 shl     ebx, 5
00F990F0                 xor     edi, ebx
00F990F2                 add     ecx, edi
00F990F4                 mov     edi, [edx-4]
00F990F7                 xor     edi, ecx
00F990F9                 mov     ebx, edi
00F990FB                 mov     [edx-4], edi
00F990FE                 add     eax, ebx
00F99100                 xor     ecx, eax
00F99102                 dec     esi
00F99103                 jnz     short loc_F990DE
00F99105                 pop     edi
00F99106                 pop     esi
00F99107                 pop     ebx
00F99108
00F99108 locret_F99108:                          ; CODE XREF: _0000007:00F990CEj
00F99108                 retn    0Ch

Am I missing a point regarding Cyberheg's tutorial?
Or is there anything else I should mention?

-ByteXorer
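As an added example (not code from the post or from the tutorial), here is a C port of the disassembled routine at 00F990C0, with the three arguments read off the stack offsets (retn 0Ch), plus an encrypt direction that is an assumption about how the protector produces the ciphertext and is used only to build a constructed round-trip test vector.

```c
#include <stdint.h>

/* One step of the response update (shl/add/shr/shl/xor/add at loc_F990DE). */
static uint32_t next_response(uint32_t r)
{
    return r + ((((r << 4) + r) >> 9) ^ (r << 5));
}

/* Port of the routine at 00F990C0 (retn 0Ch, three stack args): buf=[esp+4] is
 * decrypted in place, nbytes=[esp+8] (shr ecx,2 gives the DWORD count),
 * response=[esp+14h]. Returns eax, the running sum of the decrypted DWORDs. */
uint32_t sentinel_decrypt(uint32_t *buf, uint32_t nbytes, uint32_t response)
{
    uint32_t sum = 0, n = nbytes >> 2, i;
    for (i = 0; i < n; i++) {
        response = next_response(response);
        buf[i] ^= response;   /* ciphertext XOR keystream */
        sum += buf[i];        /* add eax, ebx: sum of decrypted DWORDs */
        response ^= sum;      /* chain the plaintext sum into the next response */
    }
    return sum;
}

/* Inverse direction, used only to construct a test vector (assumption: the
 * protector encrypts the same way, with the sum seeing the plaintext). */
uint32_t sentinel_encrypt(uint32_t *buf, uint32_t nbytes, uint32_t response)
{
    uint32_t sum = 0, n = nbytes >> 2, i;
    for (i = 0; i < n; i++) {
        response = next_response(response);
        sum += buf[i];
        buf[i] ^= response;
        response ^= sum;
    }
    return sum;
}

/* Constructed self-test: encrypt a known plaintext, check that a zero first
 * DWORD exposes the keystream, decrypt, and compare with the original. */
int roundtrip_selftest(void)
{
    uint32_t plain[4] = {0, 0x11223344, 0xdeadbeef, 0xffffffff}, buf[4], i;
    for (i = 0; i < 4; i++) buf[i] = plain[i];
    sentinel_encrypt(buf, 16, 0x12345678);                /* constructed initial response */
    if (buf[0] != next_response(0x12345678)) return 0;    /* plaintext 0 => ct == keystream */
    if (sentinel_decrypt(buf, 16, 0x12345678) != 0xefcff232u) return 0;
    for (i = 0; i < 4; i++) if (buf[i] != plain[i]) return 0;
    return 1;
}
```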