Exetools - General Discussion
  #1  
Old 12-10-2004, 07:32
nikita@work
Quote:
Originally Posted by Jay
throw us a quick tut together then will you.
It will be really short.
Go to the end of packed stream and look for code like this
Code:
pop   edx                       ; return address of the decompressor call
pushad                          ; save all registers around the decompressor
mov   ebx, PackedStreamSize     ; ebx = size of the packed stream (bytes)
mov   esi, offset PackedStream  ; esi = source: start of the packed stream
lea   edi, RawDataOffset        ; edi = destination: where the raw data is unpacked to
Just rip the decompress function (or use lzo1x from Oberhumer's UCL) and the postfilter (only if relocs are present). To decrypt imports you will need the RC4 key from the protector runtime context. And near the key there are the original OEP address, ImageBase, IAT address, etc.

P.S. There is an original PE header at the end of the unpacked stream. So as I told before, it looks like a UPX-based product ;)

Last edited by nikita@work; 12-10-2004 at 07:44.
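An added example from the analyst's side, not code from nikita@work's post: once the stream is decompressed, the original PE header the post says sits at its end can be located and the values he lists (original OEP, ImageBase, IAT address, and whether a reloc directory is present, which decides if the postfilter matters) read straight from it. It assumes only the standard PE32/PE32+ header layout; the stream it parses is a constructed sample, not a real dump.

```python
import struct
def _u16(b, o): return struct.unpack_from("<H", b, o)[0]
def _u32(b, o): return struct.unpack_from("<I", b, o)[0]
def _u64(b, o): return struct.unpack_from("<Q", b, o)[0]

def parse_pe_header(data, mz):
    """Parse the PE header whose DOS header starts at offset mz; None if it is not one."""
    if mz + 0x40 > len(data) or data[mz:mz + 2] != b"MZ":
        return None
    pe = mz + _u32(data, mz + 0x3C)                        # e_lfanew -> "PE\0\0"
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    opt, opt_size = pe + 24, _u16(data, pe + 20)           # optional header follows the 20-byte file header
    if opt + opt_size > len(data):
        return None
    magic = _u16(data, opt)
    if magic == 0x10B:                                     # PE32
        image_base, ndirs, dirs = _u32(data, opt + 28), _u32(data, opt + 92), opt + 96
    elif magic == 0x20B:                                   # PE32+
        image_base, ndirs, dirs = _u64(data, opt + 24), _u32(data, opt + 108), opt + 112
    else:
        return None
    def directory(idx):                                    # (RVA, size) of a data directory, or (0, 0)
        if idx >= ndirs or dirs + idx * 8 + 8 > opt + opt_size:
            return (0, 0)
        return (_u32(data, dirs + idx * 8), _u32(data, dirs + idx * 8 + 4))
    return {"offset": mz, "image_base": image_base,
            "oep": _u32(data, opt + 16),                   # AddressOfEntryPoint (RVA)
            "import_dir": directory(1), "reloc_dir": directory(5), "iat": directory(12)}

def find_pe_headers(data):
    """Every offset in the stream at which a well-formed PE header begins."""
    found, pos = [], data.find(b"MZ")
    while pos != -1:
        hdr = parse_pe_header(data, pos)
        if hdr:
            found.append(hdr)
        pos = data.find(b"MZ", pos + 1)
    return found

def build_sample_stream():
    """Constructed sample (not a real dump): payload bytes with a PE32 header appended."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    file_hdr = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x102)
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, 0x1234); struct.pack_into("<I", opt, 28, 0x400000)  # OEP, ImageBase
    struct.pack_into("<I", opt, 92, 16)                                                # NumberOfRvaAndSizes
    for idx, rva, size in ((1, 0x5000, 0x100), (5, 0x7000, 0x200), (12, 0x5100, 0x80)):  # import, reloc, IAT
        struct.pack_into("<II", opt, 96 + idx * 8, rva, size)
    return b"\x90" * 100 + b"MZ!!" + b"\xcc" * 60 + bytes(dos) + file_hdr + bytes(opt)  # stray "MZ" first
```

The stray "MZ" inside the payload is rejected because its e_lfanew does not point at a "PE\0\0" signature inside the buffer, which is the check that separates real header copies from coincidental bytes.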
  #2  
Old 12-10-2004, 08:29
Jay
Just rip decompress function, To decrypt imports you will need RC4 key.

Could just be me, but I fail to see how that description of how to unpack SD can be described as simple or compared to unpacking UPX. Still, if you don't have time for a more in-depth tutorial, then too bad for us.
  #3  
Old 12-10-2004, 15:23
zaratustra
Nothing is impossible; give a dumped program what it needs. It is my philosophy.
  #4  
Old 12-10-2004, 20:11
ricnar456
Armadillo with CopyMem2

Armadillo with CopyMem2 and nanomites is not hard to unpack; it is only hard mechanical work.
If you have the correct scripts made to help you in the task, the hard task is done by your machine: you go to sleep and when you return, 90% of the work is done automatically with injects and scripts.
I unpacked armadillo.exe (version 3.77); making the dump takes 10 minutes with known methods. Repairing the table is a little slower, because finding the magic call is more difficult than in previous versions, but in 30 minutes the table is repaired and you are at the OEP with the whole table perfect.
The last task is the nanomites. The first time it is difficult because you need to write the scripts and injects to do the work; this took me 1 or 2 days, but they are written only once, and for future Armadillos you have the hard work done.
Next you put the injects and scripts to work to brute force the original program: you try injecting into the nanomite routine (starting at GetThreadContext and ending at SetThreadContext) the address of the first nanomite, and for this value you try the 8 flag combinations to look at all possibilities, storing the results for each nanomite and each combination of flags. In the second phase, with another script and the stored values, you determine what type of jump it is and where it jumps to, and it is ready; the last script accommodates the correct values in the dump.
It is the better solution to the hard encryption of tables 1 to 4, which in newer versions are impossible to find and look for the values.
With this method you only need to adjust your scripts to the new version (slight changes) and the machine works for you; you only need a little manual adjustment and the dump is running.

Ricardo Narvaja
  #5  
Old 12-10-2004, 20:14
ricnar456
SoftDefender

SoftDefender is very easy to unpack; you only work with the times.

If you look at the API GetTickCount, the program takes the time, but at some moment it compares the time with a previous time and decides whether to create the second process or not.
In this way, altering only one jump or playing with the times, you can run in single-process mode and the unpack is very easy.

Armadillo is much more difficult, obviously.

Ricardo
  #6  
Old 12-10-2004, 21:01
iwill
Ricardo
Quote:
If you look at the API GetTickCount, the program takes the time, but at some moment it compares the time with a previous time and decides whether to create the second process or not.
In this way, altering only one jump or playing with the times, you can run in single-process mode and the unpack is very easy.

Armadillo is much more difficult, obviously.
Have you ever tried the latest version, SDProtector 1.16? It's not so easy as you said; Soft Defender is just a very old version of SDProtector. It seems the author has already switched to SDProtector and given up Soft Defender.
  #7  
Old 12-10-2004, 21:25
nikita@work
Quote:
Originally Posted by iwill
Have you ever tried the latest version, SDProtector 1.16? It's not so easy as you said; Soft Defender is just a very old version of SDProtector. It seems the author has already switched to SDProtector and given up Soft Defender.
Very interesting; can you provide a setup or sample?