How to defeat Password Reminder 1.6 ? (An unknown protector)

[taos]

Quote:

Originally Posted by newbie_cracker

[CODE]

Code:

004FBB7A    8038 CC         CMP BYTE PTR DS:[EAX],0CC
004FBB7D    74 0A            JE SHORT PASSWORD.004FBB89

This code "maybe" a BP detection because CC is the opcode of INT 3.

Quote:

Originally Posted by newbie_cracker

Is there a fixed address in memory which used by OllyDbg for storing breakpoint addresses? How SDProtector detects them?

AFAIK when you set a BP, Olly puts a CC to use its handler, so I think no memory is used to store it, only wait until INT 3.
If you're talking about Hardware BP, I think Olly stores its addresses in a local var, so no fixed address...Ummh!! I know that Registers DR0-DR3 are for debug breakpoints and curiously Olly only can set 4 Hardware BP .
The protection can read and compare this registers.
Maybe that uses a code-execute time detection too.

Regards

[Newbie_Cracker]

Thanks taos.

Quote:

Originally Posted by taos
This code "maybe" a BP detection because CC is the opcode of INT 3.

When I set only hardware BP, SDProtector checks the presence of "int 3" ? The above mentioned CMP could not be done and...debugging will be finished. It's unusual !

How could I know where it reads dr0 to dr3 values?
There is a jungle of junk codes

I red somewhere about fs:[20h] and fs:[30h] tricks used by ACProtect. Maybe SDProtector uses them too. The question is method of finding them.
Is it possible using conditional tracing like this ?
TC EIP=="some opcodes"

Regards.

today i played with this target.. check if all is OK.
btw, it's marked as SD1.1 at start of 1st section??

original IT restored; OEP bytes restored from 00495C50h;
resource restored by PExplorer; there was 7 crypted code blocks,
wich decrypted on runtime;

..
shit, failed for attach!

at hxxp://www.angelfire.com/indie/zong


EnJoy

[hosiminh]

@newbie_cracker

For Imprec - it looks for file "ImportREC.exe" and for title "Import REConstructor v1.6..."

You can easy change title with Customizer or similar program.


For LordPE - SDpacker absolutely hates this tool . Apply the same steps as for ImpRec

btw. It shows wrong Image_Size of process ( 0x00036000 ). Use any other tools for dumping .



@KaGra

I like your tuts , but what would you do if your target is packed with regged version of packer and you don't have intro Nag to attach ?

well,if I don;t have a registered version in my hands,I cannot make any assumptions.But i'd like to have one...

[Newbie_Cracker]

Thanks hosiminh

My problem solved in patching the process in memory. Greetings to The Boss.

I bypassed LordPE detection and dumped the flle. But PE tools dumped better than lordpe, without any errors. Is there a good dumper except Lordpe and PE Tools?

The remaining problem is OllyDbg detection and Unpacking method.

Regards

[dyn!o]

It depends what you mean. The best dump is always a manual dump. The way of dumping running process simultaneously with its execution (like LordPE, PETools do) is a weak and not "clean" idea. Usually it forces you to keep redundant sections but most of all it makes unpacked executable a lot bigger than original one.

Anyway, it's only my private opinion and you can always work this way. For Delphi executables the best dumper is DeDe (with ability to find OEP).

Regards.