#1
Extracting files from a temp directory
Hi,
I am looking at a target which has its own compression routine for compressing png files. When the program reads the compressed file it makes a temporary png file in the temp directory, but it immediately deletes it. I found this out by using filemon. If I could save this png file, my objective would be reached. I tried writing a small script to capture the file, but my script does not seem fast enough to capture the png file. Here is the vbs script I put in the temp directory:

    ' FileSystemObject.FileExists does not accept wildcards (it would always
    ' return False for "*.png"), but CopyFile does, so attempt the copy directly.
    set fs = createobject("Scripting.FileSystemObject")
    on error resume next                 ' CopyFile raises an error while no *.png exists yet
    do while 1
        fs.copyfile "*.png", "\test\", true   ' \test\ must already exist; true = overwrite
    loop

Does anyone have tips on how I can proceed? Thanks, Kade
#2
Overwriting the DeleteFile API in the target process under debugger control comes immediately to mind, so that the program can create files but can't delete them afterwards.
However, that's probably just me going completely over the top again, as usual. It'll definitely work though...
#3
Well, it is not really going over the top, but then I have an additional problem. It detects SoftICE (NuMega driver suite 2.6) and I am using Windows 2000 Server. I can't seem to find any tool which can hide this SoftICE. Does anyone know? I already posted this yesterday in another thread.
And Squidge, I know that your preference would be to take out the SoftICE detection in the target, but I am not really familiar with that. But I want to learn though... I just need some tutorial on SoftICE detection and the IDA disassembler I assume, or am I mistaken here? Thanks, Kade
#4
If the prog doesn't want anyone running SoftIce whilst it's running, then the second attack I use is Ollydbg.
#5
Ok, I switched over to Ollydbg and now it is getting interesting because I get the following warning:

---------------------
"Module 'StarVW' has entry point outside the code (as specified in the PE header). Maybe this file is self-extracting or self-modifying. Please keep it in mind when setting breakpoints!"
---------------------

Of course StarVW is the name of my target. If I click OK I get the following message box:

----------------------
Compressed code?
Quick statistical test of module 'StarVW' reports that its code section is either compressed, encrypted, or contains large amount of embedded data. Results of code analysis can be very unreliable or simply wrong. Do you want to continue analysis?
YES/NO
-----------------------

Does this mean that there is another file where the entry point resides? Another strange thing I noticed is that the program makes a .tmp file in the temp directory and filemon shows that this file acts as a process. Does this have anything to do with the encryption or compression?
#6
Download PEiD and see if it can recognise the packer.
#7
I downloaded PEiD v0.8 and it appears not to be packed:

Entry point    : 16A05Eh
EP Section     : stxt371
File Offset    : F805Eh
First Bytes    : 055h,08Bh,0ECh,060h
Linker Version : 6.0
Subsystem      : Win32 GUI (0002)
Information    : Win32 PE File - GUI

Or am I reading this wrong? The OEP module answers 4AA856
#8
With an entry point section name of stxt371, it suggests the program is either compressed or encrypted. Combine this with Ollydbg's report of a large amount of compressed/encrypted data and I think you have found a packer that PEiD does not recognise.
Try this webpage: pmode.impazz.it/tuts/sr2cracking.htm It describes what seems to be the same kind of protection.
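As an added example (it is not code from this thread, nor from PEiD or OllyDbg), here is a small PE32 triage routine that reproduces the two observations discussed in posts #7 and #8: it locates the section that contains AddressOfEntryPoint and derives the PEiD-style "EP Section", "File Offset" and "First Bytes", then applies a Shannon-entropy test to that section in the spirit of OllyDbg's "quick statistical test", flagging an entry point that lands in an oddly named section. The function names (parse_pe, triage, build_sample_pe, demo_images), the 7.0 bits/byte threshold and the list of conventional code-section names are my own assumptions; the sample image is constructed in memory and only mimics the layout reported above (a section named stxt371 whose entry bytes are 55 8B EC 60, i.e. push ebp / mov ebp,esp / pushad), beside a plain low-entropy .text sample for contrast.

```python
import math
import random
import struct

# Assumed heuristics (not PEiD/OllyDbg internals): usual code-section names
# and an entropy cut-off above which a section "looks compressed or encrypted".
USUAL_CODE_SECTIONS = {".text", "CODE", ".code"}
ENTROPY_THRESHOLD = 7.0
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def shannon_entropy(data):
    """Bits of entropy per byte: close to 8.0 for random data, low for plain code."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image):
    """Return (AddressOfEntryPoint, list of section dicts) from a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", image, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", image, e_lfanew + 20)
    opt = e_lfanew + 24                       # optional header follows the COFF header
    entry_rva, = struct.unpack_from("<I", image, opt + 16)
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i         # section table: 40 bytes per entry
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("latin-1")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, hdr + 8)
        chars, = struct.unpack_from("<I", image, hdr + 36)
        sections.append(dict(name=name, va=va, vsize=vsize,
                             raw_size=raw_size, raw_ptr=raw_ptr, chars=chars))
    return entry_rva, sections


def triage(image):
    """PEiD-style entry-point report plus simple packer heuristics."""
    entry_rva, sections = parse_pe(image)
    for s in sections:
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw_size"]):
            file_off = entry_rva - s["va"] + s["raw_ptr"]   # RVA -> file offset
            raw = image[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
            entropy = shannon_entropy(raw)
            flags = []
            if s["name"] not in USUAL_CODE_SECTIONS:
                flags.append("entry point outside the usual code section")
            if not s["chars"] & IMAGE_SCN_MEM_EXECUTE:
                flags.append("entry-point section is not executable")
            if entropy > ENTROPY_THRESHOLD:
                flags.append("entry-point section looks compressed or encrypted")
            return dict(entry_rva=entry_rva, ep_section=s["name"], file_offset=file_off,
                        first_bytes=image[file_off:file_off + 4],
                        entropy=round(entropy, 2), flags=flags)
    return dict(entry_rva=entry_rva, ep_section=None, file_offset=None,
                first_bytes=b"", entropy=0.0, flags=["entry point maps to no section"])


def build_sample_pe(section_name, section_data, entry_offset=0x5E):
    """Constructed PE32 image (test data, not a real program): headers in the
    first 0x200 bytes, one section mapped at RVA 0x1000 / file offset 0x200."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)   # i386, one section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000 + entry_offset)           # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                        # ImageBase
    sec = struct.pack("<8sIIIIIIHHI", section_name.ljust(8, b"\0"),
                      len(section_data), 0x1000, len(section_data), 0x200,
                      0, 0, 0, 0, 0x60000020)                        # code | exec | read
    header = (dos + b"PE\0\0" + coff + opt + sec).ljust(0x200, b"\0")
    return bytes(header) + section_data


def demo_images():
    """Two constructed samples: one mirroring the thread's PEiD output
    (section stxt371, entry bytes 55 8B EC 60, random body) and a plain one."""
    rng = random.Random(7)
    packed = bytearray(rng.getrandbits(8) for _ in range(4096))      # high entropy
    packed[0x5E:0x62] = b"\x55\x8b\xec\x60"                          # push ebp; mov ebp,esp; pushad
    plain = (b"\x55\x8b\xec\x5d\xc3" * 400).ljust(4096, b"\x00")     # low entropy
    return build_sample_pe(b"stxt371", bytes(packed)), build_sample_pe(b".text", plain)


if __name__ == "__main__":
    for img in demo_images():
        r = triage(img)
        print(f"EP {r['entry_rva']:X}h  section {r['ep_section']}  file offset "
              f"{r['file_offset']:X}h  first bytes {r['first_bytes'].hex()}  "
              f"entropy {r['entropy']}  flags {r['flags']}")
```

Run as a script it prints one line per sample; for the stxt371 sample the entry point resolves to file offset 25Eh with first bytes 558bec60 and both heuristics fire, while the .text sample reports no flags. On a real file, pass `open(path, "rb").read()` to triage; the entropy figure alone does not prove packing (large embedded resources also score high), which is why the section-name and executable-flag checks are reported separately.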
#9
I have to look a bit further at the link you provided. Filemon also shows that there is a process starVW.exe.local
What does that mean? Does it make a temporary unencrypted exe?
#10
Well, only you have that particular exe, so there's only one way to find out, isn't there?
#11
Indeed, I know what to do.
I am going to have some fun in the next weeks. I noticed that there is also a license.dat file with some FLEXlm features. Thanks for your help, I will post something when I have cracked it. It is a real challenge (for me at least).
#12
Here's a super-crazy-idea-that-just-might-work. Since you're running Windows 2000 Server, if you happen to be running NTFS as well, try modifying the permissions on the temp folder to deny Delete to every user, including the system itself. The program may bomb out, but at least you'll have your file.
#13
Nice idea! Tad overkill, but may just work.
Certainly something I'd not thought about.
#14
I tried doing that, but it did not work.
It was a nice idea though. But nevertheless, I made some progress: I discovered that it is protected with SafeDisc v2.80.011 (it needs an original cd-rom in the drive). I think it is not that easy to crack, but I am going to do some research and with a little persistence.......you never know.
Last edited by kade; 03-29-2003 at 15:56.
#15
kade
Try IceExt by Sten to hide SoftICE (look for it on xttu://protools.cjb.net).