Exetools  
#1  08-03-2008, 21:38
bytexorer
Friend
Join Date: Mar 2005
Posts: 12
Sentinel Manual Unpacking Question

Hi,

I'm trying to decrypt the code section of a Sentinel shell-protected PE EXE file.

I have read Cyberheg's tutorial "Breaking the shell" from the CrackZ site

hxxp://www.woodmann.com/crackz/Tutorials/Cyberheg4.htm

As he mentions in his document, the decryption routine looks like this in C:

Code:
#include <stdint.h>
/* state and buffers are set up by the caller: */
uint32_t tResponse;            /* current response (the key-stream state) */
uint32_t Sum = 0;              /* running sum of the decrypted DWORDs */
uint32_t *lpCryptedBuffer;     /* source: encrypted DWORDs */
uint32_t *lpUnCryptedBuffer;   /* destination: decrypted DWORDs */
int iCounter;                  /* number of DWORDs minus one */
do
{
	tResponse += (((tResponse << 4) + tResponse) >> 9) ^ (tResponse << 5);
	*(lpUnCryptedBuffer) = *(lpCryptedBuffer) ^ tResponse;
	Sum += *(lpUnCryptedBuffer);
	tResponse ^= Sum;
	++lpCryptedBuffer;
	++lpUnCryptedBuffer;
	--iCounter;
} while ((iCounter+1) != 0);

As I learned from his tutorial, we need to find the current response, which is a DWORD.

The first encrypted DWORD of my code section is 0x3698ECAA, and I know that it will be 0x00000000 when decrypted.

So I should look for an initial response which makes the next response 0x3698ECAA; after XORing it with the first DWORD, the decrypted result will become 0x00000000.

To find the initial response I wrote a simple piece of code to brute-force it; here is my code:

Code:
#include <stdint.h>
uint32_t result;
uint32_t tResponse = 0;
do
{
    /* one step of the response update from the decryption loop */
    result = tResponse + ((((tResponse << 4) + tResponse) >> 9) ^ (tResponse << 5));
    if (result == 0x3698ecaa)
    {
        // I found the right initial response
        break;
    }
} while (tResponse++ != 0xffffffff);   /* covers every 32-bit value, 0xffffffff included */
But it does not find any valid response.

The decryption block in my target looks like this:

Code:
00F990B4                 align 10h
00F990C0                 mov     ecx, [esp+8]
00F990C4                 xor     eax, eax
00F990C6                 shr     ecx, 2
00F990C9                 mov     edx, ecx
00F990CB                 dec     ecx
00F990CC                 test    edx, edx
00F990CE                 jz      short locret_F99108
00F990D0                 mov     edx, [esp+4]
00F990D4                 push    ebx
00F990D5                 push    esi
00F990D6                 lea     esi, [ecx+1]
00F990D9                 mov     ecx, [esp+14h]
00F990DD                 push    edi
00F990DE
00F990DE loc_F990DE:                             ; CODE XREF: _0000007:00F99103j
00F990DE                 mov     edi, ecx
00F990E0                 mov     ebx, ecx
00F990E2                 shl     edi, 4
00F990E5                 add     edi, ecx
00F990E7                 add     edx, 4
00F990EA                 shr     edi, 9
00F990ED                 shl     ebx, 5
00F990F0                 xor     edi, ebx
00F990F2                 add     ecx, edi
00F990F4                 mov     edi, [edx-4]
00F990F7                 xor     edi, ecx
00F990F9                 mov     ebx, edi
00F990FB                 mov     [edx-4], edi
00F990FE                 add     eax, ebx
00F99100                 xor     ecx, eax
00F99102                 dec     esi
00F99103                 jnz     short loc_F990DE
00F99105                 pop     edi
00F99106                 pop     esi
00F99107                 pop     ebx
00F99108
00F99108 locret_F99108:                          ; CODE XREF: _0000007:00F990CEj
00F99108                 retn    0Ch

Am I missing a point regarding Cyberheg's tutorial?
Or is there anything else I should mention?

-ByteXorer
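Added example, not code from the post or from Cyberheg's tutorial: a C re-implementation of the loop in the listing above, written to check a transcription against the assembly. It assumes the stdcall argument order (buffer, length, response) read from `[esp+4]`, `[esp+8]`, `[esp+14h]` and `retn 0Ch`; the sample data and the helper names are constructed here. The scan helper reports "not found" when no value in the range updates to the target, which the update function does not rule out.

```c
#include <stdint.h>
#include <stdio.h>

/* One response update, the loop body at 00F990DE..00F990F2:
 * ecx += (((ecx << 4) + ecx) >> 9) ^ (ecx << 5) */
static uint32_t next_response(uint32_t r)
{
    return r + ((((r << 4) + r) >> 9) ^ (r << 5));
}

/* In-place transform of nbytes/4 DWORDs (assumed stdcall args: buffer, length,
 * response).  sum (eax) starts at 0; each DWORD is XORed with the updated response,
 * the plaintext DWORD is added to sum, and sum is XORed into the response. */
static void sentinel_crypt(uint32_t *buf, size_t nbytes, uint32_t response, int decrypt)
{
    uint32_t sum = 0;
    for (size_t i = 0, n = nbytes >> 2; i < n; i++) {   /* shr ecx, 2 */
        uint32_t in = buf[i];
        response = next_response(response);
        buf[i] ^= response;                  /* [edx-4] ^= ecx */
        sum += decrypt ? buf[i] : in;        /* add eax, <plaintext>: only plaintext feeds sum, so decrypt==0 encrypts */
        response ^= sum;                     /* xor ecx, eax */
    }
}

/* Scan initial responses lo..hi (inclusive) for one whose first update equals
 * target; returns 1 and sets *out, or 0 when nothing in the range maps there. */
static int find_initial_response(uint32_t target, uint32_t lo, uint32_t hi, uint32_t *out)
{
    for (uint32_t r = lo;; r++) {
        if (next_response(r) == target) { *out = r; return 1; }
        if (r == hi) return 0;
    }
}

int main(void)
{
    uint32_t data[2] = { 0x00000000, 0x00000005 }, r0;  /* constructed sample */
    sentinel_crypt(data, sizeof data, 1, 0);
    printf("encrypted: %08x %08x\n", data[0], data[1]);
    sentinel_crypt(data, sizeof data, 1, 1);
    printf("decrypted: %08x %08x\n", data[0], data[1]);
    /* The post's case: the first DWORD 0x3698ECAA must decrypt to 0, so the
     * first updated response must be 0x3698ECAA.  Full 32-bit scan, a few seconds. */
    if (find_initial_response(0x3698ECAAu, 0, 0xFFFFFFFFu, &r0))
        printf("initial response: %08x\n", r0);
    else
        printf("no 32-bit value updates to 0x3698ECAA\n");
    return 0;
}
```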
Tags
sentinel, spro, unshell

