en.txt

SDprotector Pro Edition v1.12 unpacking notes (Chinese/English translation); Armadillo 4.01a (Public Build) manual unpacking
SDprotector Pro Edition v1.12 Manually Unpacking Tutorial by KaGra

Download SDprotector at www.sdprotector.com; at the time of writing, 1.12 Pro Edition is the most recent version.

  
  Hallo, hallo. Nice talking with you again. Well, this time the victim is SDprotector.
  Here I followed a slightly different approach to unpack this protector. What do
  I mean? Here it comes...


  Tools used: OllyDbg v1.10 and ImpRec v1.6f, the OllyDump plugin, the HideOlly plugin (I will not refer to it)


  I ticked every protection option in SDprotector and protected the file. Those
  options are under Options, in the left part of the screen. I didn't touch anything else.
  
  Load the target exe in Olly. In Debugging Options, tick all the exception boxes so that
  execution is not interrupted by any exception (which would otherwise stop and ask you to
  press Shift+F9, Shift+F8 or Shift+F7 to continue). Run the exe. A message box appears saying
  that a debugger was detected. It is hard to find exactly which anti-debugger protection this is.
  I found out that it detects a debugger by taking a CreateToolhelp32Snapshot of the running
  processes and comparing their names (and the titles of the open windows) against a built-in
  string list (Olly is on that list). It also uses SetUnhandledExceptionFilter to detect the
  debugger (a filter installed this way only runs when no debugger is attached, so raising an
  exception afterwards tells the two cases apart), but I tried hard to find out how the
  exception is raised after that API is called, and I didn't find it. So I thought: why not
  run the exe outside Olly, and then just attach to the process?

  Let's do so. I run the exe; a message box appears saying something about a demo version of
  the packer (don't worry, the features we enabled for protecting this file still work), and then
  the main window of the exe appears. Now open Olly. Before you can attach, a message box appears
  saying that a debugger was detected, and the debugger is closed. Run the exe again and open
  LordPE to dump it. Before you even try to dump, it closes LordPE and exits. What is going on?

  It can't be SetUnhandledExceptionFilter or any other exception trick, because the exe is
  not being debugged. So the only explanation that comes to mind is that it has hardcoded
  strings referring to process names or window titles, and a loop that compares every running
  process and window against them. That loop keeps running even though we are supposedly in the
  original exe's code section: the packer has added extra code to the program, and that code
  stays resident and performs this security check in a loop, even though we have already
  passed the OEP.

  And my guess is right. Rename LordPE.exe to something else. Run the exe, then run the renamed
  LordPE: it is not closed. Now do the same with Olly. Damn, it still gets closed. This
  happens because Olly's own image contains strings starting with "Olly" (in its .data and
  .edata sections), and those are what the security loop I mentioned matches against. So open
  Olly, and load Olly itself (yes, you heard right) in the first Olly. Click the "M" button and
  look at the sections of the loaded Olly, shown in the first Olly:


Memory map
Address    Size       Owner      Section    Contains      Type   Access    Initial   Mapped as

00400000   00001000   OLLYDBG               PE header     Imag   R         RWE
00401000   000AF000   OLLYDBG    .text      code          Imag   R         RWE
004B0000   0005B000   OLLYDBG    .data      data          Imag   R         RWE
0050B000   00001000   OLLYDBG    .tls                     Imag   R         RWE
0050C000   00001000   OLLYDBG    .rdata                   Imag   R         RWE
0050D000   00002000   OLLYDBG    .idata     imports       Imag   R         RWE
0050F000   00002000   OLLYDBG    .edata     exports       Imag   R         RWE
00511000   00036000   OLLYDBG    .rsrc      resources     Imag   R         RWE
00547000   0000C000   OLLYDBG    .reloc     relocations   Imag   R         RWE


  Go to the .edata section (the exports; according to the map above, 0050F780 lies in it)
  and search for the string Olly with the case-sensitive option unchecked. You find this:


0050F780  6F 6C 6C 79 64 62 67 2E 65 78 65 00 5F 41 64 64  ollydbg.exe._Add
0050F790  73 6F 72 74 65 64 64 61 74 61 00 5F 41 64 64 74  sorteddata._Addt
0050F7A0  6F 6C 69 73 74 00 5F 41 6E 61 6C 79 73 65 63 6F  olist._Analyseco


  Change ollydbg.exe to something else, e.g. fffffff.exe. Search again in this section:
  we are lucky, it occurs only once. Now go to the .data section and search again for
  the same string. Damn, here it occurs in many places. Change every word that
  contains this string.

  When done, dump the process with OllyDump, with the Import Rebuild option left unchecked.
  Olly is now patched. Rename the dump to anything that does not contain the string Olly.
  Now run the protected exe again until the main window of the crackme appears, then run
  the newly dumped, patched Olly. Wait a little (a few seconds).

  It doesn't detect Olly! If you got something wrong in this part, or get something wrong in
  the following steps, it will detect Olly the next time, and you will have to change ALL the
  patched strings to something else again. I think that once the protected exe finds an exe
  string signature that may be a possible debugger or another "hostile" program, it stores it
  somewhere (registry, memory, I don't know) and remembers it. So do the patch right and follow
  every single instruction in the next lines. But there are patches that fix Olly against this
  protected exe once and for all. One such patch is writing 0Fh bytes over every string that
  would otherwise be replaced. I don't really know why this byte value works so well for us,
  but it works. So patch Olly with 0Fh bytes wherever you should patch (hey, the byte value
  0Fh, not the ASCII character 'F'!).
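  The two techniques the tutorial relies on, the name-blocklist check that closes Olly and LordPE, and the length-preserving string patch that hides Olly from it, as one added example. This is not KaGra's code and not SDprotector's: the blocklist holds only the two names the tutorial saw being closed, the process list and the .edata fragment are constructed, and the real enumeration through CreateToolhelp32Snapshot is compiled only on Windows so the rest runs anywhere.

```c
/* Added example (not KaGra's code and not SDprotector's): a name-blocklist
 * debugger check of the kind the tutorial describes, plus the
 * length-preserving string patch used to hide OllyDbg from it. Blocklist,
 * process list and image fragment are constructed for illustration. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Only the two names the tutorial saw being closed; anything else would be
 * an assumption about the protector's real list. */
static const char *const HOSTILE_NAMES[] = { "ollydbg", "lordpe" };
#define N_HOSTILE (sizeof HOSTILE_NAMES / sizeof HOSTILE_NAMES[0])

/* Case-insensitive search in a buffer of known length (a raw PE image has
 * NUL bytes, so strstr() is unusable). Returns the offset of the first match
 * at or after 'from', or -1. */
static long ci_find(const unsigned char *buf, size_t len,
                    const char *needle, size_t from)
{
    size_t n = strlen(needle), i, k;
    if (n == 0 || len < n) return -1;
    for (i = from; i + n <= len; i++) {
        for (k = 0; k < n; k++)
            if (tolower(buf[i + k]) != tolower((unsigned char)needle[k]))
                break;
        if (k == n) return (long)i;
    }
    return -1;
}

/* Does any blocklist entry occur anywhere in the bytes, ignoring case? */
int image_has_hostile(const unsigned char *buf, size_t len)
{
    size_t i;
    for (i = 0; i < N_HOSTILE; i++)
        if (ci_find(buf, len, HOSTILE_NAMES[i], 0) >= 0) return 1;
    return 0;
}

/* The check on one process or window name. Substring matching is why a
 * renamed LordPE passes while anything still containing "olly" does not. */
int name_is_hostile(const char *name)
{
    return image_has_hostile((const unsigned char *)name, strlen(name));
}

/* Walk a constructed list of process names (stand-in for the snapshot). */
int count_hostile(const char *const *names, size_t count)
{
    int hits = 0;
    size_t i;
    for (i = 0; i < count; i++) hits += name_is_hostile(names[i]);
    return hits;
}

/* The evasion: overwrite every occurrence of needle with one fill byte,
 * keeping the length so no offset or RVA moves (the tutorial's fill byte is
 * 0Fh). Returns the number of occurrences patched. */
int patch_image(unsigned char *buf, size_t len, const char *needle, unsigned char fill)
{
    int patched = 0;
    size_t n = strlen(needle);
    long at = ci_find(buf, len, needle, 0);
    while (at >= 0) {
        memset(buf + at, fill, n);
        patched++;
        at = ci_find(buf, len, needle, (size_t)at + n);
    }
    return patched;
}

/* Worked check on a constructed .edata fragment (module name, then export
 * names): patch it and confirm the blocklist no longer fires. Returns the
 * patch count, or -1 if the image is still detected. */
int patch_and_verify(void)
{
    unsigned char edata[] = "ollydbg.exe\0_Addsorteddata\0OLLYDBG\0";
    int n = patch_image(edata, sizeof edata, "olly", 0x0F);
    return image_has_hostile(edata, sizeof edata) ? -1 : n;
}

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
/* The real walk on Windows: snapshot the processes and test each exe name. */
int snapshot_has_hostile(void)
{
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    PROCESSENTRY32 pe;
    int found = 0;
    if (snap == INVALID_HANDLE_VALUE) return 0;
    pe.dwSize = sizeof pe;
    if (Process32First(snap, &pe)) {
        do {
            if (name_is_hostile(pe.szExeFile)) { found = 1; break; }
        } while (Process32Next(snap, &pe));
    }
    CloseHandle(snap);
    return found;
}
#endif

int main(void)
{
    /* Constructed process lists: before and after renaming LordPE. */
    const char *const before[] = { "explorer.exe", "OLLYDBG.EXE", "LordPE.exe" };
    const char *const after[]  = { "explorer.exe", "OLLYDBG.EXE", "renamed.exe" };
    printf("hostile before renaming LordPE: %d\n", count_hostile(before, 3));
    printf("hostile after renaming LordPE:  %d\n", count_hostile(after, 3));
    printf("occurrences patched in the .edata fragment: %d\n", patch_and_verify());
    return 0;
}
```

  The patch keeps every string the same length, which is the point of overwriting in place rather than editing names in a hex editor: export names and RVAs in the image stay where they were, so the dumped Olly still loads.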

  Now, in the patched Olly that is running, tick all the exception options in Debugger Options,
  and leave the "Ignore also following custom exceptions" list empty.
  
  Now select the process of the running protected exe and attach to it. Do not open any other
  window, because the protected exe may detect Olly: only the Debugging Options window and then
  the Attach window. You are here:


77F767CE   C3               RETN
77F767CF > CC               INT3
77F767D0   C3               RETN
77F767D1   8B4424 04        MOV EAX,DWORD PTR SS:[ESP+4]
77F767D5   CC               INT3
77F767D6   C2 0400          RETN 4
77F767D9 > 64:A1 18000000   MOV EAX,DWORD PTR FS:[18]
77F767DF   C3               RETN
77F767E0 > 57               PUSH EDI
77F767E1   8B7C24 0C        MOV EDI,DWORD PTR SS:[ESP+C]
77F767E5   8B5424 08        MOV EDX,DWORD PTR SS:[ESP+8]
77F767E9   C702 00000000    MOV DWORD PTR DS:[EDX],0
77F767EF   897A 04          MOV DWORD PTR DS:[EDX+4],EDI
77F767F2   0BFF             OR EDI,EDI
77F767F4   74 11            JE SHORT ntdll.77F76807
77F767F6   83C9 FF          OR ECX,FFFFFFFF
77F767F9   33C0             XOR EAX,EAX
77F767FB   F2:AE            REPNE SCAS BYTE PTR ES:[EDI]



  Now press the "M" button and set a memory breakpoint on access on the .text section; the
  original code of the protected exe is in this section. Then go to your clock and change the
  hour, one hour back or one hour forward. We do this because changing the time stops the loop
  of the anti-debugging feature in the running protected exe: the loop seems to check the
  hour, minutes and seconds periodically and then perform the debugger detection. Really nasty;
  it took me two hours to understand this! Now press F9 to run the process. The debugger pauses
  at the breakpoint we have just set, here:



0040111B   C8 000000        ENTER 0,0
0040111F   53               PUSH EBX
00401120   56               PUSH ESI
00401121   57               PUSH EDI
00401122   817D 0C 11010000 CMP DWORD PTR SS:[EBP+C],111
00401129   0F84 AB000000    JE sdprotec.004011DA
0040112F   817D 0C 10010000 CMP DWORD PTR SS:[EBP+C],110
00401136   0F84 86000000    JE sdprotec.004011C2
0040113C   837D 0C 10       CMP DWORD PTR SS:[EBP+C],10
00401140   0F84 B5000000    JE sdprotec.004011FB
00401146   B8 00000000      MOV EAX,0


  
  
  If you hadn't changed the clock, an exception that cannot be handled would occur, and
  after some tracing (you can't stay in one place forever!) the exe would have detected
  Olly and exited. If you fail and try again, change the clock accordingly every time you try.

  
  Yes, we are in the unpacked, original code of the exe. But where is the OEP? As you know, we
  have already passed the OEP, because we ran the exe before attaching the patched Olly. But since
  the exe is only showing a dialog that asks for a name and registration code, it is sitting in a
  loop (the code at 0040111B above is its dialog procedure: it compares the message argument at
  [EBP+C] with WM_COMMAND 111h, WM_INITDIALOG 110h and WM_CLOSE 10h), and not far "after" the OEP,
  because no substantial routine has executed yet that would take the program flow far away
  from the OEP. We are paused at 0040111B. Just look a few lines up. We see this:



004010C2   6A 00            PUSH 0
004010C4   E8 E1010000      CALL sdprotec.004012AA                   ; JMP to kernel32.GetModuleHandleA
004010C9   A3 F3204000      MOV DWORD PTR DS:[4020F3],EAX
004010CE   C705 C7204000 03>MOV DWORD PTR DS:[4020C7],4003
004010D8   C705 CB204000 89>MOV DWORD PTR DS:[4020CB],sdprotec.00401>
004010E2   C705 CF204000 00>MOV DWORD PTR DS:[4020CF],0
004010EC   C705 D3204000 00>MOV DWORD PTR DS:[4020D3],0
