Exetools

How to become a solid cracker (Advices for beginners).txt (https://forum.exetools.com/showthread.php?t=2477)

uban 08-24-2003 22:29

Tutorial - wassup?

May I remind the involved ones of the announced Tutorial? Excuse my impatience....

Uban.

taipan 08-25-2003 01:55

well...IMHO exeshield v2.8a downloaded from their server is NOT xprotected.

size of my exeshield.exe: 1111478 bytes (2003/08/18 13:21)

xprotector (v1.05):
- clears interrupt 1 (set offset to 0xFFFFFFFF)
- clears interrupt 3
- hooks interrupt 0e (page fault)

- hooks NT service 0xba (NtReadVirtualMemory)
- hooks NT service 0x101 (NtTerminateProcess)

- creates file %windir%\system32\drivers\xprotector.sys if not exists
(ring0 driver)

- creates a lot of (20+) threads, beside the original ones.
Exeshield.exe has only 1 thread.

To bypass this exeshield.exe's protection, you only have to change
kernel32!IsDebuggerPresent API's return value.

See attachment.
I have WinXp, used windbg.

dynio 08-25-2003 15:31

OK girls and guys.... Sorry for the looong delay with tutorial... Check the "General Discussion Forum" within one hour. I'll post there whole tutorial. Also, I see there are still some questions like: "it's Xtreme Protected"? To make You sure, within one hour I'll upload my version to the FTP under ExeShield2.8.
Taipan: my version creates more than 20 threads.
Gorge: everything is just fine, I think we are missing the points sometimes... :)

Regards.

dynio 08-25-2003 19:12

The tutorial was posted. I'm still encountering problems with uploading ExeShield 2.8a to FTP (password doesn't work). I'll be still trying.

Taipan:
The ExeShield.exe file I'm talking about and describing in tutorial is 2.629.632 bytes long.

And guess what? I've visited their site now and they have removed Xtreme Protector envelope in 2.8b. I dunno why??

I'll upload the version I'm talking about to the FTP.

Danzig 08-28-2003 02:29

Quote:

Originally posted by dynio
And guess what? I've visited their site now and they have removed Xtreme Protector envelope in 2.8b. I dunno why??
Quote from the X-Protector site: -

"As special offer, we give you the opportunity to get your program fully protected for free with Xtreme-Protector and release your product on internet and see the results that you get. If after a month or so you are satisfied with the results, you can buy Xtreme-Protector, if you are not happy you give us NOTHING."

I guess their trial ran out ;)

dynio 08-28-2003 17:08

Exactly, man.... and I suppose they have heard (or maybe read this forum) that 2.8a was pulled out of Xtreme Protector. Anyway, I'm still VERY surprised they used XProtector.

Greetings.

Lunar_Dust 08-28-2003 20:41

LOL. What a challenge they put forth, kinda egotistic...especially if they were prior crackers themselves (dyn!o's hint in the tute). Perhaps Daemon? or +Splaj from Fravia board? hmm...

-Lunar

dynio 08-29-2003 17:13

Lunar Dust: You missed :):).

Of course I could be wrong because HE DOESN'T KNOW ME, nor do I know him... But I'm pretty sure I've traced him... :) If You know the reversers/crackers scene for at least 3-5 years You should guess him too... He always wanted to be on the top (and he did it), also he was VERY OFTEN OFFENDED. Please don't ask me... :)

Regards.

Lunar_Dust 08-29-2003 23:11

I can still dump an xprotected app using a little trick up my sleeve :) of course it still has some junk bytes. All in good time.

Also, they are not the only ones who can write system drivers.

-Lunar

dynio 08-30-2003 22:24

Sure they don't.
Also, it is not impossible to write an unpacker... The driver should only gain the lowest control, it doesn't need to be full of procedures - I see using this level only for initialization, then giving back full control to the main thread. Most of the people are scared of XProtector because SoftIce extensions don't hide this debugger - then legends about XProtector are being written... :)
Syd (Stripper author) was the first one writing an efficient ASprotect unpacker with device driver routines. And I have a big respect for him for that.


All times are GMT +8.