#1
Hi
Check this out (it might give you some reference):
Also some little explanation:
Extra
Quote:
#2
Quote:
#3
Quote:
Btw there's no rule like that, so you will not get banned. Actually that rule means ONLY "THANK YOU" posts are culprits, not others! Have a nice day.
Edit: Really appreciate that you removed that post! Really nice of you.
#4
Guess what, it's complete manual IAT fixing/rebuilding (whatever you wanna call it). And hell yeah, no tools except Scylla.
So I hope the same works for x86. Thanks for all the cheering up. The dump is not polished, it still gets access violation errors and stuff, but it runs (duh). Here goes the proof, attached. I know, I know... it's fucked up, but still better than being stuck at some Scylla imports; well, it's something way better to start with, if you ask me. Don't forget to add some reputation to me if you like it. I just need Rept. 11 to download that GIV script. That's all I need for now. Once again @abhi93696 thanks for the support man. It's all about our actions, and actions speak louder, isn't it buddy?
Last edited by Benten; 10-30-2017 at 00:07.
#5
Quote:
Now tell me, isn't this achievement better than if someone had provided you a tut and then you had reversed it?? Maybe your dump is not a polished one, but now at least you can say "I DID IT! MYSELF". Take this in a positive way buddy.
Quote:
BR
#6
@Benten I did some quick steps (7.0.6 32 bit):
1. You need a registered version (there are secure sections that determine which features you have, for example at 0x404D63). You can obtain this by buying the program and unpacking the registered version, OR by brute forcing the symkeys and replacing the ECDSA parameters and unpacking that registered version (make sure not to click the update button).
2. Get to the entry point (standard protection, so quite easy); it is 0x4038C4.
3. Fix the import elimination (redirect them with UIF to the section of size 0x10000 where the entry point originally is).
4. Redirect the code splices (you can use another arma section near the end of the file).
5. Dump + fix (make sure to check the 'use original thunk' option in Scylla or you'll get a crash).
6. Now you will crash: "Access violation at address 00536A4D in module 'ezcd_reg-dump_SCY.exe'. Read of address 00000000."
7. Hint to fix this and fully register: look into what ArmAccess.dll is.
#7
Finally the Lord heard me...
Thank you Mr. Exodia, I put a lot of effort into learning. You coming here to help means a lot. This is the best present ever. Don't know what to say, I am so excited. Thank you for your time. I am a big fan of your work. You are amazing. Respects, Ben
Last edited by Benten; 11-01-2017 at 01:45. Reason: Mr.Exodia is Amazing
#8
TrapZero FFF Armadillo 9 x64 Manual Unpacking ENG by Ben
As promised here is the x64 IAT Elimination - Manual Unpacking.
This is actually the FFF Tutorial. I've just added a much needed video to it. Also I've identified some patterns to make the search easy. There are crashes so the dump is not perfect, but the unpacking works fine. Maybe locked features are crashing the dump; as Mr. Exodia puts it, it needs more work I guess. I can't do brute forcing, we don't have any PC that good around the coffee shop.
Code:
A great tut by FFF TrapZero.FFF.Armadillo.9.x64.Manual.Unpacking.ENG.Ben
Last edited by Benten; 11-01-2017 at 04:55. Reason: Respects to Mr.Exodia, Mr.Smiling Wolf, TrapZero/FFF, Exetools Family & Regards to my Friend abhi93696
#9
That's not how Secure Sections work. If the program works in trial mode but not once unpacked something got messed up in the process. Most likely it's the splices that haven't been fixed correctly. You can try to simply redirect them to the .pdata section instead of resolving/fixing them. Less likely it's because of some CALL or JMP to imports that for one reason or the other didn't make it into the final dump.
#10
It is possible to make a completely working copy (all features) without needing a key, although it's easier that way. If I remember correctly you need to have a look into GetProtectionVariableA or something like that; there is a string reference to it that might just help you to stop some crashing.
Not going to give it all away though..
#11
Lords are blessing me like never before. First Mr. Exodia and now Mr. Smiling Wolf... It's Xmas with lots and lots of presents... loving it.
Thank you Mr. Smiling Wolf for the help as always. I will try that splices redirection. Can't believe you took some time to do that brute forcing for me, you are so kind as always. Oops, sorry guys, I accidentally broke a rule, hope you guys will let this one pass. It won't happen again, I promise. Mr. CyberCoder, that's really interesting to know. I will definitely give it a try. I am absolutely speechless... I mean the Lord himself did the brute forcing for me and Mr. Exodia almost cracked it for me, how awesome is that for a Xmas.
Last edited by Benten; 11-01-2017 at 13:37. Reason: Respects to Mr.Exodia and Mr. Smiling Wolf.. Regards to ExeTools Family
#12
I was just fooling around the x86 code and struck upon this one. Thought you guys should see it.
There has been absolutely no luck building a clean IAT till now, but I am trying. And no luck using tools either; I've hit my bottom and started using tools, temporarily that is. The point is, I believe nop-ing the mov (below) inside the call that follows push 0x100 unpacks the thing, correct me if wrong, and the errors are still there. If it were splices then that error shouldn't be there if I chose to run, right?
Code:
mov byte ptr ds:[eax], dl
Regards, Ben
Last edited by Benten; 11-02-2017 at 15:21. Reason: Respects to Mr.Exodia, Mr.Smiling Wolf, FFF & Regards to Abhi & Exetools family
#13
I changed "push 100" to "push 0", put a breakpoint on the first occurrence of EB03, run, revert the patch to not trigger CRC checks and you get a 'clean' IAT. You still have to move the IAT with a tool like UIF though...
The push 100 is a call that decrypts a buffer I believe, but I didn't look at it for a long time.
#14
Hey guys,
We had a hell of a party yesterday. OK, back to business. I believe the reason Scylla won't find useful imports is because there is a memory bridge and the IT needs to be rebuilt manually.
At the OEP there are no more splices jmp, and the seemingly innocent API calls, like the one below:
At the OEP
Now if we follow the first call to GetModuleHandleA, we land at the bridge:
The Infamous Bridge
Now if you follow the first long jmp we land here:
The thing I believe is an Emulation.
We get a description on how to defeat this and a program too, but the calls we saw are a new thing I guess: AndreaGeddon IAT Rebuilding
Also I am trying to replace the ECDSA parameters to register this app and then dump it, like Mr. Exodia told me to do, but that takes a lot of learning as well. OK guys, our FAQ link's down; if admin guys see this please fix it. Also can we have a shout box too, it's really cool to have one. And a signature too, I mean I have to edit and add that respect line every time I post.
Last edited by Benten; 11-04-2017 at 06:44. Reason: Respects to Mr. Exodia & Mr. SmilingWolf
#15
Replacing the ECDSA parameters doesn't require you to know anything. AKT has a plugin that comes with the latest version; just drag your exe in the inline tab and let it do the work for you.
As for that 'bridge', it doesn't affect anything for me (seems to be a thing they did themselves, it's not an arma feature afaik). I used UIF to rebuild the imports and just checked the box for direct addresses and that did it.
Tags: armadillo, armadillo unpacking, import elimination, tutorial request