A new packer: ActiveMark
Posted: 2004-6-22 16:21  6642

http://www.trymedia.com/developer.shtml

Actually it is not really new; people on RCE were already studying it last year, there is just no tutorial.

Anyone who is interested, take a look.

Many of Yahoo's games are packaged with this,

for example Lemonade Tycoon II.

Latest replies (3)
#2
Dang :( , I can't download it. Could someone who can download it upload a copy here?
2004-6-22 17:07
#3
It is not a packer, it is an installer builder that supports online downloading. Nothing to make a fuss about.
2004-6-22 17:43
#4
Sorry, but are pll823 and pll621 related? :D

This is not some "installer builder that supports online downloading".

http://get.games.yahoo.com/proddesc?gamekey=lemonadetycoon2

This is a program packed with it.

This is the analysis done by someone on RCE:

1. Facts :

It appears to be protected by ActiveMark from TryMedia. I had a look at it, dumped it,
fixed the import table, fixed the relevant API calls. They actually emulate a few APIs, for which
you can find a translation table in memory (i.e. APINAME, offset of the garbaged emulation),
hence you can easily fix those:

call dword ptr is replaced by nop call emulatedAPI (90 E8 XX XX XX XX).
jmp dword ptr is replaced by nop jmp emulatedAPI (90 E9 XX XX XX XX).
mov dword ptr is replaced by nop mov reg32, Offset emulatedAPI (90 BX XX XX XX XX).

The following detection strings are used; it is easily bypassed:

FilemonClass
RegmonClass
File Monitor - Sysinternals: www.sysinternals.com
Registry Monitor - Sysinternals: www.sysinternals.com
\\.\NTICE
\\.\SICE
\\.\SIWVID
\\.\FROGSICE
\\.\SUPERBPM
An INT3 backdoor is used too.

Loader APIs are checked for soft BPs (1st and 2nd byte... sounds dangerous to me, ah well).
Some API code is replicated in a buffer too (CreateThread for instance, and Sleep).
The entry point is easy to find as well (0x2958D). The image uses a thread for doing some
tasks, and you will find the UPX loader code that decompresses and resolves the APIs of some code
inside (sigh!!!) which is garbaged.

2. Problem :

For some reason, it goes into an infinite loop after being fixed while accessing the file
MAIN.ARF (the seek offsets are different between the trial and the dumped version). I looked at it for
2 days and I can't figure out what it is that I missed. I'd be very glad to get any
input from you guys on this target. It must be a very stupid thing, because the whole scheme
looks plain dodgy (we are very far from a ProtectCD, ASPR, VBOX or SafeDisc wrapping scheme).

The algorithms and anti-debugging it contains:

CRC32 loops, SHA-1 checks on the crypted-tunnel VFS, Rijndael, anti-debug threads, obfuscation and code interleaving are the same. A lot of EB FFs to make disassembling harder. Dumping is very easy; fixing the dump is harder (too hard for me). I think
generating a valid license file (<VID>.lcn) is still the proper way for an
attack. But I'm not that much of a crypto wizard.
2004-6-22 22:50
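The RCE analysis quoted in post #4 describes three 6-byte replacements the protector makes (nop+call rel32, nop+jmp rel32, nop+mov reg32,imm32 pointing at an emulated-API stub) and says they can be reversed with the in-memory translation table. The script below is an added example, not code from the post or from TryMedia: it walks a dumped 32-bit code section, resolves each candidate sequence against a stub-to-API table, and rewrites it back to the IAT-relative form (FF 15 / FF 25 / 8B /r with disp32). The code bytes, the stub addresses in EMU_TABLE, the IAT slot addresses, the code VA and the API names are all constructed for the example; a real fix would read the table and the rebuilt IAT from the dump.

```python
import struct

# Constructed example: a 32-bit image whose code section starts at VA 0x401000.
CODE_VA = 0x00401000

# Constructed stand-in for the in-memory (APINAME, stub offset) table the post
# mentions, keyed the way the fixer needs it: emulated-stub VA -> API name.
EMU_TABLE = {
    0x00405000: "CreateThread",
    0x00405040: "Sleep",
    0x00405080: "GetTickCount",
}

# Constructed layout of the rebuilt import table: API name -> VA of its IAT slot.
IAT = {"CreateThread": 0x00403000, "Sleep": 0x00403004, "GetTickCount": 0x00403008}


def _rel32(ins_va, target):
    """rel32 operand for a 5-byte call/jmp located at ins_va."""
    return struct.pack("<i", target - (ins_va + 5))


def build_sample_code():
    """Constructed code bytes containing all three replacement shapes from the post."""
    code = b"\x6A\x00"                                       # push 0
    code += b"\x90\xE8" + _rel32(CODE_VA + 3, 0x00405000)    # nop; call <CreateThread stub>
    code += b"\x90\xBE" + struct.pack("<I", 0x00405040)      # nop; mov esi, <Sleep stub>
    code += b"\xFF\xD6"                                      # call esi
    code += b"\x90\xE9" + _rel32(CODE_VA + 17, 0x00405080)   # nop; jmp <GetTickCount stub>
    code += b"\xC3"                                          # ret
    return code


# What the section should look like once the three sequences are restored.
EXPECTED = (b"\x6A\x00"
            + b"\xFF\x15" + struct.pack("<I", IAT["CreateThread"])   # call dword ptr [IAT]
            + b"\x8B\x35" + struct.pack("<I", IAT["Sleep"])          # mov esi, dword ptr [IAT]
            + b"\xFF\xD6"
            + b"\xFF\x25" + struct.pack("<I", IAT["GetTickCount"])   # jmp dword ptr [IAT]
            + b"\xC3")


def fix_emulated_calls(code, code_va, emu_table, iat):
    """Rewrite nop+call/jmp/mov-imm sequences back to their IAT-relative forms.

    Returns (patched_bytes, [(va, api_name, new_bytes), ...]).
    A sequence is only touched when its operand resolves to a known stub, so a
    90 E8 / 90 B8 that happens to occur in genuine code is left alone.
    Replacements are 6 bytes in and 6 bytes out, so nothing else moves.
    """
    buf = bytearray(code)
    fixes = []
    i = 0
    while i + 6 <= len(buf):
        if buf[i] != 0x90:
            i += 1
            continue
        op = buf[i + 1]
        va = code_va + i
        if op in (0xE8, 0xE9):
            # rel32 is relative to the end of the 5-byte call/jmp, i.e. va + 6.
            rel = struct.unpack_from("<i", buf, i + 2)[0]
            target = (va + 6 + rel) & 0xFFFFFFFF
            name = emu_table.get(target)
            if name is None:
                i += 1
                continue
            # FF 15 disp32 = call dword ptr [disp32]; FF 25 disp32 = jmp dword ptr [disp32]
            new = bytes([0xFF, 0x15 if op == 0xE8 else 0x25]) + struct.pack("<I", iat[name])
        elif 0xB8 <= op <= 0xBF:
            # B8+r imm32 = mov reg32, imm32; the immediate is the stub's absolute VA.
            imm = struct.unpack_from("<I", buf, i + 2)[0]
            name = emu_table.get(imm)
            if name is None:
                i += 1
                continue
            reg = op - 0xB8
            # 8B /r with ModRM mod=00, r/m=101 (disp32): mov reg32, dword ptr [disp32]
            new = bytes([0x8B, 0x05 | (reg << 3)]) + struct.pack("<I", iat[name])
        else:
            i += 1
            continue
        buf[i:i + 6] = new
        fixes.append((va, name, bytes(new)))
        i += 6
    return bytes(buf), fixes


if __name__ == "__main__":
    patched, fixes = fix_emulated_calls(build_sample_code(), CODE_VA, EMU_TABLE, IAT)
    for va, name, new in fixes:
        print(f"{va:08X}  {new.hex(' ')}  ; -> {name}")
    print("matches expected:", patched == EXPECTED)
```

The mov case depends on the rebuilt IAT: `mov reg32, imm32` carried the stub address as an immediate, and the restored `mov reg32, dword ptr [slot]` only works once the slot at that VA is actually filled by the loader, which is why the import table must be fixed before (or together with) these sequences.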