#6
Old 06-11-2006, 19:41
TippeX
Quote:
Originally Posted by caki
Actually, I was thinking of something a bit different TippeX... like logging all access in between protection API and game, and then figuring stuff out from there
well if you have the beginning, the middle and the end all recorded in a nice log file, you can see the instruction 'flow' and what it's actually doing...

example :

[p] Probable. Sf3 Protect.dll as -> c:\Program Files\Breed\Run\PROTECT.DLL
... Analysing ***
[!] Protect.dll Found @ va : .000DA0000h -> Profiling.. please wait
... Export Table : 0014F1200h | Size : 00000008Eh
... IAT : 0014F02D4h | Size : 000000078h
... Import Table : 0014F0000h | Size : 0000002D4h
[i] StarForce Version : 3.03 | Build : 3.03.033.006, 19.02.04

APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : GetProcAddress
-> Retp .000DA4038h
. . Module : 077E60000h -> IsDebuggerPresent
. VA Returned : .001B868A4h

APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : IsDebuggerPresent
-> Retp .000DA403Eh

APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : GetModuleFileNameA
-> Retp .000DA41A4h

APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : GetSystemDirectoryA
-> Retp .000DA41C5h

APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : CompareStringA
-> Retp .000DA5644h
. . String #1 : (00000001Bh) -> c:\Program Files\Breed\Run\
. . String #2 : (000000014h) -> C:\WINDOWS\System32\
. . Result (01) : String #1 < String #2

APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : GetWindowsDirectoryA
-> Retp .000DA41EEh

APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : CompareStringA
-> Retp .000DA5644h
. . String #1 : (00000001Bh) -> c:\Program Files\Breed\Run\
. . String #2 : (00000000Bh) -> C:\WINDOWS\
. . Result (01) : String #1 < String #2

APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : CreateFileA
-> Retp .000DA21AEh
. FileName : \\.\PROSYNC1 | Axs : Read/Write
. . File Handle : 0000000A0h

APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : DeviceIoControl
-> Retp .000DA22B9h
. . File Handle : 0000000A0h | Control Code : 092002400h
In : .000000000h | Size : 000000000h
Out : .00012F9BCh | Size : 000000004h

*** Before DIoC ***

--- DIoC [OUTPUT] DataGram Start ---

.00012F9BCh: 01 00 00 00 | ....

--- DIoC [OUTPUT] DataGram Finish ---

*** After DIoC ***

--- DIoC [OUTPUT] DataGram Start ---

.00012F9BCh: 05 00 00 00 | ....

--- DIoC [OUTPUT] DataGram Finish ---

. DIoC Return Code : 000000001h

APi -> tID : 0000000E0h -> cs:0001Bh -> ADVAPI32.dll : RegOpenKeyA
-> Retp .000DA8022h
. . Key : HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTice
.x. Return Error -> Eax : 000000002h

APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : CreateFileA
-> Retp .000DA3F80h
. FileName : \\.\NTICE0000 | Axs : Read
. . File Handle : 0FFFFFFFFh

APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : CreateFileA
-> Retp .000DA3F80h
. FileName : \\.\NTICE | Axs : Read
. . File Handle : 0FFFFFFFFh

APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : CreateFileA
-> Retp .000DA3F80h
. FileName : \\.\WINICE | Axs : Read
. . File Handle : 0FFFFFFFFh

APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : CreateFileA
-> Retp .000DA3F80h
. FileName : \\.\SICE | Axs : Read
. . File Handle : 0FFFFFFFFh

APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : GetProcAddress
-> Retp .000DA4038h
. . Module : 077E60000h -> IsDebuggerPresent
. VA Returned : .001B868A4h

APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : IsDebuggerPresent
-> Retp .000DA403Eh

APi -> tID : 0000000E0h -> cs:0001Bh -> msvcrt.dll : __set_app_type
-> Retp .0004EDC07h

------------------------------------------------------------------------------

*** First Api Hit @ VA : .0004EDC07h -> True Ep Nearby... Profiling

------------------------------------------------------------------------------

[S] Sf3 Hooked Api Scan Report

[s] -> Scanning d3d8thk.dll
[s] -> Scanning d3d9.dll
[s] -> Scanning protect.dll

r .0004EE048h -> Unknown.. Attempting Calculation
... Sf3 Api Reroute . 001D50D4Ah -> .000DA9000h
.001D50D4A 6883FF9DB3 push B39DFF83
.001D50D4F E9AC8205FF jmp 00DA9000
.000DA9000 EB14 jmp short 00DA9016
.000DA9002 EB04 jmp short 00DA9008

r .0004EE04Ch -> Unknown.. Attempting Calculation
... E9 Reroute .001D6043Ah -> 001D603C0h .. Analysing
... Looks like a copier.. -> KERNEL32.dll -> Ord : 00327h -> SetThreadPriority

r .0004EE050h -> Virgin -> KERNEL32.dll -> Ord : 00138h -> GetCurrentThreadId

r .0004EE054h -> Unknown.. Attempting Calculation
... Looks like a copier.. -> ntdll.dll -> Ord : 0023Eh -> RtlFreeHeap
forwarded -> KERNEL32.dll -> Ord : 00202h -> HeapFree

just some examples (from starforce)...

and so on...
__________________
bleh
DO NOT PM me with questions, leave that in the forums...ESPECIALLY if i dont know you...
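As an added example (not TippeX's tool or StarForce code), here is a small parser for the trace format shown in the post, followed by a classifier that flags the debugger-detection probes visible in it: the runtime lookup and direct call of IsDebuggerPresent, the CreateFileA attempts on the SoftICE device names (\\.\NTICE, \\.\NTICE0000, \\.\SICE, \\.\WINICE), the RegOpenKeyA on the NTice service key, and the read/write open of the \\.\PROSYNC1 driver device. The sample log is a constructed excerpt in the post's format; the line regexes, the device-name sets and the finding categories are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in the format of the post's trace (raw string, so the
# backslashes in device names and registry paths are literal).
SAMPLE_LOG = r"""
APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : GetProcAddress
-> Retp .000DA4038h
. . Module : 077E60000h -> IsDebuggerPresent
. VA Returned : .001B868A4h

APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : IsDebuggerPresent
-> Retp .000DA403Eh

APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : CreateFileA
-> Retp .000DA21AEh
. FileName : \\.\PROSYNC1 | Axs : Read/Write
. . File Handle : 0000000A0h

APi -> tID : 0000000E0h -> cs:0001Bh -> ADVAPI32.dll : RegOpenKeyA
-> Retp .000DA8022h
. . Key : HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTice
.x. Return Error -> Eax : 000000002h

APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : CreateFileA
-> Retp .000DA3F80h
. FileName : \\.\NTICE | Axs : Read
. . File Handle : 0FFFFFFFFh

APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : CreateFileA
-> Retp .000DA3F80h
. FileName : \\.\SICE | Axs : Read
. . File Handle : 0FFFFFFFFh
"""

# Assumed line shapes, derived from the trace in the post.
API_RE = re.compile(r"^APi -> tID : (?P<tid>[0-9A-Fa-f]+)h -> cs:[0-9A-Fa-f]+h"
                    r" -> (?P<module>\S+) : (?P<func>\w+)$")
RETP_RE = re.compile(r"^-> Retp \.?(?P<retp>[0-9A-Fa-f]+)h$")

INVALID_HANDLE = 0xFFFFFFFF
# SoftICE driver device names the trace shows being opened; an open attempt
# on any of them is a debugger check, regardless of whether it succeeds.
SOFTICE_DEVICES = {"NTICE", "NTICE0000", "SICE", "WINICE"}
PROTECTION_DEVICE = "PROSYNC1"  # driver device opened read/write in the trace


@dataclass
class ApiCall:
    module: str
    func: str
    retp: int = 0                       # return address into the caller
    details: dict = field(default_factory=dict)  # '.'-prefixed key/value lines


def parse_trace(text: str) -> list:
    """Group the trace into ApiCall records: one 'APi ->' header, its
    '-> Retp' line and any '.'-prefixed detail lines that follow."""
    calls, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = API_RE.match(line)
        if m:
            cur = ApiCall(m["module"], m["func"])
            calls.append(cur)
            continue
        if cur is None:
            continue  # preamble before the first API hit
        m = RETP_RE.match(line)
        if m:
            cur.retp = int(m["retp"], 16)
            continue
        if line.startswith("."):
            # ". . Module : ...", ".x. Return Error -> Eax : ..." -> key, value
            key, sep, val = line.lstrip(".x ").partition(" : ")
            if sep:
                cur.details[key] = val
    return calls


def _device_name(call: ApiCall) -> str:
    """'\\\\.\\NTICE | Axs : Read' -> 'NTICE'; empty if not a \\\\.\\ device."""
    name = call.details.get("FileName", "").split(" | ")[0]
    return name[4:].upper() if name.startswith("\\\\.\\") else ""


def find_antidebug(calls: list) -> list:
    """Return (kind, func, note) triples for calls that look like debugger
    detection ('antidebug') or protection-driver I/O ('driver')."""
    findings = []
    for c in calls:
        if c.func == "IsDebuggerPresent":
            findings.append(("antidebug", c.func, "direct IsDebuggerPresent call"))
        elif c.func == "GetProcAddress" and c.details.get("Module", "").endswith("IsDebuggerPresent"):
            findings.append(("antidebug", c.func, "IsDebuggerPresent resolved at runtime"))
        elif c.func == "CreateFileA":
            dev = _device_name(c)
            handle = int(c.details.get("File Handle", "0FFFFFFFFh").rstrip("h"), 16)
            status = "absent" if handle == INVALID_HANDLE else "open succeeded"
            if dev in SOFTICE_DEVICES:
                findings.append(("antidebug", c.func, f"SoftICE device {dev} probed ({status})"))
            elif dev == PROTECTION_DEVICE:
                findings.append(("driver", c.func, f"protection driver device {dev} opened"))
        elif c.func == "RegOpenKeyA" and c.details.get("Key", "").lower().endswith(r"\services\ntice"):
            findings.append(("antidebug", c.func, "SoftICE service key looked up"))
    return findings


if __name__ == "__main__":
    for kind, func, note in find_antidebug(parse_trace(SAMPLE_LOG)):
        print(f"[{kind}] {func}: {note}")
```

Run against a full trace, the output reads as a timeline of what the protector checked and whether each check found anything (the INVALID_HANDLE results mark SoftICE as absent), which is the "flow" view the post describes.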