MUP of

DotFix_NiceProtect_2.2

1
Yeah! Another unpacking tutorial from AoRE TEAM.

We will use: OllyDbg, ImpRec, LordPe and AnalyzeThis pluginby Joe Stewart.

This packer uses 2 ways to detect Olly, IsDebuggerPresent & the

UnhandledExceptionFilter trick, so as most of us are lazy, we will also use a
plug-in to hide OllyDbg such as HideDebuggerby Asterix.

Target: Here.

1- While trying to load the target to Olly(original not patched version), Olly will have
this message, take a look to the target with a PeEditor and you will know
why :

2- It’s because of the wrong number of RVA & Size. Change it to 10  save
and reload the app in OllyDbg:

3- Be sure these options are selected :

2
4- Now it’s better ;-):

5- So, let’s start real work. Go to memory window and have a look at the
beginning of the section located immediately before the last one: see
picture.

6- Go to this address & put a Hardware BP on execution on the first

instruction, then run with Shift+F9 (if you press just F9 you’ll have an
exception, if so, just rerun with Shift+F9 in this case )

3
 7- Now u must analyze the code(Use AnalyzeThis plugin) , then open the “search
command” window(by clicking Ctrl+F) and write “ret”, then keep searching(by
pressing Ctrl+L)
till u reach the last one.

The “Last ret” instruction is at address:

Another trick to reach this place directly is to search for the sequence of
commands: POPFD – PUSHAD: (Ctrl+S)

8- After putting a BP on the “ret”  Run with F9 then when U break  F7

to follow the “ret” and we’re at OEP.

4
This can’t be the real OEP. However, if we look down we’ll see some C++ usual
instructions and if you’re accustomed with MSV u can see that it’s a MSVC++
5/6. I advice to see a MSVC++ 5 or 6 app with Olly to see the OEP structure.

Anyway, we’ve missed the stolen code & have to restore it.

After some tracing I’ve found it merged with a lot of junk code just before the
“Last ret”.

9- CURRENTLY, REPEAT THE STEPS 5-6-7 TILL YOU REATCH :

Analyzewith AnalyzeThis and open the “Search command window”Ctrl+F then type
“mov dword ptr fs:[0], esp”.

Q - Why searching particularly for this command?

A – Because it’s present at the beginning of all entry points of MSVC++ 5/6
application and it will show us from where recuperating stolen code in this
particular case.

You will find it at address =

5
If you analyze a little the code you will see that:

- Between push ecx / pop ecx = junk code

- After each “pop ecx” there’s a jump one byte further  Obfuscation.
- Our stolen code comes immediately after this.
- Sometimes comes a jump over some junk code  also junk code
- And again push / pop ecx
- …

See the picture bellow for more explanation.

6
7
To recover our code we must remove the junk one. We’ll use a script that do this
automatically, & then recover it in “peace”. The problem is to locate from where
our code starts. One way is to search for the last “RTDSC” that immediately precedes “mov
dword ptr fs:[0], esp”.

The other fast & sure way is to search for this pattern: EB01??90. So Ctrl+B
and enter the pattern as it is: You’ll find it at 009543D4.

Q - You may ask why “EB01??90”?

A - The answer is simply COMPARISON. By comparing different apps coded

in different languages, I’ve found that this pattern proceeds immediately and
always the beginning of the stolen junked code.

Run the script named “DotFix_NiceProtect_2.2_dejunker_script”: (when porompted, enter the

address of pattern)

8
When finished, your code will be more VISIBLE, so all u have to do is scroll
down and collect it.
Here are parts of it:

Etc

Etc

9
But at address 009874B5 you’ll encounter an unusual thing, that code hold
instruction translated and executed by a virtual machine.

I will explain a little the principe of this VMNot really complicated in this case.

Bellow the screenshot shows how the virtual machine is called:

1) A call that is used as a pointer to fist byte of crypted code bellow it, it
jumps directly to the “push VM_EntryPoint” : in other words, when it’s
executed, the address of the instruction immediately below it is pushed on
the top of the stack(it will be used as a pointer to the first byte that follows it)
2) A push/ret instruction: used as a jump to VM_Entry_Point.
3) A piece of our original code: crypted and of course merged with some
junk useless code.
4) The most important part in all this: it’s our stolen instruction and it’s
equal to “mov ecx, eax”.

10
 AND HERE, THE SUMMURY OF THE VIRTUAL MACHINE
TRANSLATION:

REGISTERS INSTRUCTIONS
Eax  04
Ebx  08
Ecx  0C Xor reg, same_reg  01 Reg samereg 00
Edx  10 Mov reg1, reg2  01 Reg1 Reg2 00
Esp  Not used! Mov reg, Const  02 Reg Const 00
Ebp  Not used! Mov reg1, [reg2]  03 Reg1 Reg2 00
Esi  12
Edi  14

These are all instructions I’ve seen after trying the protector on 3 targets, but
theoretically there is more than this : xor reg, same_reg  01RegSame_Reg00

Here is an example:

Anyway, wait for next paper for more information about this VM.

11
 10- So now, and after having all knowledge about how to extract our
original stolen code, we will let a second script do all work, it unpacks +
dejunks + translates VM code + recovers metamorphic code + collects
all code + finally gives & takes to real OEP.not bad I think

“dot_Unfix_niceDeprotector.2.2.txt”
11- Restart the program and run the script and
wait for about 20 seconds.

You will have a message like this:

Now click Alt+C or click to go to OEP  open the “BinCode.txt” then

concatenate all bytes & remove “:”.

12
Copy all this  go to OEP  Open binary edit windowCtrl+E  binary paste 
OK.

You will notice that all relative instructions are wrong: i.e. direct address
CALLS and JUMPS. To fix this open “Mnemo.txt” and repair errors:

12- Now you can dump & fix IAT as usual.

13- Some esthetics is obligatory because of the unpacked file size :

packed file = 241Ko & unpacked one = 5.5Mo

13
Fire up LordPeThanks yoda and wipe section header of all sections between .rsrc
section(the protector doesn’t rename it) and the section added by ImpRecthanks MackT  save
and exit.

Make sure rebuilding options are like this:

Click and browse to your unpacked-IATfixed application.

Congratulations, you’ve unpacked

“DOTFIX_NICEPROTECT_2.2. ALL PROTECTIONS ENABLED”

14
NB: The script is tested OK for C/C++, DELPHI and VB app when all
protections are turned ON.

For ASM, the way to unpack is less complex.

Also for if the script doesn’t work, try this way:

1- Just run with F9

2- You’ll have an exception.
3- Put a BP on memory access on the first section(name doen’t matter)
4- Shift+F9
5- Ctrl+F9
6- Apply the dejunker
7- Then try : search for the FS:[0]/last ret or popfd/pushad or pattern
EB01??90
8- Enjoy.

15
Greeting to all AoRE team and forum members:
ColdFever, Nolimit, sgr2001, azmo and ‫كاتم السر‬.

Always special Thanks to GrandPa.

And also special thanks to Teddy Roger for the

great work he’s doing.

Thanks to all our friends all around the world

16