Professional Documents
Culture Documents
Unpacking DotFix NiceProtect v2 2 (TallfaZ)
Unpacking DotFix NiceProtect v2 2 (TallfaZ)
DotFix_NiceProtect_2.2
1
Yeah! Another unpacking tutorial from AoRE TEAM.
We will use: OllyDbg, ImpRec, LordPe and AnalyzeThis pluginby Joe Stewart.
Target: Here.
1- While trying to load the target to Olly(original not patched version), Olly will have
this message, take a look to the target with a PeEditor and you will know
why :
2- It’s because of the wrong number of RVA & Size. Change it to 10 save
and reload the app in OllyDbg:
2
4- Now it’s better ;-):
5- So, let’s start real work. Go to memory window and have a look at the
beginning of the section located immediately before the last one: see
picture.
3
7- Now u must analyze the code(Use AnalyzeThis plugin) , then open the “search
command” window(by clicking Ctrl+F) and write “ret”, then keep searching(by
pressing Ctrl+L)
till u reach the last one.
Another trick to reach this place directly is to search for the sequence of
commands: POPFD – PUSHAD: (Ctrl+S)
4
This can’t be the real OEP. However, if we look down we’ll see some C++ usual
instructions and if you’re accustomed with MSV u can see that it’s a MSVC++
5/6. I advice to see a MSVC++ 5 or 6 app with Olly to see the OEP structure.
Anyway, we’ve missed the stolen code & have to restore it.
After some tracing I’ve found it merged with a lot of junk code just before the
“Last ret”.
Analyzewith AnalyzeThis and open the “Search command window”Ctrl+F then type
“mov dword ptr fs:[0], esp”.
A – Because it’s present at the beginning of all entry points of MSVC++ 5/6
application and it will show us from where recuperating stolen code in this
particular case.
5
If you analyze a little the code you will see that:
6
7
To recover our code we must remove the junk one. We’ll use a script that do this
automatically, & then recover it in “peace”. The problem is to locate from where
our code starts. One way is to search for the last “RTDSC” that immediately precedes “mov
dword ptr fs:[0], esp”.
The other fast & sure way is to search for this pattern: EB01??90. So Ctrl+B
and enter the pattern as it is: You’ll find it at 009543D4.
8
When finished, your code will be more VISIBLE, so all u have to do is scroll
down and collect it.
Here are parts of it:
Etc
Etc
9
But at address 009874B5 you’ll encounter an unusual thing, that code hold
instruction translated and executed by a virtual machine.
I will explain a little the principe of this VMNot really complicated in this case.
1) A call that is used as a pointer to fist byte of crypted code bellow it, it
jumps directly to the “push VM_EntryPoint” : in other words, when it’s
executed, the address of the instruction immediately below it is pushed on
the top of the stack(it will be used as a pointer to the first byte that follows it)
2) A push/ret instruction: used as a jump to VM_Entry_Point.
3) A piece of our original code: crypted and of course merged with some
junk useless code.
4) The most important part in all this: it’s our stolen instruction and it’s
equal to “mov ecx, eax”.
10
AND HERE, THE SUMMURY OF THE VIRTUAL MACHINE
TRANSLATION:
REGISTERS INSTRUCTIONS
Eax 04
Ebx 08
Ecx 0C Xor reg, same_reg 01 Reg samereg 00
Edx 10 Mov reg1, reg2 01 Reg1 Reg2 00
Esp Not used! Mov reg, Const 02 Reg Const 00
Ebp Not used! Mov reg1, [reg2] 03 Reg1 Reg2 00
Esi 12
Edi 14
These are all instructions I’ve seen after trying the protector on 3 targets, but
theoretically there is more than this : xor reg, same_reg 01RegSame_Reg00
Here is an example:
Anyway, wait for next paper for more information about this VM.
11
10- So now, and after having all knowledge about how to extract our
original stolen code, we will let a second script do all work, it unpacks +
dejunks + translates VM code + recovers metamorphic code + collects
all code + finally gives & takes to real OEP.not bad I think
“dot_Unfix_niceDeprotector.2.2.txt”
11- Restart the program and run the script and
wait for about 20 seconds.
12
Copy all this go to OEP Open binary edit windowCtrl+E binary paste
OK.
You will notice that all relative instructions are wrong: i.e. direct address
CALLS and JUMPS. To fix this open “Mnemo.txt” and repair errors:
13
Fire up LordPeThanks yoda and wipe section header of all sections between .rsrc
section(the protector doesn’t rename it) and the section added by ImpRecthanks MackT save
and exit.
14
NB: The script is tested OK for C/C++, DELPHI and VB app when all
protections are turned ON.
15
Greeting to all AoRE team and forum members:
ColdFever, Nolimit, sgr2001, azmo and كاتم السر.
16