Cracking 2

home *** CD-ROM | disk | FTP | other *** search

/ Cracking 2 / Cracking II..iso / Tools / ProcDump 1.6.2 / PROCDUMP.TXT < prev next >

Wrap

Text File | 2000-01-17 | 21.0 KB | 592 lines

────────────────────────────────────────────────────────────────────────────── ██████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██╗ ██╗ ███╗ ███╗ ██████╗ ██╔══██╗ ██╔══██╗ ██╔═══██╗ ██╔════╝ ██╔══██╗ ██║ ██║ ████╗ ████║ ██╔══██╗ ██████╔╝ ██████╔╝ ██║ ██║ ██║ ██║ ██║ ██║ ██║ ██╔████╔██║ ██████╔╝ ██╔═══╝ ██╔══██╗ ██║ ██║ ██║ ██║ ██║ ██║ ██║ ██║╚██╔╝██║ ██╔═══╝ ██║ ██║ ██║ ╚██████╔╝ ╚██████╗ ██████╔╝ ╚██████╔╝ ██║ ╚═╝ ██║ ██║ ╚═╝ ╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝ ╚═╝ ────────────────────────────────────────────────────────────────────────────── ProcDump version 1.6 (C) G-RoM, Lorian & Stone in 1998, 1999, 2000 ────────────────────────────────────────────────────────────────────────────── If you expect to print this dox, I suggest you use TERMINAL font with a height of 9. Summary License agreement.......................................... 2 Purpose.................................................... 3 Disclaimer................................................. 3 Requirements............................................... 3 ProcDump Configuration..................................... 4 ProcDump Integrated Process monitor/dumper................. 6 ProcDump integrated PE editor.............................. 7 ProcDump PE/RAW external dump autofix...................... 7 ProcDump unpacker/decryptor................................ 8 ProcDump Bhrama server..................................... 9 Limitations................................................ 10 Credits.................................................... 11 Greetings.................................................. 12 License agreement: ────────────────── ProcDump32 is (C) G-RoM, Lorian & Stone 1998, 1999, 2000. Plugins are copyrighted by their authors. You are allowed to use it freely for personnal use. Commercial use REQUIRES that you first contact us to gain a license. Warez releasing use implies that YOU MUST state clearly that you used ProcDump32 & its plugins. This is too easy to use it and claims that you did it by hand. If you disagree with this... Delete ProcDump32 and design your own code. Please notice that abusing of this license may involves that public distribution will be LIMITED OR EVEN STOPPED. We don't think credits is too much to ask. Contact informations : G-RoM : g-rom@innocent.com Lorian : lorian@gmx.net Stone : stone@miramax.cbs.dk Purpose : ───────── ProcDump is brand new type of tool that allows u to Dump, Unpack some Protected PE files without any need of debugger. What ProcDump can do : ■ Dump any 32 bits running process/module by using the CodeShot engine. ■ Phoenix engine can restore the Import table & PE header. ■ Phoenix engine can reoptimize a PE file and Dump made with CodeShot. ■ Shiva engine can start & unpack a given PE file (at least it tries !!). With the help of script language, u can unpack in a few secs well-known packers and learn to ProcDump how to unpack the others. ■ Alter a given file PE header, kill some object physically. ■ Bhrama server can wait a client send a PID to dump : Client tell to ProcDump when it is good to dump ;). Disclaimer : ──────────── We, the authors, are *NOT* responsible for any damage caused by the use of ProcDump. It was tested with success under Windows 95,98 and NT4 & 5.0. ┌───────┐ ┌─┤CAUTION├─────────────────────────────────────────────────────────────────┐ │ └───────┘ │ │ PROCDUMP32 is a tool help for people who want to unpack/decrypt PE files,│ │PLEASE NOTICE THAT IT IS NOT REALLY INTENDED FOR REAL BEGINNERS. If you are│ │a such person, I recommand that you read CAREFULLY the whole DOCUMENTATION,│ │and to use ONLY the DUMPER & UNPACKER with default OPTIONS. │ └───────────────────────────────────────────────────────────────────────────┘ Requirements : ────────────── This program works fine under : ■ Windows 95 ■ Windows 98 ■ Windows NT 4.0 with restrictions (depend on ur rights on the station). ■ Windows NT 5.0 with restrictions (depend on ur rights on the station). A good brain and some knowledge about the PE format and PE layer is required, if you expect to exploit ProcDump at his full power. ProcDump Configuration : ──────────────────────── Rebuilder options : ■ Recompute object size (DEFAULT ON) This option allow you to say to ProcDump to use Virtual Size for section as physical size. This is necessarry for PACKED PE, because the unpacked size of section is bigger than packed one. You can unselect this option if you are planning to work against a cryptor. ■ Optimize PE structure (DEFAULT ON) This option optimize the PE structure according to the object table in the way to reduce written PE file. If you unselect this option, the PE file will take more space on disk. ■ Check Header Sections (DEFAULT OFF) This option check if PE header contains a non paged area. If it found one, the problem is corrected. ■ Rebuild header (DEFAULT OFF) This option force PE header section reconstruction. This is usefull if the protector clear PE header parts. ■ Import rebuilder method : * No rebuild Doesn't try at all to locate import section, leave the related import informations untouched. * Use import informations (DEFAULT) Read actual import informations, and use them to recreate a valid import table. * Rebuild import table. Detect import table using heuristical criterea and fixup the import ta- ble if found. * Full Import rebuild. Detect import table, generate a new import section, generate import function names & ordinals. There is a BIG chance that generated PE runs perfectly ;). In order to be 100% perfect, RUN PROCDUMP32 From Target di- rectory in this specific mode. Unpacker options : ■ Predump method : * Use external predump You will need to supply a PE/DUMP file with a Valid import table. Import Infos will be stamped in generated PE. * Predump (DEFAULT with delay 0) ProcDump will do the predump to gain the valid import table. There are 2 methods : 1) After user input (delay 0). 2) After a given delay (delay >0 in HEX). ■ EIP confirmation (DEFAULT OFF) When ProcDump reached the original CODE, It can prompt you if u think it is good or not. ■ Layer confirmation (DEFAULT OFF) When u validated the EntryPoint, U can say too that there was not only one protection layer. Generally, U may leave this option unchecked. ■ Ignore Faults (DEFAULT OFF) When a breakpoint/faults occurs, ProcDump32 normally handles the exception (Breakpoint most of the time because some protectors relocate their code). But sometimes, this is source of problems. Some applications indeed create volontary faults to do some special work. With this option set, ProcDump32 will simply ignore exceptions that are not made by itself. Applications that create faults volontary will run normally this way ;). ■ Trace API (DEFAULT OFF) Activate the trace in Ring 0 mode. PE/Raw loader options : ■ Force raw mode (DEFAULT OFF) This force ProcDump to consider input file for REBUILD tool as a dump file. Use only this if ProcDump crash when u try to supply a PE file. ■ Merge code section (DEFAULT OFF) REBUILDed file will have all the image in a single section. Can be usefull to analyze some PE loader. ProcDump Integrated Process monitor/dumper : ──────────────────────────────────────────── The monitor show you in two arrays, the actual Tasks running on your system. When tou select a task, the module list attached to this task is shown in 2nd array. The arrays have contextual menus. ■ Full Dumper The task or module is saved to disk using this name. The dumped file is reorganized and fixed. 1) Just select a task or a module in the arrays. 2) Click right. 3) Select "Dump (Full)". 4) Select the name of the dump. ■ Partial dumper The task or module is saved to disk in RAW format : NO Fixup are applied. 1) Just select a task or a module in the arrays. 2) Click right. 3) Select "Dump (Partial)". 4) Choose the range you wish to dump by editing Start & Length fields. 5) Select the name of the dump. Warning !! I do not recommend that u dump (9x): ■ ProcDump process itself (import trashed anyway). ■ Kernel32.dll process (Access Violation, System Kill). ■ And other system process (Access Violation). It may result in some obvious crash... U were warned. ■ Kill task Allow you to suppress a task from your system. 1) Just select the task you wish to kill. 2) Hit OK if you are sure. WARNING !! Killing KERNEL32.DLL or another system component is equal to system CRASH !! ■ Process Informations Will show you PE informations related to selected process such as : ■ Entrypoint. ■ Image size. ■ Image base. ■ PE directory RVA & Size. ■ PE sections informations. You can save a section to disk too. ■ Refresh list This option refresh task & module list. ProcDump integrated PE editor : ─────────────────────────────── The PE editor allow you to edit an existing PE file and to modify : ■ Entrypoint. ■ Image size. ■ Image base. ■ PE directory RVA & Size. ■ PE sections informations. ■ Save a section to disk. ■ Load a section from disk. You need to supply the file to edit. ■ To change Entry point, Image Base, Image Size Just edit the appropriate field(s) and hit OK. Changes can be applied to PE HEADER only or can be used to Rebuild a new PE file according to PE infos (ex : if you removed a section, it will be wiped in new PE ;). ■ To Edit Directory infos 1) Click on Directory button 2) Edit the fields you need. 3) hit ok ■ To alter section informations 1) Click on Section button 2) select a given section 3) click right 4) Select the appropriate action (EDIT or KILL). 5) Hit ok Warning !! There is no backup made. All modifications apply as soon as you hit OK on PE header editor dialog box AND NOT on the sub dialog !! ProcDump PE/RAW external dump autofix : ─────────────────────────────────────── This allow you to fix an external Dump or to optimize a given PE file. Changes are made according to OPTIONS [rebuilder & Loader]. You just need to browse to your target ;). ProcDump PE unpacker/decryptor : ──────────────────────────────── This module allow you to TRY to unpack/decrypt PE file. ┌─READ THIS FIRST───────────────────────────────────────────────────────────┐ │ │ │Preliminary thing you need to know : Due to weird reason (thanx to M$), the│ │rebuilt of a valid PE file requires that the file is not launched with│ │control from ProcDump32 itself : As a direct concequence, ProcDump32 can't│ │guess if your target is initialized and running :(. That's why we have to│ │predump using user confirmation or after a given delay. The goal of predump│ │is to grab an usuable Import section. So, if u wish to use an external pre-│ │dump, that means that u fixed import table by yourself or by using an exis-│ │ting import table, or any other thing BUT with a valid Import Table. │ │ │ │IE: You can say the external predump is the file you wish to unpack if you │ │ are sure that import section is the same (Generally OK for cryptors). │ │ │ └───────────────────────────────────────────────────────────────────────────┘ Method to unpack/decrypt (AutoPredump): 1) Click the unpack Button. 2) Choose unpacker method : if you don't know the protector name, choose *unknown*.... but please notice that the processing WILL BE SLOW !! ┌─ Options ──────────────────────────────────────────────────────────────┐ │ │ │IF you check the User Conf. Box, Options will be taken from your actuals│ │settings and no more autoadjusted to the specific packer/protector you│ │chose. │ └────────────────────────────────────────────────────────────────────────┘ 3) Select the target. 4) Wait ProcDump request & look nifty output ;). 5) select a name for the unpacked PE file. 6) File is unpacked .... u should try & pray ;) Please note that you can cancel tracing at any moment. I do not recommend that u : ■ Enable Softice/NTICE i3here. Unpacker would miss all breakpoints !!!! ■ Run softICE for a few nifty protector that may detect it. I noticed that unpacking under NT is not that easy coz of some system hooks on a few functions. I didn't checked if it was due to NTICE or if that's NT itself that hooks those APIs. However, If you run both systems and that un- packing is not working under NT, try under 9x. Bhrama Server : ─────────────── Bhrama is a server that allows clients loto instruct when to dump a given task. The allowed possibilities are : ■ Dump Service (1) : Bhrama will grab the Entrypoint, the PID & Dump options. Then will ask you for a filename to save the dump. ■ Partial Dump Service (2) : Bhrama will grab the PID & Dump options. Then will ask you for a filename to save the dump. On the Bhrama dialog box you will see two check boxes : ■ User conf. : ProcDump will ignore uploaded Options & will use instead the one already defined in Options Dialog box. Such option is usefull if you use IceDump (C) The Owl if u need non default option set in. ■ AutoFix PE : If non checked, ProcDump will dump the task in RAW mode. No PE rebuilding will be done. This mode was intended for me to debug... but who knows ;). For details about plugins/clients code, check the bhrama SDK. ProcDump actual limitations : ───────────────────────────── * What ProcDump can't do (yet ?): ■ Restore a working DAtA section in Dump mode. ■ Restore REAL eip in dump mode. ■ Restore Packed Relocs (several converters have to be coded). ■ Unpack a DLL (it's possible but... I need time ;)). ■ Dump a 16 bit process (DOS or WIN 16 bit applications => Size 0 in array). -> for DOS apps, use Softice, cup386,TR or GTR. -> win16 apps.... who cares of those ? ;) To be done : ──────────── ■ Protectors/Packers detector for auto unpacking (project) ■ Reloc Table scanner & rebuilder. (project) ■ Module unpacker. (project) ■ Implement an API breakpoint system. (project) These points are in development... Any help would be appreciated. Especially if u can code : ■ A reloc detector/rebuilder - I wait even ideas ;). Credits : ───────── Project Coordinator : G-RoM Ideas: Tracer engine (orig): Stone Tracer enhancement : G-RoM Tracer Ring 0 (W9X) : Stone Tracer Enhancement : G-RoM with help of Hendr!x & The Owl ! Tracer Ring 0 (WNT) : Lorian Bhrama Server : Stone Rebuilder : G-RoM Low level fighter : Stone :) Interface design : Riz la+ Coding : Shiva engine : G-RoM Shiva engine ][ (9x): Stone with some additions from G-RoM. Shiva engine ][ (NT): Lorian Bhrama engine : Stone and G-RoM. Bhrama Client (asm) : Stone with clean up & addition by G-RoM. Bhrama Client (C) : CyndiG. CodeShot engine : G-RoM Phoenix engine : G-RoM Interface lame code : G-RoM Various : Artworks : ZeCreator & Riz la+ This lame dox : G-RoM How to Contact : G-RoM : G-RoM@innocent.com Lorian : lorian@gmx.net Stone : Stone@miramax.cbs.dk Riz la+ : GOD@WINDOWS.GUI.ASM32.ELITE.CODER.COM ZeCreator : GOD@GRAPHICS.DESIGNER.COM Please note that we don't mail ProcDump32 , We can "eventually" answer to unpacking problem. I precise eventually Coz I already got mails from people who didn't read the dox at all and asked stupids questions. I (G-RoM) won't explain either how I designed ProcDump32 engine. Don't ask for source code either : Even if you saw Stone in coding team, that doesn't mean all his advanced work is for PUBLIC. Moreover, MY CODE is not !! We spent too much time on it to make it public ;). MAJOR POINT : don't mail us to ask TUTORS, we don't have the time to write some. In the same idea, don't contact us to ask HOW to write scripts. Regardless of this, I can answer to technical problems u may encounter with PE format handling, unpacking/protecting. But I suggest you analyze fucking Well PE format DOX before to mail us about such thing. Unless you are ready to pay for my technical assistance, in this case any stupid question can be asked ;). [I doubt a company will contact me... but who knows]. => If (question==TOO_STUPID)│If (question=TOO_STUPID) │cmp question, TOO_STUPID { │then begin │jnz reply NO_ANSWER(); │ NO_ANSWER ; │call NO_ANSWER MOVE_TO_RECYLE_BIN();│ MOVE_TO_RECYLE_BIN;│call MOVE_TO_RECYLE_BIN } │ end; │call exitprocess, 0 │ │reply : Greetings from G-RoM (packed version ;): ──────────────────────────────────────── EliCZ : Thanx for NT2K/NT bugs report... Finally it works (I Think :). Pedro : Good works with all your release ;) Keep on finding such holes ;). NetWalker: Thanx for the dox & for the others infos. Good luck with ur actual stuff ;). Bunter : That fucking TimeZone pb suxxx !! Argghh !! Please move closer to Europe ;). The Owl : Dumper rulez !! I'll try to keep avoiding you to update it too often :). Iceman.ro: Thank you for ur support. I'll check a lot the Suspend & resume thread in IceDump ;). Liu TaoTao : TRW rulez !!! Very good debugger ! Awesome piece of code !!!! Waiting with impatience for your next improvements ;). Lorian : Hummmm... really sad we haven't enough time to code all ours ideas. Bah... We do what we can ;). Stone : Hummm... We are so much busy we don't meet that often in IRC. Bah each time we talk that's kinda interresting and innovative even ;). Keep on thinking/coding this way ;). BeoWulf : Nice work on PE. Keep on working on it... As always major pb is the Time... Damn. VTec : Thanx for all ur reports... I code so much bugs ;). Random : Humm.. long time not updated this greetings. What should I write ? Ah yes... Good luck with chicks ;) Acpizer : Continue ur work with the Win console and, start to work on Ring 0 hardware breakpoint ;). It will kick ass when it will be done. Can u try a idle a bit less ?? ;). Marquis : Tssskk... no new PELock until this summer ? Oh you are lazier or busier than I am ;). Anyway, good luck ;) Jammer : U were the precursor... Thanx for ur support ;) J0B : Deshrink rulez !! However try to fix shinker34 crap ;) Good luck ! Killa : Nice GUI.... Never forget that NT has weird things & reactions ;). I may ask you one day how to do tooltips... if I can't find ;). Hendrix : Thank you very much for the help !! I appreciated a lot !! Iceman.de: Good luck with your PECRYPTOR.... U will need much ;). LordByte : Hummm.... Was time to update here.. Dunno what to type ;). MrNop : You are in suspend mode those days and u plan to resume in Septem- ber : Are you sure that's good for you ? ;) Enjoy your holidays !! Riz la+ : Interface in ASM32 rule like da hell !!! Your skill in this domain is fucking awesome... I may think about CatchNewTCB ;). Ryder : I hope it helped you quite much ;). If you find again a cryptor, tell me. Devil : Keep on cracking with a such Class ;). Miramax : Trainers Rulezzzzzz !!! Design too !! Hey seems my virus is kinda under controllllllllllllllllllll................. (shit!!) Protector Coders : I suggest that you really think about something nice & compatible. Never forget that we are under an instable OS ;). Never forget too that If your code run, It can be defeated/unpacked/uncrypted. So I suggest you really think of the other side too... How would you do to unpack/decrypt ;). BetaTeam : Thanx for all bugs report guys ! Without ur test, ProcDump32 would not be as efficient as it is. hiho to : #real<censored>, #ukc Other groups I am in, Groups I were in, NuMega technologies (Softice owns but well... fear TRW :), guys & girls I may know somewhere in the world ;).