Unwrapping PACE Interlok v5.5.0.2618


OHPen
May 3rd, 2007, 17:23
Hi,

Actually I'm playing with PACE Interlok, due to the fact that there isn't as much information as for many other commercial protections. So it seems to be a pretty nice target...

I'm sitting in front of a DLL which is protected with the PACE wrapper. My first step is to defeat the sice detection. The information for older versions of PACE iLok seems not to work for my target.

For anti-debugging, TPkd.sys version v5.5.0.2618 is used, which seems to be the newest I've ever seen. Only a few layers of the driver are encrypted, but most of its code remains unprotected.

Does someone have any suggestions for me on where to start?

Regards,

OHPen

PS: If you are interested in the target I'm playing with, PM me.

OHPen
May 3rd, 2007, 17:36
The decryption of the main function of the DLLs takes place in DllEntryPoint. As you can see, the code is not very readable due to that "jump" obfuscation, which is not really an obfuscation, but it makes the code less readable...
We start here:

Code:

_text:108EFD3E ; =============== S U B R O U T I N E =======================================
_text:108EFD3E
_text:108EFD3E ; Attributes: bp-based frame fpd=6Ch
_text:108EFD3E
_text:108EFD3E ; BOOL __stdcall DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
_text:108EFD3E public DllEntryPoint
_text:108EFD3E DllEntryPoint proc near
_text:108EFD3E
_text:108EFD3E var_A8 = dword ptr -0A8h
_text:108EFD3E var_28 = dword ptr -28h
_text:108EFD3E var_24 = dword ptr -24h
_text:108EFD3E var_C = dword ptr -0Ch
_text:108EFD3E var_8 = dword ptr -8
_text:108EFD3E var_4 = dword ptr -4
_text:108EFD3E hinstDLL = dword ptr 4
_text:108EFD3E fdwReason = dword ptr 8
_text:108EFD3E lpReserved = dword ptr 0Ch
_text:108EFD3E arg_C = dword ptr 10h
_text:108EFD3E
_text:108EFD3E jmp short loc_108EFD41
_text:108EFD3E ; ---------------------------------------------------------------------------
_text:108EFD40 db 80h
_text:108EFD41 ; ---------------------------------------------------------------------------
_text:108EFD41
_text:108EFD41 loc_108EFD41: ; CODE XREF: DllEntryPoint↑j
_text:108EFD41 push ebp
_text:108EFD42 jmp short loc_108EFD45
_text:108EFD42 ; ---------------------------------------------------------------------------
_text:108EFD44 db 0D5h
_text:108EFD45 ; ---------------------------------------------------------------------------
_text:108EFD45
_text:108EFD45 loc_108EFD45: ; CODE XREF: DllEntryPoint+4↑j
_text:108EFD45 jmp short loc_108EFD4D
_text:108EFD45 ; ---------------------------------------------------------------------------
_text:108EFD47 db 0D4h
_text:108EFD48 ; ---------------------------------------------------------------------------
_text:108EFD48
_text:108EFD48 loc_108EFD48: ; CODE XREF: DllEntryPoint:loc_108EFD58↓j
_text:108EFD48 jmp short loc_108EFD60
_text:108EFD48 ; ---------------------------------------------------------------------------
_text:108EFD4A dw 0C181h
_text:108EFD4C ; ---------------------------------------------------------------------------
_text:108EFD4C pushf
_text:108EFD4D
_text:108EFD4D loc_108EFD4D: ; CODE XREF: DllEntryPoint:loc_108EFD45↑j
_text:108EFD4D lea ebp, [esp-6Ch]
_text:108EFD51 jmp short loc_108EFD5B
_text:108EFD51 ; ---------------------------------------------------------------------------
_text:108EFD53 db 0E6h
_text:108EFD54 ; ---------------------------------------------------------------------------
_text:108EFD54
_text:108EFD54 loc_108EFD54: ; CODE XREF: DllEntryPoint:loc_108EFD5B↓j
_text:108EFD54 jmp short loc_108EFD58
_text:108EFD54 ; ---------------------------------------------------------------------------
_text:108EFD56 dw 0F967h
_text:108EFD58 ; ---------------------------------------------------------------------------
_text:108EFD58
_text:108EFD58 loc_108EFD58: ; CODE XREF: DllEntryPoint:loc_108EFD54↑j
_text:108EFD58 jmp short loc_108EFD48
_text:108EFD58 ; ---------------------------------------------------------------------------
_text:108EFD5A db 6Dh
_text:108EFD5B ; ---------------------------------------------------------------------------

Can someone tell me whether this is common for PACE iLok-protected binaries? If so I will write an IDA plugin to clear the unnecessary jumps.
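The pattern in the listing above is a chain of unconditional short jumps with a stray byte or word parked after each one, so a linear disassembler (and a human reader) sees junk opcodes like the dead "pushf" between the real instructions. The cleanup OHPen is describing can be done as a plain text-level pass over the IDA listing: start at the entry, follow every "jmp short loc_..." instead of emitting it, and keep only the instructions the chain actually reaches. The script below is an added example written for this thread, not OHPen's plugin, an IDC script, or any PACE code; its input is the listing quoted above, trimmed to the instruction, data and label lines, and the "next listed address" fall-through it uses is an approximation that is good enough for a listing but that a real plugin would replace with the decoded instruction length.

```python
"""Follow the chain of unconditional short jumps in an IDA text listing and
emit only the instructions that really execute.  Added example for the thread
above; not OHPen's plugin and not part of any PACE/iLok component."""
import re

# DllEntryPoint listing from the post above, reduced to instruction, data
# and label lines (comments and frame-variable declarations dropped).
LISTING = """
_text:108EFD3E jmp short loc_108EFD41
_text:108EFD40 db 80h
_text:108EFD41 loc_108EFD41:
_text:108EFD41 push ebp
_text:108EFD42 jmp short loc_108EFD45
_text:108EFD44 db 0D5h
_text:108EFD45 loc_108EFD45:
_text:108EFD45 jmp short loc_108EFD4D
_text:108EFD47 db 0D4h
_text:108EFD48 loc_108EFD48:
_text:108EFD48 jmp short loc_108EFD60
_text:108EFD4A dw 0C181h
_text:108EFD4C pushf
_text:108EFD4D loc_108EFD4D:
_text:108EFD4D lea ebp, [esp-6Ch]
_text:108EFD51 jmp short loc_108EFD5B
_text:108EFD53 db 0E6h
_text:108EFD54 loc_108EFD54:
_text:108EFD54 jmp short loc_108EFD58
_text:108EFD56 dw 0F967h
_text:108EFD58 loc_108EFD58:
_text:108EFD58 jmp short loc_108EFD48
_text:108EFD5A db 6Dh
"""

LINE_RE = re.compile(r"^\w+:([0-9A-Fa-f]+)\s+(.*)$")   # "_text:ADDR body"
LABEL_RE = re.compile(r"^(loc_[0-9A-Fa-f]+):")         # "loc_XXXX:"
JMP_RE = re.compile(r"^jmp\s+(?:short\s+)?(loc_[0-9A-Fa-f]+)$")


def parse_listing(text):
    """Split the listing into three maps: address -> instruction text,
    label name -> address, and address -> db/dw junk line."""
    instructions, labels, junk = {}, {}, {}
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        addr, body = int(m.group(1), 16), m.group(2).strip()
        lab = LABEL_RE.match(body)
        if lab:
            labels[lab.group(1)] = addr
        elif body.split()[0] in ("db", "dw", "dd"):
            junk[addr] = body
        else:
            instructions[addr] = body
    return instructions, labels, junk


def follow_jumps(instructions, labels, start):
    """Walk from `start`; every matched jmp is followed rather than emitted.
    Returns (linear, stop, visited): the executed (address, text) pairs, the
    first address the chain leaves the listing at (None if the chain ends on
    a terminating instruction or loops back on itself), and the set of
    instruction addresses that were touched on the way."""
    ordered = sorted(instructions)
    linear, visited, addr = [], set(), start
    while addr in instructions and addr not in visited:
        visited.add(addr)
        text = instructions[addr]
        m = JMP_RE.match(text)
        if m:
            name = m.group(1)
            # target outside the listing (e.g. loc_108EFD5B): decode it from
            # the IDA label name so the caller knows where to continue
            addr = labels.get(name, int(name[4:], 16))
            continue
        linear.append((addr, text))
        if text.split()[0] in ("ret", "retn", "jmp"):
            return linear, None, visited
        later = [a for a in ordered if a > addr]   # listing-order fall-through
        if not later:
            return linear, None, visited
        addr = later[0]
    return linear, (None if addr in visited else addr), visited


def deobfuscate(text, start):
    """Summarise one chain: cleaned code, how many jmps were folded away,
    where the chain continues, and what the chain never touches."""
    instructions, labels, junk = parse_listing(text)
    linear, stop, visited = follow_jumps(instructions, labels, start)
    return {
        "executed": [f"{a:08X} {t}" for a, t in linear],
        "jumps_removed": sum(1 for a in visited if JMP_RE.match(instructions[a])),
        "continues_at": stop,
        "junk_bytes": len(junk),
        # instructions IDA listed but this chain never reached (dead "pushf",
        # the loc_108EFD48/54/58 island); they may be reached from code past
        # the end of the quoted listing, so treat this as a hint, not proof
        "unreached": sorted(instructions.keys() - visited),
    }


if __name__ == "__main__":
    result = deobfuscate(LISTING, 0x108EFD3E)
    for line in result["executed"]:
        print(line)
    print(f"{result['jumps_removed']} jmps folded, "
          f"{result['junk_bytes']} junk db/dw entries, "
          f"continues at {result['continues_at']:08X}")
```

On the quoted fragment this yields just "push ebp" followed by "lea ebp, [esp-6Ch]" (the standard frame setup that IDA's "fpd=6Ch" attribute already hints at), with four jumps folded away and the chain leaving the fragment at loc_108EFD5B. The same walk, repeated from each jump target that the first pass never reached, is what an IDC script or plugin would do over the whole function.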

FrankRizzo
May 4th, 2007, 20:09
Quote (originally posted by OHPen): "If so I will write an IDA plugin to clear the unnecessary jumps."


In the meantime, you could take the code and rearrange it without the jumps in a text editor to at least get a flavor for what's going on.

OHPen
May 5th, 2007, 12:03
I just started to remove the unnecessary jumps manually, but this can't be the best solution because there are thousands of lines of code...
It would take ages to clear the code manually.

I'm concentrating on making the deobfuscation tool.

fr33ke
May 5th, 2007, 13:15
Probably you could write an IDC script to fix it. IDC is quite powerful and easier than writing a plugin.

OHPen
May 6th, 2007, 02:50
I was formerly looking at the syntax of the IDA script language, but on this point I don't agree with you. For me IDC seems to be as difficult as writing my own plugin for IDA.

Regards,

OHPen

Exocist
July 3rd, 2007, 19:05
I have a large interest in this, having looked at it quite some time ago. It would be nice to unwrap the driver as you are doing. Quite a few traps exist, however, like playing with the SIDT and keyboard interrupts.

My approach was different, having injected a dll into the target that logged the buffer input/output from DeviceIoControl between the TPkd.sys driver and the wrapped file. This allowed me to fake the driver responses to some extent. However, in later versions of PACE an interrupt call in the wrapped target invokes an unpacking procedure call from the driver.

Anyway, I would be interested in your progress in this and would like to hear of your success with the TPkd.sys driver. To date I have never fully unwrapped PACE, and if the driver can be kept running minus the anti-debug bollocks then it might be the way to go. Good luck!!

cEnginEEr
July 4th, 2007, 02:30
Removing obfuscation from a driver needs hard work; I have already unscrambled the drivers of SENTEMUL2007 & HASPHL2007 (both from www.software-key.org) and Hardlock.sys, and I remember that it took me a hell of 4 days of hard work to finish that of HASPHL2007; automatic detection of junk code (by means of IDC scripts) is not easy, but there are some tricks; scrambling is mostly done by means of macros, so you can try to identify them in your target and then remove them by IDC scripts or by using the DUP patcher; I used the second method.

Regards