Since I'm already interested in virtualization, I tried out Thinstall, a program for making portable binaries.
While working with it I became curious about its packing capability, so I asked Tummy to try it.
That's how I learned that besides making portable applications, this program also has a certain level of protection against debugging.
Let's see what principle it uses and how it can be worked around. I didn't write this article myself; it's taken from a foreign website. I found it interesting, so I'm sharing it here.
Contributed by: haggar
Tutorial level: intermediate
=======================
Thinstall 2.521 - manually unpacking
=======================
1. Introduction
Hi folks and welcome to a new unpacking tutorial! Today we will see how Thinstall with double process protection can be easily unpacked. I was losing my nerves with this one, but after some time I realised that the protection can be tricked with a cheap trick. There is one tutorial for single-process Thinstall on the ARTEAM site http://cracking.accessroot.com/ written by MaDMAn_H3rCul3s, which was helpful to me, so you can check that tutorial too.
Tools and target:
- OllyDbg 1.10
- ImpREC
- LordPE
- Target is here http://www.reversing.be/binaries/articles/...01004052979.rar
The target for this tutorial was taken from Teddy Rogers' site, which has a nice collection of unpackmes for practice and fun: http://tuts4you.com. Also, since I'm using his unpackme archive, this tutorial can be published on his site too.
2. Killing Debug Blocker and finding OEP
As I said, Thinstall has double process protection, which acts like a debug blocker feature and doesn't allow us to debug the process that does the unpacking. Thinstall's own debugger (the first process) creates a second process, a debuggee, and that second process performs the unpacking. We need to debug that process instead of the first one. I was busting my ass trying to figure out how to god damn detach the processes, but thanks to my pathetic knowledge about debugging I couldn't find a way. But I was thinking a little: since Thinstall can be single process protection too, maybe there is a way to force double process protection into single? I was examining this Thinstall target and noticed that the debugger process doesn't use the ReadProcessMemory and WriteProcessMemory APIs, so the debugger process is just there for preventing debugging and doesn't do anything else. The second process is the one doing all the work. And I found an easy way to force Thinstall to think that it is single process protection. Let's go.
First, use some plugin to hide Olly from the IsDebuggerPresent API, because Thinstall checks this one a million times. Open the target in Olly and place a breakpoint on CreateProcessA. Run the target and, when the breakpoint hits, return to user code. You will find yourself in the double process protection loop. The snippet below is that whole block of code. You can see that we are in some allocated memory block. Since we are in the CreateProcessA part, double process protection has already started. What we need is to break before that API is called. Place a hardware breakpoint on execution on the first line below and restart Olly. Run and you should break at the start: