ARTeam Tutorial
Visit: http://cracking.accessroot.com | http://forum.accessroot.com

Unpacking EXESHiELD v3.x NON-SiLENT

| Information | Unpacking EXESHiELD v3.x NON-SiLENT |
| Target | CD Cover Printer v1.8 |
| Available | http://intechhosting.com/~access/ARTeam/tools/coverprinter.zip |
| Tools | OllyDbg 1.10, Hide Debugger 1.2, 1 pack Smokes |
| Protection | EXESHiELD v3.x |
| Level | Moderate - Advanced |
| Category | Unpacking |
| Author | MaDMAn_H3rCuL3s, May 2005 |
| Requirements | Windows XP, IE 5.5 and above for best viewing |

1. Introduction

There are four sections in the remainder of this tutorial. First, again, I will start off by saying: Fatmike, thank you again for the info. I am only making this because there are never enough tutorials being written. This tutorial is called NON-SiLENT simply because you are greeted with a NAG, so I decided to add another one to the ARTeam arsenal. Though this tutorial will be almost repetitive of the previous one, some info is changed, and we will use the same BPs to get to our goal. So let us talk about EXESHiELD a bit more. In this particular version, instead of being a silent protection (like in the last tutorial), we are greeted with a nice reminder of the protection: a nag! The tmp file naming scheme I spoke of in the last tutorial is present in this one, where it calls itself "xshld***.tmp"; the stars represent numbers. I am not sure if they are random, because I only did this on my PC: I had 894 as the numbers. So don't fret if you have a different number. Anyway, enough babbling from me; let's get on with the tutorial.

2. Finding EXESHiELD's OEP and Bypassing the Debugger Trick.

Like all my tutorials, I try to be as newbee as possible (yes, newbee is my spelling). So let's start off with the EP of EXESHiELD:
Now what we need to do is let EXESHiELD decompress itself so we can make it to its OEP. This protection sort of mimics PECompact, so the way we get there is by using the stack. We need to execute the PUSH EAX instruction, which in turn lets us use the ESP register for our stack breakpoint. So follow the pictures below and you will see:
We have executed the PUSH EAX instruction.
ESP is now ready for us to use.
Right click - Follow in Dump (ESP).
There are our bytes to set a HW BP on.
Right click the first 2 bytes - Breakpoint - Hardware, on access - Word.
Now our BP is set up. Next we hit F9 till we reach the end of this encryption layer, which (at least in this protection) is marked by a JMP EAX. So hit F9 and follow along:
We land here first. Continue with F9.
Then here. Continue with F9.
And here. Almost there, people. Continue with F9.
There's the end of this encryption layer. Now we hit F7 once so we reach the beginning of the next layer. So hit F7 now and you should be like below:
So what we will do now is use the stack once again to our benefit, to get to the OEP of EXESHiELD. In order to do this we need to execute the PUSHAD instruction. So hit F7 till we are beneath it, like below:
Now we want to follow ESP in the dump again. Just follow along with the pictures:
ESP is ready again for us.
Right click - Follow in Dump.
Now we set our HW BP on these 2 bytes again.
Like before: the first 2 bytes - right click - Breakpoint - Hardware, on access - Word.
Now our BP is set, so we continue with F9 till we reach the OEP of EXESHiELD. Follow along below:
We hit F9 one time and we reach the end of the second encryption layer.
Now continue with F7 till we reach the OEP, like below:
And there it is. We made it this far.
So now we need to kill the possible debugger detection (I say "possible" because if your Olly is hidden well, there is no need to worry), but for the benefit of other readers we will pretend that Olly can't be hidden. :) First we need to remove our previously set HW BPs, or else we will break continuously until we get pissed off. To remove our set BPs we go to the top of Olly and click on the Debug menu. Follow below:
So we click on the Hardware breakpoints option.
Then we hit the "Delete" button for each BP set.
After that, our BPs should look like the picture above.
Now we are ready to proceed. So in the CPU window - right click - Search for - All referenced text strings, like the picture below:
Now we need to scroll up to the top of the output strings and then search for the string "crack", like below:
Then once we find our reference:
We now double click the string...
OK... Now pay attention: we are gonna make the JBE above into a JMP. This is all we need to do. Follow along below:
Then set a BP where the JMP destination is (the CALL).
Now hit the F9 button and let it run till we break on the CALL:
OK, this is where this version gets a bit different. But that I will get into in the next section. Now go smoke, or whatever your pleasure, and come back in 10.

3. Recover Our Lost EXE.

Okay people, had a good break? Let's proceed. I promised a variation of the last tutorial, so here it is. The last tutorial was a silent protection, where unless we actually looked at it we would never know it was a trial version protected by EXESHiELD. In this version we are shown the complete package. A nag will pop up telling us that we are only using the trial version, we need to buy, bla bla bla... Most things remain the same. But... well, just pay attention. We left off having broken on the CALL below the JBE (now JMP). So if we were to hit F9 again, it wouldn't break on any API calls. Why, you ask? Well, we need to activate the protection: by hitting the "Try" button we enable it.
So in the last tutorial we learned that the two APIs we use are VirtualProtectEx and WriteProcessMemory:
They're the same as last time, only repeated for those who didn't catch the last tutorial. Now that you have the basic knowledge we continue on with the tutorial. The basic idea is the same, so set a BP on the 2 APIs in your command box like below:
Now hit the F9 button and we seem to keep breaking until it stops... and then nothing? Now what? Well, if you haven't noticed yet, the nag I speak of has appeared...
Now to proceed we hit the "Try" button.
Like in the last tutorial we will break, but what we are looking for comes after a few breaks. So continue to hit F9 till we land at an area similar to this:
Like before, we know our OEP of the real exe is 00401158 (we know this from the "address"). Also, so we don't forget, we need to go into the installed directory and retrieve the tmp file.
Copy this to another folder and change the file extension from tmp to exe.
We see the icon has been picked up, but it is kind of darkened. This will change as soon as we replace the missing code. :) Now back to our debugging session. We know the OEP is 00401158 and the size is 117D, so math skills here: 00401158 + 117D = 004022D5. Now we have the basics for the real exe output. All that's left is the stolen code. To get it we will use the WriteProcessMemory API to catch it as it writes the bytes over to the tmp file. Since it writes only 4 bytes at a time (which is not enough), we need to rip the rest. So now we are at the VirtualProtectEx BP that we want; our next break will be WriteProcessMemory. From this API we will get our real code plus its "temp. OEP". We then take the temp. OEP and add the size we got before to it, thus getting the end of our code. So we copy from the temp. OEP till our calculated end, and copy it from the protected exe to the tmp file we renamed. Look below for some pictures and notes on each picture... We hit F9 once again now to break on the API:
So from this we know our "temp. OEP", plus we will get our stolen code from the buffer, which contains it all. So take note of the temp. OEP and then right click the buffer - Follow in Disassembler.
Then we will land at our temp. OEP.
Now we calculate the end of the real code by using the formula we used earlier:
00474AD8 + 117D = 00475C55
So now we just simply copy from the temp. OEP till the end, or: 00474AD8 till 00475C55. So just (while holding down the shift key) start from 00474AD8 and hit "Page Down" till you get close to the end, then finish it up with the "down arrow".
Then we right click this - Binary - Binary copy.
OK, now that the code is copied, we open up another instance of Olly and load the tmp file we renamed.
Then (while holding down the shift key) we hit the "Page Down" key till we reach the end we calculated.
Then we will just paste back the code.
Then just right click - Binary - Binary paste.
Now our exe is fixed. :)
We now need to save the changes so it keeps the code.
Then save it as whatever you want. Congrats, you did it. :) But now the question remains... How do I recover the imports? Well, like in the last tutorial, the imports remain intact, like below (while on the OEP of the tmp file, scroll up and you'll see):
:)
You unpacked EXESHiELD yet again. Now our next objective is to make sure our exe runs okay. So before we do that, let's take another smoke break, shall we?
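As an added example (not part of the original tutorial), here is a small Python script that does, from the analyst's side, what the tmp-file step above relies on: it looks for the dropped xshld###.tmp files described in the introduction, checks that each one is really a PE32 image, reads its entry point (the OEP the tutorial gets from the "address" in the WriteProcessMemory break) and computes the OEP + size range used for the stolen-code copy. The PE header it scans is constructed inline for the demo, and the name pattern and PE32-only assumption are mine, not the tutorial's.

```python
import os, re, struct, tempfile

# Dropped-file name described in the tutorial (xshld***.tmp; 894 on the author's PC).
XSHLD_TMP = re.compile(r"^xshld\d{3}\.tmp$", re.IGNORECASE)

# Constructed minimal PE32 header (ImageBase 0x400000, EP RVA 0x1158): demo input only.
SAMPLE_PE = (b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0"
             + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x102)
             + struct.pack("<H14xI8xI", 0x10B, 0x1158, 0x400000) + bytes(0xE0 - 32))

def pe_entry_point(data):
    """ImageBase + AddressOfEntryPoint of a PE32 image, or None if it is not one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return None
    opt = pe + 4 + 20                                     # past signature + COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:   # PE32 optional-header magic
        return None
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    return image_base + entry_rva

def code_range(oep, size):
    """Start and end of the restored code block, computed the way the tutorial does."""
    return oep, oep + size

def find_dropped_images(directory):
    """(name, entry point) for each xshld###.tmp in directory that is a PE32 image."""
    found = []
    for name in sorted(os.listdir(directory)):
        if XSHLD_TMP.match(name):
            with open(os.path.join(directory, name), "rb") as fh:
                ep = pe_entry_point(fh.read())
            if ep is not None:
                found.append((name, ep))
    return found

def demo():
    """Drop the constructed sample as xshld894.tmp into a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "xshld894.tmp"), "wb") as fh:
            fh.write(SAMPLE_PE)
        with open(os.path.join(d, "xshld123.tmp"), "wb") as fh:
            fh.write(b"not a PE image")                   # same name pattern, skipped
        return find_dropped_images(d)

if __name__ == "__main__":
    print(demo(), [hex(a) for a in code_range(0x401158, 0x117D)])
```

Point find_dropped_images at the application's install directory to list the files that the loader wrote out; the entry point it reports is what you compare against the 00401158 the tutorial reads from the API arguments.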

4. Running Our Unpacked EXE.

Now our mission is almost complete. The last thing we need to do is run our exe and make sure it works with no problems. But before we even think about running it, let me warn you: this particular app calls home. So (I know it's P-code) we can still use Olly for this one. Open up the fixed exe in Olly and then search for http.
Right click in the CPU window, then Search for - All referenced text strings.
Then scroll up to the top of the strings and search for "http".
This first string is not the one we are looking for. So hit CTRL+L and search again.
This is the right one. :) You see it calls a URL to report that it's cracked. This URL will log your IP address. So all we will do is change the URL from this one to Yahoo. So double click the selected string and then we will follow it in the dump.
Now that we are in the CPU window, right click the string and follow it in the dump.
Okay... then in the dump:
All we need to do now is change it from this to another URL we know is friendly. So highlight the string in the dump and then hit the spacebar.
Then hit the spacebar.
Now just alter it a bit (but keep in mind you need the "." between each character: the string is stored as Unicode, so each character is followed by a null byte, which Olly's dump shows as a dot).
There, now we have no worries about our IPs being logged here. :) So just save the changes and then it is safe to run it.
There... see, it now directs us to Yahoo.com. Very nice, huh? And you see it runs too. Now, this isn't a cracking tutorial, only an unpacking one. The app is in P-code, which is a bit tough itself. But maybe it's time everyone learns a new thing, huh? :) Well, I hope you enjoyed this tutorial. I hope to bring you many more like it. Take care and have fun!
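As an added example (not code from the tutorial), a Python scanner that does the "search for http" step offline over the file's bytes, catching both plain ASCII strings and the Unicode form where Olly's dump shows a dot (a NUL byte) after every character. The sample bytes and the example.test domains are constructed placeholders, not the target's real URL; the scan only reports what it finds, it does not patch anything.

```python
import re

# "http" as plain ASCII, and as UTF-16LE, where every character is followed by a
# NUL byte that Olly's dump window shows as a dot ("h.t.t.p.:././").
_URL_CHAR = rb'[^\x00-\x20"<>\x7f-\xff]'
_ASCII_URL = re.compile(rb'https?://' + _URL_CHAR + rb'+')
_UTF16_URL = re.compile(rb'h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:'
                        + _URL_CHAR + rb'\x00)+')


def find_urls(data):
    """Return sorted (offset, encoding, url) for every URL-looking string in data."""
    hits = [(m.start(), "ascii", m.group().decode("ascii"))
            for m in _ASCII_URL.finditer(data)]
    hits += [(m.start(), "utf-16le", m.group().decode("utf-16le"))
             for m in _UTF16_URL.finditer(data)]
    return sorted(hits)


def callback_candidates(data):
    """Only the Unicode-stored URLs, the form the tutorial ends up editing in the dump."""
    return [url for _, enc, url in find_urls(data) if enc == "utf-16le"]


# Constructed stand-in for the fixed exe's bytes: an ASCII URL inside a
# schema-like string (the "first string" that is not the interesting one) and a
# UTF-16LE call-home URL. Both domains are placeholders, not the target's real URL.
SAMPLE = (b'\x00<schema xmlns="http://schemas.example.test/1.0">\x00' + bytes(8)
          + "http://callback.example.test/log.php".encode("utf-16le") + bytes(4))


if __name__ == "__main__":
    for offset, enc, url in find_urls(SAMPLE):
        print(f"{offset:#06x} {enc:8} {url}")
```

Run find_urls over the whole file read in binary mode; the offsets it prints are file offsets, which you can then locate in Olly's dump to inspect the surrounding bytes.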

5. Conclusion

Lessons learnt:
1. Well, this was mainly for the purpose of showing the "other" breed of EXESHiELD running around wild out there. I hope it helped to better clarify any issues from the last tutorial on this very subject.
2. Remember that ARTeam is only here for the education of the public. This is a free thing. In no way did this tutorial intentionally mean to hurt anyone.

6. Greetingz

[MAIN TEAM] [TSRH] [some 0day grps] [BriteDream] [Exetools] [CUG] [Ricardo] [SnD] [fly] [PEdiy forums] [MEPHiST0] [Fatmike] (sup dude)