ARTeam Tutorial

Visit: http://cracking.accessroot.com | http://forum.accessroot.com

< Unpacking EXESHiELD v3.x SiLENT>


Information: Unpacking EXESHiELD v3.x SiLENT
Target: DVD Cover Searcher Pro v2.2.3
Available: http://intechhosting.com/~access/ARTeam/tools/dvdcoversearcherpro-trial.zip
Tools: OllyDbg 1.10, Brain, 1 pack of smokes.
Protection: EXESHiELD v3.x
Level: Intermediate - Advanced
Category: Unpacking
Author(s): MaDMAn_H3rCuL3s, May 2005
Requirements: Windows XP, IE 5.5 and above for best viewing


1. Introduction


The remaining sections of this tutorial are:
1. Introduction.
2. Finding EXEShield's OEP, bypassing Debugger detection trick.
3. Recovering our lost exe.
4. Running our unpacked exe.
5. Conclusion.

First off.. I want to thank my Home-Slice... Fatmike.. without him this tutorial wouldn't be possible.  The reason I label this as SiLENT is simple.  Without any debugger or packer detector you would never know it was EXESHiELD.  There is no nag to go by.

EXEShield .... hmm, let's see... trying not to write a book on the subject... here's a brief synopsis of it.

1. It wraps the exe in itself.

2. Writes the real exe to a tmp file it creates, bytes at a time.

3. When it is shut down.. so is the tmp file.

There, was that brief enough?  Also it has a few tricks.  They are nothing fancy.. just tricks.  If your Olly is hidden well enough you have nothing to worry about.



2. Finding EXEShield's OEP, Bypassing a debugger trick.

OK.. as usual we start out at the EP of the protector:

What we are gonna do now is execute the PUSH EAX instruction.

Then follow ESP in dump:

Now we will hit F9 till we reach the end of the first encryption layer:

First break^


Second Break^


Third Break^


Fifth Break (also end of first encryption layer...after we execute the JMP EAX of course)


After executing the JMP EAX (by hitting F7) we land here:

After landing here by executing the PUSH EAX (by hitting F7) we now need to set another HW BP to get to the end of the second encryption layer.  To do this we will hit F7 till we execute the PUSHAD.

Like above^


Now we will follow ESP in dump once again, and set a HW bp on it again.


Then we will hit F9 till we land at the end of the second encryption layer.


Our encryption is coming to an end.  If we execute through the RETN using F7 we will land at a very recognizable spot:

But I might add.. this is not our OEP :(... I know.. I know... This is EXEShield's OEP.  The app we are unpacking is written in VB P-Code.  So now what?  Well, we move on.  EXEShield will have to try to access/read from the real exe sometime, right?  OK.. let's move on.


The next step for this Chapter is to correct a problem EXEShield has with debuggers.. particularly Olly :). So what we will do now is search for all referenced text strings and look for the debug string it gives us.

So now right click in CPU window and "Search for - All referenced text strings".  And we will search for "crack".  Like below:

Then scroll up to the top of the output text strings:

search for "crack"


This is the detector if your Olly wasn't hidden enough.  So double click on the string:


The JBE is all we wanna change.  Like above, make it a JMP.

Now set a BP on this jump.  But before we do that we need to erase our HW BP's we made to get here, or else we will break quite a few times more than we want to.


Then hit the delete buttons on each one.

Now we can proceed.

So hit F9 and break on the JBE (now JMP).


Trace it out and get past this section (hit F7 once).


Now we have successfully tricked EXEShield.  Now all that's left is to find our real exe.

If you haven't already.. go smoke.  this next section is quite long :)



3. Recovering our Lost code

Now we are on to the more challenging part of this tutorial.  It was very easy at first, but now.. we actually have to do something new.  Well, our objective now is to remove the protection from this app.  I must say the title is a little more of a gotcha.  We really aren't unpacking anything here.  We are simply intercepting EXEShield and the exe :)  More or less ripping the code.

You follow?  prolly not..  but anyways here it goes.  Section 3.

Well, we are now past the debugger check.  Now we need to find where EXEShield talks to the real exe so we can intercept the code flow.  It sounds hard, I know.  But believe me.. it's very easy.

To accomplish this feat.. we will need to use 2 breakpoints, and only 2.  We could do this with only one, but for this tutorial I will show you this way.

Our 2 breakpoints are......

*drum roll*

WriteProcessMemory

VirtualProtectEx


There ya go.  You will soon see why...  But first, here's a little info about the two APIs I have chosen for this feat.


First things first.  Go to your installed directory and find a file labeled as *.tmp.  There should be one. (note: in v2.2 tmp file was named xshld***.tmp...... here it kept the name of the exe)

So now, ladies and gentlemen... any ideas what this is?  Here's a hint.. In this same directory make another folder..... call it, say, "new folder" and in this folder place a copy of the tmp file.  Now rename the file to the correct exe name "DvdCoverSearcherPro.exe".  Now what happened?

Yes the tmp file picked up the icon of the real exe.  Now don't go getting all wet in your panties just yet... Go ahead and open it up in Olly... What do you see?


Yup, just an empty frame for the exe.  But this is good: we now know what EXEShield is writing to.  Now let's use our evolved brains and try to think what API it would use to write the code over to the tmp file....  Also.. you will notice that our imports aren't touched here :)

So all we need to do is recover the unwritten code.

If everyone is ready... lets get it on!


We are at the same location we were before: the call we land at right after the JBE (JMP after the patch).

In your command Box type in:

BP VirtualProtectEx

BP WriteProcessMemory


We first break on VirtualProtectEx.

All these are pretty much useless to us right now.  Continue to hit F9 till you see this:

As you can see (hopefully) our OEP is 00401204 (you saw this in our tmp frame).  The things most important to us in this little picture are that our OEP is held by the "address" and our size is held by.. well, the "size" (just in case you were lost), and we are gonna write 1229 bytes to the tmp file.  So now we need to do some math (it is very important that you calculate this correctly or else our tmp file will crash).

So:

00401204 + 1129 = 0040232D

So we know where our code ends.  All we have left is to find the code, rip the correct amount from it and paste it into our frame.

The next BP we use will be WriteProcessMemory.  From this BP we find our "OEP" of stolen code (by OEP I don't actually mean OEP.. but more or less our beginning of code.. make sense?)

So now hit F9 to break on WriteProcessMemory.

You should land here:

Now since we are crackers here, you know a little bit about this API.  It's writing over 4 bytes here, starting from 0047BB00, and the address it's writing to is our OEP of the real exe.  So how do we find our bytes?  Really easy.. just follow the buffer in disassembler, because our buffer is holding our real bytes.  So using again our superior math skills we add the OEP we get here and the size written, which we obtained from VirtualProtectEx.

So:

0047BB00 + 1229 = 0047CD29

Now to find these bytes we will follow our buffer in Disassembler.

And then lo and behold......

*insert any kind of dance music you like here*


I don't know about you but that looks like VB startup code to me.

So it looks like we found our missing code.  All we need to do now is copy it over from the protected exe to the tmp file.  So using the super cool formula I gave you before:

0047BB00 + 1229 = 0047CD29

So in other words.. highlight this "OEP" up until 0047CD29 ( or highlight 0047BB00 until 0047CD29)

Then right click "binary - copy".

Then we open up our tmp/almost completed exe file in Olly and paste the code we just copied back.

Like so:

It isn't as important where you paste back the code as it is where you copy it from.  It's easier to hold down shift and hit the "end" key.  Then just right click the selected code, "binary - paste".  So all that's left is to save our new exe file.  Hopefully you know how to save changes.
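The address math of this section done as code, added here by the editor and not part of the tutorial or ARTeam's tools.  Only the two addresses and the size (00401204, 0047BB00, 1229 hex) come from the text; the section tables, the empty frame and the packed bytes are constructed stand-ins, and the range checks guard against the miscalculation the author warns will crash the tmp file.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Section:
    name: str
    va: int        # section start as a virtual address (image base included)
    raw_ptr: int   # PointerToRawData: file offset of the section's bytes
    raw_size: int  # SizeOfRawData

def find_section(sections, va):
    """Section whose raw file data backs this virtual address, else ValueError."""
    for s in sections:
        if s.va <= va < s.va + s.raw_size:
            return s
    raise ValueError(f"VA {va:#010x} is not backed by file data")

def range_to_file_offset(sections, start, end):
    """File offset of [start, end); both ends must lie in one section, else a file slice != memory."""
    s = find_section(sections, start)
    if find_section(sections, end - 1) is not s:
        raise ValueError(f"{start:#010x}-{end:#010x} crosses a section boundary")
    return s.raw_ptr + (start - s.va)

def rip_range(vpe_address, vpe_size, wpm_buffer, wpm_target):
    """VirtualProtectEx gives destination+size, WriteProcessMemory the source buffer;
    the two must agree on the destination. Returns (src, src_end, dst, dst_end)."""
    if wpm_target != vpe_address:
        raise ValueError("WriteProcessMemory target differs from VirtualProtectEx address")
    return (wpm_buffer, wpm_buffer + vpe_size, vpe_address, vpe_address + vpe_size)

def paste_into_frame(frame, frame_sections, packed, packed_sections,
                     vpe_address, vpe_size, wpm_buffer):
    """Copy the ripped bytes from the packed image into the empty tmp frame."""
    src, src_end, dst, dst_end = rip_range(vpe_address, vpe_size, wpm_buffer, vpe_address)
    src_off = range_to_file_offset(packed_sections, src, src_end)
    dst_off = range_to_file_offset(frame_sections, dst, dst_end)
    out = bytearray(frame)
    out[dst_off:dst_off + vpe_size] = packed[src_off:src_off + vpe_size]
    return bytes(out)

# Constructed (hypothetical) section tables around the tutorial's addresses and size.
FRAME_SECTIONS = [Section(".text", 0x00401000, 0x400, 0x2000)]
PACKED_SECTIONS = [Section(".data", 0x0047B000, 0x400, 0x2000)]

def demo():
    frame = bytes(0x2400)                                  # empty frame, like the tmp file
    packed = bytes((i * 7) & 0xFF for i in range(0x2400))  # stand-in for the packed exe
    return paste_into_frame(frame, FRAME_SECTIONS, packed, PACKED_SECTIONS,
                            0x00401204, 0x1229, 0x0047BB00)
```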

Now, ladies and gentlemen, this concludes this section.  In the following section we will run our rebuilt exe and then love life.



4. Running our unpacked exe.

Well this section is mostly here cause I hate long sections.  So I split it up a bit as to make me feel good :).  We left off, our exe just had the original code replaced.  And was ready to run.  So go ahead and run our rebuilt exe.


Doesn't this just bring tears to your eyes?  Now if this is like the last version.. it ain't over yet.  We successfully removed the protection from it; now our dear friends at cheapshareware are gonna make us crack it also.  (btw the exe is VB P-Code if I forgot to mention)  I won't get into this since it is beyond the scope of this tutorial.  You now know how to remove the EXEShield protection.  I am very excited to see a new version come out (EXEShield I speak of).  This was a rather interesting protection.  I would like to give a "what's up" to the authors.  Nice protection guys.

Well, my job is done.  I hope you learned something good from this, and are not just some newbie who got a hold of daddy's debugger and started reading tutorials.. and well.... you know...  If anything, at least understand it.  Don't just crack cause you read a tutorial on how to crack one thing.

This tutorial is meant as a learning guide for us "Experienced reversers"


5. Conclusion.
Lesson Learnt

1. You learned a lot here I hope.  Please.. Please... DO NOT CRACK (Kidding)

2. You learned EXEShield is a nice protection, but not impossible.  There is always a way.

3. If you already knew this info.. then i am sorry for taking up your time.

4. Last but not least.. if you "find" a better way.. do not create a tutorial using this idea (kidding again)



8. Greetingz

[MAIN TEAM]
[Nilrem] [JDog45] [Shub - Nigurrath] [MaDMAn_H3rCuL3s] [Ferrari] [Kruger] [Teerayoot] [R@dier] [ThunderPwr][Eggi] [EJ12N] [Stickman 373] [Bone Enterprise]

[TSRH] [some 0day grps] [BriteDream] [Exetools] [CUG] [Ricardo] [SnD] [fly] [PEdiy forums] [MEPHiST0] [Fatmike] (sup dude)