CGSoftLabs Forum

Problem while compressing a x64 DLL from the command line

CGSoftLabs — Thu May 06, 2010 5:19 am

Author: CGSoftLabs

Posted: Thu May 06, 2010 5:19 am

Only if you are a registered user.

Working status on v 1.8.x

CGSoftLabs — Thu Jan 28, 2010 2:38 pm

Author: CGSoftLabs

Posted: Thu Jan 28, 2010 2:38 pm

I'm working at an 32bit Advanced Protection Engine which will use between other a VM implementation;

for a given function, the engine should perform:
1. disassembling and building of a linked list of instructions;
Then perform per instruction (a kind of plug-ins for the engine):
-2. per instruction expander (metamorphism; replace 1 instr with other: one ore more similar) ;
-3. random virtualization of a set of handled instructions (this requires a VM);
-4. obfuscation; insertion of junk (ie ebo1xx) instructions which will make harder analyzing of disassembled code;
-5. anti-cracking; small blocks inserted on the fly between instructions; anti-tracing, seh etc;
7. rebuild the code; link instructions in other order; use jmps between; link virtualized instructions with VM;

the engine should accept customization of how much obfuscation,virtualization,metamorphism to apply;

this engine will help protecting:
- almost every functions in the protection stub;
- EP;
- code inside target;
...making disassembling a pain, mostly to myself

To AV developers

CGSoftLabs — Wed Jan 20, 2010 9:48 am

Author: CGSoftLabs

Posted: Wed Jan 20, 2010 9:48 am

Please contact me for older vesions of eXPressor, or any other questions.

About fake virus detection of your packed/protected software

CGSoftLabs — Wed Jan 20, 2010 9:40 am

Author: CGSoftLabs

Posted: Wed Jan 20, 2010 9:40 am

Yesterday I have contacted some AV companies: McAfee, Sophos, F-prot regarding this problem; they are lazy companies which doesn't handle all packer/protectors; it's true that eXPressor isn't such popular but this is not a reason not to learn your software to scan inside protected files; that's why, first virus found packed with eXPressor becomes a signature in their database and after that, all apps protected will be seen as that virus; in other words virustotal.com shows you which av software is good and which is bad;

If your software is fake detected as a virus I advise you (if you wish to help) to contact av companie and complain that their av. block your protected software; they will fix the problem at some moment.

Working status on v 1.7.x

CGSoftLabs — Wed May 27, 2009 5:32 am

Author: CGSoftLabs

Posted: Wed May 27, 2009 5:32 am

I was occupied with something else during last weeks so I had to cancel the programming session; last days I did some progress and I hope I'll finish the features I've planned for this version.

Virtual Size = Raw Size (Why?)

CGSoftLabs — Thu May 21, 2009 7:45 pm

Author: CGSoftLabs

Posted: Thu May 21, 2009 7:45 pm

you can edit later virtual size...since it's just a dword inside section's header

Help!!

CGSoftLabs — Wed Dec 17, 2008 2:07 am

Author: CGSoftLabs

Posted: Wed Dec 17, 2008 2:07 am

sorry but you must first learn some english; I can't understand really what are you trying to say.

Crash on "about" and "protection" dialog

CGSoftLabs — Tue Oct 21, 2008 9:36 pm

Author: CGSoftLabs

Posted: Tue Oct 21, 2008 9:36 pm

problem fixed.

About he future of IETools (msie7 and later)

CGSoftLabs — Fri Apr 18, 2008 7:04 pm

Author: CGSoftLabs

Posted: Fri Apr 18, 2008 7:04 pm

Well since m$ brooked the msie continuity with latest ie7 adding tabbed browsing the IETools won't work anymore; with the intrinsic PopUp blocker this feature doesn't have sense (90%) inside IETools (don't forget that IETools started as a popup blocker)

Since I have limited time, although some time ago I started the basic skeleton of the BHO for msie7, I don't see in the actual circumstances, when I'll continue this project again. It was a failure regarding benefits (one or 2 licenses sold). I would love having more time, recoding IETools again, just for my pleasure, but for the moment all my energy goes enhancing eXPressor.

Meanwhile you can use http://www.ie7pro.com, it seems a nice plugin, and the interface looks quite similar to IETools

And btw, Firefox beats msie (I'm writing this from fox )

Solutions & remedies

CGSoftLabs — Fri Apr 18, 2008 6:37 pm

Author: CGSoftLabs

Posted: Fri Apr 18, 2008 6:37 pm

Hope this will help some other people

While switching eXPressor's sourcecode from vc6 to vc8 I came across a number of problems; one of them was that vc8 linker won't let us merge anymore all sections in one as we want, he sticks IAT at the very beginning of first section; and since my source code relies on that I was forced to find a hack in order to skip recoding which in the particularly case of building stubs is very hard due limited debugging options.

In my stubs I do modifications for some global vars after building; since now I don't have my vars at the beginning of the firsts section I have 2 alternatives:

1.Enable /MAP file and build a simple parser to retrieve variables and functions VA. once I have VA I know where to apply the patch.

2.Find a hack and use the old method: structures stored inside specific PE directories like below:

Code:

#pragma data_seg ( ".A$A" )
DWORD dwVal1 = 1;
DWORD dwVAl2 = 2;
//...etc
#pragma data_seg()

Now I know for sure that those vars are placed at the beginning of section .A and you can access them later via section[.A].VirtualAddress.

The linker will always put teh IAT table (which lies in .idata$5) at the very beginning of teh first section which normally starts at 0x1000, and since I merge all my stub sections in .A I have problems modifying my globals. I found a hack to force having global variables at the very beginning of first section for easy access (we don't even need the /MAP file); in the code above, replace ".A$A" with ".idata$5"

where i can down the tools?

CGSoftLabs — Tue Apr 15, 2008 3:53 pm

Author: CGSoftLabs

Posted: Tue Apr 15, 2008 3:53 pm

what tools?

Feel free to post in here

haileyuxin — Sat Apr 12, 2008 7:21 am

Author: haileyuxin

Posted: Sat Apr 12, 2008 7:21 am

谢谢你们我会支持你们的！