Cheat Engine

Bedopies · Newbie cheater Reputation: 0 Joined: 25 Feb 2019 Posts: 13

Im reversing an app and I got some problems.

I tried to use Scylla in x64dbg to dump binary but I got 0 valid apis and finally Imports in IDA are empty.
I tried pe-sieve64.exe /imp 3 and later 5 /shellc /pid 3096 but there's lack of imports in IDA too.
In CE -> Enumerate DLL's and Symbols there's a lot more DLLs and their functions (that's why I think there's lack of Imports in previous dumps)

(?) Also, if I check CE -> Enumerate DLL's and Symbols little bit later than usual, I can see DLL's only without any functions.
How can this thing be achieved?

Additionally (the app is multi-threaded), I tried to see where CreateThread is called and it's really weird for me. What is goin on here? Screen in attachment.

TsTg · Posted: Mon Apr 11, 2022 11:55 am Post subject:

seems like a very well obfuscated and packed executable file, you need to identify what the exe is actually packed with first, there are some tools (cant say the names, so please google exe detect tools) they might help with that. the picture you posted is a code starting with some junk code, used alot to prevent tracing and mislead the reverse engineering.
one question tho: is this location the entrypoint of the new thread, or it was supposed to be where CreateThread() API got called ?

Bedopies · Newbie cheater Reputation: 0 Joined: 25 Feb 2019 Posts: 13

Tools to identify (at least this one started with 'D' letter) said nothing (attachment). The code from the picture is showing the location where I got redirected when did "Step Out" / from callstack (the createThread lpStartAddress is diffrent address, forwarding to "normal", easier function).

Btw. The entry point of the binary seems like packer for me (thats why I tried to dump binary at runtime), but to be honest I dont know what is the visual diffrence between packer and virtualization.

TsTg · Posted: Mon Apr 11, 2022 12:24 pm Post subject:

can you post a picture with the section names (the > button on the left) and another for the entropy (button on the right), and there is a a tool ExeInfo Pe, give that a try.

Bedopies · Newbie cheater Reputation: 0 Joined: 25 Feb 2019 Posts: 13

I gave exeinfo a try, and that "Themida Debugger detected" was not a bait (I thought it was the bait because it was too easy to bypass CallBack / Terminate process / IsDebuggerPresent lol).

TsTg · Posted: Mon Apr 11, 2022 2:45 pm Post subject:

hmm so it is Themida protected, and that is a complex one that uses the virtualization technique, it can be "de-virtualized" but its far from being a easy task as far as i know, there are some tools that might be released one day for that, please have a look at this page https://ieeexplore.ieee.org/document/9139515 where it explains how such protectors work.

Bedopies · Newbie cheater Reputation: 0 Joined: 25 Feb 2019 Posts: 13

What do You think? Its packed or it's virtualized?
I picked this one (I mean target) because:
- I want to learn something more (First time I saw ObRegisterCallback),
- I want to know how this thing is working

Example function at lpStartAddress argument what at least looks normal (attachment, I censored "target name" just in case lol)

TsTg · Posted: Tue Apr 12, 2022 3:14 pm Post subject:

looks somewhat clean routine for sure (except for the int3 above, probably moves to a handler that do some checks, etc), it could be a simple packing, it could be also have some virtualization on some pieces of the code, cant tell unless you have a look at the entire file...
it may not be possible to fully unpack it, but i believe there is a way you can inline-patch it, as far as i know, you need to make a proper entrypoint after the anti-debug stuff was done, find some checksum values to bypass the crc checks.