The Cast of characters:
Crunch2.EXE is the Fraudster
Unsafedisc is the Victim
WinIce is the Investigator
Icedump is the Executioner
Kilby is the Malicious Bastard
Recently I thought I would play with dumping some programs. I had no joy with Copylok, so I thought a bit of practice on a packer would help.
I haven't seen any information about Crunch 2.0 from BitArts; it makes grand claims, so I thought here's a challenge.
I was disappointed, as this package is Snake Oil of the worst kind!
I have not been involved in any serious cracking for years; the last compressors I dumped data from were on the Amiga back in 1990. (Well, not quite: I was forced to return to the Sinclair Spectrum for a while when I had to sell my PC back in 92.)
The only thing I like about the product is the company name, because it can be separated out to read "Bi Tarts", a lovely though sexist thought ;)
After 5 hours I had working dumps; I didn't even have to rebuild the import tables. It was an easy victory.
OK, I haven't had it all my own way;
I have had problems with the following 3 test apps,
None of them would dump properly. Possibly this is because these packages (& games) are more accurately described as a suite of DLLs bound together with a small .EXE file.
The result was that the programs appeared to start running before the packer had finished unpacking the .EXE.
It could also have been because it was 05:10 and I was tired and careless; I will return to them in a few days.
Unreal Tournament now works 100%, if a valid .INI file exists for the game.
The trouble occurs when an attempt is made to run in SETUP Mode.
If the valid .INI file doesn't exist then for some reason the unpacked code repeatedly returns to the Program_Entry_Point+E4 region, which jumps into the newly uncompressed program.
I believe this may be a minor fault in the packer, but I can't be sure as Unreal Tournament seems to do weird shit anyway (and their OpenGL mode still doesn't work, Yeucch DX & Glide.)
So I am putting it down to a compatibility problem between the packer and UT.
Still, I wasn't the only failure: Cruncher2 couldn't even pack the following two test files;
Alien Vs Predator Gold
Delta Force 1
It totally failed :( It didn't even give a proper error message.
Though I will quote this piece of PR Crap
No other Windows PE compressor/encryptor has the power of compression, encryption and security.
This is simply not true, the file is compressed, and as far as I can tell it is NOT encrypted.
There are vastly superior packers/encryptors out there, and a lot of them are FREE !
These Bi Tart people are selling to the legions of "Visual Programmers" out there, the majority of whom haven't a clue what the hell is going on in their programs. At best they have only written about 10% of the code themselves; the development package has generated the rest of it.
I have personal experience of this situation. One fucker I have to put up with at work doesn't even know what is in 2% of his code, as he just robs code fragments off web sites and stitches them together.
Fuckin thieving Christian bastard !
Exactly the sort of clueless individual who would purchase Cruncher2 and note the price;
Priced at $199 (per annum), contract is for one year (non-refundable).
He would think that Cruncher2 would protect his program.
I must also add that this is more of a proof of concept rather than a piece of universal truth.
The intent is to:
1: Give back something to the unpacking community.
2: Give newbies something to learn from.
3: Show you donít have to be an Elite cracker to contribute to the unpacking community.
4: Encourage somebody out there to build a proper unpacker for Cruncher, as I ain't got the time.
The demo version is at http://www.bitarts.com/.
In addition to being a 30 day demo, the packer will only create files called bitarts_evaluation.exe; if the file is renamed it doesn't work. This is easily fixable but I simply can't be bothered.
I do not wish to crack the packer itself, it's simply not worth the effort; there are much better examples out there for free. However, I would quite like to do some damage to their reputation ;)
If anybody out there has something packed with the registered version, I would like to get a copy just to confirm that all the offsets are the same.
Here is what Cruncher2 does when it's packing;
Compresses the data, (SURPRISE !!!)
Renames the segments to Bit Arts and uses one import (Kernel32.DLL.)
Places its own 2 segments on the end of the .EXE and sets the entry point.
There are no customisation options whatsoever, unless you count the output filename.
On running the packed .EXE it decompresses the data, recreating the virgin .rdata section in the process.
Generates the offsets to the .DLL calls.
Overwrites the original .rdata data with zeros to make life a bit harder.
JMP EAX to the original .EXE file entry point.
OK so there's some self modifying code in there, and there's also some obfuscation in there, but nothing that an average (and very out of practice) reverser such as me couldn't manage in about four to five hours.
The biggest mistake they made is obvious even to me, the only things that change within the decompression routine are;
1: Number of Segments to decompress.
2: The address of the actual data.
3: The number of imports
Once you have the base address of the decompression segment (hint: it's the Program Entry Point), all the important routines are ALWAYS AT THE SAME OFFSETS from that base address.
The example .EXE I will use is Unsafedisc.exe (V 1.5.5) by R!sc, as it's easily obtainable, and Microsoft don't approve :)
This example also shows that the compression isn't too good, as the file grew from 20KB to 46KB.
What to do:
First hide SoftIce, as the unpacker will get annoyed.
Icedump is adequate, which shows that PECrypt gives better security against debuggers. It's also great for dumping on demand, no more having to edit out the jmp eip in dump files.
OK load the executable with Break & Enter (or whatever loader you prefer), and you will find this;
00710000 start proc near
00710000 push ebp
00710001 call $+5
00710006 pop ebp
00710007 sub ebp, 6
0071000A mov eax, ebp
0071000C push ebp
0071000E mov [ebp+348Ah], ebp
00710014 sub eax, [ebp+3465h]
0071001A mov [ebp+2519h], eax
00710020 push ebp
00710021 mov ebx, 1ECDh
00710026 add ebx, ebp
00710028 push ebx
00710029 push dword ptr fs:0
0071002F mov fs:0, esp
00710035 cmp byte ptr [ebp+3690h], 0
0071003C jnz short loc_710047
0071003E mov byte ptr [ebp+3690h], 1
00710045 jmp short loc_71005C
A bit of jumping around and nothing really worth paying attention to until the code turns into soup.
007100E0 mov ecx, eax
007100E2 repe movsb
007100E4 mov eax, [edi]
007100E6 aad 81h
007100E8 retn 15B6h
007100E8 start endp ; sp = -54h
007100E8 ; ----------------------------------------------------------
007100EB dd 3352000Eh, 0D88CC0h, 87404A8h, 1ACD02B4h, 0EBC28B1Dh
007100EB dd 33310F80h, 1CC069D2h, 0E19660Dh, 1CECD05h, 0FD858901h
This is Program Entry Point (PEP) + E4
Place a breakpoint on 7100e4 and hit F5.
You will meet this address again when it will be much more interesting :)
After the breakpoint you will find the following;
:u eip l 100
0167:007100E4 8BD5 MOV EDX,EBP
0167:007100E6 81C2B6150000 ADD EDX,000015B6
0167:007100EC 52 PUSH EDX
0167:007100ED 33C0 XOR EAX,EAX
0167:007100EF 8CD8 MOV AX,DS
0167:007100F1 A804 TEST AL,04
0167:007100F3 7408 JZ 007100FD
0167:007100F5 B402 MOV AH,02
0167:007100F7 CD1A INT 1A
0167:007100F9 8BC2 MOV EAX,EDX
0167:007100FB EB02 JMP 007100FF
0167:007100FD 0F31 RDTSC
0167:007100FF 33D2 XOR EDX,EDX
0167:00710101 69C00D661900 IMUL EAX,EAX,0019660D
0167:00710107 05CD0D0100 ADD EAX,00010DCD
0167:0071010C 8985FD3D0000 MOV [EBP+00003DFD],EAX
0167:00710112 BB56340200 MOV EBX,00023456
0167:00710117 43 INC EBX
0167:00710118 F7F3 DIV EBX
0167:0071011A 8BC2 MOV EAX,EDX
0167:0071011C 5A POP EDX
0167:0071011D 90 NOP
0167:0071011E FFD2 CALL EDX
0167:00710120 CC INT 3
0167:00710121 CC INT 3
0167:00710122 E86C150000 CALL 00711693
The two int 3 instructions are modified by the CALL EDX.
Kill the breakpoint at this point in time and set a breakpoint on LoadLibraryA then hit F5
F11 will take you back to where LoadLibraryA was called from.
Basically every time a library is imported this bit of code is executed.
I also suggest that every time the breakpoint is encountered you hit F11 to check that you are still in the target program; my Gravis joypad driver and SB Live control panel really get in the way if I forget to disable them before I start with SoftIce.
In the case of Unsafedisc.exe this breakpoint will occur 3 times, when the following are being recreated: KERNEL32.dll, USER32.dll & COMDLG32.dll.
When the last one is imported the following code is then moved into place;
0167:00714121 MOV ECX,00000013
0167:00714126 MOV EDI,ESI
0167:00714128 MOV EAX,00000000
0167:0071412D REPZ STOSB
0167:0071412F ADD ESI,14
0167:00714132 MOV EDX,[EBP+00002519]
0167:00714138 JMP 0071403D
0167:0071413D CMP BYTE PTR [EBP+0000194D],01
0167:00714144 JZ 0071417F
0167:00714146 CMP DWORD PTR [EBP+00001963],34303030
0167:00714150 JZ 0071417F
Use bpx 0071412F
This piece of code appears after the third LoadLibraryA, every time I tested the cruncher with three or more DLLs being imported.
Once this code appears remove the BPX LoadLibraryA, and stick with this breakpoint.
This breakpoint will trigger for every DLL imported. I really should find out where the counter for this routine is, but to be honest I'm too lazy.
Anyway, first time through the packer count the number of times the code breaks here (for Unsafedisc.exe, 3 times.)
Next time you run the program, allow the break to occur the appropriate number of times, step past the REPZ STOSB and dump.
I may get a neater way to do this later.
When you are at this stage you have an image of the entire unpacked executable in memory, which allows you to dump the decompressed file.
With icedump you can use the following commands to dump to disk
/pedump loadaddress OEP filename
On my machine that would be /pedump 400000 29b6 f:\dump.exe
Though you can use Procdump32 or whatever your favourite dumper is.
Why dump at this point, well simply because the import routines are mangled after this point, to prevent the script kiddies from doing what I have just done.
But there's a problem with this cunning plan: where do I get the OEP (Original Entry Point) from?
Well, remember I mentioned that you would be meeting 7100e4 again? Here's what it contains now;
0167:007100E5 POP EBP
0167:007100E6 MOV EAX,[EBP+00003486]
0167:007100EC POP EBP
0167:007100ED JMP EAX
Simply BPX 7100ed and use the value of EAX - Image Base to get the OEP value
EAX = 4029b6
Image Base = 400000
OEP value = 29b6
Then simply double click on the resultant dump et voila no more rebuilding required.
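The two header-level facts the write-up relies on (the "Here is what Cruncher2 does" list: sections renamed to Bit Arts, the packer's own two sections appended with the entry point pointing into them; and OEP = EAX - Image Base at the final JMP EAX) can both be checked from the PE headers alone. The following Python is an added example and not part of the original text or of any BitArts or Icedump tool: it parses a PE32 header, reports the packer indicators the text describes, turns the EAX value seen at the JMP EAX into an entry-point RVA, and writes that RVA into the header the way the dumper's OEP argument does. The sample image is constructed inline (three sections, all named "Bit Arts", entry point in the last one); the stub prologue bytes are the standard encodings of the push ebp / call $+5 / pop ebp / sub ebp,6 sequence from the listing above, and the "last two sections" rule is an assumption based on the packer appending two sections.

```python
import struct

# Indicators taken from the write-up: sections renamed to "Bit Arts", two packer
# sections appended to the file with the entry point set into them, and a stub
# beginning push ebp / call $+5 / pop ebp / sub ebp,6 (standard byte encodings).
PACKER_SECTION_NAME = b"Bit Arts"
STUB_PROLOGUE = bytes.fromhex("55 E8 00 00 00 00 5D 83 ED 06")


def parse_pe(data):
    """Return (image_base, entry_rva, sections) from a PE32 file image in memory."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "va": va, "vsize": vsize,
                         "rawptr": rawptr, "rawsize": rawsize})
    return image_base, entry_rva, sections


def section_index(sections, rva):
    """Index of the section whose virtual range covers rva, or None."""
    for i, s in enumerate(sections):
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return i
    return None


def rva_to_offset(sections, rva):
    """File offset backing rva, or None if it is outside the raw data on disk."""
    i = section_index(sections, rva)
    if i is None:
        return None
    s = sections[i]
    off = rva - s["va"]
    return s["rawptr"] + off if off < s["rawsize"] else None


def packer_indicators(data):
    """List the Crunch-style indicators present in a PE file image."""
    _, entry_rva, sections = parse_pe(data)
    found = []
    renamed = [s for s in sections if s["name"] == PACKER_SECTION_NAME]
    if renamed:
        found.append("%d section(s) named %r" % (len(renamed), PACKER_SECTION_NAME.decode()))
    i = section_index(sections, entry_rva)
    if i is not None and i >= len(sections) - 2:   # assumption: the two appended sections
        found.append("entry point RVA %#x lies in an appended section" % entry_rva)
    off = rva_to_offset(sections, entry_rva)
    if off is not None and data[off:off + len(STUB_PROLOGUE)] == STUB_PROLOGUE:
        found.append("entry point starts with the push ebp / call $+5 / pop ebp / sub ebp,6 stub")
    return found


def oep_rva(eax_at_jmp, image_base):
    """OEP as an RVA: the EAX value at the final JMP EAX minus the image base."""
    if eax_at_jmp < image_base:
        raise ValueError("EAX is below the image base")
    return eax_at_jmp - image_base


def set_entry_point(data, rva):
    """Copy of the image with AddressOfEntryPoint set to rva (what the dumper's OEP argument does)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    out = bytearray(data)
    struct.pack_into("<I", out, pe + 24 + 16, rva)
    return bytes(out)


def build_sample_pe():
    """Constructed PE32 image (not real Crunch output): three 'Bit Arts' sections, entry in the last."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, 0x4000)      # entry point inside the appended stub section
    struct.pack_into("<I", opt, 28, 0x400000)    # image base, as in the write-up
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, len(opt), 0x102)
    secs = b""
    for va, vsize, rawptr in ((0x1000, 0x2000, 0x200), (0x3000, 0x1000, 0x400), (0x4000, 0x1000, 0x600)):
        secs += struct.pack("<8sIIII", PACKER_SECTION_NAME, vsize, va, 0x200, rawptr) + b"\0" * 16
    img = bytearray(dos + b"PE\0\0" + file_hdr + opt + secs)
    img += b"\0" * (0x800 - len(img))
    img[0x600:0x600 + len(STUB_PROLOGUE)] = STUB_PROLOGUE   # stub at the entry point
    return bytes(img)
```

Running packer_indicators on the sample reports all three indicators; after set_entry_point(img, oep_rva(0x4029B6, 0x400000)) the header points at RVA 0x29B6 in the first section, and only the section-name indicator remains, which is the state a dump with a corrected entry point should be in.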
Things to remember,
The decompression routines will be the same on every packed program
Breakpoint on LoadLibraryA
Entry Point + E4
Entry Point + 4121
Once again I must state that the information contained in this file only applies to the demo version I used. But if somebody can supply me with a file packed with a registered version, I will be happy to check out the situation and reissue an updated version of this file, if necessary.
I have tried this on around 15 .exe files and only three failed to work.
I suggest that you use the compressed version of Unsafedisc.exe that I enclose, and notepad as tests, before attempting anything larger.
A couple of the larger tests were PFE (Programmers File Editor) with 9 imports, and Cover Editor (which comes with Nero, the CD burning package) which has 8 imports.
Well, there's not much more to say other than a hello or two:
JTH, Still alive after all these years
Jrok, Still playing with arcade machines
R!sc, Victim of his own success ;)
Fravia+ Even I have to acknowledge reality exists now
Stealth Thanx for the ftp access
Duke For replying about CopyloK and remembering the Amiga scene.
The ICEDUMP Team For Icedump
If anybody out there can give me some decent info on Copylok please let me know, as I am having problems with the IAT rebuilding; it's most likely something dumb. I thought working on this packer would help but it was way too simple.
I haven't got an Email address that I can publish happily, but I can be found lurking on the quality reversing sites.
Oh fuck it,