Crunch

From BitArts 2.0.0.1 by Kilby

published by +Tsehp Feb 2001

The Cast of characters:

Crunch2.EXE       is the    Fraudster
Unsafedisc        is the    Victim
WinIce            is the    Investigator
Icedump           is the    Executioner
Kilby             is the    Malicious Bastard

Recently I thought I would play with dumping some programs. I had no joy with Copylok, so I thought a bit of practice on a packer would help.

I haven't seen any information about Crunch 2.0 from BitArts, and it makes grand claims, so I thought here's a challenge.

I was disappointed, as this package is Snake Oil of the worst kind!

Why?

Simple!

I have not been involved in any serious cracking for years; the last compressors I dumped data from were on the Amiga back in 1990. (Well, not quite: I was forced to return to the Sinclair Spectrum for a while when I had to sell my PC back in 92.)

The only thing I like about the product is the company name, because it can be separated out to read “Bi Tarts”, a lovely though sexist thought ;)

After 5 hours I had working dumps; I didn't even have to rebuild the import tables. It was an easy victory.

OK, I haven't had it all my own way.

I have had problems with the following 3 test apps:

Unreal Tournament
Adobe InDesign
Adobe InCopy

None of them would dump properly. Possibly this is because these packages (& games) are more accurately described as a suite of DLLs bound together with a small .EXE file.

The result was that the programs appeared to start running before the packer had finished unpacking the .EXE.

It could also have been because it was 05:10 and I was tired and careless; I will return to them in a few days.

---------------

UPDATE:

Unreal Tournament now works 100%, if a valid .INI file exists for the game.

The trouble occurs when an attempt is made to run in SETUP Mode.

If the valid .INI file doesn't exist then for some reason the unpacked code repeatedly returns to the Program_Entry_Point+E4 region, which jumps into the newly uncompressed program.

I believe this may be a minor fault in the packer, but I can't be sure as Unreal Tournament seems to do weird shit anyway (and their OpenGL mode still doesn't work, Yeucch DX & Glide.)

So I am putting it down to a compatibility problem between the packer and UT.

---------------

Still, I wasn't the only failure: Cruncher2 couldn't even pack the following two test files;

Alien Vs Predator Gold
Delta Force 1

It totally failed :( It didn't even give a proper error message.

Though I will quote this piece of PR Crap:

Claim:
No other Windows PE compressor/encryptor has the power of compression, encryption and security.

Reality:
This is simply not true. The file is compressed, and as far as I can tell it is NOT encrypted.

There are vastly superior packers/encryptors out there, and a lot of them are FREE!

These Bi Tart people are selling to the legions of “Visual Programmers” out there, the majority of whom haven't a clue what the hell is going on in their programs. At best they have only written about 10% of the code themselves; the development package has generated the rest of it.

I have personal experience of this situation. One fucker I have to put up with at work doesn't even know what is in 2% of his code, as he just robs code fragments off web sites and stitches them together.

Fuckin thieving Christian bastard!

Exactly the sort of clueless individual who would purchase Cruncher2 and note the price;

Priced at $199 (per annum), contract is for one year (non-refundable).

He would think that Cruncher2 would protect his program.

Anyway, now I have got all that off my chest, here's the dope on Crunch 2.0.0.

I must also add that this is more of a proof of concept rather than a piece of universal truth.

The intent is to:

1:  Give back something to the unpacking community.
2:  Give newbies something to learn from.
3:  Show you don't have to be an Elite cracker to contribute to the unpacking community.
4:  Encourage somebody out there to build a proper unpacker for Cruncher, as I ain't got the time.

The demo version is at http://www.bitarts.com/.

In addition to being a 30 day demo, the packer will only create files called bitarts_evaluation.exe; if the file is renamed it doesn't work. This is easily fixable but I simply can't be bothered.

I do not wish to crack the packer itself, it's simply not worth the effort, there are much better examples out there for free; however I would quite like to do some damage to their reputation ;)

If anybody out there has something packed with the registered version, I would like to get a copy just to confirm that all the offsets are the same.

Here is what Cruncher2 does when it's packing;

Compresses the data, (SURPRISE !!!)

Renames the segments to Bit Arts and uses one import (Kernel32.DLL.)

Places its own 2 segments on the end of the .EXE and sets the entry point.

There are no customisation options whatsoever, unless you count the output filename.
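
Added here as an example (it is not part of the original text, nor BitArts' or the author's code): a small Python triage script that checks a file for the static traits just listed, every section renamed to "Bit Arts" and the entry point sitting in one of the two sections appended at the end. The sample PE it builds is constructed for offline testing; the single-Kernel32 import is not checked, and the trait wording is an assumption.

```python
import struct

# Constructed triage helper for this write-up (not BitArts' code or the author's):
# flags the static traits Crunch 2.0 leaves behind, i.e. every section renamed to
# "Bit Arts" and an entry point inside one of the two sections appended last.
CRUNCH_SECTION_NAME = b"Bit Arts"

def pe_sections_and_entry(data):
    """Return (AddressOfEntryPoint, [(name, VirtualAddress, VirtualSize), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                        # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsections):                             # 40-byte IMAGE_SECTION_HEADERs
        name, vsize, vaddr = struct.unpack_from("<8sII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0"), vaddr, vsize))
    return entry_rva, sections

def crunch_traits(data):
    """List the Crunch-style traits present; an empty list means none were found."""
    entry_rva, sections = pe_sections_and_entry(data)
    traits = []
    if sections and all(name == CRUNCH_SECTION_NAME for name, _, _ in sections):
        traits.append("all sections named 'Bit Arts'")
    for idx, (_, vaddr, vsize) in enumerate(sections):
        # Crunch appends two sections and points the entry point into them.
        if vaddr <= entry_rva < vaddr + vsize and len(sections) > 2 and idx >= len(sections) - 2:
            traits.append("entry point in one of the two trailing sections")
    return traits

def build_sample_pe(section_names, entry_rva):
    """Constructed minimal PE32 (headers and section table only) for offline tests."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)              # ImageBase, as in the write-up
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x10F)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 * (i + 1), 0, 0, 0, 0, 0x60000020)
        for i, n in enumerate(section_names))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    return dos + b"PE\0\0" + coff + bytes(opt) + table
```

Run crunch_traits() over the bytes of a real file to get the list of matching traits; a normal build of a program with its own section names returns an empty list.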

On running the packed .EXE it decompresses the data, recreating the virgin .rdata section in the process.

Generates the offsets to the .DLL calls.

Overwrites the original .rdata data with zeros to make life a bit harder.

JMP EAX to the original .EXE file entry point.

OK, so there's some self modifying code in there, and there's also some obfuscation in there, but nothing that an average (and very out of practice) reverser such as me couldn't manage in about four to five hours.

The biggest mistake they made is obvious even to me: the only things that change within the decompression routine are;

1:  Number of Segments to decompress.
2:  The address of the actual data.
3:  The number of imports.

Once you have the base address of the decompression segment (hint: it's the Program Entry point), all the important routines are ALWAYS AT THE SAME OFFSETS from that base address.

The example .EXE I will use is Unsafedisc.exe (V 1.5.5) by R!sc, as it's easily obtainable, and Microsoft don't approve :)

This example also shows that the compression isn't too good, as the file grew from 20KB to 46KB.

What to do:

First hide SoftIce, as the unpacker will get annoyed.

Icedump is adequate for hiding it, which shows that PECrypt gives better security against debuggers. It's also great for dumping on demand; no more having to edit out the jmp eip in dump files.

OK, load the executable with Break & Enter (or whatever loader you prefer), and you will find this;

00710000 start proc near
00710000          push ebp
00710001          call $+5
00710006          pop ebp
00710007          sub ebp, 6
0071000A          mov eax, ebp
0071000C          push ebp
0071000D          pusha
0071000E          mov [ebp+348Ah], ebp
00710014          sub eax, [ebp+3465h]
0071001A          mov [ebp+2519h], eax
00710020          push ebp
00710021          mov ebx, 1ECDh
00710026          add ebx, ebp
00710028          push ebx
00710029          push dword ptr fs:0
0071002F          mov fs:0, esp
00710035          cmp byte ptr [ebp+3690h], 0
0071003C          jnz short loc_710047
0071003E          mov byte ptr [ebp+3690h], 1
00710045          jmp short loc_71005C

A bit of jumping around and nothing really worth paying attention to until the code turns into soup.

007100E0          mov ecx, eax
007100E2          repe movsb
007100E4          mov eax, [edi]
007100E6          aad 81h
007100E8          retn 15B6h
007100E8 start endp ; sp = -54h
007100E8
007100E8 ; ----------------------------------------------------------
007100EB      dd 3352000Eh, 0D88CC0h, 87404A8h, 1ACD02B4h, 0EBC28B1Dh
007100EB      dd 33310F80h, 1CC069D2h, 0E19660Dh, 1CECD05h, 0FD858901h

This is Program Entry Point (PEP) + E4.

Place a breakpoint on 7100e4 and hit F5.

You will meet this address again when it will be much more interesting :)

After the breakpoint you will find the following;

:u eip l 100
0167:007100E4 8BD5            MOV EDX,EBP
0167:007100E6 81C2B6150000    ADD EDX,000015B6
0167:007100EC 52              PUSH EDX
0167:007100ED 33C0            XOR EAX,EAX
0167:007100EF 8CD8            MOV AX,DS
0167:007100F1 A804            TEST AL,04
0167:007100F3 7408            JZ 007100FD
0167:007100F5 B402            MOV AH,02
0167:007100F7 CD1A            INT 1A
0167:007100F9 8BC2            MOV EAX,EDX
0167:007100FB EB02            JMP 007100FF
0167:007100FD 0F31            RDTSC
0167:007100FF 33D2            XOR EDX,EDX
0167:00710101 69C00D661900    IMUL EAX,EAX,0019660D
0167:00710107 05CD0D0100      ADD EAX,00010DCD
0167:0071010C 8985FD3D0000    MOV [EBP+00003DFD],EAX
0167:00710112 BB56340200      MOV EBX,00023456
0167:00710117 43              INC EBX
0167:00710118 F7F3            DIV EBX
0167:0071011A 8BC2            MOV EAX,EDX
0167:0071011C 5A              POP EDX
0167:0071011D 90              NOP
0167:0071011E FFD2            CALL EDX
0167:00710120 CC              INT 3
0167:00710121 CC              INT 3
0167:00710122 E86C150000      CALL 00711693

The two int 3 instructions are modified by the CALL EDX.

Kill the breakpoint at this point in time and set a breakpoint on LoadLibraryA, then hit F5.

F11 will take you back to where LoadLibraryA was called from.

Basically every time a library is imported this bit of code is executed.

I also suggest that every time the breakpoint is encountered you hit F11 to check that you are still in the target program; my Gravis joypad driver and SB Live control panel really get in the way if I forget to disable them before I start with SoftIce.

In the case of Unsafedisc.exe this breakpoint will occur 3 times, when the following are being recreated: KERNEL32.dll, USER32.dll & COMDLG32.dll.

When the last one is imported the following code is then moved into place;

:u 710000+4121
0167:00714121     MOV ECX,00000013
0167:00714126     MOV EDI,ESI
0167:00714128     MOV EAX,00000000
0167:0071412D     REPZ STOSB
0167:0071412F     ADD ESI,14
0167:00714132     MOV EDX,[EBP+00002519]
0167:00714138     JMP 0071403D
0167:0071413D     CMP BYTE PTR [EBP+0000194D],01
0167:00714144     JZ 0071417F
0167:00714146     CMP DWORD PTR [EBP+00001963],34303030
0167:00714150     JZ 0071417F

Use bpx 0071412F

---------------

Update:

This piece of code appears after the third LoadLibraryA, every time I tested the cruncher with three or more DLLs being imported.

Once this code appears remove the BPX LoadLibraryA, and stick with this breakpoint.

This breakpoint will trigger for every DLL imported. I really should find out where the counter for this routine is, but to be honest I'm too lazy.

Anyway, first time through the packer, count the number of times the code breaks here (for Unsafedisc.exe 3 times.)

Next time you run the program, allow the break to occur the appropriate number of times, step past the REPZ STOSB and dump.

I may get a neater way to do this later.

---------------

When you are at this stage you have an image of the entire unpacked executable in memory, which allows you to dump the decompressed file.

With icedump you can use the following command to dump to disk:

/pedump loadaddress OEP filename

On my machine that would be /pedump 400000 29b6 f:\dump.exe

Though you can use Procdump32 or whatever your favourite dumper is.

Why dump at this point? Well, simply because the import routines are mangled after this point, to prevent the script kiddies from doing what I have just done.

But there's a problem with this cunning plan: where do I get the OEP (Original Entry Point) from?

Well, remember I mentioned that you would be meeting 7100e4 again? Here's what it contains now;

:u 7100e4

0167:007100E4     POPAD
0167:007100E5     POP EBP
0167:007100E6     MOV EAX,[EBP+00003486]
0167:007100EC     POP EBP
0167:007100ED     JMP EAX

Simply BPX 7100ed and use the value of EAX - Image Base to get the OEP value:

EAX          =  4029b6
Image Base   =  400000

OEP value    =  29b6

Then simply double click on the resultant dump, et voila, no more rebuilding required.

Things to remember:

The decompression routines will be the same on every packed program.

Breakpoint on LoadLibraryA
Entry Point + E4
Entry Point + 4121

Once again I must state that the information contained in this file only applies to the demo version I used. But if somebody can supply me with a file packed with a registered version, I will be happy to check out the situation and reissue an updated version of this file, if necessary.

I have tried this on around 15 .exe files and only three failed to work.

I suggest that you use the compressed version of Unsafedisc.exe that I enclose, and notepad, as tests before attempting anything larger.

A couple of the larger tests were PFE (Programmers File Editor) with 9 imports, and Cover Editor (which comes with Nero, the CD burning package) which has 8 imports.

Well, there's not much more to say other than a hello or two:

JTH,               Still alive after all these years
Jrok,              Still playing with arcade machines
R!sc,              Victim of his own success ;)
Fravia+            Even I have to acknowledge reality exists now
Stealth            Thanx for the ftp access
Duke               For replying about CopyloK and remembering the Amiga scene.
The ICEDUMP Team   For Icedump

If anybody out there can give me some decent info on Copylok please let me know, as I am having problems with the IAT rebuilding; it's most likely something dumb. I thought working on this packer would help but it was way too simple.

Regards,

Kilby…

I haven't got an Email address that I can publish happily, but I can be found lurking on the quality reversing sites.

Oh fuck it,

Kilby@cta102.free-online.co.uk