Unusual UnPackMe
NchantA
November 20th, 2000, 20:36
lo all
this goes out to newbies and oldies alike
http://www.crosswinds.net/~nchanta/trnr_cme.zip
please have a go, and don't be afraid to abuse me in a post.
NchantA
NchantA
November 20th, 2000, 20:56
err. i personally wouldn't refer this unpackme to the true newbies, i would however like you advanced crackers that sometimes look in on the rest of us to have a look at it
and maybe even show me why i can't unpack my own damn unpackme eheehhehe *g*
have funnnnnnnn
NchantA
Kayaker
November 21st, 2000, 00:09
Hi Nchanta,
So you're looking for abuse, eh?
Well I haven't unpacked it yet, but I did find the process in memory it's looking for (or at least I found SOMETHING ;d)
So, no nag, straight to the splash screen. I have a question though, I'm not familiar with trainers, is the 'Apply Memory Changes' supposed to do anything in your unpackme or is it just there for show as it seems? Does this button normally, well, apply memory changes in a real trainer?
Pretty cool. I'll work on the unpacking now, but I'm not holding my breath on figuring that one out... One more question. Couldn't you have loaded a few more system functions? I think you missed a couple of the Audio Compression Codecs
Cheers,
Kayaker
NchantA
November 22nd, 2000, 08:01
ehehe arguments sharpen the mind
ok well, the trainer was a novel idea (not entirely my own), one of the reasons i included it here. and i *was* going to submit this to the reverser forum but this is the mini project area, it says nothing about newbie projects
and it is a small project so it fits the forum quite well
it searches for a dummy process on start up, patching shouldn't be hard, but i did have trouble unpacking it myself!
it's packed with neolite if that helps
i'm not sure what u want about the audio codecs??
and the apply changes in a real trainer *would* do something to the game yes, it could be fun to reverse hehe
NchantA
NchantA
November 22nd, 2000, 08:02
i just realized i do this way too much
hehehehehehe
SV
November 22nd, 2000, 08:27
Hi
I have a working unpacked exe except for the splash bitmap :-( and have found something too !!
I have a really big prob with this splash bitmap.
How is it loaded in the dialog? Only in rsrc?
I have saved a right bmp file (at least).
Thx SV
Kayaker
November 22nd, 2000, 17:42
Hi SV,
I seem to be having a problem with the Splash screen as well. I got what I thought would be a working dump (JMP EAX in .crypt section, EAX = OEP in .text section) and the program runs fine. The problem is that the file size is only 224K and all it does is display the Splash screen, and without any image...
In Exescope the Splash screen Dialog Resource (ID 102) is there. You can edit a few things with it (Titlebar etc.) and it responds. FindResourceA with lpName properly points to it (66h = 102) and is called a few times. But there just ain't no image associated with it!!
So this was packed with what? AsNeolite? ^_^
Nchanta, I was joking about adding a few more functions via the codecs because it seemed you had loaded just about every other system dll via LoadLibraryA and GetProcAddress just to make things nice and confusing
Kayaker
Kayaker
November 22nd, 2000, 20:09
OK, I sort of figured out what's going on. The program maps itself into memory with MapViewOfFile then starts unpacking itself. If you trace for a while after this break and display the Virtual Offsets of each section you see them being unpacked at address 451D70 (and within that call at 45220A) each in turn -
.text 400000 - 423000
.rdata 423000 - 42B000
.data 42B000 - 42D000
There's one more Call to 451D70 for the .rsrc section but it seems to be unpacked into scattered parts of memory there and later. i.e. 470000 - 480000 contains some of the good stuff, the memory around 4F4F90 contains a ref. to "Nchanta" and a few of the string resources, etc.
I think if we could get a good dump of the .rsrc section it could be appended to a dump of the 1st 3 sections and work OK. I just haven't figured out where to dump the good bits.
Kayaker
NchantA
November 22nd, 2000, 21:23
hehe
a very unusual problem, yes?
a simple splashscreen can cause so many problems
ah yes, kayaker, i notice the aha joke now ;P i don't usually find the 'needle in the haystack' approach worth using, but in this experiment it proved useful
keep going
NchantA
90h
November 24th, 2000, 21:16
I have extracted the splash screen from the crackme and found out which process the crackme wants to be loaded. The splash screen is at 47009Eh (Virtual Offset), size 84E76h (aka 531kb), and it has a BMP header so i do not think it is in the .rsrc section. As far as i know all bmp in .rsrc have no header (that's not 100% true, they can if you like).
PS.
What is an easy program to unpack? Then i will come back to this program. Kayaker, thanks for the info, i will have to look into it.
NchantA
November 25th, 2000, 06:45
http://csir.cjb.net is a good place to go for packing related stuff
http://zencrack2.cjb.net rox as well
hi r!sc
NchantA
Kayaker
November 25th, 2000, 07:06
Hi 90h,
Your info on the size/location of the bmp makes sense. I have a dump of size 85029 addressed at 470080 which I got during the Neolite unpacking phase. The 1st 1E bytes contain a header which includes what seems to be an encryption string, the next 84e76 as you've confirmed is the bmp itself, which can be dumped and viewed, and the last 195 bytes contain more encryption strings associated with the rest of the resources. This seems to account for the whole of the "lost resources".
These 'encryption strings', for lack of a better term, seem to be associated with each resource. i.e. *!mai!**!ScN!* seems to be associated with the Splash Screen bitmap, *!mai!**!MiS!* is associated with the 2 MessageBox strings, *!mai!**!but!* with the 'Apply Memory Changes' and 'Quit' buttons, etc.
I unpacked the program manually following a standard Neolite procedure, tracing until code similar to the following (may need to set a MapViewOfFile to break into the program initially)
MOV EAX,[ESP+04]
AND EAX,[xxxxxxxx]
CALL xxxxxxxx
INC BYTE PTR [xxxxxxxx]
JMP EAX ; eax is Original Entry Point of program = 40F2D3
set a jmp eip at the JMP EAX, F5 out of SI, full dump with Procdump, change Entry Point. Check out the tut by Eternal Bliss for an example with Notepad:
http://www.woodmann.net/fravia/text/eb_tut32.txt
I also dumped the unpacked memory image with TRW PEDUMP. In both cases the program ran OK but just shows a blank splashscreen then sits there. All resources except the icon, some default string resources, and some DialogBox templates are missing.
There's a call 0040EF00 statement which is used several times at different addresses which seems to make use of these encryption strings somewhere during the FindResource / LoadResource / CreateDialogIndirectParamA phase of the program. You can do a String Ref search in W32dasm for them or set a BPM on the strings in SI (i.e at memory address 470080 for the 1st one, 484E96 for the rest).
Why the encryption strings? Well, there's also a ref in the dumped exe file to Inflate 1.04 by Mark Adler. Turns out this is a GNU program used to 'inflate' compressed files. The public source code is now part of Info-ZIP software.
My thought was that Nchanta "borrowed" some of the source code and it is being used somehow to 'inflate' the corresponding 'deflated' resources. Though this doesn't really make sense in a way because the resources aren't actually compressed, just sort of separate from the regular exe structure. I looked briefly at the source code and there's no indication of these funny encryption strings, so I may be off-target here. ???
I've tried inserting the whole 85029 byte 'resource' structure into the dumped file in various ways and succeeded in getting the Apply Memory Changes and Quit buttons to show somewhat ghostly in the splashscreen, but that's all.
Assuming the code to deal with these encryption strings (if that's really what they are) is OK in the dumped file, then it *should* just be a matter of proper addressing of the bmp, messagebox and dialog box resources as a unit.
This is all fine in theory, but I still haven't put Humpty back together again. If Nchanta is being truthful in that he hasn't been able to unpack the file successfully himself, perhaps he may want to enter the discussions? ^_^
Regards,
Kayaker
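An added example, not code from the thread: it walks a blob laid out the way Kayaker describes the 470080 dump (1E-byte header, 84E76-byte BMP, 195 bytes of trailing marker strings), carving the bitmap by its own BITMAPFILEHEADER rather than a fixed offset and listing the *!mai!**!xxx!* markers with their offsets. The blob here is constructed with a blank 1x1 image; on a real dump you would read the file instead.

```python
import re
import struct

# Layout of the 0x85029-byte "lost resources" blob dumped at 470080, as
# described in the thread (all sizes there are hex):
#   0x1E    header, holding a marker string such as *!mai!**!ScN!*
#   0x84E76 the splash BMP, with its own BITMAPFILEHEADER ("BM" + bfSize)
#   0x195   trailing marker strings for the remaining resources
HDR_LEN, BMP_LEN, TRAILER_LEN = 0x1E, 0x84E76, 0x195
BLOB_LEN = HDR_LEN + BMP_LEN + TRAILER_LEN  # == 0x85029

MARKER_RE = re.compile(rb"\*!mai!\*\*![A-Za-z]{3}!\*")


def build_sample_blob():
    """Constructed stand-in for the real dump (same layout, blank 1x1 image)."""
    pixel_bytes = BMP_LEN - 54  # 14-byte file header + 40-byte info header
    bmp = b"BM" + struct.pack("<IHHI", BMP_LEN, 0, 0, 54)
    bmp += struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, pixel_bytes, 0, 0, 0, 0)
    bmp += b"\x00" * pixel_bytes
    header = b"*!mai!**!ScN!*".ljust(HDR_LEN, b"\x00")
    trailer = b"*!mai!**!MiS!*\x00*!mai!**!but!*".ljust(TRAILER_LEN, b"\x00")
    return header + bmp + trailer


def find_markers(blob):
    """Return (offset, marker) for every *!mai!**!xxx!* string in the blob."""
    return [(m.start(), m.group().decode()) for m in MARKER_RE.finditer(blob)]


def carve_bmp(blob):
    """Find the first 'BM' whose bfSize/bfOffBits fit in the blob; return (offset, bytes)."""
    off = blob.find(b"BM")
    while off != -1 and off + 14 <= len(blob):
        bf_size, _, _, bf_off = struct.unpack_from("<IHHI", blob, off + 2)
        # A real BITMAPFILEHEADER puts pixel data after the 54-byte headers and
        # has bfSize covering the whole file; anything else is a false 'BM' hit.
        if 54 <= bf_off < bf_size <= len(blob) - off:
            return off, blob[off:off + bf_size]
        off = blob.find(b"BM", off + 1)
    return None


if __name__ == "__main__":
    blob = build_sample_blob()
    off, bmp = carve_bmp(blob)
    print(f"BMP at blob+0x{off:X}, {len(bmp):#x} bytes; markers: {find_markers(blob)}")
```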
90h
November 25th, 2000, 16:49
thanks NchantA and Kayaker. Cool, i was right that the JMP EAX is a jmp to the original code.
90h
November 26th, 2000, 02:44
With bad/good luck i got it unpacked with a splashscreen (but that's all). What i did was a standard Neolite dump. Then i made a dump at 470080, size 85029 (like Kayaker said). I added 85029 bytes with topo to my main dump, then added the 470080 dump over my new bytes, then did a test run (had a splashscreen). Yes, it's a bad dump but i was making it for testing.
What i was trying to do is use PEditor to add a new section with a VA of 470080 (i do not think you can jump from 42D000 to 470080 now), then add the 470080 dump to the end of the file. It did not work, so i used topo to add the bytes (/section) to it and was going to re-edit with PEditor (but b4 i did that i ran it).
Kayaker, how did you get the Apply Memory Changes and Quit buttons?
90h
November 26th, 2000, 06:07
I did a new dump at 470080 from 40D9E5 (well, a BPX at 40D9E1 and i think the 2nd time), size 85F80h, and added it to the end like i did b4. It runs fine but it's not 100% unpacked; i have a section .crypt! that i can not delete at this time.
Kayaker
November 26th, 2000, 20:08
Hi 90h,
I tried padding my dumped (TRW PEDUMP) file up to 70080h with zeroes, then adding a new section of size 85029 which contained the bitmap and other resource info. That's how I got the Apply Memory Changes and About buttons to show, but it's crap, not a good solution and the file is over 900k in size.
The Splash screen is a separate class in itself (Afx:400000) which uses a SetTimer value of EA60 (60000 msec) to destroy itself if you don't click on it. It's created within a CreateDialogIndirectParamA call which also creates the rest of the controls. Beforehand its control class is registered with GetClassInfoA and RegisterClassA.
This all falls apart in the dumped file, GetClassInfoA on the Splash screen class fails and of course it's never created. I'm trying to figure out where in memory the program is looking for certain information. I don't know if the answer lies just with adding and correcting the pointers to that 'resource' dump, or whether there's a problem in the .crypt section as well.
Cya,
90h
November 26th, 2000, 21:23
My dump (size 760k) has a Splash screen (timer works too) and Apply Memory Changes and Quit buttons.... (like it was when it was packed). But i have a .crypt section (and i can not delete/0 that section).
PS
size 85F80 was only a test, my new one is 85029 (and works fine too)
90h
November 26th, 2000, 21:41
2 more things: the Import Table may b bad (the program may only run on the pc it was unpacked on...). In IDA (v4.14) i have 2 _crypt_ sections; the 1st _crypt_ has a list of dll/api. In Procdump i have 1 .crypt section.