A New Project (Unpacking, Nag, Keyfile & More ;-)


Clandestiny
February 7th, 2001, 23:19
Hi All,

Hz recently brought to my attention a new target for our reversing pleasure. And man, this one has it all...

The name of the target is Globe Time and you can download it from:

h*tp://www.powerup.com.au/~marver/dl/globetime131.exe

Firstly, it's packed (with PE-Crypt). It's not too difficult to unpack though (and that's coming from a complete unpacking newbie). I should mention, however, that ProcDump has some trouble rebuilding the import table, and for this reason you'll probably need to use IceDump's Pedump feature. Though it's not really necessary, if you're new to unpacking like me you might be interested in reading up on some of the PE docs... Iczelion has a number of tuts at win32asm.cjb.net on the portable executable (PE) format. Likewise, you may wish to research PE-Crypt a little... and there is at least 1 tut on PE-Crypt at Krobar's site: http://zor.org/krobar/

Secondly, you won't play with this little proggy too long before you encounter its nag (with a timer no less). IMO, it's one of the most annoying ones I've encountered in a while and I think you'll agree with me that it's necessary to do a small patch before we can fully enjoy this reversing experience.

Lastly, and the heart of Globe Time's protection, is a keyfile.

...So basically there are 3 challenges here:

1) Unpack it
2) Remove the nag and its accompanying timer
3) Generate a valid key file

Have Fun... ;-)

...and thanks Hz for the suggestion

Cheers,
Clandestiny

Kayaker
February 9th, 2001, 23:11
What, no screams, no cries of distress, no Eurekas?

SOMEBODY must've tried unpacking it by now, SMC got your tongues? Give it a shot if you haven't yet, this isn't beyond anyone's capabilities, but it IS a good learning opportunity. Where you at?

Kayaker ^_^

NeO
February 10th, 2001, 05:50
I tried it with dump but it isn't so easy!!
It's more difficult than Latigo's! His text isn't meant for newbies, but so far it's the only one!

NeO

hz
February 10th, 2001, 09:28
Hi,
Way to go man, the way to learn is to give it
a try, I'm sure you will get it. Don't be shy
if you get stuck.

regards

Kayaker
February 10th, 2001, 18:02
Hi,

Don't get *too* caught up in Latigo's tut. While it's an excellent tut, and everything he talks about should be learned, most of it deals with rebuilding the Import table. As Clandestiny mentioned, /PEDUMP does all that work for you here. The number one thing is just to find *where* to dump it, just before the jump to the Original Entry Point (OEP). This is only alluded to in Latigo's tut.

You've got 2 reasonable choices here I figure. If you try tracing from the start of the unpacking code you'll drive yourself crazy, get lost in Self Modifying Code (SMC), and still get nowhere because you'll probably end up in Kernel32 code and not be able to get back into the unpacking code. So you need to jump into the middle of all the mess, and that means the Import table decryption routine, since PECrypt mangles the Imports. This is a constant: there will be a routine dealing with the Imports and you can use this to your advantage to get deep into the unpacking code. This also applies to e.g. Asprotect. Latigo's tut will help get you here, or you may have heard of another, or come up with your own, method of dropping into the maw. Then you've got to get yourself OUT of it, and continue your tracing to try to find the OEP.

If you start tracing while you're in the Import decryption routine you'll notice you're in a loop. Watch the registers, display some addresses, and you should get a rough idea of what's happening with the Import names. This loop will continue for as many Imports as you have. Now you need to start paying attention to the jumps that might get you OUT of that loop. Set a few advanced breakpoints and see if they work. You may have set them on SMC code, in which case you're screwed. You need to find a few "solid" BP's that will kick you out of the loop.

Once that's done you can single step until you find that for which you seek.

There is another less painful, but also less instructive method of finding the OEP using the capabilities of a very powerful tool which is probably sitting in your SoftIce directory right now.

'nuff said

Kayaker

Clandestiny
February 10th, 2001, 19:13
Hi Neo,

I hope Kayaker won't mind, but I'm going to clarify a couple of things he said since I just learned some of this stuff myself and I know how confusing it can be (I've already read Iczelion's import table tut 5+ times).

Kayaker mentioned using breakpoints to break into the heart of the import table decryption part of the unpacking routine. For these bpx's you might want to try VirtualAlloc or GetProcAddress. VirtualAlloc does just what its name says... it allocates memory. It makes sense to bpx VirtualAlloc since you know the program must allocate memory to unpack itself into. GetProcAddress, on the other hand, returns the address of a dll and would therefore presumably be found in the vicinity of the import decryption routine. Alas, I had some trouble getting SIce to accept these breakpoints (possibly the SMC, though I'm not sure)... so I took the easy way out that Kayaker mentioned. Actually, I'm very curious if it's *only* me that has trouble getting this proggy to break on VirtualAlloc and GetProcAddress. I tried several times but it just will not break, so please let me know if you have any success with these.

RE: the easy way out -> get IceDump if you don't have it already and read about the tracex and pedump functions.

Good Luck,
Clandestiny

NeO
February 10th, 2001, 19:49
Hello!

Why I said that Latigo's tut is no good! I will explain! I am new at unpacking, so as is normal I started with UPX! I managed that one quickly! So I read some tuts by risc (but they are not for newbies) and Eternal Bliss (good, he explains everything; recommended to anyone). He wrote it in a way that I could get it! The problem for me was that Latigo's tut is for someone who already knows what we are talking about! And of course it's good, it gives you the basic idea of how to unpack!!


So I was looking for the OEP like mad, I was trying (Latigo's exe), but even if I used F8 or F10 every time, it doesn't matter how far I came, I always got the Close Error shutdown of the prog.. And I never could get to the OEP
to dump! So from my point of view it can be great if you get it, but I didn't! So I asked SV how to get to the OEP and not need to trace! So he explained the /tracex command to me! Thanks SV!!! So I used it and the computer found it for me! No tracing! Then I used /dump when I was at the OEP! And that was it!


But the problem for me in this target is that I don't get MZ! So the PE header is fucked! I don't know, I read about it... maybe I have to use /pedump?? I don't know!
So the real problem is how to know how many bytes you have to copy from the packed file!!


The real problem about unpacking is that there are not many great tuts! So far I didn't find out how to use an IAT rebuilder, use more techniques on one packer... and so on! So it's a problem to learn quickly!!



NeO

NeO
February 10th, 2001, 19:51
What is the big difference between /dump and /pedump! I read the icedump txt but I don't get it!!


NeO

LaptoniC
February 11th, 2001, 16:24
Hi everybody,
For the first task I have used TRW2k.
a) Open TRW2k and load globtime.exe
b) Type Pnewsec and enter; it means stop when it enters a new section.
c) Wait 1-2 minutes, TRW2k will stop.
d) Type Makepe and enter.
e) Your exe will be in C:\windows\desktop, the trw2k directory or the program directory. It works and can be disassembled with DeDe; as you know it is written in Delphi.

I have found that the program looks for Globetime.key, but it does not look in the program directory; instead it uses the FindFirstFile API. So if you debug with TRW like me, it will look for this file in the trw2k directory. It is not a problem when you start from the start menu, but if you use a loader maybe it can confuse you like me.
Regards and happy reversing

NeO
February 11th, 2001, 17:44
Try it with SoftICE, most people have it!!

NeO

Kayaker
February 11th, 2001, 23:30
Quote:
NeO (02-11-2001 06:44):
Try it with SoftICE, most people have it!!

NeO


Oh I don't know, I think it's good to get a new perspective. I know some people have problems with getting TRW to run on their systems, but for those who don't it's nice to know its features. I had never used the PNEWSEC command before and sure enough it works as well as /Tracex!

While we're on the subject, and I know this should be posted in the Tools Forum, but maybe Laptonic or someone else familiar with TRW can help: I've never been able to get mouse support (Logitech cordless) with TRW. Fine, I can live with that, but I'd *like* to be able to scroll down in the Code window and see what lies ahead of me in the codewoods. I haven't been able to do this without using the U(nassemble) command and doing it page by page. It doesn't look like the Code window has a scroll bar anyway. IS there a way to get focus into the Code window so you can at least use the arrow keys, or is that window verboten anyway?

Neo, re /DUMP and /PEDUMP. Simply put, /DUMP [address] [length] [filename] allows you to dump any section of memory of whatever length you specify. It's a raw dump just as you see it. Handy for lots of things.

/PEDUMP [imagebase] [EIP] [filename] allows you to create a working PE file from the image in memory. [imagebase] is (usually) 400000. [EIP] is the Original Entry Point as a *relative* Virtual Address, i.e. if you find the OEP is 401000 then you use 1000 here.

You can convert a /DUMP [imagebase] [length of file] to a working PE as well afterwards using Procdump, PEditor or some other util. Assuming of course the packer hasn't pulled some other trick such as corrupting the Import table or the PE Header.

Regards,
Kayaker

hz
February 12th, 2001, 01:00
Hi,

On the subject of annoying things about TRW, no cut and paste, that's really annoying. Maybe we all send our "borrowed" registrations back to the author in protest.

regards

it's a joke, it's a joke

NeO
February 12th, 2001, 08:42
Very good answer Kayaker! I mean very good! I know what I did wrong with /pedump!! I will try to dump it!

Thanks man really!

NeO

LaptoniC
February 12th, 2001, 12:06
Quote:

Oh I don't know, I think it's good to get a new perspective. I know some people have problems with getting TRW to run on their systems, but for those who don't it's nice to know its features. I had never used the PNEWSEC command before and sure enough it works as well as /Tracex!


TRW works fine for me, I have a PS2 mouse; when I am navigating the code window I use the cursor keys with Alt, Shift and Ctrl combinations, i.e. Shift+Up etc..
I know IceDump's tracex is good, but you should give a range for the possible OEP and I couldn't manage to use it on a UPXed exe, so I don't try anymore, lazy me. TRW2k's pnewsec is just a pure command. Regards.

NeO
February 12th, 2001, 17:02
Ok! I used /tracex and /pedump like you said and Pedump does all the work for you! So it unpacks our target!

For Kayaker or everyone with ideas!

So I have another PECrypt 1.02 target, and the problem is not normal! If you open it with PEditor you get .ficken in every section! In normal PECrypt it's only in the last one! So if you use the PECrypt unpacker it opens it and at the end he gets an ERROR! So I have to unpack it manually!

[imagebase] 400000, OEP is 401000, after the /tracex command I used /pedump 400000 1000 D:\kl.exe!
And he says 400000 is not the original PE header!
Where should I find it???
If I use /dump 400000 1000 D:\kl.exe it dumps it, but the problem is that there is no PE header, so no MZ!!

Quote:
You can convert a /DUMP [imagebase] [length of file] to a working PE as well afterwards using Procdump, PEditor or some other util. Assuming of course the packer hasn't pulled some other trick such as corrupting the Import table or the PE Header

Kayaker, did you mean the Bhrama server! If I use the Bhrama server on PECrypt 1.02 I get a shutdown of the Loader!!

Thanks for helping!!

NeO

Kayaker
February 13th, 2001, 02:50
What's the target Neo?

PECrypt 1.02 messes with the NumberOfSections in the File Header section of the PE Header. It changes the #sections to FFFF. Check in a hex editor if your PE Header section is actually in your dump, then check somewhere around bytes 80-100h or so (just after the text "PE") and see if there's an FFFF which shouldn't be there kicking around.

NeO
February 13th, 2001, 06:39
I can send it to you if you give me your email! Because it is the old crackme! Or if you like you can email me!! You decide!!

NeO

mustapha
February 19th, 2001, 20:56
Hi to All,
I have not tried this packed prog because I have not had the time yet. Yesterday I read some +Splaj tuts and the GetProcAddress API appears like you said. I always use the method explained in Volatility's tut (unaspack.txt). It is a great tut, all is detailed in it.
The bytes of the end of the unpacker routine depend on the packer. Yesterday I found Discompress, there you can find the +Splaj tut and the sequence of bytes to look for the end of the unpacker routine.
Well, now my time is over. Tomorrow I will ask some things about the IAT.
Bye
Mustapha

NeO
February 21st, 2001, 05:59
Where did you get Volatility's tut (unaspack.txt)? URL!!

mustapha


NeO

mustapha
February 26th, 2001, 13:14
Hi to all,
I checked Globe and I have problem(s). I used bpx FreeLibrary, some F12 until Globe.rsrc, bpx here and 14 F5 and then some F10 until

00490E02 8B83CC1F0000 MOV EAX, [EBX+01FCC] ; EAX=400000
00490E08 038308200000 ADD EAX, [EBX+02008] ; EAX=463318
00490E0E FFE0 JMP EAX ; go to Globe.CODE

After the jump, I land in Globe.CODE, everything seems right, no jump to the middle of the code.
I made a script to procdump and when I try to use it, I have an error. So I dumped (with jmp eip....) the code and changed the entry point to 63318. After that I have some access error and a runtime error if I try to use my globeunpacked?.exe.
Now I know that I am in the wrong direction.
Like always: Any suggestion?

Saludos
Mustapha

Lord Rhesus
February 28th, 2001, 19:12
I haven't actually had a go at unpacking this program, but it seems to me that most people fail at this point. And I think that it puts them off, so I suggest that in order to keep people interested that someone posts the OEP. Any critics?

Kayaker
February 28th, 2001, 20:27
Hi Mustapha,

This problem with Procdump not being able to rebuild the Import table that PECrypt corrupts is mentioned in the first post. You can either use (/PEDUMP 400000 63318 filename) and a new IT will be sitting in a new section at the end of the file, or you can try out Revirgin and rebuild it manually.

Procdump is still a great tool, but not being able to handle corrupted Import tables or PE Headers limits its use now. PEDUMP is the simplest way to go. However if the pointers to the IT are redirected, as in Asprotect, then you need something like Revirgin.

Even for "regular" packed dumps where the image of the file in memory looks just as the original unpacked file would, I prefer to raw dump the file and fixup the PE Header with PEditor over using Procdump. At the OEP you would use
/DUMP Imagebase SizeofImage filename
where Imagebase is (usually) 400000 and the Size you can get from PEditor as well.
Then you use the Dumpfixer feature to make the Virtual Size and Virtual Offset equal to the Raw Size and Raw Offset of all the sections, fix the OEP, change the code characteristics of the 1st section to E0000020 if necessary, check that the Imports are all OK, and voila, you've got a working PE file. If the Imports *aren't* OK, you can still use this raw dumped file as a base to add a rebuilt Import table on to the end of it.

Just caught Lord Rhesus' post as I was about to post this one. Actually, Mustapha just did show the OEP. A simple BPX 490E0E should get SoftIce to break there bypassing all the crap. /Tracex should also find the OEP, good chance here for people to try it out.

Hope this helps,

Kayaker
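The raw-dump fixups Kayaker walks through (OEP as an RVA, raw size/offset made equal to virtual size/address so file offset equals RVA, first section characteristics E0000020), plus the NumberOfSections=FFFF check from his PECrypt 1.02 post, as an added Python example that is not part of this thread or any of the tools it mentions. The PE image it operates on is a constructed stand-in, not the real Globe Time dump; the section names, sizes and RVAs are assumed.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER (40 bytes)
CODE_EXEC_RW = 0xE0000020      # code | executable | readable | writable

def build_dump_image(number_of_sections_field):
    """Constructed stand-in for a raw /DUMP of the process image (not the real
    Globe Time dump): DOS header, NT headers at e_lfanew=0x80, two sections."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    file_hdr = struct.pack("<HHIIIHH", 0x14C, number_of_sections_field, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)                     # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)     # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x69000)  # AddressOfEntryPoint: still the packer stub
    struct.pack_into("<I", opt, 28, 0x400000) # ImageBase
    struct.pack_into("<I", opt, 56, 0x6A000)  # SizeOfImage, i.e. the /DUMP length
    struct.pack_into("<I", opt, 60, 0x1000)   # SizeOfHeaders
    # Raw size/offset still describe the packed file on disk, not the image in memory
    secs = struct.pack(SECTION_FMT, b"CODE", 0x62400, 0x1000, 0x11000, 0x400, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack(SECTION_FMT, b".rsrc", 0x5000, 0x64000, 0x3000, 0x11400, 0, 0, 0, 0, 0x40000040)
    return (dos + b"PE\0\0" + file_hdr + bytes(opt) + secs).ljust(0x6A000, b"\0")

def parse_headers(image):
    """Locate the header fields the thread talks about; fails if MZ/PE are missing."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ: the PE header is not in the dump")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    nsec = struct.unpack_from("<H", image, e_lfanew + 6)[0]       # FileHeader.NumberOfSections
    size_opt = struct.unpack_from("<H", image, e_lfanew + 20)[0]  # FileHeader.SizeOfOptionalHeader
    opt_off = e_lfanew + 24
    return {"e_lfanew": e_lfanew, "number_of_sections": nsec, "opt_off": opt_off,
            "entry_point": struct.unpack_from("<I", image, opt_off + 16)[0],
            "section_table": opt_off + size_opt}

def fix_dump(image, real_sections, oep_rva):
    """Apply the manual fixups from the thread to a raw memory dump."""
    img = bytearray(image)
    h = parse_headers(img)
    if h["number_of_sections"] == 0xFFFF:  # PECrypt 1.02 writes FFFF here
        struct.pack_into("<H", img, h["e_lfanew"] + 6, real_sections)
    struct.pack_into("<I", img, h["opt_off"] + 16, oep_rva)  # OEP as RVA, e.g. 63318 for 463318
    for i in range(real_sections):
        off = h["section_table"] + 40 * i
        f = list(struct.unpack_from(SECTION_FMT, img, off))
        f[3], f[4] = f[1], f[2]  # raw size/offset := virtual size/address (file offset == RVA)
        if i == 0:
            f[9] = CODE_EXEC_RW  # first section: code, executable, readable, writable
        struct.pack_into(SECTION_FMT, img, off, *f)
    return bytes(img)

def sections(image):
    h = parse_headers(image)
    return [struct.unpack_from(SECTION_FMT, image, h["section_table"] + 40 * i)
            for i in range(h["number_of_sections"])]
```

Rebuilding a corrupted import table is a separate step (PEDUMP, PEditor or Revirgin in the thread) that this example does not attempt.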

mustapha
March 2nd, 2001, 20:10
Hi to all,
Yes, with PEditor I can make the prog run, I used the Rebuild Import Table option. I am gonna install it in another machine to see what happens.....

Mustapha
March 3rd, 2001, 19:12
Hi to all,
Well, I used PEditor to rebuild the import table and Globe loads fine on my computer, but when I try it on a Windows ME machine it does not work.
I used IceDump (the first time I used it, it impressed me) and Globe works fine on both Win98 & WinME.

Saludos
Mustapha

Mustapha
March 12th, 2001, 07:43
Well, I made a mistake, there wasn't a WinME machine, sorry

Mustapha.

+SplAj
March 13th, 2001, 04:32
Hi guys,

May I input a little help for you who are STUCK re dumping/rebuilding the IAT/IT for this target?....

If not CLOSE this message immediately !
and sorry for poking my nose into this thread. :'(


If so, the first thing to do is a bpx LoadLibraryA and when SI pops, then after F12 look at where EDI points to..... this is in the middle of the IAT/IT section at 4671AC - hint: scroll up to the first thunk <Alt-PgUp> and see the first API memory is at 467118.
Now get to your OEiP at 463318, dump with PEditor 1.7 (after E EIP EB FE), then kill the task. Edit the DUMPED.EXE with PEditor 1.7 and change the Entry Point to 63318 and the Import table to 67118.
Then REBUILD with the following parameters selected :-
Rebuild Import Table + make PE Header WinNT compatible. NO realign etc.

Now you should see the IT address has changed to 67000 and if you click 'imports'... I think it's fixed now...... erm, change the EB FE back to 55 8B at raw 63318!

See, no IceDump to worry about or strange PE header section entries or redirected APIs. Just a plain vanilla dump and rebuild the traditional way.

That's all, no help with the 3 timezones or closing timer nag...
unless you want that too? Don't think so.

Have fun

SplAj