bloodypriest
November 6th, 2003, 23:33
Hello there,
I've been trying to unpack ActiveMark-packed executables for a while and after seeing I'm not the only one who's interested in this protection, I've decided to start a thread about it.
First, I must say that I'm a lazy guy so I searched for a tutorial before trying to do the job myself. Found one in Russian. The guy used TRW2000 as a debugger but when I tried, I wasn't able to unpack anything using that debugger. So I started working on it myself.
I started SoftICE. What a surprise! The game wouldn't even start up. So I searched on forums if I could find any info about any anti-debugger tricks it used (still lazy guy tendencies).
What I got now is this :
1. It uses MeltICE as its primary SoftICE detection trick.
2. Next, it tries to find SoftICE using INT3.
3. It also uses the "Crush the Frog" variant of MeltICE to prevent FrogSICE from working.
(Thanks Buntus for the info).
So I fired up ICEDump. BTW, I never was able to get ICEDump to work until I installed DriverStudio 2.6. Don't ask me why, it just wouldn't hook up with prior versions while it magically hooked up with DriverStudio 2.6.
I tried again starting the game. Seemed to start but BOOM! Page Fault. I killed the process in SoftICE then GPF in Ring 0 so I did continue and YESSS, BSOD! But this BSOD was kind of harmless so I continued my debugging session.
What was the problem? SoftICE was well hidden. Why did it crash? So I searched and searched and searched. And then I found on hxxp://www.reverse-engineering.net a nice little proggie named BANG! And right in the readme were these lines:
Quote:
another program i found uses the offset between int1 & int3 during small parts of unpacking itself . thus, if winice is running, or in your version of windows this figure is different to 10h, it crashes . . (ask webmasta Fusion & Softlocx v4 use this method.. hxxp://www.bit-arts.com/
And guess what : Activemark is using this kind of trick too. So I tried firing up BANG! but it wouldn't work with ICEDump already hiding SoftICE; so I unloaded ICEDump first and then I fired up BANG! and YESSS, the game started.
So what was left to do was to make a version of BANG! which wouldn't check whether SoftICE was loaded or not and would do its trick anyway (in order to start BANG! on top of ICEDump).
The modification is fairly trivial since the source code is included and I leave that up as an exercise to you. Oh yeah, this program is for Win9x only. WinNT and Win2k users, you're on your own (but I read on another topic that IceExt works). And WinXP users, what are you waiting for to ditch that CrapOS?

WARNING : The modification I suggested in the previous paragraph is dangerous and not fully tested. For instance, if you start BANG! two (or more) times in a row and then start an ActiveMark protected executable, there's a high chance your computer is gonna freeze (at least mine did). Fortunately, starting BANG! on top of ICEDump seems to work fine.
Oh yeah, I almost forgot : a great many thanks to r!sc for his program and his info about int01 and int03 displacement.