Unable to unpack a file wrapped by Bit-arts


paco
March 22nd, 2004, 05:46
Hi,
First of all, I introduce myself as a newbie in unpacking. I have read a lot of tutorials and forums but I'm still not able to unpack a file called Dont be lame. This program is packed with the bit-arts by Read the FAQ software wrapper (crunched/PE heuristic, as checked by PEiD). It has no evaluation possibility and you must be connected to their server for validation before the software can be unpacked on the drive.
I tried to manually unpack it but the dumped file is always below the original weight (1.5 MB, while the packed file weighs 4.47 MB). The Import segment is always destroyed each time I disassemble the file. When I use OllyDbg, it always warns that the Module Entry Point is outside the range... This is very confusing to me and I can't find the OEP.

When I read Heathcliff's tute about Fusion v3 (bit-arts), I thought that I had found my way. Unfortunately the approach was quite different because here I have no demo or evaluation version available.
I spent more than three months, using a lot of tools (SI/PEiD/Revirgin/OllyDbg/IDA Pro...) without success, so my questions:
1- Is it possible that an unpacked file weighs less than the packed one?
2- How can I achieve this unpacking without a connection to their server?
3- Does anyone have experience with this kind of file or protection?
Any help will be highly appreciated.
Tks for helping me, cause I'm really a newbie. I came to this forum for education purposes and, as a French speaker, it is also an opportunity to improve my English. So sorry for all the mistakes I made.
Regards
Paco

hobferret
March 22nd, 2004, 18:00
Quote:
[Originally Posted by paco] Hi,
First of all, I introduce myself as a newbie in unpacking. I have read a lot of tutorials and forums but I'm still not able to unpack a file called I will not be lame. This program is packed with the bit-arts by Read the FAQ software wrapper (crunched/PE heuristic, as checked by PEiD). It has no evaluation possibility and you must be connected to their server for validation before the software can be unpacked on the drive.
I tried to manually unpack it but the dumped file is always below the original weight (1.5 MB, while the packed file weighs 4.47 MB). The Import segment is always destroyed each time I disassemble the file. When I use OllyDbg, it always warns that the Module Entry Point is outside the range... This is very confusing to me and I can't find the OEP.

When I read Heathcliff's tute about Fusion v3 (bit-arts), I thought that I had found my way. Unfortunately the approach was quite different because here I have no demo or evaluation version available.
I spent more than three months, using a lot of tools (SI/PEiD/Revirgin/OllyDbg/IDA Pro...) without success, so my questions:
1- Is it possible that an unpacked file weighs less than the packed one?
2- How can I achieve this unpacking without a connection to their server?
3- Does anyone have experience with this kind of file or protection?
Any help will be highly appreciated.
Tks for helping me, cause I'm really a newbie. I came to this forum for education purposes and, as a French speaker, it is also an opportunity to improve my English. So sorry for all the mistakes I made.
Regards
Paco


Hey JMI

You are slipping here - Links to progs Wot next

/hobferret

Kayaker
March 22nd, 2004, 19:59
I agree any kind of link or proggy name should be unnecessary; I will gladly delete it, but it all depends on what comes next: generic or target-specific response(s). One stays, the other leaves.

Woodmann
March 22nd, 2004, 21:02
Shit,

The bus is full for today.............

And Paco, you have already been warned about posting
like this. I did not realize that it was you who sent me an email
until after I re-instated you under your email nick.
Now I check the IP address and see that you were deleted
for being a lamer.

This will be your last chance to redeem yourself.

-cbo-

paco
March 23rd, 2004, 08:58
Hi Woodmann,
I sincerely apologize for having written the name of a file in my first post. I thought it was useful to people to have an idea of which kind of protection I am dealing with. Sorry, it's my fault.
My concern about the mail I sent to you was related to a problem of registration. In fact, I didn't receive the e-mail validation so I couldn't post my message. Thanks for having validated it.
Anyway, I'm still trying to unpack this file, but as I said before, this protection seems unbeatable compared to the other files I have been able to unpack or patch. This leads me to the conclusion that maybe it's the end of manual unpacking, or I've not enough experience to defeat the need for a server connection before the file is unwrapped. Remember it's not a demo or an evaluation or shareware version.
The last thing I did is trying to dump the file using the OllyDump plugin (with FrogIce active). The problem encountered is that the prog is launched while tracing and, again, I have to face the need for an internet connection.
I've not found any tute yet concerning this kind of protection, so I will keep on trying.
Hope you'll forgive me
Tks a lot ("Merci beaucoup" in French)
Paco

Woodmann
March 23rd, 2004, 20:40
OK,

So you have read some tuts and they do not help you in this situation.
I have an old saying: If a PERSON made it then another PERSON can take it apart.

Since this prog needs access to work, you need to find where it makes this "call".
Next, how do you find this information it desires?
Can you find it hidden in a validation routine?

But you say that you can't unpack it. You can, you just haven't found out
how to do it yet.

Woodmann

paco
March 24th, 2004, 20:39
Hello Woodmann,
Thanks for your wise advice. I'm still trying to find out the "call" concerning the access. I think it is hidden in a packed area of the file, so it can't be accessed unless it is unpacked.
In the meantime, I dumped the memory map and the log data while tracing with OllyDbg. Both are attached to my post. You will notice the different system files (.DLL/.OCX) related to the net.
Hope it can help....
Regards
Paco

Woodmann
March 24th, 2004, 22:21
Mr. Jiggyfly.........

I have some bad news for you but, you already know this.

%UNDEFINED%
March 25th, 2004, 01:47
Eh paco, PM (Private Message) me with the target and URL, I'll take a look and see what advice I can offer.

paco
March 26th, 2004, 05:45
Quote:
[Originally Posted by Woodmann]Mr. Jiggyfly.........

I have some bad news for you but, you already know this.


HI Jiggy,
I've read a tute from Heathcliff in a thread called "Fusion v3 cracked, Titanium v3 defeated, Bit-arts fooled..." Perhaps you should read it, and if by chance you can contact Heathcliff, maybe you'll have info about Fusion 3 by Bit-arts. Myself, I don't have it. GOOD LUCK
Paco

Jiggy
March 26th, 2004, 05:49
Quote:
[Originally Posted by paco]HI Jiggy,
I've read a tute from Heathcliff in a thread called "Fusion v3 cracked, Titanium v3 defeated, Bit-arts fooled..." Perhaps you should read it, and if by chance you can contact Heathcliff, maybe you'll have info about Fusion 3 by Bit-arts. Myself, I don't have it. GOOD LUCK
Paco



Thank you very much, I'll search it and I'll find it. I'm really glad about your post !!!

Bye

paco
May 3rd, 2004, 13:13
HI,
I've not succeeded with manual unpacking of the file, so I tried PEiD v0.92.
I scanned the file using PEiD v0.92 and found the OEP at 00401F30. After that, I unpacked it with snaker's Generic Unpacker v0.1 (which is part of PEiD) and rebuilt the imports with ImpREC. The unpacked file generated has a size of 1,16 MB, while the original one was 4,47 MB.
When I launch the unpacked exe, I get a message saying that the file size is incorrect...
How can an unpacked file have a size smaller than the packed one?
There is still something else to do but I don't know what!!!
Tks coop
Paco
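The size puzzle in this post (and question 1 of the opening post) comes down to the difference between a PE file's on-disk layout and its in-memory image: the loader maps only the headers and the section table's raw data, so any bytes appended after the last section (the overlay) never reach memory, and a dump written from memory cannot contain them. An analyst comparing a dump against the original sample should therefore expect the dump to be smaller whenever the original carries a large overlay, and a program that reads its own size from disk will see the difference. The following Python is an added example, not code from this thread or from PEiD, OllyDump or ImpREC; it constructs a minimal two-section PE32 with a large appended blob, reports both layouts, and mimics what a naive dump tool writes back (sections at their virtual size, overlay gone). That this is what happened to Paco's file is an assumption; the thread never confirms it.

```python
import struct

# Header offsets below follow the PE/COFF specification.  The sample image,
# its section names, sizes and fill bytes are constructed for this demo only.
FILE_ALIGN = 0x200
OPT_HDR_SIZE_PE32 = 224


def build_sample_pe(overlay: bytes = b"") -> bytes:
    """Construct a minimal PE32 file: DOS stub, COFF header, optional header,
    two sections, and optionally some appended (overlay) bytes.  Not a real program."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    sections = [
        # name,    VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        (b".text", 0x1000,      0x1000,         0x400,         0x200),
        (b".data", 0x3000,      0x2000,         0x200,         0x600),
    ]
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_HDR_SIZE_PE32, 0x102)
    opt = bytearray(OPT_HDR_SIZE_PE32)
    struct.pack_into("<H", opt, 0, 0x10B)        # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1F30)      # AddressOfEntryPoint (arbitrary RVA)
    struct.pack_into("<I", opt, 28, 0x400000)    # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)      # SectionAlignment
    struct.pack_into("<I", opt, 36, FILE_ALIGN)  # FileAlignment
    struct.pack_into("<I", opt, 56, 0x5000)      # SizeOfImage: end of .data, page aligned
    struct.pack_into("<I", opt, 60, FILE_ALIGN)  # SizeOfHeaders
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
                     for n, vs, va, rs, rp in sections)
    image = bytearray(dos + b"PE\0\0" + coff + opt + table)
    image.extend(b"\0" * (max(rp + rs for _, _, _, rs, rp in sections) - len(image)))
    for (_, _, _, rs, rp), fill in zip(sections, (b"\xCC", b"\x41")):
        image[rp:rp + rs] = fill * rs           # recognisable section contents
    return bytes(image) + overlay


def parse_pe(data: bytes) -> dict:
    """Read the fields needed to relate file layout to memory layout."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + 40 * i
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": va,
                         "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {"entry_point": struct.unpack_from("<I", data, opt + 16)[0],
            "size_of_image": struct.unpack_from("<I", data, opt + 56)[0],
            "size_of_headers": struct.unpack_from("<I", data, opt + 60)[0],
            "section_table_offset": opt + size_opt, "sections": sections}


def size_report(data: bytes) -> dict:
    """Where do the sections end on disk, and how many bytes follow them (overlay)?"""
    info = parse_pe(data)
    end = max(s["raw_ptr"] + s["raw_size"] for s in info["sections"])
    return {"file_size": len(data), "end_of_sections": end,
            "overlay_bytes": max(len(data) - end, 0),
            "size_of_image": info["size_of_image"], "entry_point": info["entry_point"],
            "sections": [(s["name"], s["raw_size"], s["virtual_size"]) for s in info["sections"]]}


def simulate_dump(data: bytes) -> bytes:
    """Mimic a naive memory dump: headers plus each section at its virtual size,
    section headers rewritten so raw == virtual, and no overlay (it was never mapped)."""
    info = parse_pe(data)
    image = bytearray(info["size_of_image"])
    hdr = info["size_of_headers"]
    image[:hdr] = data[:hdr]
    for i, s in enumerate(info["sections"]):
        n = min(s["raw_size"], s["virtual_size"])   # only this much is loaded from disk
        va = s["virtual_address"]
        image[va:va + n] = data[s["raw_ptr"]:s["raw_ptr"] + n]
        off = info["section_table_offset"] + 40 * i
        struct.pack_into("<II", image, off + 16, s["virtual_size"], va)  # SizeOfRawData, PointerToRawData
    return bytes(image)


if __name__ == "__main__":
    packed = build_sample_pe(overlay=b"\xEE" * 0x10000)   # 64 KiB appended blob (constructed)
    for label, blob in (("packed file", packed), ("memory dump", simulate_dump(packed))):
        r = size_report(blob)
        print(f"{label}: {r['file_size']} bytes on disk, sections end at {r['end_of_sections']}, "
              f"overlay {r['overlay_bytes']} bytes, SizeOfImage {r['size_of_image']}")
```

Run against the constructed sample, the packed file is 67584 bytes with 65536 of them sitting past the last section, while the dump is only 20480 bytes (the SizeOfImage) with no overlay at all. The same `size_report` works on a real dump next to its original, which is the check to run before trusting a dump as a complete copy of the sample.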