Identifying a packer, PEiD/TrID fail


netsniper
April 5th, 2005, 19:32
1. What is the problem....
I cannot determine the packer of a certain binary, and thus, cannot unpack it automatically

2. What is the protection.....
Unsure as of yet, but would probably need to unpack first to find out

3. What tools are you using....
I have tried PEiD, TrID, Ollydbg, Winhex, and IDA Pro to get some idea of how it is packed -- but no luck

4. What tutorials have you read....
I have read some basic unpacking tutorials on common packers like UPX, ASPack, etc and have unpacked these on my own before

5. Show your output listing WITH comments....
PEiD v0.93 with all plugins on their site shows "Nothing Found *", with options Hardcore scan, recurse subdirectories, use external signatures, reg shell ext, min to sys tray, load plugins, allow mult instances.

TrID output:
Code:
C:\Program Files\TrID>trid "c:\Program Files\fakefolder\fakefile.exe"

TrID/32 - File Identifier v1.56 - (C) 2003-04 By M.Pontello

Collecting data from file: c:\Program Files\fakefolder\fakefile.exe
Definitions found: 1552
Analyzing...

72.4% (.EXE) Win32 Executable Generic (10527/13/4)
13.8% (.EXE) Generic Win/DOS Executable (2002/3)
13.8% (.EXE) DOS Executable Generic (2000/1)
0.0% (.CEL) Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3)

C:\Program Files\TrID>


6. NOW ask your question....
Are there any other tools that can help me identify the packer of this binary? I would like to investigate the underlying code itself, so I need to unpack it first. If manual unpacking is necessary, I would like to learn how to do this. However, since my situation is also time critical, would it be against the rules to offer monetary reward for an expert to help? This was not detailed in the FAQ.

I eagerly await your replies ;-)

netsniper

esther
April 5th, 2005, 20:15
Autodesk? It might be dongle related...

my 2 cents

netsniper
April 5th, 2005, 20:21
Quote:
[Originally Posted by esther]Autodesk? It might be dongle related...


The exe is NOT an autodesk application. I think that TrID is identifying a file format that autodesk uses within my fakefile.exe app, which does video encoding (I'm hiding the name of the file on purpose). Anyways, are there any other ways to attack this?

netsniper

disavowed
April 6th, 2005, 01:50
Quote:
[Originally Posted by netsniper]Are there any other tools that can help me identify the packer of this binary?

If PEiD couldn't detect it, chances are that other apps won't be able to either.

Quote:
[Originally Posted by netsniper]However, since my situation is also time critical

If your situation is time critical, then you may want to just run your target, dump its memory, and analyze the dump (as opposed to doing a perfect unpacking job).

Quote:
[Originally Posted by netsniper]would it be against the rules to offer monetary reward for an expert to help

If this is third-party (not written by you) commercial software, then you shouldn't offer such a reward here. However, if it is not commercial software or the software's EULA explicitly allows for reverse engineering, then please say so and you may get some offers to help.

netsniper
April 6th, 2005, 02:40
Quote:
[Originally Posted by disavowed]If your situation is time critical, then you may want to just run your target, dump its memory, and analyze the dump (as opposed to doing a perfect unpacking job).


I would try to do this, but the app also seems to have code that stops me from using Ollydbg in this way. Is there an easier way to dump the running process to memory? Also, even though I have tricked the program to letting Ollydbg run a few times, when I "attach to process" the code still looks like junk! I'm wondering if there is much SMC here that is screwing everything up. All I really want to do is analyze the "virgin" function structures, without jumping through all these fscking h00ps :-O Man, these guys are really trying to hide their source. It is about a $1000 program, which I also assume to have ripped code from GPL projects. I'll give a big hint. Their website has been posted on /. many times in recent weeks and this site went down today ;-P I think they are pressured by my analysis of their other "product"...

In conclusion, how can I dump the memory so I can analyze this file's functions?

Quote:
[Originally Posted by disavowed]If this is third-party (not written by you) commercial software, then you shouldn't offer such a reward here. However, if it is not commercial software or the software's EULA explicitly allows for reverse engineering, then please say so and you may get some offers to help.


If it is suspected that GPL code is within, would that be legal? I have already proven, very publicly, that this company's other "product" was stolen from GPL sources. I would like to do that again with this application that they are protecting so well. There must be something underneath, or else, why would they hide so well :-) I ask in the name of open source for help, and if none is available, I offer -- out of curiosity for the conclusion -- a monetary reward for unpacking, which should aid in proving the stolen source code. This is a big deal...

netsniper

nikolatesla20
April 6th, 2005, 18:36
Information required as follows:

How many sections in the PE file?

Names of PE file sections?

Is OEP in the final section?

Sizes of sections in file?

Any functions in the Import Table? If so, how many and what are their names?

When the program executes, is there only one "instance" running?

Can you simply dump the program from memory using LordPE while it's running? or does LordPE give you an error when trying to do so?


-nt20

netsniper
April 7th, 2005, 02:04
Quote:
[Originally Posted by nikolatesla20]How many sections in the PE file?


seven sections...

Quote:
[Originally Posted by nikolatesla20]Names of PE file sections?


In order by virtual address:
.text
xm618ywi
.data
.rsrc
bvium466
fbnk3hol
q7n4woxj

Quote:
[Originally Posted by nikolatesla20]Is OEP in the final section?


I don't know the OEP, and am a little naive about finding it since I don't have SoftICE. I am trying to get it installed after reading this fine tutorial and getting a good idea how to do it:
hxxp://www.woodmann.com/fravia/predator_unpacking.htm

Can I locate the OEP some other way? This application seems to have anti-debugging code so I don't know how to get around that to find the OEP. Is there some other way without the debugger? I mean, if I try to open Ollydbg, the protected application immediately closes it.

In PE Explorer, the listed "Address of Entry Point" is 003DB93B. But I am assuming that this is not the OEP...

Quote:
[Originally Posted by nikolatesla20]Sizes of sections in file?


From PE Explorer:
Name | Vrt Sz | Vrt Addr | Sz Raw Data | Ptr Raw Data | Chars | Ptr Dirs

.text | 000d2000h | 00401000h | 00000000h | 00000400h | e0000020h | --
xm618ywi | 00022000h | 004d3000h | 00000000h | 00000400h | e0000060h | --
.data | 0010f000h | 004f5000h | 00000000h | 00000400h | c0000040h | --
.rsrc | 00088000h | 00604000h | 0002b000h | 00000400h | c0000040h | Resource Table
bvium466 | 00016000h | 0068c000h | 00000000h | 0002b400h | e2000060h | --
fbnk3hol | 00054000h | 006a2000h | 00000000h | 0002b400h | e0000020h | --
q7n4woxi | 000e6000h | 006f6000h | 000e5d24h | 0002b400h | e0000060h | Import Table: TLS Table

Quote:
[Originally Posted by nikolatesla20]Any functions in the Import Table? If so, how many and what are their names?


I am not that familiar with packed programs messing with the import table. I am now reading this guide:
http://sandsprite.com/CodeStuff/Understanding_imports.html

However, still not sure how to detect how many functions there are and what the names are. I can say that the DLLs in the program folder seem to be msvc71*.dll files, so I am assuming a .NET application. Since the raw size of the q7n4woxj section seems large, I'm guessing that most of the code is in here...

OK, I took a look at the section in a hex editor and see only a few notable functions in here -- but everything else looks garbled:
GetModuleHandleA
LoadLibraryA
GetProcAddress
ExitProcess
MessageBoxA

Quote:
[Originally Posted by nikolatesla20]When the program executes, is there only one "instance" running?


It only runs one instance at a time.

Quote:
[Originally Posted by nikolatesla20]Can you simply dump the program from memory using LordPE while it's running? or does LordPE give you an error when trying to do so?


I can dump the running process, but the dumped file does not run correctly. It hangs with a greyed out window and I have to end task it...

Thanks for your guidance, and hope to hear back from you soon :-)

netsniper
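The section listing in the post above already carries the usual signs of a packed image. The following is an added example, not part of the original thread: it rebuilds that section table as raw `IMAGE_SECTION_HEADER` records and applies three common triage checks plus an entry-point lookup. The image base of 0x00400000 is an assumption inferred from the listed virtual addresses, and the list of "usual" section names is illustrative.

```python
import struct

# IMAGE_SECTION_HEADER layout (PE/COFF): 40 bytes per entry.
SECTION_FMT = "<8sIIIIIIHHI"
SECTION_SIZE = struct.calcsize(SECTION_FMT)
MEM_EXECUTE = 0x20000000  # IMAGE_SCN_MEM_EXECUTE
MEM_WRITE = 0x80000000    # IMAGE_SCN_MEM_WRITE
# Illustrative set of names emitted by common linkers (assumption, not exhaustive).
USUAL_NAMES = {".text", ".rdata", ".data", ".idata", ".edata",
               ".rsrc", ".reloc", ".tls", ".bss", ".pdata"}

IMAGE_BASE = 0x00400000   # assumption: default base for a 32-bit EXE
ENTRY_RVA = 0x003DB93B    # "Address of Entry Point" quoted in the post

# (name, virtual size, virtual address, raw size, raw pointer, characteristics)
# Values copied from the PE Explorer listing in the post.
ROWS = [
    (".text",    0x000D2000, 0x00401000, 0x00000000, 0x00000400, 0xE0000020),
    ("xm618ywi", 0x00022000, 0x004D3000, 0x00000000, 0x00000400, 0xE0000060),
    (".data",    0x0010F000, 0x004F5000, 0x00000000, 0x00000400, 0xC0000040),
    (".rsrc",    0x00088000, 0x00604000, 0x0002B000, 0x00000400, 0xC0000040),
    ("bvium466", 0x00016000, 0x0068C000, 0x00000000, 0x0002B400, 0xE2000060),
    ("fbnk3hol", 0x00054000, 0x006A2000, 0x00000000, 0x0002B400, 0xE0000020),
    ("q7n4woxj", 0x000E6000, 0x006F6000, 0x000E5D24, 0x0002B400, 0xE0000060),
]


def build_section_table(rows):
    """Pack the listing into on-disk section headers (constructed sample input)."""
    return b"".join(
        struct.pack(SECTION_FMT, name.encode("ascii"), vsize, va - IMAGE_BASE,
                    rsize, rptr, 0, 0, 0, 0, chars)
        for name, vsize, va, rsize, rptr, chars in rows
    )


def parse_sections(blob):
    """Decode consecutive IMAGE_SECTION_HEADER records."""
    if len(blob) % SECTION_SIZE:
        raise ValueError("truncated section table")
    sections = []
    for off in range(0, len(blob), SECTION_SIZE):
        name, vsize, rva, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_FMT, blob, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "rva": rva, "rsize": rsize,
                         "rptr": rptr, "chars": chars})
    return sections


def indicators(sec):
    """Return the packer indicators that apply to one section."""
    found = []
    if sec["rsize"] == 0 and sec["vsize"] > 0:
        found.append("empty-on-disk")        # filled in only at run time
    if sec["chars"] & MEM_WRITE and sec["chars"] & MEM_EXECUTE:
        found.append("writable+executable")  # code can be rewritten in place
    if sec["name"] not in USUAL_NAMES:
        found.append("unusual-name")
    return found


def section_containing(rva, sections):
    """Name of the section whose virtual range covers rva, or None."""
    for sec in sections:
        span = max(sec["vsize"], sec["rsize"])
        if sec["rva"] <= rva < sec["rva"] + span:
            return sec["name"]
    return None


def triage(blob, entry_rva):
    sections = parse_sections(blob)
    report = {s["name"]: indicators(s) for s in sections}
    entry = section_containing(entry_rva, sections)
    return report, entry, entry == sections[-1]["name"]


if __name__ == "__main__":
    report, entry, in_last = triage(build_section_table(ROWS), ENTRY_RVA)
    for name, flags in report.items():
        print(f"{name:<9} {', '.join(flags) or '-'}")
    print(f"entry point in {entry} (last section: {in_last})")
```

The header entry point landing in the last, only populated code section is the stub's entry point, not the OEP of the protected program.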

bilbo
April 7th, 2005, 02:46
It looks to me like Execryptor... one of the best toys in the market!
Regards, bilbo

kao
April 7th, 2005, 06:15
Agree with Bilbo - looks like Execryptor: very hard but crackable. There is no SMC, but lots of junk code. Developer can also hide parts of his code in the junk code. There is huge performance hit for doing that, so usually only serial checking routine is "junked".

Execryptor does not support .NET applications, though. It might be normal application compiled with VS 2003.

disavowed
April 7th, 2005, 10:05
Quote:
[Originally Posted by netsniper]... which I also assume to have ripped code from GPL projects. I'll give a big hint. Their website has been posted on /. many times in recent weeks and this site went down today ;-P I think they are pressured by my analysis of their other "product"...

Ahh... found it with http://www.google.com/search?btnI&q=netsniper+gpl

Quote:
[Originally Posted by netsniper]If it is suspected that GPL code is within, would that be legal?

I'm not a lawyer, but my guess would be no.

Quote:
[Originally Posted by netsniper]I offer -- out of curiosity for the conclusion -- a monetary reward for unpacking, which should aid in proving the stolen source code. This is a big deal...

perhaps you should use half of that monetary award to pay a lawyer to determine whether or not unpacking it and reverse engineering it would be legal. if the lawyer confirms that it's legal, then come back here and offer the other half of the monetary award for unpacking it. (and of course provide references to the lawyer and their decision)

JMI
April 7th, 2005, 10:58
It seems they should have already talked to lawyers because they are collecting donations on the "PearPC Legal Suit Donation Page."

From everything I've read on the net, there is no legal prohibition on reverse engineering any software code for the purposes of examining it. As I understand the issue, the problem comes from "misappropriating" the intellectual property of another and "using" that work without the permission (or compensation) of the author. Examining the code of others is something which is done all the time in software companies.

California made some news a couple of years ago as part of the release and publication of the DeCSS code which allowed one to "access" movie CDs. California's Supreme Court eventually got involved in the controversy and issued a decision in the case, titled: DVD COPY CONTROL v. BUNNER. The United States (and California has its own State regulation adopting the U.S. model) has something called the "Uniform Trade Secrets Act (UTSA)."

According to that Act:

Trade secret misappropriation occurs whenever a person: (1) acquires another's trade secret with knowledge or reason to know "that the trade secret was acquired by improper means" (§ 3426.1, subd. (b)(1)); (2) discloses or uses, without consent, another's trade secret that the person "[U]sed improper means to acquire knowledge of" (id., subd. (b)(2)(A)); (3) discloses or uses, without consent, another's trade secret that the person, "[a]t the time of disclosure or use, knew or had reason to know that his or her knowledge of the trade secret was" (a) "[d]erived from or through a person who had utilized improper means to acquire it" (id., subd. (b)(2)(B)(i)), (b) "[a]cquired under circumstances giving rise to a duty to maintain its secrecy or limit its use" (id., subd. (b)(2)(B)(ii)), or (c) "[d]erived from or through a person who owed a duty to the person seeking relief to maintain its secrecy or limit its use" (id., subd. (b)(2)(B)(iii)); or (4) discloses or uses, without consent, another's trade secret that the person, "before a material change of his or her position, knew or had reason to know that it was a trade secret and that knowledge of it had been acquired by accident or mistake" (id., subd. (b)(2)(C)).

But, for our purposes, here is the interesting part under both U.S. and California law:

Acquisition of a trade secret by "'[I]mproper means' includes theft, bribery, misrepresentation, breach or inducement of a breach of a duty to maintain secrecy, or espionage through electronic or other means." (§ 3426.1, subd. (a).) "Reverse engineering or independent derivation alone," however, is not "considered improper means."

It would seem that if one were seeking to sue another for "misappropriating" their intellectual property in the form of their code and incorporating it into their own software, reverse engineering the code would be "required" and the principal form of "proof" that a "misappropriation" had occurred. If the trade secret actually "belongs" to the person doing the reversing, it probably would be hard to successfully argue they were "misappropriating" their own code.

Regards,

naides
April 7th, 2005, 12:36
Naive Observation. (Packing and unpacking IS NOT MY THING):

Even when the application is up and running, The code looks scrambled?

Maybe I misunderstood but have you done this?:

Get the app up and running.
The code should be unpacked in memory, at least some parts of it.
Using a dumping tool like PE Tools, find the process in the memory and dump it.

You could analyze the dump for code patterns, strings, etc.
The API calls and communication with the system dlls is probably scrambled beyond recognition, but the code flow and the structure of the functions should be recognizable

netsniper
April 7th, 2005, 12:55
Quote:
[Originally Posted by bilbo]It looks to me like Execryptor... one of the best toys in the market!


Better than Silicon Realm's Armadillo/Software Passport?

netsniper

netsniper
April 7th, 2005, 13:27
Quote:
[Originally Posted by JMI]"Reverse engineering or independent derivation alone," however, is not "considered improper means."

It would seem that if one were seeking to sue another for "misappropriating" their intellectual property in the form of their code and incorporating it into their own software, reverse engineering the code would be "required" and the principal form of "proof" that a "misappropriation" had occurred. If the trade secret actually "belongs" to the person doing the reversing, it probably would be hard to successfully argue they were "misappropriating" their own code.


Great insight dude :-) Yes, I think that it is fine to reverse the software, but I will also speak with my lawyer and see what he says. I want to make sure that this is allowable. If that is the case, how much of a time investment would it be to "virginize" this application? I'm assuming that manual work would need to be done to get the code into a usable form for IDA Pro analysis (ie. unpack, recover from junk code blocks, remove anti-debug code, remove anti-trace, etc...). Let me know and then offer up a bid. After I talk to my lawyer I would love to speak with someone about doing this, and afterward, finding out how they went about their work. Maybe they could also write up an article on how they did it? I found someone else on the net that was doing similar research and seems to show that XVID and LAME code is in their product! I'm about to email him and talk some more about it. See for yourself here:
http://www.tliquest.net/ryan/cherryos/vx30/oldversion/

netsniper

netsniper
April 7th, 2005, 15:43
Quote:
[Originally Posted by naides]Even when the application is up and running, The code looks scrambled?

Maybe I misunderstood but have you done this?:

Get the app up and running.
The code should be unpacked in memory, at least some parts of it.
Using a dumping tool like PE Tools, find the process in the memory and dump it.


Yeah, I did dump the process, but it still seems like junk! I am wondering wtf is going on here. I am new to this though, so I must be doing something stupid. Another guy on the net did happen to get a dump working correctly and analyzed the code a little bit. Maybe I can just snag the resultant executables from him so I can do some IDA Pro analysis. This is getting very interesting...

netsniper

disavowed
April 7th, 2005, 19:58
There's some discussion of this issue on DataRescue's bulletin board, as well as a link to this thread: http://www.datarescue.com/ubb/ultimatebb.php?/topic/4/274.html

netsniper
April 7th, 2005, 23:58
Yea, it's too bad I can't post to that forum to clear up the inconsistencies, so here goes:

The "analysis" is very basic, I know. Actually, I think the only IDA Pro feature I put to use was the function flow graphing. Everything else could have been researched in a disassembler. It was done using a demo version of IDA Pro, but be aware that I do plan to buy the product at some point.

I have also talked to Halvar about getting BinDiff via academic licensing. Does DataRescue offer such a discounted rate for students?

The "pirated" copy of software that you mention on my website is nothing of the sort. Maui X-Stream does not even have the right to distribute their own product (GPL violations), and since I have the OK from PPC, then I am also not breaking any rules -- since it is their code in the CherryOS product! However, coincidentally, I did remove it tonight in light of a strategic move on the part of the developers.

I do not condone piracy, so let that be known. I am contributing much of my free time to make sure that Maui X-Stream is reprimanded for _their_ piracy. Surely this should be some indication. I also contribute to Open Source Software projects on Sourceforge...

netsniper

MrAnonymous
April 8th, 2005, 00:09
Quote:
[Originally Posted by netsniper]Better than Silicon Realm's Armadillo/Software Passport?

netsniper


Armadillo doesn't use any ASM obfuscation, so it's not really comparable to EXECryptor. What I will say, though, is that the one EXECryptor program I looked at simply wouldn't run on my PC (the previous versions of the prog, before it was packed with it, worked fine), but the 'crypted' version just crashes. I wouldn't use EXECryptor for any of my own programs.

bilbo
April 8th, 2005, 03:10
Quote:
[Originally Posted by netsniper]Better than Silicon Realm's Armadillo/Software Passport?

MrAnonymous has already answered this. I would add that Armadillo has some ASM obfuscation too, but more localized.

naides, I think you should study modern packers/encryptors, because they are becoming every day more interesting... They are changing IRREVERSIBLY the target, and not just for what is concerning DLL calls!

Armadillo (Nicolas Brulez) started with the NANOMITES idea: he replaced the conditional/unconditional JUMP opcodes with a CC opcode (INT 3), passing the control to an external debugger written ad hoc in order to solve at run time the jumps (and the jump solver is well obfuscated by the way ;-)), on the basis of pre-built tables. But the original jump code was thrown away, not just stolen or relocated.

Execryptor rebuilds the code in another place, converting it to spaghetti code and adding here and there exceptions to confuse the debuggers. Furthermore the code is not localized in the same place, but scattered at many different addresses (with jumps/calls/SEH to tie one fragment with another) so the flow analysis cannot locate subroutines: it can only locate part of the iterations. Obviously this process is not performed on the whole executable for performance issues, as kao pointed out: the continuous jumping here and there nullifies the opcodes cache/pipeline.

Well, IRREVERSIBLY is anyway a too restricting word: it is possible to write some pseudo-intelligent stuff which attempts to revirgin back the target (obviously in another memory area and not necessarily the same as the original - so not always suitable for a BinDiff analysis).

Best regards, bilbo

kao
April 8th, 2005, 05:21
netsniper, can you list all DLLs used by main program? I was able to unpack GUI part, but main EXE just refuses to load..

netsniper
April 8th, 2005, 14:31
Quote:
[Originally Posted by kao]netsniper, can you list all DLLs used by main program? I was able to unpack GUI part, but main EXE just refuses to load..


You want all the DLLs in the program directory or all the DLLs it loads? I mean, there are tons of standard DLLs it loads for obvious functionality. Also, I don't know what version you are using -- I went back to trying to play with the 1.5.x.x version instead of 2.x since it seems to be using older execryptor...

netsniper

kao
April 8th, 2005, 15:50
Quote:
[Originally Posted by netsniper]You want all the DLLs in the program directory or all the DLLs it loads? I mean, there are tons of standard DLLs it loads for obvious functionality.

A list of all the DLLs that process loads would be nice. Perhaps I'm missing one of those "almost" standard ones, since process refuses to start and stops somewhere in Execryptor junkcode.

Quote:
[Originally Posted by netsniper]
Also, I don't know what version you are using -- I went back to trying to play with the 1.5.x.x version instead of 2.x since it seems to be using older execryptor...

It's one of the latest 2.x versions. How/where can I check exact version number?

netsniper
April 8th, 2005, 16:31
Quote:
[Originally Posted by kao]A list of all the DLLs that process loads would be nice. Perhaps I'm missing one of those "almost" standard ones, since process refuses to start and stops somewhere in Execryptor junkcode.


I would give the exact DLLs, but for some reason, in the latest VX30 2.x version, WinHex does NOT see the VX30Encoder process!!?!?? This is weird. Are they trying to hide their own process? Using WinHex I am usually able to dump the list of loaded DLLs it is using. You have another way to do it? See if WinHex works for you -- you can try using the "Open RAM" function...

Quote:
[Originally Posted by kao]It's one of the latest 2.x versions. How/where can I check exact version number?


Help -> About? I forget the exact place where it is shown -- perhaps it is not even shown in newer versions anymore. I think I had this problem too. Hrmm, sorry dude. I am really just going back to the 1.x version, because I think it is easier to crack...

netsniper

kao
April 9th, 2005, 11:50
Heh, GdiPlus.dll was missing on my Win2K and it caused the nasty crash.

2.0.0.3452 is unpacked and working (on my computer only...). There are 2 areas (780 and 2350 bytes) protected with Execryptor's junk code - they look terrible and will cause crash on other PCs. Everything else looks and works beautiful.

Has anyone ever recovered original code from Execryptor's junk code?

netsniper
April 9th, 2005, 16:06
Quote:
[Originally Posted by kao]Heh, GdiPlus.dll was missing on my Win2K and it caused the nasty crash.

2.0.0.3452 is unpacked and working (on my computer only...). There are 2 areas (780 and 2350 bytes) protected with Execryptor's junk code - they look terrible and will cause crash on other PCs. Everything else looks and works beautiful.

Has anyone ever recovered original code from Execryptor's junk code?


Can you do me a favor? Can you scan the running process or hex edit the unpacked executable and search for the strings "xvid", "lame", and "ogg"? I would really appreciate it...

netsniper

kao
April 10th, 2005, 02:30
Some people never change... The following interesting strings are present and probably relevant to your research:

Code:
This software is derived from the GNU GPL XviD codec (0.9.2). Your software distributor has to give access to its source code.
Xiph.Org libVorbis I 20030909
lame_encode_main_power
lame_encode_stop
Andrew S. Gildehaus, agildehaus#runbox.com
Marcel Hoffs, marcelhoffs#hotmail.com
Usage: mplayerc.exe "pathname" [switches]
Server: MPC WebServer
MPCSESSIONID
; Note: This file was saved by Subresync.
; http://www.anime-fansubs.org
deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly
RASetPwd
Ardubancel Quazanga
RASetDLLAccessPath
libfaad 2.0, http://www.audiocoding.com/
libdts 0.0.2, http://www.videolan.org/dtsdec.html


These 2 are there for some unknown reason:
Code:

www.paco.net
GET /test.php?testvar=privet+is+Odessi+goodbye HTTP/1.1

paco.net is a Ukrainian ISP. "Privet is Odessi" translates as "Hello from Odessa". And I thought those guys are from US..

Check PM for more details.

kao
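The string search requested above ("xvid", "lame", "ogg") can be run over a memory dump or unpacked image in a way that also catches UTF-16LE text and skips look-alike words. This is an added example, not code from the thread: the marker list comes from the search terms and results quoted in the posts, and the sample buffer is constructed, reusing two strings kao reported plus a decoy.

```python
import re

MIN_LEN = 6
# Printable ASCII runs, and the same characters stored as UTF-16LE.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Short markers are fenced with letter boundaries so that "logging" or
# "flamegraph" do not count as hits for "ogg" or "lame".
MARKERS = {
    "xvid": re.compile(r"xvid", re.I),
    "lame": re.compile(r"(?<![a-z])lame(?![a-z])", re.I),
    "ogg": re.compile(r"(?<![a-z])ogg(?![a-z])", re.I),
    "vorbis": re.compile(r"vorbis", re.I),
}


def extract_strings(data):
    """Yield (offset, encoding, text) for each printable run in data."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def find_markers(data):
    """Return sorted (offset, encoding, marker, text) tuples for marker hits."""
    hits = []
    for offset, encoding, text in extract_strings(data):
        for label, pattern in MARKERS.items():
            if pattern.search(text):
                hits.append((offset, encoding, label, text))
    return sorted(hits)


# Constructed sample standing in for a dump: binary filler, two strings
# quoted in the thread, one decoy line, and one UTF-16LE string.
SAMPLE = (
    b"\x90\x90\xcc\x00"
    + b"lame_encode_stop\x00"
    + b"\x01\x02\x03"
    + b"Xiph.Org libVorbis I 20030909\x00"
    + b"\xff\xfe\x00"
    + b"error logging enabled, flamegraph off\x00\x01"
    + "XviD codec".encode("utf-16-le")
    + b"\x00\x00"
)

if __name__ == "__main__":
    for offset, encoding, label, text in find_markers(SAMPLE):
        print(f"{offset:08X} {encoding:<8} {label:<6} {text}")
```

A hit is only a lead: version banners and function names such as these still have to be matched against the upstream project's source before they support a licensing claim.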

M4yH3M3d
October 26th, 2005, 14:56
Wow, is there any more news on this? I was looking for more information on unpacking and read through this thread. Gives me another idea, although I do not know if our current source code law is enforceable in China and Korea. I would have to see if there is a treaty and determine if it is worth it, since I will really tick off about 70% of the Americans still playing the game using the mod I am attempting to reverse.

pnluck
October 28th, 2005, 06:44
h*tp://www.egrupos.net/grupo/rvlcn/ficheros/5/verFichero/25/RDGPackerDetectorv0.5.8.rar
is the best packer identifier

MACC
November 2nd, 2005, 23:28
Hey cool site and it was good to know that there were others working
on this issue of this company at the same time as I. See my post here
http://forums.h80571.serverkompetenz.net/viewtopic.php?t=1237&postdays=0&postorder=asc&start=1710

My method of unpacking that works for all of MSX stuff. Quick for finding strings. Event Horizon made a nice tutorial here. http://information.networkessence.net/mxs/vx30/analysis2.html

Mine was version1.

MACC
November 3rd, 2005, 00:21
For the new one in this list From the company that is posted about.
See my post above for quick unpacking. It also works on this one.
Some of the strings found inside the new app.

@ 1% bug in LAME encoding library
00514EB4 00914EB4 0 9% Your system is overclocked
00514ED8 00914ED8 0 90% LAME compiled with buggy version of gcc using advanced optimizations
00515188 00915188 0 http://www.mp3dev.org/
005151A8 009151A8 0 LAME3.96


004BF450 008BF450 0 cool a new vlc code ,contact the ffmpeg developers and upload the file
004D90C8 008D90C8 0 Vorbis id header packet corrupt (no vorbis signature).
004D9104 008D9104 0 Vorbis id header packet corrupt (illegal blocksize).
004D913C 008D913C 0 Vorbis id header packet corrupt (framing flag not set).

MACC
November 4th, 2005, 07:03
The above post was for ZENTU from MSX there is the same things in
there as VX30. Needs to be compared with the version that came out on
June 3 and later. Because it is a modified version of VX30.

SKiLLa
January 3rd, 2006, 19:14
It's MXS, not MSX - which was my favorite home computer back in the 80s & 90s ... brilliant platform it was and I learnt to program Z80 ASM on it, without it I wouldn't be reversing nowadays, I'd just be bragging about my leet VB skills or something

But on-topic: Any news on the legal part; is the company being ripped apart ?

And what about de-obfuscating the ExeCrypter junk-code, is there any news on that ? I recall unpacking some (small) ExeCrypter-protected programs without any real hassle, but they didn't have 'real' code obfuscated after unpacking, so I'm curious about that particular feature

MACC
January 3rd, 2006, 23:54
MXS-MSX-VX30-Merry Xmas-they all have been Xed.
Don't know what this means but it sounds neat.

Anywho, the legal stuff I don't know about. So I can't really say anything
about that cause I would most likely be wrong. However MAUI is still in
business and Zentu can be downloaded from their site and also the live
app.

As far as the junk code I am also not sure on that since when I unpacked
the targets with only one way that worked I did not really study these any
further other than various strings and resources.

I have not tried this on other ExeCrypter-protected programs since this was
not the main goal. Just a quick unpack and off we go.

SKiLLa
January 4th, 2006, 15:17
Hmmzz, too bad that MAUI is still in business, I hope that they get their behinds sued for making money over someone else's back/work. NOFI with the MSX-MXS part; I just wanted to express my love for the old system

Guess I'll have to try & find out for myself whether this junk-code is 'fixable' ...

MACC
January 4th, 2006, 23:57
I always get these three letters backwards. M X S. I want to type MXS but then I start thinking about MSX. So then I end up typing MSX.
NOFI with this part I have always done this weird typing thing.

Terrible thing about the legal system is when you get your day in court it could be a year or three years later. It's sloooow.

Also sorry I could not have been of more help in the Junk Code solution.