The Cast of characters:

Crunch2.EXE is the Fraudster
Unsafedisc is the Victim
WinIce is the Investigator
Icedump is the Executioner
Kilby is the Malicious Bastard
Recently I thought I would play with dumping some programs. I had no joy with Copylok, so I thought a bit of practice on a packer would help.

I haven't seen any information about Crunch 2.0 from BitArts; it makes grand claims, so I thought here's a challenge.

I was disappointed, as this package is Snake Oil of the worst kind!

Why? Simple!

I have not been involved in any serious cracking for years; the last compressors I dumped data from were on the Amiga back in 1990. (Well, not quite: I was forced to return to the Sinclair Spectrum for a while when I had to sell my PC back in 92.)

The only thing I like about the product is the company name, because it can be separated out to read "Bi Tarts", a lovely though sexist thought ;)

After 5 hours I had working dumps; I didn't even have to rebuild the import tables, it was an easy victory.

OK, I haven't had it all my own way; I have had problems with the following 3 test apps:

Unreal Tournament
Adobe InDesign
Adobe InCopy

None of them would dump properly. Possibly this is because these packages (and games) are more accurately described as a suite of DLLs bound together with a small .EXE file. The result was that the programs appeared to start running before the packer had finished unpacking the .EXE.

It could also have been because it was 05:10 and I was tired and careless; I will return to them in a few days.
---------------
UPDATE:

Unreal Tournament now works 100%, if a valid .INI file exists for the game. The trouble occurs when an attempt is made to run in SETUP Mode.

If the valid .INI file doesn't exist then for some reason the unpacked code repeatedly returns to the Program_Entry_Point+E4 region, which jumps into the newly uncompressed program.

I believe this may be a minor fault in the packer, but I can't be sure, as Unreal Tournament seems to do weird shit anyway (and their OpenGL mode still doesn't work, Yeucch DX & Glide.)

So I am putting it down to a compatibility problem between the packer and UT.
---------------
Still, I wasn't the only failure; Cruncher2 couldn't even pack the following two test files:

Alien Vs Predator Gold
Delta Force 1

It totally failed :( and didn't even give a proper error message.

Though I will quote this piece of PR Crap:

Claim: No other Windows PE compressor/encryptor has the power of compression, encryption and security.

Reality: This is simply not true. The file is compressed, and as far as I can tell it is NOT encrypted. There are vastly superior packers/encryptors out there, and a lot of them are FREE!

These Bi Tart people are selling to the legions of "Visual Programmers" out there, the majority of whom haven't a clue what the hell is going on in their programs. At best they have only written about 10% of the code themselves; the development package has generated the rest of it.
I have personal experience of this situation. One fucker I have to put up with at work doesn't even know what is in 2% of his code, as he just robs code fragments off web sites and stitches them together. Fuckin thieving Christian bastard!

Exactly the sort of clueless individual who would purchase Cruncher2 and note the price:

Priced at $199 (per annum), contract is for one year (non-refundable).

He would think that Cruncher2 would protect his program.

I must also add that this is more of a proof of concept rather than a piece of universal truth.
The intent is to:

1: Give back something to the unpacking community.
2: Give newbies something to learn from.
3: Show you don't have to be an Elite cracker to contribute to the unpacking community.
4: Encourage somebody out there to build a proper unpacker for Cruncher, as I ain't got the time.

The demo version is at http://www.bitarts.com/.

In addition to being a 30 day demo, the packer will only create files called bitarts_evaluation.exe; if the file is renamed it doesn't work. This is easily fixable but I simply can't be bothered.

I do not wish to crack the packer itself, it's simply not worth the effort; there are much better examples out there for free. However, I would quite like to do some damage to their reputation ;)

If anybody out there has something packed with the registered version, I would like to get a copy just to confirm that all the offsets are the same.
Here is what Cruncher2 does when it's packing:

Compresses the data (SURPRISE !!!)
Renames the segments to Bit Arts and uses one import (Kernel32.DLL.)
Places its own 2 segments on the end of the .EXE and sets the entry point.

There are no customisation options whatsoever, unless you count the output filename.

On running the packed .EXE it:

Decompresses the data, recreating the virgin .rdata section in the process.
Generates the offsets to the .DLL calls.
Overwrites the original .rdata data with zeros to make life a bit harder.
JMP EAX to the original .EXE file entry point.
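As an added example (my own code, not the author's and nothing from BitArts), here is a small Python header reader that flags the two layout traits just described, every section carrying one name and the entry point sitting in the appended last section, which is the sort of triage check a defender runs on a suspect binary before loading it in a debugger. The "Bit Arts" section label and the two sample images are constructed assumptions; the exact bytes the real packer writes are not given in the text.

```python
import struct

# Added example (not code from the write-up): a minimal PE32 header reader and
# a triage check for the two layout traits the text attributes to Crunch 2.0,
# every section renamed to one label (the text says "Bit Arts"; the exact bytes
# are an assumption) and the entry point placed in an appended last section.

def parse_pe32(data):
    """Return entry RVA, image base and section table of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsect):
        name, vsize, va = struct.unpack_from("<8sII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "va": va, "vsize": vsize})
    return {"entry": entry, "image_base": image_base, "sections": sections}

def packer_traits(pe):
    """Header-only hints; suggestive of a packer stub, not proof of one."""
    secs = pe["sections"]
    holder = [s for s in secs if s["va"] <= pe["entry"] < s["va"] + s["vsize"]]
    return {
        "uniform_section_names": len(secs) > 1 and len({s["name"] for s in secs}) == 1,
        "entry_in_last_section": bool(holder) and holder[0] is secs[-1],
        # Once the stub's JMP EAX is reached, OEP = EAX - image base (see the text).
        "image_base": pe["image_base"],
    }

def build_pe32(section_names, entry_rva, image_base=0x400000):
    """Constructed sample image: DOS stub, headers and section table only."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)        # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 6, 0, 0, 0, 0, entry_rva,
                      0x1000, 0x2000, image_base).ljust(224, b"\0")
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), 0x1000, 0x1000 * (i + 1),
                                 0x1000, 0, 0, 0, 0, 0, 0x60000020)
                     for i, n in enumerate(section_names))
    return dos + b"PE\0\0" + coff + opt + table
```

Run `packer_traits(parse_pe32(open(path, "rb").read()))` on a real 32-bit file to get the same two flags; a normal compiler-built image has distinct section names and an entry point in .text.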
OK, so there's some self modifying code in there, and there's also some obfuscation in there, but nothing that an average (and very out of practice) reverser such as me couldn't manage in about four to five hours.

The biggest mistake they made is obvious even to me: the only things that change within the decompression routine are;

1: Number of Segments to decompress.
2: The address of the actual data.
3: The number of imports.

Once you have the base address of the decompression segment (hint: it's the Program Entry Point), all the important routines are ALWAYS AT THE SAME OFFSETS from that base address.

The example .EXE I will use is Unsafedisc.exe (V 1.5.5) by R!sc, as it's easily obtainable, and Microsoft don't approve :)

This example also shows that the compression isn't too good, as the file grew from 20KB to 46KB.

What to do:

First hide SoftIce, as the unpacker will get annoyed. Icedump is adequate, which shows that PECrypt gives better security against debuggers. It's also great for dumping on demand; no more having to edit out the jmp eip in dump files.

OK, load the executable with Break & Enter (or whatever loader you prefer), and you will find this:
00710000 start proc near
00710000     push    ebp
00710001     call    $+5
00710006     pop     ebp
00710007     sub     ebp, 6
0071000A     mov     eax, ebp
0071000C     push    ebp
0071000D     pusha
0071000E     mov     [ebp+348Ah], ebp
00710014     sub     eax, [ebp+3465h]
0071001A     mov     [ebp+2519h], eax
00710020     push    ebp
00710021     mov     ebx, 1ECDh
00710026     add     ebx, ebp
00710028     push    ebx
00710029     push    dword ptr fs:0
0071002F     mov     fs:0, esp
00710035     cmp     byte ptr [ebp+3690h], 0
0071003C     jnz     short loc_710047
0071003E     mov     byte ptr [ebp+3690h], 1
00710045     jmp     short loc_71005C
A bit of jumping around and nothing really worth paying attention to until the code turns into soup:
007100E0     mov     ecx, eax
007100E2     repe movsb
007100E4     mov     eax, [edi]
007100E6     aad     81h
007100E8     retn    15B6h
007100E8 start endp ; sp = -54h
; ----------------------------------------------------------
007100EB     dd 3352000Eh, 0D88CC0h, 87404A8h, 1ACD02B4h, 0EBC28B1Dh
007100EB     dd 33310F80h, 1CC069D2h, 0E19660Dh, 1CECD05h, 0FD858901h
This is Program Entry Point (PEP) + E4.

Place a breakpoint on 7100e4 and hit F5. You will meet this address again when it will be much more interesting :)

After the breakpoint you will find the following:
:u eip l 100
0167:007100E4  8BD5          MOV     EDX,EBP
0167:007100E6  81C2B6150000  ADD     EDX,000015B6
0167:007100EC  52            PUSH    EDX
0167:007100ED  33C0          XOR     EAX,EAX
0167:007100EF  8CD8          MOV     AX,DS
0167:007100F1  A804          TEST    AL,04
0167:007100F3  7408          JZ      007100FD
0167:007100F5  B402          MOV     AH,02
0167:007100F7  CD1A          INT     1A
0167:007100F9  8BC2          MOV     EAX,EDX
0167:007100FB  EB02          JMP     007100FF
0167:007100FD  0F31          RDTSC
0167:007100FF  33D2          XOR     EDX,EDX
0167:00710101  69C00D661900  IMUL    EAX,EAX,0019660D
0167:00710107  05CD0D0100    ADD     EAX,00010DCD
0167:0071010C  8985FD3D0000  MOV     [EBP+00003DFD],EAX
0167:00710112  BB56340200    MOV     EBX,00023456
0167:00710117  43            INC     EBX
0167:00710118  F7F3          DIV     EBX
0167:0071011A  8BC2          MOV     EAX,EDX
0167:0071011C  5A            POP     EDX
0167:0071011D  90            NOP
0167:0071011E  FFD2          CALL    EDX
0167:00710120  CC            INT     3
0167:00710121  CC            INT     3
0167:00710122  E86C150000    CALL    00711693
The two INT 3 instructions are modified by the CALL EDX.

Kill the breakpoint at this point in time and set a breakpoint on LoadLibraryA, then hit F5. F11 will take you back to where LoadLibraryA was called from. Basically every time a library is imported this bit of code is executed.

I also suggest that every time the breakpoint is encountered you hit F11 to check that you are still in the target program; my Gravis joypad driver and SB Live control panel really get in the way if I forget to disable them before I start with SoftIce.

In the case of unsafedisk.exe this breakpoint will occur 3 times, when the following are being recreated: KERNEL32.dll, USER32.dll & COMDLG32.dll.

When the last one is imported the following code is then moved into place:
:u 710000+4121
0167:00714121  MOV     ECX,00000013
0167:00714126  MOV     EDI,ESI
0167:00714128  MOV     EAX,00000000
0167:0071412D  REPZ STOSB
0167:0071412F  ADD     ESI,14
0167:00714132  MOV     EDX,[EBP+00002519]
0167:00714138  JMP     0071403D
0167:0071413D  CMP     BYTE PTR [EBP+0000194D],01
0167:00714144  JZ      0071417F
0167:00714146  CMP     DWORD PTR [EBP+00001963],34303030
0167:00714150  JZ      0071417F

Use bpx 0071412F
---------------
Update:

This piece of code appears after the third LoadLibraryA, every time I tested the cruncher with three or more DLLs being imported.

Once this code appears remove the BPX LoadLibraryA, and stick with this breakpoint. This breakpoint will trigger for every DLL imported; I really should find out where the counter for this routine is, but to be honest I'm too lazy.

Anyway, first time through the packer count the number of times the code breaks here (for unsafedisk.exe 3 times.) Next time you run the program, allow the break to occur the appropriate number of times, step past the REPZ STOSB and dump.

I may get a neater way to do this later.
---------------
When you are at this stage you have an image of the entire unpacked executable in memory, which allows you to dump the decompressed file.

With icedump you can use the following command to dump to disk:

/pedump loadaddress OEP filename

On my machine that would be /pedump 400000 29b6 f:\dump.exe

Though you can use Procdump32 or whatever your favourite dumper is.

Why dump at this point? Well, simply because the import routines are mangled after this point, to prevent the script kiddies from doing what I have just done.

But there's a problem with this cunning plan: where do I get the OEP (Original Entry Point) from?

Well, remember I mentioned that you would be meeting 7100e4 again? Here's what it contains now:
:u 7100e4
0167:007100E4  POPAD
0167:007100E5  POP     EBP
0167:007100E6  MOV     EAX,[EBP+00003486]
0167:007100EC  POP     EBP
0167:007100ED  JMP     EAX
Simply BPX 7100ed and use the value of EAX - Image Base to get the OEP value:

EAX        = 4029b6
Image Base = 400000
OEP value  = 29b6

Then simply double click on the resultant dump et voila, no more rebuilding required.
Things to remember:

The decompression routines will be the same on every packed program
Breakpoint on LoadLibraryA
Entry Point + E4
Entry Point + 4121
Once again I must state that the information contained in this file only applies to the demo version I used. But if somebody can supply me with a file packed with a registered version, I will be happy to check out the situation and reissue an updated version of this file, if necessary.

I have tried this on around 15 .exe files and only three failed to work.

I suggest that you use the compressed version of Unsafedisc.exe that I enclose, and notepad, as tests before attempting anything larger.

A couple of the larger tests were PFE (Programmers File Editor) with 9 imports, and Cover Editor (which comes with Nero, the CD burning package) which has 8 imports.
Well, there's not much more to say other than a hello or two:

JTH, Still alive after all these years
Jrok, Still playing with arcade machines
R!sc, Victim of his own success ;)
Fravia+, Even I have to acknowledge reality exists now
Stealth, Thanx for the ftp access
Duke, For replying about CopyloK and remembering the Amiga scene.
The ICEDUMP Team, For Icedump

If anybody out there can give me some decent info on Copylok please let me know, as I am having problems with the IAT rebuilding; it's most likely something dumb. I thought working on this packer would help but it was way too simple.

Regards,
Kilby…

I haven't got an Email address that I can publish happily, but I can be found lurking on the quality reversing sites.

Oh fuck it,
Kilby@cta102.free-online.co.uk