|
In this essay I 'm going to use this approach:
I. Unwrapping
1. Finding OEiP
2. Dumping
3. ReVirgin
4. Another unwrapping way
II. Cracking
Let's begin!
I. Unwrapping
************
1. Finding the OEiP
This is about always the first step for unpacking programs: finding the
Original Entrypoint. I already explained in previous unpacking essays
how to do this, but I'll repeat it for you with some more details and
an alternative method.
Program starts executing: the wrapper/packer unpacks the code in all the
sections, when done, the wrapper code jumps to the start of the unpacked
program (=OEiP). A scheme:
|
push ebp ; start of program
....instructions of the wrapper that unpack the program....
....
ret or jmp OEiP; wrapper jumps to the start of unpacked program
OEiP: real program starts here
|
Table 1: OEiP
To find the OEiP for Iris, run IceDump (to hide SoftICE for the basic
anti-softice), set a breakpoint on GetProcAdress. Now run the program,
SoftICE should popup. Press F5 three times (you can press it more too).
Now...from there on you're on your own. Just trace, set breakpoints to
get out of loops, and don't get nuts of the annoy-cracker instructions.
Well, that's the way I've found the OEiP. But there's an easier way. IceDump
has a feature named TraceX. Syntax: /tracex low eip high eip .
This makes SoftICE pop when the program executes an instruction lying
between your set 'low eip' and 'high eip'. The only difficulty is to set
the 'low eip' and 'high eip'. Well, let's take a look where we are in
SoftICE: somewhere at offset 560000. I 'd bet that the original program
lies somewhere between offset 400000 and 500000. Type: "/tracex 400000
500000"....be patient....SoftICE breaks on an instruction somwhere
at 420000. You can see that it jumps back to the wrapper code, so that's
not the OEiP. Trace with SoftICE until you're jumped back to the wrapper
code.
Type "/tracex 400000 500000" agao, and HAVE PATIENCE.
This can take quite some time!
When SoftICE pops, you're at offset 44717C
at instruction 'push ebp'. Voilà, that's our OEiP! Stay where you
are now......
2. Dumping
You still on that instruction? Now enter: "/dump 400000 130000 c:\progra~1\iris\dumped.exe"
. The 400000 is the Image Base, the 130000 is the Image Size. You can
get both of these values in PE Editor when loading the original Iris.exe
in it. Now you have to fix the sections by equalizing the Raw Size to
the Virtual Size (Raw Size=Virtual Size) and the Raw Offset to the Virtual
Offset (Raw Offset=Virtual Offset). In PE Editor, this can be quickly
done by right clicking on every section in the "Sections" menu
and click on "Dumpfixer". Start from the first section and work
your way down to the last.
After doing this, the Iris icon will appear on the dumped.exe file. Change
the OEiP to 4717C. Try to run it........it doesn't work. Why?
3. ReVirgin
When Iris wants to execute an API it works like this:
472000 call [4BA48C]
4BA48C=CDEC08
CDEC08 jmp kernel32!compareStringA
(in this case, the generated importtable jumps to the correct API)
or:
472000 call [4BA48C]
4BA48C=CDEC08
CDEC08 push DFEF04
CDEC09 call 18FFE4
(in this case, the generated importtable calls a decryption routine that
feeds the target's thunk import table with the right adress)
You can't find the original IAT before all this is generated at first,
because it doesn't exist anymore, so you can't use procdump or a IAT rebuilder
to make the app work, you have to rebuild everything this time. We *could*
do this manually, but that would take a lot of time. Nowadays we have
a new utility to reconstruct a *damaged* importtable. It's coded by +tsehp
and is named ReVirgin. We 'll use this program to rebuild our importtable:
Run ReVirgin and take a look at it. This util is not a "push-the-button-and-i'll-do-everything-for-you".
It is a Fravia's tool that needs understanding before you can use it.
Some explanation of the editboxes you have to fill in yourself:
1. IAT Start RVA: offset where the generated
importtable starts
2. IAT Length: length of the generated importtable
3. IT RVA: where will the importtable be in memory, when we've
inserted it in the dumped.exe |
Table 2: Explanation of ReVirgin options
How they can be found:
1. Run the program with a breakpoint on UpdateWindow (or another
one), when SoftICE breaks, press F12 until you are back in Iris maincode.
Then trace into every call you come across until you turn out to be in
the jump table. A jump table looks like this:
Start partial code
015F:004469D8 JMP [004BAF4C]
015F:004469DE JMP [004BAF50]
015F:004469E4 JMP [004BAF54]
015F:004469EA JMP [004BAF58]
015F:004469F0 JMP [004BAF5C]
015F:004469F6 JMP [004BAF60]
015F:004469FC JMP [004BAF64]
015F:00446A02 JMP [004BAF68]
015F:00446A08 JMP [004BAF6C]
015F:00446A0E JMP [004BAF70]
015F:00446A14 JMP [004BAF74]
015F:00446A1A JMP [004BAF78]
015F:00446A20 JMP [004BAF7C]
015F:00446A26 JMP [004BAF80]
End partial code
Now, scroll through the jump table and try to find the lowest jump offset
(i.e. find the JMP xxxxxxxx where xxxxxxxx is the lowest value in the
whole jumptable). Note that this jump table can be divided by a lot of
other instructions, so you'll have to scroll to make sure you saw the
whole jumptable.
Another method to find the lowest offset, is to take a random offset in
the jumptable (like 4BAF80), type d 4BAF80 and scroll up in the datawindow
until there's no more data, but only zeros.
In Iris, the beginning of the IAT is @ offset 4BA48C. Fill in BA48C
in ReVirgin.
2. For the length of this table I usually choose a random (but
big) value, like 2000 or something. This may not always work. In that
case use the scroll-down method in the datawindow to find the end of the
importtable. The length in our case is 1308
3. Most of the time, we will insert the new importtable at the
end of the file in a new section. Just fill in the offset of the end of
the dumped file (image size), which is in our case 130000.
Now run the original Iris.exe, refresh the application list in ReVirgin.
Click on the Iris.exe process in ReVirgin. It should tell you that the
importtable is invalid. Now, with all values filled in, push the "IAT
Resolver" button. When it's finished push "Resolve again".
Voila, now you should see our newly created importtable. Push "IAT
Generator" and save the importtable under the file IT.BIN. Note the
IT Length (which is 194 in our case). You
can see the resolved importtable here and the
it.bin here. You can leave ReVirgin now and exit
Iris.
Next thing to do is to prepare our dumped.exe
for the new importtable:
- Open dumped.exe with PE Editor
- Click on "Sections"
- Right click on a section and choose "Add section"
- Name the section .idata (any other name is good too, like .BlackB)
- Rightclick on your section and change Raw and virtual size to
5000. Always make sure this value is at least the size of the
importtable!! Otherwise it will not work
- Rightclick on your section and click on "Dumpfixer"
- Leave the sections
- Click on "Directory"
- Change importtable rva to 130000 and the length to 194
- Change Image Size to 135000 (we added a section of 5000 =>
Image Size = Old Image Size + 5000 = 135000)
- If not yet done, change the entrypoint to 4717C
- Click on "Apply changes"
- Leave PE Editor
|
Table 3: Prepare the dumped EXE
Now open dumped.exe with a hexeditor, goto the very end of the
file and insert IT.BIN into it. Save the changes. Run the finally fixed
dump and it runs!
You can also use an utility named IT Add by SV. Just change the OEiP and
the Importtable RVA and length of your dumped.exe. Then run IT Add, and
the rest is done for you.
4. Another unwrapping way
There is another way of unwrapping this protection which is much much
easier and much much shorter than the previous one. Then why
making it difficult when it is easy? Because this method doesn't work
most of the time with such protections. You will be able to use this method
to break all PCGuard protections, but it won't work with ASProtect.
Anyway, how does it work? First of all, find the OEiP.
When you're AT the OEiP with SoftICE and IceDump loaded, type: /pedump
400000 44717C c:\progra~1\iris\iris_dump.exe.
After that, leave SoftICE and change the OEiP in iris_dump.exe
to 4717C with PE Editor. Exit PE Editor, run your dumped file and it works.
Easy huh? ;-)
Okay, last thing to do....cracking it.....
II. Cracking Iris
**************
There's a 15-day limit and a nagscreen. I tried removing the nag by setting
breakpoints on UpdateWindow and SendMessageA, but it didn't work out quite
well (it did, but I found a better and much easier way). Just disassemble
your dumped/fixed file and search for any ", 0Fh" occurence.
You should see this:
Start partial code
004308AF loc_4308AF: ; CODE XREF: sub_430730+16B�j
004308AF mov dword ptr ds:498A88h, 0
004308B9 call sub_446144
004308BE mov eax, [eax+4]
004308C1 push 46295Ch
004308C6 push 462954h
004308CB push 46294Ch
004308D0 mov ecx, eax
004308D2 call sub_446444
004308D7 call sub_446144
004308DC mov eax, [eax+4]
004308DF push 46295Ch
004308E4 push 46293Ch
004308E9 push 46294Ch
004308EE mov ecx, eax
004308F0 call sub_446444
004308F5 call sub_446144
004308FA mov eax, [eax+4]
004308FD push 46295Ch
00430902 push 462934h
00430907 push 46294Ch
0043090C mov ecx, eax
0043090E call sub_446444
00430913 mov ecx, esi
00430915 call sub_431570
0043091A test ebp, ebp
0043091C jle loc_4309F0
00430922 cmp ebp, 0Fh
00430925 jg loc_4309F0
End partial code
This is where our time trial is checked. We could patch this, but the
nag won't be gone and the program will display it's a demo version. Although
it's a demo version it can be registered, so there must be a 'registered-or-not-flag'.
If that flag is set to 'registered', the piece of code above is _never_
executed. So let's take a look where the program jumps to the 'check-trial'
routine above (@ 0043089B = 430730 + 16B)
Start partial code
00430890 loc_430890: ; CODE XREF: sub_430730+148�j
00430890 push 0
00430892 mov ecx, esi
00430894 call sub_431660
00430899 test eax, eax
0043089B jnz short loc_4308AF
0043089D push 1
0043089F mov ecx, esi
004308A1 call sub_431660
004308A6 push 0Fh
004308A8 mov ecx, esi
004308AA call sub_431210
End partial code
Whatever we'll do here, we will still end-up at the time-trial check.
Let's go to the jump that jumps to this code (@ 00430878= 430730+148)
Start partial code
00430868 loc_430868: ; CODE XREF: sub_430730+134�j
00430868 lea ecx, [esp+30h+var_14]
0043086C mov byte ptr [esp+30h+var_4], 2
00430871 call sub_44611A
00430876 test bl, bl
00430878 jz short loc_430890 <- If not registered jump, else don't jump
0043087A mov ecx, esi
0043087C mov dword ptr ds:498A88h, 378Dh <- Set registered flag
00430886 call sub_431570
0043088B jmp loc_430A14
End partial code
Pretty obvious now: just nop out the jz short loc_430890
with your favorite hexeditor. When done, run your dumped/fixed/cracked
file and it works, without the nag, without the time trial!
To make it registered to your name and company, change following keys:
HKEY_CURRENT_USER\Software\eEye Digital Security\Iris\User\Nume (note
that this is not a typo)
HKEY_CURRENT_USER\Software\eEye Digital Security\Iris\User\Company
This is (of course) easily found with RegMon. That's it, we're done!
|