The Cast of characters:
Crunch2.EXE is the Fraudster
Unsafedisc is the Victim
WinIce is the Investigator
Icedump is the Executioner
Kilby is the Malicious Bastard
Recently I thought I would play with dumping some programs. I had no joy with Copylok, so I thought a bit of practice on a packer would help.
I haven't seen any information about Crunch 2.0 from BitArts; it makes grand claims, so I thought here's a challenge.
I was disappointed, as this package is Snake Oil of the worst kind!
Why?
Simple!
I have not been involved in any serious cracking for years; the last compressors I dumped data from were on the Amiga back in 1990. (Well, not quite: I was forced to return to the Sinclair Spectrum for a while when I had to sell my PC back in 92.)
The only thing I like about the product is the company name, because it can be separated out to read "Bi Tarts", a lovely though sexist thought ;)
After 5 hours I had working dumps; I didn't even have to rebuild the import tables, it was an easy victory.
OK, I haven't had it all my own way; I have had problems with the following 3 test apps:
Unreal Tournament
Adobe InDesign
Adobe InCopy
None of them would dump properly, possibly because these packages (& games) are more accurately described as a suite of DLLs bound together with a small .EXE file. The result was that the programs appeared to start running before the packer had finished unpacking the .EXE.
It could also have been because it was 05:10 and I was tired and careless; I will return to them in a few days.
---------------
UPDATE:
Unreal Tournament now works 100%, if a valid .INI file exists for the game.
The trouble occurs when an attempt is made to run in SETUP Mode.
If the valid .INI file doesn't exist then for some reason the unpacked code repeatedly returns to the Program_Entry_Point+E4 region, which jumps into the newly uncompressed program.
I believe this may be a minor fault in the packer, but I can't be sure as Unreal Tournament seems to do weird shit anyway (and their OpenGL mode still doesn't work, Yeucch DX & Glide.)
So I am putting it down to a compatibility problem between the packer and UT.
---------------
Still, I wasn't the only failure; Cruncher2 couldn't even pack the following two test files:
Alien Vs Predator Gold
Delta Force 1
It totally failed :( it didn't even give a proper error message.
Though I will quote this piece of PR Crap:
Claim:
No other Windows PE compressor/encryptor has the power of compression, encryption and security.
Reality:
This is simply not true; the file is compressed, and as far as I can tell it is NOT encrypted.
There are vastly superior packers/encryptors out there, and a lot of them are FREE!
These Bi Tart people are selling to the legions of "Visual Programmers" out there, the majority of whom haven't a clue what the hell is going on in their programs. At best they have only written about 10% of the code themselves; the development package has generated the rest of it.
I have personal experience of this situation. One fucker I have to put up with at work doesn't even know what is in 2% of his code, as he just robs code fragments off web sites and stitches them together.
Fuckin thieving Christian bastard!
Exactly the sort of clueless individual who would purchase Cruncher2, and note the price:
Priced at $199 (per annum), contract is for one year (non-refundable).
He would think that Cruncher2 would protect his program.
I must also add that this is more of a proof of concept rather than a piece of universal truth.
The intent is to:
1: Give back something to the unpacking community.
2: Give newbies something to learn from.
3: Show you don't have to be an Elite cracker to contribute to the unpacking community.
4: Encourage somebody out there to build a proper unpacker for Cruncher, as I ain't got the time.
The demo version is at www.bitarts.com.
In addition to being a 30 day demo, the packer will only create files called bitarts_evaluation.exe; if the file is renamed it doesn't work. This is easily fixable but I simply can't be bothered.
I do not wish to crack the packer itself; it's simply not worth the effort, there are much better examples out there for free. However I would quite like to do some damage to their reputation ;)
If anybody out there has something packed with the registered version, I would like to get a copy just to confirm that all the offsets are the same.
Here is what Cruncher2 does when it's packing:
Compresses the data (SURPRISE !!!)
Renames the segments to Bit Arts and uses one import (Kernel32.DLL.)
Places its own 2 segments on the end of the .EXE and sets the entry point.
There are no customisation options whatsoever, unless you count the output filename.
On running the packed .EXE it:
Decompresses the data, recreating the virgin .rdata section in the process.
Generates the offsets to the .DLL calls.
Overwrites the original .rdata data with zeros to make life a bit harder.
JMP EAX to the original .EXE file entry point.
OK so there's some self modifying code in there, and there's also some obfuscation in there, but nothing that an average (and very out of practice) Fravia such as me couldn't manage in about four to five hours.
The biggest mistake they made is obvious even to me: the only things that change within the decompression routine are:
1: Number of Segments to decompress.
2: The address of the actual data.
3: The number of imports.
Once you have the base address of the decompression segment (hint: it's the Program Entry point), all the important routines are ALWAYS AT THE SAME OFFSETS from that base address.
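As an added example (my own code, not from this file and not anything BitArts ships), the Python below does two things that follow from the description above: it reads a PE32 header and reports the layout signs of a Cruncher2 output (sections renamed to "Bit Arts", the entry point sitting in one of the two appended sections, sections with no raw data waiting to be decompressed), and it turns an entry point into the fixed-offset breakpoint addresses used later in this file (PEP+E4, PEP+ED, PEP+4121, PEP+412F). Assumptions: the appended section name is matched ignoring case and spaces because I only have the phrase "Bit Arts" to go on, the entry point is assumed to land inside one of the two appended sections, and the PE image the script builds for its own test is a constructed header blob, not a real packed file.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Offsets from the packer's entry point (PEP) as given in this file.
CRUNCH_OFFSETS = {
    "pep_plus_e4": 0xE4,      # seed/patch stub, later the POPAD ... JMP EAX tail
    "pep_plus_ed": 0xED,      # the JMP EAX: EAX - ImageBase = OEP
    "pep_plus_4121": 0x4121,  # per-DLL import recreation code
    "pep_plus_412f": 0x412F,  # ADD ESI,14 just past the REPZ STOSB: dump here
}


def build_test_pe(sections, entry_rva, image_base=0x400000):
    """Constructed PE32 header blob (headers only, no code) for testing.

    sections: list of (name, virtual_size, raw_size); each section gets the
    next 0x1000-aligned RVA starting at 0x1000.
    """
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew -> PE header
    opt_size = 224                                    # PE32 optional header size
    coff = struct.pack("<IHHIIIHH", 0x4550, 0x14C, len(sections),
                       0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)             # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)       # ImageBase
    table = b""
    rva = 0x1000
    for name, vsize, rawsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii")[:8], vsize,
                             rva, rawsize, 0, 0, 0, 0, 0,
                             IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE)
        rva += (vsize + 0xFFF) & ~0xFFF
    return bytes(dos) + coff + bytes(opt) + table


def parse_pe_headers(data):
    """Return (image_base, entry_rva, sections) from a PE32 file image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    secs = []
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        secs.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                     "vsize": f[1], "va": f[2], "rawsize": f[3]})
    return image_base, entry_rva, secs


def crunch_indicators(data):
    """Header-level signs matching the Cruncher2 layout described in this file."""
    _, entry_rva, secs = parse_pe_headers(data)
    renamed = sum(1 for s in secs
                  if s["name"].replace(" ", "").lower() == "bitarts")
    ep_index = next((i for i, s in enumerate(secs)
                     if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"])),
                    None)
    # Assumption: the packer's entry point lies in one of its 2 appended sections.
    in_appended = ep_index is not None and len(secs) > 2 and ep_index >= len(secs) - 2
    empty = sum(1 for s in secs if s["rawsize"] == 0 and s["vsize"] > 0)
    return {"bitarts_sections": renamed,
            "entry_in_last_two_sections": in_appended,
            "empty_raw_sections": empty,
            "looks_crunched": renamed > 0 and in_appended}


def crunch_breakpoints(image_base, entry_rva):
    """Virtual addresses of the fixed-offset routines, ready for bpx."""
    pep = image_base + entry_rva
    return {name: pep + off for name, off in CRUNCH_OFFSETS.items()}


if __name__ == "__main__":
    packed = build_test_pe([("Bit Arts", 0x5000, 0), ("Bit Arts", 0x2000, 0),
                            ("Bit Arts", 0x4000, 0x4000), ("Bit Arts", 0x1000, 0x1000)],
                           entry_rva=0x8000)
    print(crunch_indicators(packed))
    # Unsafedisc example from this file: PEP 710000 with image base 400000
    print({k: hex(v) for k, v in crunch_breakpoints(0x400000, 0x310000).items()})
```

Point the parser at a real file with `parse_pe_headers(open(path, "rb").read())`; the constructed image in `__main__` only exists so the checks can be exercised without a packed sample.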
The example .EXE I will use is Unsafedisc.exe (V 1.5.5) by R!sc, as it's easily obtainable, and Microsoft don't approve :)
This example also shows that the compression isn't too good, as the file grew from 20KB to 46KB.
What to do:
First hide SoftIce, as the unpacker will get annoyed.
Icedump is adequate, which in itself shows that PECrypt gives better security against debuggers. It's also great for dumping on demand, no more having to edit out the jmp eip in dump files.
OK, load the executable with Break & Enter (or whatever loader you prefer), and you will find this:
00710000 start proc near
00710000 push ebp
00710001 call $+5
00710006 pop ebp
00710007 sub ebp, 6
0071000A mov eax, ebp
0071000C push ebp
0071000D pusha
0071000E mov [ebp+348Ah], ebp
00710014 sub eax, [ebp+3465h]
0071001A mov [ebp+2519h], eax
00710020 push ebp
00710021 mov ebx, 1ECDh
00710026 add ebx, ebp
00710028 push ebx
00710029 push dword ptr fs:0
0071002F mov fs:0, esp
00710035 cmp byte ptr [ebp+3690h], 0
0071003C jnz short loc_710047
0071003E mov byte ptr [ebp+3690h], 1
00710045 jmp short loc_71005C
A bit of jumping around and nothing really worth paying attention to until the code turns into soup.
007100E0 mov ecx, eax
007100E2 repe movsb
007100E4 mov eax, [edi]
007100E6 aad 81h
007100E8 retn 15B6h
007100E8 start endp ; sp = -54h
007100E8
007100E8 ; ---------------------------------------------------------------------------
007100EB dd 3352000Eh, 0D88CC0h, 87404A8h, 1ACD02B4h, 0EBC28B1Dh
007100EB dd 33310F80h, 1CC069D2h, 0E19660Dh, 1CECD05h, 0FD858901h
This is Program Entry Point (PEP) + E4.
Place a breakpoint on 7100e4 and hit F5.
You will meet this address again when it will be much more interesting :)
After the breakpoint you will find the following:
:u eip l 100
0167:007100E4 8BD5           MOV  EDX,EBP
0167:007100E6 81C2B6150000   ADD  EDX,000015B6
0167:007100EC 52             PUSH EDX
0167:007100ED 33C0           XOR  EAX,EAX
0167:007100EF 8CD8           MOV  AX,DS
0167:007100F1 A804           TEST AL,04
0167:007100F3 7408           JZ   007100FD
0167:007100F5 B402           MOV  AH,02
0167:007100F7 CD1A           INT  1A
0167:007100F9 8BC2           MOV  EAX,EDX
0167:007100FB EB02           JMP  007100FF
0167:007100FD 0F31           RDTSC
0167:007100FF 33D2           XOR  EDX,EDX
0167:00710101 69C00D661900   IMUL EAX,EAX,0019660D
0167:00710107 05CD0D0100     ADD  EAX,00010DCD
0167:0071010C 8985FD3D0000   MOV  [EBP+00003DFD],EAX
0167:00710112 BB56340200     MOV  EBX,00023456
0167:00710117 43             INC  EBX
0167:00710118 F7F3           DIV  EBX
0167:0071011A 8BC2           MOV  EAX,EDX
0167:0071011C 5A             POP  EDX
0167:0071011D 90             NOP
0167:0071011E FFD2           CALL EDX
0167:00710120 CC             INT  3
0167:00710121 CC             INT  3
0167:00710122 E86C150000     CALL 00711693
The two INT 3 instructions are modified by the CALL EDX.
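To make the listing above easier to follow, here is an added Python emulation of the part between the clock read and the CALL EDX; it is my own code, not from this file or from BitArts. Bit 2 of a segment selector is the Table Indicator, so the MOV AX,DS / TEST AL,04 / JZ pair picks RDTSC when DS comes from the GDT and INT 1A (AH=02, the BIOS read-RTC call, which returns in CX/DX) when it comes from the LDT; either way the value then goes through a 32-bit multiply-add and a DIV whose remainder becomes the argument to the routine at EBP+15B6. What that routine does with the value in [EBP+3DFD] and in EAX is not visible in the listing, so the names "stored" and "arg" below are my labels, not the packer's.

```python
MASK32 = 0xFFFFFFFF


def clock_source_for(ds_selector):
    """Which seed the stub uses, decided by the Table Indicator bit of DS.

    MOV AX,DS / TEST AL,04 / JZ 007100FD: bit 2 clear -> RDTSC,
    bit 2 set -> MOV AH,02 / INT 1A (BIOS read real-time clock) and EDX is used.
    """
    return "INT 1A" if ds_selector & 0x04 else "RDTSC"


def crunch_seed_mix(seed):
    """Emulate the arithmetic from 007100FF to 0071011A on a 32-bit seed.

    Returns (stored, arg): stored is what MOV [EBP+00003DFD],EAX saves,
    arg is the EAX value handed to CALL EDX (the routine at EBP+15B6).
    Both names are my labels for the values, not names from the packer.
    """
    eax = seed & MASK32                    # RDTSC low dword, or EDX from INT 1A
    eax = (eax * 0x19660D) & MASK32        # IMUL EAX,EAX,0019660D keeps 32 bits
    eax = (eax + 0x10DCD) & MASK32         # ADD EAX,00010DCD
    stored = eax                           # MOV [EBP+00003DFD],EAX
    ebx = 0x23456 + 1                      # MOV EBX,00023456 ; INC EBX
    # XOR EDX,EDX ran before the IMUL and nothing after it writes EDX, so the
    # dividend EDX:EAX is just EAX: the quotient always fits and DIV cannot
    # fault. The remainder lands in EDX and MOV EAX,EDX makes it the argument.
    arg = eax % ebx                        # DIV EBX ; MOV EAX,EDX
    return stored, arg


def arg_range():
    """The patching routine can only ever see arguments in [0, 0x23456]."""
    return 0, 0x23456


if __name__ == "__main__":
    print(clock_source_for(0x167))            # selector shown in the listing
    for s in (0, 1, 0xFFFFFFFF):
        print(hex(s), [hex(v) for v in crunch_seed_mix(s)])
```

The two points worth taking from running it: the result does depend on the clock, so the patched bytes at 710120 can differ from run to run, but the remainder is bounded by 0x23457, which is what makes the "always at the same offsets" observation hold in spite of the randomisation.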
Kill the breakpoint at this point in time, set a breakpoint on LoadLibraryA, then hit F5.
F11 will take you back to where LoadLibraryA was called from.
Basically every time a library is imported this bit of code is executed.
I also suggest that every time the breakpoint is encountered you hit F11 to check that you are still in the target program; my Gravis joypad driver and SB Live control panel really get in the way if I forget to disable them before I start with SoftIce.
In the case of Unsafedisc.exe this breakpoint will occur 3 times, when the following are being recreated: KERNEL32.dll, USER32.dll & COMDLG32.dll.
When the last one is imported the following code is then moved into place:
:u 710000+4121
0167:00714121 MOV  ECX,00000013
0167:00714126 MOV  EDI,ESI
0167:00714128 MOV  EAX,00000000
0167:0071412D REPZ STOSB
0167:0071412F ADD  ESI,14
0167:00714132 MOV  EDX,[EBP+00002519]
0167:00714138 JMP  0071403D
0167:0071413D CMP  BYTE PTR [EBP+0000194D],01
0167:00714144 JZ   0071417F
0167:00714146 CMP  DWORD PTR [EBP+00001963],34303030
0167:00714150 JZ   0071417F
Use bpx 0071412F
---------------
Update:
This piece of code appears after the third LoadLibraryA, every time I tested the cruncher with three or more DLLs being imported.
Once this code appears remove the BPX LoadLibraryA and stick with this breakpoint.
This breakpoint will trigger for every DLL imported; I really should find out where the counter for this routine is, but to be honest I'm too lazy.
Anyway, first time through the packer count the number of times the code breaks here (for Unsafedisc.exe 3 times.)
Next time you run the program, allow the break to occur the appropriate number of times, step past the REPZ STOSB and dump.
I may get a neater way to do this later.
---------------
When you are at this stage you have an image of the entire unpacked executable in memory, which allows you to dump the decompressed file.
With icedump you can use the following command to dump to disk:
/pedump loadaddress OEP filename
On my machine that would be /pedump 400000 29b6 f:\dump.exe
Though you can use Procdump32 or whatever your favourite dumper is.
Why dump at this point? Well, simply because the import routines are mangled after this point, to prevent the script kiddies from doing what I have just done.
But there's a problem with this cunning plan: where do I get the OEP (Original Entry Point) from?
Well, remember I mentioned that you would be meeting 7100e4 again; here's what it contains now:
:u 7100e4
0167:007100E4 POPAD
0167:007100E5 POP EBP
0167:007100E6 MOV EAX,[EBP+00003486]
0167:007100EC POP EBP
0167:007100ED JMP EAX
Simply BPX 7100ed and use the value of EAX - Image Base to get the OEP value:
EAX = 4029b6
Image Base = 400000
OEP value = 29b6
Then simply double click on the resultant dump et voila, no more rebuilding required.
Things to remember:
The decompression routines will be the same on every packed program
Breakpoint on LoadLibraryA
Entry Point + E4
Entry Point + 4121
Once again I must state that the information contained in this file only applies to the demo version I used. But if somebody can supply me with a file packed with a registered version, I will be happy to check out the situation and reissue an updated version of this file, if necessary.
I have tried this on around 15 .exe files and only three failed to work.
I suggest that you use the compressed version of Unsafedisc.exe that I enclose, and notepad, as tests before attempting anything larger.
A couple of the larger tests were PFE (Programmers File Editor) with 9 imports, and Cover Editor (which comes with Nero the CD burning package) which has 8 imports.
Well, there's not much more to say other than a hello or two:
JTH, Still alive after all these years
Jrok, Still playing with arcade machines
R!sc, Victim of his own success ;)
Fravia+, Even I have to acknowledge reality exists now
Stealth, Thanx for the ftp access
Duke, For replying about CopyloK and remembering the Amiga scene.
The ICEDUMP Team For Icedump
If anybody out there can give me some decent info on Copylok please let me know, as I am having problems with the IAT rebuilding; it's most likely something dumb. I thought working on this packer would help but it was way too simple.
Regards,
Kilby…
I haven't got an Email address that I can publish happily, but I can be found lurking on the quality reversing sites.
Oh fuck it,
Kilby@cta102.free-online.co.uk