
Thread: Unusual UnPackMe

  1. #1
    NchantA
    Guest

    Unusual UnPackMe

    lo all

    this goes out to newbies and oldies alike

    http://www.crosswinds.net/~nchanta/trnr_cme.zip

    please have a go, and don't be afraid to abuse me in a post.

    NchantA
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    NchantA
    Guest
    err. i personally wouldn't refer this unpackme to the true newbies, i would however like you advanced crackers that sometimes look in on the rest of us, to have a look at it

    and maybe even show me why i can't unpack my own damn unpackme eheehhehe *g*

    have funnnnnnnn

    NchantA

  3. #3
    Kayaker
    Hi Nchanta,

    So you're looking for abuse, eh?

    Well I haven't unpacked it yet, but I did find the process in memory it's looking for (or at least I found SOMETHING ;d )

    So, no nag, straight to the splash screen. I have a question though, I'm not familiar with trainers, is the 'Apply Memory Changes' supposed to do anything in your unpackme or is it just there for show as it seems? Does this button normally, well, apply memory changes in a real trainer?

    Pretty cool. I'll work on the unpacking now, but I'm not holding my breath on figuring that one out... One more question. Couldn't you have loaded a few more system functions? I think you missed a couple of the Audio Compression Codecs

    Cheers,

    Kayaker

  4. #4
    NchantA
    Guest
    ehehe arguments sharpen the mind

    ok well, the trainer was a novel idea (not entirely my own), one of the reasons i included it here. and i *was* going to submit this to the reverser forum but this is the mini project area, it says nothing about newbie project

    and it is a small project so it fits the forum quite well

    it searches for a dummy process on start up, patching shouldn't be hard, but i did have trouble unpacking it myself!

    it's packed with Neolite if that helps

    i'm not sure what u want about the audio codecs??

    and the apply changes in a real trainer *would* do something to the game yes, it could be fun to reverse hehe

    NchantA

  5. #5
    NchantA
    Guest
    i just realized i do this way too much

    hehehehehehe

  6. #6
    SV
    Guest
    Hi

    I have a working unpacked exe except splash bitmap :-( and have found something too !!
    I have really big prob with this splash bitmap.
    How is it loaded in dialog ? Only in rsrc ?
    I have saved a right bmp file (at least).

    Thx SV

  7. #7
    Kayaker
    Hi SV,

    I seem to be having a problem with the Splash screen as well. I got what I thought would be a working dump (JMP EAX in .crypt section, EAX = OEP in .text section) and the program runs fine. The problem is that the file size is only 224K and all it does is display the Splash screen, and without any image...

    In Exescope the Splash screen Dialog Resource (ID 102) is there. You can edit a few things with it (Titlebar etc.) and it responds. FindResourceA with lpName properly points to it (66h = 102) and is called a few times. But there just ain't no image associated with it!!

    So this was packed with what? AsNeolite? ^_^

    Nchanta, I was joking about adding a few more functions via the codecs because it seemed you had loaded just about every other system dll via LoadLibraryA and GetProcAddress just to make things nice and confusing

    Kayaker

  8. #8
    Kayaker
    OK, I sort of figured out what's going on. The program maps itself into memory with MapViewofFile then starts unpacking itself. If you trace for a while after this break and display the Virtual Offsets of each section you see them being unpacked at address 451D70 (and within that call at 45220A) each in turn -
    .text 400000 - 423000
    .rdata 423000 - 42B000
    .data 42B000 - 42D000

    There's one more Call to 451D70 for the .rsrc section but it seems to be unpacked into scattered parts of memory there and later. i.e. 470000 - 480000 contains some of the good stuff, the memory around 4F4F90 contains a ref. to "Nchanta" and a few of the string resources, etc.

    I think if we could get a good dump of the .rsrc section it could be appended to a dump of the 1st 3 sections and work OK. I just haven't figured out where to dump the good bits.

    Kayaker

  9. #9
    NchantA
    Guest
    hehe

    a very unusual problem yes?

    a simple splashscreen can cause so much problems

    ah yes, kayaker, i notice the aha joke now ;P i don't usually find the 'needle in the haystack' approach is worth using, but in this experiment it proved useful

    keep going

    NchantA

  10. #10
    90h
    Guest
    I have extracted the splash screen from the crackme and found out which process the crackme wants to be loaded. The splash screen is at 47009Eh (Virtual Offset), size 84E76h (aka 531kb), and it has a BMP header, so I do not think it is in the .rsrc section. As far as I know all bmp in .rsrc have no header (that's not 100% true, they can if you like).

    PS.
    What is an easy program to unpack? Then I will come back to this program. Kayaker thanks for the info, will have to look into it.

  11. #11
    NchantA
    Guest
    http://csir.cjb.net is a good place to go for packing related stuff
    http://zencrack2.cjb.net rox as well

    hi r!sc

    NchantA

  12. #12
    Kayaker
    Hi 90h,

    Your info on the size/location of the bmp makes sense. I have a dump of size 85029 addressed at 470080 which I got during the Neolite unpacking phase. The 1st 1E bytes contains a header which includes what seems to be an encryption string, the next 84e76 as you've confirmed is the bmp itself, which can be dumped and viewed, and the last 195 bytes contain more encryption strings associated with the rest of the resources. This seems to account for the whole of the "lost resources".

    These 'encryption strings', for lack of a better term, seem to be associated with each resource. i.e. *!mai!**!ScN!* seems to be associated with the Splash Screen bitmap, *!mai!**!MiS!* is associated with the 2 MessageBox strings, *!mai!**!but!* with the Apply Memory Changes' and 'Quit' buttons, etc.

    I unpacked the program manually following a standard Neolite procedure, tracing until code similar to the following (may need to set a MapViewOfFile to break into the program initially)

    MOV EAX,[ESP+04]
    AND EAX,[xxxxxxxx]
    CALL xxxxxxxx
    INC BYTE PTR [xxxxxxxx]
    JMP EAX ; eax is Original Entry Point of program = 40F2D3

    set a jmp eip at the JMP EAX, F5 out of SI, full dump with Procdump, change Entry Point. Check out the tut by Eternal Bliss for an example with Notepad:
    http://www.woodmann.net/fravia/text/eb_tut32.txt

    I also dumped the unpacked memory image with TRW PEDUMP. In both cases the program ran OK but just shows a blank splashscreen then sits there. All resources except the icon, some default string resources, and some DialogBox templates are missing.

    There's a call 0040EF00 statement which is used several times at different addresses which seems to make use of these encryption strings somewhere during the FindResource / LoadResource / CreateDialogIndirectParamA phase of the program. You can do a String Ref search in W32dasm for them or set a BPM on the strings in SI (i.e. at memory address 470080 for the 1st one, 484E96 for the rest).

    Why the encryption strings? Well, there's also a ref in the dumped exe file to Inflate 1.04 by Mark Adler. Turns out this is a GNU program used to 'inflate' compressed files. The public source code is now part of Info-ZIP software.

    My thought was that Nchanta "borrowed" some of the source code and it is being used somehow to 'inflate' the corresponding 'deflated' resources. Though this doesn't really make sense in a way because the resources aren't actually compressed, just sort of separate from the regular exe structure. I looked briefly at the source code and there's no indication of these funny encryption strings, so I may be off-target here. ???

    I've tried inserting the whole 85029 byte 'resource' structure into the dumped file in various ways and succeeded in getting the Apply Memory Changes and Quit buttons to show somewhat ghostly in the splashscreen, but that's all.

    Assuming the code to deal with these encryption strings (if that's really what they are) is OK in the dumped file, then it *should* just be a matter of proper addressing of the bmp, messagebox and dialog box resources as a unit.

    This is all fine in theory, but I still haven't put Humpty back together again. If Nchanta is being truthful in that he hasn't been able to unpack the file successfully himself, perhaps he may want to enter the discussions? ^_^

    Regards,

    Kayaker
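
    A way to carve the 85029-byte 'resource' structure Kayaker describes above (0x1E-byte header, then the BMP, then the trailing *!mai!**!xxx!* strings) into its parts. This is an added example, not code from the thread; the real dump is not on the page, so the blob it parses is a small constructed stand-in with the same layout, and the BMP length is taken from the bfSize field of the BMP's own file header.

```python
"""Carve the header / BMP / trailer layout described in the thread.

Assumed layout (from Kayaker's post): 0x1E-byte header carrying a tag
string, a complete BMP file, then more tag strings for the other
resources.  The blob built here is constructed for the example, not the
real 470080 dump.
"""
import re
import struct

HEADER_LEN = 0x1E  # leading header size reported in the thread
TAG_RE = re.compile(rb"\*!mai!\*\*![A-Za-z]{3}!\*")  # *!mai!**!ScN!* etc.


def build_sample_bmp(width=2, height=2):
    """Construct a tiny valid 24-bit BMP so the example runs offline."""
    row = width * 3
    padded = (row + 3) & ~3                       # rows are 4-byte aligned
    pixels = b"".join(b"\x00\x00\xff" * width + b"\x00" * (padded - row)
                      for _ in range(height))
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                      len(pixels), 2835, 2835, 0, 0)   # BITMAPINFOHEADER
    size = 14 + len(dib) + len(pixels)
    filehdr = struct.pack("<2sIHHI", b"BM", size, 0, 0, 14 + len(dib))
    return filehdr + dib + pixels


def build_sample_blob():
    """Constructed blob: tag-bearing header, BMP, trailing tag strings."""
    header = b"*!mai!**!ScN!*".ljust(HEADER_LEN, b"\x00")
    trailer = b"*!mai!**!MiS!*\x00*!mai!**!but!*\x00"
    return header + build_sample_bmp() + trailer


def split_resource_blob(blob):
    """Return (header, bmp, trailer, tags) for a blob in this layout."""
    header, body = blob[:HEADER_LEN], blob[HEADER_LEN:]
    if body[:2] != b"BM":
        raise ValueError("no BMP signature after the header")
    bmp_size = struct.unpack_from("<I", body, 2)[0]   # bfSize of the BMP
    if bmp_size > len(body):
        raise ValueError("BMP size field exceeds blob length")
    bmp, trailer = body[:bmp_size], body[bmp_size:]
    tags = [m.group().decode() for m in TAG_RE.finditer(header + trailer)]
    return header, bmp, trailer, tags


if __name__ == "__main__":
    _, bmp, _, tags = split_resource_blob(build_sample_blob())
    open("splash_carved.bmp", "wb").write(bmp)   # viewable in any image tool
    print(len(bmp), tags)
```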

  13. #13
    90h
    Guest
    thanks NchantA and Kayaker. Cool, I was right that the JMP EAX is a jmp to the original code.

  14. #14
    90h
    Guest
    With bad/good luck I got it unpacked with a splashscreen (but that's all). What I did was a standard Neolite dump. Then I made a dump at 470080 size 85029 (like Kayaker said). Added 85029 bytes with topo to my main dump, then added the 470080 dump over my new bytes, then did a test run (had a splashscreen). Yes, it's a bad dump, but I was making it for testing.

    What I was trying to do was use PEditor to add a new section with a VA of 470080 (I do not think you can jump from 42D000 to 470080 now), then add the 470080 dump to the end of the file. That did not work, so I used topo to add the bytes (/section) to it and was going to re-edit with PEditor (but before I did that I ran it).

    Kayaker how did you get the Apply Memory Changes and Quit buttons?

  15. #15
    90h
    Guest
    I did a new dump at 470080 from 40D9E5 (well, a BPX 40D9E1, and I think the 2nd time), size 85F80h, and added it to the end like I did before. It ran fine, but it's not 100% unpacked; I have a section .crypt! that I cannot delete at this time.
