
Thread: Identifying a packer, PEiD/TrID fail

  1. #1
    netsniper
    Guest

    Identifying a packer, PEiD/TrID fail

    1. What is the problem....
    I cannot determine the packer of a certain binary, and thus, cannot unpack it automatically

    2. What is the protection.....
    Unsure as of yet, but would probably need to unpack first to find out

    3. What tools are you using....
    I have tried PEiD, TrID, Ollydbg, Winhex, and IDA Pro to get some idea of how it is packed -- but no luck

    4. What tutorials have you read....
    I have read some basic unpacking tutorials on common packers like UPX, ASPack, etc and have unpacked these on my own before

    5. Show your output listing WITH comments....
    PEiD v0.93 with all plugins on their site shows "Nothing Found *", with options Hardcore scan, recurse subdirectories, use external signatures, reg shell ext, min to sys tray, load plugins, allow mult instances.

    TrID output:
    Code:
    C:\Program Files\TrID>trid "c:\Program Files\fakefolder\fakefile.exe"
    
    TrID/32 - File Identifier v1.56 - (C) 2003-04 By M.Pontello
    
    Collecting data from file: c:\Program Files\fakefolder\fakefile.exe
    Definitions found: 1552
    Analyzing...
    
     72.4% (.EXE) Win32 Executable Generic (10527/13/4)
     13.8% (.EXE) Generic Win/DOS Executable (2002/3)
     13.8% (.EXE) DOS Executable Generic (2000/1)
      0.0% (.CEL) Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3)
    
    C:\Program Files\TrID>
    6. NOW ask your question....
    Are there any other tools that can help me identify the packer of this binary? I would like to investigate the underlying code itself, so I need to unpack it first. If manual unpacking is necessary, I would like to learn how to do this. However, since my situation is also time critical, would it be against the rules to offer monetary reward for an expert to help? This was not detailed in the FAQ.

    I eagerly await your replies ;-)

    netsniper
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Autodesk? It might be dongle related...

    my 2 cents
    esther


    Reverse the code,Reverse Your Minds First

  3. #3
    netsniper
    Guest
    Quote Originally Posted by esther
    Autodesk? It might be dongle related...
    The exe is NOT an autodesk application. I think that TrID is identifying a file format that autodesk uses within my fakefile.exe app, which does video encoding (i'm hiding the name of the file on purpose). Anyways, are there any other ways to attack this?

    netsniper

  4. #4
    disavowed
    Quote Originally Posted by netsniper
    Are there any other tools that can help me identify the packer of this binary?
    If PEiD couldn't detect it, chances are that other apps won't be able to either.

    Quote Originally Posted by netsniper
    However, since my situation is also time critical
    If your situation is time critical, then you may want to just run your target, dump its memory, and analyze the dump (as opposed to doing a perfect unpacking job).

    Quote Originally Posted by netsniper
    would it be against the rules to offer monetary reward for an expert to help
    If this is third-party (not written by you) commercial software, then you shouldn't offer such a reward here. However, if it is not commercial software or the software's EULA explicitly allows for reverse engineering, then please say so and you may get some offers to help.

  5. #5
    netsniper
    Guest
    Quote Originally Posted by disavowed
    If your situation is time critical, then you may want to just run your target, dump its memory, and analyze the dump (as opposed to doing a perfect unpacking job).
    I would try to do this, but the app also seems to have code that stops me from using Ollydbg in this way. Is there an easier way to dump the running process to memory? Also, even though I have tricked the program to letting Ollydbg run a few times, when I "attach to process" the code still looks like junk! I'm wondering if there is much SMC here that is screwing everything up. All I really want to do is analyze the "virgin" function structures, without jumping through all these fscking h00ps :-O Man, these guys are really trying to hide their source. It is about a $1000 program, which I also assume to have ripped code from GPL projects. I'll give a big hint. Their website has been posted on /. many times in recent weeks and this site went down today ;-P I think they are pressured by my analysis of their other "product"...

    In conclusion, how can I dump the memory so I can analyze this file's functions?

    Quote Originally Posted by disavowed
    If this is third-party (not written by you) commercial software, then you shouldn't offer such a reward here. However, if it is not commercial software or the software's EULA explicitly allows for reverse engineering, then please say so and you may get some offers to help.
    If it is suspected that GPL code is within, would that be legal? I have already proven, very publicly, that this company's other "product" was stolen from GPL sources. I would like to do that again with this application that they are protecting so well. There must be something underneath, or else, why would they hide so well :-) I ask in the name of open source for help, and if none is available, I offer -- out of curiosity for the conclusion -- a monetary reward for unpacking, which should aid in proving the stolen source code. This is a big deal...

    netsniper

  6. #6
    nikolatesla20
    Information required as follows:

    How many sections in the PE file?

    Names of PE file sections?

    Is OEP in the final section?

    Sizes of sections in file?

    Any functions in the Import Table? If so, how many and what are their names?

    When the program executes, is there only one "instance" running?

    Can you simply dump the program from memory using LordPE while it's running? or does LordPE give you an error when trying to do so?


    -nt20

  7. #7
    netsniper
    Guest
    Quote Originally Posted by nikolatesla20
    HOw many sections in the PE file?
    seven sections...

    Quote Originally Posted by nikolatesla20
    Names of PE file sections?
    In order by virtual address:
    .text
    xm618ywi
    .data
    .rsrc
    bvium466
    fbnk3hol
    q7n4woxj

    Quote Originally Posted by nikolatesla20
    Is OEP in the final section?
    I don't know the OEP, and am a little naive to finding it since I don't have SoftICE. I am trying to get it installed after reading this fine tutorial and getting a good idea how to do it:
    http://www.woodmann.com/fravia/predator_unpacking.htm

    Can I locate the OEP some other way? This application seems to have anti-debugging code so I don't know how to get around that to find the OEP. Is there some other way without the debugger? I mean, if I try to open Ollydbg, the protected application immediately closes it.

    In PE Explorer, the listed "Address of Entry Point" is 003DB93B. But I am assuming that this is not the OEP...

    Quote Originally Posted by nikolatesla20
    Sizes of sections in file?
    From PE Explorer:
    Name | Vrt Sz | Vrt Addr | Sz Raw Data | Ptr Raw Data | Chars | Ptr Dirs

    .text | 000d2000h | 00401000h | 00000000h | 00000400h | e0000020h | --
    xm618ywi | 00022000h | 004d3000h | 00000000h | 00000400h | e0000060h | --
    .data | 0010f000h | 004f5000h | 00000000h | 00000400h | c0000040h | --
    .rsrc | 00088000h | 00604000h | 0002b000h | 00000400h | c0000040h | Resource Table
    bvium466 | 00016000h | 0068c000h | 00000000h | 0002b400h | e2000060h | --
    fbnk3hol | 00054000h | 006a2000h | 00000000h | 0002b400h | e0000020h | --
    q7n4woxi | 000e6000h | 006f6000h | 000e5d24h | 0002b400h | e0000060h | Import Table: TLS Table

    Quote Originally Posted by nikolatesla20
    Any functions in the Import Table? If so, how many and what are their names?
    I am not that familiar with packed programs messing with the import table. I am now reading this guide:
    http://sandsprite.com/CodeStuff/Understanding_imports.html

    However, still not sure how to detect how many functions there are and what the names are. I can say that the DLLs in the program folder seem to be msvc71*.dll files, so I am assuming a .NET application. Since the raw size of the q7n4woxj section seems large, I'm guessing that most of the code is in here...

    OK, I took a look at the section in a hex editor and see only a few notable functions in here -- but everything else looks garbled:
    GetModuleHandleA
    LoadLibraryA
    GetProcAddress
    ExitProcess
    MessageBoxA

    Quote Originally Posted by nikolatesla20
    When the program executes, is there only one "instance" running?
    It only runs one instance at a time.

    Quote Originally Posted by nikolatesla20
    Can you simply dump the program from memory using LordPE while it's running? or does LordPE give you an error when trying to do so?
    I can dump the running process, but the dumped file does not run correctly. It hangs with a greyed out window and I have to end task it...

    Thanks for your guidance, and hope to hear back from you soon :-)

    netsniper
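    The section table posted above already answers most of nikolatesla20's checklist, and the checking can be done mechanically. What follows is an added example, not code from this thread or from any tool named in it: a small PE32 parser that reads the section table, finds the section holding AddressOfEntryPoint, lists sections that have a virtual size but no bytes on disk, flags sections that are both writable and executable, measures the entropy of each section's raw data, and walks the import directory. Since the binary itself is not available, `build_sample()` constructs a PE32 whose section table copies the posted values (names, virtual sizes, raw sizes and pointers, characteristics, with the posted virtual addresses converted to RVAs by subtracting the 0x400000 image base) and whose import directory carries the five names spotted in the hex editor. The section contents are synthetic (zeroes for .rsrc, pseudo-random filler behind the import data in the last section), and the split of those five imports between KERNEL32 and USER32 is an assumption.

```python
"""PE32 section-table triage for a suspected packer (added example, not code from the thread)."""
import math
import random
import struct
from collections import namedtuple

Section = namedtuple("Section", "name vsize va rsize rptr chars")      # va is an RVA, not a VA
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000

def cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("latin-1")

def parse_pe(data):
    """Return (image_base, entry_rva, import_dir_rva, [Section]) from a PE32 file image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                          # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0" or struct.unpack_from("<H", data, pe + 24)[0] != 0x10B:
        raise ValueError("not a PE32 file")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                                          # IMAGE_OPTIONAL_HEADER32 start
    entry_rva, image_base = struct.unpack_from("<I", data, opt + 16)[0], struct.unpack_from("<I", data, opt + 28)[0]
    import_rva = struct.unpack_from("<I", data, opt + 104)[0]              # DataDirectory[1] = import table
    hdrs = (struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i) for i in range(nsec))
    secs = [Section(f[0].rstrip(b"\0").decode("latin-1"), f[1], f[2], f[3], f[4], f[9]) for f in hdrs]
    return image_base, entry_rva, import_rva, secs

def rva_to_offset(secs, rva):                  # map an RVA through a section that has bytes on disk
    for s in secs:
        if s.va <= rva < s.va + s.rsize:
            return rva - s.va + s.rptr
    raise ValueError(f"RVA {rva:#x} is not backed by file data")

def parse_imports(data, secs, import_rva):     # walk IMAGE_IMPORT_DESCRIPTORs; ordinals come back as '#n'
    found, off = [], rva_to_offset(secs, import_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if not (oft or name_rva or ft):                                    # all-zero descriptor ends the table
            break
        dll, t = cstr(data, rva_to_offset(secs, name_rva)), rva_to_offset(secs, oft or ft)
        while thunk := struct.unpack_from("<I", data, t)[0]:
            found.append((dll, f"#{thunk & 0xFFFF}" if thunk & 0x80000000 else cstr(data, rva_to_offset(secs, thunk) + 2)))
            t += 4
        off += 20
    return found

def entropy(buf):                              # Shannon entropy, bits per byte; packed data sits near 8.0
    n = len(buf)
    return 0.0 if not n else -sum(c / n * math.log2(c / n) for c in (buf.count(b) for b in range(256)) if c)

def triage(data):
    """The checklist: EP location, memory-only sections, RWX sections, per-section entropy, import names."""
    base, ep, imp_rva, secs = parse_pe(data)
    ep_sec = next((s for s in secs if s.va <= ep < s.va + max(s.vsize, s.rsize)), None)
    return {
        "entry_point_va": base + ep,
        "ep_section": ep_sec.name if ep_sec else None,
        "ep_in_last_section": ep_sec is secs[-1],
        "virtual_only": [s.name for s in secs if s.rsize == 0 and s.vsize],
        "rwx": [s.name for s in secs if s.chars & IMAGE_SCN_MEM_EXECUTE and s.chars & IMAGE_SCN_MEM_WRITE],
        "entropy": {s.name: round(entropy(data[s.rptr:s.rptr + s.rsize]), 2) for s in secs if s.rsize},
        "imports": parse_imports(data, secs, imp_rva) if imp_rva else [],
    }

def build_imports(base_rva, dlls):             # serialise descriptors + thunk arrays + names for base_rva
    thunk_off = 20 * (len(dlls) + 1)
    names_off = thunk_off + sum(4 * (len(funcs) + 1) for _, funcs in dlls)
    blob, names = bytearray(names_off), bytearray()
    def add(s):                                # append a string, return the RVA it will occupy
        names.extend(s)
        return base_rva + names_off + len(names) - len(s)
    for i, (dll, funcs) in enumerate(dlls):
        dll_rva, first = add(dll + b"\0"), base_rva + thunk_off
        for fn in funcs:
            struct.pack_into("<I", blob, thunk_off, add(b"\0\0" + fn + b"\0"))   # 2-byte hint, then name
            thunk_off += 4
        thunk_off += 4                                                     # zero thunk terminates the array
        struct.pack_into("<IIIII", blob, 20 * i, first, 0, 0, dll_rva, first)
    return bytes(blob + names)

def build_sample():
    """Constructed PE32 copying the posted section table (RVA = posted VA - 0x400000); contents synthetic."""
    posted = [(b".text", 0xD2000, 0x1000, 0, 0x400, 0xE0000020),
              (b"xm618ywi", 0x22000, 0xD3000, 0, 0x400, 0xE0000060),
              (b".data", 0x10F000, 0xF5000, 0, 0x400, 0xC0000040),
              (b".rsrc", 0x88000, 0x204000, 0x2B000, 0x400, 0xC0000040),
              (b"bvium466", 0x16000, 0x28C000, 0, 0x2B400, 0xE2000060),
              (b"fbnk3hol", 0x54000, 0x2A2000, 0, 0x2B400, 0xE0000020),
              (b"q7n4woxi", 0xE6000, 0x2F6000, 0xE5D24, 0x2B400, 0xE0000060)]
    imp_rva = posted[-1][2]                                                # import table in the last section
    imp = build_imports(imp_rva, [(b"KERNEL32.dll", [b"GetModuleHandleA", b"LoadLibraryA", b"GetProcAddress", b"ExitProcess"]),
                                  (b"USER32.dll", [b"MessageBoxA"])])       # DLL split is an assumption
    hdr, opt = bytearray(0x400), 0x98
    hdr[:2], hdr[0x3C:0x40], hdr[0x80:0x84] = b"MZ", struct.pack("<I", 0x80), b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x84, 0x14C, len(posted), 0, 0, 0, 224, 0x102)   # COFF header
    struct.pack_into("<HBBIIIIIII", hdr, opt, 0x10B, 0, 0, 0, 0, 0, 0x3DB93B, 0x1000, 0, 0x400000)  # EP as posted
    struct.pack_into("<IIIII", hdr, opt + 92, 16, 0, 0, imp_rva, len(imp))  # NumberOfRvaAndSizes, export, import
    for i, s in enumerate(posted):
        struct.pack_into("<8sIIIIIIHHI", hdr, opt + 224 + 40 * i, *s[:5], 0, 0, 0, 0, s[5])
    filler = random.Random(1).randbytes(0xE5D24 - len(imp))                # stands in for the packed payload
    return bytes(hdr) + bytes(0x2B000) + imp + filler
```

    Calling `triage(build_sample())` on the posted values reports that the entry point 0x7DB93B lies inside the final section q7n4woxi, that five of the seven sections have no bytes on disk and are filled at run time, that every code section is writable as well as executable, that the last section's data is near 8 bits of entropy, and that the import table is a stub of loader APIs (LoadLibraryA and GetProcAddress are what the unpacking stub needs to rebuild the real imports). Any one of these alone is weak evidence; together they are the standard fingerprint of a packed executable whether or not PEiD has a signature for it. Two caveats from the same table: the posted Ptr Dirs column puts the TLS table in that last section too, and TLS callbacks execute before the entry point gets control, so a breakpoint on the EP alone misses whatever runs first. And a process dump taken with LordPE will still carry this on-disk section table, whose raw sizes no longer match what is in memory; running the same check over the dump and seeing `virtual_only` still populated is the quick sign that the section headers need realigning and the IAT rebuilding before the dump can run.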

  8. #8
    bilbo
    It looks to me like Execryptor... one of the best toys in the market!
    Regards, bilbo
    Non quia difficilia sunt, non audemus, sed quia non audemus, difficilia sunt.[Seneca, Epistulae Morales 104, 26]

  9. #9
    kao
    Guest
    Agree with Bilbo - looks like Execryptor: very hard but crackable. There is no SMC, but lots of junk code. Developer can also hide parts of his code in the junk code. There is huge performance hit for doing that, so usually only serial checking routine is "junked".

    Execryptor does not support .NET applications, though. It might be normal application compiled with VS 2003.

  10. #10
    disavowed
    Quote Originally Posted by netsniper
    ... which I also assume to have ripped code from GPL projects. I'll give a big hint. Their website has been posted on /. many times in recent weeks and this site went down today ;-P I think they are pressured by my analysis of their other "product"...
    Ahh... found it with http://www.google.com/search?btnI&q=netsniper+gpl

    Quote Originally Posted by netsniper
    If it is suspected that GPL code is within, would that be legal?
    I'm not a lawyer, but my guess would be no.

    Quote Originally Posted by netsniper
    I offer -- out of curiosity for the conclusion -- a monetary reward for unpacking, which should aid in proving the stolen source code. This is a big deal...
    perhaps you should use half of that monetary award to pay a lawyer to determine whether or not unpacking it and reverse engineering it would be legal. if the lawyer confirms that it's legal, then come back here and offer the other half of the monetary award for unpacking it. (and of course provide references to the lawyer and their decision)

  11. #11
    It seems they should have already talked to lawyers because they are collecting donations on the "PearPC Legal Suit Donation Page."

    From everything I've read on the net, there is no legal prohibition on reverse engineering any software code for the purposes of examining it. As I understand the issue, the problem comes from "misappropriating" the intellectual property of another and "using" that work without the permission (or compensation) of the author. Examining the code of others is something which is done all the time in software companies.

    California made some news a couple of years ago as part of the release and publication of the DeCSS code which allowed one to "access" movie CDs. California's Supreme Court eventually got involved in the controversy and issued a decision in the case, titled: DVD COPY CONTROL v. BUNNER. The United States (and California has its own State regulation adopting the U.S. model) has something called the "Uniform Trade Secrets Act (UTSA)."

    According to that Act:

    Trade secret misappropriation occurs whenever a person: (1) acquires another's trade secret with knowledge or reason to know "that the trade secret was acquired by improper means" ( 3426.1, subd. (b)(1)); (2) discloses or uses, without consent, another's trade secret that the person "[u]sed improper means to acquire knowledge of" (id., subd. (b)(2)(A)); (3) discloses or uses, without consent, another's trade secret that the person, "[a]t the time of disclosure or use, knew or had reason to know that his or her knowledge of the trade secret was" (a) "[d]erived from or through a person who had utilized improper means to acquire it" (id., subd. (b)(2)(B)(i)), (b) "[a]cquired under circumstances giving rise to a duty to maintain its secrecy or limit its use" (id., subd. (b)(2)(B)(ii)), or (c) "[d]erived from or through a person who owed a duty to the person seeking relief to maintain its secrecy or limit its use" (id., subd. (b)(2)(B)(iii)); or (4) discloses or uses, without consent, another's trade secret that the person, "before a material change of his or her position, knew or had reason to know that it was a trade secret and that knowledge of it had been acquired by accident or mistake" (id., subd. (b)(2)(C)).

    But, for our purposes, here is the interesting part under both U.S. and California law:

    Acquisition of a trade secret by "'[i]mproper means' includes theft, bribery, misrepresentation, breach or inducement of a breach of a duty to maintain secrecy, or espionage through electronic or other means." ( 3426.1, subd. (a).) "Reverse engineering or independent derivation alone," however, is not "considered improper means."

    It would seem that if one were seeking to sue another for "misappropriating" their intellectual property in the form of their code and incorporating it into their own software, reverse engineering the code would be "required" and the principal form of "proof" that a "misappropriation" had occurred. If the trade secret actually "belongs" to the person doing the reversing, it probably would be hard to successfully argue they were "misappropriating" their own code.

    Regards,
    JMI

  12. #12
    naides
    Naive Observation. (Packing and unpacking IS NOT MY THING):

    Even when the application is up and running, the code looks scrambled?

    Maybe I misunderstood, but have you done this?:

    Get the app up and running.
    The code should be unpacked in memory, at least some parts of it.
    Using a dumping tool like PE Tools, find the process in the memory and dump it.

    You could analyze the dump for code patterns, strings, etc.
    The API calls and communication with the system dlls is probably scrambled beyond recognition, but the code flow and the structure of the functions should be recognizable

  13. #13
    netsniper
    Guest
    Quote Originally Posted by bilbo
    It looks to me Execryptor... one of the best toys in the market!
    Better than Silicon Realm's Armadillo/Software Passport?

    netsniper

  14. #14
    netsniper
    Guest
    Quote Originally Posted by JMI
    "Reverse engineering or independent derivation alone," however, is not "considered improper means."

    It would seem that if one were seeking to sue another for "misappropriating" their intellectual property in the form of their code and incorporating it into their own software, reverse engineering the code would be "required" and the principal form of "proof" that a "misappropriation" had occurred. If the trade secret actually "belongs" to the person doing the reversing, it probably would be hard to successfully argue they were "misappropriating" their own code.
    Great insight dude :-) Yes, I think that it is fine to reverse the software, but I will also speak with my lawyer and see what he says. I want to make sure that this is allowable. If that is the case, how much of a time investment would it be to "virginize" this application? I'm assuming that manual work would need to be done to get the code into a usable form for IDA Pro analysis (ie. unpack, recover from junk code blocks, remove anti-debug code, remove anti-trace, etc...). Let me know and then offer up a bid. After I talk to my lawyer I would love to speak with someone about doing this, and afterward, finding out how they went about their work. Maybe they could also write up an article on how they did it? I found someone else on the net that was doing similar research and seems to show that XVID and LAME code is in their product! I'm about to email him and talk some more about it. See for yourself here:
    http://www.tliquest.net/ryan/cherryos/vx30/oldversion/

    netsniper

  15. #15
    netsniper
    Guest
    Quote Originally Posted by naides
    Even when the application is up and running, the code looks scrambled?

    Maybe I misunderstood, but have you done this?:

    Get the app up and running.
    The code should be unpacked in memory, at least some parts of it.
    Using a dumping tool like PE Tools, find the process in the memory and dump it.
    Yeah, I did dump the process, but it still seems like junk! I am wondering wtf is going on here. I am new to this though, so I must be doing something stupid. Another guy on the net did happen to get a dump working correctly and analyzed the code a little bit. Maybe I can just snag the resultant executables from him so I can do some IDA Pro analysis. This is getting very interesting...

    netsniper