packers

A Packed protection
by +tsehp, Spring 1999


A Packed protection... +tsehp's essay is well worth reading and re-reading. Reversers will understand how useful this kind of approach can be nowadays...
Read and enjoy!



A Packed protection.

Well, this is the first essay of a new kind: we’ll study here a protection that only exists, and is only active, once the program has been unpacked. I will not name the program, according to Fravia’s new rules, because the purpose of this is not to damage the programmer himself but only to learn how to reverse it.

This program builds an installation package for your application, and the demo mode is fully featured except that the package it produces can only be installed on your own computer, not on others.

Tools needed:
- SoftICE
- A hex editor


So let’s start:
Start Setup.exe (you surely know which application I’m talking about).

When you try to install your package on another computer, you get a message box telling you that it can’t work, so:
bpx MessageBoxA; after two F12 (return to the caller) you find the culprit:
* Possible StringData Ref from Data Obj ->"c:\_INS999.765"
                                  |
:0043B447 68B84F4800              push 00484FB8
:0043B44C E8EF88FEFF              call 00423D40 *Are we on the original computer ?
:0043B451 85C0                    test eax, eax
:0043B453 7520                    jne 0043B475  *If yes jump to good guy
:0043B455 8D85FCFEFFFF            lea eax, dword ptr [ebp+FFFFFEFC] *Bad guy start…
:0043B45B 50                      push eax
:0043B45C FFB5F4FEFFFF            push dword ptr [ebp+FFFFFEF4]
:0043B462 E830200000              call 0043D497
:0043B467 59                      pop ecx
:0043B468 59                      pop ecx
:0043B469 E8B3EDFCFF              call 0040A221
:0043B46E 33C0                    xor eax, eax
:0043B470 E9F9020000              jmp 0043B76E
SoftICE shows that you are inside _ins5576, so where is that file? It is not located inside your package: it is decompressed at install time into windows\temp\istmpXXX. So patching it on disk is a problem, since the file you would patch is recreated from the package every time setup runs.

The question is, where does that file come from? If you search for _ins5576 inside the files of your package, you find it inside _ins32i.ex

So you have to break when setup.exe has finished reading _ins32i.ex and the decompressed _ins5576 is sitting in the buffer, about to be written to windows\temp.

You can use the classic bpx CreateFileA and bpx ReadFile, then search memory for occurrences of the bytes 75 20 8D 85 (the jne 0043B475 followed by the first two bytes of the lea) to know when this happens; SoftICE’s S command does the search, for example s 0 l ffffffff 75 20 8d 85.

When you manage that, you land here in setup.exe:
:004044C0 56                      push esi
:004044C1 753D                    jne 00404500
:004044C3 8B74240C                mov esi, dword ptr [esp+0C]
:004044C7 A1FC304100              mov eax, dword ptr [004130FC]
:004044CC 6A00                    push 00000000
:004044CE 689C274100              push 0041279C
:004044D3 FF36                    push dword ptr [esi]
:004044D5 FF742414                push [esp+14]
:004044D9 FF701C                  push [eax+1C]

* Reference To: KERNEL32.WriteFile, Ord:027Bh *this is also what writes the file _ins5576
                                  |
:004044DC FF158CD04000            Call dword ptr [0040D08C]

* Reference To: KERNEL32.GetLastError, Ord:00F4h
                                  |
What to do? You can force setup.exe to patch the buffer just before it is written to your hard disk, so your _ins5576 file will contain the patch that removes the protection. How to do this? Not so simple...

The only way is to hijack a bit of the code just before the call to WriteFile: replace an instruction there with a call to a place you can modify, and re-execute the replaced instruction inside your own code before returning. The instruction you replace must be at least 5 bytes long (the size of a call rel32), so a cmp dword ptr [xxxxxxxx],00 or a mov [xxxxxxxx],XX with a 32-bit address is a good candidate; if it is longer, fill the leftover bytes with nop. And where to put your code? At the end of the program: do a MAP32 setup.exe in SoftICE and it will show you where setup.text (the code section) ends; the padding after the last instruction gives you a little room to insert your own code.
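As an added example of the encoding work behind this step (this is not code from the essay), the C program below rebuilds the essay’s first call site and first stub from the addresses the essay gives: 004044B9 for the displaced 7-byte cmp, 0040C9E0 for the slack space at the end of setup.text, 0042A7A9 for the jne in the buffer. The function names, the put32 helper and the check that the displaced instruction is at least five bytes long are this example’s own; the second call is not rebuilt, since the essay leaves it as an exercise.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Addresses and bytes taken from the essay's listings; the helpers are this example's. */
#define PATCH_SITE   0x004044B9u   /* cmp dword ptr [004127A8],0 sat here (7 bytes) */
#define STUB_ADDR    0x0040C9E0u   /* slack space at the end of setup.text */
#define BUF_JNE_ADDR 0x0042A7A9u   /* where the jne lands in the decompression buffer */
#define JNE_PATTERN  0x858D2075u   /* bytes 75 20 8D 85 read as a little-endian dword */

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* rel32 of an E8 call: measured from the end of the 5-byte instruction. */
static uint32_t call_rel32(uint32_t site, uint32_t target) { return target - (site + 5); }

/* Overwrite a displaced instruction of displaced_len bytes with "call stub" plus
   NOP padding. Refuses anything shorter than 5 bytes: the call would otherwise
   eat into the next instruction. Returns bytes written, 0 on error. */
static size_t build_patch_site(uint32_t site, uint32_t stub, size_t displaced_len,
                               uint8_t *out, size_t cap)
{
    if (displaced_len < 5 || displaced_len > cap) return 0;
    out[0] = 0xE8;
    put32(out + 1, call_rel32(site, stub));
    memset(out + 5, 0x90, displaced_len - 5);
    return displaced_len;
}

/* Stub layout, mirroring the essay's first call:
     cmp  dword ptr [buf_addr], expected    81 3D imm32 imm32
     jne  skip                              75 07
     mov  byte ptr [buf_addr], new_byte     C6 05 imm32 imm8
   skip:
     <displaced instruction>                re-executed last, so the flags it sets
     ret                                    C3   reach the jne after the call site */
static size_t build_stub(uint32_t buf_addr, uint32_t expected, uint8_t new_byte,
                         const uint8_t *displaced, size_t displaced_len,
                         uint8_t *out, size_t cap)
{
    size_t n = 0;
    if (displaced_len + 20 > cap) return 0;
    out[n++] = 0x81; out[n++] = 0x3D;
    put32(out + n, buf_addr); n += 4;
    put32(out + n, expected); n += 4;
    out[n++] = 0x75; out[n++] = 7;                 /* skip the 7-byte mov below */
    out[n++] = 0xC6; out[n++] = 0x05;
    put32(out + n, buf_addr); n += 4;
    out[n++] = new_byte;
    memcpy(out + n, displaced, displaced_len); n += displaced_len;
    out[n++] = 0xC3;
    return n;
}

/* The essay's first call (0040C9E0..0040C9FA), rebuilt from the parameters above. */
static size_t essay_first_stub(uint8_t *out, size_t cap)
{
    static const uint8_t displaced[7] = { 0x83, 0x3D, 0xA8, 0x27, 0x41, 0x00, 0x00 };
    return build_stub(BUF_JNE_ADDR, JNE_PATTERN, 0xEB, displaced, sizeof displaced, out, cap);
}

/* Byte idx of the rebuilt stub / patch site, or -1 when idx is past the end. */
static int essay_first_stub_byte(size_t idx)
{
    uint8_t buf[64];
    size_t n = essay_first_stub(buf, sizeof buf);
    return idx < n ? buf[idx] : -1;
}

static int essay_patch_site_byte(size_t idx)
{
    uint8_t buf[16];
    size_t n = build_patch_site(PATCH_SITE, STUB_ADDR, 7, buf, sizeof buf);
    return idx < n ? buf[idx] : -1;
}

int main(void)
{
    uint8_t buf[64];
    size_t i, n;
    n = build_patch_site(PATCH_SITE, STUB_ADDR, 7, buf, sizeof buf);
    printf("%08X:", PATCH_SITE);
    for (i = 0; i < n; i++) printf(" %02X", buf[i]);
    printf("\n");
    n = essay_first_stub(buf, sizeof buf);
    printf("%08X:", STUB_ADDR);
    for (i = 0; i < n; i++) printf(" %02X", buf[i]);
    printf("\n");
    return 0;
}
```

The stub comes out at 27 bytes, so its ret sits at 0040C9FA and the jne skips to 0040C9F3, exactly the addresses in the essay’s listing; the call at 004044B9 encodes as E8 22 85 00 00 followed by two nops.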

I had to put two calls: one before WriteFile to patch the JNE to JMP, and one after the write to put it back to JNE, because at this point setup is still decompressing ins32i and using the buffer data to uncompress other parts; if you don’t, all the occurrences of JNE will be changed to JMP in the rest of the unpacked ins5576.

So here are the places where I inserted the two calls:
:004044B9 E822850000              call 0040C9E0 *The first call (at the end of setup):
                                                  changes 75 to EB in the buffer at the right place.
:004044BE 90                      nop           *to fill the gap
:004044BF 90                      nop           *idem
:004044C0 56                      push esi
:004044C1 753D                    jne 00404500
:004044C3 8B74240C                mov esi, dword ptr [esp+0C]
:004044C7 A1FC304100              mov eax, dword ptr [004130FC]
:004044CC 6A00                    push 00000000
:004044CE 689C274100              push 0041279C
:004044D3 FF36                    push dword ptr [esi]
:004044D5 FF742414                push [esp+14]
:004044D9 FF701C                  push [eax+1C]

* Reference To: KERNEL32.WriteFile, Ord:027Bh
                                  |
:004044DC FF158CD04000            Call dword ptr [0040D08C]

* Reference To: KERNEL32.GetLastError, Ord:00F4h
                                  |
:004044E2 FF15B0D04000            Call dword ptr [0040D0B0]
:004044E8 FIND IT YOURSELF !      Call 0040c993 		*second call to put things back
:004044ED A19C274100              mov eax, dword ptr [0041279C]
:004044F2 3B06                    cmp eax, dword ptr [esi]
:004044F4 740E                    je 00404504
:004044F6 C705A8274100FCFFFFFF    mov dword ptr [004127A8], FFFFFFFC


And here are the two calls I wrote:
:0040C9E0 813DA9A7420075208D85    cmp dword ptr [0042A7A9], 858D2075 *is the jne (75 20 8D 85) in the buffer?
:0040C9EA 7507                    jne 0040C9F3 *No, go back
:0040C9EC C605A9A74200EB          mov byte ptr [0042A7A9], EB *Yes, patch the buffer.

* Referenced by a Jump at Address:0040C9EA(C)
|
:0040C9F3 833DA827410000          cmp dword ptr [004127A8], 00000000 *that instruction was at 004044B9
                                                                      before I replaced it with the call 0040C9E0.
:0040C9FA C3                      ret
So the purpose of this first call is to replace the jne with a jmp in the buffer in memory (if you searched correctly with SoftICE, you will find the address 42A7A9) before it is written into _ins5576 in your windows\temp directory. That file will be loaded afterwards and will contain the patched protection.

So, the second call:
:0040C993 813DA9A74200EB208D85    cmp dword ptr [0042A7A9], 858D20EB *is the patched jmp in the buffer?
:0040C99D 7507                    jne 0040C9A6
:0040C99F C605A9A7420075          mov byte ptr [0042A7A9], 75 *put the jne back
:0040C9A6 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
This is left as an exercise to the reader! You just have to use the syntax of my first call to do the rest.

You just have to remember to put, inside the second call, the instruction that was originally at the place where you inserted that call and, of course, to end it with a ret as well! Keep the displaced instruction as the last thing before the ret: in the first call this matters, because the jne 00404500 at 004044C1 tests the flags set by the displaced cmp, and call, nop, push and ret leave the flags untouched.

Note that I overwrote some existing code in this place, but it was not used at all; I tried with the original setup.exe on the computer used for the creation of the package.
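To show why the second call is needed, here is an added simulation in C; it is not part of the essay, and the toy decoder and sample streams are constructed for it, not the installer’s real format. Two "files" are decoded through one buffer, and the second contains a back-reference that copies bytes from the first, the way an LZ-style decompressor reuses earlier output. PATCH_OFF plays the role of the fixed address 0042A7A9, pre_write_patch and post_write_restore stand in for the two calls, and run_installer can be told to skip the restore to see the patch leak into the second file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data and a toy decoder; the format is this example's, not the installer's. */
#define OUT_CAP   64
#define PATCH_OFF 2   /* offset of the jne in the decode buffer; the fixed address
                         0042A7A9 plays this role in setup.exe */

static const uint8_t JNE_PATTERN[4] = { 0x75, 0x20, 0x8D, 0x85 };  /* jne 0043B475 ; lea ... */
static const uint8_t JMP_PATTERN[4] = { 0xEB, 0x20, 0x8D, 0x85 };  /* the same after patching */

/* Toy LZ decoder standing in for the installer's decompressor.
     00 n b0..b(n-1)  : n literal bytes
     01 d n           : copy n bytes from out[pos - d], a back-reference into
                        everything decoded so far, including earlier files
   Appends at *pos; returns bytes appended, 0 on malformed input. */
static size_t lz_decode(const uint8_t *in, size_t inlen,
                        uint8_t *out, size_t outcap, size_t *pos)
{
    size_t i = 0, start = *pos;
    while (i < inlen) {
        uint8_t tok = in[i++];
        if (tok == 0x00) {
            if (i >= inlen) return 0;
            size_t n = in[i++];
            if (i + n > inlen || *pos + n > outcap) return 0;
            memcpy(out + *pos, in + i, n);
            i += n; *pos += n;
        } else if (tok == 0x01) {
            if (i + 2 > inlen) return 0;
            size_t d = in[i++], n = in[i++];
            if (d == 0 || d > *pos || *pos + n > outcap) return 0;
            while (n--) { out[*pos] = out[*pos - d]; (*pos)++; }  /* byte-wise: overlap is legal */
        } else {
            return 0;
        }
    }
    return *pos - start;
}

/* First call of the essay: runs just before WriteFile. Returns 1 if it patched. */
static int pre_write_patch(uint8_t *buf)
{
    if (memcmp(buf + PATCH_OFF, JNE_PATTERN, 4) != 0) return 0;  /* cmp dword ptr [..],858D2075 */
    buf[PATCH_OFF] = 0xEB;                                       /* mov byte ptr [..],EB */
    return 1;
}

/* Second call: runs just after WriteFile and undoes the patch. Returns 1 if it restored. */
static int post_write_restore(uint8_t *buf)
{
    if (memcmp(buf + PATCH_OFF, JMP_PATTERN, 4) != 0) return 0;
    buf[PATCH_OFF] = 0x75;
    return 1;
}

/* Decompress two files through one buffer and "write" each to disk1/disk2.
   With restore != 0 the patch is reverted after each write (the essay's method).
   Returns 0 on success, -1 on a decode error. */
static int run_installer(int restore, uint8_t disk1[16], size_t *len1,
                         uint8_t disk2[16], size_t *len2)
{
    /* file 1: test eax,eax / jne / lea eax,[ebp-104] / push eax, the bytes from the essay */
    static const uint8_t stream1[] = { 0x00, 11, 0x85, 0xC0, 0x75, 0x20,
                                       0x8D, 0x85, 0xFC, 0xFE, 0xFF, 0xFF, 0x50 };
    /* file 2: xor eax,eax, then 4 bytes copied from 11 bytes back, i.e. file 1's jne */
    static const uint8_t stream2[] = { 0x00, 2, 0x33, 0xC0, 0x01, 11, 4 };
    uint8_t out[OUT_CAP];
    size_t pos = 0, start, n;

    n = lz_decode(stream1, sizeof stream1, out, OUT_CAP, &pos);
    if (n == 0 || n > 16) return -1;
    pre_write_patch(out);                    /* hook before WriteFile */
    memcpy(disk1, out, n); *len1 = n;        /* WriteFile(file 1) */
    if (restore) post_write_restore(out);    /* hook after WriteFile */

    start = pos;                             /* decoder keeps using the same buffer */
    n = lz_decode(stream2, sizeof stream2, out, OUT_CAP, &pos);
    if (n == 0 || n > 16) return -1;
    pre_write_patch(out);                    /* fires again at the fixed offset, not on file 2 */
    memcpy(disk2, out + start, n); *len2 = n;
    if (restore) post_write_restore(out);
    return 0;
}

/* Byte `off` of the file written to disk (1 or 2), or -1 on error / out of range. */
static int disk_byte(int restore, int file, size_t off)
{
    uint8_t d1[16], d2[16];
    size_t l1, l2;
    if (run_installer(restore, d1, &l1, d2, &l2) != 0) return -1;
    if (file == 1) return off < l1 ? d1[off] : -1;
    if (file == 2) return off < l2 ? d2[off] : -1;
    return -1;
}

int main(void)
{
    printf("file 1, jne byte: %02X (patched before the write)\n", disk_byte(1, 1, PATCH_OFF));
    printf("file 2 with restore:    %02X (original jne kept)\n", disk_byte(1, 2, 2));
    printf("file 2 without restore: %02X (patch leaked via the back-reference)\n", disk_byte(0, 2, 2));
    return 0;
}
```

With the restore in place the first file lands on disk with EB and the second keeps its 75; without it, the back-reference copies the already-patched EB into the second file, which is the corruption of "other parts" the essay warns about.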

And when you run Setup again, just stop _ins5576 at 43B453 and you will find this:
:0043B447 68B84F4800              push 00484FB8
:0043B44C E8EF88FEFF              call 00423D40
:0043B451 85C0                    test eax, eax
:0043B453 EB20                    jmp 0043B475  ***IT’S PATCHED !
:0043B455 8D85FCFEFFFF            lea eax, dword ptr [ebp+FFFFFEFC]
:0043B45B 50                      push eax
:0043B45C FFB5F4FEFFFF            push dword ptr [ebp+FFFFFEF4]
:0043B462 E830200000              call 0043D497
:0043B467 59                      pop ecx
:0043B468 59                      pop ecx
:0043B469 E8B3EDFCFF              call 0040A221
:0043B46E 33C0                    xor eax, eax
:0043B470 E9F9020000              jmp 0043B76E
So you managed to make setup.exe patch _ins5576, where the protection resides, for you. Note that this kind of trick is very common against encrypted (or packed) protections: you patch the code while it sits decrypted in memory, just before it is written out or encrypted again!

Hope this helps you discover and understand a lot of new similar protection schemes.

+Tsehp (From Paris)

