A Packed protection
by +tsehp, Spring 1999
A Packed protection... +tsehp's essay is well worth reading and re-reading. Reversers
will understand how useful this kind of apporoach can be nowadays...
Read and enjoy!
A Packed protection.
Well this is the first essay of a new kind, weíll study here a protection that is active when it
is unpacked. I will not name the program according to Fraviaís new rules because the purpose of
this is not to damage the programmer itself but only to learn to reverse it.
This program is made to build an installation package for your application, and the demo mode is
fully featured exept that the package can only install on your computer, not others.
Tools needed :
-Softice
-Hex editor
So letís start :
Start Setup.exe (guess you surely know what application Iím talking about)
When you try to install your package on another computer, you have a msg box telling
you that it canít work, so :
Bpx messageboxa, after two F12, you find the culprit :
* Possible StringData Ref from Data Obj ->"c:\_INS999.765"
|
:0043B447 68B84F4800 push 00484FB8
:0043B44C E8EF88FEFF call 00423D40 *Are we on the original computer ?
:0043B451 85C0 test eax, eax
:0043B453 7520 jne 0043B475 *If yes jump to good guy
:0043B455 8D85FCFEFFFF lea eax, dword ptr [ebp+FFFFFEFC] *Bad guy startÖ
:0043B45B 50 push eax
:0043B45C FFB5F4FEFFFF push dword ptr [ebp+FFFFFEF4]
:0043B462 E830200000 call 0043D497
:0043B467 59 pop ecx
:0043B468 59 pop ecx
:0043B469 E8B3EDFCFF call 0040A221
:0043B46E 33C0 xor eax, eax
:0043B470 E9F9020000 jmp 0043B76E
You see into softice that youíre inside _ins5576, so whereís that file ? Not
located inside your package but uncompressed into windows\temp\istmpXXX.
So youíve got a problem to do the patch
The question is, whereís that file coming from? If you do search _ins5576 inside
the files in your package, you find it inside _ins32i.ex
So youíve got to stop when setup finished read ins32i and when the decompressed _ins5576
is in the buffer to be written to windows\temp
You can use the classical bpx createfilea and readfile and to search the buffer with
occurences of 75 20 8d 85 to know when this Happens.
When you manage, you land here in setup.exe :
:004044C0 56 push esi
:004044C1 753D jne 00404500
:004044C3 8B74240C mov esi, dword ptr [esp+0C]
:004044C7 A1FC304100 mov eax, dword ptr [004130FC]
:004044CC 6A00 push 00000000
:004044CE 689C274100 push 0041279C
:004044D3 FF36 push dword ptr [esi]
:004044D5 FF742414 push [esp+14]
:004044D9 FF701C push [eax+1C]
* Reference To: KERNEL32.WriteFile, Ord:027Bh *this writes also the file ins5576
|
:004044DC FF158CD04000 Call dword ptr [0040D08C]
* Reference To: KERNEL32.GetLastError, Ord:00F4h
|
What to do? You can force setup.exe to patch the buffer just before writing it
to your HD, so your ins5576 file will contain the patch to Remove the protection,
how to do this? Not so simple...
The only way is to use a part of the code just before the call to writefile.
Just replace an instruction like mov [xxxxx],XX with a call to a place that
you can modify and where to modify ? At the end of the program, just do a map32 of
setup.exe, it will give you the ending part of setup.text (the code place), you
will have a little place to insert your own code.
I had to put two calls, one before writefile to patch the JNE to JMP and one after
the write to put it back to JNE because at this point setup is still decompressing
ins32i and using the buffer data to uncompress other parts, if you donít all the
occurences of JNE will be changed to JMP in the rest of the unpacked ins5576.
So hereís the places where I inserted the two calls :
:004044B9 E822850000 call 0040C9E0 *The first call (at the end of setup)
Change 75 to EB in the buffer at the good place.
:004044BE 90 nop *to fill the gaps
:004044BF 90 nop *idem
:004044C0 56 push esi
:004044C1 753D jne 00404500
:004044C3 8B74240C mov esi, dword ptr [esp+0C]
:004044C7 A1FC304100 mov eax, dword ptr [004130FC]
:004044CC 6A00 push 00000000
:004044CE 689C274100 push 0041279C
:004044D3 FF36 push dword ptr [esi]
:004044D5 FF742414 push [esp+14]
:004044D9 FF701C push [eax+1C]
* Reference To: KERNEL32.WriteFile, Ord:027Bh
|
:004044DC FF158CD04000 Call dword ptr [0040D08C]
* Reference To: KERNEL32.GetLastError, Ord:00F4h
|
:004044E2 FF15B0D04000 Call dword ptr [0040D0B0]
:004044E8 FIND IT YOURSELF ! Call 0040c993 *second call to put things back
:004044ED A19C274100 mov eax, dword ptr [0041279C]
:004044F2 3B06 cmp eax, dword ptr [esi]
:004044F4 740E je 00404504
:004044F6 C705A8274100FCFFFFFF mov dword ptr [004127A8], FFFFFFFC
And here are the two calls I wrote :
:0040C9E0 813D5BA7420075208D85 cmp dword ptr [0042A7a9], 858D2075 *is jne in buffer ?
:0040C9EA 7507 jne 0040C9F3 *No lets go back
:0040C9EC C6055BA74200EB mov byte ptr [0042A7a9], EB *Yes, letís patch the buffer.
* Referenced by a Jump at Address:0040C9EA(C)
|
:0040C9F3 833DA827410000 cmp dword ptr [004127A8], 00000000 *that instruction was here
before I replaced it with tha call 40c9e0.
:0040C9FA C3 ret
So the purpose of this first call is to replace jne with jmp in the buffer memory, if you
Searched with softice correctly, you will find the adress 42a7a9, before it is written into
Ins5576 in your windows\temp directory. This file will loaded after and will contain the
patched Protection.
So second call :
:0040C993 813DA9A74200EB208D85 cmp dword ptr [0042A7A9], 858D20EB
:0040C99D 7507 jne 0040C9A6
:0040C99F C6055BA74200EB mov byte ptr [0042A7a9], 75
:0040C9A6 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
This is left as an exercise to the reader! You just got to use the syntax of my first call
To do the rest.
You just got to know that you have to put the instruction that was before the place you putted
The second call and, of course, you have to insert a Ret as well!
Note that I overwrited some existing code in this place, but it was not used at all, I tried
With the original setup.exe on the computer used for the creation of the package.
And when you make Setup work, just stop ins5576 at 43b453 and you will find this :
:0043B447 68B84F4800 push 00484FB8
:0043B44C E8EF88FEFF call 00423D40
:0043B451 85C0 test eax, eax
:0043B453 EB20 jmp 0043B475 ***ITíS PATCHED !
:0043B455 8D85FCFEFFFF lea eax, dword ptr [ebp+FFFFFEFC]
:0043B45B 50 push eax
:0043B45C FFB5F4FEFFFF push dword ptr [ebp+FFFFFEF4]
:0043B462 E830200000 call 0043D497
:0043B467 59 pop ecx
:0043B468 59 pop ecx
:0043B469 E8B3EDFCFF call 0040A221
:0043B46E 33C0 xor eax, eax
:0043B470 E9F9020000 jmp 0043B76E
So you managed to make setup.exe patch ins5576 where the protection resides, note that this
Kind of thing is very used in crypted protections, that you can patch when decrypted in
Memory, just before being crypted again !
Hope this helps you discover and understand a lot of new similar protection schemes.
+Tsehp (From Paris)
You'r deep inside fravia's pages of reverse engineering
homepage
links
anonymity
+ORC
students' essays
academy database
bots wars
antismut
tools
cocktails
javascript wars
search_forms
mail_fravia
Is reverse engineering illegal?