Reversing Packed Targets
An Excersize in reversing for reversing's sake
packers
Packers
19 May 1998
by The RudeBoy [PC]
Courtesy of Fravia's page of reverse engineering
 
fra_00xx
980519
RudeBoy
0100
PU
PC
Simple, yet interesting little essay about basic DOS-type unpacking skills.
There is a crack, a crack in everything That's how the light gets in
Rating
( )Beginner (X)Intermediate ( )Advanced ( )Expert

An essay discussing simple .com file packing and unpacking
Reversing Packed Targets
An Excersize in reversing for reversing's sake
Written by The RudeBoy [PC]


Introduction

This essay is meant to explain .com file packing and unpacking.

Not much else to say...



Tools required
TRacer 1.98
IDA 3.7x
C Compiler (optional)
Hex Editor (optional)
PKLite

Target's URL/FTP
rb15fcrk.com - f's crack for ReBirth 1.5

Program History
Not Important

Essay

A friend of mine downloaded this crack off the web so that he could better evaluate

ReBirth.  He sent it to me as well, and when I ran it I noticed that it had a "nag".

In order to run the patch, you had to hit the "Page Up" key.  I decided that I would 

remove the nag from this program.



To do this, i started up IDA and loaded the .com file.  What I saw was interesting. 

The program started off with a jmp, followed by a bunch of data that seemed to make

no sense.  Generally this is a good sign that the file is packed.  I now had a few 

options: i could try a generic unpacker (and learn nothing in the process), i could

use TR or debug to unpack the prog (and learn nothing), or, i could reverse the 

unpacking routine and write my own unpacker for this kind of file.  I decided to go

for the third option.



To reverse the unpacking routine, I followed the jump at the entry point.  The first

thing it does is check the DOS version, then jumps to the next part of the code regardless

of what version of DOS is running.  This is where we want to start paying attention:





loc_0_3576:				

		mov	bx, 10h     ; 

		add	bx, 0F0h    ; 10h + F0h = 100h*

		push	bx      

		mov	al, 0AAh    ; Encryption key into al

		add	al, 7	    ; change the key by adding 7

		push	cx

		mov	cx, 3465h   ; # of bytes to decrypt into cx



loc_0_3586:	

		jmp	loc_0_358A  ; jmp to decryption loop

; ŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸ

		db 0EAh	; Í

; ŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸŸ



loc_0_358A:				

		xor	cs:[bx], al ; xor the byte at cs:[bx] with our encryption key

		push	si      ; random code

		mov	si, 64h     ; ??

		sub	si, 27DBh   ; ??

		pop	bp		    ; ??	

		inc	al          ; increment the encryption key

		inc	bx          ; look at the next byte in the program

		loop	loc_0_3586 ; loop until all bytes have been processed



* 100h is the starting location in memory of a .com file



So this code is pretty simple, get the encryption key, xor a byte by it, increment

the encryption key, and use it tdecryptpt the next byte in the file.

If thencryptionon routine ended here there would be a problem.  When the program is

packed, The first 3 bytes are changed to a jmp to this section of code.  Xor'ing this

jump by the encryption key will still leave us with 3 odd bytes at the start of the file.

So we go to the next section of the code:





		mov	bx, 100h

		mov	word ptr [bx], 0F0B8h

		mov	byte ptr [bx+2], 80h





Simple enough, the packer stores the first 3 bytes directly in the decryption routine.

Now, to write our own unpacker for these files.  I used C to do this, but you can use

whatever language is comfortable to you.  You can take at a look at the source to my

unpacker here.



Now, on to removing that nag...

Wait, this file is packed again...this time with PKLite.  Reversing PKLite is beyond

the scope of this essay, but PKLite has an option built into it to decompress packed

files. Just run pklite -x [filename] and the file is now unpacked.



Again, on to removing the nag...but wait, the file is packed yet again...

This time the file is compressed with the same packer used the first time, so, if you

wrote your unpacker properly you can make short work of this final layer of packing.



Now time to *finally* remove the nag.  IDA does not produce a very usable listing for 

this prog, so fire up TR, and step through this prog.  You will find a few sections

of code dedicated to printing characters and strings to the screen, then a few 

memory allocation calls then:





		mov	ds, cs:word_0_2B9	; setting up a far call

		push	ds			;

		pop	es			;

		assume es:seg000		;

		call	dword ptr cs:unk_0_2B7  ; NagUser();





Trace into the NagUser() function and here is what you will see:





		or	ax, ax	    ;Test value in ax

		jz	loc_0_BA4   ;jump

		clc	

		retf	

loc_0_BA4:				

		xor	ax, ax

		int	16h	    ; KEYBOARD - READ CHAR FROM BUFFER, WAIT IF EMPTY

				    ; Return: AH = scan code, AL = character

		cmp	ah, 49h	    ; compare the key pressed to "Page Up"

		jz	loc_0_BAF   ; jump if equal



Bingo! That's the code we're looking for. In order to kill the nag, we have to do

two things. First, stop the int 16h, because it waits for a keypress.  Second, force

the jz after the compare to always jump.  There are many ways to do these things, I

will let you figure them out for yourself.







/*********************************************************************************

	funp.cpp

	Unpacker for "f" encrypted .com files

	This code is not very neat...i threw it together pretty quickly, so please

	excuse the sloppyness.

*********************************************************************************/

#include <STDIO.h>

#include <STDLIB.h>



void main (int argc, char *argv[]) {

    FILE *packed, *unpacked;

	int codeloc, count, i, curbyte;

	char key;

	printf("f-Unpacker by The RudeBoy [PC]\n");

	if (argc <3)

	{

		printf("USAGE: funp [packed file] [unpacked file]\n");

		exit(-1);

	}

	// Open the files

    if((packed = fopen(argv[1], "rb")) == NULL){

        printf("Error: cannot locate %s\n", argv[1]);

        exit(-1);

    }                

	if ((unpacked = fopen(argv[2], "wb")) == NULL)

	{

        printf("Error: cannot open %s\n", argv[2]);

        exit(-1);

	}



	//Seek in one byte, to get the location of the decryption code

	"if(fseek(packed,1.class" tppabs="http://fravia.org/if(fseek(packed,1.class" , SEEK_SET)){

        printf("Error in %s: cannot seek to 0x1\n", argv[1]);

        exit(-1);

    }

	codeloc = 0;

	//Get the location of the decryption code (relative to the current location in the file)

	if( fread(&codeloc, sizeof(short), 1, packed) != 1)

	{

		printf("Error in %s: could not read data\n", argv[1]);

		exit(-1);

	}

	codeloc += 3; //So we have the total length from the start of the file to the code

	if(fseek(packed,codeloc + 0x17 , SEEK_SET)){

        printf("Error in %s: cannot seek to 0x%X\n", argv[1], codeloc);

        exit(-1);

    }

	//Get the initial decryption key

	if( fread(&key, sizeof(char), 1, packed) != 1)

	{

		printf("Error in %s: could not read data\n", argv[1]);

		exit(-1);

	}

	//add 7

	key += 7;

	count = 0;

	if(fseek(packed,codeloc + 0x1C , SEEK_SET)){

        printf("Error in %s: cannot seek to 0x%X\n", argv[1], codeloc);

        exit(-1);

    }

	//Get the number of encrypted bytes

	if( fread(&count, sizeof(short), 1, packed) != 1)

	{

		printf("Error in %s: could not read data\n", argv[1]);

		exit(-1);

	}

	//Go to the beginning of the file to start the decryption

    fseek(packed,0 , SEEK_SET);

	//Decryption loop

	for(i = 1;i<=count;i++)

	{

		//Get the next byte from the packed file

		curbyte = fgetc(packed);

		//xor it by the key

		curbyte ^= key;

		//and write it to the decrypted file

		fputc( curbyte, unpacked);

		//increment the key, or make it 0 if it equals 0xFF

		if(key == 0xFF)

			key = 0;

		else

			key++;

	}

	//Go to the location in the packed file where the "real" first 3 bytes are found

	if(fseek(packed,codeloc + 0x38 , SEEK_SET)){

        printf("Error in %s: cannot seek to 0x%X\n", argv[1], codeloc);

        exit(-1);

    }

	fseek(unpacked,0 , SEEK_SET);

	//Get each of those bytes and write them to the unpacked file

	curbyte = fgetc(packed);

    fputc( curbyte, unpacked);

	curbyte = fgetc(packed);

    fputc( curbyte, unpacked);

	fseek(packed,3 , SEEK_CUR);

	curbyte = fgetc(packed);

    fputc( curbyte, unpacked);

	

	//close the files

    fclose(packed);

    fclose(unpacked);

	

	printf("Done.\n");



}

//----------------------------------------------------------------------------------







Ob Duh
Ob duh doesn't apply, it's reversing for reversing sake , here

You are deep inside fravia's page of reverse engineering, choose your way out:

projunpa
Back to the packers' section

redhomepage redlinks redsearch_forms red+ORC redstudents' essays redacademy database
redreality cracking redhow to search redjavascript wars
redtools redanonymity academy redcocktails redantismut CGI-scripts redmail_fravia+
redIs reverse engineering legal?