Created: Monday, December 6 2010 13:19.11 CST
Reversing a Crack: Unpacking and the Fake IAT
Author: johnnycannuk
Part of the new day job is to figure out how things get "cracked" and what to recommend to prevent it. Seemed simple enough, though to be honest, most of my reversing has been to understand how things work, rather than for malware and cracking. That means that while I can read x86 ASM and understand Windows system calls etc., I was not that great at unpacking and rebuilding IATs, stuff essential for getting a proper PE image that can be reversed in IDA Pro without issues. So, to sharpen my skills and to learn some new techniques, I decided to try reversing a crack to discover how it worked.
The Game: Zuma Deluxe from Zylom
The Crack: Zylom.Zuma.Deluxe.1.0.0.1_CRKEXE-FFF.zip from keygens.nl
Tools:
Immunity DBG (with Olly PEDumper)
Olly 1.10 with Olly Advanced and OllyDump
ImpREC 1.7c
LordPE
PEiD
CFF Explorer by Daniel Pistelli
IDA Pro v6
Resources used:
##re (big thanks to usualsuspect, upb and __jon)
Reviewing lena151 tutorials, specifically 3, 20 and 21 (Thanks lena151 wherever you are!)
Note: I chose Zuma Deluxe for a few reasons. First, it's an older game that I am familiar with. Second, the original uncracked version is small and easily obtainable for use in differential analysis. THIS ISN'T A TUTORIAL ON CRACKING THE GAME, this is about reversing the crack. Third, this game has literally hundreds of cracks already out there and clearly this is not in any way affecting Zylom. Once again, Zuma isn't the target of the reversing, the Zuma cracked version is.
Now, with the CMA out of the way, let me say this: the interesting part was not how the crack worked (that was so incredibly easy, even I could have cracked the game without help) but how the crack was packaged. Basically the CRACK had better binary security measures protecting it than the legitimate game.
Unpacking
---------
My plan was to simply reverse the crack in IDA, find the differences between it and the legit binary and figure out if there was a better way. Not so fast: first, unlike the legit binary, the crack was packed.
According to PEiD it was packed with "PECompact 2.x -> Jeremy Collake". Well, the unpacker I had kept failing (despite working on other similarly packed binaries). Time to do some investigating.
What follows in this unpacking section comes from my chats with usualsuspect on ##re. I present it not as my own doing, but as an educational resource. I learned more about mupping in the last week than I knew there even was to learn (thanks again usualsuspect). The entry point looked like this:
00401000 > $ B8 A8685B00 MOV EAX,Zuma-cra.005B68A8
00401005 . 50 PUSH EAX
00401006 . 64:FF35 000000>PUSH DWORD PTR FS:[0]
0040100D . 64:8925 000000>MOV DWORD PTR FS:[0],ESP
00401014 . 33C0 XOR EAX,EAX
00401016 . 8908 MOV DWORD PTR DS:[EAX],ECX
00401018 . 50 PUSH EAX
00401019 . 45 INC EBP
0040101A . 43 INC EBX
0040101B . 6F OUTS DX,DWORD PTR ES:[EDI] ; I/O command
0040101C . 6D INS DWORD PTR ES:[EDI],DX ; I/O command
0040101D . 70 61 JO SHORT Zuma-cra.00401080
0040101F . 637432 00 ARPL WORD PTR DS:[EDX+ESI],SI
00401023 A2 DB A2
00401024 46 DB 46 ; CHAR 'F'
00401025 97 DB 97
00401026 FD DB FD
00401027 8C DB 8C
00401028 A5 DB A5
00401029 37 DB 37 ; CHAR '7'
0040102A 06 DB 06
0040102B A1 DB A1
Stepping through, it looks like Zuma-cra.005B68A8 is being installed as an SEH handler:
0012FFBC 0012FFE0 Pointer to next SEH record
0012FFC0 005B68A8 SE handler
0012FFC4 7C817077 RETURN to kernel32.7C817077
0012FFC8 7C910228 ntdll.7C910228
0012FFCC FFFFFFFF
0012FFD0 7FFDF000
0012FFD4 8054B6ED
0012FFD8 0012FFC8
So, put a breakpoint on it and go. The first thing you notice is that the code doesn't jump to an unpacking routine, but deliberately causes an error:
00401014 . 33C0 XOR EAX,EAX
00401016 . 8908 MOV DWORD PTR DS:[EAX],ECX <-- Access violation since EAX will be 000000
The SEH chain then kicks in. If you press Shift-F9 (in either Immunity or Olly) you land on your first breakpoint. This looks very much like an anti-auto-unpacking measure, trying to convince you that the file is corrupt.
005B68A8 B8 2D565BF0 MOV EAX,F05B562D <-- breaks here
005B68AD 8D88 9E120010 LEA ECX,DWORD PTR DS:[EAX+1000129E]
005B68B3 8941 01 MOV DWORD PTR DS:[ECX+1],EAX
005B68B6 8B5424 04 MOV EDX,DWORD PTR SS:[ESP+4]
005B68BA 8B52 0C MOV EDX,DWORD PTR DS:[EDX+C]
005B68BD C602 E9 MOV BYTE PTR DS:[EDX],0E9
005B68C0 83C2 05 ADD EDX,5
005B68C3 2BCA SUB ECX,EDX
005B68C5 894A FC MOV DWORD PTR DS:[EDX-4],ECX
005B68C8 33C0 XOR EAX,EAX
005B68CA C3 RETN
005B68CB B8 78563412 MOV EAX,12345678 <--- where you eventually end up. Beginning of the unpacking routine
005B68D0 64:8F05 00000000 POP DWORD PTR FS:[0]
005B68D7 83C4 04 ADD ESP,4
005B68DA 55 PUSH EBP
005B68DB 53 PUSH EBX
005B68DC 51 PUSH ECX
F8 and step through slowly, watching the stack and the registers. You'll notice that at 005B68BD it's writing 0E9 to the address in EDX. A quick look at the registers shows that this is Zuma-cra.00401016 (MOV EDX,[ESP+4] loads the EXCEPTION_RECORD pointer the handler receives as its first argument, and [EDX+C] is that record's ExceptionAddress field), and this should look familiar: it's the faulty MOV that caused the access violation that triggered the SEH in the first place. And 0E9 is the opcode for JMP rel32. Now, you could place a breakpoint here and single step, or you could notice that the value in ECX (after SUB ECX,EDX has turned it into a relative offset) is being written right after the 0E9, creating the following instruction at Zuma-cra.00401016:
JMP Zuma-cra.005B68CB
which is immediately after the RETN of the SEH handler you are in. This is clearly the unpacking routine. If you step through, you'll notice it accessing kernel32 to do lots of writes to the process. It is both decrypting the packed binary and doing something else. Of course, by the time you see the call to IsDebuggerPresent, it is almost too late. You can either patch by hand, change the flags, or restart the process using Immunity's !hidedebug IsDebuggerPresent or the same setting in the Olly Advanced plugin for Olly. I prefer the easy way. If you then step through, you get to:
005B6962 8BC6 MOV EAX,ESI
005B6964 5A POP EDX
005B6965 5E POP ESI
005B6966 5F POP EDI
005B6967 59 POP ECX
005B6968 5B POP EBX
005B6969 5D POP EBP
005B696A -FFE0 JMP EAX ; Zuma-cra.004FCF02 <--- OEP
005B696C 02CF ADD CL,BH
005B696E 4F DEC EDI
005B696F 0000 ADD BYTE PTR DS:[EAX],AL
So jump to Zuma-cra.004FCF02 and re-analyze in either Immunity or Olly (either the built-in analysis or AnalyzeThis!) and the code appears, unpacked and ready to run or analyze.
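To make the handler's arithmetic concrete, here is an added Python example (not code from the post) that reproduces what the handler at 005B68A8 computes from its two constants and the faulting address, and decodes the resulting JMP the way a debugger would display it; the constants come from the listings above, and FAULT_ADDR is the MOV at 00401016.

```python
# Constants taken from the handler listing above.
FAULT_ADDR = 0x00401016   # MOV DWORD PTR DS:[EAX],ECX, the instruction that faults
LEA_BASE = 0xF05B562D     # MOV EAX,F05B562D
LEA_DISP = 0x1000129E     # LEA ECX,DWORD PTR DS:[EAX+1000129E]
MASK32 = 0xFFFFFFFF


def handler_target():
    """ECX after the LEA: the addition wraps at 32 bits, so the continuation
    address 005B68CB never appears as a literal in the handler's bytes."""
    return (LEA_BASE + LEA_DISP) & MASK32


def jmp_patch(fault_addr=FAULT_ADDR, target=None):
    """Bytes the handler writes over the faulting instruction: E9 followed by
    rel32 = target - (fault_addr + 5), i.e. the SUB ECX,EDX after ADD EDX,5."""
    if target is None:
        target = handler_target()
    rel32 = (target - (fault_addr + 5)) & MASK32
    return b"\xE9" + rel32.to_bytes(4, "little")


def decode_jmp_rel32(addr, code):
    """Read back a 5-byte JMP rel32 at addr and return its destination."""
    if len(code) < 5 or code[0] != 0xE9:
        raise ValueError("not a JMP rel32")
    rel = int.from_bytes(code[1:5], "little", signed=True)
    return (addr + 5 + rel) & MASK32


if __name__ == "__main__":
    patch = jmp_patch()
    print("handler continues at %08X" % handler_target())
    print("bytes written at %08X: %s" % (FAULT_ADDR, patch.hex().upper()))
    print("decodes as JMP %08X" % decode_jmp_rel32(FAULT_ADDR, patch))
```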
Dumping
-------
So at this point I decided to dump the process, rebuild the PE and use IDA to do some static analysis. After more than a few tries, I came quickly to the conclusion that Immunity + Olly PE Dumper (the only dumping utility for Immunity I could find) screwed up the IAT so completely that it was not recoverable. It seemed to find the IAT of the original packed binary, rather than the newly rewritten one from the currently running process. Though many of the DLLs were the same, there were many more functions and a few more DLLs. I was able to determine this by looking at the Import Directory of the dumped PE in CFF. It was identical to the packed binary's, despite the fact that if you step through slowly enough, you can watch the calls that rewrite the IAT happen during the unpacking routine.
On to OllyDump and Olly. OllyDump seemed to find the correct IAT, but only when the "Rebuild Imports" check box was deselected. Otherwise it created no import table at all.
Looking at this binary with CFF showed 10 DLL imports with close to 250 functions being used. The IAT started at RVA 001AD000 and ended at 001AD464 (001AD458 + the size of the last IAT entry).
The next step, according to Hoyle, is to run ImpREC to rebuild the IAT and get a working binary (or one that can be run through LordPE to get one).
This is where things got weird.
ImpREC and IAT rebuilding
-------------------------
When I entered the new OEP into ImpREC and did an "Autosearch", it seemed to find the IAT and presented me with an RVA of 001ACFFC and a size of 000008CC. Figuring the tool knew more than I did, I accepted this and got the imports. Oddly, I got a list of 20 DLLs and their functions, not the 10 that were present in the dump OllyDump created. More curious, the list repeated itself:
advapi32.dll
comctl32.dll
gdi32.dll
kernel32.dll
oleaut32.dll
shell32.dll
user32.dll
winmm.dll
wsock32.dll
ole32.dll
advapi32.dll
comctl32.dll
gdi32.dll
kernel32.dll
oleaut32.dll
shell32.dll
user32.dll
winmm.dll
wsock32.dll
ole32.dll
All of the DLLs were at different addresses. When the dump was fixed with this default, the resulting binary would not run at all. Neither did rebuilding with LordPE help.
At first a few guys on ##re and I thought one part might be the unpacker's IAT and the other might be the IAT for the game, but after closer examination this did not seem to be the case. The original had a totally different RVA and size and referenced different functions. This was an exact repeat of the same list twice, with the same function calls, in contiguous RVA space that had obviously been written to memory by the unpacker itself.
So I jumped to the start of the IAT at RVA 001ACFFC (0051ACFFC in my CPU pane) and then followed it in the dump to see what was there:
005ACFEC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
005ACFFC 00 00 00 00 B2 7C DF 77 27 6C DD 77 E7 EA DD 77 ....�|�w'l�w���w
005AD00C BB 7A DD 77 F4 E9 DD 77 52 78 DD 77 A0 42 DE 77 �z�w���wRx�w�B�w
005AD01C E5 EC DD 77 B8 53 DE 77 F3 BC DF 77 32 43 DE 77 ���w�S�w��w2C�w
005AD02C 60 7B DF 77 D3 79 DF 77 00 00 00 00 16 8D 0C 5D `{�w�y�w....�.]
005AD03C 00 00 00 00 FF DC F1 77 0D B5 F1 77 C1 61 F1 77 ....���w.��w�a�w
005AD04C A5 61 F1 77 1C EF F1 77 DB 5E F1 77 56 6A F1 77 �a�w��w�^�wVj�w
005AD05C 77 5D F1 77 4F BA F1 77 71 5A F1 77 00 BF F3 77 w]�wO��wqZ�w.��w
005AD06C 45 DF F1 77 FA 6B F1 77 CE EC F1 77 25 8D F1 77 E��w�k�w���w%��w
005AD07C 70 5B F1 77 14 8E F1 77 11 E6 F1 77 4C 7B F1 77 p[�w��w��wL{�w
005AD08C 8C B3 F1 77 00 00 00 00 4C AD 85 7C 2E 98 80 7C ���w....L��|.��|
005AD09C B5 99 80 7C 02 D3 80 7C B5 A4 80 7C 7E 2B 81 7C ���|Ӏ|���|~+�|
005AD0AC A9 2A 81 7C 91 9F 80 7C 7A 13 91 7C DD 1E 83 7C �*�|���|z�|��|
005AD0BC 98 9C 80 7C 22 FF 80 7C B9 FF 80 7C CD FD 80 7C ���|"��|���|���|
005AD0CC CF FC 80 7C 63 13 82 7C 77 EE 80 7C E1 4E 83 7C ���|c�|w�|�N�|
005AD0DC 79 38 81 7C BD 2F 81 7C 6F B5 80 7C 41 B7 80 7C y8�|�/�|o��|A��|
005AD0EC 21 FE 90 7C DF E9 80 7C 7E AC 80 7C 7B 1D 80 7C !��|��|~��|{�|
005AD0FC 5D 49 84 7C 95 DE 80 7C 71 BA 80 7C C7 A4 80 7C ]I�|�ހ|q��|Ǥ�|
005AD10C 4E FA 82 7C 33 A8 80 7C 19 9F 80 7C AF AC 80 7C N��|3��|��|���|
005AD11C 06 98 80 7C 1A 98 80 7C 4D 1C 83 7C 28 1A 80 7C ��|��|M�|(�|
005AD12C D4 1A 80 7C F2 1E 80 7C C3 2C 81 7C F6 2D 81 7C ��|��|�,�|�-�|
005AD13C C0 99 80 7C 53 1D 80 7C 82 19 82 7C 27 0E 81 7C ���|S�|��|'�|
005AD14C AC 17 82 7C F1 C1 85 7C 74 A1 80 7C C5 AB 92 7C ��|���|t��|ū�|
005AD15C 12 CB 81 7C F8 C0 80 7C 27 29 83 7C D7 06 81 7C ˁ|���|')�|��|
005AD16C 1A 1E 80 7C 2D FF 90 7C A1 9E 80 7C E9 17 80 7C �|-��|���|��|
005AD17C 40 AE 80 7C 2E 50 83 7C 9C 39 81 7C A0 9B 91 7C @��|.P�|�9�|���|
005AD18C C4 00 91 7C F1 0E 81 7C 12 18 80 7C 18 8E 83 7C �.�|��|�|��|
005AD19C 48 CD 80 7C 16 2F 81 7C 3F 2E 81 7C 30 FE 90 7C H̀|/�|?.�|0��|
005AD1AC 77 37 81 7C 65 9C 80 7C E0 97 80 7C DD 04 91 7C w7�|e��|���|��|
005AD1BC CA 3F 86 7C D9 2F 81 7C EF D6 81 7C 93 CC 81 7C �?�|�/�|�ց|�́|
005AD1CC 87 4B 81 7C A8 2F 81 7C 37 CD 80 7C 98 0F 81 7C �K�|�/�|7̀|��|
005AD1DC 56 2C 81 7C 84 9B 80 7C F1 9A 80 7C E1 26 81 7C V,�|���|�|�&�|
005AD1EC 2E 0C 81 7C EF 50 83 7C 76 20 83 7C 7B D3 81 7C ..�|�P�|v �|{Ӂ|
005AD1FC 3C 8A 83 7C 30 A5 80 7C B0 9F 80 7C 11 7D 83 7C <��|0��|���|}�|
005AD20C C3 C1 81 7C 6B 11 81 7C 6F BD 80 7C C3 B2 81 7C ���|k�|o��|ò�|
005AD21C 47 28 81 7C 17 D1 80 7C FE A3 80 7C A8 34 83 7C G(�|р|���|�4�|
005AD22C 02 16 81 7C A4 16 82 7C A8 F7 82 7C BD 2E 81 7C �|��|���|�.�|
005AD23C 4D C0 80 7C 35 14 82 7C 09 2A 83 7C 66 98 80 7C M��|5�|.*�|f��|
005AD24C E0 10 90 7C 00 10 90 7C 0D 61 83 7C 4A 93 80 7C ��|.�|.a�|J��|
005AD25C B5 08 83 7C 8B 99 80 7C A8 C1 80 7C E7 9B 80 7C ��|���|���|盀|
005AD26C DB A0 80 7C 30 25 80 7C B7 A0 80 7C D0 97 80 7C ۠�|0%�|���|З�|
005AD27C E3 14 82 7C 46 24 80 7C DC 15 81 7C 00 00 00 00 ��|F$�|��|....
005AD28C 80 48 12 77 39 4B 12 77 00 00 00 00 A8 11 A4 7C �Hw9Kw....��|
005AD29C 00 00 00 00 6E 43 42 7E 7D 6D 45 7E 6B F5 42 7E ....nCB~}mE~k�B~
005AD2AC 6B 21 43 7E BA 0D 43 7E C7 03 43 7E 2E 8C 41 7E k!C~�.C~�C~.�A~
005AD2BC A9 E4 42 7E 40 11 43 7E 9D C2 42 7E ED 42 42 7E ��B~@C~��B~�BB~
005AD2CC 7E C1 42 7E FD 8F 42 7E E9 8F 42 7E 5D 94 41 7E ~�B~��B~�B~]�A~
005AD2DC 9C 8F 41 7E 59 70 45 7E 5E EA 42 7E F6 E8 42 7E ��A~YpE~^�B~��B~
005AD2EC FD AA 42 7E 28 8E 41 7E 12 D3 42 7E B4 90 42 7E ��B~(�A~�B~��B~
005AD2FC 2B 77 42 7E 89 C6 43 7E 02 C7 43 7E 2F 9C 42 7E +wB~��C~�C~/�B~
005AD30C C8 98 42 7E 78 8E 41 7E AB 8E 41 7E D2 D1 42 7E ȘB~x�A~��A~��B~
005AD31C A8 03 43 7E C2 F3 42 7E AB AE 42 7E 7F 5F 45 7E �C~��B~��B~_E~
005AD32C 3D 9E 42 7E 44 99 42 7E 00 F1 44 7E E7 C2 43 7E =�B~D�B~.�D~��C~
005AD33C 22 78 42 7E 46 DE 41 7E 66 97 42 7E 5E C3 42 7E "xB~F�A~f�B~^�B~
005AD34C 7A C3 42 7E 77 02 43 7E 9E 0F 43 7E 65 02 43 7E z�B~wC~�C~eC~
005AD35C EA 07 45 7E 30 99 42 7E 3E D3 42 7E 4E 97 42 7E �E~0�B~>�B~N�B~
005AD36C A0 97 42 7E 9C B1 42 7E B2 DE 42 7E 56 AF 42 7E ��B~��B~��B~V�B~
005AD37C 11 90 42 7E 39 C7 43 7E C7 86 41 7E 9D 86 41 7E �B~9�C~džA~��A~
005AD38C 8E 90 42 7E 60 9B 42 7E 4E 4A 42 7E 9E B2 42 7E ��B~`�B~NJB~��B~
005AD39C 12 B1 42 7E 40 A3 42 7E F6 8B 41 7E 49 98 42 7E �B~@�B~��A~I�B~
005AD3AC B8 96 41 7E 00 00 00 00 F8 94 B4 76 DF AC B4 76 ��A~....���v߬�v
005AD3BC A5 AD B4 76 BF A8 B5 76 4F 4E B4 76 E1 07 B5 76 ���v���vON�v��v
005AD3CC D4 02 B5 76 E1 95 B4 76 56 04 B5 76 F3 05 B5 76 ��vᕴvV�v��v
005AD3DC B2 06 B5 76 00 00 00 00 53 2E AB 71 55 53 AB 71 ��v....S.�qUS�q
005AD3EC 7B 3F AB 71 A8 30 AB 71 ED 3F AB 71 E1 2E AB 71 {?�q�0�q�?�q�.�q
005AD3FC 50 3F AB 71 11 42 AB 71 55 6A AB 71 40 10 AC 71 P?�qB�qUj�q@�q
005AD40C D3 8C AB 71 91 E4 AB 71 03 E7 AB 71 80 44 AB 71 ӌ�q��q�q�D�q
005AD41C 30 2E AD 71 F6 0B AC 71 10 3D AB 71 AD 2E AB 71 0.�q��q=�q�.�q
005AD42C C1 45 AB 71 68 0B AC 71 53 2E AB 71 AD 2E AB 71 �E�qh�qS.�q�.�q
005AD43C 07 4A AB 71 CE 3C AB 71 27 4C AB 71 70 2E AD 71 J�q�<�q'L�qp.�q
005AD44C 2B 3E AB 71 D6 2E AD 71 00 00 00 00 4A F9 52 77 +>�q�.�q....J�Rw
005AD45C AC F1 4F 77 00 00 00 00 B2 7C DF 77 27 6C DD 77 ��Ow....�|�w'l�w
005AD46C E7 EA DD 77 BB 7A DD 77 F4 E9 DD 77 52 78 DD 77 ���w�z�w���wRx�w
005AD47C A0 42 DE 77 E5 EC DD 77 B8 53 DE 77 F3 BC DF 77 �B�w���w�S�w��w
005AD48C 32 43 DE 77 60 7B DF 77 D3 79 DF 77 00 00 00 00 2C�w`{�w�y�w....
005AD49C 16 8D 0C 5D 00 00 00 00 FF DC F1 77 0D B5 F1 77 �.]....���w.��w
005AD4AC C1 61 F1 77 A5 61 F1 77 1C EF F1 77 DB 5E F1 77 �a�w�a�w��w�^�w
005AD4BC 56 6A F1 77 77 5D F1 77 4F BA F1 77 71 5A F1 77 Vj�ww]�wO��wqZ�w
005AD4CC 00 BF F3 77 45 DF F1 77 FA 6B F1 77 CE EC F1 77 .��wE��w�k�w���w
005AD4DC 25 8D F1 77 70 5B F1 77 14 8E F1 77 11 E6 F1 77 %��wp[�w��w��w
005AD4EC 4C 7B F1 77 8C B3 F1 77 00 00 00 00 4C AD 85 7C L{�w���w....L��|
005AD4FC 2E 98 80 7C B5 99 80 7C 02 D3 80 7C B5 A4 80 7C .��|���|Ӏ|���|
005AD50C 7E 2B 81 7C A9 2A 81 7C 91 9F 80 7C 7A 13 91 7C ~+�|�*�|���|z�|
005AD51C DD 1E 83 7C 98 9C 80 7C 22 FF 80 7C B9 FF 80 7C ��|���|"��|���|
005AD52C CD FD 80 7C CF FC 80 7C 63 13 82 7C 77 EE 80 7C ���|���|c�|w�|
005AD53C E1 4E 83 7C 79 38 81 7C BD 2F 81 7C 6F B5 80 7C �N�|y8�|�/�|o��|
005AD54C 41 B7 80 7C 21 FE 90 7C DF E9 80 7C 7E AC 80 7C A��|!��|��|~��|
005AD55C 7B 1D 80 7C 5D 49 84 7C 95 DE 80 7C 71 BA 80 7C {�|]I�|�ހ|q��|
005AD56C C7 A4 80 7C 4E FA 82 7C 33 A8 80 7C 19 9F 80 7C Ǥ�|N��|3��|��|
005AD57C AF AC 80 7C 06 98 80 7C 1A 98 80 7C 4D 1C 83 7C ���|��|��|M�|
005AD58C 28 1A 80 7C D4 1A 80 7C F2 1E 80 7C C3 2C 81 7C (�|��|��|�,�|
005AD59C F6 2D 81 7C C0 99 80 7C 53 1D 80 7C 82 19 82 7C �-�|���|S�|��|
005AD5AC 27 0E 81 7C AC 17 82 7C F1 C1 85 7C 74 A1 80 7C '�|��|���|t��|
005AD5BC C5 AB 92 7C 12 CB 81 7C F8 C0 80 7C 27 29 83 7C ū�|ˁ|���|')�|
005AD5CC D7 06 81 7C 1A 1E 80 7C 2D FF 90 7C A1 9E 80 7C ��|�|-��|���|
005AD5DC E9 17 80 7C 40 AE 80 7C 2E 50 83 7C 9C 39 81 7C ��|@��|.P�|�9�|
005AD5EC A0 9B 91 7C C4 00 91 7C F1 0E 81 7C 12 18 80 7C ���|�.�|��|�|
005AD5FC 18 8E 83 7C 48 CD 80 7C 16 2F 81 7C 3F 2E 81 7C ��|H̀|/�|?.�|
005AD60C 30 FE 90 7C 77 37 81 7C 65 9C 80 7C E0 97 80 7C 0��|w7�|e��|���|
005AD61C DD 04 91 7C CA 3F 86 7C D9 2F 81 7C EF D6 81 7C ��|�?�|�/�|�ց|
005AD62C 93 CC 81 7C 87 4B 81 7C A8 2F 81 7C 37 CD 80 7C �́|�K�|�/�|7̀|
005AD63C 98 0F 81 7C 56 2C 81 7C 84 9B 80 7C F1 9A 80 7C ��|V,�|���|�|
005AD64C E1 26 81 7C 2E 0C 81 7C EF 50 83 7C 76 20 83 7C �&�|..�|�P�|v �|
005AD65C 7B D3 81 7C 3C 8A 83 7C 30 A5 80 7C B0 9F 80 7C {Ӂ|<��|0��|���|
005AD66C 11 7D 83 7C C3 C1 81 7C 6B 11 81 7C 6F BD 80 7C }�|���|k�|o��|
005AD67C C3 B2 81 7C 47 28 81 7C 17 D1 80 7C FE A3 80 7C ò�|G(�|р|���|
005AD68C A8 34 83 7C 02 16 81 7C A4 16 82 7C A8 F7 82 7C �4�|�|��|���|
005AD69C BD 2E 81 7C 4D C0 80 7C 35 14 82 7C 09 2A 83 7C �.�|M��|5�|.*�|
005AD6AC 66 98 80 7C E0 10 90 7C 00 10 90 7C 0D 61 83 7C f��|��|.�|.a�|
005AD6BC 4A 93 80 7C B5 08 83 7C 8B 99 80 7C A8 C1 80 7C J��|��|���|���|
005AD6CC E7 9B 80 7C DB A0 80 7C 30 25 80 7C B7 A0 80 7C 盀|۠�|0%�|���|
005AD6DC D0 97 80 7C E3 14 82 7C 46 24 80 7C DC 15 81 7C �|��|F$�|��|
005AD6EC 00 00 00 00 80 48 12 77 39 4B 12 77 00 00 00 00 ....�Hw9Kw....
005AD6FC A8 11 A4 7C 00 00 00 00 6E 43 42 7E 7D 6D 45 7E ��|....nCB~}mE~
005AD70C 6B F5 42 7E 6B 21 43 7E BA 0D 43 7E C7 03 43 7E k�B~k!C~�.C~�C~
005AD71C 2E 8C 41 7E A9 E4 42 7E 40 11 43 7E 9D C2 42 7E .�A~��B~@C~��B~
005AD72C ED 42 42 7E 7E C1 42 7E FD 8F 42 7E E9 8F 42 7E �BB~~�B~��B~�B~
005AD73C 5D 94 41 7E 9C 8F 41 7E 59 70 45 7E 5E EA 42 7E ]�A~��A~YpE~^�B~
005AD74C F6 E8 42 7E FD AA 42 7E 28 8E 41 7E 12 D3 42 7E ��B~��B~(�A~�B~
005AD75C B4 90 42 7E 2B 77 42 7E 89 C6 43 7E 02 C7 43 7E ��B~+wB~��C~�C~
005AD76C 2F 9C 42 7E C8 98 42 7E 78 8E 41 7E AB 8E 41 7E /�B~ȘB~x�A~��A~
005AD77C D2 D1 42 7E A8 03 43 7E C2 F3 42 7E AB AE 42 7E ��B~�C~��B~��B~
005AD78C 7F 5F 45 7E 3D 9E 42 7E 44 99 42 7E 00 F1 44 7E _E~=�B~D�B~.�D~
005AD79C E7 C2 43 7E 22 78 42 7E 46 DE 41 7E 66 97 42 7E ��C~"xB~F�A~f�B~
005AD7AC 5E C3 42 7E 7A C3 42 7E 77 02 43 7E 9E 0F 43 7E ^�B~z�B~wC~�C~
005AD7BC 65 02 43 7E EA 07 45 7E 30 99 42 7E 3E D3 42 7E eC~�E~0�B~>�B~
005AD7CC 4E 97 42 7E A0 97 42 7E 9C B1 42 7E B2 DE 42 7E N�B~��B~��B~��B~
005AD7DC 56 AF 42 7E 11 90 42 7E 39 C7 43 7E C7 86 41 7E V�B~�B~9�C~džA~
005AD7EC 9D 86 41 7E 8E 90 42 7E 60 9B 42 7E 4E 4A 42 7E ��A~��B~`�B~NJB~
005AD7FC 9E B2 42 7E 12 B1 42 7E 40 A3 42 7E F6 8B 41 7E ��B~�B~@�B~��A~
005AD80C 49 98 42 7E B8 96 41 7E 00 00 00 00 F8 94 B4 76 I�B~��A~....���v
005AD81C DF AC B4 76 A5 AD B4 76 BF A8 B5 76 4F 4E B4 76 ߬�v���v���vON�v
005AD82C E1 07 B5 76 D4 02 B5 76 E1 95 B4 76 56 04 B5 76 ��v��vᕴvV�v
005AD83C F3 05 B5 76 B2 06 B5 76 00 00 00 00 53 2E AB 71 ��v��v....S.�q
005AD84C 55 53 AB 71 7B 3F AB 71 A8 30 AB 71 ED 3F AB 71 US�q{?�q�0�q�?�q
005AD85C E1 2E AB 71 50 3F AB 71 11 42 AB 71 55 6A AB 71 �.�qP?�qB�qUj�q
005AD86C 40 10 AC 71 D3 8C AB 71 91 E4 AB 71 03 E7 AB 71 @�qӌ�q��q�q
005AD87C 80 44 AB 71 30 2E AD 71 F6 0B AC 71 10 3D AB 71 �D�q0.�q��q=�q
005AD88C AD 2E AB 71 C1 45 AB 71 68 0B AC 71 53 2E AB 71 �.�q�E�qh�qS.�q
005AD89C AD 2E AB 71 07 4A AB 71 CE 3C AB 71 27 4C AB 71 �.�qJ�q�<�q'L�q
005AD8AC 70 2E AD 71 2B 3E AB 71 D6 2E AD 71 00 00 00 00 p.�q+>�q�.�q....
005AD8BC 4A F9 52 77 AC F1 4F 77 00 00 00 00 64 D4 1A 00 J�Rw��Ow....d�.
005AD8CC 00 00 00 00 00 00 00 00 A4 D9 1A 00 00 D0 1A 00 ........��..�.
005AD8DC 9C D4 1A 00 00 00 00 00 00 00 00 00 9C DA 1A 00 ��.........��.
005AD8EC 38 D0 1A 00 A4 D4 1A 00 00 00 00 00 00 00 00 00 8�.��.........
005AD8FC C0 DA 1A 00 40 D0 1A 00 F8 D4 1A 00 00 00 00 00 ��.@�.��.....
005AD90C 00 00 00 00 28 DC 1A 00 94 D0 1A 00 F0 D6 1A 00 ....(�.��.��.
005AD91C 00 00 00 00 00 00 00 00 0C E5 1A 00 8C D2 1A 00 .........�.��.
005AD92C FC D6 1A 00 00 00 00 00 00 00 00 00 3E E5 1A 00 ��.........>�.
005AD93C 98 D2 1A 00 04 D7 1A 00 00 00 00 00 00 00 00 00 ��.�.........
005AD94C 5A E5 1A 00 A0 D2 1A 00 18 D8 1A 00 00 00 00 00 Z�.��.�.....
005AD95C 00 00 00 00 D4 E9 1A 00 B4 D3 1A 00 48 D8 1A 00 ....��.��.H�.
005AD96C 00 00 00 00 00 00 00 00 A8 EA 1A 00 E4 D3 1A 00 ........��.��.
005AD97C BC D8 1A 00 00 00 00 00 00 00 00 00 06 EC 1A 00 ��.........�.
005AD98C 58 D4 1A 00 00 00 00 00 00 00 00 00 00 00 00 00 X�.............
005AD99C 00 00 00 00 00 00 00 00 61 64 76 61 70 69 33 32 ........advapi32
005AD9AC 2E 64 6C 6C 00 00 0B 02 52 65 70 6F 72 74 45 76 .dll..ReportEv
005AD9BC 65 6E 74 41 00 00 CB 01 52 65 67 43 6C 6F 73 65 entA..�RegClose
The size reported by ImpREC, 8CC, started to look a little large, considering the CFF output showed the IAT address of the last import was only at RVA 001AD458 (0051AD458). So I tried setting the size to one that matched the CFF output, changing 8CC to 464.
Sure enough, the dumped binary ran fine (in a VM of course ;-) ) and IDA had no issues reversing it for analysis.
Looking at the dump above you should notice something: between the last entry starting at 005AD458 and the start of the next at 005AD464 is 000000, the same value that is used to separate the per-DLL IAT tables. This is why ImpREC thought the size was 8CC: it read the memory, parsing it as if 000000 were the delimiter between IAT entries. When running in memory, this meant nothing, as the calls would still work. The extra, duplicate IAT entries seem to have been written with no purpose other than to prevent dumping with ImpREC itself.
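Reading the tail of the dump above as IMAGE_IMPORT_DESCRIPTORs (five DWORDs each, starting at 005AD8C8: OriginalFirstThunk 001AD464, Name 001AD9A4, which is where the "advapi32.dll" string sits, FirstThunk 001AD000) shows that the second copy is the descriptors' OriginalFirstThunk tables filled with the same resolved addresses as the IAT, and that ImpREC's 8CC runs exactly up to the descriptor array. The added Python below, not code from the post, rebuilds that layout with constructed pointer values and DLL names and contrasts a simplified memory-scan heuristic (a model of the auto-search idea, not ImpREC's actual code) with bounding the IAT from the import directory the way the CFF view does; the MODULES ranges and SAMPLE_DLLS are assumptions.

```python
import struct

# RVAs follow the post's dump; pointer values, module ranges and DLL names
# are constructed sample data, not the game's real imports.
IAT_RVA = 0x001AD000
DESC_FMT = "<IIIII"  # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
DESC_SIZE = struct.calcsize(DESC_FMT)
MODULES = {"kernel32": (0x7C800000, 0x7C8F6000), "user32": (0x7E410000, 0x7E4A1000)}
SAMPLE_DLLS = [("kernel32.dll", [0x7C80AD4C, 0x7C80982E, 0x7C8099B5]),
               ("user32.dll", [0x7E42436E, 0x7E456D7D])]


def build_sample_image():
    """Constructed image laid out like the dump: null-terminated per-DLL thunk
    tables form the IAT, a byte-identical copy starts right after the IAT's
    last null, then the descriptor array, then the DLL name strings.
    Returns (image_bytes, rva_of_descriptor_array)."""
    img = bytearray(0x001AE000)
    tables = [b"".join(struct.pack("<I", p) for p in ptrs) + b"\0\0\0\0"
              for _, ptrs in SAMPLE_DLLS]
    iat_len = sum(len(t) for t in tables)
    dup_rva = IAT_RVA + iat_len                   # the "second IAT"
    desc_rva = dup_rva + iat_len
    name_rva = desc_rva + DESC_SIZE * (len(tables) + 1)
    ft, oft, descs = IAT_RVA, dup_rva, b""
    for (dll, _), t in zip(SAMPLE_DLLS, tables):
        img[ft:ft + len(t)] = t                    # real IAT table
        img[oft:oft + len(t)] = t                  # copy, reached via OriginalFirstThunk
        img[name_rva:name_rva + len(dll) + 1] = dll.encode() + b"\0"
        descs += struct.pack(DESC_FMT, oft, 0, 0, name_rva, ft)
        ft, oft, name_rva = ft + len(t), oft + len(t), name_rva + len(dll) + 1
    img[desc_rva:desc_rva + len(descs)] = descs    # zero terminator is already there
    return bytes(img), desc_rva


def naive_iat_size(img, start_rva):
    """Model of an auto-search heuristic (not ImpREC's code): accept any DWORD
    that points into a loaded module, treat one null as the gap between per-DLL
    tables, stop at two nulls in a row or at a value that is not a module address.
    A pointer block placed right after the IAT's last null gets swallowed."""
    rva, prev_null = start_rva, False
    while True:
        (val,) = struct.unpack_from("<I", img, rva)
        if val == 0:
            if prev_null:
                break
            prev_null = True
        elif any(lo <= val < hi for lo, hi in MODULES.values()):
            prev_null = False
        else:
            break
        rva += 4
    return rva - start_rva


def iat_from_import_directory(img, desc_rva):
    """Bound the IAT from the import directory instead of scanning memory: walk
    the IMAGE_IMPORT_DESCRIPTOR array and, per DLL, count FirstThunk entries up
    to and including the terminating null; also report whether that DLL's
    OriginalFirstThunk table is a byte copy of its IAT table.
    Returns (iat_rva, iat_size, [(dll_name, count, int_is_copy), ...])."""
    lo, hi, dlls = None, 0, []
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from(DESC_FMT, img, desc_rva)
        if ft == 0:
            break
        name = img[name_rva:img.index(b"\0", name_rva)].decode()
        n = 0
        while struct.unpack_from("<I", img, ft + 4 * n)[0] != 0:
            n += 1
        size = 4 * (n + 1)
        dlls.append((name, n, img[oft:oft + size] == img[ft:ft + size]))
        lo = ft if lo is None else min(lo, ft)
        hi = max(hi, ft + size)
        desc_rva += DESC_SIZE
    return lo, hi - lo, dlls
```

On the constructed image the scan started at the null before the IAT (IAT_RVA - 4, as ImpREC's 001ACFFC was) reports 3C bytes, while the descriptor walk gives the real 1C and flags every OriginalFirstThunk table as a copy of its IAT table.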
Conclusion
----------
It was a fantastic challenge and I learned more about PE file formats, IAT structure and mupping than I realized even existed. And I love the irony that the crack had SEH-based unpacking routines, anti-debug checking and a fake IAT to prevent (easy) dumping of the unpacked exe, while the legit binary had literally nothing in the way of protection, not even what a level 1 crackme has.