Reversing a Crack: Unpacking and the Fake IAT
Author: johnnycannuk
Created: Monday, December 6 2010 13:19.11 CST

Part of the new day job is to figure out how things get "cracked" and what to recommend to prevent it. Seemed simple enough, though to be honest most of my reversing has been to understand how things work, rather than malware or cracks. That means that while I can read x86 ASM and understand Windows system calls etc., I was not that great at unpacking and rebuilding IATs, stuff essential for getting a proper PE image that can be reversed in IDA Pro without issues. So, to sharpen my skills and learn some new techniques, I decided to try reversing a crack to discover how it worked.

The Game: Zuma Deluxe from Zylom
The Crack: Zylom.Zuma.Deluxe.1.0.0.1_CRKEXE-FFF.zip from keygens.nl

Tools:

Immunity DBG (with Olly PEDumper)
Olly 1.10 with Olly Advanced and OllyDump
ImpREC 1.7c
LordPE
PEiD
CFF Explorer by Daniel Pistelli
IDA Pro v6

Resources used:

##re (big thanks to usualsuspect, upb and __jon)
Reviewing lena151 tutorials, specifically 3, 20 and 21 (Thanks lena151 wherever you are!)

Note: I chose Zuma Deluxe for a few reasons. First, it's an older game that I am familiar with. Second, the original uncracked version is small and easily obtainable for use in differential analysis. THIS ISN'T A TUTORIAL ON CRACKING THE GAME, this is about reversing the crack. Thirdly, this game has literally hundreds of cracks already out there and clearly this is not in any way affecting Zylom. Once again, Zuma isn't the target of the reversing, the cracked version of Zuma is.

Now, with the CMA out of the way, let me say this: the interesting part was not how the crack worked (that was so incredibly easy, even I could have cracked the game without help) but how the crack was packaged. Basically the CRACK had better binary security measures protecting it than the legitimate game.


Unpacking
---------

My plan was to simply reverse the crack in IDA, find the differences between it and the legit binary and figure out if there was a better way. Not so fast: first, unlike the legit binary, the crack was packed.

According to PEiD it was packed with "PECompact 2.x -> Jeremy Collake". The unpacker I had kept failing (despite working on other similarly packed binaries). Time to do some investigating.

What follows in this unpacking section comes from my chats with usualsuspect on ##re. I present it not as my own doing, but as an educational resource. I learned more about mupping in the last week than I knew there was to learn (thanks again usualsuspect). The entry point looked like this:


00401000 > $ B8 A8685B00    MOV EAX,Zuma-cra.005B68A8
00401005   . 50             PUSH EAX
00401006   . 64:FF35 000000>PUSH DWORD PTR FS:[0]
0040100D   . 64:8925 000000>MOV DWORD PTR FS:[0],ESP
00401014   . 33C0           XOR EAX,EAX
00401016   . 8908           MOV DWORD PTR DS:[EAX],ECX
00401018   . 50             PUSH EAX
00401019   . 45             INC EBP
0040101A   . 43             INC EBX
0040101B   . 6F             OUTS DX,DWORD PTR ES:[EDI]               ;  I/O command
0040101C   . 6D             INS DWORD PTR ES:[EDI],DX                ;  I/O command
0040101D   . 70 61          JO SHORT Zuma-cra.00401080
0040101F   . 637432 00      ARPL WORD PTR DS:[EDX+ESI],SI
00401023     A2             DB A2
00401024     46             DB 46                                    ;  CHAR 'F'
00401025     97             DB 97
00401026     FD             DB FD
00401027     8C             DB 8C
00401028     A5             DB A5
00401029     37             DB 37                                    ;  CHAR '7'
0040102A     06             DB 06
0040102B     A1             DB A1


Stepping through, it looks like Zuma-cra.005B68A8 is being installed as an SEH handler (the PUSH FS:[0] / MOV FS:[0],ESP pair links a new exception registration record onto the head of the chain):


0012FFBC   0012FFE0   Pointer to next SEH record
0012FFC0   005B68A8   SE handler
0012FFC4   7C817077   RETURN to kernel32.7C817077
0012FFC8   7C910228   ntdll.7C910228
0012FFCC   FFFFFFFF
0012FFD0   7FFDF000
0012FFD4   8054B6ED
0012FFD8   0012FFC8

So, put a breakpoint on it and go. The first thing you notice is that the code doesn't jump to an unpacking routine, but purposely causes an error:

00401014   . 33C0           XOR EAX,EAX
00401016   . 8908           MOV DWORD PTR DS:[EAX],ECX  <-- Access violation since EAX will be 000000

The SEH chain then kicks in. Shift-F9 (pass the exception on to the program, in either Immunity or Olly) gets you to your first breakpoint. This looks very much like an anti-auto-unpacking measure, trying to convince you that the file is corrupt. Note also that the "code" following the faulting MOV (50 45 43 6F 6D 70 61 63 74 32 00) is just the ASCII string "PECompact2", which the disassembler dutifully decodes as the PUSH/INC/OUTS/INS nonsense in the listing above.

005B68A8   B8 2D565BF0      MOV EAX,F05B562D                   <-- breaks here
005B68AD   8D88 9E120010    LEA ECX,DWORD PTR DS:[EAX+1000129E]
005B68B3   8941 01          MOV DWORD PTR DS:[ECX+1],EAX
005B68B6   8B5424 04        MOV EDX,DWORD PTR SS:[ESP+4]
005B68BA   8B52 0C          MOV EDX,DWORD PTR DS:[EDX+C]
005B68BD   C602 E9          MOV BYTE PTR DS:[EDX],0E9
005B68C0   83C2 05          ADD EDX,5
005B68C3   2BCA             SUB ECX,EDX
005B68C5   894A FC          MOV DWORD PTR DS:[EDX-4],ECX
005B68C8   33C0             XOR EAX,EAX
005B68CA   C3               RETN
005B68CB   B8 78563412      MOV EAX,12345678            <--- where you eventually end up. Beginning of the unpacking routine
005B68D0   64:8F05 00000000 POP DWORD PTR FS:[0]
005B68D7   83C4 04          ADD ESP,4
005B68DA   55               PUSH EBP
005B68DB   53               PUSH EBX
005B68DC   51               PUSH ECX


F8 and step through slowly, watching the stack and the registers. EDX is loaded from [ESP+4], the EXCEPTION_RECORD pointer the handler receives as its first argument, and [EDX+C] is that record's ExceptionAddress field; so at 005B68BD the handler is writing 0E9 to the faulting address itself. A quick look at the registers confirms this is Zuma-cra.00401016, which should look familiar: it is the MOV that caused the access violation that triggered the SEH in the first place. And 0E9 is the opcode for JMP rel32. Now, you could place a breakpoint here and single step, or you could notice that ECX minus (EDX+5), i.e. the target relative to the end of the 5-byte jump, is written right after the 0E9, basically creating the following instruction at Zuma-cra.00401016:

JMP Zuma-cra.005B68CB

which is immediately following the RETN of the SEH handler you are in. The handler returns 0 (ExceptionContinueExecution), so the thread resumes at 00401016, now the JMP, and lands in what is clearly the unpacking routine. Note also the MOV DWORD PTR DS:[ECX+1],EAX at 005B68B3: with ECX = 005B68CB it overwrites the 12345678 immediate of the MOV EAX at 005B68CB with F05B562D before that instruction ever runs; the listing above shows the bytes as they were before the patch. If you step through, you'll notice it accessing kernel32 to do lots of writes to the process. It is both decrypting the packed binary and also doing something else. Of course, by the time you see the call to IsDebuggerPresent, it is almost too late. You can either patch by hand, change the flags, or restart the process using either Immunity's !hidedebug IsDebuggerPresent or the same setting in the Olly Advanced plugin for Olly. I prefer the easy way. If you then step through, you get to:


005B6962   8BC6             MOV EAX,ESI
005B6964   5A               POP EDX
005B6965   5E               POP ESI
005B6966   5F               POP EDI
005B6967   59               POP ECX
005B6968   5B               POP EBX
005B6969   5D               POP EBP
005B696A  -FFE0             JMP EAX                                  ; Zuma-cra.004FCF02 <--- OEP
005B696C   02CF             ADD CL,BH
005B696E   4F               DEC EDI
005B696F   0000             ADD BYTE PTR DS:[EAX],AL


So jump to Zuma-cra.004FCF02, re-analyse in either Immunity or Olly (either built in or with AnalyzeThis!) and the code appears, unpacked and ready to run or analyze.
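The handler's arithmetic is easy to get wrong by hand, so here is the exception-driven patch replayed in Python. This is an added example, not code from the post and not PECompact's: the constants and the bytes at 00401014 and 005B68CB are copied from the listings above, the EXCEPTION_RECORD layout is the standard Win32 one (ExceptionAddress at offset 0xC), and the sparse Memory class and the replay() harness are my own scaffolding.

```python
"""Replay of the SE handler at 005B68A8 from the listing above (added example,
not the post's or PECompact's code). Memory is a sparse stand-in for the
process so that 00401016 and 005B68CB can both be patched."""
import struct

MASK32 = 0xFFFFFFFF


class Memory:
    """Sparse byte-addressable memory; unwritten bytes read as zero."""
    def __init__(self):
        self._b = {}

    def write(self, addr, data):
        for i, byte in enumerate(data):
            self._b[(addr + i) & MASK32] = byte

    def read(self, addr, n):
        return bytes(self._b.get((addr + i) & MASK32, 0) for i in range(n))


def exception_record(fault_va, code=0xC0000005):
    """Minimal EXCEPTION_RECORD: ExceptionCode, ExceptionFlags, ExceptionRecord,
    ExceptionAddress (offset 0xC), NumberParameters."""
    return struct.pack("<IIIII", code, 0, 0, fault_va, 0)


def se_handler(mem, record):
    """Instruction-for-instruction model of 005B68A8..005B68CA. The SEH
    prototype passes the EXCEPTION_RECORD pointer first, i.e. at [ESP+4]."""
    eax = 0xF05B562D                                  # MOV EAX,F05B562D
    ecx = (eax + 0x1000129E) & MASK32                 # LEA ECX,[EAX+1000129E] -> 005B68CB
    mem.write(ecx + 1, struct.pack("<I", eax))        # MOV [ECX+1],EAX: patch imm32 of MOV EAX at 005B68CB
    edx = struct.unpack_from("<I", record, 0xC)[0]    # MOV EDX,[EDX+C]: ExceptionAddress (00401016)
    mem.write(edx, b"\xE9")                           # MOV BYTE [EDX],0E9: JMP rel32 opcode
    edx = (edx + 5) & MASK32                          # ADD EDX,5: address after the 5-byte JMP
    ecx = (ecx - edx) & MASK32                        # SUB ECX,EDX: rel32 = target - next_ip
    mem.write(edx - 4, struct.pack("<I", ecx))        # MOV [EDX-4],ECX: rel32 right behind the 0E9
    return 0                                          # XOR EAX,EAX; RETN -> ExceptionContinueExecution


def decode_jmp_rel32(mem, addr):
    """Decode E9 xx xx xx xx at addr and return the absolute target, or None."""
    if mem.read(addr, 1) != b"\xE9":
        return None
    rel = struct.unpack("<i", mem.read(addr + 1, 4))[0]
    return (addr + 5 + rel) & MASK32


def decode_mov_eax_imm32(mem, addr):
    """Decode B8 imm32 at addr and return the immediate, or None."""
    if mem.read(addr, 1) != b"\xB8":
        return None
    return struct.unpack("<I", mem.read(addr + 1, 4))[0]


def replay():
    """Lay down the bytes from the listings, deliver the fault, collect results."""
    mem = Memory()
    # 00401014: XOR EAX,EAX ; MOV [EAX],ECX ; then the "PECompact2\0" string bytes
    mem.write(0x00401014, bytes.fromhex("33 C0 89 08 50 45 43 6F 6D 70 61 63 74 32 00"))
    # 005B68CB: MOV EAX,12345678 as listed before the handler patches it
    mem.write(0x005B68CB, bytes.fromhex("B8 78 56 34 12"))
    status = se_handler(mem, exception_record(0x00401016))
    return {
        "handler_return": status,
        "jmp_bytes": mem.read(0x00401016, 5),
        "jmp_target": decode_jmp_rel32(mem, 0x00401016),
        "patched_mov_eax_imm": decode_mov_eax_imm32(mem, 0x005B68CB),
    }


if __name__ == "__main__":
    for key, val in replay().items():
        print(key, val.hex() if isinstance(val, bytes) else hex(val))
```

Running it shows the five bytes at 00401016 become E9 B0 58 1B 00, which decode to JMP 005B68CB, and that the immediate at 005B68CC has been replaced with F05B562D. The return value 0 models the XOR EAX,EAX / RETN: ExceptionContinueExecution is what makes the dispatcher resume at the (now patched) faulting address instead of unwinding to the next handler.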

Dumping
-------

So at this point I decided to dump the process, rebuild the PE and use IDA to do some static analysis. After more than a few tries, I quickly came to the conclusion that Immunity + Olly PE Dumper (the only dumping utility for Immunity I could find) screwed up the IAT so completely that it was not recoverable. It seemed to find the IAT of the original packed binary rather than the newly rewritten one from the running process. Though many of the DLLs were the same, the running process imported many more functions and a few more DLLs. I was able to determine this by looking at the Import Directory of the dumped PE in CFF: it was identical to the packed binary's, despite the fact that, if you step through slowly enough, you can watch the calls that rewrite the IAT happen during the unpacking routine.

On to OllyDump and Olly. OllyDump seemed to find the correct one, but only when the "Rebuild Imports" check box was deselected. Otherwise it created no import table at all.

Looking at this binary with CFF showed 10 DLL imports with close to 250 functions being used. The IAT started at RVA 001AD000 and ended at 001AD464 (001AD458 is the FirstThunk of the last descriptor; its entries plus the zero terminator end at 001AD464).

The next step, according to Hoyle, is to run ImpREC to rebuild the IAT and get a working binary (or one that can be run through LordPE to get one).

This is where things got weird.

ImpREC and IAT rebuilding
-------------------------

When I entered the new OEP into ImpREC and did an "Autosearch", it seemed to find the IAT and presented me with an RVA of 001ACFFC and a size of 000008CC. Figuring the tool knew more than I did, I accepted this and got the imports. Oddly, I got a list of 20 DLLs and their functions, not the 10 imported by the dump that OllyDump created. More curious, the list repeated itself:

advapi32.dll
comctl32.dll
gdi32.dll
kernel32.dll
oleaut32.dll
shell32.dll
user32.dll
winmm.dll
wsock32.dll
ole32.dll
advapi32.dll
comctl32.dll
gdi32.dll
kernel32.dll
oleaut32.dll
shell32.dll
user32.dll
winmm.dll
wsock32.dll
ole32.dll

Each DLL in the second half was at a different address from its first occurrence. When the dump was fixed with this default, the resulting binary would not run at all. Neither did rebuilding with LordPE help.

At first, myself and a few guys on ##re thought one part might be the unpacker's IAT and the other the IAT for the game, but after closer examination this did not seem to be the case. The original had a totally different RVA and size and referenced different functions. This was an exact repeat of the same list twice, with the same function calls, in contiguous RVA space that had obviously been written to memory by the unpacker itself.

So I jumped to the start of the IAT at RVA 001ACFFC (005ACFFC in the CPU pane) and followed it in the dump pane to see what was there:

005ACFEC  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
005ACFFC  00 00 00 00 B2 7C DF 77 27 6C DD 77 E7 EA DD 77
005AD00C  BB 7A DD 77 F4 E9 DD 77 52 78 DD 77 A0 42 DE 77
005AD01C  E5 EC DD 77 B8 53 DE 77 F3 BC DF 77 32 43 DE 77
005AD02C  60 7B DF 77 D3 79 DF 77 00 00 00 00 16 8D 0C 5D
005AD03C  00 00 00 00 FF DC F1 77 0D B5 F1 77 C1 61 F1 77
005AD04C  A5 61 F1 77 1C EF F1 77 DB 5E F1 77 56 6A F1 77
005AD05C  77 5D F1 77 4F BA F1 77 71 5A F1 77 00 BF F3 77
005AD06C  45 DF F1 77 FA 6B F1 77 CE EC F1 77 25 8D F1 77
005AD07C  70 5B F1 77 14 8E F1 77 11 E6 F1 77 4C 7B F1 77
005AD08C  8C B3 F1 77 00 00 00 00 4C AD 85 7C 2E 98 80 7C
005AD09C  B5 99 80 7C 02 D3 80 7C B5 A4 80 7C 7E 2B 81 7C
005AD0AC  A9 2A 81 7C 91 9F 80 7C 7A 13 91 7C DD 1E 83 7C
005AD0BC  98 9C 80 7C 22 FF 80 7C B9 FF 80 7C CD FD 80 7C
005AD0CC  CF FC 80 7C 63 13 82 7C 77 EE 80 7C E1 4E 83 7C
005AD0DC  79 38 81 7C BD 2F 81 7C 6F B5 80 7C 41 B7 80 7C
005AD0EC  21 FE 90 7C DF E9 80 7C 7E AC 80 7C 7B 1D 80 7C
005AD0FC  5D 49 84 7C 95 DE 80 7C 71 BA 80 7C C7 A4 80 7C
005AD10C  4E FA 82 7C 33 A8 80 7C 19 9F 80 7C AF AC 80 7C
005AD11C  06 98 80 7C 1A 98 80 7C 4D 1C 83 7C 28 1A 80 7C
005AD12C  D4 1A 80 7C F2 1E 80 7C C3 2C 81 7C F6 2D 81 7C
005AD13C  C0 99 80 7C 53 1D 80 7C 82 19 82 7C 27 0E 81 7C
005AD14C  AC 17 82 7C F1 C1 85 7C 74 A1 80 7C C5 AB 92 7C
005AD15C  12 CB 81 7C F8 C0 80 7C 27 29 83 7C D7 06 81 7C
005AD16C  1A 1E 80 7C 2D FF 90 7C A1 9E 80 7C E9 17 80 7C
005AD17C  40 AE 80 7C 2E 50 83 7C 9C 39 81 7C A0 9B 91 7C
005AD18C  C4 00 91 7C F1 0E 81 7C 12 18 80 7C 18 8E 83 7C
005AD19C  48 CD 80 7C 16 2F 81 7C 3F 2E 81 7C 30 FE 90 7C
005AD1AC  77 37 81 7C 65 9C 80 7C E0 97 80 7C DD 04 91 7C
005AD1BC  CA 3F 86 7C D9 2F 81 7C EF D6 81 7C 93 CC 81 7C
005AD1CC  87 4B 81 7C A8 2F 81 7C 37 CD 80 7C 98 0F 81 7C
005AD1DC  56 2C 81 7C 84 9B 80 7C F1 9A 80 7C E1 26 81 7C
005AD1EC  2E 0C 81 7C EF 50 83 7C 76 20 83 7C 7B D3 81 7C
005AD1FC  3C 8A 83 7C 30 A5 80 7C B0 9F 80 7C 11 7D 83 7C
005AD20C  C3 C1 81 7C 6B 11 81 7C 6F BD 80 7C C3 B2 81 7C
005AD21C  47 28 81 7C 17 D1 80 7C FE A3 80 7C A8 34 83 7C
005AD22C  02 16 81 7C A4 16 82 7C A8 F7 82 7C BD 2E 81 7C
005AD23C  4D C0 80 7C 35 14 82 7C 09 2A 83 7C 66 98 80 7C
005AD24C  E0 10 90 7C 00 10 90 7C 0D 61 83 7C 4A 93 80 7C
005AD25C  B5 08 83 7C 8B 99 80 7C A8 C1 80 7C E7 9B 80 7C
005AD26C  DB A0 80 7C 30 25 80 7C B7 A0 80 7C D0 97 80 7C
005AD27C  E3 14 82 7C 46 24 80 7C DC 15 81 7C 00 00 00 00
005AD28C  80 48 12 77 39 4B 12 77 00 00 00 00 A8 11 A4 7C
005AD29C  00 00 00 00 6E 43 42 7E 7D 6D 45 7E 6B F5 42 7E
005AD2AC  6B 21 43 7E BA 0D 43 7E C7 03 43 7E 2E 8C 41 7E
005AD2BC  A9 E4 42 7E 40 11 43 7E 9D C2 42 7E ED 42 42 7E
005AD2CC  7E C1 42 7E FD 8F 42 7E E9 8F 42 7E 5D 94 41 7E
005AD2DC  9C 8F 41 7E 59 70 45 7E 5E EA 42 7E F6 E8 42 7E
005AD2EC  FD AA 42 7E 28 8E 41 7E 12 D3 42 7E B4 90 42 7E
005AD2FC  2B 77 42 7E 89 C6 43 7E 02 C7 43 7E 2F 9C 42 7E
005AD30C  C8 98 42 7E 78 8E 41 7E AB 8E 41 7E D2 D1 42 7E
005AD31C  A8 03 43 7E C2 F3 42 7E AB AE 42 7E 7F 5F 45 7E
005AD32C  3D 9E 42 7E 44 99 42 7E 00 F1 44 7E E7 C2 43 7E
005AD33C  22 78 42 7E 46 DE 41 7E 66 97 42 7E 5E C3 42 7E
005AD34C  7A C3 42 7E 77 02 43 7E 9E 0F 43 7E 65 02 43 7E
005AD35C  EA 07 45 7E 30 99 42 7E 3E D3 42 7E 4E 97 42 7E
005AD36C  A0 97 42 7E 9C B1 42 7E B2 DE 42 7E 56 AF 42 7E
005AD37C  11 90 42 7E 39 C7 43 7E C7 86 41 7E 9D 86 41 7E
005AD38C  8E 90 42 7E 60 9B 42 7E 4E 4A 42 7E 9E B2 42 7E
005AD39C  12 B1 42 7E 40 A3 42 7E F6 8B 41 7E 49 98 42 7E
005AD3AC  B8 96 41 7E 00 00 00 00 F8 94 B4 76 DF AC B4 76
005AD3BC  A5 AD B4 76 BF A8 B5 76 4F 4E B4 76 E1 07 B5 76
005AD3CC  D4 02 B5 76 E1 95 B4 76 56 04 B5 76 F3 05 B5 76
005AD3DC  B2 06 B5 76 00 00 00 00 53 2E AB 71 55 53 AB 71
005AD3EC  7B 3F AB 71 A8 30 AB 71 ED 3F AB 71 E1 2E AB 71
005AD3FC  50 3F AB 71 11 42 AB 71 55 6A AB 71 40 10 AC 71
005AD40C  D3 8C AB 71 91 E4 AB 71 03 E7 AB 71 80 44 AB 71
005AD41C  30 2E AD 71 F6 0B AC 71 10 3D AB 71 AD 2E AB 71
005AD42C  C1 45 AB 71 68 0B AC 71 53 2E AB 71 AD 2E AB 71
005AD43C  07 4A AB 71 CE 3C AB 71 27 4C AB 71 70 2E AD 71
005AD44C  2B 3E AB 71 D6 2E AD 71 00 00 00 00 4A F9 52 77
005AD45C  AC F1 4F 77 00 00 00 00 B2 7C DF 77 27 6C DD 77
005AD46C  E7 EA DD 77 BB 7A DD 77 F4 E9 DD 77 52 78 DD 77
005AD47C  A0 42 DE 77 E5 EC DD 77 B8 53 DE 77 F3 BC DF 77
005AD48C  32 43 DE 77 60 7B DF 77 D3 79 DF 77 00 00 00 00
005AD49C  16 8D 0C 5D 00 00 00 00 FF DC F1 77 0D B5 F1 77
005AD4AC  C1 61 F1 77 A5 61 F1 77 1C EF F1 77 DB 5E F1 77
005AD4BC  56 6A F1 77 77 5D F1 77 4F BA F1 77 71 5A F1 77
005AD4CC  00 BF F3 77 45 DF F1 77 FA 6B F1 77 CE EC F1 77
005AD4DC  25 8D F1 77 70 5B F1 77 14 8E F1 77 11 E6 F1 77
005AD4EC  4C 7B F1 77 8C B3 F1 77 00 00 00 00 4C AD 85 7C
005AD4FC  2E 98 80 7C B5 99 80 7C 02 D3 80 7C B5 A4 80 7C
005AD50C  7E 2B 81 7C A9 2A 81 7C 91 9F 80 7C 7A 13 91 7C
005AD51C  DD 1E 83 7C 98 9C 80 7C 22 FF 80 7C B9 FF 80 7C
005AD52C  CD FD 80 7C CF FC 80 7C 63 13 82 7C 77 EE 80 7C
005AD53C  E1 4E 83 7C 79 38 81 7C BD 2F 81 7C 6F B5 80 7C
005AD54C  41 B7 80 7C 21 FE 90 7C DF E9 80 7C 7E AC 80 7C
005AD55C  7B 1D 80 7C 5D 49 84 7C 95 DE 80 7C 71 BA 80 7C
005AD56C  C7 A4 80 7C 4E FA 82 7C 33 A8 80 7C 19 9F 80 7C
005AD57C  AF AC 80 7C 06 98 80 7C 1A 98 80 7C 4D 1C 83 7C
005AD58C  28 1A 80 7C D4 1A 80 7C F2 1E 80 7C C3 2C 81 7C
005AD59C  F6 2D 81 7C C0 99 80 7C 53 1D 80 7C 82 19 82 7C
005AD5AC  27 0E 81 7C AC 17 82 7C F1 C1 85 7C 74 A1 80 7C
005AD5BC  C5 AB 92 7C 12 CB 81 7C F8 C0 80 7C 27 29 83 7C
005AD5CC  D7 06 81 7C 1A 1E 80 7C 2D FF 90 7C A1 9E 80 7C
005AD5DC  E9 17 80 7C 40 AE 80 7C 2E 50 83 7C 9C 39 81 7C
005AD5EC  A0 9B 91 7C C4 00 91 7C F1 0E 81 7C 12 18 80 7C
005AD5FC  18 8E 83 7C 48 CD 80 7C 16 2F 81 7C 3F 2E 81 7C
005AD60C  30 FE 90 7C 77 37 81 7C 65 9C 80 7C E0 97 80 7C
005AD61C  DD 04 91 7C CA 3F 86 7C D9 2F 81 7C EF D6 81 7C
005AD62C  93 CC 81 7C 87 4B 81 7C A8 2F 81 7C 37 CD 80 7C
005AD63C  98 0F 81 7C 56 2C 81 7C 84 9B 80 7C F1 9A 80 7C
005AD64C  E1 26 81 7C 2E 0C 81 7C EF 50 83 7C 76 20 83 7C
005AD65C  7B D3 81 7C 3C 8A 83 7C 30 A5 80 7C B0 9F 80 7C
005AD66C  11 7D 83 7C C3 C1 81 7C 6B 11 81 7C 6F BD 80 7C
005AD67C  C3 B2 81 7C 47 28 81 7C 17 D1 80 7C FE A3 80 7C
005AD68C  A8 34 83 7C 02 16 81 7C A4 16 82 7C A8 F7 82 7C
005AD69C  BD 2E 81 7C 4D C0 80 7C 35 14 82 7C 09 2A 83 7C
005AD6AC  66 98 80 7C E0 10 90 7C 00 10 90 7C 0D 61 83 7C
005AD6BC  4A 93 80 7C B5 08 83 7C 8B 99 80 7C A8 C1 80 7C
005AD6CC  E7 9B 80 7C DB A0 80 7C 30 25 80 7C B7 A0 80 7C
005AD6DC  D0 97 80 7C E3 14 82 7C 46 24 80 7C DC 15 81 7C
005AD6EC  00 00 00 00 80 48 12 77 39 4B 12 77 00 00 00 00
005AD6FC  A8 11 A4 7C 00 00 00 00 6E 43 42 7E 7D 6D 45 7E
005AD70C  6B F5 42 7E 6B 21 43 7E BA 0D 43 7E C7 03 43 7E
005AD71C  2E 8C 41 7E A9 E4 42 7E 40 11 43 7E 9D C2 42 7E
005AD72C  ED 42 42 7E 7E C1 42 7E FD 8F 42 7E E9 8F 42 7E
005AD73C  5D 94 41 7E 9C 8F 41 7E 59 70 45 7E 5E EA 42 7E
005AD74C  F6 E8 42 7E FD AA 42 7E 28 8E 41 7E 12 D3 42 7E
005AD75C  B4 90 42 7E 2B 77 42 7E 89 C6 43 7E 02 C7 43 7E
005AD76C  2F 9C 42 7E C8 98 42 7E 78 8E 41 7E AB 8E 41 7E
005AD77C  D2 D1 42 7E A8 03 43 7E C2 F3 42 7E AB AE 42 7E
005AD78C  7F 5F 45 7E 3D 9E 42 7E 44 99 42 7E 00 F1 44 7E
005AD79C  E7 C2 43 7E 22 78 42 7E 46 DE 41 7E 66 97 42 7E
005AD7AC  5E C3 42 7E 7A C3 42 7E 77 02 43 7E 9E 0F 43 7E
005AD7BC  65 02 43 7E EA 07 45 7E 30 99 42 7E 3E D3 42 7E
005AD7CC  4E 97 42 7E A0 97 42 7E 9C B1 42 7E B2 DE 42 7E
005AD7DC  56 AF 42 7E 11 90 42 7E 39 C7 43 7E C7 86 41 7E
005AD7EC  9D 86 41 7E 8E 90 42 7E 60 9B 42 7E 4E 4A 42 7E
005AD7FC  9E B2 42 7E 12 B1 42 7E 40 A3 42 7E F6 8B 41 7E
005AD80C  49 98 42 7E B8 96 41 7E 00 00 00 00 F8 94 B4 76
005AD81C  DF AC B4 76 A5 AD B4 76 BF A8 B5 76 4F 4E B4 76
005AD82C  E1 07 B5 76 D4 02 B5 76 E1 95 B4 76 56 04 B5 76
005AD83C  F3 05 B5 76 B2 06 B5 76 00 00 00 00 53 2E AB 71
005AD84C  55 53 AB 71 7B 3F AB 71 A8 30 AB 71 ED 3F AB 71
005AD85C  E1 2E AB 71 50 3F AB 71 11 42 AB 71 55 6A AB 71
005AD86C  40 10 AC 71 D3 8C AB 71 91 E4 AB 71 03 E7 AB 71
005AD87C  80 44 AB 71 30 2E AD 71 F6 0B AC 71 10 3D AB 71
005AD88C  AD 2E AB 71 C1 45 AB 71 68 0B AC 71 53 2E AB 71
005AD89C  AD 2E AB 71 07 4A AB 71 CE 3C AB 71 27 4C AB 71
005AD8AC  70 2E AD 71 2B 3E AB 71 D6 2E AD 71 00 00 00 00
005AD8BC  4A F9 52 77 AC F1 4F 77 00 00 00 00 64 D4 1A 00
005AD8CC  00 00 00 00 00 00 00 00 A4 D9 1A 00 00 D0 1A 00
005AD8DC  9C D4 1A 00 00 00 00 00 00 00 00 00 9C DA 1A 00
005AD8EC  38 D0 1A 00 A4 D4 1A 00 00 00 00 00 00 00 00 00
005AD8FC  C0 DA 1A 00 40 D0 1A 00 F8 D4 1A 00 00 00 00 00
005AD90C  00 00 00 00 28 DC 1A 00 94 D0 1A 00 F0 D6 1A 00
005AD91C  00 00 00 00 00 00 00 00 0C E5 1A 00 8C D2 1A 00
005AD92C  FC D6 1A 00 00 00 00 00 00 00 00 00 3E E5 1A 00
005AD93C  98 D2 1A 00 04 D7 1A 00 00 00 00 00 00 00 00 00
005AD94C  5A E5 1A 00 A0 D2 1A 00 18 D8 1A 00 00 00 00 00
005AD95C  00 00 00 00 D4 E9 1A 00 B4 D3 1A 00 48 D8 1A 00
005AD96C  00 00 00 00 00 00 00 00 A8 EA 1A 00 E4 D3 1A 00
005AD97C  BC D8 1A 00 00 00 00 00 00 00 00 00 06 EC 1A 00
005AD98C  58 D4 1A 00 00 00 00 00 00 00 00 00 00 00 00 00
005AD99C  00 00 00 00 00 00 00 00 61 64 76 61 70 69 33 32
005AD9AC  2E 64 6C 6C 00 00 0B 02 52 65 70 6F 72 74 45 76
005AD9BC  65 6E 74 41 00 00 CB 01 52 65 67 43 6C 6F 73 65

The size reported by ImpREC of 8CC started to look a little large, considering the CFF output showed the FirstThunk of the last import descriptor was only at RVA 001AD458 (005AD458 in the dump). So I decided to try setting the size to one that matched the CFF output, changing 8CC to 464.

Sure enough, the dumped binary ran fine (in a VM, of course ;-) ) and IDA had no issues reversing it for analysis.

Looking at the dump above you should notice something: between the last thunk array of the first copy (005AD458, 005AD45C) and the start of the second copy at 005AD464 there is a single zero dword at 005AD460, the same terminator that separates one DLL's entries from the next. ImpREC's autosearch parses memory that way, treating a zero dword as the delimiter between per-DLL arrays and continuing as long as the following dwords still resolve to loaded-module addresses, so it ran straight through the second copy and stopped only at 001AD8C8 (001ACFFC + 8CC), where the import descriptors begin and the first dword is no longer a module address. The tail of the dump confirms the layout: the first descriptor at 005AD8C8 has OriginalFirstThunk 001AD464, Name 001AD9A4 (the string "advapi32.dll" at 005AD9A4, followed by hint/name entries such as ReportEventA) and FirstThunk 001AD000, and the last descriptor at 005AD97C has OriginalFirstThunk 001AD8BC and FirstThunk 001AD458; in other words the second copy sits exactly where the descriptors' OriginalFirstThunk arrays point, filled with the same resolved addresses as the IAT. When running in memory this meant nothing, as the calls go through the first copy and still work. The extra, duplicate entries seem to have been written with the sole purpose of preventing dumping with ImpREC itself.
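To make the sizing failure concrete, here is a small model of it in Python. This is an added example, not material from the post and not ImpREC's code: the RVAs (001ACFFC, 001AD000, 001AD464, 001AD8C8) and the per-DLL entry counts are read off the dump above; the pointer values, module bases and the placement of the name strings are constructed for the example; and the "resolves into a loaded module" check is a plain address-range test standing in for ImpREC's real export lookup.

```python
"""Model of a scan-based IAT autosearch versus descriptor-based sizing (added
example; layout follows the dump in the post, values are constructed)."""
import struct

SCAN_START_RVA = 0x001ACFFC   # where the autosearch began: the zero dword before the IAT
IAT_RVA = 0x001AD000          # FirstThunk of the first descriptor

# (dll, entries in its thunk array, constructed module base), in IAT order.
# The counts are what the zero-terminated arrays in the dump occupy.
DLLS = [
    ("advapi32.dll", 13, 0x77DD0000),
    ("comctl32.dll",  1, 0x5D090000),
    ("gdi32.dll",    20, 0x77F10000),
    ("kernel32.dll", 125, 0x7C800000),
    ("oleaut32.dll",  2, 0x77120000),
    ("shell32.dll",   1, 0x7C9C0000),
    ("user32.dll",   68, 0x7E410000),
    ("winmm.dll",    11, 0x76B40000),
    ("wsock32.dll",  28, 0x71AB0000),
    ("ole32.dll",     2, 0x774E0000),
]
FAKE_MODULE_SIZE = 0x00100000   # every constructed module spans 1 MiB


def module_ranges():
    return [(base, base + FAKE_MODULE_SIZE) for _, _, base in DLLS]


def thunk_arrays():
    """One zero-terminated array of resolved addresses per DLL."""
    out = bytearray()
    for i, (_, count, base) in enumerate(DLLS):
        for j in range(count):
            out += struct.pack("<I", base + 0x1000 + 0x10 * j + i)   # constructed export address
        out += struct.pack("<I", 0)
    return bytes(out)


def build_region():
    """Bytes from SCAN_START_RVA onward: zero dword, the real IAT, a second copy
    of the same arrays, the IMAGE_IMPORT_DESCRIPTOR table, DLL name strings.
    Returns (region_bytes, descriptor_table_rva)."""
    arrays = thunk_arrays()
    region = bytearray(struct.pack("<I", 0))        # 001ACFFC
    region += arrays                                 # 001AD000: the IAT the code calls through
    copy2_rva = SCAN_START_RVA + len(region)         # 001AD464: the duplicate
    region += arrays
    desc_rva = SCAN_START_RVA + len(region)          # 001AD8C8: descriptors
    names_rva = desc_rva + 20 * (len(DLLS) + 1)
    descs, names = bytearray(), bytearray()
    ft, oft = IAT_RVA, copy2_rva
    for name, count, _ in DLLS:
        # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        descs += struct.pack("<IIIII", oft, 0, 0, names_rva + len(names), ft)
        names += name.encode() + b"\0"
        ft += 4 * (count + 1)
        oft += 4 * (count + 1)
    descs += bytes(20)                               # all-zero terminating descriptor
    region += descs + names
    return bytes(region), desc_rva


def rd32(region, rva):
    return struct.unpack_from("<I", region, rva - SCAN_START_RVA)[0]


def autosearch(region, start_rva, ranges):
    """ImpREC-style sizing: a zero dword is taken as the separator between
    per-DLL arrays, and the scan continues while entries land in some module.
    Returns (rva, size) like the tool's RVA/Size fields."""
    rva, end = start_rva, SCAN_START_RVA + len(region)
    while rva + 4 <= end:
        v = rd32(region, rva)
        if v and not any(lo <= v < hi for lo, hi in ranges):
            break
        rva += 4
    return start_rva, rva - start_rva


def extent_from_descriptors(region, desc_rva):
    """Size the IAT from the descriptors: lowest FirstThunk up to the end of the
    furthest zero-terminated FirstThunk array. Returns (rva, size, dll names)."""
    lo = hi = None
    names = []
    while True:
        _, _, _, name_rva, ft = struct.unpack_from("<IIIII", region, desc_rva - SCAN_START_RVA)
        if not (name_rva or ft):
            break
        n = 0
        while rd32(region, ft + 4 * n):
            n += 1
        lo = ft if lo is None else min(lo, ft)
        hi = max(hi or 0, ft + 4 * (n + 1))       # include the terminator
        off = name_rva - SCAN_START_RVA
        names.append(region[off:region.index(b"\0", off)].decode())
        desc_rva += 20
    return lo, hi - lo, names


if __name__ == "__main__":
    region, desc_rva = build_region()
    print("autosearch  : rva=%06X size=%03X" % autosearch(region, SCAN_START_RVA, module_ranges()))
    rva, size, names = extent_from_descriptors(region, desc_rva)
    print("descriptors : rva=%06X size=%03X dlls=%d" % (rva, size, len(names)))
```

autosearch() starts at 001ACFFC and only stops at the first descriptor's OriginalFirstThunk, giving the 8CC that ImpREC reported; extent_from_descriptors() walks the descriptor table instead, takes the lowest FirstThunk and the end of the furthest zero-terminated FirstThunk array, and gives 001AD000 with size 464. When a scan-based size disagrees with the descriptor-based one, the descriptors (the same data CFF shows in its Import Directory view) are what to trust.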

Conclusion
----------

It was a fantastic challenge and I learned more about PE file formats, IAT structure and mupping than I realized even existed. And I love the irony that the crack had SEH-based unpacking routines, anti-debug checking and a fake IAT to prevent (easy) dumping of the unpacked exe, while the legit binary had literally nothing in the way of protection beyond what a level 1 crackme has.









