Exetools - Unpack mpress 1.2xx

Exetools (https://forum.exetools.com/index.php)

- General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)

- - Unpack mpress 1.2xx (https://forum.exetools.com/showthread.php?t=14435)

Unpack mpress 1.2xx

Hi !
someone have info/tool/tutorial/other to unpack/reverse an executable protect with matcode mpress product ?
Bye

mpress doesn't use any tricks to make unpacking hard.
Hence any tutorial about manual unpacking upx also applies to mpress (just use the ESP trick).

as zementmischer said it is like upx
check this tut on tuts4you

PHP Code:


		
			
http://tuts4you.com/download.php?view.2227

but if you want more help post your target and will try to help you

Check this out.

From SunBeam

Quote:

Just a heads-up - from what I tested with latest version, all one needs to do is F7 over first PUSHAD, hardware breakpoint on ESP, on access, then Shift+F9. And you'll land at JMP to OEP T_T.. Reminds me of UPX..

Hi !
Many thanks to everyone reply me..
I'm a absolute beginner in exewarez , tracing and patching..

My target is this (the Development version..)

http://www.gearotic.com/downloads.html

Any help is greatly appreciated, and I can learn something ..

Here is the OEP.
Just watch the video.

And here's the unpacked exe:
hxxp://www.mediafire.com/download.php?g30hjuz8jdgkzlc

unpacking was a lil' bit harder than expected due to a darn R6002 exception :mad:

Hi !
WOW !!
not one, but 2, SUPER RAPID solutions !!

I would give the award ex-aequo to both.. giv and zementmischer

many thanks again..

now i can try to "cure" him !!
Can I get help if I need it?
Bye
Axel

Wow, choosing a target that depends on a digitally signed license is probably the most sophisticated way to start rce'ing ;)
I guess the best way to break its protection would be to generate your own public/private key pair using MS' CSP and replace the public key BLOB inside the exe (resource id 163) with your own one.
Use the private key to code a simple keygen (you'll also need it to RE the license file format - but from what I saw the format isn't too complicated)
The main advantage of this approach is that you can crack future versions by just replacing its BLOB resource with your own one.
You'll quickly find the license handler if you look for references to CryptAcquireContextW, CryptImportKey and CryptDecrypt.

Quote:

Originally Posted by axl936 (Post 79857)

This was the target that was just discusssed for a user on tuts4you.
..http://forum.tuts4you.com/topic/29562-i-have-a-rogue-program-i-cant-figure-out-what-it-is/

Your dumps will not run without some tweaking because all the code sections are located in .mpress1 unpacked. This causes an r6002 error msg for your dumps. You must patch the header check for .rdata or remap/rebuild the pe header mpress sections back .text .rdata .data. If you can't get access to the post let me know. - jack

@axl936: Here's a link to an already patched version (proof-of-concept).
I did create my own RSA key pair, replaced the private key of the target with my own one and used my public key to make a valid license.
Btw. my first guess regarding DSA was a lil' bit wrong - the target actually uses an RSA cipher with 1024bit.

@RedBlkJck: I opted for the first method - splitting sections and rebuilding the PE image is a far more time consuming task than setting a hwbp at the section flags inside the PE header :D

@zementmischer I hear ya. I spent a little time looking to rebuild it. The packer code start point has been the end of the text section in my testing with other mpress files. IE betwen the 2 JMPs routines, packer code. I was looking for some patterns to identify it easier. Sometimes there is a pointer of the amount of bytes to the next section from the .text section. mpress2 is all packer code can be removed. You can easily see where the resource mapping was moved from the original code. But it isn't as convenient as UPX including a copy of the original PE section. Anyway here is my mapping of my dump for this target if you are interested.

Name VirtSize VirtAddr SizeRaw PtrRaw Flags Pointing Directories
-------------------------------------------------------------------------------------------
.text 001E3000h 00401000h 001E2200h 00000200h E00000E0h
.rdata 00063000h 005E4000h 00062000h 001E2400h 40000040h Delay Import Descriptor
.data 00009000h 00647000h 00009000h 00244400h C0000040h
.rsrc 005A0000h 00650000h 0059F200h 0024D400h C0000040h Resource Table
.ImpFix 00005000h 00BF0000h 00004400h 007EC600h C0000040h Import Table

Quote:

Originally Posted by RedBlkJck (Post 79867)

Hi
effectively i can't access to the post..

@zementmischer
Thanks for the work done, but I'd like to understand how you did it ..
Can you explain me ?

I thought to make a loader....but your sollution was excelent.

If the application is written on .NET, you can use de4dot version 1.9.0 to deobfuscate.

@axl936
AFAIK registration at tuts4you is open. Unpacking different targets are well covered there. The post was a little long with having to solve a problem with olly setup, etc. Here is a shortened version of what I posted with some selective editing.

mpress is easy to unpack as there is very little to prevent unpacking. There is a generic pattern that can be used RET JMP, step, POPAD JMP = OEP There are olly scripts that will do this. Load the packed file in Olly. Scroll down in Olly until the code goes to all null bytes, scroll back up and you will see RET followed by JMP C3E9. Break on JMP and run. Step in after break. Scroll down in Olly again looking for the POPAD followed by JMP 61E9. Break on JMP and run. The JMP destination is your OEP. Step once and you are at OEP. Dump and rebuild your taget. It should run but this app is compiled with MS VC++ and uses floating point literal constants. Your dump will have a R6002 error msg.

The problem of R6002 error can be seen across other packers also. If UPX was used to pack the same file and you dumped it, the same error would occur in your dump. Just like Mpress your dump would have all the sections placed into the first section .UPX0 If you used UPX -d flag or a program like PE Explorer the unpacked UPX file would not have the error. This is because a copy of the original PE would be used to rebuild it back to the origial sections. Mpress doesn't include this so you would have to rebuild the original sections manualy.

This blog posting covers the problem of MSVC++ floating point that packers will have to deal with. It has an example not packed to demostrate the problem and how to track it. Read this to get an understanding of the R6002.
http://nezumi-lab.org/blog/?p=73

Ghandi posted some more indepth details on the tuts4you thread with other code list examples. I'm only quoting a small portion of ghandi's post.
Quote Ghandi
But it is sufficient to say that the following check is performed and if the call to IsNonWiteableInCurrentImage returns FALSE, it will throw that error. The fix is simple when the sections haven't been mangled, just change the permissions of '.rdata' to read only and if the sections have been mangled you can always patch the code itself to bypass this check.

PHP Code:


		
			
013E30C1                391D A8573E01    cmp dword ptr [__dyn_tls_init_callback],ebx

013E30C7                74 19                    je short 013E30E2

013E30C9                68 A8573E01        push offset __dyn_tls_init_callback

013E30CE                E8 BD040000        call _IsNonwritableInCurrentImage

013E30D3                59                              pop ecx

013E30D4                85C0                      test eax,eax

013E30D6                74 0A                    je short 013E30E2

For a better understanding of what was going on, I used the example of r6002 bug from that blog posting and packed it with Mpress 2.17. Attached below with the original source.

Mpress takes all the sections and places them into one, the resource mappings are kept in their own section but the raw resources are placed into mpress1 section. .mpress2 section is packer code. If you change permissions to read only on .mpress1 of your dump, you are changing it for all the original sections and the app will crash with different error. The packer is dealing with the same problem of the rdata section, this is why the app doesn't crash while packed.

Basically a section of the file PE header will be read and checked for what permission attributes it has. It does not verify the permissions of the section as it is actually loaded in memory, just the PE. If the attributes of the section is read only then EAX = 00000001 on the RET to the call. When TEST EAX, EAX is performed, the next conditional jump JE SHORT will not jump. If EAX = 00000000 JE SHORT will JMP causing the R6002 msg. You can see this in the same code above from Ghandi @013E30D6. In testing with other examples of this, the result is the same.

So how you patch it is up to you. Just so the call causing the error msg is not the next instruction at JE SHORT. Using the packed demo and the break point method from the blog, I added some observation notes. Follow the same method with your Gearotic target and you will come to the same solution.

PHP Code:


		
			
0040719E        PUSH r6002dum.0041D680

004071A3        CALL r6002dum.0040E780



0040E780        MOV EDI, EDI

0040E782        PUSH EBP

......

......

0040E7D5        PUSH EAX

0040E7D6        PUSH r6002dum.00400000                  ; Image base

0040E7DB        CALL <r6002dum.ReadThePESections>       ;0040E730



0040E730        MOV EDI, EDI                            ;<ReadThePESections>

0040E732        PUSH EBP

0040E733        MOV EBP, ESP

0040E735        MOV EAX, DWORD PTR [EBP+8]              ; Stack SS:[0018FF0C]=00400000

0040E738        MOV ECX, DWORD PTR [EAX+3C              ; 0040003C ; Offset to PE signature

0040E73B        ADD ECX, EAX                            ; [00400054]

0040E73D        MOVZX EAX, WORD PTR [ECX+14]            ; 00400054 ; SizeOfOptionalHeader = E0 (224.)

0040E741        PUSH EBX

0040E742        PUSH ESI                                ; [00400046]

0040E743        MOVZX ESI, WORD PTR [ECX+6]             ; 00400046 ; NumberOfSections = 4

0040E747        XOR EDX, EDX

0040E749        PUSH EDI

0040E74A        LEA EAX, DWORD PTR [EAX+ECX+18]         ; 00400138 Address=00400138, (ASCII ".MPRESS1")

0040E74E        TEST ESI, ESI

0040E750        JBE SHORT r6002dum.0040E76D

0040E752        MOV EDI, DWORD PTR [EBP+C]

0040E755        MOV ECX, DWORD PTR [EAX+C]              ; 00400144 ; VirtualAddress = 1000

0040E758        CMP EDI, ECX

0040E75A        JB SHORT r6002dum.0040E765

0040E75C        MOV EBX, DWORD PTR [EAX+8]              ; 00400140 ; VirtualSize = 26000 (155648.)

0040E75F        ADD EBX, ECX                            ; ECX=00001000 EBX=00026000

....

....

0040E772        POP EBP

0040E773        RET                                     ; RET to 0040E7E0



0040E7E0        ADD ESP, 8

0040E7E3        TEST EAX, EAX

0040E7E5        JE SHORT r6002dum.0040E822              ; EAX+24 below is where your breakpoint should have brought you from blog post

0040E7E7        MOV EAX, DWORD PTR [EAX+24]             ; DS:[0040015C]=E00000E0; Characteristics = CODE|INITIALIZED_DATA|UNINITIALIZED_DATA|EXECUTE|READ|WRITE

0040E7EA        SHR EAX, 1F

0040E7ED        NOT EAX

0040E7EF        AND EAX, 1                              ; EAX becomes 00000000

0040E7F2        MOV DWORD PTR [EBP-4], -2

0040E7F9        MOV ECX, DWORD PTR [EBP-10]

0040E7FC        MOV DWORD PTR FS:[0], ECX

....

....

0040E809        POP EBP

0040E80A        RET                                     ; Return to 004071A8



004071A8        POP ECX                                 ; 

004071A9        TEST EAX, EAX                           ; Test EAX, if 0 we jump on JE to the error msg

004071AB        JE SHORT r6002dum.004071B7              ; If no jump the .section is read only, no error msg

004071AD        PUSH DWORD PTR [EBP+8]                  ; Patch JE to nop or inc eax before test so no jump

004071B0        CALL DWORD PTR [41D680]                 ;

Anyway that is pretty much the posted summed up into one. Hope that explains it easier.
Credits to Ghandi (ARTeam) and KPNC blog post explaining the R6002 error.

@axl936: And once you have managed to unpack it you should take a look at my 'quick and dirty' patcher/keyfilemaker implementation. I've successfully tested the patcher with both versions (stable and development). The following steps are performed:

Generate a random 1024bit RSA key pair.
Generate a fresh license with this random key and save it as 'license.dat'.
Open the unpacked target and locate the resource which holds the private key blob.
Replace the private key with your own one and save the modifications back to the executable.

The main advantage of this procedure is that it should also work with future versions and different keys (as long as 1024bit RSA keys are used and the blob is stored as "BIN" resource). But you can easily modify the sources by redefining KEYLENGTH and BLOBRSRC - just in case they change the key size or the resource location.

Code:

#include <windows.h>

#include <wincrypt.h>

#include <malloc.h>

#include <stdio.h>

#include <string.h>



#define KEYLENGTH (1024 << 16)

#define BLOBRSRC  "BIN"



static LPBYTE lpbyTargetBlob = NULL;



BOOL CALLBACK EnumResNameProc(HMODULE hModule, LPCSTR lpszType, LPSTR lpszName, LONG_PTR lParam)

{

    HRSRC hrsrc;

    HGLOBAL hBlob;

    LPBYTE lpbyResource;

    BOOL fRetVal = TRUE;



    hrsrc = FindResourceA(hModule, lpszName, lpszType);

    if (!hrsrc || SizeofResource(hModule, hrsrc) != (DWORD)lParam) return fRetVal;

    if (!(hBlob = LoadResource(hModule, hrsrc))) return fRetVal;

    lpbyResource = (LPBYTE)LockResource(hBlob);

    if (!memcmp(lpbyResource + 8, "RSA2", 4))

    {

        lpbyTargetBlob = (LPBYTE)malloc(lParam);

        memcpy(lpbyTargetBlob, lpbyResource, (DWORD)lParam);

        fRetVal = FALSE;

    }

    UnlockResource(hBlob);

    FreeResource(hBlob);



    return fRetVal;

}



void main(int argc, char* argv[])

{

    LPCSTR szLicense = "zementmischer\0Don't mess with concrete!!!\0forum.exetools.com\0\1\1\1\107";

    CHAR szContainerName[_MAX_PATH] = "";

    HCRYPTPROV hProv;

    HCRYPTKEY hRSAKey;

    LPBYTE lpbyPrivKeyBlob, lpbyLicense, lpbyFileMapping = NULL;

    DWORD cbBlockSize, cbSize, cbPrivKeyBlob = 0, cbContainerName = sizeof(szContainerName), i;

    HANDLE hFile = INVALID_HANDLE_VALUE, hFileMapping = NULL;

    HMODULE hTarget;

    BOOL fSuccess = FALSE;



    if (argc != 2)

    {

        fprintf(stderr, "%s: <unpacked exe>\n", argv[0]);

        return;

    }



    if (!CryptAcquireContext(&hProv, NULL, NULL, PROV_RSA_FULL, 0))

    {

        if (GetLastError() != NTE_BAD_KEYSET

        || !CryptAcquireContext(&hProv, NULL, NULL, PROV_RSA_FULL, CRYPT_NEWKEYSET)

        || !CryptGetProvParam(hProv, PP_CONTAINER, (LPBYTE)szContainerName, &cbContainerName, 0))

        {

            fprintf(stderr, "Failed to open/create key container\n");

            return;

        }

    }



    if (!CryptGenKey(hProv, CALG_RSA_KEYX, KEYLENGTH | CRYPT_EXPORTABLE, &hRSAKey)

    ||  !CryptExportKey(hRSAKey, NULL, PRIVATEKEYBLOB, 0, NULL, &cbPrivKeyBlob))

    {

        fprintf(stderr, "Failed to generate RSA key pair\n");

        goto cleanup;

    }



    lpbyPrivKeyBlob = (LPBYTE)_alloca(cbPrivKeyBlob);

    CryptExportKey(hRSAKey, NULL, PRIVATEKEYBLOB, 0, lpbyPrivKeyBlob, &cbPrivKeyBlob);

    CryptGetKeyParam(hRSAKey, KP_BLOCKLEN, (LPBYTE)&cbBlockSize, &cbSize, 0);

    cbBlockSize = cbBlockSize / 8;

    lpbyLicense = (LPBYTE)_alloca(cbBlockSize);



    hFile = CreateFileA("license.dat", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);

    if (hFile == INVALID_HANDLE_VALUE)

    {

        fprintf(stderr, "Failed to create license file\n");

        goto cleanup;

    }

    memset(lpbyLicense, 0, cbBlockSize);

    memcpy(lpbyLicense, szLicense, cbBlockSize - 12);

    cbSize = cbBlockSize - 11;

    CryptEncrypt(hRSAKey, NULL, FALSE, 0, lpbyLicense, &cbSize, cbBlockSize);

    WriteFile(hFile, lpbyLicense, cbSize, &cbSize, NULL);

    CloseHandle(hFile);

    hFile = INVALID_HANDLE_VALUE;



    hTarget = LoadLibraryA(argv[1]);

    if (!hTarget)

    {

        fprintf(stderr, "Failed to load target file\n");

        goto cleanup;

    }

    EnumResourceNamesA(hTarget, BLOBRSRC, EnumResNameProc, cbPrivKeyBlob);

    FreeLibrary(hTarget);

    if (!lpbyTargetBlob)

    {

        fprintf(stderr, "Failed to locate RSA blob\n");

        goto cleanup;

    }



    hFile = CreateFileA(argv[1], GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

    if (hFile == INVALID_HANDLE_VALUE)

    {

        fprintf(stderr, "Failed to open target file\n");

        goto cleanup;

    }

    cbSize = GetFileSize(hFile, NULL);

    if ((hFileMapping = CreateFileMappingA(hFile, NULL, PAGE_READWRITE, 0, 0, NULL)) != NULL

    &&  (lpbyFileMapping = reinterpret_cast<LPBYTE>(MapViewOfFile(hFileMapping, FILE_MAP_READ|FILE_MAP_WRITE, 0, 0, 0))) != NULL)

    {

        for (i = 0; i < cbSize - cbPrivKeyBlob; ++i)

        {

            if (!memcmp(lpbyFileMapping + i, lpbyTargetBlob, cbPrivKeyBlob))

            {

                memcpy(lpbyFileMapping + i, lpbyPrivKeyBlob, cbPrivKeyBlob);

                fSuccess = TRUE;

                break;

            }

        }



        FlushViewOfFile(lpbyFileMapping, 0);

        UnmapViewOfFile(lpbyFileMapping);

    }



cleanup:

    if (hFileMapping) CloseHandle(hFileMapping);

    if (hFile != INVALID_HANDLE_VALUE) CloseHandle(hFile);

    if (lpbyTargetBlob) free(lpbyTargetBlob);

    CryptDestroyKey(hRSAKey);

    CryptReleaseContext(hProv, 0);



    if (fSuccess) fprintf(stdout, "File patched\n");

}

Thanks for the wonderful explanation, very complete and accurate!
Now I will try to repeat the steps as indicated from scratch and I want to see if I can do it!

I have effectively chosen a bone too hard for me to start learn unpacking/patching !
Luckily for me you know a lot about this subject, and you've done all the work in a very short time!

A good lesson in rce'ing !!

Thanks..

Quote:

Originally Posted by axl936 (Post 79883)

I suggest you to begin with lena151 tutorials which you can find here:

Quote:

http://tuts4you.com/download.php?list.17