#1
Unknown packer trouble
All my efforts to unpack this baby have failed.

PEiD 0.93 says for file "FunnyCreatures.exe": NeoLite vx.x. There is no need to run the installer; unpack "fcreatures.exe" with WinRAR (function "extract to"): hxxp://astatix.advanta.org/download/fcreatures.exe (859 kb)

When OllyDbg stopped at Exception C000001E (INVALID LOCK SEQUENCE) (I have everything ticked under Debugging options -> Exceptions), I put a memory bp on access, and I landed here:

0044B8F2 .  66:C1C2 03       ROL DX,3               ; HERE
0044B8F6 .  53               PUSH EBX               ; FunnyCre.00502183
0044B8F7 .  68 59529514      PUSH 14955259
0044B8FC .  5B               POP EBX                ; FunnyCre.00500401
0044B8FD .  81C3 E23D611A    ADD EBX,1A613DE2
0044B903 .- E9 75D00B00      JMP FunnyCre.0050897D
0044B908 .  2BCE             SUB ECX,ESI            ; FunnyCre.00511B18

Checking my log showed that there are a lot of INT3 exceptions. This unknown protector is checking for CC (bpx, bp) and hardware breakpoints.

I downloaded NeoLite v2, which seems to be the newest version of this packer (hxxp://nmgmt.cs.nchu.edu.tw/nmTool/NEOLTE20.EXE), but this one is piss easy to unpack.

Last edited by hosiminh; 02-17-2005 at 21:48.
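The check hosiminh describes, a protector scanning its own code for CC bytes, is worth seeing in miniature. The following C program is an added illustration by the editor, not code from this thread, from NeoLite or from EXECryptor. It copies the bytes of the listing above into an ordinary buffer (a constructed sample), takes a checksum of the clean region, then does what a debugger's bp does (writes 0xCC over the first opcode byte of PUSH EBX) and shows that both a plain 0xCC scan and the checksum comparison catch it. The function names (count_int3, region_checksum, plant_breakpoint, demo_detects_planted_breakpoint) and the choice of FNV-1a are the editor's own. The hardware-breakpoint half of such a check reads the DR0-DR3 registers through the thread context on Windows and is not portable, so it is not shown.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the instruction bytes from the OllyDbg listing in post #1,
 * copied into an ordinary buffer so the check runs on any platform. */
static const unsigned char sample_code[] = {
    0x66, 0xC1, 0xC2, 0x03,             /* 0044B8F2  ROL DX,3 */
    0x53,                               /* 0044B8F6  PUSH EBX */
    0x68, 0x59, 0x52, 0x95, 0x14,       /* 0044B8F7  PUSH 14955259 */
    0x5B,                               /* 0044B8FC  POP EBX */
    0x81, 0xC3, 0xE2, 0x3D, 0x61, 0x1A, /* 0044B8FD  ADD EBX,1A613DE2 */
    0xE9, 0x75, 0xD0, 0x0B, 0x00,       /* 0044B903  JMP 0050897D */
    0x2B, 0xCE                          /* 0044B908  SUB ECX,ESI */
};

/* Offset of PUSH EBX inside sample_code: where the simulated bp is placed. */
#define BP_OFFSET 4

/* Check 1: a software breakpoint is the byte 0xCC (INT3) written over the
 * first opcode byte, so a protector can simply scan its own code for 0xCC.
 * Returns how many it finds. 0xCC can also appear legitimately as an operand
 * or displacement byte, which is why protectors pair this with a checksum. */
size_t count_int3(const unsigned char *code, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (code[i] == 0xCC)
            n++;
    return n;
}

/* Check 2: 32-bit FNV-1a over the region. Taken once while the code is
 * known-clean and compared later; any overwritten byte changes the result,
 * because every step (xor, multiply by an odd constant mod 2^32) is a bijection. */
uint32_t region_checksum(const unsigned char *code, size_t len)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) {
        h ^= code[i];
        h *= 16777619u;
    }
    return h;
}

/* What a debugger's "bp" does behind the scenes: remember the original byte
 * and replace it with 0xCC. Returns the saved byte so it could be restored. */
unsigned char plant_breakpoint(unsigned char *code, size_t offset)
{
    unsigned char saved = code[offset];
    code[offset] = 0xCC;
    return saved;
}

/* Runs the scenario from the thread on a private copy of the sample:
 * clean region -> baseline checksum -> breakpoint planted -> both checks fire.
 * Returns 1 when the region was clean before and both checks detect the bp. */
int demo_detects_planted_breakpoint(void)
{
    unsigned char region[sizeof sample_code];
    memcpy(region, sample_code, sizeof region);

    if (count_int3(region, sizeof region) != 0)
        return 0;                         /* the sample must start clean */
    uint32_t baseline = region_checksum(region, sizeof region);

    unsigned char saved = plant_breakpoint(region, BP_OFFSET);
    int scan_hit = count_int3(region, sizeof region) == 1;
    int sum_hit  = region_checksum(region, sizeof region) != baseline;

    return saved == 0x53 && scan_hit && sum_hit;   /* 0x53 is PUSH EBX */
}

int main(void)
{
    printf("clean region: %zu INT3 bytes, checksum %08X\n",
           count_int3(sample_code, sizeof sample_code),
           region_checksum(sample_code, sizeof sample_code));
    printf("breakpoint detected by scan and checksum: %s\n",
           demo_detects_planted_breakpoint() ? "yes" : "no");
    return 0;
}
```

The scan alone explains why a single bp is enough to trip the protector; the checksum is what makes the check hard to fool, since restoring a byte you did not know was checked does nothing once the baseline has already been compared.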
#2
Most likely EXECryptor... if it has LOCK:INT1, then you know you got this packer... very tough to unpack... I believe the OEP is emulated..... so you need to dump each section from memory as it decrypts itself...
Hope this helps you. -H3rCuL3s
#3
Hi !
I've taken a look at your proggy and I've got a question. What is your goal exactly? Is it to crack the proggy or to reverse / unpack the packed stuff? Because, if you just want to register this software, you can try a different approach to succeed in doing so.

What I've understood about this program is that the packer is not only a packer, but a layer added to the proggy. It uses a lot of excellent obfuscation techniques and is really difficult to trace into. In fact, the IAT is also partially destroyed and redirected to the protector's routines. Then, even if you unpack it, you can't use it because of the bad IAT. This approach is the hard one... maybe it could be simpler to try to reverse the little "register.exe" program. In fact, it's a piece of cake to do so.

Unfortunately, the "working serial" generated by this external registering tool is not valid, because of this:

email : [email protected]
password : XXXXXXXXX=000000 <- This part (000000) only is tested in register.exe and depends on the email entered.

Once registered, 2 keys were created by 'register.exe' in the registry:
- Code : XXXXXXXXX
- Mail : [email protected]

The 'XXXXXXXXX' part is tested in the main game program. But you can easily find where with SI. Take a look at this: CODE : 00446E0E or CODE : 00446E2B

So, I let you try by yourself. Hope it can help you. Bye. (If you just want to defeat the packer, I'm sorry for this "no use" long piece of text.)
#4
A piece of cake to reverse the little "register.exe" program?
Look at 004039A4 where the validation routine starts. There are more than 8 loops waiting for you. This is why I am more interested in unpacking & patching.

One interesting thing I had noticed: you can put CC (bpx & bp) breakpoints only once; after you restart the main program (FunnyCreatures.exe) and load it again you will get Exception C000001E (INVALID LOCK SEQUENCE). But if you then quit OllyDbg, clean all *.UDDs and load it, you can put those bp again.

Last edited by hosiminh; 02-18-2005 at 21:34.
#5
Hi again.
Yes, reversing register.exe is a piece of cake. Load it in IDA and take a few seconds to look at what it does. What about those loops you talked about? Explain in what way it's a problem please.

Just take a look at offset 403b91, you'll find the final check:

MOV EAX, computed number
CMP EAX, entered number (425 or 936 in my example below)

OK... try these:

email : *put here just what you want*
serial : 1234567=425

or this:

email : *still not important*
serial : whatyouwant=936

So... it works fine with register.exe but *NOT* with the game... you can break into the game just to watch how it computes these 2 created registry values.

Frequency was right! It's an EXECryptor's work. This prog can pack and cipher very well. Reversing it is quite hard... because of the IAT destroying, AND because it replaces (yes, recompiles) some routines in the original program. These routines are doing the same thing as the original compiled code, but are replaced by an incredible piece of crap, very long and very obfuscated, where only 2 or 3 bytes are really doing something, hidden in a huge amount of horrible (and no-use and unreadable) code.

I'm sorry, but if you can't properly reverse the 'not protected' register.exe written in Delphi, you will have some difficulties breaking this really good packer called EXECryptor. So, just tell us what you want to do: crack the little game or break down EXECryptor. Have fun. Bye.
#6
Well, I took a closer look at those loops... you're right, nothing to be afraid of (but it takes some time to understand them). I will start playing with the packer itself.
#7
Quote:
#8
But, as I see in file "levels.lv", levels above 7 are crypted in a slightly different way.
Then it needs some additional info for correct decrypting; btw, I solved level 3 in 15 moves & level 7 in 29 moves.
#9
Hello !
Kubik... I'm really interested in the way you defeated this protector. Could you be a little bit more precise concerning the ways to find the real OEP and remove the protection layer, please? I'll be really happy to hear about that! Thanks in advance. Bye.
#10
Yey, I restored my connection after 3 days :)
Grab exclusive workz for Exetoolz :) Put "Levels.je!" and FCLDR.exe in a dir & run FCLDR. Learn more :)