Date: Wed, 11 Feb 1998 09:06:14 +0100
From: PROAS
To: Liu TaoTao
Subject: Cracking ChkEXE 1.17 with TR!

How to unpack Hanno Böck's ChkEXE 1.17 with Super TR 1.97
by eL PuSHeR
----------------------------------------------------------------------

In the doc Hanno says:

  'ChkEXE is protected with LZEXE v1.00a, REC v0.35, CrackStop v1.01 and
  some additional tricks.'

  'Liu TaoTao: Now I made a selfcheck that can't be faked with MKEXE. Try
  to find something against it. It's an old and well known method.'

Here are the steps to unprotect this cool program and still get a fully
working EXE.

1st.- We already know that the primary shell is LZEXE, then REC 0.35 by
Ralph Rose and finally CrackStop 1.01 by Stefan Esser, so we must find
Fabrice Bellard's LZEXE entrypoint. We load TR and type in:

  + N CHKEXE.EXE
  + AUTOINT 1 ON
  + EXE1
  + RELOAD
  + GOXB 06 0E 1F 8B 0E 0C 00    <- Entrypoint for LZEXE'd files.

We are ready to write the dump out to disk but we find we cannot, because
the protector has disabled the keyboard by stealing the keyboard handler
from us. Fuck! Well, don't panic. In these cases (most protectors will
disable the keyboard anyway) we must resort to BATCH file processing
(good 'ole batch).

2nd.- Making the batch file for TR to dump the EXE to disk and generate a
suitable file.

  COPY CON FUCKCHK.BAT          (or use your favourite editor)
  N CHKEXE.EXE
  AUTOINT1 ON
  EXE1
  RELOAD
  GOXB 06 0E 1F 8B 0E 0C 00     <- LZEXE ENTRYPOINT
  [GOREG CS]                    \
  [GOREG CS]                    / <- OPTIONAL (TRACE OVER LZEXE)
  WEXE1
  ;Second dump ....
  EXE2
  RELOAD
  GOXB 06 0E 1F 8B 0E 0C 00
  [GOREG CS]                    \
  [GOREG CS]                    / <- OPTIONAL (TRACE OVER LZEXE)
  WEXE2
  G                             ; Go until it exits to DOS to recover the keyboard handler.
  ^Z

The lines in brackets are optional. I prefer to stop at LZEXE's entrypoint
and dump it to disk because I can open it later with a specific utility
such as UNP and get a smaller and cleaner image of the original exe rather
than tracing beyond and making a wild guess at the original image size. :-)

Note: To unpack this with UNP -> UNP e -ail MEM.EXE

Now, let's load TR again.

  TR DO FUCKCHK.BAT
  Q        <- We exit to DOS and we have the two dumps written to disk.
  MKEXE    <- Create MEM.EXE

3rd.- Now we have our newly created MEM.EXE. We look inside it with our
favourite hex editor. All text strings are visible now, so we can be sure
it's unpacked. At last! Then we execute it and *shit* it got stuck. What's
wrong? Remember Hanno said he had protected his proggy with some tricks...
Yes, it's time to trace the code with our favourite debugger. I used
Soft-Ice 2.80 here.

4th.- You trace through the program and find it freezes at several
conditional jumps. Because I am a bit lazy, I haven't bothered to discover
what the procedures do; let's just change the jumps, ok?

  1st comp. -> FIND FF 1E 00 02 74 07 -> CHANGE TO FF 1E 00 02 EB 07
  2nd comp. -> FIND FF 1E 00 02 74 06 -> CHANGE TO FF 1E 00 02 EB 06
  3rd comp. -> FIND FF 1E 00 02 74 04 -> CHANGE TO FF 1E 00 02 EB 04

They are very similar, aren't they? We have loaded MEM.EXE into our
favourite hex editor and made these changes permanent. It's time to try
our EXE. We execute it and it returns back to DOS ¡¡¡WITHOUT DOING
ANYTHING!!! Back to the debugger session ..... arghhh!!!

After a little tracing, we find the instruction that laughed at us ...

  26 F7 06 5C 00 42 48 74 FE

That is:

  TEST ES:[005C],4842   -> TEST two bytes at ES:005C with 'HB'
  JZ Fuck You

Hummm, that reminds me of the signature added by PKLITE with extra
compression ('PK' or 'pk' - as PKLITE 2.01 does) but this time 'HB',
Hanno Böck huh?, how cunning. We must change this string to

  26 C7 06 5C 00 42 48 90 90

to fake the signature.

5th.- We have made all these changes to MEM.EXE and execute it. WOW! It
works perfectly. Now we can pack it and save some KB's of precious disk
space.

See you!

Some words from the author of this crack:

I am a 24-year-old (accountancy) student who is currently busy working in
a consultant's office. I love computers. 10 years have passed since I
bought my first PC (it was a 2086 Amstrad, around 1988) and now I have an
'almighty' Pentium 133. I have learned my little knowledge from scratch
and by myself. I am very interested in keeping a huge collection of early
PC games, which were often copy-protected (key-disks and the sort),
because I find cracking is a funny way to learn assembler. My main
concerns right now are to make friends, learn more and uncover how to get
rid of those nasty self-booter programs (those which work only by booting
them from floppies). I have collected a huge amount of tutorials over the
years but none of them covers this topic. Can anyone help me? I think it
has a lot to do with Int 13h, as it's a typical way to access disks,
making DOS unable to recognize 'em.

I'd like to make a few complaints about TR too:

  + TR is unable to step inside interrupts (like CUP386 does), which makes
    it impossible to trace certain programs that leave a resident portion
    of the EXE in memory and dump them to disk.
  + TR gets stuck when a program tries to access the floppy disk drive (as
    all disk-based protections do).

Anyway, I think TR is the outcome of a lot of hard work and it's cool. I
also have Soft-Ice and I hate it, even though most people say it's the
*best* debugger around. It's very user-unfriendly.

P.S. I would like to thank Liu TaoTao for his great TR (I'll send you a
postcard when I have the time). I'd send you money if I wasn't so poor
(we students are always in bad economic shape, you know). I encourage you
to put this crack on your web page, but please, give me credit for it.
I'd also wish to thank Hanno Böck for making the best identifier I've
ever seen (in my humble opinion). This crack is for EDUCATIONAL PURPOSE
ONLY. I do not mean any harm to any of the authors. If anyone has any
comments or just wants to talk, feel free to e-mail me at my work:
PROAS@ARRAKIS.ES (Mornings only)

PS2. I challenge everybody that claims to be 'elite' to try to unpack the
very old game BUDOKAN: THE MARTIAL SPIRIT BY ELECTRONIC ARTS (1989). The
.COM file is encrypted and I think IT'S UNBREAKABLE (good 8086 code). I
have tried it with tons of unprotectors (CUP, TR, TEU, UPC, etc ...).
They all failed................. If you want a copy to try (BUDO.COM),
just leave me a message and I'll try to send it to you as an attachment.

PS3. Can anyone tell me what this cool mailing-list is all about?

------------------------ eL PuSHeR Feb-10-1998 -------------------------
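A small tamper detector, added here as an editor's example and not code from the e-mail, from TR or from ChkEXE: it reads the load module of an MZ executable (standard DOS header layout) and reports whether each of the byte sequences quoted in the message above (the three conditional-jump checks and the 'HB' signature test) is present in its original form or in the patched form the message describes. That is the check a defender or the program's author would run to tell an untouched copy from a modified one; it changes nothing on disk. The sample image it builds is constructed for the test and is not a real ChkEXE dump.

```python
import struct
import sys

# Byte sequences quoted in the write-up: untouched form on the left,
# patched form on the right. These are the only values taken from the page.
PATTERNS = {
    "comp1": (bytes.fromhex("FF1E00027407"), bytes.fromhex("FF1E0002EB07")),
    "comp2": (bytes.fromhex("FF1E00027406"), bytes.fromhex("FF1E0002EB06")),
    "comp3": (bytes.fromhex("FF1E00027404"), bytes.fromhex("FF1E0002EB04")),
    "hb_signature": (bytes.fromhex("26F7065C00424874FE"),
                     bytes.fromhex("26C7065C0042489090")),
}


def load_module(image: bytes) -> bytes:
    """Return the load module of an MZ executable: the bytes after the
    relocation header, bounded by the file size the header declares."""
    if len(image) < 0x1C or image[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    e_cblp, e_cp, _e_crlc, e_cparhdr = struct.unpack_from("<HHHH", image, 2)
    header_len = e_cparhdr * 16            # header size is given in paragraphs
    declared = e_cp * 512 if e_cblp == 0 else (e_cp - 1) * 512 + e_cblp
    return image[header_len:min(declared, len(image))]


def classify(image: bytes) -> dict:
    """For each named check report 'original', 'patched' or 'absent'."""
    module = load_module(image)
    verdict = {}
    for name, (original, patched) in PATTERNS.items():
        if original in module:
            verdict[name] = "original"
        elif patched in module:
            verdict[name] = "patched"
        else:
            verdict[name] = "absent"
    return verdict


def is_tampered(image: bytes) -> bool:
    """True when any check has been replaced by its patched form."""
    return any(v == "patched" for v in classify(image).values())


def build_sample(patched: bool) -> bytes:
    """Constructed stand-in for MEM.EXE (hypothetical, not a real dump):
    a minimal 32-byte MZ header followed by NOP filler with the four
    sequences embedded, either untouched or in their patched form."""
    body = b""
    for original, patched_form in PATTERNS.values():
        body += b"\x90" * 8 + (patched_form if patched else original)
    body += b"\xCD\x20"                    # INT 20h, old-style DOS exit
    total = 32 + len(body)
    header = struct.pack(
        "<2s13H", b"MZ",
        total % 512,                       # e_cblp: bytes in last page
        (total + 511) // 512,              # e_cp:   pages in file
        0,                                 # e_crlc: no relocations
        2,                                 # e_cparhdr: header = 2 paragraphs
        0, 0xFFFF, 0, 0xB8, 0, 0, 0,       # minalloc, maxalloc, ss, sp, csum, ip, cs
        0x1C, 0,                           # e_lfarlc, e_ovno
    ).ljust(32, b"\x00")
    return header + body


if __name__ == "__main__":
    # Usage: python detector.py MEM.EXE  (falls back to the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        image = build_sample(patched=True)
    for name, verdict in classify(image).items():
        print(f"{name:13s} {verdict}")
    print("tampered" if is_tampered(image) else "untouched")
```

The scan is limited to the load module so that bytes in the header or past the declared file size cannot trigger a match; a real integrity check would hash the whole module rather than look for known byte strings, but the pattern form is what lets an analyst tell which of the checks named above has been altered.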