
Software mechanism of Genesis --- a cheating software for Warcraft3

Learn the challenges and steps to unpack Genesis cheating software for Warcraft3, exploring techniques and tools used in reverse engineering. Understand the difference between EXE and DLL unpacking and the intricacies of checksum and Authenticode in PE specification.

slaverne


Presentation Transcript


  1. Software mechanism of Genesis --- a cheating software for Warcraft3 Yang Chen, Wen Sun

  2. A little bit about Genesis • The new version of ZeroCraft • Contains two main pieces: • (1) Launcher.exe • (2) Genesis.dll

  3. Our adventure 1 - Launcher.exe part 1st try: Load the EXE file with Ollydbg directly. We got the following error message from Ollydbg

  4. Our adventure 1 - Launcher.exe part Maybe this file is self-extracting or self-modifying

  5. Our adventure 1 - Launcher.exe part Try again to load the .exe file with IDA directly. We got the following error message too.

  6. Our adventure 1 - Launcher.exe part

  7. Our adventure 1 - Launcher.exe part Our hypothesis : The software has been packed !

  8. Our adventure 1 - Launcher.exe part 2nd try: Unpack the EXE file with existing unpackers (1) upx ----- Didn’t work (2) GUW ----- Didn’t work (3) ProcDump ----- By using its universal (generic) unpacking approach, we got good news!

  9. Our adventure 1 - Launcher.exe part

  10. Our adventure 1 - Launcher.exe part We also tried to unpack the DLL file with ProcDump, but it didn’t work. At this point, our conclusion is: the EXE file and the DLL file may be packed by different packers.

  11. Our adventure 1 - Launcher.exe part 3rd try: Load the unpacked EXE file with IDA Everything seems good

  12. Our adventure 1 - Launcher.exe part

  13. Our adventure 1 - Launcher.exe part However, things appear to be not that “normal” then…. Problems we got: • By looking at the assembly code and checking the contents of the registers, we saw some invalid address accesses • We set a breakpoint and let the debugger run step by step. At the “add ss:dword_4093DB[ebp], ebx” line we get an error message, and at the same time the debugger is disabled.

  14. Our adventure 1 - Launcher.exe part Launcher_unpacked.exe:The instruction at 0x7C919913 referenced memory at 0x7CC01D77. The memory could not be read

  15. Our adventure 1 - Launcher.exe part After directly running the unpacked EXE file, we also got an error message.

  16. Our adventure 1 - Launcher.exe part

  17. Our adventure 1 - Launcher.exe part Our hypothesis : The PE file may have been damaged when we unpacked the EXE file Our Solution: Use the ProcDump “Rebuild PE” function to rebuild the PE headers of the dump

  18. Our adventure 1 - Launcher.exe part

  19. Our adventure 1 - Launcher.exe part Running the rebuilt file directly after the PE rebuilder, we get the following error message :

  20. Our adventure 2 - Launcher.exe part (1) We finally realized that the unpacking done by ProcDump may not have completed successfully, despite what the tool reported. (2) We decided to unpack it manually instead.

  21. Our adventure 1 - Launcher.exe part Use PEiD for a last try before we start to manually unpack the software. Luckily it identifies the packing tool used – PECompact 1.56

  22. Our adventure 2 - Launcher.exe part

  23. Our adventure 2 – Launcher.exe • Using Ollydbg (the “ESP trick”) - locate ESP right after the packer stub’s first PUSHAD - follow ESP in the dump window - set a hardware breakpoint on the first dword pointed to by ESP (it is hit when the stub’s POPAD restores the registers) - run code - step into - got OEP • Using LordPE, full-dump the binary in memory • Using ImpREC to rebuild the import table of the dump (fix the import entries’ virtual addresses in the PE)

  24. Our adventure 2 – Launcher.exe Step in until we get here, then dump

  25. Our adventure 2 – Launcher.exe Run (F9) the code in Ollydbg and step in (F7) until …

  26. Our adventure 2 – Launcher.exe OEP

  27. Our adventure 2 – Launcher.exe

  28. Our adventure 2 – Launcher.exe (screenshot: Step1, Step2, Step3, Step4)

  29. Our adventure 2 – Launcher.exe Fix PE

  30. Our adventure 2 – Launcher.exe Strings in the unpacked PE

  31. Our adventure 2 – Launcher.exe We manually unpacked the EXE file successfully

  32. Our adventure 3 – Genesis.dll • Then we tried to unpack the DLL file - Only one significant difference from the EXE file: the debugger will not run a DLL as a process, so its file header has to be edited first

  33. Our adventure 3 – Genesis.dll Change the FileHeader Characteristics to 010E, i.e. clear the IMAGE_FILE_DLL bit (0x2000), so that the DLL loads and can be stepped like an EXE; the same ESP trick then applies

  34. Our adventure 3 – Genesis.dll • We unpacked the DLL successfully • We tried to launch the unpacked .exe and .dll • The unpacked genesis.dll does not work • Something must be wrong

  35. Our adventure 3 – Genesis.dll Checksum failure

  36. Our adventure 3 – Genesis.dll • We tried to fix the checksum (the CheckSum field in the PE optional header)

  37. Our adventure 3 – Genesis.dll • The problem is still there • We have to resort to another approach • From the PE specification, we got: - The Authenticode PE image hash relates to the integrity of a file - In an Authenticode signature, the file hash is digitally signed using a private key known only to the signer of the file, so recomputing the checksum cannot make a modified file verify
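The two header edits the deck relies on in slides 33, 35 and 36 (clearing IMAGE_FILE_DLL in FileHeader.Characteristics, and recomputing OptionalHeader.CheckSum after the file was changed) are small enough to show in working code. The block below is an added example and is not code from the presentation or from Genesis; it hand-parses the PE headers with fixed offsets from the PE specification rather than using a library, and it runs on a constructed, minimal PE32 header that is labelled as such (it is not a loadable binary). The checksum routine follows the algorithm imagehlp’s CheckSumMappedFile uses: an end-around-carry sum of the file’s 16-bit words, skipping the CheckSum field itself, plus the file length. One caveat a practitioner should keep in mind: the Windows loader only validates CheckSum for kernel-mode drivers and certain system images, so a “checksum failure” when loading an unpacked user-mode DLL comes from the program’s own integrity check, which is consistent with the deck moving on to Authenticode on the next slide.

```python
import struct

# Fixed header offsets from the PE specification (these are not assumptions).
E_LFANEW_OFF = 0x3C      # DOS header field holding the offset of the "PE\0\0" signature
CHAR_OFF = 0x16          # FileHeader.Characteristics, relative to the signature
CHECKSUM_OFF = 0x58      # OptionalHeader.CheckSum for PE32, relative to the signature
IMAGE_FILE_DLL = 0x2000  # Characteristics bit that marks the image as a DLL


def pe_signature_offset(data):
    """Return the file offset of "PE\\0\\0" after validating the DOS/PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFF)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return e_lfanew


def pe_checksum(data, checksum_offset):
    """CheckSum as imagehlp's CheckSumMappedFile computes it: end-around-carry
    sum of all 16-bit words of the file, skipping the 4-byte CheckSum field
    itself, then plus the file length."""
    padded = data + b"\0" if len(data) % 2 else data
    total = 0
    for off in range(0, len(padded), 2):
        if off in (checksum_offset, checksum_offset + 2):
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)   # fold the carry back in
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def read_checksum(data):
    pe = pe_signature_offset(data)
    return struct.unpack_from("<I", data, pe + CHECKSUM_OFF)[0]


def verify_checksum(data):
    """True when the stored CheckSum matches the file contents."""
    pe = pe_signature_offset(data)
    return read_checksum(data) == pe_checksum(data, pe + CHECKSUM_OFF)


def fix_checksum(data):
    """Return a copy with OptionalHeader.CheckSum recomputed (what "fix checksum" does)."""
    pe = pe_signature_offset(data)
    buf = bytearray(data)
    struct.pack_into("<I", buf, pe + CHECKSUM_OFF, pe_checksum(data, pe + CHECKSUM_OFF))
    return bytes(buf)


def get_characteristics(data):
    pe = pe_signature_offset(data)
    return struct.unpack_from("<H", data, pe + CHAR_OFF)[0]


def set_dll_flag(data, is_dll):
    """Set or clear IMAGE_FILE_DLL. Clearing it (0x210E -> 0x010E on a typical
    32-bit DLL) lets a debugger load the file as if it were an EXE."""
    pe = pe_signature_offset(data)
    buf = bytearray(data)
    chars = get_characteristics(data)
    chars = chars | IMAGE_FILE_DLL if is_dll else chars & ~IMAGE_FILE_DLL
    struct.pack_into("<H", buf, pe + CHAR_OFF, chars)
    return bytes(buf)


def build_sample_image(characteristics):
    """Constructed sample: a minimal PE32 header plus filler, enough to exercise
    the functions above. It is not a loadable binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFF, 0x40)
    # IMAGE_FILE_HEADER: Machine=i386, 0 sections, SizeOfOptionalHeader=0xE0
    file_header = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, characteristics)
    optional = bytearray(0xE0)
    struct.pack_into("<H", optional, 0, 0x10B)       # PE32 magic; CheckSum left at 0
    body = b"\x90" * 0x200                            # filler standing in for section data
    return bytes(dos) + b"PE\0\0" + file_header + bytes(optional) + body


if __name__ == "__main__":
    dll = build_sample_image(0x210E)
    as_exe = fix_checksum(set_dll_flag(dll, False))
    print(hex(get_characteristics(dll)), "->", hex(get_characteristics(as_exe)))
    print("checksum valid after fix:", verify_checksum(as_exe))
```

Note what this does and does not buy you: after any edit (the flag flip, or the rebuilt headers and imports of a dump), fix_checksum makes the CheckSum field consistent again, which is all a PE checksum check can ever ask for. An Authenticode check is different in kind: the signed hash covers every byte except the CheckSum field, the certificate-table directory entry and the certificate table itself, so a dump with rebuilt headers no longer matches the signed hash, and no recomputation can repair that without the signer’s private key. That is why the deck’s checksum fix could not make the unpacked DLL run.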

  38. Conclusion • Reverse engineering is hard • Too many tools, too many software versions, and many anti-reversing techniques • For unpacking, the key point is to locate the OEP • Launcher.exe is coded in VB - call <JMP.&msvbvm60.ThunRTMain> - msvbvm60.dll is the VB virtual machine runtime library - ThunRTMain is the VB code entry point • However, we believe genesis.dll is programmed in C or C++
