Xceed Absolute Packager v1.1

Absolute Packager has a NAG Screen every time it is loaded, stating 'X Days left for evaluation, I understand that I may use the program for evaluation purposes only', with Agree/Help/Quit buttons. Every package you create has a Nag aswell, stating it was 'Created with the Free Trial Version, and all packages created with the Free Trial Version will display this Nag', and theres several text reminders that its a 'Free Trial Version'. The 30 day trial doesn't work, i.e. it still works after the trial has ended, but were gonna kill this Nag & the Nag in the packages we create anyway.

=============== lets begin... ===============

Before we do begin, get your pen & paper ready and lets write down some variables. We need two file offsets, one for the DEP (Depacker Exit Point) & the other for our iMP (Inline Memory Patch) do it like this (this is VERY important if you want to follow along)

OFFSET#1 ; FILE OFFSET-DEP
OFFSET#2 ; FILE OFFSET-iMP

PATCH#1 ; 5 BYTES (OUR CALL TO OUR PATCH)

We want to find the exit point of the unpacker code, which will give us the original entry point of the program, before it was compressed with Shrinker. Loading absolute.exe into softice's symbol loader, doesn't work, instead of it soft ice breaking on the first instruction, the damn thing just runs.

Heh, get ProcDump loaded, select the PE-Editor Function, load absolute.exe. We can see that the Entry Point is '0015654B', select sections, and lOOk for the nearest Virtual Offset to the Entry Point, you will find it to be the '.load' section, starting at RVA '00155000', '.load' + 154B = Entry Point! The file Offset of this section is '00002800', add 154B = 3D4B, the file offset of the Program Entry Point. (did you follow that??)

Hex Edit absolute.exe, goto offset 3D4B, and change the '83' to a 'CC' (int 03).
Enter softice, type in 'bpint 03', hit F5
Run Absolute.exe
Softice will break here

0055654B CC int 03 (This address is the Entry Point + the ImageBase (00400000) )

Hmm, unpacking code normally locates itself far above the original code, so we trace through the code until it executes a jump or call to a location away from this address space, say somewhere between 00401000 & 00540000...

type in 'e eip 83' to replace the 'int 03' with the proper instruction code

0055654B 833DB411550000 cmp dword ptr [005511B4], 00000

Start tracing the code with F10, trying to remember what calls do what :) (you'll see)
When you execute this call, the programs runs...

005565D3 E806000000 call 5565DE

so run the program again, replace the 'CC' with '83', start tracing again, F10 until you get to the call where the program ran, then step into it with F8.
Carry on tracing with F10.

After tracing for a while, the program runs again, after trying to step over a call [ebp-24]:-

0055664A A114365500 mov eax, dword ptr [00553614] (0006C31C)
0055664F 030528375500 add eax, dword ptr [00553728] (00400000)
00556655 8945DC mov dword ptr [ebp-24], eax (Original Program Entry point)
00556658 FF7510 push [ebp+10]
0055665B FF750C push [ebp+0C]
0055665E FF7508 push [ebp+08]
00556661 FF55DC call [ebp-24] (call 0046C31C)

So there you go, a lesson in tracing through decompressor code, to find the Depacker Exit Point 'DEP', and the Program Entry Point 'PEP'. With these addresses, were set to patch this mother!

Hex Edit Absolute.exe again, goto offset 3D4B, and change the 'CC' back to the original '83', search for the 'push [ebp+08],call [ebp-24]', 'FF7508FF55DC', it turns up at Offset 3E5E (write this down, OFFSET#1) change the first 'FF' to a 'CC'. We need to change this code to jump to our own code, instead of running the program, a jump takes up 5 bytes, so we have to overwrite both these instructions, don't worry though, because after patching the memory with our inline code, we can execute the two instructions we replaced.

Whilst you have absolute.exe loaded in your hex editor, just look through the file, for some space around the unpacker code, to place our own patch code. There are plenty of places.. I choose offset 26C0 (write this down, OFFSET#2), just after the imports. Enter 'some text' here that we can search for in softice, after it has unpacked the program. Save the file, and run it again..

Softice breaks here

0055665E CC int 03

K, now search for the text you entered into the exe, type in s 0 l ffffffff 'some text', you should get 'Pattern found at 01xx:005548C0' and the text displayed in the data window, type in 'a eip', to assemble instructions at the current Eip. type in 'jmp 5548C0', then hit escape.

Copy the instruction codes down for the jump you just wrote 'E95DE2FFFF' HIT F5, shrinker traps an exception, well, we haven't wrote the rest of our code yet, have we? we still have to crack the program, then we can finish off our patch..

===============data we have so far===============

OFFSET#1 = 3E5E (DepackerExitPoint)
OFFSET#2 = 26C0 (Where our Inline Memory Patch will go)
PATCH#1 = E95DE2FFFF (jump to our iMP)

=============== lets crack! ===============

My way might be wrong, but it worked, so i'll tell you anyway...Basically, i keep tracing through the code with F10, until the Nag's popped up, remember the caller, run the prog again, then kill that call, test it to see if it still runs? If it doesn't, trace into it, and try again, i find the right place eventually..

run absolute.exe (with the int 03 still embedded at the DEP) type in 'e eip FF', then trace with F8 when you have executed the call [ebp-24], trace with F10, until the Nag pops up...

its here:-
0046C3FB E8B09BFFFF call 00465FB0 (call Nag)

well, this calls the Nag, then after clicking agree, returns you to softice, so put a breakpoint on the call, and run the program again..

Softice breaks on the call, type in 'e eip b8' which will change it to a 'mov eax,xxxxxxxx', hit F5 to run the program, GodDamn!, it works! heh, too easy.

Our patch only has to change the byte at RVA 46C3FB to a 'b8', so lets do it..

Run the proggie again, this time, putting in the jmp at the DEP, and stepping into it with F8.

when softice breaks, type in 'a eip', to assemble code at the current Eip.
type in 'jmp 5548C0', then hit escape.
Hit F8, were at location 5548C0 now?
type in 'a eip'
type in 'mov byte ptr [46C3FB], B8' (our iMP, Inline Memory Patch)
then replace the Packer Exit Point.
type in 'push dword ptr [ebp+08]'
type in 'call [ebp-24]', then hit escape..
dump the memory, by typing in 'pagein 5548C0 10 c:\imp.dat' or write down all the instruction codes you just created..
'C605FBC34600B8FF7508FF55DC'

Hexedit absolute.exe again, then either copy & paste imp.dat into absolute.exe at OFFSET#2 26C0, or write in all the codes by hand. goto OFFSET#1 3E5E, and write in the jump instruction codes, save it and run!

Cool, it works... now for killing the Nag in the Packages we create with it..

=============== removing NAG #2 ===============

ok, now for a bit of ZEN cracking, as this is tutorial is really to teach patching packed files, and not cracking as such...

Absolute Packager creates the self-extracting zips using a separate 'dll, 'xcdzip32.dll' (The Xceed Zip Compression Library:File Version 3, 5, 0, 4). Lucky for us, they use the same library in the full version as in the trial version, and just check some flag in memory, to see what sort of 'exe to create.

well, upon disassembly of this dll, you can soon find this part of code...

Disassembly of File: xcdzip32.dll

:1000B1AF A1B08E0210 mov eax, dword ptr [10028EB0] <-- some version flag
:1000B1B4 85C0 test eax, eax <-- check for zero
:1000B1B6 741C je 1000B1D4 <-- JumpifEqual to 'no NAG'
:1000B1B8 83F802 cmp eax, 00000002 <-- check for two
:1000B1BB 7417 je 1000B1D4 <-- JumpifEqual to 'no NAG'
:1000B1BD 83F803 cmp eax, 00000003 <-- check if three
:1000B1C0 7417 je 1000B1D9 <-- JumpifEqual to NAG #2

* Possible StringData Ref from Data Obj ->"This self-extracting zip fille "
->"was created with the free trrial "
->"version of the Xceed Zip Sellf-Extractor. "
->" It will only unzip itself oon "
->"the same machine that it wass created "
->"on. Registering your Xceed Zip "
->"Self-Extractor will remove tthis "
->"limitation."
|
:1000B1C2 BE10480110 mov esi, 10014810 <-- NAG #1 (not ours)
:1000B1C7 8BFB mov edi, ebx
:1000B1C9 B93D000000 mov ecx, 0000003D
:1000B1CE F3 repz
:1000B1CF A5 movsd
:1000B1D0 66A5 movsw
:1000B1D2 EB13 jmp 1000B1E7

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:1000B1B6(C), :1000B1BB(C)
|
:1000B1D4 C60300 mov byte ptr [ebx], 00 <-- Set a version flag.
:1000B1D7 EB0E jmp 1000B1E7 <-- ha! done...

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000B1C0(C)
|

* Possible StringData Ref from Data Obj ->"This self-extracting zip file "
->"was created with the free trial "
->"version of the Xceed Absolute "
->"Packager - the software that makes "
->"it easy to create powerful, fully "
->"customizable self-extracting zip "
->"files."
|
:1000B1D9 BE08490110 mov esi, 10014908 <-- NAG #2 (the one we got :)


oki, the way i crack this is change this line...

:1000B1B4 85C0 test eax, eax <-- check for zero
:1000B1B6 741C je 1000B1D4 <-- JumpifEqual to 'no NAG'

to this

:1000B1B4 33C0 xor eax, eax <-- zero eax (to force the jump)
:1000B1B6 741C je 1000B1D4 <-- JumpifEqual to 'no NAG'

So, change the byte at offset A5B4 to a '33', job done!

Another lame protection bytes the dust...