Software mechanism of Genesis - PowerPoint PPT Presentation

Provided by: wen90
1
Software mechanism of Genesis --- a cheating software for Warcraft3
Yang Chen, Wen Sun
2
A little bit about Genesis
  • The new version of ZeroCraft
  • Contains two main pieces
  • (1) Launcher.exe
  • (2) Genesis.dll

3
Our adventure 1 - Launcher.exe part
  • 1st try
  • Load the EXE file with OllyDbg directly.
  • We got the following error message from OllyDbg:

4
Our adventure 1 - Launcher.exe part
OllyDbg: "Maybe this file is self-extracting or self-modifying" (OllyDbg shows this when the entry point in the PE header lies outside the code section; it is the usual first sign of a packer stub)
5
Our adventure 1 - Launcher.exe part
  • Try again to load the .exe file with IDA directly.
  • We got the following error message too.

6
Our adventure 1 - Launcher.exe part
7
Our adventure 1 - Launcher.exe part
  • Our hypothesis
  • The software has been packed!

8
Our adventure 1 - Launcher.exe part
  • 2nd try
  • Unpack the EXE file with existing unpackers
  • (1) upx ----- Didn't work
  • (2) GUW ----- Didn't work
  • (3) ProcDump ----- Using its universal unpacking approach, we got good news!

9
Our adventure 1 - Launcher.exe part
10
Our adventure 1 - Launcher.exe part
  • We also tried to unpack the DLL file with ProcDump.
  • But it didn't work.
  • At this point, our conclusion was that the EXE file and the DLL file may have been packed by different packers.

11
Our adventure 1 - Launcher.exe part
  • 3rd try
  • Load the unpacked EXE file with IDA
  • Everything seems good

12
Our adventure 1 - Launcher.exe part
13
Our adventure 1 - Launcher.exe part
  • However, things then turned out not to be that normal.
  • Problems we got
  • By looking at the assembly code and checking the contents of the registers, we saw some invalid address accesses
  • We set a breakpoint and let the debugger run step by step
  • At the line add ss:dword_4093DB[ebp], ebx we got an error message. At the same time, the debugger was disabled.

14
Our adventure 1 - Launcher.exe part
Launcher_unpacked.exe: "The instruction at 0x7C919913 referenced memory at 0x7CC01D77. The memory could not be read." (The faulting instruction lies in the 0x7C9xxxxx range, where Windows XP maps ntdll.dll, so the crash is in system code operating on a broken image rather than in the unpacked program's own code.)
15
Our adventure 1 - Launcher.exe part
  • After directly running the unpacked EXE file, we also got an error message.

16
Our adventure 1 - Launcher.exe part
17
Our adventure 1 - Launcher.exe part
  • Our hypothesis
  • The PE file may have been damaged when we unpacked the EXE file
  • Our Solution
  • Use ProcDump's Rebuild PE function to rebuild the PE file

18
Our adventure 1 - Launcher.exe part
19
Our adventure 1 - Launcher.exe part
  • Running the unpacked file directly after the PE rebuilder, we get the following error message

20
Our adventure 2 - Launcher.exe part
  • (1) We finally realized that the unpacking done by ProcDump may not actually have finished successfully, contrary to what the tool told us.
  • (2) We decided to manually unpack it instead.

21
Our adventure 1 - Launcher.exe part
  • Use PEiD for one last try before we start to manually unpack the software.
  • Luckily it identifies the packing tool used: PECompact 1.56
  • (PEiD matches the bytes at the entry point against a signature database, so this is a strong hint rather than proof.)

22
Our adventure 2 - Launcher.exe part
23
Our adventure 2 Launcher.exe
  • Using OllyDbg (the "ESP trick": many packer stubs save all registers with PUSHAD on entry and restore them with POPAD right before jumping to the original code)
  • - locate ESP right after the stub's PUSHAD
  • - follow ESP in the dump window
  • - set a breakpoint on the first dword pointed to by ESP (a hardware breakpoint on access, since this is data, not code)
  • - run the code; the breakpoint fires when POPAD reads the saved registers back
  • - step into the jump that follows
  • - got the OEP (original entry point)
  • Using LordPE, full-dump the binary in memory
  • Using ImpREC to rebuild the import table of the dump (given the OEP, it reads the resolved imports from the running process and writes a fresh import directory)

24
Our adventure 2 Launcher.exe
Step in until we get here
Dump
25
Our adventure 2 Launcher.exe
Run (F9) the code in OllyDbg and step in (F7) until
26
Our adventure 2 Launcher.exe
OEP
27
Our adventure 2 Launcher.exe
28
Our adventure 2 Launcher.exe
Step 1, Step 2, Step 3, Step 4 (screenshot annotations)
29
Our adventure 2 Launcher.exe
Fix PE
30
Our adventure 2 Launcher.exe
Strings of the unpacked PE
31
Our adventure 2 Launcher.exe
  • Did we manually unpack the EXE file successfully?

32
Our adventure 3 Genesis.dll
  • Then we tried to unpack the DLL file
  • - Only one significant difference from the EXE file

33
Our adventure 3 Genesis.dll
Change the Characteristics field in the PE file header to 010E (a DLL carries 210E; clearing the IMAGE_FILE_DLL bit, 0x2000, lets OllyDbg load the DLL directly like an EXE, so the same unpacking steps apply)
34
Our adventure 3 Genesis.dll
  • We unpacked the DLL successfully
  • We tried to launch the unpacked .exe and .dll
  • The unpacked genesis.dll does not work
  • Something must be wrong

35
Our adventure 3 Genesis.dll
Checksum failure
36
Our adventure 3 Genesis.dll
  • We tried to fix checksum

37
Our adventure 3 Genesis.dll
  • The problem is still there
  • Have to resort to another way
  • From the PE specification, we got
  • - Authenticode PE image hash: relates to the integrity of a file
  • - In an Authenticode signature, the file hash is digitally signed by using a private key known only to the signer of the file
  • - So correcting the checksum cannot help: the hash is computed over the image with the checksum field excluded, our edits still change it, and producing a new valid signature needs the signer's private key
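
The three integrity fields the deck runs into on slides 33, 36 and 37, as an added Python example (not code from the deck and not Genesis code): locating the relevant PE header offsets, flipping the Characteristics word 210E -> 010E, recomputing the optional-header CheckSum, and computing the Authenticode image hash the way the PE/COFF specification lays it out. The sample PE32 image and its certificate table are constructed inline and hypothetical, and the example assumes the "checksum failure" on slide 35 refers to the optional-header CheckSum field. It shows why fixing the checksum could not help: the CheckSum field is excluded from the image hash, while the Characteristics edit still changes it.

```python
# Added example, not code from the Genesis deck: the PE integrity fields the
# write-up meets (Characteristics flip, CheckSum fix, Authenticode image hash),
# exercised on a PE32 image constructed below (no real Genesis.dll bytes used).
import hashlib
import struct
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit; 0x210E -> 0x010E clears it

def layout(data: bytes) -> dict:
    """File offsets of the header fields used below (PE32 or PE32+)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew -> 'PE\0\0'
    opt = pe + 24                                            # optional header follows the 20-byte COFF header
    dirs = opt + (96 if struct.unpack_from("<H", data, opt)[0] == 0x10B else 112)
    return {"characteristics": pe + 22, "checksum": opt + 64, "size_of_headers": opt + 60,
            "security_dir": dirs + 4 * 8,                    # IMAGE_DIRECTORY_ENTRY_SECURITY
            "sections": opt + struct.unpack_from("<H", data, pe + 20)[0],
            "nsections": struct.unpack_from("<H", data, pe + 6)[0]}

def characteristics(data: bytes) -> int:
    return struct.unpack_from("<H", data, layout(data)["characteristics"])[0]

def set_dll_flag(data: bytes, is_dll: bool) -> bytes:
    """Clear IMAGE_FILE_DLL so a debugger loads the DLL like an EXE, or set it back."""
    buf, ch = bytearray(data), characteristics(data)
    ch = (ch | IMAGE_FILE_DLL) if is_dll else (ch & ~IMAGE_FILE_DLL & 0xFFFF)
    struct.pack_into("<H", buf, layout(data)["characteristics"], ch)
    return bytes(buf)

def pe_checksum(data: bytes) -> int:
    """Optional-header CheckSum: end-around-carry fold of every dword except the
    field itself, plus the file length (the fold pefile.generate_checksum implements)."""
    skip, total = layout(data)["checksum"] // 4, 0
    padded = data + b"\0" * (-len(data) % 4)
    for i in range(len(padded) // 4):
        if i != skip:
            total += struct.unpack_from("<I", padded, i * 4)[0]
            if total >= 1 << 32:
                total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def checksum_ok(data: bytes) -> bool:
    return struct.unpack_from("<I", data, layout(data)["checksum"])[0] == pe_checksum(data)

def fix_checksum(data: bytes) -> bytes:
    """The 'fix checksum' step from slide 36: store the recomputed CheckSum."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, layout(data)["checksum"], pe_checksum(data))
    return bytes(buf)

def authenticode_hash(data: bytes, algo: str = "sha256") -> str:
    """Image hash as the PE/COFF spec's Authenticode section lays it out: headers minus
    the CheckSum field and the Certificate Table entry, section raw data in
    PointerToRawData order, then trailing bytes minus the certificate table at the end."""
    L = layout(data)
    cert_size = struct.unpack_from("<II", data, L["security_dir"])[1]
    hdr_end = struct.unpack_from("<I", data, L["size_of_headers"])[0]
    h = hashlib.new(algo)
    h.update(data[:L["checksum"]])
    h.update(data[L["checksum"] + 4:L["security_dir"]])
    h.update(data[L["security_dir"] + 8:hdr_end])
    raw = sorted(struct.unpack_from("<II", data, L["sections"] + i * 40 + 16)[::-1]
                 for i in range(L["nsections"]))             # (PointerToRawData, SizeOfRawData)
    hashed = hdr_end
    for ptr, size in raw:
        h.update(data[ptr:ptr + size])
        hashed += size
    if len(data) > hashed:
        h.update(data[hashed:len(data) - cert_size])
    return h.hexdigest()

def build_sample_pe(dll: bool = True, cert_body: bytes = b"") -> bytes:
    """Constructed minimal PE32 (hypothetical): DOS header, COFF header, 224-byte
    optional header, one .text section, optional WIN_CERTIFICATE table at the end."""
    dos = bytearray(b"MZ") + bytearray(62)
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew
    text, hdr_end = b"\xCC" * 64, 64 + 4 + 20 + 224 + 40     # placeholder code; SizeOfHeaders = 352
    cert = struct.pack("<IHH", 8 + len(cert_body), 0x200, 2) + cert_body if cert_body else b""
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x010E | (IMAGE_FILE_DLL if dll else 0))
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 60, hdr_end)                 # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 4 * 8, hdr_end + len(text) if cert else 0, len(cert))
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), hdr_end,
                       0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect + text + cert

def demo() -> dict:
    """The deck's sequence on the sample: flip 210E -> 010E, fix the checksum, compare."""
    original = fix_checksum(build_sample_pe(dll=True, cert_body=b"A" * 24))
    patched = set_dll_flag(original, False)
    repaired = fix_checksum(patched)
    other_cert = build_sample_pe(dll=True, cert_body=b"B" * 24)
    return {"characteristics": (characteristics(original), characteristics(patched)),
            "checksum_broken_by_patch": not checksum_ok(patched), "checksum_ok_after_fix": checksum_ok(repaired),
            "authenticode_still_differs": authenticode_hash(original) != authenticode_hash(repaired),
            "cert_table_not_hashed": authenticode_hash(original) == authenticode_hash(other_cert)}
```

Calling demo() reproduces the deck's observation: after the 210E -> 010E edit the stored CheckSum no longer matches and fix_checksum repairs it, but authenticode_hash still differs from the original because Characteristics sits in the hashed header region, while swapping the certificate table bytes leaves the hash unchanged because that region is excluded by design. On a real sample, pass the file's bytes to these functions instead of build_sample_pe.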

38
Conclusion
  • Reverse engineering is hard
  • Too many tools, too many software versions, and many anti-reversing techniques
  • For unpacking, the key point is to locate the OEP
  • Launcher.exe is coded in VB
  • - call <JMP.msvbvm60.ThunRTMain>
  • - msvbvm60.dll is the VB virtual machine runtime library
  • - ThunRTMain is the VB code entry point
  • However, we believe genesis.dll is programmed in C or C++