Unpacking Kazaa 2.6

**Johnny_B** · 12-11-2003, 07:04 PM

Originally posted by RileyF+11 December 2003 - 17:49--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (RileyF @ 11 December 2003 - 17:49)</td></tr><tr><td id='QUOTE'><!--QuoteBegin-Johnny_B@11 December 2003 - 19:26
Didn't random nut unpack kazaa.exe?

well yeah he unpacked it, how would you otherwise reverse engineer it... but that's not the point.. if some one can host the unpacked kazaa other devs that can't unpack it (cause it's protected) ,trough whatever problems, can work on programs for 2.6, resource sections can be changed --> turn outlook in to a lite (icons)and maybe some one can work on KLR and imporve it.. so if some one can host it, that will be a 'investment' in the developing of kazaa lite...[/b][/quote]
Yeah I know all that.
It's just that if random nut already did it, perhaps he could make it easier for us and put it up on his klr website for us to download (or perhaps maybe even email it to someone that can host it).
Once some of us have it, he could then take take it off of his website (no need for him to get into trouble

).
We will eventually spread it.

**random nut** · 12-11-2003, 08:08 PM

Yes, I unpacked it, but I will not send it to anyone else or put it on a web site. I have provided the source code to klr.exe and use the source luke.

**Kunal** · 12-11-2003, 08:32 PM

c'mon RN, just send it to me pls!

**Johnny_B** · 12-11-2003, 09:01 PM

Originally posted by random nut@11 December 2003 - 19:08
Yes, I unpacked it, but I will not send it to anyone else or put it on a web site. I have provided the source code to klr.exe and use the source luke.

I think you like watching us trying to do in a month what you can do in 5 minutes.

We can't handle the source like you do, Obi-wan.

Please help us on this one, random nut.

--Spam-- · 12-12-2003, 04:15 AM

Does this help?

This code unpacks ActiveMark wrapper thanks to the fact, that it uses upx to compress the original PE. Sometimes theres is an error if SoftICE is active in w98 due to a high INT1 address, because a protection checks a large amount of memory from this address and it may produce an access exception.

.386

.model flat, stdcall

option casemap: none
include masm32includewindows.inc
include masm32includekernel32.inc
include masm32includeuser32.inc
include masm32includecomdlg32.inc

includelib masm32libkernel32.lib
includelib masm32libuser32.lib
includelib masm32libcomdlg32.lib

ImageBase      equ 400000h
sizeCabecera    equ 600h
FALSO          equ 0
CIERTO          equ -1

GetSection      PROTO WORD
RealignSections PROTO
WriteITAddress  PROTO WORD, WORD

.data
Save        db 'Unpacked.exe',0
Semaforo    db 'LeeMe.txt',0
msgNoes    db 'La proteccion no es ActiveMark o es otra version, desea continuar de todas maneras?',0
ofnTitle    db 'Unpacker para el ActiveMARK v2.6 bY eSn-mIn',0
ofnFilter  db 'Executable Files (*.exe)',0
            db '*.exe',0,0
Readme      db 'Unpacker para el ActiveMARK v2.6 bY eSn-mIn',13,10
            db 'Creado el 28 de Septiembre del 2002',13,10
            db 'http://www.esnmin.get.to'
sizeReadme  equ $ - OFFSET Readme
Pregunta    db FALSO

.data?
stnfo      STARTUPINFO <>
pinfo      PROCESS_INFORMATION <>
ofn        OPENFILENAME <>
ofnFile    db 200h dup (?)
Bytes      dd ?
sizeRsrc    dd ?
lpRsrc      dd ?
lpRsrc2    dd ?
rvaRsrc    dd ?
Cabecera    db sizeCabecera dup (?)
lpHook      dd ?
lpFile      dd ?
hSave      dd ?
hReadme    dd ?

.code
Main proc
LOCAL rvaITWORD, sizeITWORD, ImageSizeWORD

invoke GetModuleHandle, NULL

        mov ofn.hWndOwner, eax
        mov ofn.lStructSize, SIZEOF ofn
        mov ofn.lpstrFilter, offset ofnFilter
        mov ofn.lpstrTitle, offset ofnTitle
        mov ofn.lpstrFile, offset ofnFile
        mov ofn.nMaxFile, 200h
        mov ofn.Flags, OFN_FILEMUSTEXIST or OFN_PATHMUSTEXIST or
                      OFN_LONGNAMES or OFN_EXPLORER or
                      OFN_HIDEREADONLY
invoke GetOpenFileNameA, offset ofn
or eax, eax
jz error

invoke GetStartupInfo, OFFSET stnfo
invoke CreateProcess, OFFSET ofnFile, NULL, NULL, NULL, NULL,
                      CREATE_SUSPENDED, NULL, NULL, OFFSET stnfo, OFFSET pinfo

; Lee la cabecera
        invoke ReadProcessMemory, pinfo.hProcess, ImageBase, OFFSET Cabecera,
                                  sizeCabecera, OFFSET Bytes

; Obtiene el size y la RVA de la seccion RSRC
        invoke GetSection, 3
        mov rvaRsrc, eax
        mov sizeRsrc, edx

; Realinea las secciones
        invoke RealignSections
        cmp eax, -1
        jz error

; Lee la seccion de recursos donde esta la IAT (La segunda vez es un backup)
        invoke GlobalAlloc, NULL, sizeRsrc
        mov lpRsrc, eax
        invoke ReadProcessMemory, pinfo.hProcess, rvaRsrc, lpRsrc, sizeRsrc, OFFSET Bytes
       
        invoke GlobalAlloc, NULL, sizeRsrc
        mov lpRsrc2, eax
        invoke ReadProcessMemory, pinfo.hProcess, rvaRsrc, lpRsrc2, sizeRsrc, OFFSET Bytes

mov edi, lpRsrc

; Escribe Funcion con la direccion de LoadLibraryA
        mov eax, LoadLibrary
        mov eax, [eax+2]
        mov eax, [eax]
        mov FuncionLoadLibrary, eax
        mov eax, CreateFile
        mov eax, [eax+2]
        mov eax, [eax]
        mov FuncionCreateFile, eax
        mov eax, CloseHandle
        mov eax, [eax+2]
        mov eax, [eax]
        mov FuncionCloseHandle, eax
       
; Busca la cadena LoadLibraryA
        mov eax, 'daoL'
        xor ecx, ecx
        .WHILE [edi+ecx] != eax && ecx < sizeRsrc
                inc ecx
       
        .ENDW
       
        .IF ecx == sizeRsrc && Pregunta == FALSO
                mov Pregunta, CIERTO
                invoke MessageBoxA, 0, OFFSET msgNoes, OFFSET ofnTitle, MB_OKCANCEL OR MB_ICONQUESTION
                cmp eax, IDCANCEL
                jz error

        .ENDIF
       
        mov eax, ecx
        sub eax, 2
        push eax

; Busca algunos ceros seguidos
        xor eax, eax
        xor edx, edx
        .WHILE edx < sizeHook + 1              ; Uno de los ceros marca el final de una cadena, de ahi el +1
                .IF BYTE PTR [edi+ecx] == 0
                        inc edx
                .ELSEIF
                        xor edx, edx
                .ENDIF
                inc ecx
       
        .ENDW
       
        mov eax, ecx
        sub eax, sizeHook
        add eax, rvaRsrc
        mov lpHook, eax

; Busca la parte de la IAT que referencia a esa cadena y escribe la direccion del Hook
        pop eax
        add eax, rvaRsrc
        sub eax, ImageBase
        xor ecx, ecx
        .WHILE [edi+ecx] != eax
                inc ecx
       
        .ENDW
        mov eax, lpHook
        mov [edi+ecx], eax

; Busca el FirstThunk del bloque del Kernel32.dll y suma 4
        mov eax, ecx
        add eax, rvaRsrc
        sub eax, ImageBase
        xor ecx, ecx
        .WHILE [edi+ecx] != eax
                inc ecx
       
        .ENDW
        add DWORD PTR [edi+ecx], 4

; Busca el rva de la IT
        sub ecx, 10h
        mov eax, ecx
        add eax, rvaRsrc
        sub eax, ImageBase
        mov rvaIT, eax

; Busca el size de la IT
        mov bl, FALSO
        .WHILE bl == FALSO
                mov bl, CIERTO
                mov edx, 20
                .WHILE edx > 0
                        .IF BYTE PTR [edi+ecx] != 0
                                mov bl, FALSO
                        .ENDIF
                        inc ecx
                        dec edx
               
                .ENDW
       
        .ENDW
       
        mov eax, ecx
        add eax, rvaRsrc
        sub eax, rvaIT
        mov sizeIT, eax

; Escribe la direccion y size de la IT en la cabecera
        invoke WriteITAddress, rvaIT, sizeIT

; Escribe el Hook en el hueco libre
        mov edi, lpHook
        sub edi, rvaRsrc
        add edi, lpRsrc
        mov esi, OFFSET Hook
        mov ecx, sizeHook
        rep movsb

; Obtiene la ImageSize de la Cabecera
        mov edi, DWORD PTR Cabecera + 3Ch
        add edi, OFFSET Cabecera
        mov eax, [edi+50h]
        mov ImageSize, eax

invoke DeleteFile, OFFSET Readme
invoke WriteProcessMemory, pinfo.hProcess, ImageBase, OFFSET Cabecera, sizeCabecera, OFFSET Bytes
invoke WriteProcessMemory, pinfo.hProcess, rvaRsrc, lpRsrc, sizeRsrc, OFFSET Bytes
invoke GlobalFree, lpRsrc
invoke ResumeThread, pinfo.hThread

; Espera a que se desempaque..
        @@:
        invoke CreateFile, OFFSET Semaforo, GENERIC_WRITE, NULL, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL
        cmp eax, INVALID_HANDLE_VALUE
        jz @b
        mov hReadme, eax
        invoke WriteFile, hReadme, OFFSET Readme, sizeReadme, OFFSET Bytes, NULL
        invoke CloseHandle, hReadme

invoke SuspendThread, pinfo.hThread
invoke WriteProcessMemory, pinfo.hProcess, rvaRsrc, lpRsrc2, sizeRsrc, OFFSET Bytes
invoke GlobalFree, lpRsrc2

invoke GlobalAlloc, NULL, ImageSize
mov lpFile, eax
invoke ReadProcessMemory, pinfo.hProcess, ImageBase, lpFile, ImageSize, OFFSET Bytes

invoke CreateFile, OFFSET Save, GENERIC_WRITE, NULL, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL
mov hSave, eax
invoke WriteFile, hSave, lpFile, ImageSize, OFFSET Bytes, NULL
invoke GlobalFree, lpFile

invoke TerminateProcess, pinfo.hProcess, NULL
invoke CloseHandle, pinfo.hProcess
invoke CloseHandle, hSave
jmp fin

error:
invoke GlobalFree, lpRsrc
invoke GlobalFree, lpRsrc2
invoke TerminateProcess, pinfo.hProcess, NULL
invoke CloseHandle, pinfo.hProcess

fin:
invoke ExitProcess, NULL
ret
Main endp

; -----------------------------------------------------------------------

GetSection proc Number
LOCAL rvaSectionWORD, sizeSectionWORD
        push ebx
        push edi
       
        mov edi, DWORD PTR Cabecera + 3Ch
        add edi, OFFSET Cabecera
        xor ebx, ebx
        mov bx, [edi+14h]      ; Size of NT header
        add edi, ebx
        add edi, 18h+8          ; Size of FileHeader + Size of the name of the section
        mov eax, 28h
        mov ebx, Number
        dec ebx
        mul ebx
        add edi, eax            ; Size of a section * Number of section - 1
        mov eax, [edi]          ; Size of RSRC section
        mov sizeSection, eax
        add edi, 4
        mov eax, [edi]
        add eax, ImageBase      ; RVA of RSRC section
        mov rvaSection, eax
        mov eax, rvaSection
        mov edx, sizeSection
       
        pop edi
        pop ebx
        ret

GetSection endp

; -----------------------------------------------------------------------

RealignSections proc
LOCAL NumberOfSections:WORD
        push eax
        push ebx
        push edi
       
        mov edi, DWORD PTR Cabecera + 3Ch
        add edi, OFFSET Cabecera
        mov ax, [edi+6]
        mov NumberOfSections, ax

        xor ebx, ebx
        mov bx, [edi+14h]      ; Size of NT header
        add edi, ebx
        add edi, 18h            ; Size of FileHeader
       
        mov bx, NumberOfSections
        .WHILE bx > 0
                .IF (DWORD PTR [edi] != '????' || DWORD PTR [edi+4] != '????&#39 && Pregunta == FALSO
                        mov Pregunta, CIERTO
                        invoke MessageBoxA, 0, OFFSET msgNoes, OFFSET ofnTitle, MB_OKCANCEL OR MB_ICONQUESTION
                        cmp eax, IDCANCEL
                        jz error
               
                .ENDIF
               
                mov eax, [edi+8]
                mov [edi+8+8], eax
                mov eax, [edi+0Ch]
                mov [edi+0Ch+8], eax
                add edi, 28h
                dec bx
       
        .ENDW
       
        pop edi
        pop ebx
        pop eax
        jmp fin
       
        error:
        mov eax, -1
       
        fin:
        ret
       
RealignSections endp

; -----------------------------------------------------------------------

WriteITAddress proc rvaITWORD, sizeITWORD
        mov edi, DWORD PTR Cabecera + 3Ch
        add edi, OFFSET Cabecera
        mov eax, rvaIT
        mov [edi+80h], eax
        mov eax, sizeIT
        mov [edi+84h], eax
        ret

WriteITAddress endp

; -----------------------------------------------------------------------

Hook proc ModuloWORD
LOCAL hReadWORD
        mov eax, [ebp+4]
        mov eax, [eax]
        .IF eax == 47078A95h                            ; xchg eax, ebp | mov al, [edi] | inc edi
                mov edx, [ebp+4]
                .WHILE DWORD PTR [edx] != 0C009078Bh    ; mov eax, [edi] | or eax, eax
                        dec edx
               
                .ENDW
                sub edx, 6
                mov eax, edx
                .WHILE DWORD PTR [eax] != 0FFCD8357h    ; push edi | or ebp, -1
                        dec eax
               
                .ENDW
                inc eax
                mov WORD PTR [eax], 685Eh              ; pop esi | push
                mov [eax+2], edx                        ; address
                mov BYTE PTR [eax+6], 0C3h              ; ret
                sub eax, 0Dh                            ; eax = OEP !!
               
        ; Escribe el OEP en la cabecera
                mov edx, ImageBase
                add edx, [edx+3Ch]
                sub eax, ImageBase
                mov [edx+28h], eax

        ; Crea algo para avisar de que ya estamos
        call _CreateFile
                FuncionCreateFile  dd ?
                db 'LeeMe.txt',0
               
                _CreateFile:
                pop eax
                push NULL
                push FILE_ATTRIBUTE_NORMAL
                push CREATE_ALWAYS
                push NULL
                push NULL
                push NULL
                add eax, 4
                push eax
                mov eax, [eax-4]
                call eax
                mov hRead, eax
               
        call _CloseHandle
                FuncionCloseHandle  dd ?
               
                _CloseHandle:
                pop eax
                mov eax, [eax]
                push hRead
                call eax
               
                jmp $
                       
        .ENDIF
        call _LoadLibrary
        FuncionLoadLibrary dd ?
       
        _LoadLibrary:
        pop eax
        mov eax, [eax]
        push Modulo
        call eax
        ret

Hook endp

sizeHook    equ $ - OFFSET Hook

end Main

--Spam-- · 12-12-2003, 04:17 AM

Or this?

A 10-30 minutes method to remove the activemark protection from a game is presented here:

AM=Activemark

tools required :
PTRW/W9x, SoftIce, C/C++ compiler, basic debugging skills.

Now this method is very cumbersome, my english is bad and if your not familiar with S-ice and such
you can skip all this

Background:

AM's Softice detection is quite simple. It tries to open a file like "\\.\SICE", "\\.\NTICE", etc and exits if success. So simply use Yoda's HOKO and you can play with SoftIce as you like.
I needed PTRW 2000 / WinMe because it makes a correct dump, which I wasn't able (I didnt' try hard to make
under NT/2k with Sice - addins.

1). Method of finding our entrypoint:
* under nt/2k, launch hoko (use CreateFileA hook and ret -1 if "\\.\NTICE" on CreateFileA)
* launch the AM protected game, wait 1-3 seconds, press ctrl-d, then search for the following pattern in memory :
if you cant find it, g and wait another second, then ctrl-d again. It is there, believe me.

L0 lea edi, [esi + ...]
L1 mov eax, [edi]
L2 or eax, eax
L3 jnz XXX

i.e. s 400000 L -1 8B, 07, 09, C0, 74

OK. note the above instruction, is something like lea edi, [esi + ...]
because this will be our new entry point.

now boot in w9x, load the .exe in PTRW, bpx at L0, and go.
we will receive a break due to our bpx @ L0

(Here I should tell you that even you make the perfect dump at this point, it won't work because:
a) - the .exe already loaded &LoadLibraryA and &GetProcAddress somewhere in memory, making our crack OS-dependant);
B) - you need to skip 2 more checks (2 JMPs);
c) - the game is reading itself, so because our dump is different than the original exe, another error will occur.

you will learn to avoid all these problems in a sec.

for the point c). we will be loading at L0 a little DLL, am.dll, which will overwrite LoadLibraryA and GetProcAddress (at loadtime) in the game (their locations are found very easy :
scroll down the code, you will see a call to [esi + ...] just a few lines below, notice the address on a
paper, I call them LLA. The GPA (GetProcAddress) is just after the LLA. Also note the values of the ESI and EDI registers, as when the EIP will be "L1". (i.e LEA EDI, ... is executed)
(ESI is always 401000, EDI is 401000 + some_value)

so, we will write a little stub. Search down the code, you will notice that we have plenty of space (0s) just
after this kind of jump, at L6...
L4 POPAD
L5 JMP ep
L6 db 0, 0, 0, 0,... (lots of them, cant miss'em

so, we'll jump at L6, make a call to loadlibrary, then jump back, then dump the exe.

at L0: overwrite with :
NOP 90
JMP L6 ; (E9 XX XX XX XX)

at L6:
CALL $+7 ; (E8 07 00 00 00)
db 'am.dll', 0 ; (7 bytes)
mov edx, @LLA ; address of LoadLibraryA you've noted before
call edx ; the stack is already with 'am.dll' on it
; return to host
pushad
mov esi, 401000 ; (BE 00 10 40 00) (prev. noted value)
mov edi, ... ; (BF xx xx xx xx) (prev. noted value)
JMP L1

ok, now is time to fix the point B). i.e. get rid of the subsequent AM checks.

search in memory for the address of the following
AS1 = "ActiveMark Client engine could not find a valid volume."
AS2 = "Unable to start ActiveMark Client engine due to an internal error."

ok, now search in memory for instructions : "PUSH AS1" and "PUSH AS2", (they appear only once)
and look just before. Sometimes there is a simple JNZ or JZ instruction, sometimes it takes a
little bit of effort but this is it : you just have to avoid (with a simple JMP) getting here.
(shouldnt' take you more than 5 minutes of debugging).

ok, now everything is set, just "pedump dump.exe", and go
the game should not crash, if we did it right.

Now, boot again in nt/w2k, make a quick tool that will scan dump.exe for "KERNEL32.DLL" (case sensitive)
where we find a PE import section. (a routine is presented below)

and fix the imports just before it...

---------------------------------------------
Now, all we need is our injected DLL, "am.dll"

the scope of this DLL is to check if the game tries to open itself, and present him with the
original exe if so .

For this you could also use Yoda's HOKO. (great tool, too bad its for money)

This am.dll presented here is configurable, meaning am_hooks.dll will have 4x2 bytes containing the
addresses of LoadLibraryA and GetProcAddress in the game. Quick and DIRTY :

With this, move the original game xxxx.exe into xxxx.ex_, copy the dumped.exe as xxxx.exe,
compile & copy the am.dll into the game dir, fix the imports on the dumped.exe, edit am_hooks.bin
and enter the addresses of LoadLibraryA and GetProcAddress, and there you go, launch the exe
and it will go. No more AM.

If something goes wrong, you will have to figure out for yourself

---------------------------------------------------------------

// am.cpp : Defines the entry point for the DLL application.
//

#include

typedef HANDLE WINAPI _LoadLibraryA_t
(
LPCTSTR lpLibraryName
);

typedef HANDLE WINAPI _GetProcAddress_t
(
HMODULE hModule,
LPCTSTR lpFunctionName
);

typedef HANDLE WINAPI _CreateFile_t(
LPSTR lpFileName,
DWORD dwDesiredAccess,
DWORD dwShareMode,
LPSECURITY_ATTRIBUTES lpSecurityAttributes,
DWORD dwCreationDisposition,
DWORD dwFlagsAndAttributes,
HANDLE hTemplateFile
);

static char g_szGame[MAX_PATH + 1];
static long g_szGameLen = 0;
static char* g_szHooksPointersFile = "am_hooks.bin";

DWORD g_pfnCreateFile_ORIG = 0;
DWORD g_pfnLoadLibraryA_ORIG = 0;
DWORD g_pfnGetProcAddress_ORIG = 0;

DWORD g_bLoadingKernel32 = FALSE;

HANDLE WINAPI xCreateFile(LPSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);
HANDLE WINAPI xLLA(LPCTSTR lpLibraryName);
HANDLE WINAPI xGPA(HMODULE hModule, LPCTSTR lpFunctionName);

void FixPointers()
{

DWORD dwDummy;
DWORD dwLLA = 0;
DWORD dwGPA = 0;

HANDLE hFile = CreateFile(g_szHooksPointersFile,
GENERIC_READ,
FILE_SHARE_READ,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL);

if (INVALID_HANDLE_VALUE != hFile)
{
ReadFile(hFile, &dwLLA, 4, &dwDummy, NULL);
ReadFile(hFile, &dwGPA, 4, &dwDummy, NULL);
CloseHandle(hFile);

*((DWORD*)dwLLA) = (DWORD)xLLA;
*((DWORD*)dwGPA) = (DWORD)xGPA;

}
}

BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{

switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:

// initialize the pointers
g_pfnCreateFile_ORIG = (DWORD)CreateFileA;
g_pfnLoadLibraryA_ORIG = (DWORD)LoadLibraryA;
g_pfnGetProcAddress_ORIG = (DWORD)GetProcAddress;
g_szGame[0] = '\0';

// Get self name
g_szGameLen = GetModuleFileName(GetModuleHandle(NULL), g_szGame, MAX_PATH);

// mark pointers in the game

FixPointers();
break;

case DLL_PROCESS_DETACH:
break;
}

return TRUE;
}

HANDLE WINAPI xLLA(LPCTSTR lpLibraryName)
{
long k, nLen;
for (k = nLen = 0; !IsBadReadPtr(&lpLibraryName[k], 1) && lpLibraryName[k] != '\0'; k++)
nLen++;

if (nLen == 12)
{
if (lpLibraryName[0] | 0x20 == 'k' &&
lpLibraryName[1] | 0x20 == 'e' &&
lpLibraryName[2] | 0x20 == 'r' &&
lpLibraryName[3] | 0x20 == 'n' &&
lpLibraryName[4] | 0x20 == 'e' &&
lpLibraryName[5] | 0x20 == 'l' &&
lpLibraryName[6] | 0x20 == '3' &&
lpLibraryName[7] | 0x20 == '2' &&
lpLibraryName[8] | 0x20 == '.' &&
lpLibraryName[9] | 0x20 == 'd' &&
lpLibraryName[10] | 0x20 == 'l' &&
lpLibraryName[11] | 0x20 == 'l&#39
{
g_bLoadingKernel32 = 1;
}
else
{
g_bLoadingKernel32 = 0;
}
}

_LoadLibraryA_t* pfnMyLoadLibraryA = (_LoadLibraryA_t*)g_pfnLoadLibraryA_ORIG;
return (*pfnMyLoadLibraryA)(lpLibraryName);

}

HANDLE WINAPI xGPA(HMODULE hModule, LPCTSTR lpFunctionName)
{
if (g_bLoadingKernel32)
{
long k, nLen;
for (k = nLen = 0; !IsBadReadPtr(&lpFunctionName[k], 1) && lpFunctionName[k] != '\0'; k++)
nLen++;

if (11 == nLen)
{
if ((lpFunctionName[0] | 0x20) == 'c' &&
(lpFunctionName[1] | 0x20) == 'r' &&
(lpFunctionName[2] | 0x20) == 'e' &&
(lpFunctionName[3] | 0x20) == 'a' &&
(lpFunctionName[4] | 0x20) == 't' &&
(lpFunctionName[5] | 0x20) == 'e' &&
(lpFunctionName[6] | 0x20) == 'f' &&
(lpFunctionName[7] | 0x20) == 'i' &&
(lpFunctionName[8] | 0x20) == 'l' &&
(lpFunctionName[9] | 0x20) == 'e' &&
(lpFunctionName[10] | 0x20) == 'a&#39
{
return xCreateFile;
}
}
}

_GetProcAddress_t* pfnMyGetProcAddress = (_GetProcAddress_t*)g_pfnGetProcAddress_ORIG;
return (*pfnMyGetProcAddress)(hModule, lpFunctionName);
}

HANDLE WINAPI xCreateFile(LPSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile)
{

if (IsBadReadPtr(lpFileName, 1))
return INVALID_HANDLE_VALUE;

long k, nLen;
for (k = nLen = 0; lpFileName[k] != '\0'; k++)
nLen++;

if (g_szGameLen == nLen)
{
for (k = 0; k < nLen; k++)
{
if ((lpFileName[k] | 0x20) != (g_szGame[k] | 0x20))
break;
}

if (k == nLen)
{
lpFileName[k -1] = '_';
}
}

_CreateFile_t* pfnMyCreateFile = (_CreateFile_t*)g_pfnCreateFile_ORIG;

return (*pfnMyCreateFile)(lpFileName,
dwDesiredAccess,
dwShareMode,
lpSecurityAttributes,
dwCreationDisposition,
dwFlagsAndAttributes,
hTemplateFile);
}
---------------------------------------------------------------

and the "optimised", DIRTY too, routine for fixing imports :

bool FixImports(char* pszFileName)
{
CString strOrigGame = CString(pszFileName);
char* szFileName = (LPSTR)(LPCSTR)strOrigGame;

HANDLE hFile = CreateFile(szFileName,
GENERIC_READ,
FILE_SHARE_READ,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL | FILE_FLAG_SEQUENTIAL_SCAN,
NULL);

if (INVALID_HANDLE_VALUE == hFile)
{
return false;
}

DWORD dwDummy;
DWORD dwSize = GetFileSize(hFile, &dwDummy);

HANDLE hMap = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, dwSize, "__KRNL32OFFS_SCAN2");
if (!hMap)
{
printf("CreateFileMapping failed\n");
}

DWORD* pMapMem = (DWORD*)MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, 0);
ULONG _bFound = 0;
ULONG _nOffset = 0;
if (pMapMem)
{
__asm
{
cld

mov _bFound, 0

mov ecx, dwSize
shr ecx, 2
mov edi, pMapMem

_loop:
mov eax, 0x4e52454b // 'KERN'
repnz scasd
cmp ecx, 0
jnz _found1
jmp _notfound

_found1: cmp [edi], 0x32334c45 // 'EL32'
jz _found2
jmp _notfound

_found2: cmp [edi + 4], 0x4c4c442e // '.DLL'
jnz _notfound

inc ecx
shl ecx, 2
mov eax, dwSize
and eax, 0xfffffffc
sub eax, ecx
mov _nOffset, eax
jmp _done

_notfound:
cmp ecx, 8
ja _loop

_done:
}

}
else
{
return false;
}

UnmapViewOfFile(pMapMem);

DWORD dwAddressOffset = _nOffset - 0x70;
CloseHandle(hMap);
CloseHandle(hFile);

char buff[512];
char libbuff[1024];
GetSystemDirectory(buff, 512);

DWORD a[24];
HINSTANCE h;
memset(a, 0, 24 * sizeof(DWORD));

a[0] = (DWORD)LoadLibrary;
a[1] = (DWORD)GetProcAddress;
a[2] = (DWORD)ExitProcess;

a[4] = (DWORD)RegCloseKey;

strcpy(libbuff, buff);
strcat(libbuff, "\\comdlg32.dll");
h = LoadLibrary(libbuff);
if (h)
{
a[6] = (DWORD)GetProcAddress(h, "PrintDlgA");;
FreeLibrary(h);
}

strcpy(libbuff, buff);
strcat(libbuff, "\\crypt32.dll");
h = LoadLibrary(libbuff);
if (h)
{
a[8] = (DWORD)GetProcAddress(h, "CertOpenStore");;
FreeLibrary(h);
}

a[10] = (DWORD):PtoLP;

strcpy(libbuff, buff);
strcat(libbuff, "\\netapi32.dll");
h = LoadLibrary(libbuff);
if (h)
{
a[12] = (DWORD)GetProcAddress(h, "Netbios");
FreeLibrary(h);
}
a[14] = (DWORD)CoInitialize;
a[16] = (DWORD)ExtractIconA;
a[18] = (DWORD)::GetDC;

strcpy(libbuff, buff);
strcat(libbuff, "\\wininet.dll");
h = LoadLibrary(libbuff);
if (h)
{
a[20] = (DWORD)GetProcAddress(h, "InternetOpenA");;
FreeLibrary(h);
}

strcpy(libbuff, buff);
strcat(libbuff, "\\winmm.dll");
h = LoadLibrary(libbuff);
if (h)
{
a[22] = (DWORD)GetProcAddress(h, "joyGetPos");;
FreeLibrary(h);
}

CFile f;
if (f.Open(strOrigGame, CFile::modeReadWrite))
{
f.Seek(dwAddressOffset, CFile::begin);
f.Write(a, 24 * sizeof(DWORD));
f.Close();
}
else
{
return false;
}

return true;
}

**Ariel_001** · 12-12-2003, 04:27 AM

if someone here successfully unpacked kazaa can please host it somewere. I really want to edit out some of shareman crap.

**infamousalbo101** · 12-12-2003, 04:56 AM

Yes It does help

**Kunal** · 12-13-2003, 11:32 AM

C'mon someone just send me the god dam file

.

Ferasso/ RN, can you put it on some webpace for us please?

**nettwister** · 12-17-2003, 07:12 PM

Originally posted by Ferasso@28 November 2003 - 16:54
Open kazaa.exe in hex editor, go to offset 12FACC, there you will find a byte BB, and change it to CC. Save and to into SICE and:
bpint 03
Run the file, Sice breaks.
e eip bb
bc*
bpmb 576E71 x
F5

Wait... sice breaks
a eip
jmp eip
nop
enter
F5

Go into lord PE, fully dump kazaa, then kill task.
Open it in PE editor, set the entry point to 176E71
Save. Open it in hex editor, find EBFE90 and replace with 558BEC. Done.

Unpacked succesfully with this trick, but I have fixed the import table with ImportREC. After that, the file didn't run successfully. But I'm sure that ImportREC has fixed the hole import table, 'cos in the screen, there wasn't unresolved item in the import table list. Where did I make a mistake?

Thread: Unpacking Kazaa 2.6

Thread Tools

Bookmarks

Bookmarks

Posting Permissions