Sunday, July 20, 2014

We're Watching - Embedded Binary Execution and a NOCD

I recently discovered this cross between Splinter Cell and Metal Gear - although it's one of those silly translated Russian games with hilariously shoddy voice acting and even more obscure than some of the games I've come across (see Kabus22).

In Russia, it's called Gorky Zero 2: Aurora Watching, but here in Americaland, let's just call it Aurora Watching (or A&W).

Anyway, this game appears to have a standard CD check when you copy the files.

It's basically doing a standard GetDriveTypeA check against 0x5 (CDROM) and then looking for the "Install.dat" file in that path to clear itself...
Well wtf - that was the only CD check I could find...

Sort of - the game executable isn't that binary. Crashing the game will show you this:
and the task manager will show this:

We have stubcode that basically runs an unpacked executable - where? let's check fopen...

fopen with rb of...

ok - so we open up the binary itself... looks like we're also seeking -8,SEEK_END
8 bytes from the end look like this:
It also reads in twice - 4 bytes at a time, each into an int:
0x1CA00 and 0x5BB030

so we fseek to 0x1CA00 and read in an amount of 0x5BB030

looking at this in the executable - it's basically the end of the stub exe all the way to the end.

then, we open the new binary and follow a very simple obfuscation algorithm to 'decrypt' our binary :)

Now, this may look confusing because it's an optimization of two's complement on an integer when we're actually doing 8-bit math. This is because -1 == 0xFFFFFFFF. The rollover is the same: basically, we're NOT'ing each byte (XORing it with 0xFF), i.e. flipping every bit.

I added in an "& 0xFF" to ensure we didn't have any overflow. This certainly isn't the most optimal way to NOT out bytes, but it will do for our purposes.
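The trailer lookup and byte flip described above, as an added Python example that is not the author's code: it reads the 8-byte trailer, validates the offset and size against the file length, and undoes the NOT. The function names and the sample container are constructed here, and the little-endian offset-then-size layout is assumed from the stub reading both values into x86 ints in that order.

```python
import struct

# Trailer layout as described in the post: the last 8 bytes hold two 32-bit
# ints, payload offset then payload size (little-endian assumed, x86 stub).
TRAILER = struct.Struct("<II")

def flip(data: bytes) -> bytes:
    """NOT every byte (same as XOR 0xFF); the transform is its own inverse."""
    return bytes(b ^ 0xFF for b in data)

def build_sample(stub: bytes, payload: bytes) -> bytes:
    """Constructed test container: stub + flipped payload + trailer."""
    body = flip(payload)
    return stub + body + TRAILER.pack(len(stub), len(body))

def parse_trailer(image: bytes) -> tuple[int, int]:
    """Return (offset, size) after checking both against the real file length."""
    if len(image) < TRAILER.size:
        raise ValueError("file is shorter than the 8-byte trailer")
    offset, size = TRAILER.unpack_from(image, len(image) - TRAILER.size)
    # Never trust the embedded fields: a corrupt or hostile trailer must not
    # make us read outside the file.
    if size == 0 or offset >= len(image) or size > len(image) - offset:
        raise ValueError(f"trailer out of range: offset={offset:#x} size={size:#x}")
    return offset, size

def extract_payload(image: bytes) -> bytes:
    """Carve the embedded blob, undo the byte flip, and sanity-check the result."""
    offset, size = parse_trailer(image)
    decoded = flip(image[offset:offset + size])
    if decoded[:2] != b"MZ":  # a decoded Windows executable starts with "MZ"
        raise ValueError("decoded data does not start with an MZ header")
    return decoded

if __name__ == "__main__":
    # Constructed sample, not bytes from the game.
    sample = build_sample(b"MZ" + b"\x00" * 62, b"MZ\x90\x00" + b"payload")
    off, size = parse_trailer(sample)
    print(f"offset={off:#x} size={size:#x} decoded={extract_payload(sample)!r}")
```

The MZ check is what tells you the offset, size and transform were all guessed correctly before you load the output into a disassembler.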

Now that we have the ACTUAL binary out, let's dive in :D
Ok - good! Looks like this will still run without its wrapper process being present.

First jump is asking if the launch directory is a type 5 removable cdrom drive... patching that should get this going - let's just flip ZF for now, though.

Then we have another path - a:\blahblah\Aurora.ico ... basically, this function checks if the ico file on the disc is present to tell the game if the cd is in or not.  

The code basically looks something like this:
/* ... stuff that gets a:\ and checks if it's a CDROM drive ... */
FILE *f = fopen("a:\\Aurora Watching\\Aurora.ico", "rb");
if (f) {
    fclose(f);      /* the file only needs to exist */
    return true;
}
return false;
Anyway, breaking this logic by telling it to open the correct path or simply skipping the fopen, fclose, and breaking all the logic so this returns true...
will result in this:

and this :)