Author Topic: De-Rap and De-GMER  (Read 4260 times)

0 Members and 1 Guest are viewing this topic.

October 18, 2008, 12:49:54 pm
Read 4260 times

bobby

  • Special Members
  • Hero Member

  • Offline
  • *

  • 322
    • Malzilla
No, it is nothing against GMER :)

De-Rap is a tool to patch RapSFX files so that these can be unpacked by using WinRAR.
De-GMER will reverse patches done by GMER/Catchme so that you get working sample again.

I have released both tools at my old website:
http://www.mc-antivirus-test.com/

October 19, 2008, 01:50:06 pm
Reply #1

sowhat-x

  • Guest
Thanks bobby - especially for De-Rap,quite nifty tool :)

In a somewhat similar concept (of modifying .rar archives I mean),
I saw this small tool 'advertized' around in a few reverse engineering forums recently:
http://www.softpedia.com/get/Security/Decrypting-Decoding/Winrar-Unlock.shtml
"Winrar Unlock was designed to unlock winrar archives (including SFX),
allowing you to modify the content freely
."

Now I personally haven't tested the aformentioned tool's capabilities...my curiosity was raised though,
so I spent some time today checking,how someone can manually "unlock" rar archives...
Here's what I got,in case it saves some time / helps anyone out there...

===================
Quote
52 61 72 21 1A 07 00 CF 90 73 00 00 0D -> Typical rar
52 61 72 21 1A 07 00 B5 30 73 04 00 0D -> Locked rar
52 61 72 21 1A 07 00 41 70 73 0C 00 0D -> Locked rar (Solid Archive)
52 61 72 21 1A 07 00 15 37 73 44 00 0D -> Locked rar (With Recovery Record)

So far,so good...in all cases,it's just a matter of 3 bytes patching in the header.
In short:
Code: [Select]
xx xx 73 xxShould be changed to:
Code: [Select]
CF 90 73 00===================

Stuff gets slightly more complicated,when "Authenticity Verification" has been enabled.
Haven't checked the Auth Verification removal under different systems yet,
but I also don't see a reason why it shouldn't work correctly.
At first step,the header obviously needs to be pached...

Quote
52 61 72 21 1A 07 00 CF 90 73 00 00 0D 00 00 00 00 00 00 -> Typical rar
52 61 72 21 1A 07 00 39 1D 73 00 00 0D 00 00 00 CB E3 08 -> Not Locked (With Authenticity Verification)
52 61 72 21 1A 07 00 43 BD 73 04 00 0D 00 00 00 CB E3 08 -> Locked rar (With Authenticity Verification)
52 61 72 21 1A 07 00 E3 BA 73 44 00 0D 00 00 00 CB E3 08 -> Locked rar (With Authenticity Verification plus Recovery Record)

In short:
Code: [Select]
xx xx 73 xx 00 0D 00 00 00 xx xx xxChanges to:
Code: [Select]
CF 90 73 00 00 0D 00 00 00 00 00 00
Second step:along with the above header's byte patching,
Auth Verification record itself (located towards the end of file) also has to be removed.
Else,the archive becomes/appears corrupted.
There exists the following "pseudo-marker" (if I could call it this way...)

Quote
?? ?? 7A 00 C0 E0 00 00 00 00 00 00 00 00 00 02 00 00 00 00 .. .. .. C4 3D 7B 00 40 07 00
2 wildcarded bytes + pseudo-marker + .. .. .. (random size values) + end-marker

7A 00 C0 E0 is what interests us mostly,the pseudo-marker to say so...
The ?? ?? are just 2 extra wildcarded bytes located exactly before,that also need to be removed.
In these 2 wildcarded bytes (non standard values,they differ from archive to archive),
is where the "cut/removal" should start.
The .. .. .. is also a non standard number of bytes that contains the rest of Auth Verification record:
it's size changes/is depended on computer's name,archive's name etc etc...
So how do we know where the "cut/removal" should end?
Exactly before the following end-marker... C4 3D 7B 00 40 07 00