Exetools > General > General Discussion
#1
10-10-2015, 07:49
trodas

Unpacking kkrunchy (Farbrausch) executable

Guys, SuperPi mod1.5 XS is packed with the kkrunchy packer (the file on the right):
http://postimg.org/image/gnk1hqkz3/

I found that Quick Unpack should work well with kkrunchy (http://www.openrce.org/forums/posts/783), so I gave it a try. Find it here:
http://dfiles.eu/files/7w625zzad
...and since it started in the Russian language, I used this little guide from here:
http://www.aldeid.com/wiki/QuickUnpack

...and I really did get an unpacked 764 416-byte file from the 104 960-byte input file:
http://fugger.ipage.com/super_pi_mod-1.5.zip

I run it, it starts, the last two menus work, but the first one, where you choose "Select digits of pi to be calculated", fails to show the respective text as well as the drop-down option menu. Therefore no further testing was done.

I just wanted to take a peek at the unpacked executable after discovering the ugly 24h calculation limit in the 32M test (1M is not affected, but the 32M calculation always fails when it takes longer than 24h...!):
http://forum.hwbot.org/showthread.php?t=141901&page=5
http://www.xtremesystems.org/forums/showthread.php?292870

Also, when used unpacked, it might leave more memory to run the test, so I wanted to try it, but I failed. What should I do differently?

Last edited by trodas; 10-10-2015 at 07:52. Reason: typo fixed
#2
10-10-2015, 19:42
trodas
Well, I did not manage to find out how to switch the language (I probably should try to delete the Russian support files...) in Quick Unpack, but when using the standard "Generic OEP Finder by deroko & Archer", I get the OEP and do unpack; the file is 764 416 bytes in size:
http://www.mediafire.com/?3mwd7f2aawu6tj2 - http://depositfiles.com/files/afzuuc85l

...and seems to work now, however:

kkrunchy claims that
Quote:
Important: kkrunchy performs a (reversible) transform on input code to make it compress better. This is far more sophisticated and effective than the relative-to-absolute jump address transform most executable packers do...
But in the file, there is still the start that says "MZfarbrauschPE", and there are still big, seemingly empty areas in the executable, which makes me worry a bit about "what is going on"...

So if anyone can shed some light on this, I will be grateful. PS. Deleting the "russian.lng" in the Quick Unpack root dir causes it to complain, BUT it shows the English language. Much better.

PS. My main complaint is that the resulting file cannot be opened in ResHacker v4.22 or the older v3.4.0.79... while previously (when in packed form) that was possible, although nothing except the icon was editable...
#3
10-11-2015, 00:45
giv
So from your picture I see that the differences come from the MZ header area (1), section names (2), some author removed (3).
If the unpack is done correctly, the resources should be there and they can be manipulated, except if a resource protection is used (encrypted or placed outside the main virtual space of the executable, in the case of some protectors).
Edit:
It is a simple file to unpack, and the file resources can be altered too. The OEP is a little bit lower than the end of the packer stub.
Code:
0041005E >  6A 00           PUSH 0x0
00410060    E8 7BFC0100     CALL super_pi.0042FCE0
Just see the unpacked and modified file in the attachment.
See the "About" menu.

Edit 2.
I went to the kkrunchy homepage and grabbed the packer:
Quote:
http://www.farbrausch.de/~fg/kkrunchy/
Here is the packer itself unpacked.
Quote:
http://www37.zippyshare.com/v/l95rOKtU/file.html
The packer has some nice features like import protection, OEP tricks, anti-dumps...
The unpacked file must have its section sizes corrected. You can do that yourself.
Attached file: super_pi_mod_dump_SCY.rar (41.0 KB)

Last edited by giv; 10-11-2015 at 01:32.
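Two things in this thread come down to the PE section table: the "MZfarbrauschPE" prefix noted in post #2, and the section-size correction giv says a dump needs before a resource editor will accept it. The script below is an added example written for this thread; it is not code from kkrunchy, Quick Unpack, or any tool named here, and the images it inspects are constructed inside the script (assumptions: a dump laid out by RVA with 0x1000 alignment, a "farbrausch" marker placed in the DOS stub, and a 7.0 bits/byte entropy threshold). It parses the section headers, reports what an analyst checks first (a packer marker, sections with no data on disk, raw ranges past end of file, high-entropy sections), and applies the usual realignment for a memory dump: raw size and raw pointer set to the virtual size and RVA.

```python
# Added example for this thread, not code from kkrunchy, Quick Unpack or any tool
# named above; the images it inspects are constructed by build_sample() below.
import hashlib
import math
import struct
from collections import Counter, namedtuple

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HDR_FMT = "<8sIIIIIIHHI"
SECTION_HDR_LEN = struct.calcsize(SECTION_HDR_FMT)  # 40
Section = namedtuple("Section", "name virtual_size virtual_address raw_size raw_pointer header_offset")

def _headers(data):
    """Validate MZ/PE signatures; return (e_lfanew, section table offset, section count)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    return e_lfanew, e_lfanew + 24 + opt_size, nsec

def parse_sections(data):
    _, table, nsec = _headers(data)
    out = []
    for i in range(nsec):
        off = table + i * SECTION_HDR_LEN
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        out.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vsize, vaddr, rsize, rptr, off))
    return out

def entropy(buf):
    """Shannon entropy in bits per byte; values near 8 mean compressed or encrypted data."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def section_findings(data):
    """Return (section, tag) pairs for the things an analyst checks first."""
    e_lfanew, _, _ = _headers(data)
    found = []
    if b"farbrausch" in data[:e_lfanew]:  # the "MZfarbrauschPE" prefix noted in post #2
        found.append(("header", "packer_marker"))
    for s in parse_sections(data):
        if s.raw_size == 0 and s.virtual_size:
            # empty on disk, reserved in memory: a packer's output area, or a dump
            # whose section table was never realigned to the in-memory layout
            found.append((s.name, "no_raw_data"))
        elif s.raw_size > s.virtual_size:
            found.append((s.name, "raw_exceeds_virtual"))
        if s.raw_pointer + s.raw_size > len(data):
            found.append((s.name, "raw_out_of_file"))
        elif s.raw_size and entropy(data[s.raw_pointer:s.raw_pointer + s.raw_size]) > 7.0:
            found.append((s.name, "high_entropy"))
    return found

def realign_dumped_sections(data):
    """A memory dump is laid out by RVA: set raw size/pointer to virtual size/RVA."""
    buf = bytearray(data)
    for s in parse_sections(data):
        struct.pack_into("<II", buf, s.header_offset + 16, s.virtual_size, s.virtual_address)
    return bytes(buf)

def build_sample(sections, marker=False):
    """Constructed PE32 image laid out by RVA with 0x1000 alignment (an assumption).
    sections: (name, rva, raw_size, raw_pointer, content), len(content) <= 0x1000."""
    size = max(rva for _, rva, _, _, _ in sections) + 0x1000
    img = bytearray(size)
    img[0:2] = b"MZ"
    if marker:
        img[2:12] = b"farbrausch"  # stand-in for the marker; not kkrunchy's real stub
    pe = 0x80
    struct.pack_into("<I", img, 0x3C, pe)  # e_lfanew
    img[pe:pe + 4] = b"PE\0\0"
    # COFF header: i386, section count, timestamp, symtab ptr, symbol count, optional header size, flags
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = pe + 24
    struct.pack_into("<H", img, opt, 0x10B)  # PE32 magic
    struct.pack_into("<III", img, opt + 28, 0x400000, 0x1000, 0x1000)  # ImageBase, section/file alignment
    struct.pack_into("<II", img, opt + 56, size, 0x1000)  # SizeOfImage, SizeOfHeaders
    table = opt + 0xE0
    for i, (name, rva, raw_size, raw_ptr, content) in enumerate(sections):
        struct.pack_into(SECTION_HDR_FMT, img, table + i * SECTION_HDR_LEN,
                         name, 0x1000, rva, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        img[rva:rva + len(content)] = content
    return bytes(img)

PLAIN = bytes(range(64)) * 64  # constructed low-entropy "code": exactly 6.0 bits/byte
SCRAMBLED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # ~7.95 bits/byte

def demo():
    # packed-looking file: header marker, a section empty on disk, a high-entropy payload section
    packed = build_sample([(b".text", 0x1000, 0, 0, b""),
                           (b".packed", 0x2000, 0x1000, 0x2000, SCRAMBLED)], marker=True)
    # a dump whose table still says raw size 0 for every section, before and after realignment
    dump = build_sample([(b".text", 0x1000, 0, 0, PLAIN), (b".data", 0x2000, 0, 0, PLAIN)])
    return section_findings(packed), section_findings(dump), section_findings(realign_dumped_sections(dump))

if __name__ == "__main__":
    for label, result in zip(("packed", "dump", "realigned"), demo()):
        print(label, result)
```

Running it on a real file means replacing the constructed images with `open(path, "rb").read()`; the realignment is only correct for an image that was dumped from memory, since a file that is still laid out by file offsets would have its raw pointers overwritten with RVAs. The entropy and no-raw-data checks are the same signals that make AV engines treat an unknown packer as a black box, which is the point mudlord raises later in the thread.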
#4
10-11-2015, 05:05
trodas
Yeah, I heard that v1.6 was just a sort of rip-off of the v1.5 mod to "steal the downloads" or let people think that they should download something more recent...

Anyway, thanks a lot for the right unpacking and correcting the size, but I cannot load the result into ResHacker to see if it is editable now, because I cannot get the attached file, as I'm not Family.
Could you please post an external link?

I went for the suggested (by Quick Unpack) OEP... how to do manual corrections to fix the sizes of the resources? Mine are bloated to epic proportions.

#5
10-11-2015, 13:08
giv
Ok.
Here is uploaded to public host.
Quote:
I went for the suggested (by Quick Unpack) OEP...
That is a bad approach. I did it manually. The stub is UPX-like. Very easy.
Quote:
... how to do manual corrections to fix the sizes of the resources?
I do not post tutorials or tutorial-like instructions anymore due to so many disappointing facts.
It is easy. Just research.

#6
10-12-2015, 05:34
trodas
Thanks a lot for the unpack (and slight edit)...! So now I can start the unpacked version to see if there will be any difference. That is helpful.
Hopefully Fugger manages to convince the guy who patched the program to produce a better version, without the 24h time limit that was probably introduced with the enhanced ms time precision...

I understand why you don't produce tutorials and that is okay with me. Thank you once again for the help!

#7
10-12-2015, 12:17
cybercoder
Unfortunately it seems lately a lot of executable packers get detected as malware; apparently this is one of them. Kinda sucks as it's a perfect assembly keygen packer.

#8
10-12-2015, 18:00
giv
Because they are pirated (stolen/leaked legitimate copies) or the AV you use is not as good as it should be.

#9
10-15-2015, 14:18
mudlord
Quote:
Originally Posted by giv
Because they are pirated (stolen/leaked legitimate copies) or the AV you use is not as good as it should be.
The problem with kkrunchy is the second part. It's just a fundamental problem all AVs have. They see kkrunchy as a black box, as well as most other packers, and so they flag it as suspicious (UPX gets through since it's so easy to generically unpack). The taggant system was meant to help mitigate the problem, but in practice it does almost nothing (unless you are a protector vendor and want to stop people ripping off your DRM). Code signing stuff with digital signatures is also pretty useless.

I just think the AV system is fundamentally f***ed.

An alternative to kkrunchy, though, is beroexepacker, but it might suffer the same problems. It has a lot more support for things in EXEs and DLLs and, when tuned right, can give the same compression ratios as kkrunchy because it can use the same compression algorithm.