12 Nov

Unity3D protection in Moonton games

This is Part 3 of the series about tricks in PE file format used by Unity3D-based games and cheats.

In Part 1 I analyzed some basic tricks used by Android game modders and ways how to defeat them. In Part 2 I covered more tricks used by modding teams and traced their origins to obscure Chinese Android games.

This part will cover tricks used by game developer Moonton in their games:

All games use modified versions of libmono.so containing few tricks that nobody else uses. Different versions of libraries have slightly different ways of implementing these tricks, most of my analysis is based on Mobile Legends: Bang Bang v1.3.25.3323.

Changed DOS signature

First thing you'll notice is that the normal MZ signature is missing in the Assembly-CSharp.dll and other DLLs.


That is because method mono_image_load_pe_data was changed to check for "ER" instead:

Changed .NET metadata stream names, offsets and sizes

Another trivial change is done inside load_metadata_ptrs - all stream names have "#" replaced with "$". So, instead of "#Blob" stream, you have "$Blob", and so on.

To accomplish that, load_metadata_ptrs was changed like this:

Obfuscated .NET metadata stream offsets and sizes

Final change is the most interesting one - Moonton has decided to obfuscate all .NET metadata stream offsets and sizes. They chose to use simple "binary NOT" operation - but it works really well. smile

Compare original load_metadata_ptrs in Mono code:

and decompiled code from libmono.so

In a different version of libmono.so from Puzzle Ark v1.0.21, both standard and hacked PE files are supported:

Update of my tool

All of Moonton's tricks are very easy to revert. For example, fixing DOS header is a matter of 3 extra lines:

Similarly, a check for .NET metadata stream names can be implemented.

Here you can download updated tool + source code:

Special thanks to Yuuki Kuroyama for bringing my attention to this protection.

31 Oct

Unity3D, Mono and invalid PE files, part 2

In the first part of the series I explained how some cheat authors try to protect their work against other cheaters. It was a quick introduction to Unity3D and bugs in Mono that cheat authors exploit.

Last week someone emailed me another example of a game cheat. My tool from the previous article failed to fix invalid metadata, so I decided to look at it again.

Cheats by BlackMod.net

The cheat I received was made by Mod4U from BlackMod.net team. It appears that Mod4U is one of the most active members of the team, judging by number of the releases. His/her cheats use invalid PE file tricks and are encrypted, as you'll see later in the article.

After looking at different mods from other team members, I've confirmed that Rito, Aurora and Legend also are using invalid PE files for hiding their work. But none of their cheats encrypt Assembly-CSharp.dll.

So, let's look at the cheats and see what new tricks BlackMod team members have found!

Just like in my previous article, I'll be using Mono sources from commit 74be9b6, so that they would more or less match the code used by Unity3D.

Unchecked CLI header values

Mono ignores pretty much every field from CLI header in mono_image_load_cli_header:

.NET runtime validates ch_size, ch_runtime_major, ch_runtime_minor fields. Other reversing tools validate some of the fields.

Unchecked MetaDataRoot values

Mono completely ignores md_version_major and other values of the MetaDataRoot in load_metadata_ptrs:

.NET runtime and tools based on older dnLib validate md_version_major and md_version_minor fields.

How long is the version string?

ECMA-335 specification paragraph II.24.2.1 specifically says

Call the length of the string (including the terminator) m (we require m <= 255); the length x is m rounded up to a multiple of four.

Mono throws specification out the window and does it in another, completely broken way:

Mono accepts version_string_len that is not rounded to multiple of four and rounds it up automatically. It also accepts string length larger than necessary.

This is a very interesting bug, as it affects most of the commonly used .NET reversing tools.

  • .NET 2.0 runtime doesn't actually follow ECMA-335 specification. It doesn't require string length to be aligned and doesn't align it. But it does require that metadata streams start at dword boundary.
  • dnLib/dnSpy will accept unaligned strings but will not align them. It will accept extra long strings. dnLib doesn't require streams to start at dword boundary.
  • CFF Explorer will happily read file with unaligned string length and will align it automatically. It will also accept file with extra long strings.

Invalid HeapSizes/MDStreamFlags value

Mono processes only the lowest 3 bits of HeapSizes in load_tables:

and completely ignores flag value 0x40 which is quite crucial.

See the dnLib sources:

When ExtraData flag is set, there is one more field present in .NET metadata::

.NET runtime and tools based on dnLib respect the flag but Mono completely ignores it. D'oh!

Invalid size of #~ stream

Mono doesn't check size of #~ stream at all. Really. It accesses all the #~ fields with no validation whatsoever:

So, you can set size of #~ stream to a random number and Mono will be happy. CFF will be happy as well. But any other tool will complain.

Invalid size of #Blob stream

Mono correctly reads offset and size for #Blob stream:

but doesn't check values for correctness. So, it will also accept insanely large values for heap_blob.size.

The only checks are done when reading from #Blob stream and only ensure that index is smaller than the declared #Blob size:

Assembly-CSharp.dll encryption

As I already mentioned, Mod4U is the only Blackmod team member who uses this type of protection. To learn how exactly the protection works, please read my previous post.

Today I'd like analyze different encryption methods used by Mod4U. Data show that Mod4U keeps stealing the protection mechanisms from others!

Not operation

On 24-Jun-2018, Mod4U released Dragon Spear v1.25 MOD. APK contains Assembly-CSharp.dll encrypted using simple NOT operation. It also contains libmono.so for armeabi-v7a architecture which is protected by some protector that I can't recognize.

Thanks to VirusTotal, we can track this libmono.so back to a Chinese game from year 2016, called Lance Town. Stolen! smile

Xor 0x71

On 12-Jul-2018, Mod4U uses different encryption in his/her Noblesse M Global v1.2.0 release. APK contains libmono.so for armeabi-v7a architecture and it's not protected at all. This is the exact same encryption that was used by AndroidThaiMod and described in my previous post.

Additional VirusTotal search shows that this protection has been used by different teams since August 2017. Stolen! smile

Sub 0x0D

Starting from 24-Jul-2018 release of Boxing Star v1.1.2, Mod4U uses yet another version of libmono.so. Now there are 2 libmono.so versions - one for armeabi-v7a and one for x86 architecture.

This version of libmono.so seems to be stolen from a different Chinese game! smile How else can you explain presence of the exact same code described in Pediy post about Chinese game and reference to ThreeKindom.dll? And the function name rvlt_modify_data_with_name - a reference to RevolutionTeam who released the game.

VirusTotal search confirms the theory. Stolen again! bigsmile

Cheats by platinmods.com

Platinmods is another Android modding team using pretty much the same tricks.

I took just a quick look at their releases (eg. BLEACH Brave Souls v7.3.1) and found that they employ another encryption method (Xor 0xFB).

According to VirusTotal, that particular version of libmono.so has been used by Vietnamese modding team W4VN.NET since April-2017.

Update for my tool

My original intention was to make a SIMPLE tool that helps you to fix the broken PE file and metadata. My tool does exactly that.

Most of the tricks that I described are trivial to fix. Check the value, if it's incorrect, overwrite it with correct value. Repeat until done. Something like this:

However, "Invalid #~/#Blob size" tricks are particularly difficult to fix. My tool cannot magically support all possible cases, not without writing full .NET metadata reader/writer. And I don't want to do that, sorry. wink

So, if you really, really need to fix invalid stream sizes, try running de4dot on the decrypted Assembly-CSharp-fixed.dll. de4dot versions from years 2016-2017 work best, versions from 2018 most likely will complain about "invalid parameter" or something like that. Same advice applies for dnSpy - versions from 2017 will open most (or all) decrypted files, versions from year 2018 will not.

Download here:

Conclusion

As predicted in my previous article, cheat authors are willing to exploit any and all bugs in Mono to hide their work from others. Some of the bugs they've discovered are really surprising and affect more than just one tool. I expect cheat authors to continue finding new and innovative ways to hide their code in the future as well.

Next time I'll look into... well, I have no idea! bigsmile

P.S. If you still can't make some DLL work, please send me an email (or leave a comment below). I'll look at it and try to help you.

18 Oct

Why morons shouldn’t be writing about security, part 4

Yesterday I read an article on ZDNet called "Researcher finds simple way of backdooring Windows PCs and nobody notices for ten months" and it made my laugh hysterically.

Why? Because it's a bloody nonsense from start to end.

Let's just look at the main claim in the article.

... in cases where a hacker has a foothold on a system --via either malware or by brute-forcing an account with a weak password-- the hacker can give admin permissions to a compromised low-level account, and gain a permanent backdoor with full SYSTEM access on a Windows PC.

What. The. Fuck.

How does this work? Luckily, ZDNet article gives a quick summary:

[Sebastian] Castro, with help from CSL CEO Pedro García, discovered that by tinkering with registry keys that store information about each Windows account, he could modify the RID associated with a specific account and grant it a different RID, for another account group.

Well... To modify a registry entry in the SAM hive on a running system, you must have SYSTEM privileges. But if you already have SYSTEM privileges, you're a God. You can do anything. And to give administrator rights to guest user, you don't need to edit registry, simple net localgroup administrators guest /add will suffice.

This screenshot from the original blog post shows how SAM looks like. To see those data, you must have SYSTEM privileges:

But if you don't have SYSTEM privileges, you won't see SAM contents at all, let alone be able to edit them:

In fact, you can see exactly that in the screenshot graciously provided by Sebastian Castro who "discovered" the "bug":

So, in fact it is a Rube Goldberg's way to modify some account settings, nothing else.

Who put you on stage?

Considering that this "discovery" is a total nonsense, it makes me wonder how is it possible that

The researcher has been on a tour this summer, presenting his findings at various cyber-security conferences, such as Sec-T, RomHack, and DerbyCon.

Seriously? Is it possible that these conferences accept any and all submissions and do no vetting process before adding them to the schedule? bigsmile

Conclusion

Nobody has done anything for 10 months because there's absolutely nothing wrong with Windows (in this case). If you have admin or SYSTEM rights, you can assign group memberships to other users. That's normal and expected.

Dear Mr. Catalin Cimpanu, please stop writing about security. Open a hotdog stand or something, that's much more suitable for your skill level.

16 Oct

About FLARE 2018

For last few years I'm taking part in the FLARE-ON competition. This year I finished 4th - which is not bad at all. smile

Mandatory bragging screen:

Now that the challenge is over, it's fun to read all the solutions. Of course, there are official solutions - they explain what the challenge does and one way how to solve it. Nice but I want more. smile

Then there are "writeups" which basically say "this is my code that gets the answer". Dude, if that makes your e-penis seem bigger, feel free to twit about it. But I don't care about your code. Really.

What I do care about, is how the challenge can be solved. So, here are few selected challenges and related writeups that actually make sense.

Challenge #2 - minesweeper

I wasted too much time on it, relatively speaking. Whopping 37 minutes, on a challenge #2!

I will blame the fact that I was barely awake at the time. In the end I resorted to editing variables in dnSpy, just like @bruce30262 does in his solution.

Other solutions:
* By @mathmare_ - remove IL that triggers failure.
* By @jared703 - find the correct spots.
* By @Eleemosynator - another "find the correct spots".
* By @bruce30262 - edit variables in dnSpy.

Challenge #5 - webassembly

It was my first real encounter with Webassembly, so I just used Chrome to debug it. Plus wabt just to get a better look at the disassembly. It wasn't that bad in this particular case.

Since I don't really do Linux and gcc, I wasn't able and willing to try WASM-to-C conversion and compilation to x86 code. bigsmile

Other solutions:
* By @ctfhacker #1 - uses Chrome, shows the recompilation as well.
* By @ctfhacker #2 - uses wasabi.

Challenge #6 - solving 666 tasks on Linux

My Linux skills suck and I wasn't able to find a reliable way to pipe output from my solver into the challenge.

So I solved the task like a trained monkey.

This bash crap uses gdb to get current challenge from process memory and feeds it to my C# solver running under Mono. Output from solver gets fed to xclip which puts solution into the clipboard. Then I right-click mouse and paste solution into the challenge window. Repeat 666 times. The entire process takes around 20-30 minutes. Click-click-click-click..

Yes, it's extremely inefficient and braindead stupid - but the result is guaranteed and faster than spending hours trying to learn how to automate Linux tools.

Other solutions:
* By @MrAdz350 - uses Unicorn, pexpect.
* By @crudd40233929 - patches original binary to generate keys, uses pexpect.
* By @0xabc0 - uses Frida.
* By @bruce30262 - uses pwntools to send answers to challenge.
* By @ctfhacker - shows how to use angr. Solver needed 28 hours to finish! bigsmile

Challenge #12 - VM inside the VM

This challenge actually consisted of 2 separate parts - 16-bit bootkit and a nasty VM in the VM. Since it was the final challenge, everyone just focused on breaking the VMs. It's a shame because the bootkit part was extremely nice and deserved much more attention than it actually received.

Until the official solutions came out, I didn't know that Subleq code actually ran another VM! Why? Because my solution was data-flow analysis done with pen and paper. When I finished, it looked like this:

Yes, all 10 pages are from this challenge.

Close-up of one of the pages:

Each row contains a flag that I traced, columns are the "cell indexes" of Subleq VM and values are the values I observed during the run. Plus notes, plus attempts to recover the formula..

Kids, don't try this at home! smile

Other solutions:
* By @bruce30262 - writing 2 disassemblers.
* By @SalimSolid - tracing instruction pointer.
* By @invano #1 - cat'n'grep
* By @invano #2 - disasm + recognize high-level macros.
* By @Dark_Puzzle - snapshotting VMs and bruteforcing chars.

30 Sep

September update of unpackers

Last few months have been... extra busy. I survived HDD crash, participated in Flare-On reversing contest (and finished 4th!), had quite fun projects at work - but all that is a matter of another story. Today I want to share with you a long-overdue update for unpackers.

Enigma Virtual Box unpacker

  • Added support for Enigma Virtual Box v8.10, v8.20, v9.00 and v9.10.
  • Unpacker now restores file attributes and date/time. Be careful, unpacked files might have attributes "read only", "hidden", etc.!
  • Added validation of extracted folder/file names to prevent directory traversal attacks. It was on my todo list for a long time and all the media-craziness around Zip Slip finally forced me to do something about it.
  • Fixed warning message about TLS directory. Mea culpa.

Molebox Virtualization Studio unpacker

  • Fixed error "VFSDecrypt: failed to find STELPACK signature" on some data files;
  • Fixed error "SPack catalog not found or invalid. vfsrootsize=00000000" on some EXE files;
  • Fixed out-of-memory error when unpacking huge data files;
  • Loads possible filenames from mole_dictionary.txt;

How to use mole_dictionary.txt

If you have a file which uses "hide files" feature of Molebox VS, it only stores hash of the filename - original filenames are not stored anywhere. But if you have a good idea what the filename might be, you can add it to mole_dictionary.txt and my unpacker will use that for intelligent guessing.

You must enter path relative to where the main executable is, for example: data\magic.dat. DO NOT enter full paths like C:\Program Files\My Program\data\magic.dat, they will not work.

You can also add comments for your convenience - any line starting with "//" is treated as a comment and ignored.

If your paths contain non-English characters, make sure you save mole_dictionary.txt in UTF-8 encoding with BOM.

Real-life example of mole_dictionary.txt

There are lots of different "editions" of Tantra Online game. They all need specific files like HTSound.dll, HTWeb.dll or system\MobInfo.tan to run properly. However, this specific version called Tantra Surya has packed all files inside HTLauncher.exe and .sps files

and enabled "hide files" feature:

My unpacker does the job but original filenames are lost:

To improve unpacking results, you can add list of files normally used by Tantra into mole_dictionary.txt. Let's start with something simple, files that normally are in Tantra root folder:

After that, unpacker works much better. It has recovered most of the DLL names and just 5 filenames are unknown:

Of course, the more possibilities you add, the better are chances that the filename will be recovered. smile So, let's look into some subfolders..

Take, for example, this map folder:

Compare it to the same map folder in some different Tantra edition, in my case - Prime:

Now we know what filenames to add to mole_dictionary.txt:

Run the unpacker again on the packed HTLauncher.exe and the result is much better:

You can keep on building your dictionary until all the unknown filenames are resolved. But that's your task, I will not do that for you.. smile

Have fun and as always - please let me know if you notice any issues!

26 Jun

x64dbg – 2 years later..

Almost 2 years ago I wrote a post about x64dbg and why I don't use it in my work. People still comment on the article, so I decided to revisit x64dbg and see if anything has changed in past two years.

Improvements

Some menus are slightly cleaned up. Not by much, though.

Now you can customize the context menus and hide all the crap you don't need or want. I'd preferred to have the crud removed altogether but it is a really nice feature:

Feature bloat

It's getting slightly better. Instead of three different assembler engines we have "just" two. However, other useless features like "Help on mnemonic" are still there. What for?

And some of the big bloat is still there (eg. Snowman and Yara). Those are standalone tools, not core features. In my opinion, it would make much more sense to have them as plugins so the user can choose whether to have them or not.

But it's still buggy

I tried to use x64dbg for one day - for doing actual work. And during that day, I encountered several serious bugs which seriously affected my work.

Assembler is buggy

Have you ever tried to assemble a simple instruction using x64dbg? For example, mov rax,1 ? You might get a different instruction instead..

As of time of writing, this is the latest x64dbg build available for download. The bug is reproducible on older builds as well.


Why is that? I'd say it's because of the feature bloat. There are 2 assembler engines and apparently at least one of them is not tested properly.

Can I work around it? Yes. Once I know that AsmJit is broken, I can use XEDParse all the time. But it shouldn't be like that in the first place!

Ignored exceptions are not ignored.

Ever tried ignoring exceptions? It kinda works. Sometimes. But not always. From what I see, it's totally random - but 100% reproducible.

Again - using the latest build, x32dbg this time:

Sounds like a minor annoyance to you? Try debugging executable that uses "int 3" as an anti-debug measure everywhere. It's basically impossible with x32dbg.

Conclusion

Some things have improved. But overall, it's still the same product it was 2 years ago - good for some simple tasks, unreliable for an actual work.

15 May

Unity3D, Mono and invalid PE files

Some time ago, Reoto asked a very nice question on Black Storm forum:

Can someone fix the .dll (.net) pe header to MS DOS?
How can I do that?
If you know about protecting .net files for Android, please help me.
I have another question.
Can I fix dnspy to resolve .dll pe header isn't .net?

Obviously, English is not author's first language but it seemed like an interesting problem, so I decided to look into it.

Here is one of the files in question: https://mega.nz/#!0g4VHaIR!KmpQirte4_3lv8MSxyjETiufjFGb-CITpFGrXwxSgGY

TL;DR: Mono loader used by Unity3D accepts invalid PE files. It can be used to break most .NET decompilers. dnlib and tools based on dnlib (dnSpy, de4dot) were updated on 20-Apr-2018 but the rest of the tools still can't handle such files.

Quick background on Unity3D and Mono

I quickly checked file in CFF and it looked like the file doesn't have proper PE header.

I fixed that. But even then it was not recognized as a .NET file.

So, the file is clearly invalid, yet it works just fine in Android! How is that possible?

Well, Android has no clue about PE files or .NET Framework. When you build your program in Unity3D and deploy it to Android, it uses Mono to run your code. Mono is supposed to be open-source alternative of .NET Framework. And it is incredibly buggy.

I'm not Unity3D or Android wizard but the whole monstrosity works something like this:

To make matters worse, even current versions of Unity3D are using a very old Mono version. Like 3+ years old. You can easily tell it by looking at the PE loader error messages. This is how it looks in IDA:

The commit df51163 is clearly missing.

Therefore, for the rest of the article I'll be using Mono sources from commit 74be9b6, so that they would more or less match the code used by Unity3D.

Cause of the problem

A good place to start looking for bugs would be Mono implementation of PE loader:

do_mono_image_load calls function mono_verifier_verify_pe_data which should filter out any invalid PE file and stop loading it. For some reason (which I really don't care about), this function does nothing in Unity3D and returns success.

After that, buggy mono_image_load_pe_data takes over and uses PE parser to load PE structures and .NET metadata. It is followed by equally buggy processing of .NET metadata in both mono_verifier_verify_cli_data and mono_image_load_cli_data.

But first things first..

Invalid PE signature

First of the errors is inside do_load_header. It gets called indirectly from mono_image_load_pe_data:

It checks only first 2 bytes of PE signature, so you can change it to "PE\0\1" or "PEPE" and it will still work under Mono.

Invalid NumberOfRvasAndSizes value

Next bug is located get_data_dir used indirectly by mono_verifier_verify_cli_data.

and get_data_dir looks like this:

Both verify_cli_header and get_data_dir ignore NumberOfRvasAndSizes field in PE header and access "CLR Runtime Header Entry".

Identical bug is in load_cli_header called from mono_image_load_cli_data:

They do not use broken get_data_dir function but the check of NumberOfRvasAndSizes field is still missing. That's why our PE file can have NumberOfRvasAndSizes == 0xA and it still works under Mono.

Invalid metadata size

Mono does a very limited checking of .NET metadata size in load_metadata_ptrs.

However, this check is insufficient. For example, you can set .NET metadata size = 0, most of .NET reversing tools will break but Mono will happily accept the file.

Invalid number of .NET streams

.NET metadata streams are loaded by load_metadata_ptrs.

You can use an arbitrary large number of streams in .NET Metadata header, as Mono will ignore all the invalid data. It probably will spam Android log with "Unknown heap type" messages, but the file will still run.

Invalid number of rows in .NET tables

Final nail in the coffin is the incorrect processing on .NET metadata tables. Tables are loaded in load_tables method which seems to be correct on the first look:

However, the definition of .NET metadata table information (_MonoTableInfo) is wrong:

As a result of this definition, they ignore high-order byte in row count. You can set number of rows to, say, 0xCC000001, .NET metadata will be invalid but Mono happily accepts the file. WTF?

Extra protection by AndroidThaiMod

Game hacks created by AndroidThaiMod.com take the Unity3D/Mono abuse to the next level. They exploit all the bugs I already mentioned. In addition to that, they replace the original libmono.so with their own version. In their version there are few extra lines of code in the function mono_image_open_from_data_with_name:

This change allows AndroidThaiMod to distribute their DLLs encrypted with "extra-strong" XOR encryption. smile

Another fun fact - their cheats only hack ARM version of Unity3D runtime. x86 version, even if present in original APK, gets removed from the hacked APK. So, if you have an Android device with x86 CPU, you're out of luck - AndroidThaiMod cheats won't work there.

Few AndroidThaiMod files I was able to find on Google:
https://drive.google.com/file/d/1g2_43rP9LLrXSmGL-Lw36GTehSUmg3CJ/view
https://drive.google.com/file/d/0B7jRiqM-QmgUeUF2RldrRUFmcUk/view

Other possibilities of abuse

As I mentioned, Mono PE loader is extra buggy. Pretty much all fields in PE header are not validated properly. Plenty of fields in .NET structures are ignored. PE32+ header processing is broken beyond belief. File/section alignment is not enforced. You can have several streams named "#~" and Mono will happily use one of them. Or you could just search for a phrase "FIXME" in Mono sources - you'll find lots of other dirty hacks that can be exploited.

Can it be fixed?

Probably. But considering how broken and messy the entire Mono codebase is, I wouldn't bet on it.

For example, on 13-Apr-2018 Mono developers made this awful commit called "Verify all 4 bytes of PE signature.":

There was no explanation why it was done, what are the side effects and whether they plan to fix all the broken code or if this was just a one-off fix. What a surprise!

And, as I already mentioned, Unity3D is using 3+ years old version of Mono. So, you'll probably have to wait until year 2021 until Unity3D gets they necessary fixes. bigsmile

Workarounds

Even if Mono and Unity3D was fixed, it doesn't help us to analyze existing broken files.

One workaround was to update dnlib (commit c40e148) and reversing tools to support such broken files. It allows to analyze existing files using dnSpy and de4dot. But Reflector and other tools still won't work. So, I decided to make my own tool which will fix broken files and will allow you to use any .NET reversing tool you like.

I needed a PE/.NET reading library which is very simple and low-level. dnLib/Mono.Cecil is way too abstract. After a quick search, I decided to use parts of McCli - but any other library would do just fine.

The code is very straightforward. Read PE structure->validate->fix->repeat.. wink

Conclusion

Games and cheats made using Unity3D are great. It's possible to make very unique protections that will stop most Windows/.NET reversing tools but the program will still work on Android. Enjoy the fun times! smile

Unity3D fixer with source code:

27 Feb

February update of unpackers

Enigma Virtual Box unpacker v0.51

  • Hopefully solved the UI-freeze issues.
  • Improved loading speed for big files (100+ MB).
  • Added a warning for the user when loading big file:
  • Added support for Enigma Virtual Box v8.00.
  • Enigma Virtual Box v8.00 finally added support for TLS callbacks. My unpacker will detect such files and will try to fix TLS directory automatically.

Known issue - for x64 executables exception directory is not restored. The unpacked executable will work until an exception happens. If you find any such executable, please send it to me and I'll work to improve the unpacker.

demoleition v0.60

  • Hopefully solved the UI-freeze issues.
  • Fixed bug with certificates and overlays that I introduced few versions ago.
  • Fixed bug with multi-packed files
  • Main form shows that only Molebox v2.x is supported.
  • Improved loading speed for big files (100+ MB) and added warning for users.

demoleition VS v0.01


This is first BETA release of static unpacker for Molebox v4.x. It works for most of the files in my collection but is not well tested by any means. If you notice any bugs (trust me, you will!), please let me know.

Known limitations: way too many. Few most important ones:

  • Error checking is very limited. If something bad happens, it will most likely crash.
  • Main file is saved as _unpacked.bin. Overlay (if present) is saved as overlay.bin.
  • The biggest problem is the "hide files" feature of MoleboxVS. It does not store original filename, just the MD5 hash of it. So, in those cases it's almost impossible to restore original filenames. I added big fat warning for those cases.
  • Loading large files will make the UI freeze. I'll fix it after the bugs in unpacker itself are fixed.

So, why release it? I've had it like this for 5+ years now. It almost works. But without your feedback it will stay in this "almost working" state forever. The more bugs you report, the bigger the chance that I'll finally finish this project.. So, have fun!


Bugs reported by users. I'll work to fix the when I get some free time.

  • Some data files can't be unpacked. Error
  • Sometimes main EXE file will not be unpacked. No error message but _unpacked.bin file won't be created.
  • Mysterious unpacking problem on some files. Error
  • Very large data files can't be unpacked. Error
10 Jan

F00F bug or why morons shouldn’t be writing about security (again)

Every once in a while, I read an article about security which is so incredibly bad that I just have to comment on it.

This time, it's an article from iTWire called "When F00F bug hit 20 years ago, Intel reacted the same way". It's written by Sam Varghese who claims to have decades of experience in the field. Let's see..

Make Intel CPU to hang remotely and anonymously?

Let me write that down!

Any Intel Pentium/Pentium MMX could be remotely and anonymously caused to hang, merely by sending it the byte sequence "F0 0F C7 C8".

This statement is incorrect in so many ways!

Yes, there was a bug in Pentium CPUs. CPU would freeze when executing instruction lock cmpxchg8b eax which has the opcode "F0 0F C7 C8". Can you see the difference?

  1. CPU doesn't hang on merely seeing the data sequence "F0 0F C7 C8". It hangs when trying to execute these bytes. Big difference! And if someone is able to run arbitrary instructions on your CPU, you have much bigger problems than just a simple hang.
  2. There is no f*ing way to run any code on any CPU remotely and anonymously. You can remotely exploit a bug in firmware/OS/software to execute some code - that's called remote code execution. But that is not specific to Intel CPUs and have nothing to do with the F00F bug in particular.

Dear Sam Varghese, please stop writing about security. Open a hotdog stand or do anything else that doesn't involve computers. You just don't get them.