Identify cruncher

[mnemo]

Hi there!

Can someone identify the cruncher used for this exe?

scl_superball.lha

It's from 1999, so tools like xfd should recognize it, but they don't. This particular exe only runs on 68030+, so it will unpack, but then check for the CPU and just quit if the check fails.

The cruncher is a relocating one, the last data hunk contains the packed data and that is unpacked and written to the second hunk (BSS) of the file.

The init code looks quite unique, I think. Maybe someone has seen it before?

Thanks,
mnemo

Code:

start:
  bra.s main
  dc.b "some message"

main:
  movem.l a7-d0/d7-d0,-(a7)
  lea start-4(pc),a5 ; pointer to this hunk
  lea GetHunk(pc),a6
  moveq #0,d0
  jsr (a6) ;get the second hunk address
  move.l a4,60(a7) ;put return address on stack
  moveq #1,d0
  jsr (a6) ;get the third hunk address (decruncher)
  jsr (a4) ;run decruncher
  jsr -210(a6)
  jsr -636(a6)
  movem.l (a7)+,a6-a0/d7-d0
  rts ;run program

GetHunk:
  move.l a5,a4
.loop:
  move.l (a4),a4
  add.l a4,a4
  add.l a4,a4
  dbf d0,.loop
  addq.w #4,a4
  rts

[Don_Adan]

I dont have access to Amiga to check this, but this code looks for me like modified exe for any data packer. xfd dont recognizes modified exe. If you want to know which packer was used for this file, get part (f.e. 4-6 bytes hex) of depacker and try to find in xfdmaster.library or xfd external decrunchers.

[mnemo]

I tried finding a few bytes in xfdmaster.library, but to no avail. I don't have a tool handy to search hex bytes in all the XFD libs.

The code looks very compact and optimized and it's tightly integrated with the handling of the loaded hunks.

This code fragment seems to detect some settings for the decoder and should be specific enough to be found, but I haven't yet.

Code:

7000 moveq #0,d0
7200 moveq #0,d1
7400 moveq #0,d2
4e93 jsr (a3) ;getbit
6432 bcc.s .found
7200 moveq #0,d1
7402 moveq #2,d2
4e93 jsr (a3)
642a bcc.s .found
7201 moveq #1,d1
7404 moveq #4,d2
4e93 jsr (a3)
6422 bcc.s .found
7201 moveq #1,d1
7408 moveq #8,d2
4e93 jsr (a3)
641a bcc.s .found

a3 points to:

Code:

de07 add.b d7,d7
6604 bne.s .exit
1e20 move.b -(a0),d7
df07 addx.b d7,d7
.exit:
4e75 rts

[StingRay]

This game was made by former group mates of mine.

I have asked my very own tool which performs some heuristics on the input file and result is this:

[mnemo]

WOW! Thanks! That's it!

The init routine is the same as in my first post, except for the bra, changed references and message at the beginning. Now I just need to find out how to make Crunch unpack the exe - or do it myself, I think I understand the unpacking now. ;-)

[Don_Adan]

Crunch is supported by xfdmaster.library (as external depacker).

http://aminet.net/package/util/pack/xfdmaster

[mnemo]

xfddecrunch says "Not crunched", also Crunch itself says the exe is not crunched.

The crunched data normally seems to have the magic bytes "CRUa" before it, that was changed in the game to "0000 4e75". Changing it to 5352 5561 (CRUa) again makes no difference.

How exactly does xpk detect the packer?

[Don_Adan]

Quote:

Originally Posted by mnemo

xfddecrunch says "Not crunched", also Crunch itself says the exe is not crunched.

The crunched data normally seems to have the magic bytes "CRUa" before it, that was changed in the game to "0000 4e75". Changing it to 5352 5561 (CRUa) again makes no difference.

How exactly does xpk detect the packer?

Then You must edit requested bytes to CRUa ID and cut necessary data. I used for similar job FileMaster 2.2.
Every (except some my) xfd depacker has recognition code. You can learn/check some xfd depacker sources code here:

http://wt.exotica.org.uk/others.html

[mnemo]

Thanks. I added the magic bytes, saved the data as a single file and Crunch recognizes and decrunches it, but that's just the code with the relo data as delta values tagged on at the end.
The beginning of the decrunched data is messed up, maybe I need to strip one or two bytes at the end.

[mnemo]

Just took a look at the XFD Crunch external and it's obvious why it doesn't recognize the exe because there are some very hard coded CMPs at absolute offsets in there.

[mnemo]

OK, I did everything manually.
1. Load exe in monitor tool (I always use C-Monitor)
2. Create breakpoint before relocation in WinUAE
3. Run exe (unpacks to memory), triggers breakpoint
4. Save code segment and delta relocation table from WinUAE
5. Write small function in asm to convert delta relocation to absolute relocation table
6. Create skeleton exe in Devpac to integrate data into
7. Use monitor tool to load skeleton exe, code segment and relocation table at correct offsets into memory
8. Modify hunk structure to correctly represent the new exe
9. Save it all.
Unpacked exe works on 68030.

Phew!

[mnemo]

Quote:

Originally Posted by StingRay

I have asked my very own tool which performs some heuristics on the input file and result is this:

Now where can we get that "findcruncher" tool? :-D

[StingRay]

Currently it can be found in the SOURCES: partition of my HD. I will release it to the public once I have implemented all features I have in mind and also written a documentation. Especially the last point will probably delay the release for quite some time.

[mnemo]

Quote:

Originally Posted by StingRay

I will release it to the public once I have implemented all features I have in mind...

Just release it and add more features in the next sprint.