ws
Registered: Apr 2012 Posts: 251
Malicious Packer?
I was interested in this entry Galaxy Cargo + Poker because I wanted to see if the badness of the raster routine had anything to do with PAL/NTSC timing. It turned out that it is just very badly coded.
What puzzled me was that the depacker was partially obfuscated by an EOR routine. I reverted that and started the program again, but for fun I also altered the chars in the SYS line to WS/G*P. Prog started and all of a sudden my attached disk was empty, named "PREPARE TO DIE!". (I probably could have used Ian's Unp64 V2.36, which gives a depacked largefile, but what I wanted was to have just a de-obfuscated original binary.) My mistake was to not examine the code any further.
This packer actually has a routine checking if the sysline was altered, and if so, the routine will format your currently inserted Disk or VOLUME to "PREPARE TO DIE!". Imagine if one had mounted a flashdrive or even an entire harddisk. Quite dangerous.
Does anybody know something about this >PWR< Packer(?) thing?
Are there any other examples of malicious C64 code like this, like screwing up your disk if things have been altered?
ws
Registered: Apr 2012 Posts: 251
The culprit in this case is PWR Coder V1.89. (And also this one PWR Coder V1.89, All Fucked Up Import)
I recommended these production notes:
Upon execution you have to enter a source and target filename, as well as a start sys address, or alternatively zero for basic RUN. The source program will load and you will be provided with an inverted "!" in the upper left of the screen. Now press <SPACE> for your fucked up target to be saved. After the saving is done, a reset occurs.
This is a malicious tool and usage can result in loss of your data.
From the Scrolltext of the XADES Intro (sic!):
HEY YOU YES YOU HERE IS PWR BACK AFTER ONE WEEK WITH A NEW CODER YOU CANNOT CHANGE TEXTS IN THE CODED PRG IF YOU DO IT THE DISC WILL BE FORMATED THIS CODER WAS WRITTEN BY GKC [TILT] OF PWR GREETS TO ALL OUR CINTACTS
TL;DR: if you alter the text of the SYS line to anything but >PWR< , this program will format your disk upon execution.
Krill
Registered: Apr 2002 Posts: 2968
Quoting ws: "the routine will format your currently inserted Disk or VOLUME to "PREPARE TO DIE!". Imagine if one had mounted a flashdrive or even an entire harddisk."
Do any of the virtual filesystem implementations actually implement formatting a volume on a command from C-64?
That would be quite a bad idea already. =)
iAN CooG
Registered: May 2002 Posts: 3186
I have found different program protectors/coders that have malicious payload, formatting drive 8 in case of tampering.
FCG Protector
H.Leise Protector (practically the same as above with small differences, both by Flash/FCG)
FSW Protector (Florasoft)
STL protector (Starline)
There is also "ICS Drive 8 Coder" that simply will crash if not loaded from drive 8, only found in ICS cracks.
I haven't found so far this PWR coder used in the wild, else I would have added its identification at least, but since it can be removed as a generic routine, seems not even needed. I can add it just for completeness.
Edit: done
Scanners added:
- PWR Coder, formats disk if sysline is tampered with. Added hack to allow any sysline by forcing the check with itself so it's always "good".
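A defender-side triage check in the spirit of the scanner list above, added here as an example that is neither Unp64's code nor the PWR Coder: it walks a PRG's BASIC stub to pull out the text after the SYS address and greps the payload for a DOS format command ("N:"/"N0:") or the "PREPARE TO DIE!" disk name reported in this thread. It assumes only the standard PRG load-address header, BASIC V2 line links and the SYS token $9E; the sample PRG is constructed, not a real crack.

```python
import re
import struct

SYS_TOKEN = 0x9E  # BASIC V2 token for SYS
# PETSCII letters/digits/punctuation share codes with ASCII, so byte patterns suffice.
FORMAT_CMD = re.compile(rb"N[0-9]?:[^\x00,]{1,16}(,[^\x00]{2})?")  # DOS "N" (format) command
SUSPECT_TEXT = [b"PREPARE TO DIE!"]  # disk name reported in the thread

def basic_lines(payload: bytes, load_addr: int):
    """Yield (line_number, body) for each BASIC line, following link pointers."""
    pos = 0
    while pos + 4 <= len(payload):
        link, lineno = struct.unpack_from("<HH", payload, pos)
        if link == 0:  # 0x0000 link terminates the program
            break
        end = payload.find(b"\x00", pos + 4)
        if end < 0:
            break
        yield lineno, payload[pos + 4:end]
        nxt = link - load_addr
        if nxt <= pos:  # corrupt or looping link: stop rather than spin
            break
        pos = nxt

def sys_line_text(payload: bytes, load_addr: int):
    """Return the text after the SYS address on the first SYS line, or None."""
    for _, body in basic_lines(payload, load_addr):
        idx = body.find(bytes([SYS_TOKEN]))
        if idx >= 0:
            m = re.match(rb"\s*\d+(.*)", body[idx + 1:], re.S)
            return m.group(1).strip() if m else b""
    return None

def triage(data: bytes) -> dict:
    """Report the SYS line text plus any format command or suspect string found."""
    load_addr, payload = struct.unpack_from("<H", data, 0)[0], data[2:]  # PRG header
    hits = [m.group(0) for m in FORMAT_CMD.finditer(payload)]
    hits += [s for s in SUSPECT_TEXT if s in payload]
    return {"load_addr": load_addr, "sys_text": sys_line_text(payload, load_addr),
            "suspicious": hits}

def build_sample() -> bytes:
    """Constructed PRG (not a real crack): one BASIC line and a fake ML blob."""
    load = 0x0801
    body = bytes([SYS_TOKEN]) + b"2061 >PWR<"
    link = load + 4 + len(body) + 1  # link pointer to the end-of-program marker
    basic = struct.pack("<HH", link, 10) + body + b"\x00" + b"\x00\x00"
    ml = b"\xa9\x00" + b"N0:PREPARE TO DIE!,PD\x0d" + b"\x60"  # LDA #0 / text / RTS
    return struct.pack("<H", load) + basic + ml
```

A trap wrapped in an EOR obfuscation layer like the one ws describes would hide the string, so a clean scan proves nothing; a hit is a reason to read the code before running it on a disk you care about.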
chatGPZ
Registered: Dec 2001 Posts: 11348
Quote: Do any of the virtual filesystem implementations actually implement formatting a volume on a command from C-64?
That would be quite a bad idea already. =)
<offtopic>not format - but there is currently no concept of "chroot", so you can traverse the entire host filesystem and read/delete whatever you see</offtopic>
ws
Registered: Apr 2012 Posts: 251
Correction:
I must admit that the extension of my warning to "Volume", "Flash Drive" and "Harddisk" was done without sufficient knowledge of the actual access that C64 emulators are given to the host file system. My alertedness was solely based on the experience that, e.g. with Vice in deactivated true-drive emulation mode, one can list all files present on the host system in the directory from which Vice was launched, via dir listing ($).
Furthermore, my personal experience with the Amiga emulator WinUAE led me to the hasty and possibly false conclusion that almost every file available on the host system can be arbitrarily changed or deleted, if appropriately accessible by the emulator's file system. Also I have no experience working with CF-Card readers in a C64 context.
However, if a C64 program is designed to delete the contents of the currently mounted floppy without any prior warning (I am not sure if the terse announcement in the XADES intro scroller can be regarded as a sufficient warning), I still consider that worth reporting :-)
@ian: thank you for including the PWR Coder in Unp64!
ChristopherJam
Registered: Aug 2004 Posts: 1408
Perhaps only tangentially related, but I'm reminded of the time an annoying classmate of Silicon had been hassling him for a pirate copy of some game or other. My brother eventually relented, but only by giving the guy a copy that would trash the disk the first time you played it (something about seeking around with write enabled IIRC :D).
"What do you mean it stopped working? The game loaded when you got home didn't it? Must've been a shitty blank disk you gave me, and no I'm not giving you another copy."
tlr
Registered: Sep 2003 Posts: 1787
Quoting ws: "What puzzled me was, that the depacker was partially obfuscated by an EOR routine. I reverted that and started the program again, but for fun i also altered the chars in the SYS line to WS/G*P. Prog started and all of a sudden, my attached disk was empty, named "PREPARE TO DIE!"."
These were presumably done to stop just that. A lot of text changed cracks were starting to float around, and crackers didn't want that so tools like these got coded. The ones by Flash are the ones I saw first, were there any earlier?
Burglar
Registered: Dec 2004 Posts: 1085
I actually did the same thing on an intro I coded for some group, added a screenram checker so they couldn't change creds, and if change detected quick-format the disk.
What I didn't know was that the format was also triggered by merely freezing the intro with action replay and restarting it ;)
"do you have a new copy? it autodestructed on restart?!"
Bansai
Registered: Feb 2023 Posts: 48
Quoting ChristopherJam: "What do you mean it stopped working? The game loaded when you got home didn't it? Must've been a shitty blank disk you gave me, and no I'm not giving you another copy."
I'm guessing if someone wanted to be truly rotten about this, alter the BAM, then at some point when the person says, "Hey, I have 300 blocks free so I'll copy more stuff onto this disk," the disk dies at their hand (apparently) outside of execution of your boobytrapped program/disk. Like you said, it's the blank disk's fault.
ChristopherJam
Registered: Aug 2004 Posts: 1408
Bansai: haha, evil.
Burglar: Oh nooo. Still, can't have people stealing intro graphix ;)