CSDb User Forums
Forums > C64 Coding > Malicious Packer?
2023-08-17 01:35
ws

Registered: Apr 2012
Posts: 248
Malicious Packer?

I was interested in this entry Galaxy Cargo + Poker because I wanted to see if the badness of the raster routine had anything to do with PAL/NTSC timing. It turned out that it is just very badly coded.

What puzzled me was that the depacker was partially obfuscated by an EOR routine. I reverted that and started the program again, but for fun I also altered the chars in the SYS line to WS/G*P. Prog started and all of a sudden, my attached disk was empty, named "PREPARE TO DIE!". (I probably could have used Ian's Unp64 V2.36, which gives a depacked largefile, but what I wanted was to have just a de-obfuscated original binary.) My mistake was to not examine the code any further.

This packer actually has a routine checking if the sysline was altered, and if so, the routine will format your currently inserted disk or VOLUME to "PREPARE TO DIE!". Imagine if one had mounted a flash drive or even an entire hard disk. Quite dangerous.

Does anybody know something about this >PWR< Packer(?) thing?

Are there any other examples of malicious C64 code like this, like screwing up your disk if things have been altered?
2023-08-17 10:25
iAN CooG

Registered: May 2002
Posts: 3170
I have found different program protectors/coders that have malicious payload, formatting drive 8 in case of tampering.
FCG Protector
H.Leise Protector (practically the same as above with small differences, both by Flash/FCG)
FSW Protector (Florasoft)
STL protector (Starline)

There is also "ICS Drive 8 Coder" that simply will crash if not loaded from drive 8, only found in ICS cracks.

I haven't so far found this PWR coder used in the wild, else I would have added its identification at least, but since it can be removed as a generic routine, it seems not even needed. I can add it just for completeness.

Edit: done

Scanners added:
- PWR Coder, formats disk if sysline is tampered with. Added hack to allow any sysline by forcing the check with itself so it's always "good".
2023-08-17 17:55
chatGPZ

Registered: Dec 2001
Posts: 11290
Quote:
Do any of the virtual filesystem implementations actually implement formatting a volume on a command from C-64?

That would be quite a bad idea already. =)

<offtopic>not format - but there is currently no concept of "chroot", so you can traverse the entire host filesystem and read/delete whatever you see</offtopic>
2023-08-17 21:46
ws

Registered: Apr 2012
Posts: 248
Correction:
I must admit that the extension of my warning to "Volume", "Flash Drive" and "Harddisk" was done without sufficient knowledge of the actual access that C64 emulators are given to the host file system. My alertedness was solely based on the experience that, e.g. with Vice in deactivated true-drive emulation mode, one can list all files present on the host system in the directory from which Vice was launched, via dir listing ($).
Furthermore, my personal experience with the Amiga emulator WinUAE led me to the hasty and possibly false conclusion that almost every file available on the host system can be arbitrarily changed or deleted, if appropriately accessible by the emulator's file system. Also I have no experience working with CF-Card readers in a C64 context.

However, if a C64 program is designed to delete the contents of the currently mounted floppy without any prior warning (I am not sure if the terse announcement in the XADES intro scroller can be regarded as a sufficient warning), I still consider that worth reporting :-)

@ian: thank you for including the PWR Coder in Unp64!
2023-08-18 04:45
ChristopherJam

Registered: Aug 2004
Posts: 1402
Perhaps only tangentially related, but I'm reminded of the time an annoying classmate of Silicon had been hassling him for a pirate copy of some game or other. My brother eventually relented, but only by giving the guy a copy that would trash the disk the first time you played it (something about seeking around with write enabled IIRC :D).

"What do you mean it stopped working? The game loaded when you got home didn't it? Must've been a shitty blank disk you gave me, and no I'm not giving you another copy."
2023-08-18 12:09
tlr

Registered: Sep 2003
Posts: 1762
Quoting ws
What puzzled me was that the depacker was partially obfuscated by an EOR routine. I reverted that and started the program again, but for fun I also altered the chars in the SYS line to WS/G*P. Prog started and all of a sudden, my attached disk was empty, named "PREPARE TO DIE!".

These were presumably done to stop just that. A lot of text changed cracks were starting to float around, and crackers didn't want that so tools like these got coded. The ones by Flash are the ones I saw first, were there any earlier?
2023-08-18 20:11
Burglar

Registered: Dec 2004
Posts: 1066
I actually did the same thing on an intro I coded for some group, added a screenram checker so they couldn't change creds, and if change detected quick-format the disk.

What I didn't know was that the format was also triggered by merely freezing the intro with action replay and restarting it ;)

"do you have a new copy? it autodestructed on restart?!"
2023-08-19 00:59
Bansai

Registered: Feb 2023
Posts: 40
Quoting ChristopherJam
"What do you mean it stopped working? The game loaded when you got home didn't it? Must've been a shitty blank disk you gave me, and no I'm not giving you another copy."
I'm guessing if someone wanted to be truly rotten about this, alter the BAM, then at some point when the person says, "Hey, I have 300 blocks free so I'll copy more stuff onto this disk," the disk dies at their hand (apparently) outside of execution of your boobytrapped program/disk. Like you said, it's the blank disk's fault.
2023-08-19 17:52
ChristopherJam

Registered: Aug 2004
Posts: 1402
Bansai: haha, evil.
Burglar: Oh nooo. Still, can't have people stealing intro graphix ;)
2023-08-19 19:17
Rastah Bar
Account closed

Registered: Oct 2012
Posts: 336
I remember a crack where, on pressing the reset button (IIRC), a big grim reaper sprite would appear and the disk would be formatted.
2023-08-19 21:38
ws

Registered: Apr 2012
Posts: 248
@Bansai: That is actually a pretty sweet/nasty idea for a tool "Very Fast Floppy Compressor"...
"A new and groundbreaking method of reorganizing and compressing suboptimally filled blocks!!!! 25% more free disk space guaranteed - in almost no time!"
Just display some stats, scrolling lists of data, some percentage counter, move the floppy head around and alter the BAM to 25-30% more blocks free. And since afterwards one could successfully store a new file, everything would look legit. Until the rude awakening upon trying to load one of the damaged files. :-D Evil!
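The BAM trick Bansai and ws describe above has a straightforward defensive counterpart: walk every file chain in the directory and report any block a file still occupies while the BAM at 18/0 calls it free. The code below is an added example, not code from the thread or from Unp64; `build_image` constructs a minimal 35-track D64 in memory (no real disk data) so the check can be run offline.

```python
# Added example, not code from the thread: cross-check a D64 image's BAM (18/0)
# against the directory's file chains. Constructed sample disk, no real data.
SECTORS = [21] * 17 + [19] * 7 + [18] * 6 + [17] * 5      # sectors per track 1..35
def offset(track, sector):           # byte offset of a block in a 35-track D64
    return (sum(SECTORS[:track - 1]) + sector) * 256
def bam_entry(track):                # 4-byte BAM entry: free count + 3 bitmap bytes
    return offset(18, 0) + 4 + (track - 1) * 4
def is_free(img, track, sector):     # BAM bit set = block free
    return bool(img[bam_entry(track) + 1 + sector // 8] >> (sector % 8) & 1)

def set_free(img, track, sector, free):   # flip one bit, keep the count in step
    if is_free(img, track, sector) != free:
        img[bam_entry(track) + 1 + sector // 8] ^= 1 << (sector % 8)
        img[bam_entry(track)] += 1 if free else -1

def build_image(files):
    """Constructed disk: {name: blocks} closed PRG files (max 8) from track 1 up."""
    img = bytearray(683 * 256)
    img[offset(18, 0):offset(18, 0) + 3] = bytes([18, 1, 0x41])     # directory at 18/1
    for trk in range(1, 36):                                        # freshly formatted BAM
        img[bam_entry(trk):bam_entry(trk) + 4] = (
            bytes([SECTORS[trk - 1]]) + ((1 << SECTORS[trk - 1]) - 1).to_bytes(3, 'little'))
    set_free(img, 18, 0, False); set_free(img, 18, 1, False)
    free = ((t, s) for t in [*range(1, 18), *range(19, 36)] for s in range(SECTORS[t - 1]))
    for n, (name, blocks) in enumerate(files.items()):
        chain, ent = [next(free) for _ in range(blocks)], offset(18, 1) + n * 32
        img[ent + 2:ent + 5] = bytes([0x82, *chain[0]])             # type PRG, first block
        img[ent + 5:ent + 21] = name.encode('ascii').ljust(16, b'\xa0')
        img[ent + 30] = blocks
        for (t, s), nxt in zip(chain, chain[1:] + [(0, 0xFF)]):     # allocate and link
            set_free(img, t, s, False)
            img[offset(t, s):offset(t, s) + 2] = bytes(nxt)
    return img

def file_chains(img):                # yield (name, [(track, sector), ...]) per entry
    t, s = 18, 1
    while 0 < t <= 35:
        base = offset(t, s)
        for e in range(base, base + 256, 32):
            if img[e + 2] & 0x80:                           # skip empty/scratched entries
                chain, ct, cs = [], img[e + 3], img[e + 4]
                while 0 < ct <= 35 and (ct, cs) not in chain:   # stop at EOF or a loop
                    chain.append((ct, cs))
                    ct, cs = img[offset(ct, cs)], img[offset(ct, cs) + 1]
                yield img[e + 5:e + 21].rstrip(b'\xa0').decode('ascii'), chain
        t, s = img[base], img[base + 1]

def check_bam(img):
    """Return {name: [blocks the file occupies but the BAM reports free]}."""
    return {name: [ts for ts in chain if is_free(img, *ts)]
            for name, chain in file_chains(img)}
```

On an unmodified disk every list in the result is empty; a non-empty list names a file whose blocks the DOS would hand out to the next file written, which is exactly the silent damage the posts above describe.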