Forums > C64 Coding > Malicious Packer?
2023-08-17 01:35
ws

Registered: Apr 2012
Posts: 250
Malicious Packer?

I was interested in this entry Galaxy Cargo + Poker because I wanted to see if the badness of the raster routine had anything to do with PAL/NTSC timing. It turned out that it is just very badly coded.

What puzzled me was that the depacker was partially obfuscated by an EOR routine. I reverted that and started the program again, but for fun I also altered the chars in the SYS line to WS/G*P. Prog started and all of a sudden, my attached disk was empty, named "PREPARE TO DIE!". (I probably could have used Ian's Unp64 V2.36, which gives a depacked largefile, but what I wanted was to have just a de-obfuscated original binary.) My mistake was to not examine the code any further.

This packer actually has a routine checking if the sysline was altered, and if so, the routine will format your currently inserted Disk or VOLUME to "PREPARE TO DIE!". Imagine if one had mounted a flashdrive or even an entire harddisk. Quite dangerous.

Does anybody know something about this >PWR< Packer(?) thing?

Are there any other examples of malicious C64 code like this, like screwing up your disk if things have been altered?
2023-08-17 02:55
ws

Registered: Apr 2012
Posts: 250
The culprit in this case is PWR Coder V1.89. (And also this one PWR Coder V1.89, All Fucked Up Import)

I recommend these production notes:
Upon execution you have to enter a source and target filename, as well as a start sys address, or alternatively zero for basic RUN. The source program will load and you will be provided with an inverted "!" in the upper left of the screen. Now press <SPACE> for your fucked up target to be saved. After the saving is done, a reset occurs.

This is a malicious tool and usage can result in loss of your data. 

From the Scrolltext of the XADES Intro (sic!):
HEY YOU  YES YOU HERE IS PWR BACK AFTER ONE WEEK WITH A NEW CODER  YOU CANNOT CHANGE TEXTS IN THE CODED PRG  IF YOU DO IT THE DISC WILL BE FORMATED  THIS CODER WAS WRITTEN BY GKC [TILT] OF PWR  GREETS TO ALL OUR CINTACTS

TL;DR: if you alter the text of the SYS line to anything but >PWR< , this program will format your disk upon execution.
2023-08-17 10:06
Krill

Registered: Apr 2002
Posts: 2957
Quoting ws
the routine will format your currently inserted Disk or VOLUME to "PREPARE TO DIE!". Imagine if one had mounted a flashdrive or even an entire harddisk.
Do any of the virtual filesystem implementations actually implement formatting a volume on a command from C-64?

That would be quite a bad idea already. =)
2023-08-17 10:25
iAN CooG

Registered: May 2002
Posts: 3180
I have found different program protectors/coders that have malicious payload, formatting drive 8 in case of tampering.
FCG Protector
H.Leise Protector (practically the same as above with small differences, both by Flash/FCG)
FSW Protector (Florasoft)
STL protector (Starline)

There is also "ICS Drive 8 Coder" that simply will crash if not loaded from drive 8, only found in ICS cracks.

I haven't found so far this PWR coder used in the wild, else I would have added its identification at least, but since it can be removed as a generic routine, seems not even needed. I can add it just for completeness.

Edit: done

Scanners added:
- PWR Coder, formats disk if sysline is tampered with. Added hack to allow any sysline by forcing the check with itself so it's always "good".
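The posts above describe a check on the text of the BASIC SYS line. As an added example (not code from the thread, from PWR Coder or from Unp64), here is a small parser that pulls the BASIC stub apart so the SYS address, the text after it and the line-link pointers can be inspected before an unknown PRG is run with a writable disk image attached. It assumes the standard PRG layout (2-byte load address, then tokenized BASIC lines) and uses a constructed sample file.

```python
# Added example: inspect the BASIC stub of a C64 PRG before running it.
# Assumed layout: 2-byte little-endian load address, then BASIC lines of
# (2-byte link to next line, 2-byte line number, tokenized text, 0x00),
# terminated by a 0x0000 link. SYS is token 0x9E, REM is token 0x8F.
from dataclasses import dataclass
from typing import List, Optional

SYS_TOKEN = 0x9E
REM_TOKEN = 0x8F

@dataclass
class BasicLine:
    number: int
    sys_target: Optional[int]  # numeric argument of SYS, if the line starts with SYS
    text: str                  # everything after the SYS argument ("sysline" text)
    link_ok: bool              # link pointer matches where the next line really starts

def parse_basic_stub(prg: bytes) -> List[BasicLine]:
    load = int.from_bytes(prg[0:2], "little")
    pos, lines = 2, []
    while pos + 2 <= len(prg):
        link = int.from_bytes(prg[pos:pos + 2], "little")
        if link == 0:                      # 0x0000 link ends the BASIC program
            break
        number = int.from_bytes(prg[pos + 2:pos + 4], "little")
        end = prg.index(b"\x00", pos + 4)  # line text is 0x00-terminated
        body = prg[pos + 4:end]
        link_ok = link == load + (end + 1 - 2)  # memory addr of offset o = load + (o - 2)
        sys_target, text = None, body
        if body[:1] == bytes([SYS_TOKEN]):
            digits, n = body[1:], 0
            while n < len(digits) and digits[n:n + 1].isdigit():
                n += 1
            sys_target = int(digits[:n]) if n else None
            text = digits[n:]
        # render the REM token readably; plain PETSCII text maps onto latin-1 here
        rendered = text.replace(bytes([REM_TOKEN]), b"REM ").decode("latin-1")
        lines.append(BasicLine(number, sys_target, rendered, link_ok))
        pos = end + 1
    return lines

def sys_line_text(prg: bytes) -> Optional[str]:
    """Text following the SYS address, i.e. what a sysline tamper check would compare."""
    for line in parse_basic_stub(prg):
        if line.sys_target is not None:
            return line.text.strip()
    return None

# Constructed sample (not a real release): "10 SYS2061:REM >PWR<", then a few code bytes
SAMPLE_PRG = (bytes([0x01, 0x08, 0x12, 0x08, 0x0A, 0x00, SYS_TOKEN]) + b"2061:"
              + bytes([REM_TOKEN]) + b">PWR<" + b"\x00" + b"\x00\x00" + b"\x78\xa9\x00")
```

Running it on a real PRG shows which text (and which link pointers) a protector like the one discussed could be comparing, without executing the file.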
2023-08-17 17:55
chatGPZ

Registered: Dec 2001
Posts: 11327
Quote:
Do any of the virtual filesystem implementations actually implement formatting a volume on a command from C-64?

That would be quite a bad idea already. =)

<offtopic>not format - but there is currently no concept of "chroot", so you can traverse the entire host filesystem and read/delete whatever you see</offtopic>
2023-08-17 21:46
ws

Registered: Apr 2012
Posts: 250
Correction:
I must admit that the extension of my warning to "Volume", "Flash Drive" and "Harddisk" was done without sufficient knowledge of the actual access that C64 emulators are given to the host file system. My alertedness was solely based on the experience that, e.g. with Vice in deactivated true-drive emulation mode, one can list all files present on the host system in the directory from which Vice was launched, via dir listing ($).
Furthermore, my personal experience with the Amiga emulator WinUAE led me to the hasty and possibly false conclusion that almost every file available on the host system can be arbitrarily changed or deleted, if appropriately accessible by the emulator's file system. Also I have no experience working with CF-Card readers in a C64 context.

However, if a C64 program is designed to delete the contents of the currently mounted floppy without any prior warning (I am not sure if the terse announcement in the XADES intro scroller can be regarded as a sufficient warning), I still consider that worth reporting :-)

@ian: thank you for including the PWR Coder in Unp64!
2023-08-18 04:45
ChristopherJam

Registered: Aug 2004
Posts: 1407
Perhaps only tangentially related, but I'm reminded of the time an annoying classmate of Silicon had been hassling him for a pirate copy of some game or other. My brother eventually relented, but only by giving the guy a copy that would trash the disk the first time you played it (something about seeking around with write enabled IIRC :D).

"What do you mean it stopped working? The game loaded when you got home didn't it? Must've been a shitty blank disk you gave me, and no I'm not giving you another copy."
2023-08-18 12:09
tlr

Registered: Sep 2003
Posts: 1777
Quoting ws
What puzzled me was, that the depacker was partially obfuscated by an EOR routine. I reverted that and started the program again, but for fun i also altered the chars in the SYS line to WS/G*P. Prog started and all of a sudden, my attached disk was empty, named "PREPARE TO DIE!".

These were presumably done to stop just that. A lot of text changed cracks were starting to float around, and crackers didn't want that so tools like these got coded. The ones by Flash are the ones I saw first, were there any earlier?
2023-08-18 20:11
Burglar

Registered: Dec 2004
Posts: 1082
I actually did the same thing on an intro I coded for some group, added a screenram checker so they couldn't change creds, and if change detected quick-format the disk.

What I didn't know was that the format was also triggered by merely freezing the intro with Action Replay and restarting it ;)

"do you have a new copy? it autodestructed on restart?!"
2023-08-19 00:59
Bansai

Registered: Feb 2023
Posts: 47
Quoting ChristopherJam
"What do you mean it stopped working? The game loaded when you got home didn't it? Must've been a shitty blank disk you gave me, and no I'm not giving you another copy."
I'm guessing if someone wanted to be truly rotten about this, alter the BAM, then at some point when the person says, "Hey, I have 300 blocks free so I'll copy more stuff onto this disk," the disk dies at their hand (apparently) outside of execution of your boobytrapped program/disk. Like you said, it's the blank disk's fault.
2023-08-19 17:52
ChristopherJam

Registered: Aug 2004
Posts: 1407
Bansai: haha, evil.
Burglar: Oh nooo. Still, can't have people stealing intro graphix ;)
2023-08-19 19:17
Rastah Bar
Account closed

Registered: Oct 2012
Posts: 336
I remember a crack where, on pressing the reset button (IIRC), a big grim reaper sprite would appear and the disk would be formatted.
2023-08-19 21:38
ws

Registered: Apr 2012
Posts: 250
@Bansai: That is actually a pretty sweet/nasty idea for a tool "Very Fast Floppy Compressor"...
"A new and groundbreaking method of reorganizing and compressing suboptimally filled blocks!!!! 25% more free disk space guaranteed - in almost no time!"
Just display some stats, scrolling lists of data, some percentage counter, move the floppy head around and alter the BAM to 25-30% more blocks free. And since afterwards one could successfully store a new file, everything would look legit. Until the rude awakening upon trying to load one of the damaged files. :-D Evil!
2023-08-25 20:16
Count Zero

Registered: Jan 2003
Posts: 1909
https://csdb.dk/release/?id=52462&show=notes#notes

Not sure if the soft format is applied by some protection program or manually.
2023-08-25 20:30
ws

Registered: Apr 2012
Posts: 250
@Count Zero:
Thanks! That one was also "protected" with PWR Coder V1.89 , it seems!
2023-08-25 20:35
iAN CooG

Registered: May 2002
Posts: 3180
It's a crypting layer in every prg by CIA Design and also, with different sysline, in Men at Work cracks like Star Slayer and Rolling Thunder
I've called it CIA Crypt v2.x not having any other clues ;)
2023-08-25 21:50
Richard

Registered: Dec 2001
Posts: 620
There was another nasty compression tool (according to codebase), which was the FROGS version of "Fast Cruel V4.0+". It injects some kind of FROG infection into Fast Cruelled programs.
2023-08-25 22:12
iAN CooG

Registered: May 2002
Posts: 3180
Well, those are just Trojan horses, not anti-hacking protections. "Coders" are about protections of programs from tampering.
2023-09-03 14:09
iAN CooG

Registered: May 2002
Posts: 3180
Another coder/protector that formats in case of tampering just got uploaded
Checksum Protector V1.0 aka FCG Coder.
I found several uses of this one but never found the actual coder so far.
2023-09-03 20:00
ws

Registered: Apr 2012
Posts: 250
Thanks! Seems to follow the same principle as PWR Coder, from the looks of it.
2024-01-19 12:12
iAN CooG

Registered: May 2002
Posts: 3180
Found another nasty one:
Protector V1.3
Tampering with the protected prg will result in the drive being set to write mode, trashing everything.
Found used in Typhoon
2024-01-19 13:05
hedning

Registered: Mar 2009
Posts: 4714
I don't know if this one was discussed before. The Bonanza Crew spread a lot of disks with some kind of protection against tampering with the disks. I had to reach out to Mason to add cleaned up versions of their releases four years ago, like Super Real Darwin + [seuck].

If you tamper with the disk in any way the disk will get erased. Here's the Darwin spread disk in its evil original form: https://www.dropbox.com/scl/fi/swwzr8yaln7pxbn44ajiy/Bonanza.zi..
2024-01-19 15:31
chatGPZ

Registered: Dec 2001
Posts: 11327
A bunch of those people who sold cracks also put timebombs into their stuff...like you can run it 100 times, then it deletes itself
2024-01-19 15:37
Krill

Registered: Apr 2002
Posts: 2957
Quoting chatGPZ
A bunch of those people who sold cracks also put timebombs into their stuff...like you can run it 100 times, then it deletes itself
And today, it's the game producers themselves doing this. =)
2024-01-19 15:39
chatGPZ

Registered: Dec 2001
Posts: 11327
Not really. That'd be a disaster if anyone noticed it.
2024-01-19 19:12
Krill

Registered: Apr 2002
Posts: 2957
Quoting chatGPZ
Not really. That'd be a disaster if anyone noticed it.
I meant that they're selling games as a service with subscription fees. =)
2024-01-19 22:03
AlexC

Registered: Jan 2008
Posts: 298
Actually, Sony installed a rootkit on CDs in the past, and many if not all anti-cheat / DRM systems can be quite malicious from the end-user perspective, not to mention disliking being run under a debugger, which can be the equivalent of running with AR enabled back in the 80's.
2024-01-19 23:13
chatGPZ

Registered: Dec 2001
Posts: 11327
Quote:
I meant that they're selling games as a service with subscription fees. =)

I know - but I am not falling for the bait. "Buying" a game never meant you have the right to play it until eternity under all circumstances.
2024-01-19 23:57
Fungus

Registered: Sep 2002
Posts: 679
When you buy something sold with a perpetual license, it is yours to play until the end of the universe. EULA are not legal contracts and I hope to hell someone challenges this in court because it's bullshit.

Also just avoid ubisoft and any other such company like Sony then. It's anti-consumer and shouldn't be legal.
2024-01-20 00:27
chatGPZ

Registered: Dec 2001
Posts: 11327
So you took the bait instead :) (And I can play my Sony and Ubisoft games as long as I want, really. Hooray for them!)
2024-01-20 01:00
Fungus

Registered: Sep 2002
Posts: 679
Until your internet goes down ;) Or they take your ability to play it away, like The Crew.
2024-01-20 12:52
chatGPZ

Registered: Dec 2001
Posts: 11327
Works offline just fine. And nothing has been "taken away", ever.

Edit: correction, the PS3 Store "closed" recently (you can no more buy games - but of course still play what you have bought). About 15 years after anyone would want to use it.
2024-01-20 19:17
ws

Registered: Apr 2012
Posts: 250
To chime in on that: funny, just a few months ago I ripped all my PS3 games from the console and managed to put them in RPCS3. Well, surely I cannot play any online stuff, but then again: I have none of the games that require that. So. Yeah, it could be seen as kind of a malicious business model :-D