so there's this 90s warez cd series called "the legacy", a number of which are being dumped today
they're of the type of the "menu pretends to be something else if you don't run it with the correct password", so I took a look in IDA.
the config file is gzipped and memecrypted (custom algorithm with xor-sub-add) by the key (5 bytes initialised by xor/not/add/sub by the entered key, one of the bytes is always 0 as it's ANDed with itself and initialised to 0 lol)
the first (key+1) bytes of plaintext equal the null-terminated key.
the actual archive files? they claim to be "FMV files" and actually are a 0xE byte header (first 4 bytes are magic number 4E 43 FF 10, u32 at 0x0A is number of files), followed by gzipped data
the uncompressed data is an array of structures: 93 byte header (32-bit length at 0x9, null-terminated path at 0xD), followed by [length] bytes of data
no memecrypto at all on the actual warez, just a custom archive format gzipped
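The "FMV" container described above, as an added parser (not code from the CD or from the post): a 14-byte header with the 4E 43 FF 10 magic and the file count at 0x0A, gzipped data after it, and inside that a run of 93-byte entry headers (data length at 0x9, NUL-terminated path at 0xD) each followed by its data. Little-endian integers, cp437 paths and zero-filled unknown header bytes are assumptions; the sample archive is constructed for the test.

```python
import gzip
import struct

MAGIC = b"\x4E\x43\xFF\x10"
CONTAINER_HEADER_LEN = 0x0E    # 14 bytes, u32 file count at 0x0A
ENTRY_HEADER_LEN = 93          # u32 data length at 0x09, NUL-terminated path at 0x0D
LEN_OFF, PATH_OFF = 0x09, 0x0D
PATH_MAX = ENTRY_HEADER_LEN - PATH_OFF   # 80 bytes including the terminator

def build_archive(files):
    """Pack {path: bytes} into the container. Bytes the post does not
    describe (header 0x04..0x09, entry 0x00..0x08) are zero-filled (assumption)."""
    body = bytearray()
    for path, data in files.items():
        p = path.encode("cp437") + b"\x00"      # DOS paths, assumed cp437
        if len(p) > PATH_MAX:
            raise ValueError("path too long for the 80-byte field")
        hdr = bytearray(ENTRY_HEADER_LEN)
        struct.pack_into("<I", hdr, LEN_OFF, len(data))
        hdr[PATH_OFF:PATH_OFF + len(p)] = p
        body += hdr + data
    head = bytearray(CONTAINER_HEADER_LEN)
    head[:4] = MAGIC
    struct.pack_into("<I", head, 0x0A, len(files))
    return bytes(head) + gzip.compress(bytes(body))

def parse_archive(blob):
    """Return {path: bytes}; bounds-checks every entry so a corrupt
    length field cannot slice past the decompressed buffer."""
    if blob[:4] != MAGIC:
        raise ValueError("bad magic, not an FMV container")
    (count,) = struct.unpack_from("<I", blob, 0x0A)
    body = gzip.decompress(blob[CONTAINER_HEADER_LEN:])
    out, off = {}, 0
    for _ in range(count):
        if off + ENTRY_HEADER_LEN > len(body):
            raise ValueError("truncated entry header")
        (length,) = struct.unpack_from("<I", body, off + LEN_OFF)
        raw = body[off + PATH_OFF:off + ENTRY_HEADER_LEN]
        path = raw.split(b"\x00", 1)[0].decode("cp437")
        start = off + ENTRY_HEADER_LEN
        if start + length > len(body):
            raise ValueError(f"entry {path!r} runs past end of data")
        out[path] = body[start:start + length]
        off = start + length
    return out

# constructed sample archive with two entries
SAMPLE_FILES = {"UTIL\\README.TXT": b"hello from 1997", "GAME.EXE": b"MZ" + b"\x90" * 30}
SAMPLE = build_archive(SAMPLE_FILES)
```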
lol
#reverseengineering #reversing #MS_DOS #warezCD
lol
so decided to look at this newly dumped warez CD: https://archive.org/details/blobby58_cracked
(yay for the wordart used in the menu, btw)
...there's some extra protection trojan horse there.
basically, autorun.inf points to GO.COM which is a compiled batch file: cd BLOB && MENU.EXE
menu.exe is a VB exe which runs RAR32.EXE (the actual menu in delphi).
...except, if "C:\PROGRAM FILES\EASY-CD PRO 95\ECDPRO.EXE" exists, then it will also delete "C:\PROGRAM FILES\EASY-CD PRO 95\*.*" and copy MSVB.DLL over C:\WINDOWS\WIN.COM
MSVB.DLL is a .COM file that's packed by hackstop, which isn't effective if you allow usage of modern tools: run it in dosbox debugger, let it run, when it actually executes, break and step out of any interrupt routine, and CS:IP hits the unpacked code which can be dumped out of memory (it's a .COM file so guaranteed to be a single segment)
anyway, it claims to run FORMAT C: (although forgets the ">" in the dos prompt); waits for a keyboard press which then acts as if "Y" was pressed. instead of formatting the drive, it prints a "progress" and busy loops (but also writes unremarkable data to C:\WINDOWS\BLOB.DAT to simulate disk activity)
after the "format" completes it shows a message in yellow " THANK YOU FOR FLYING WITH BLOBBY INTERNATIONAL.... HAVE A NICE DAY.. ", sets C:\WINDOWS\BLOB.DAT to hidden, and exits to dos.
all text printing is done by int 10h.
also, there's a bug with the file writing: if opening C:\WINDOWS\BLOB.DAT fails (due to C:\WINDOWS not existing, for example), the carry flag is not checked, and it will proceed to use the error code as the file handle. for C:\WINDOWS not existing, that means it writes to stderr instead of a file. lol.
#reversing #ReverseEngineering #DOS #MS_DOS #TrojanHorse #warezCD