beta.blog

PKLITE32 Manual Unpacking (MUP)

by on Nov.01, 2023, under News

I had the glorious idea today that I wanted to get the game LEGO Racers (from 1998) to work on a modern machine. Unfortunately, I no longer own any hardware with a CD drive, but luckily there are plenty of “NoCD fixes” out there in the wild. Interestingly, all of these appear to be 438 KB in size (438272 bytes).

On the first start I was immediately confronted with an error message and the program crashed:

Unable to open the video file: lmicmp.avi

Game over? Not quite yet. I opened up the file in OllyDbg and couldn’t find said error message. After a scan with Exeinfo PE / PEiD I noticed that the application appeared to be packed with PKLITE32. PK…what? Turns out it’s a packer from the DOS era but the 32-bit version wasn’t supported by any of the known unpacking tools for DOS.

Let’s take a look at this binary in Ghidra:

We can do the following steps either in a debugger (OllyDbg, x32dbg, …), or we can simply patch the first byte of the instruction at 004d1014 with 0x90 (INT3). The application will then crash immediately, since without an attached debugger the exception remains unhandled ("The program LEGORacers.exe has encountered a serious problem and needs to close"). However, even in this crashed state the process is still running (as long as we don’t close the error message), so we can now fire up LordPE by yoda and dump the process:

We’ll now use ImpRec to fix the dumped process. The OEP is the address we found with Ghidra (004a867c); subtracting the image base shown in LordPE (00400000) gives us the RVA 000A867C. As usual, click Get Imports and then Fix Dump, and select the dump created with LordPE a minute ago.
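As an added example (not part of the original post), the following script parses the PE headers to do the image-base subtraction above and to find where a virtual address such as 004d1014 sits in the file on disk. The section layout in build_sample() is constructed for illustration and is not the real layout of LEGORacers.exe; only the image base and the two addresses come from the post.

```python
import struct

def parse_pe(data):
    """Return (image_base, entry_rva, sections) for a PE32 image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24                                           # optional header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry_rva, = struct.unpack_from("<I", data, opt + 16)   # AddressOfEntryPoint
    image_base, = struct.unpack_from("<I", data, opt + 28)  # ImageBase
    sections = []
    for i in range(nsec):
        name, vsize, rva, rsize, raw = struct.unpack_from(
            "<8s4I", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), rva, vsize, raw, rsize))
    return image_base, entry_rva, sections

def rva_to_offset(sections, rva):
    """File offset backing an RVA, or None if it exists only in memory."""
    for _name, start, vsize, raw, rsize in sections:
        if start <= rva < start + max(vsize, rsize):
            delta = rva - start
            return raw + delta if delta < rsize else None
    raise ValueError("RVA outside all sections")

def build_sample():
    """Constructed PE32 header; the section layout is an assumption."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                 # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH12xH", hdr, 0x84, 0x14C, 2, 0xE0)  # i386, 2 sections
    struct.pack_into("<H", hdr, 0x98, 0x10B)                # PE32 magic
    struct.pack_into("<I", hdr, 0x98 + 16, 0xD1000)         # entry in the stub
    struct.pack_into("<I", hdr, 0x98 + 28, 0x00400000)      # image base (post)
    # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<8s4I", hdr, 0x178, b".text", 0xC0000, 0x1000, 0, 0)
    struct.pack_into("<8s4I", hdr, 0x1A0, b".stub", 0x1000, 0xD1000, 0x200, 0x400)
    return bytes(hdr)

if __name__ == "__main__":
    base, entry, secs = parse_pe(build_sample())
    for va in (0x004D1014, 0x004A867C):                     # addresses from the post
        rva = va - base
        print(f"VA {va:08X} -> RVA {rva:08X} -> file offset {rva_to_offset(secs, rva)}")
```

In this constructed layout the stub address maps to a file offset that can be patched on disk, while the OEP falls in a section with no raw data, so its code exists only in the running process.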

The resulting binary is both fully unpacked and runnable.

Getting back to LEGO Racers: The solution to the problem was that I first had to specify two parameters:

LEGORacers.exe -horzres 1024 -vertres 768

After that I received another error.

Unable to initialize display – out of video memory

Since we can now read the source code, at least in assembler form, I discovered another switch.

LEGORacers.exe -horzres 1024 -vertres 768 -select3d

The select3d option opens a popup before starting the game to select the video renderer. Afterwards the game finally worked.

