*********************************************************************************************************************************
			Manually UnPacking of LameCrypt V1.00 Alpha
*********************************************************************************************************************************

Author:		LaZaRuS
Protection:	None
URL:		http://free.hosting.and.email.at.ebox.ru/~protools.fbi.ru/files/packers/lamecryp.zip
Tools:		SoftICE 4.05
		ProcDump V1.6.2
		Hex-Editor


--->	Intro...

Welcome to my next Tutorial !!!
Now we're going to "Manually UnPack" LameCrypt V1.00 Alpha by LaZaRuS.
This is a very simple "Encryptor" but also very nice to play with :)
It's not a "Packer" because it only Encrypts the first Section, whatever that is.
I'll explain it in great detail so you can understand everything :)
Oh and btw, this was the first time I "Manually Unpacked" something myself ;)


--->	Author Words...

This is surely the lamest EXE Cryptor that was ever developed. In this very early stage it does
nothing but crypt the first section of the PE header (whatever it is) with the genuine XOR 90
method. Let's hope this gets better when newer versions are released.


--->	Let's Begin...

Ok, in this Zip File I included the following Items:

Tut13_MUP_LameCrypt V1.00 Alpha		: This Tutorial
Lame_Notepad.exe			: Our Target "Encrypted" with LameCrypt

Ok, so Unzip these items to your Desktop (I think that's the best place :).
Now what do we need to know to "Manually Unpack" this File (Lame_Notepad.exe)?
2 Things:

1.	We need to know the original OEP (Original Entry Point).
2.	We need to know when the "Encryptor" Jumps to the OEP.

Well I first want to mention that this "Encryptor" is indeed very LAME :)
With this one it's very easy to find this stuff out, other Encryptors/Packers are much harder.
So we're going to find the "Original" OEP first.
Let's open ProcDump and select "PE Editor".
Then search for the original "Notepad.exe" and open it.
Then you'll get a new window and you'll see under "Header Infos":

Entry Point	--->	Important
Size of Image	--->	Not very important
Image Base	--->	Important

If you've opened "Notepad.exe" (Original) then you'll probably see something like this:

Entry Point	--->	000010CC
Size of Image	--->	0000D000
Image Base	--->	00400000

Ok, to get the OEP we need to do the following:

(Image Base	+	Entry Point)	= OEP
(00400000	+	000010CC)	= 004010CC

So 004010CC is the OEP we need, write it down on some paper :)
Ok, now we need to know where the "Encryptor" begins in our "Encrypted" File (Lame_Notepad.exe),
because we're going to put a "CC" (Int 3) on its first byte so SoftICE breaks right there.
Close this Window so we return to the main window of ProcDump and select "PE Editor" again.
But now open our "Encrypted" File (Lame_Notepad.exe) and you'll see this:

Entry Point	--->	0000D000
Size of Image	--->	0000E000
Image Base	--->	00400000

(Image Base	+	Entry Point)	= OEP
(00400000	+	0000D000)	= 0040D000

So here 0040D000 is the OEP we need for the "Encrypted" File, write it down.
But to be sure it is the correct one, we're going to take a look at the "Sections", why?
Because as you maybe know there are "Virtual Offsets" and "Raw Offsets".
"Virtual Offsets" are the ones you see in Memory (Think about SoftICE) and
"Raw Offsets" are the ones you see with a Hex-Editor (These are often different, you'll see what I mean).
So select the button "Sections" and you'll see this:

Name		Virtual Size	Virtual Offset	Raw Size	Raw Offset	Characteristics
.text		00003E9C	00001000	00004000	00001000	C0000020
.data		0000084C	00005000	00001000	00005000	C0000040
.idata		00000DE8	00006000	00001000	00006000	40000040
.rsrc		00004FB8	00007000	00005000	00007000	40000040
.reloc		00000A9C	0000C000	00001000	0000C000	42000040
lamecryp	0000001F	0000D000	0000001F	0000E000	00000000

Ok, notice the "lamecryp" Section, this is the Section made by the "Encryptor".
Now look at the "Virtual Offset" of this Section, it says:	0000D000
Remember what we got as Entry Point:	0000D000
It's the same :)
Now check the "Raw Offset", it says:	0000E000
The "Raw Offset" is the one you see with a Hex-Editor.
So for the File on disk we need to replace the 0000D000 with 0000E000, new OEP:

(Image Base	+	Entry Point)	= OEP
(00400000	+	0000E000)	= 0040E000

So 0040E000 is the real OEP, write it down.
Now close ProcDump completely, and open the "Encrypted" File in a Hex-Editor.
But remember that the "Image Base" isn't used when you're opening a file in a Hex-Editor, why?
Simple, because the "Image Base" is used in Memory, not in "Real Life" :)
So go to the Offset 0040E000 - Image Base = 0000E000 and you'll see this:

0000E000:	60 66 9C BB 00 40 00 00 80 B3 00 10 40 00 90 4B
0000E010:	83 FB FF 75 F3 66 9D 61 B8 CC 10 40 00 FF E0

This is the complete Code for the Encrypter, hehe not very big ;)
Now we're going to replace the "60" at the beginning with "CC" (Int 3):

0000E000:	60

	Change into

0000E000:	CC

Then save the file and close it.
Now get into SoftICE (CTRL+D) and type "bpint 3" (this command breaks whenever an Int 3 is executed).
Now close SoftICE (CTRL+D) and run Lame_Notepad.exe, SoftICE pops up and you'll see this:

---------------------------------------------------------------------------------------------------------------------------------

:0040D000 CC                      int 3					<--- WE'LL LAND HERE AFTER THE BREAK !!!
:0040D001 669C                    pushf					<--- Push EFlags
:0040D003 BB00400000              mov ebx, 00004000			<--- Move 00004000 in EBX

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040D013(C)
|
:0040D008 80B30010400090          xor byte ptr [ebx+00401000], 90	<--- XOR the bytes with 90
:0040D00F 4B                      dec ebx				<--- EBX -1
:0040D010 83FBFF                  cmp ebx, FFFFFFFF			<--- Compare EBX with FFFFFFFF
:0040D013 75F3                    jne 0040D008				<--- If not equal repeat this loop, else continue
:0040D015 669D                    popf					<--- Pop EFlags
:0040D017 61                      popad					<--- Pop all Registers
:0040D018 B8CC104000              mov eax, 004010CC			<--- Hmm... this looks like our OEP :)
:0040D01D FFE0                    jmp eax				<--- Jump to 004010CC

---------------------------------------------------------------------------------------------------------------------------------

Now don't press F10 or anything, because we're on the "CC" and not the normal "60", we need to change it back first :)
Now you might wonder "Hey, I see 0040D000, where's 0040E000 ?" :)
That's because we're now looking at the "Virtual Offset", the ones you see in Memory, remember.
So first type "BC *" to disable the breakpoint, then type "d eip" to get the data window to the exact location, then press (ALT+D) to get
into the data window so we can replace the "CC" with "60", do it, and then press (ALT+D) again to return to the code window.
Now it says instead of "CC":

:0040D000 CC                      int 3

	to this

:0040D000 60                      pushad

Ok, now we can trace through it, as you see it puts 00004000 (Length of the .text Section) in EBX.
Then it XORs the byte at EBX+00401000 (00401000 = the beginning of the .text Section, not the OEP) with 90.
Decreases EBX by 1.
Compares EBX with FFFFFFFF.
If not equal it repeats the loop, else we're done XORing (the .text Section is decrypted) and we jump to the "Original" Code of the program.
If you're just gonna trace through this whole loop then you're stupid because it takes a while ;)
So what we're going to do now is set a breakpoint on the instruction right after the "jne", that's the "popf" at 0040D015.
Now type "bpx 0040D015" followed by "enter" and then press (CTRL+D), now the program will stop after the loop and the XOR loop is done :)
Now we come to this interesting Code:	mov eax, 004010CC
It's our "Original" OEP :)
So trace till you're on the "jmp eax" and then press (F10) one more time and we're at the beginning of the "Original" Code.
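At this point the whole job of the stub is known: XOR the 00004001 bytes from 00401000 with 90 (EBX runs from 00004000 down to 0 before the "cmp ebx, FFFFFFFF" ends the loop), then jump to 004010CC. Once you know that, you don't have to run the sample at all, you can undo it on the file bytes. The script below is an added example written for this page (Python, not LaZaRuS's code and not part of LameCrypt or ProcDump): it parses the PE header the way ProcDump's "PE Editor" shows it, converts Virtual Offsets to Raw Offsets with the Sections table like we did above, checks that the bytes at the Entry Point really are the 31-byte stub from the hex dump, pulls the loop count, XOR key and OEP out of it, replays the loop and writes 000010CC back into the Entry Point field. Because the real Lame_Notepad.exe isn't included here, build_sample() constructs a fake file with the same section layout and stub; everything in that sample (the CC filler, the 55 8B EC at the OEP) is made up for the test.

```python
import struct

# 31-byte LameCrypt stub exactly as shown in the hex dump at raw offset 0000E000
STUB = bytes.fromhex("60669CBB0040000080B300104000904B83FBFF75F3669D61B8CC104000FFE0")

# name, Virtual Size, Virtual Offset, Raw Size, Raw Offset (the ProcDump "Sections" table)
SECTIONS = [
    (b".text",    0x3E9C, 0x1000, 0x4000, 0x1000),
    (b".data",    0x084C, 0x5000, 0x1000, 0x5000),
    (b".idata",   0x0DE8, 0x6000, 0x1000, 0x6000),
    (b".rsrc",    0x4FB8, 0x7000, 0x5000, 0x7000),
    (b".reloc",   0x0A9C, 0xC000, 0x1000, 0xC000),
    (b"lamecryp", 0x001F, 0xD000, 0x001F, 0xE000),
]


def parse_pe(data):
    """Read the PE32 fields the tutorial looks up in ProcDump's PE Editor.
    Returns (pe_header_offset, image_base, entry_point_rva, section_list)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]           # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]      # SizeOfOptionalHeader
    opt = pe + 24
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]    # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]   # ImageBase
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), vsize, va, rsize, rptr))
    return pe, image_base, entry_rva, sections


def rva_to_offset(rva, sections):
    """Virtual Offset -> Raw Offset, the conversion the tutorial does by hand with the Sections table."""
    for _name, vsize, va, rsize, rptr in sections:
        if va <= rva < va + max(vsize, rsize):
            return rptr + (rva - va)
    raise ValueError("RVA %#x is not inside any section" % rva)


def parse_stub(stub):
    """Pull loop count, XOR target, key and OEP out of the stub. Every fixed opcode byte is checked,
    so anything that isn't the pushad/pushf/xor-loop/popf/popad/mov eax/jmp eax shape is refused."""
    fixed = {0: b"\x60\x66\x9c\xbb", 8: b"\x80\xb3",
             15: b"\x4b\x83\xfb\xff\x75\xf3\x66\x9d\x61\xb8", 29: b"\xff\xe0"}
    for off, expect in fixed.items():
        if stub[off:off + len(expect)] != expect:
            raise ValueError("stub does not match the LameCrypt pattern at +%d" % off)
    count = struct.unpack_from("<I", stub, 4)[0]        # mov ebx, imm32
    target_va = struct.unpack_from("<I", stub, 10)[0]   # xor byte ptr [ebx+disp32], key
    key = stub[14]
    oep_va = struct.unpack_from("<I", stub, 25)[0]      # mov eax, imm32 ; jmp eax
    return count, target_va, key, oep_va


def unpack(data):
    """Statically undo LameCrypt on the file bytes: replay the XOR loop and restore the entry point.
    Returns (fixed_image, oep_rva)."""
    img = bytearray(data)
    pe, image_base, entry_rva, sections = parse_pe(img)
    stub_off = rva_to_offset(entry_rva, sections)
    count, target_va, key, oep_va = parse_stub(bytes(img[stub_off:stub_off + 31]))
    # EBX starts at count and the loop only stops once EBX has wrapped to FFFFFFFF, so the stub
    # XORs count+1 bytes starting at target_va. Replay that exactly, mapping every RVA through
    # the section table instead of assuming the section lies at the same place in the file.
    for ebx in range(count, -1, -1):
        img[rva_to_offset(target_va - image_base + ebx, sections)] ^= key
    oep_rva = oep_va - image_base
    struct.pack_into("<I", img, pe + 24 + 16, oep_rva)  # AddressOfEntryPoint := 000010CC
    return bytes(img), oep_rva


def build_sample():
    """Constructed test file (assumption: not a real notepad): the tutorial's section layout,
    0x4001 bytes from raw 00001000 XORed with 90 the way the stub expects, stub at raw 0000E000."""
    img = bytearray(0xE000 + len(STUB))
    img[:2] = b"MZ"
    pe = 0x80
    struct.pack_into("<I", img, 0x3C, pe)
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HH", img, pe + 4, 0x14C, len(SECTIONS))  # Machine i386, NumberOfSections
    struct.pack_into("<H", img, pe + 20, 0xE0)                  # SizeOfOptionalHeader (PE32)
    opt = pe + 24
    struct.pack_into("<H", img, opt, 0x10B)                     # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0xD000)               # AddressOfEntryPoint -> stub
    struct.pack_into("<I", img, opt + 28, 0x400000)             # ImageBase
    for i, sec in enumerate(SECTIONS):
        struct.pack_into("<8sIIII", img, opt + 0xE0 + 40 * i, *sec)
    plain = bytearray(b"\xcc" * 0x4001)
    plain[0xCC:0xCF] = b"\x55\x8b\xec"          # push ebp / mov ebp, esp at the original OEP
    img[0x1000:0x5001] = bytes(b ^ 0x90 for b in plain)
    img[0xE000:0xE000 + len(STUB)] = STUB
    return bytes(img), bytes(plain)


if __name__ == "__main__":
    sample, plain = build_sample()
    fixed, oep = unpack(sample)
    print("entry point RVA now %#x, .text restored: %s" % (oep, fixed[0x1000:0x5001] == plain))
```

The lamecryp Section is left where it is, the tutorial removes that afterwards with ProcDump's "Kill Section". The pattern check is the part worth keeping: a stub with the same opcodes but a different key, count or target is still handled, anything else is refused instead of being blindly XORed.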
Now we're going to use a little trick I saw in some Tutorial, we're going to let the program run in a loop :)
First type "d eip" to get to the exact location, now press (ALT+D) to get into the data window and change these 2 bytes:

55 8B

to

EB FE

Why EB FE?
Because it's a short jump back to itself (EB = short jmp, FE = -2, the length of the instruction), so it keeps jumping to itself and the program runs in a loop :)
Now disable all breakpoints by typing "BC *" and then get out of SoftICE by pressing (CTRL+D).
Your computer may go a little slow now because "Lame_Notepad.exe" is still spinning in that loop :)
Open ProcDump again and then search in the main window for something like this:

c:\windows\desktop\Lame_Notepad.exe

Then right click on it with your mouse and select "Dump (FULL)".
It'll prompt you to enter a new Filename to save the process, enter anything you want and save the New File.
Then right click again with your mouse on it and select "Kill Task" to terminate the process.
It'll ask you to confirm the Termination, select "YES".
Now we have a fully working Unpacked File of Lame_Notepad.exe.
Now run the New File and......!!!!! Oooppps Crash =/
Hehe, of course it crashes, because first of all the Entry Point still isn't changed to the real OEP, and we replaced those 2 bytes at the (Original) OEP :)
So open up ProcDump (If you've closed it) and select "PE Editor", then select the New File (our dump of "Lame_Notepad.exe") and press open.
Now we change this:

Entry Point	--->	0000D000

to

Entry Point	--->	000010CC	(without Image Base)

Ok, OEP problem solved, now we need to change those 2 bytes back, so close ProcDump and open the New File in a Hex-Editor.
Then go to the OEP (000010CC) and change this:

EB FE

to

55 8B

Save the file and run it, now it fully works ;P
But wait a minute... :(
I still see that damn Section (lamecryp), and I still see the Encryptor Code down at the end of the File.
I don't like that, so we're going to remove it :)
So fire up ProcDump once again ;) select "PE Editor" and open the New File.
You'll see 2 options:

1.	Only to PE Header	--->	Changes are only made to the PE Header
2.	To PE File		--->	Changes are made to the entire File

Then select the second option because we want to remove the Code as well.
Now click on the button "Sections" and right click on "lamecryp".
Then select "Kill Section" and the Section is terminated :)
Now the program is fully restored to its original, ok Job done ;)

If you got any questions, comments, whatever send it to:

email:	code.inside@home.nl


--->	Outro...

Ok, I want to say one thing about this Tutorial !!!
This is probably the easiest "Encrypter" you've ever seen, the other "Encrypters/Packers" are
much harder !!!
But this one is good to practise with ;)
Ok, that's all, I'm gonna quit now :)


--->	Greetings...

Everybody from TrickSoft		(www.TrickSoft.net)
Everybody from Cracking4Newbies		(www.Cracking4Newbies.com)
Everybody from Keygenning4Newbies	(Keygenning4Newbies.cjb.net)
And You...

			Don't trust the Outside, trust the InSiDe !!!

					  Cya...

					CoDe_InSiDe
