Manually Unpacking EP_v0.1
---------------------------

--------------------------------------------|
Writer:     Bengaly                         |
Author:     CoDe_InSide                     |
Protection: None                            |
URL:        http://code.freeservers.com     |
Tools:      SoftICE v4.05                   |
            Hex-Editor                      |
            ProcDump v1.6.2                 |
--------------------------------------------|

Hello! Welcome to my 22nd tutorial. Today we will talk about manual unpacking.

What is unpacking?
Unpacking is the way to undo what a packer did to a program, either with an automatic unpacker or by hand. Packing takes an EXE, encrypts (or compresses) its code and data, adds a small stub section that restores everything in memory, and points the entry point in the PE header at that stub, so the real code is hard to find and crack on disk.

Let's get started:
------------------

In this essay I will use CoDe_InSide's EP_v0.1 (PE) packer/encrypter, and I will encrypt Notepad.exe.

* Some Windows users will probably notice that an encrypted file runs slowly (it runs slowly here as well). Later you will see that after we dump the file and change some things in it, it runs smoothly again.

OK, so we have the packed Notepad.exe (don't run it yet; it will be slow ;D, for me at least).

Open ProcDump, press the "PE EDITOR" button, and load the encrypted Notepad.exe we made. You will see a window with this information:

  Entry Point:   0000D000  <= this is the Virtual Offset (RVA) of the entry point
  Size of Image: 0000E000
  Image Base:    00400000

Now that we know the entry point RVA (0000D000), click the "Sections" button. You will see all the section information:

  .text / .data / .idata / .rsrc / .reloc / PE   (wonder what this last one is ;D)

Look under Virtual Offset of section PE: you will see 0000D000, so the entry point lies in the packer's own section. But we must know the Raw Offset, so look under Raw Offset of section PE: it is 0000D000 too. Wow, we got lucky, it's the same offset ;D (other packers may use different offsets, but here they are the same).

Now that we know the Raw Offset: why do we need it anyway?
We need it because a hex editor works with file (raw) offsets, while SoftICE works with virtual addresses (the RVA, Relative Virtual Address, added to the image base). So whenever we patch bytes in a hex editor we have to use the raw offset!

So, our Raw Offset = 0000D000.

Open a hex editor (any) and go to offset D000. You will see this:

  D000: 50 83 C0 17 8B F0 97 33

To make SoftICE break when the program is loaded (with BPINT 3), we change the first byte 50 -> CC (CC = INT 3):

  D000: CC 83 C0 17 8B F0 97 33

Save the file and exit the hex editor.

Now open SoftICE (Ctrl+D) and set a breakpoint:

  BPINT 3

Press Enter and leave SoftICE (Ctrl+D). Run the encrypted Notepad.exe; SoftICE will pop up here:

-------------------------------------------------------------------------PROT32-
0177:0040CFFE  INVALID
0177:0040D000  INT 3              <= SoftICE breaks here
0177:0040D001  ADD  EAX,17
0177:0040D004  MOV  ESI,EAX
0177:0040D006  XCHG EAX,EDI
0177:0040D007  XOR  EAX,EAX
0177:0040D009  XOR  ECX,ECX
0177:0040D00B  MOV  CL,24
0177:0040D00D  LODSB
0177:0040D00E  XCHG AL,AH
--------------------------------------------------------------------------------

Now we need to change the CC back to 50 (the original value, PUSH EAX). If we don't, the stub runs without its first instruction and the program dies with an error message. So type:

  E EIP

You will see this:

  0177:0040D000 CC 83 C0 17 ...  P......3.3..$...-  <= we need to change this byte
  0177:0040D010 AC AA 86 C4 ...  .........@...<@.

Change CC 83 -> 50 83, so it looks like this:

  0177:0040D000 50 83 C0 17

Press ALT+D to return to the code window. Ha, much better, now we can trace the code ;D

Trace the code with F10 (step over) until here:

--------------------------------------------------byte--------------PROT---(0)--
0177:004010DC 55 8B EC 83 EC 44 56 FF-15 D8 63 40 00 8B F0 8A  .....DV...c@....
0177:004010EC 00 3C 22 75 13 46 8A 06-84 C0 74 04 3C 22 75 F5  .<"u.F....t.<"u.
0177:004010FC 80 3E 22 75 0D 46 EB 0A-3C 20 7E 06 46 80 3E 20  .>"u.F..< ~.F.>
0177:0040110C 7F FA 80 3E 00 74 0B 80-3E 20 7F 06 46 80 3E 00  ..>.t..> .F.>.
-------------------------------------------------------------------------PROT32-
0177:004010DA  ARPL [EAX],AX
==> 004010DC   JMP  004010DC      <= here is the OEP (Original Entry Point)
0177:004010DE  IN   AL,DX
0177:004010DF  SUB  ESP,44
0177:004010E2  PUSH ESI
0177:004010E3  CALL [KERNEL32!GetCommandLineA]
0177:004010E9  MOV  ESI,EAX
0177:004010EB  MOV  AL,[EAX]
0177:004010ED  CMP  AL,22
0177:004010EF  JNZ  00401104
--------------------------------------------------------------------------------

(Two notes on this screenshot: the code window was captured after the EB FE trap described below was already in place, which is why 004010DC decodes as JMP 004010DC while the data window above it still shows the original bytes; and the code window started decoding two bytes early, at 004010DA, so the ARPL and IN lines are garbage from a misaligned disassembly, not real instructions.)

How did I know to trace until here? I looked for a value similar to the entry point, but here I found something better: a jump to 004010DC (note: you need to step over some RETs ;D). The packer's stub has to hand control back to the original code once it has decrypted it, and the bytes at the target, 55 8B EC 83 EC 44 (PUSH EBP / MOV EBP,ESP / SUB ESP,44) followed by a call to GetCommandLineA, are the typical start of a C run-time entry point, so this is the OEP.

Anyway, write down the OEP "10DC" on paper or something!

Now look up (above the ASM code) and you will see this: 004010DC 55 8B (the OEP starts here). We will make an infinite loop at this spot using the "EBFE" trick (EB FE = JMP to itself): the process stays alive, fully decrypted in memory, but never runs past the OEP while we dump it. Do this in SoftICE:

  E EIP   [Enter]
  EBFE    : change 55 8B to EB FE (don't forget to remember 55 8B!)
  ALT+D   : return to the code window

So we set a trap on the OEP ;D. Now let's clear all breakpoints:

  BC *

and get out of SoftICE.

Now open ProcDump again. In the TASK window, scroll down and look for the directory where you have the encrypted file; mine is: C:\mirc\download\notepade.exe

Select the file, right-click it and choose: DUMP (FULL). Save the new dump anywhere you like and choose a name (I prefer DUMP.EXE ;D). Now right-click it again and choose: KILL TASK (press OK after you get a message).

The dump we made does not run yet; we need to modify it to make it run... duh! ;D So click "PE Editor" and choose the new dump file we made.
The entry point is still 0000D000, so change it to the real OEP: 10DC (remember I told you to write it down ;D). It will now look like this:

  Entry Point: 000010DC   (OEP 004010DC = Image Base 00400000 + RVA 000010DC)

Under "Apply Changes Method:" choose "To PE Header", so we can kick out the encryption code as well (to reduce the EXE size a bit ;D).

After choosing "To PE Header", click the "SECTIONS" button. Right-click the section called "PE" and choose "Kill Section". This ensures that the encryption code is no longer in dump.exe ;D

Now we will fix the Size of Image:

  Size of Image = Virtual Offset of the last section + its Virtual Size
                  (rounded up to the section alignment, 1000h here)

Because we killed the "PE" section, the last section is now ".reloc", so take ".reloc" and add its Virtual Offset and Virtual Size together. Right-click on .reloc, choose "edit section" and read:

  Virtual Offset = 0000C000
  Virtual Size   = 00001000
  Size of Image  = 0000C000 + 00001000 = 0000D000

Click the "CANCEL" button to get back to the Header Info screen. We see that "Size Of Image" = 0000E000, which is no longer correct, so change it:

  Size Of Image: 0000E000 -> 0000D000

Press OK to rebuild the structure of dump.exe ;D, then exit ProcDump.

Try running the file (dump.exe)... what's going on, it's not working... why! >:/

It won't work because it is still stuck in the loop we planted to keep the program from running on while we dumped it. Remember: 55 8B -> EB FE? So open the hex editor again and go to the OEP we found (10DC); in the full dump the raw offset matches the virtual offset, so the file offset is 10DC as well.

* Sometimes in WinHex you won't find a line that starts exactly at 10DC: the editor shows 16 bytes per line, so 10DC is the 13th byte of the line starting at 10D0. Look there (you will see EB FE, don't worry ;D) and change it back:

  EB FE -> 55 8B

Save the file and run dump.exe... IT WORKS!!!!!!!!... The file has been decrypted (manually unpacked).

Have fun ;D

My thanks and gratitude go to:
--------------------------------
----CODE_INSIDE-----   ; for helping in cracking
-----BLAcKgH0sT------  ; for being a good friend :)
-------FusS------      ; asm / keygenning helper
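The two header steps of this tutorial, mapping the entry point RVA to a raw offset for the hex-editor patch, and fixing up the dump (new entry point, killed stub section, recomputed Size of Image, EB FE undone), as an added example done with Python's struct module. This is not code from the tutorial, from CoDe_InSide's EP packer or from ProcDump; the sample file is a constructed minimal PE32 whose section names, offsets and byte values are assumptions chosen to mirror the walkthrough (three sections, OEP at RVA 10DC starting 55 8B EC, stub section "PE" holding an entry point that starts with 50).

```python
"""Added example, not from the tutorial: the PE-header bookkeeping the
walkthrough does by hand in ProcDump and a hex editor. The sample file is a
constructed minimal PE, not Notepad and not CoDe_InSide's EP packer."""
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")      # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data):
    """Read the PE32 fields the procedure needs, plus the file offsets of the
    ones it rewrites (NumberOfSections, AddressOfEntryPoint, SizeOfImage)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4                          # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                              # IMAGE_OPTIONAL_HEADER32
    pe = {"num_sections_off": coff + 2,
          "entry_off": opt + 16,                 # AddressOfEntryPoint
          "size_of_image_off": opt + 56,         # SizeOfImage
          "image_base": struct.unpack_from("<I", data, opt + 28)[0],
          "section_align": struct.unpack_from("<I", data, opt + 32)[0],
          "sections": []}
    pe["entry"] = struct.unpack_from("<I", data, pe["entry_off"])[0]
    pe["size_of_image"] = struct.unpack_from("<I", data, pe["size_of_image_off"])[0]
    for i in range(num_sections):                # section table follows the optional header
        f = SECTION_HDR.unpack_from(data, opt + opt_size + i * SECTION_HDR.size)
        pe["sections"].append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1],
                               "va": f[2], "rawsize": f[3], "rawptr": f[4]})
    return pe


def rva_to_raw(pe, rva):
    """The hex-editor step: the file offset equals the RVA only when a section's
    Raw Offset happens to equal its Virtual Offset, as it did in the tutorial.
    Returns None for an RVA that no file data backs."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + s["rawsize"]:
            return s["rawptr"] + (rva - s["va"])
    return None


def plant_int3(data):
    """Overwrite the first byte of the entry point with CC so BPINT 3 fires there.
    Returns (patched file, raw offset, original byte to put back with E EIP)."""
    pe = parse_pe(data)
    raw = rva_to_raw(pe, pe["entry"])
    buf = bytearray(data)
    original = buf[raw]
    buf[raw] = 0xCC
    return bytes(buf), raw, original


def align_up(x, a):
    return (x + a - 1) // a * a


def fix_dump(dump, oep_rva, oep_bytes):
    """The ProcDump fix-up: entry point := OEP, drop the packer's stub (assumed to
    be the last section, as 'PE' was), recompute SizeOfImage from the new last
    section rounded up to SectionAlignment, and undo the EB FE trap at the OEP."""
    pe = parse_pe(dump)
    buf = bytearray(dump)
    struct.pack_into("<I", buf, pe["entry_off"], oep_rva)
    stub = pe["sections"].pop()
    struct.pack_into("<H", buf, pe["num_sections_off"], len(pe["sections"]))
    last = pe["sections"][-1]
    struct.pack_into("<I", buf, pe["size_of_image_off"],
                     align_up(last["va"] + last["vsize"], pe["section_align"]))
    raw = rva_to_raw(pe, oep_rva)
    buf[raw:raw + len(oep_bytes)] = oep_bytes      # EB FE -> 55 8B
    del buf[stub["rawptr"]:]                       # the stub's raw data sits at the end of the file
    return bytes(buf)


def build_sample_pe():
    """Constructed stand-in for the packed Notepad (assumed layout): OEP at RVA 10DC
    in .text, already trapped with EB FE over 55 8B EC; stub section 'PE' holds the
    entry point at RVA 3000, whose first byte is 50 (PUSH EAX) as in the tutorial."""
    sections = [(b".text", 0x1000, 0x1000, 0x1000, 0x400),   # name, vsize, va, rawsize, rawptr
                (b".reloc", 0x1000, 0x2000, 0x1000, 0x1400),
                (b"PE", 0x1000, 0x3000, 0x1000, 0x2400)]
    e_lfanew, hdr = 0x80, bytearray(0x400)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    struct.pack_into("<HHIIIHH", hdr, coff, 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = coff + 20
    struct.pack_into("<H", hdr, opt, 0x10B)                       # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x3000)                 # AddressOfEntryPoint -> stub
    struct.pack_into("<III", hdr, opt + 28, 0x400000, 0x1000, 0x200)  # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<I", hdr, opt + 56, 0x4000)                 # SizeOfImage (three sections + headers)
    for i, sec in enumerate(sections):
        SECTION_HDR.pack_into(hdr, opt + 0xE0 + i * 40, *sec, 0, 0, 0, 0, 0x60000020)
    body = bytearray(0x3000)                                      # raw data of the three sections
    body[0xDC:0xDF] = b"\xEB\xFE\xEC"                             # OEP (raw 4DC): JMP $ over PUSH EBP / MOV EBP,ESP
    body[0x2000] = 0x50                                           # stub entry (raw 2400): PUSH EAX
    return bytes(hdr + body)
```

Running parse_pe on build_sample_pe() gives the same picture the ProcDump "Sections" button does (Virtual Offset versus Raw Offset per section), plant_int3 is the hex-editor patch from the BPINT 3 step, and fix_dump applies the three header changes plus the EB FE restore; in the sample the .text section's raw offset differs from its RVA (400 versus 1000), which is exactly the case where patching at the RVA in a hex editor would hit the wrong byte.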