Vbox4 - Ulead COOL 3D 2.0 crack with ProcDump by GustawKit

In issue #1 of this tutorial I introduced a way of unpacking exe files with ProcDump. It turns out that the same program can be used to crack commercial protections such as TimeLock or Vbox4 by PreviewSoftware. This type of protection is fairly easy to reverse. As an example we will take Ulead Cool3D v2.0 (which uses Vbox4).

If we load the program U3dedit2.exe into a debugger (SoftICE), the following code appears at the EntryPoint:

014F:004F1000  PUSH    DWORD PTR [ESP+0C]
014F:004F1004  PUSH    DWORD PTR [ESP+0C]
014F:004F1008  PUSH    DWORD PTR [ESP+0C]
014F:004F100C  PUSH    55E239F5  -----> prepare address
014F:004F1011  PUSH    55AD2D76  -----> of packed data
014F:004F1016  PUSH    55E23DA9
014F:004F101B  PUSH    55E23D53
014F:004F1020  CALL    [004F11F0] ----> run vbox4
014F:004F1026  PUSH    FFFFFFFF
014F:004F102B  CALL    EAX       -----> run programme
014F:004F102D  RET     000C    

The CALL [004F11F0] calls a procedure (PreviewExecGate..) from the vbox4 DLLs, which decodes the first part of the program and returns in EAX a new EntryPoint into the decoded data (on my computer F0000, i.e. 004F0000 as SoftICE shows it). Stepping further into the program with CALL EAX (press F8), we arrive at a new fragment of code:

014F:004F0000  PUSH    DWORD PTR [ESP+0C]
014F:004F0004  PUSH    DWORD PTR [ESP+0C]
014F:004F0008  PUSH    DWORD PTR [ESP+0C]
014F:004F000C  PUSH    B6A4DD7F
014F:004F0011  PUSH    BBC60E1F
014F:004F0016  PUSH    6D171A8C
014F:004F001B  PUSH    415F4B5A
014F:004F0020  CALL    [004F01D4] ---> next vbox4 function
014F:004F0026  PUSH    FFFFFFFF
014F:004F002B  CALL    EAX
014F:004F002D  RET     000C 

As we can see, the code is analogous to the preceding one. CALL [4F01D4] invokes the vbox4 function which runs the trial-condition checks; if everything is OK it decodes the rest of the program and returns in EAX the address of the real program (this time Cool3D). If the trial check fails, EAX instead holds the address of ExitProcess, which ends execution of the program. If we trace further into CALL EAX (F8), we enter our main program at address 6CF20 (an RVA; SoftICE shows it as 0046CF20, just as F0000 above appeared as 004F0000). This address is worth writing down or remembering, because it is simply the correct EntryPoint of the main program, which at this point is already the full version without vbox4.

OK, we now know everything we need. The solution to vbox4 is to copy the unpacked program out of memory and save it to an exe file. Some may prefer to attempt this with SoftICE and SoftDump (look at fravia.org). That requires good knowledge of the PE-EXE structure and is hard work; describing it is not my aim here. There is an easier solution, because we know the splendid program ProcDump, which makes it possible to dump a process from memory to a file while preserving the whole structure of the exe file.

As I described in the preceding parts, ProcDump has a script file, script.ini, containing instructions on how to debug and dump protected programs. The latest version, ProcDump32 1.1.6, should already contain a ready section for Vbox:

[VBOX Dialog]
L1=LOOK FF,D0 ; find first call eax
L2=BP         ; breakpoint on found address
L3=BPREG EAX  ; sets break on address in register EAX
              ; as we know there's address of next part of code
L4=OBJR       ; sets actual search address on EIP
L5=LOOK FF,D0 ; find second call eax
L6=BP         ; then breakpoint it
L7=STEP       ; and save decoded programme

Proper setup of the loading and file-reconstruction options is important. Because a program packed with vbox4 also has packed sections and data tables, we must tick the reconstruction option Create New Import. In case of problems, also switch on the Ignore Faults option in the Trace section.

After successfully unpacking the file we can also remove the WeiJunLi sections from the structure of the new file (PE Editor option). Out of curiosity, look at the new file's EntryPoint: 6CF20.
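To make the two mechanisms behind the script concrete, here is an added example (my own Python, not ProcDump's code and not part of the original tutorial) that replays the [VBOX Dialog] script over a constructed process image. It assembles both loader stubs from the opcodes in the listings above, shows that LOOK FF,D0 is a search for the opcode bytes of CALL EAX and why the second search must start at EIP (OBJR) rather than at the original EntryPoint, and finally shows what the dump step has to do to the PE header so that PE Editor reports EntryPoint 6CF20. Assumptions: an image base of 400000 (so 004F1000 is RVA F1000), a hand-built minimal PE header in place of the real file, and the two EAX values (F0000 and 6CF20) supplied by the caller, since they are what the debugger observes at run time.

```python
"""Added example, not ProcDump's code: replay of the [VBOX Dialog] script and
of the EntryPoint fix-up a dumper performs. Stub bytes are assembled from the
tutorial's listings; the PE header is constructed here for illustration."""
import struct

IMAGE_BASE = 0x400000      # assumed image base: 004F1000 -> RVA F1000
STUB1_RVA = 0xF1000        # original EntryPoint (first vbox4 stub)
STUB2_RVA = 0xF0000        # value the first vbox4 call returns in EAX
REAL_EP_RVA = 0x6CF20      # Cool3D's real EntryPoint (second call's EAX)

CALL_EAX = b"\xFF\xD0"     # the bytes LOOK FF,D0 searches for


def stub(consts, gate_ptr):
    """Assemble one vbox4 loader stub exactly as the listing shows it."""
    code = b"\xFF\x74\x24\x0C" * 3                       # PUSH DWORD PTR [ESP+0C] x3
    for c in consts:
        code += b"\x68" + struct.pack("<I", c)           # PUSH imm32
    code += b"\xFF\x15" + struct.pack("<I", gate_ptr)    # CALL [gate_ptr]
    code += b"\x68\xFF\xFF\xFF\xFF"                      # PUSH FFFFFFFF
    code += CALL_EAX                                     # CALL EAX
    code += b"\xC2\x0C\x00"                              # RET 000C
    return code


def build_image():
    """Constructed process image: both stubs at their listed RVAs, rest zero."""
    img = bytearray(0xF2000)
    s1 = stub((0x55E239F5, 0x55AD2D76, 0x55E23DA9, 0x55E23D53), 0x4F11F0)
    s2 = stub((0xB6A4DD7F, 0xBBC60E1F, 0x6D171A8C, 0x415F4B5A), 0x4F01D4)
    img[STUB1_RVA:STUB1_RVA + len(s1)] = s1
    img[STUB2_RVA:STUB2_RVA + len(s2)] = s2
    return img


def look(img, pattern, start_rva):
    """LOOK: RVA of the first occurrence of pattern at or after start_rva.
    This is a plain byte search, not a disassembly, so FF D0 inside an
    immediate or in data would match too; the BP/BPREG steps confirm it."""
    off = img.find(pattern, start_rva)
    return None if off < 0 else off


def run_vbox_script(img, eax_after_first_call, eax_after_second_call):
    """Replay the script lines L1..L7. The EAX values are what the debugger
    would observe at each breakpoint; here the caller supplies them."""
    bp1 = look(img, CALL_EAX, STUB1_RVA)   # L1 LOOK from EntryPoint, L2 BP
    eip = eax_after_first_call              # L3 BPREG EAX: break where CALL EAX lands
    bp2 = look(img, CALL_EAX, eip)          # L4 OBJR (search from EIP), L5 LOOK, L6 BP
    dump_ep = eax_after_second_call         # L7 STEP: dump with EIP = real EntryPoint
    return bp1, bp2, dump_ep


def build_min_pe(entry_rva):
    """Minimal PE32 header (DOS header, PE signature, COFF, optional header)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x102)  # i386, 32-bit exe
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, IMAGE_BASE)                    # ImageBase
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def _opt_header_offset(pe):
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    return e_lfanew + 4 + 20          # past signature and COFF header


def get_entry_point(pe):
    return struct.unpack_from("<I", pe, _opt_header_offset(pe) + 16)[0]


def set_entry_point(pe, rva):
    """What the dumper does after STEP: point the header at the real program."""
    pe = bytearray(pe)
    struct.pack_into("<I", pe, _opt_header_offset(pe) + 16, rva)
    return bytes(pe)


if __name__ == "__main__":
    img = build_image()
    bp1, bp2, ep = run_vbox_script(img, STUB2_RVA, REAL_EP_RVA)
    print(f"first CALL EAX at {IMAGE_BASE + bp1:08X}, second at {IMAGE_BASE + bp2:08X}")
    dumped = set_entry_point(build_min_pe(STUB1_RVA), ep)
    print(f"dumped file EntryPoint = {get_entry_point(dumped):X}")
```

Note what OBJR buys you: with the stubs laid out as in the listings, a LOOK that restarted from the original EntryPoint (F1000) would find F102B a second time, and one that started from the beginning of the image would hit the second stub's CALL EAX (F002B) before the first. Only a search that begins at the current EIP gives the script the right breakpoint each time.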

OK, correct.

IMO ProcDump is worth some interest and practice. We can always come across software compressed with a not-well-known compressor, and then we will know how to handle it. Those who do not know ProcDump should download it from http://www.suddendischarge.com/ in the NonDOs section, or from http://pub.vse.cz/pub/msdos/SAC/pc/pack/.