Almost Manual Unpacking #2 (using Softice and Icedump)

Text written by r!sc . 19th-23rd february 2000 (im so idle..)

Target exe  : petgui.exe . 55,588 . v 2.2
Packed with : petite 2.2
Url         : www.un4seen.com/petite

i dont like unpacking programs no more . this tutorial isnt meant for newbies,
nor is it meant for the elite, damn it, it isnt even gonna be a tutorial, just
a quick readme trying to explain the basics of unpacking programs packed with
petite 2.2. you should know unpacking a file isnt the only way you can patch its
'original' code, and in most cases, we can 'crack' our targets without needing
to unpack them first, but anyway, we're gonna unpack petite just to kill a
couple of minutes time (or maybe just a little longer) . . . ..


Fire up Procdump's pe-editor, and attempt to borrow some information from our
target file. we want the image size, and if possible, the VA and the size of
the import table.. unluckily this file has no section names left intact. heh,
and it appears to have merged the sections . . . only three sections. this is
going to be harder than we thought? nah!

Size of image : 000E1000
Image Base    : 00400000

bpx loadlibrarya / getmodulehandlea

run petgui.exe . .. 

on your break . take a look at the code. check out the registers, look for 
interesting stuff . . . i found this..

esi==414924 : 4C400100 88410100 1C400100 00420100 F4410100 74410100 00400100
                ----     ----     ----
           dd 0001404c 00014188 0001401c etc      etc
              
add the imagebase to these, and we end up with pointers to the first thunk,
part of our import table. looks like ian luck has been doing evil things with
this pe-file . .. merged all the sections, killed the image_import_descriptors,
and if you look a bit closer, you will see no library names in the remainder of
our import table . . .. 

anyway, on the break for loadlibrarya, dump the whole process..

pagein d 400000 e1000 c:\petgui.bin ? ? ?

then trace to the exit point of the unpacker, so we know the original entry point...

0167:004E003C  61                  POPAD
0167:004E003D  669D                POPF
0167:004E003F  83C408              ADD     ESP,08
0167:004E0042  E931D5F2FF          JMP     0040D578 <-- original entry point..
0167:004E0047  E980B5ABBF          JMP     KERNEL32!_llseek
.. yak yak yak .. import mangling at its prime, the import table isnt here, but
it is, you see? hehehe


okay, load the dump into your favorite hex editor, and examine it carefully..

code section appears to be from 1000 - 14000 . . size 13000
rdata section appears to be from 14000 - 16000 . . size 2000
data section 16000 - 1a000 (but continues with NULL's for quite a lot of bytes)
rsrc from df000 - e1000 . . . . .

right, we can either leave the sections merged, and fix the pe-header, or leave
the sections merged, kill all those excess NULL's between data and rsrc, and
fix the pe-header, or we can create a new pe-file, with four sections, and fix
it all up . ..

im going for leaving it exactly as it is, but adding an extra section into the
header, fix rdata section, and cross my fingers before i execute the file..
'if it works' after this, we can kill those extra NULL's between the data and
rsrc section . and hopefully have a decent sized fully working file afterwards.

copy and paste the rdata section into a new file . from 14000h to 16000h in our
dump.. . right, offset 924h in the new file is where the 'first thunk' pointers
begin . we have a lot of NULL bytes here, somewhere we could paste the library
names? yah, search the dump for the library names, and copy/paste them into
offset A00h in our new rdata section.. see 'rdata.bin'

we have to re-create our image_import_descriptors now . we have the first thunk
pointers, we have the VA's of the libraries used, so we just have to er . use
our heads and our hex editor to make some new image_import_descriptors..

dd 0,0,0,VA lib1,first_thunk_pointer1
dd 0,0,0,VA lib2,first_thunk_pointer2
...
dd 0,0,0,VA lib7,first_thunk_pointer7
dd 0,0,0,0,0

our rdata section VA is 14000 . we already have the first thunk pointers, our
first image_import_descriptor would look like this ..

00000000 00000000 00000000 004a0100 4C400100

the best way to rebuild these is to copy the first thunk pointers into a new
file, then edit this file with 'insert' turned on . insert 3 NULL dwords
in front of each pointer, and then the VA of each library name in front of each
pointer.. the VA of each library name being its offset in rdata.bin + 14000h .

00014a00, 00014a0d, 00014a18, 00014a22, 00014a2f, 00014a39, 00014a45 ..

see iid1.bin / iid2.bin / iid3.bin for hands on info?
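
the rebuild above done in code, as an added example (not part of the original text or of the iid*.bin files): it decodes the seven dwords softice showed at esi, turns them into VAs and rdata.bin offsets, and packs the image_import_descriptors from the page's list of library name VAs. the only things taken from outside the page are the struct layout of IMAGE_IMPORT_DESCRIPTOR and the all-zero terminator that closes the array (20 bytes beyond the 8ch the page pastes; the NULLs already in rdata supply it there).

```python
import struct

# Values from the page: image base and the rdata section RVA of petgui.exe
IMAGE_BASE = 0x00400000
RDATA_RVA = 0x00014000

# The seven dwords softice showed at esi==414924, exactly as dumped
# (little-endian byte order, so 4C400100 is the RVA 0001404c).
FIRST_THUNK_DUMP = "4C400100 88410100 1C400100 00420100 F4410100 74410100 00400100"

# RVAs of the seven library names after pasting them at offset A00h of
# rdata.bin (offset in rdata.bin + 14000h), as listed on the page.
NAME_RVAS = [0x14a00, 0x14a0d, 0x14a18, 0x14a22, 0x14a2f, 0x14a39, 0x14a45]

def decode_dwords(dump):
    """Turn a softice-style dword dump into RVAs (reverses the byte order)."""
    return [struct.unpack('<I', bytes.fromhex(word))[0] for word in dump.split()]

def rva_to_va(rva):
    """A VA is just the RVA plus the image base."""
    return IMAGE_BASE + rva

def rva_to_rdata_offset(rva):
    """Where an RVA lands inside rdata.bin (the section starts at RVA 14000h)."""
    if not RDATA_RVA <= rva < RDATA_RVA + 0x2000:
        raise ValueError('RVA %#x is not inside rdata' % rva)
    return rva - RDATA_RVA

def build_import_descriptors(name_rvas, first_thunks):
    """Rebuild the IMAGE_IMPORT_DESCRIPTOR array the packer threw away.

    Each entry is five dwords: OriginalFirstThunk, TimeDateStamp,
    ForwarderChain, Name, FirstThunk.  OriginalFirstThunk stays 0 because no
    import name table survived; the loader then walks FirstThunk instead,
    which is what the page's 'dd 0,0,0,VA lib,first_thunk' layout relies on.
    The array is closed by an all-zero descriptor.
    """
    if len(name_rvas) != len(first_thunks):
        raise ValueError('one name per first-thunk pointer, please')
    out = bytearray()
    for name, thunk in zip(name_rvas, first_thunks):
        out += struct.pack('<5I', 0, 0, 0, name, thunk)
    out += bytes(20)          # terminator
    return bytes(out)

def descriptor_hexdump(blob):
    """Render descriptors one per line, dwords as a hex editor shows them."""
    lines = []
    for i in range(0, len(blob), 20):
        lines.append(' '.join(blob[j:j + 4].hex().upper() for j in range(i, i + 20, 4)))
    return lines

if __name__ == '__main__':
    thunks = decode_dwords(FIRST_THUNK_DUMP)
    print('first thunks :', ' '.join('%08x' % t for t in thunks))
    print('as VAs       :', ' '.join('%08x' % rva_to_va(t) for t in thunks))
    iids = build_import_descriptors(NAME_RVAS, thunks)
    print('%d descriptors + terminator = %xh bytes' % (len(thunks), len(iids)))
    for line in descriptor_hexdump(iids):
        print(line)
```

the first line of the hexdump comes out as the descriptor shown above (00000000 00000000 00000000 004a0100 4C400100); the bytes can be pasted at offset 924h of rdata.bin in place of the hand-edited version.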

lets just follow the first of the first thunk pointers, then follow one of
those pointers and see the asciiz huh?

well, blow me.. our first pointer, 0001404c .. points to 0000004c in our rdata
section.. at 0000004c is 0C4C0100 . reversed is 00014c0c .. points to c0c in
our rdata section.. at c0c is .. '_llseek',0,0,0 ..

this is wrong . these pointers SHOULD point 2 bytes in front of the asciiz, to
the HINT.. since they point directly to the asciiz, this makes it easier to
load the imports yourself, but screws windows up when it tries to load the
imports. . we have two choices.

#1. subtract 2 from each pointer in the first thunks (a lot of work) ..
#2. insert 2 bytes in front of the asciiz strings . hoping it aligns them all ..

okay, i go for #2 . the first asciiz i have is 'ExitProcess', starts at 0BCEh,
if i insert two bytes here, it pushes 'ExitProcess' so it begins at 0BD0h ..
good, then delete two bytes after the asciiz strings . . while we're at it, paste
our new image_import_descriptors back into our rdata section.. 8ch bytes from
offset 924h in rdata.bin ... .. see rdata.fixed.bin if you're confused ..
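
the pointer-following from 'well, blow me' onwards and the hint problem, as an added example (not the page's own code or files): it walks a first-thunk array the way the windows loader does (2-byte hint, then the asciiz), flags entries that point straight at text, and then applies choice #1 (subtract 2 from each pointer) because that is a one-liner once it is code, unlike the hand edit. the rdata image it works on is constructed to match what the page found ('_llseek' at C0Ch, 'ExitProcess' at BCEh, thunk array at 4Ch); only those values come from the page.

```python
import struct

RDATA_RVA = 0x00014000     # rdata section RVA, from the page

def build_sample_rdata():
    """Constructed 2000h-byte rdata image that mimics what the page found:
    a first-thunk array at 4Ch whose entries point straight at the asciiz
    names (no hint word), with '_llseek' at C0Ch and 'ExitProcess' at BCEh."""
    rdata = bytearray(0x2000)
    rdata[0xc0c:0xc0c + 8] = b'_llseek\0'
    rdata[0xbce:0xbce + 12] = b'ExitProcess\0'
    struct.pack_into('<III', rdata, 0x4c, RDATA_RVA + 0xc0c, RDATA_RVA + 0xbce, 0)
    return rdata

def read_asciiz(rdata, off):
    end = rdata.index(b'\0', off)
    return rdata[off:end].decode('ascii')

def walk_first_thunks(rdata, first_thunk_rva):
    """Yield (array offset, entry) for each entry of a zero-terminated thunk array."""
    off = first_thunk_rva - RDATA_RVA
    while True:
        entry = struct.unpack_from('<I', rdata, off)[0]
        if entry == 0:
            return
        yield off, entry
        off += 4

def classify_thunk(rdata, entry):
    """'ordinal' if the high bit is set, 'bare-name' when the entry points
    straight at printable text (what petite left behind), else 'hint+name'.
    A real IMAGE_IMPORT_BY_NAME starts with a little-endian WORD hint, and a
    hint below 2000h has a high byte under 20h, i.e. not printable, whereas a
    name gives two printable bytes in a row."""
    if entry & 0x80000000:
        return 'ordinal'
    off = entry - RDATA_RVA
    if 0x20 < rdata[off] < 0x7f and 0x20 < rdata[off + 1] < 0x7f:
        return 'bare-name'
    return 'hint+name'

def loader_names(rdata, first_thunk_rva):
    """Read the names the way the windows loader does: skip the 2-byte hint."""
    return [read_asciiz(rdata, entry - RDATA_RVA + 2)
            for _, entry in walk_first_thunks(rdata, first_thunk_rva)]

def fix_thunks(rdata, first_thunk_rva):
    """Choice #1 from the page: pull every bare-name pointer back by 2 so it
    lands on a hint word.  The two bytes in front of the name become the hint;
    here they are the NULs ending the previous string, so hint 0, which the
    loader only uses as a first guess before searching by name anyway.
    Returns the patched copy and how many entries were changed."""
    fixed = bytearray(rdata)
    changed = 0
    for off, entry in walk_first_thunks(fixed, first_thunk_rva):
        if classify_thunk(fixed, entry) == 'bare-name':
            struct.pack_into('<I', fixed, off, entry - 2)
            changed += 1
    return fixed, changed

if __name__ == '__main__':
    rdata = build_sample_rdata()
    print('before:', loader_names(rdata, 0x1404c))   # names missing their first two chars
    fixed, n = fix_thunks(rdata, 0x1404c)
    print('after :', loader_names(fixed, 0x1404c), '(%d pointers adjusted)' % n)
```

before the fix the loader-style read gives 'lseek' and 'itProcess', which is exactly why windows chokes on the imports; after it the names come back whole. the classifier is a heuristic (a hint of 2000h or more would look printable), so eyeball anything it flags before writing the section back.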

copy fixed rdata.bin back into petgui.bin . . offset 86h in petgui.bin is the
number of sections . change this from 03 to 04.. rename to *.exe . . procdump
comes back into play now ...

fix all the sections' RAW Sizes and RAW Offsets (same as the virtual ones, since
this is a straight memory dump) . i had problems with procdump, but everything
turned out okay . . dont forget to fix the entrypoint and the directory entry
for the import table ..

new entry point : 0000d578
import table    : 00014924

section v-size    v-offset  raw-size  raw-offset
code    00013000  00001000  00013000  00001000
rdata   00002000  00014000  00002000  00014000
data    000c9000  00016000  000c9000  00016000
rsrc    00002000  000df000  00002000  000df000
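
the same header surgery in code, as an added example (not part of the original text and not what procdump does internally): it finds the COFF and optional headers through e_lfanew, writes NumberOfSections (the byte at 86h the page edits by hand), the new entry point, the import directory entry, and a four-entry section table with raw size/offset equal to the virtual ones. the header it patches is a constructed stand-in for the first 1000h bytes of petgui.bin; the section characteristics flags and the import directory size (eight descriptors, terminator included) are assumptions, the page does not list them.

```python
import struct

# Values from the page for the petgui.exe dump
NEW_ENTRY_RVA = 0x0000d578
IMPORT_TABLE_RVA = 0x00014924
IMPORT_TABLE_SIZE = 8 * 20        # assumption: seven descriptors plus the zero terminator
# (name, virtual size, virtual address, characteristics) from the page's table.
# Raw size/offset equal the virtual ones because the file is a straight memory
# dump.  The characteristics are the usual flags for such sections (assumed).
SECTIONS = [
    (b'code',  0x00013000, 0x00001000, 0x60000020),   # code | execute | read
    (b'rdata', 0x00002000, 0x00014000, 0x40000040),   # initialized data | read
    (b'data',  0x000c9000, 0x00016000, 0xC0000040),   # initialized data | read | write
    (b'rsrc',  0x00002000, 0x000df000, 0x40000040),   # initialized data | read
]
SECTION_HDR = '<8sIIIIIIHHI'      # IMAGE_SECTION_HEADER, 40 bytes

def build_sample_header():
    """Constructed stand-in for the first 1000h bytes of petgui.bin: a DOS
    header with e_lfanew == 80h (which is why the page finds the section
    count at 86h), a PE32 optional header of E0h bytes, and three sections."""
    img = bytearray(0x1000)
    img[:2] = b'MZ'
    struct.pack_into('<I', img, 0x3c, 0x80)               # e_lfanew
    img[0x80:0x84] = b'PE\0\0'
    struct.pack_into('<HH', img, 0x84, 0x14c, 3)          # Machine=i386, NumberOfSections
    struct.pack_into('<H', img, 0x94, 0xe0)               # SizeOfOptionalHeader
    struct.pack_into('<H', img, 0x98, 0x10b)              # PE32 magic
    struct.pack_into('<I', img, 0x98 + 92, 16)            # NumberOfRvaAndSizes
    return img

def header_offsets(img):
    """Locate the COFF header, the optional header and the section table."""
    if img[:2] != b'MZ':
        raise ValueError('no MZ header')
    pe = struct.unpack_from('<I', img, 0x3c)[0]
    if img[pe:pe + 4] != b'PE\0\0':
        raise ValueError('no PE signature at e_lfanew')
    opt = pe + 24
    opt_size = struct.unpack_from('<H', img, pe + 20)[0]
    return pe, opt, opt + opt_size

def patch_dump_header(image, entry_rva, import_rva, import_size, sections):
    img = bytearray(image)
    pe, opt, sec = header_offsets(img)
    struct.pack_into('<H', img, pe + 6, len(sections))            # NumberOfSections (86h here)
    struct.pack_into('<I', img, opt + 16, entry_rva)              # AddressOfEntryPoint
    if struct.unpack_from('<I', img, opt + 92)[0] < 2:
        raise ValueError('optional header has no import directory slot')
    struct.pack_into('<II', img, opt + 96 + 8, import_rva, import_size)   # DataDirectory[1]
    for i, (name, vsize, va, flags) in enumerate(sections):
        struct.pack_into(SECTION_HDR, img, sec + 40 * i,
                         name.ljust(8, b'\0'), vsize, va, vsize, va, 0, 0, 0, 0, flags)
    return bytes(img)

def read_header(image):
    """Read back the fields we care about, for checking the result."""
    pe, opt, sec = header_offsets(image)
    n = struct.unpack_from('<H', image, pe + 6)[0]
    entry = struct.unpack_from('<I', image, opt + 16)[0]
    imp_rva, imp_size = struct.unpack_from('<II', image, opt + 96 + 8)
    secs = []
    for i in range(n):
        name, vsize, va, rsize, roff, _, _, _, _, _ = struct.unpack_from(SECTION_HDR, image, sec + 40 * i)
        secs.append((name.rstrip(b'\0').decode(), vsize, va, rsize, roff))
    return {'sections': n, 'entry': entry, 'import_dir': (imp_rva, imp_size), 'table': secs}

if __name__ == '__main__':
    patched = patch_dump_header(build_sample_header(), NEW_ENTRY_RVA,
                                IMPORT_TABLE_RVA, IMPORT_TABLE_SIZE, SECTIONS)
    info = read_header(patched)
    print('entry %08x  import table %08x' % (info['entry'], info['import_dir'][0]))
    print('section v-size    v-offset  raw-size  raw-offset')
    for name, vsize, va, rsize, roff in info['table']:
        print('%-7s %08X  %08X  %08X  %08X' % (name, vsize, va, rsize, roff))
```

on the real dump the same call would be made on the whole petgui.bin, since the section table sits inside the first page and nothing else in the file moves; the printed table should match the one above before you rename to *.exe and run it.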

save changes, run the exe :p . . it works sweet .. pity its 900kb now though.
lets kill the un-needed NULL's from 1a000 - df000 . and re-fix the pe-header..

heh, see pet.exe . . . . .

the end

love r!sc - http://csir.cjb.net - 23rd february 2000 . .

