File/Folder Description Centre v3.6.0.0 - Tutorial

http://arn.hypermart.net - Webpage.
Set_ffdc.exe: 784k.

Firstly my thanks to cTT for finding me this program, conveniently protected by ASPack :). In the first part I demonstrated how we could reconstruct a target whose original state we possessed; in the case of FFDC we will not have that luxury. Our first step will be to locate the entry point (use W32Dasm or even a HEX editor to search for 60 E8 00 00 00) and you'll find the familiar PUSHAD, CALL $+5 code that typifies ASPack.

You should of course Pedump /I the compressed file as we'll be needing it a little later. Next we'll bpx the loading code and establish which sections are compressed, then dump them to files. Remember to note the value of EDI so we can establish the RVAs of each section (also be careful with the last section).

Section     RVA          Raw Size
-------     ----------   ------------
CODE        0x1000       0x8B600
DATA        0x8D000      0x1200
.idata      0x91000      0x2800
.rsrc       0xA0000      0x1F000

Note that the .rsrc section was actually unpacked at RVA=0xA153C, ECX=0x1D6C4.

You should now have 4 files; once again it's time for a little fun with your favourite HEX editor, UltraEdit is the tool for this. Firstly grab the PE header from the compressed file, then follow my graphical illustration below for gluing the file back together.

     0h    --------------------------------------------------
           PE Header from compressed FfdcShell.exe
   400h    --------------------------------------------------
           Unpacked CODE section (Raw Size 8B600h)
 8BA00h    --------------------------------------------------
           Unpacked DATA section (Raw Size 1200h)
           also BSS section will point here
 8CC00h    --------------------------------------------------
           Unpacked .idata section (Raw Size 2800h)
 8F400h    --------------------------------------------------
           Original .edata section (Raw Size 200h)
           .tls section (Raw Size 0h)
           Original .rdata section (Raw Size 200h)
           .reloc section (Raw Size 0h)
 8F800h    --------------------------------------------------
           Unpacked .rsrc section (Raw Size 1F000h)
 AE800h    --------------------------------------------------
You should now have a new file of length 714,752 bytes.
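The gluing step above is mechanical and easy to get wrong by hand, so here is an added example (not part of the original tutorial) that computes the file offsets from the raw sizes in the diagram, concatenates the dumped pieces with zero padding to their raw size, and maps an RVA to its offset in the rebuilt file. The piece names, the 0x400 header size and the RVA/raw-size values are taken from the tutorial; the sample dump contents are constructed.

```python
import io

# Raw sizes of the pieces in the order they are glued back together,
# as listed in the layout diagram. The PE header occupies 0h..400h.
PE_HEADER_SIZE = 0x400
PIECES = [
    ("CODE",   0x8B600),
    ("DATA",   0x1200),
    (".idata", 0x2800),
    (".edata", 0x200),
    (".tls",   0x0),
    (".rdata", 0x200),
    (".reloc", 0x0),
    (".rsrc",  0x1F000),
]

# RVAs of the unpacked sections from the dump table.
SECTION_RVAS = {"CODE": 0x1000, "DATA": 0x8D000, ".idata": 0x91000, ".rsrc": 0xA0000}


def compute_layout(pieces=PIECES, header_size=PE_HEADER_SIZE):
    """Return ({piece_name: file_offset}, total_file_length)."""
    offsets, cursor = {}, header_size
    for name, raw_size in pieces:
        offsets[name] = cursor
        cursor += raw_size
    return offsets, cursor


def glue(header, dumps, pieces=PIECES, header_size=PE_HEADER_SIZE):
    """Concatenate header and dumps; each piece is padded or cut to its raw size."""
    out = io.BytesIO()
    out.write(header.ljust(header_size, b"\0")[:header_size])
    for name, raw_size in pieces:
        out.write(dumps.get(name, b"").ljust(raw_size, b"\0")[:raw_size])
    return out.getvalue()


def rva_to_offset(rva, layout, pieces=PIECES, rvas=SECTION_RVAS):
    """Map an RVA to a file offset in the rebuilt image (bounds use raw size,
    since the tutorial gives no virtual sizes)."""
    for name, raw_size in pieces:
        start = rvas.get(name)
        if start is not None and start <= rva < start + raw_size:
            return layout[name] + (rva - start)
    raise ValueError("RVA 0x%X not inside a dumped section" % rva)


if __name__ == "__main__":
    layout, total = compute_layout()
    # Constructed stand-in dumps; real use reads the four dumped files.
    image = glue(b"MZ", {"CODE": b"\x55\x8b\xec"})
    print("rebuilt length: %d bytes" % len(image), hex(total))
```

With the real dumps loaded into the `dumps` dict the rebuilt file comes out at AE800h (714,752) bytes, matching the diagram, and the entry point RVA from the next step can be located with `rva_to_offset`.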

Now all you'll need to do is find the real entry point RVA (0x8C264) and fix up the PE header and .rsrc section methodically as I described in Phase 1 (Hint: there are 3 resources to fix).

You can download the unpacked file here (333k), and obviously load the file into IDA to reverse its banal protection. If you have any trouble obtaining the actual program version used here drop me an e-mail and I'll make it available for you.

* I understand that this unpacked file for some reason won't run under Windows NT, I am currently investigating why this is the case.

You have finished reading another tutorial courtesy of CrackZ's Reverse Engineering Page.


© 1999 CrackZ. 21st July 1999.