Purpose: Stamp Import Table Manually.
Tools:
  Softice 3.00 or above
  Procdump v1.40
  Softdump from Master Cracker Quine
  Dumppe by Turvey
  Hex editor of your choice.
Target: Sruler.exe, size 51,712 bytes
  http://129.105.116.5/fravia/frarul1.htm
Packer: PEPACK v.099, size 14,848 bytes
  http://www.suddendischarge.com
History: No history.
Notes:
+ A little knowledge about the PE file structure is necessary.
+ It would not have been possible without "procdump", which did 95% of the work.
  It's a great tool.
For learning purposes we will pack the target file "sruler.exe" with pepack.exe.
Make a backup of sruler.exe first, just in case we make an error, then give the
command:
Pepack Sruler.exe
The new sruler.exe is 28,160 bytes (decimal).
Now run Procdump. From the main menu click "Option". At the bottom left of the
option dialog tick "Rebuild new import table", then press OK.
Click "Unpack" in the main menu, select PEPACK and press OK.
Select the file "sruler.exe" and press Open. Procdump will display the message
"Press OK when task is loaded (Check Task Bar)"; press OK. A few seconds later
you will see the message "Import Table Can't be Stamped (Not Found)". Press OK.
Procdump will then ask for the file name under which to save the file it has
unpacked successfully. I gave "unpacked.exe" and pressed OK; the file is created
on your hard disk.
Don't try to run it, it won't run. Remember the error "Import table can't be
stamped": we have to stamp it manually, as described below.
We will first use "Dumppe" to see more information about "unpacked.exe", so give
dumppe unpacked.exe > peinfo
I will highlight what matters most for this purpose. Inside "peinfo" check
the items below:
Directory Name      VirtAddr VirtSize
------------------- -------- --------
Export              00000000 00000000
Import              000115F8 0000003C   <<- Will change this later in procdump
Resource            0000C000 00001D40   Just keep a note of it in your brain

06 .idata  Virtual Address     0000E000
           Virtual Size        00001000
           Raw Data Offset     0000B200   <- start of the .idata section in the file
           Raw Data Size       00000B4C   <- this is the size of .idata
           Relocation Offset   00000000
           Relocation Count    0000
           Line Number Offset  00000000
           Line Number Count   0000
           Characteristics     C0000040
             Initialized Data
             Readable
             Writeable
So open the file "unpacked.exe" in your hex editor:
Hex unpacked.exe
Go to offset B200. Mark the region from B200 up to BD4C, i.e. B200 + B4C, and
delete everything in it. What is there now is useless; we will have to stamp
this portion of the file with the correct values so that the file can run.
Open an MS-DOS prompt and run softdump. I used it like this:
sdump95 idata.bin B4C
We get a mapping address: 0x826d8000 <-- This will be different for you.
Make a note of it on paper. Press "Alt+Tab" and open another MS-DOS prompt,
so that we have two MS-DOS prompts.
It's time to use Softice. Since this file is packed, Softice was not able to break
on the first instruction, so here is an old technique. Open the file "sruler.exe"
in your hex editor, go to offset 5E06 and replace the value "5D" with "CC"; save
and exit.
Now go into Softice (Ctrl+D), give the command "i3here on", close Softice and
run "sruler.exe". You will break into Softice:
xxxx:00411000 PUSHAD
xxxx:00411001 CALL 00411006
xxxx:00411006 INT 3
xxxx:00411007 SUB EBP,06                      <---- You will be here
xxxx:0041100A CMP BYTE PTR [EBP+000004E0],01
xxxx:00411011 JZ 00411209
In Softice say
r eip=411001
and press "F8". You will be at offset 00411006. We have to put back the
original value, i.e. "5D" (POP EBP), so type
a
pop ebp
Now go on tracing, pressing "F10", till you reach here:
xxxx:0041107E CALL 004114BE
xxxx:00411083 OR EAX,EAX
xxxx:00411085 JZ 0041126B
xxxx:0041108B MOV [EBP+00000505],EAX
xxxx:00411091 MOV ESI,[EBP+000004FD]
xxxx:00411097 ADD ESI,EBP
xxxx:00411099 LODSD                           <<- Load the virtual address into EAX
xxxx:0041109A OR EAX,EAX
xxxx:0041109C JZ 004110CD
xxxx:0041109E MOV EDI,EAX
xxxx:004110A0 ADD EDI,[EBP+0000052D]
xxxx:004110A6 LODSD                           <<- Size of packed data to read
xxxx:004110A7 MOV ECX,EAX
xxxx:004110A9 LODSD                           <<- Check if there is more to process
xxxx:004110AA OR EAX,EAX
xxxx:004110AC JZ 00411099
xxxx:004110AE PUSH ESI
xxxx:004110AF PUSH EDI
xxxx:004110B0 MOV ESI,EDI
xxxx:004110B2 MOV EDI,[EBP+00000505]
xxxx:004110B8 REPZ MOVSB                      <<- Move the data until CX=0
xxxx:004110BA POP EDI
xxxx:004110BB PUSH EDI
xxxx:004110BC PUSH DWORD PTR [EBP+00000505]
xxxx:004110C2 CALL 004112F0                   <<- This is the main routine, which we will
                                                  trace when EAX at offset 411099 is
                                                  equal to 0000E000, i.e. EAX=0000E000
xxxx:004110C7 ADD ESP,08
xxxx:004110CA POP ESI
xxxx:004110CB JMP 00411099                    <<- Jump again to unpack the remaining sections
I hope everything is very clear till here. Go on pressing "F10" in the loop
until we encounter EAX=0000E000 at offset 411099. It is at this moment that we
trace inside the call routine 004112F0.
Call 004112F0 brings us here:
xxxx:004112F0 PUSH EBP
xxxx:004112F1 MOV EBP,ESP
xxxx:004112F3 PUSHAD
xxxx:004112F4 PUSH EBP
xxxx:004112F5 MOV ESI,[EBP+08]
xxxx:004112F8 MOV EDI,[EBP+0C]
xxxx:004112FB CLD
...
...
xxxx:00411407 MOV EBP,EAX
xxxx:00411409 PUSH ESI
xxxx:0041140A MOV ESI,EDI
xxxx:0041140C SUB ESI,EAX
xxxx:0041140E REPZ MOVSB
xxxx:00411410 POP ESI
xxxx:00411411 JMP 00411304
xxxx:00411416 POP EBP                         <<- Press "F6", place the cursor here, press "F7"
It's difficult for me to understand, but I was able to pick out what I was
searching for. To reduce your time pressing "F10", just say
"U 00411416", then press "F6", position your cursor at offset
xxxx:00411416 and press "F7".
Now just say
m ds:0040e000 lB4C 826d8000
                   ^^^^^^^^ memory-mapped address that we got from softdump
Press "g" in Softice and let it run properly.
Now start quitting everything. Close "sruler.exe", press "Alt+Tab" to go back
to the MS-DOS prompt and press Enter; "sdump95.exe" will close and "idata.bin"
will be created.
Now copy the data from "idata.bin" into our "unpacked.exe" at offset "B200",
save it and exit. Wait, it still won't run: one final touch-up is still pending.
Start Procdump again, select Pe-Editor, load the file "unpacked.exe" and select
"directory". We have to change the import directory:
Directory Name      VirtAddr VirtSize
------------------- -------- --------
Import              000115F8 0000003C   <<- It's now time to change this.
Import              0000E000 00000B4C   <<- Change it as shown.
Exit Procdump and run "unpacked.exe".
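As an added example (not code from this tutorial, nor from Procdump or Dumppe), the Python below does in code what the Dumppe listing and the Pe-Editor step do by hand: it reads the data directories and the section table of a PE32 image, maps the .idata RVA 0000E000 to the raw offset 0000B200 the way the section table dictates, rewrites the Import directory entry to 0000E000 / 00000B4C, and then checks the result by walking the import descriptors and their thunk arrays up to the null terminator. The PE image it works on is constructed in memory with the tutorial's .idata numbers and two made-up DLL entries (KERNEL32.dll and USER32.dll); it is not sruler.exe or unpacked.exe, and the helper names are my own.

```python
# Added example (not from the tutorial, Procdump or Dumppe); the PE image below is constructed.
import struct

IMPORT_DIR, RESOURCE_DIR = 1, 2  # IMAGE_DIRECTORY_ENTRY_IMPORT / IMAGE_DIRECTORY_ENTRY_RESOURCE
IMPORT_DESC = '<IIIII'           # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
SECTION_HDR = '<8sIIIIIIHHI'     # IMAGE_SECTION_HEADER

def parse_pe(data):
    """Return the data directories and section table of a PE32 file image."""
    if data[:2] != b'MZ':
        raise ValueError('missing MZ header')
    pe_off = struct.unpack_from('<I', data, 0x3C)[0]                      # e_lfanew
    if data[pe_off:pe_off + 4] != b'PE\0\0':
        raise ValueError('missing PE signature')
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from('<HHIIIHH', data, pe_off + 4)
    opt = pe_off + 24                                                      # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from('<H', data, opt)[0] != 0x10B:
        raise ValueError('only PE32 images are handled here')
    ndirs = min(struct.unpack_from('<I', data, opt + 92)[0], 16)           # NumberOfRvaAndSizes
    dir_off = opt + 96                                                     # first IMAGE_DATA_DIRECTORY
    dirs = [struct.unpack_from('<II', data, dir_off + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsections):
        name, vsize, va, rsize, rptr, *_, chars = struct.unpack_from(SECTION_HDR, data, opt + opt_size + 40 * i)
        sections.append(dict(name=name.rstrip(b'\0').decode(), vsize=vsize, va=va, rsize=rsize, rptr=rptr, chars=chars))
    return dict(dir_off=dir_off, dirs=dirs, sections=sections)

def rva_to_offset(pe, rva):
    """Map an RVA to a raw file offset through the section table; None if it is not on disk."""
    for s in pe['sections']:
        if s['va'] <= rva < s['va'] + max(s['vsize'], s['rsize']):
            return s['rptr'] + rva - s['va'] if rva - s['va'] < s['rsize'] else None
    return None

def stamp_import_directory(data, rva, size):
    """Rewrite the Import data-directory entry, which is what the Procdump Pe-Editor step does."""
    out = bytearray(data)
    struct.pack_into('<II', out, parse_pe(data)['dir_off'] + 8 * IMPORT_DIR, rva, size)
    return bytes(out)

def walk_imports(data):
    """Follow the Import directory and return {dll: [function, ...]}; raises if it points nowhere."""
    pe = parse_pe(data)

    def off(rva):                                   # RVA -> file offset, or a clear error
        o = rva_to_offset(pe, rva)
        if o is None:
            raise ValueError('RVA %#x lies in no section of the file' % rva)
        return o

    def cstring(rva):
        o = off(rva)
        return data[o:data.index(b'\0', o)].decode('ascii')

    imports, desc = {}, off(pe['dirs'][IMPORT_DIR][0])
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from(IMPORT_DESC, data, desc)
        if name_rva == 0 and ft == 0:               # all-zero terminator descriptor
            break
        funcs, thunk = [], off(oft or ft)           # unbound INT if present, else the IAT
        while True:
            entry = struct.unpack_from('<I', data, thunk)[0]
            if entry == 0:
                break                               # bit 31 set = ordinal; else hint (2 bytes) + name
            funcs.append('#%d' % (entry & 0xFFFF) if entry & 0x80000000 else cstring(entry + 2))
            thunk += 4
        imports[cstring(name_rva)] = funcs
        desc += 20
    return imports

def build_sample_pe():
    """Constructed PE32 image with the tutorial's .idata numbers (RVA 0xE000, raw 0xB200, size 0xB4C)
    holding two import descriptors; the Import directory entry is left pointing at 0x115F8,
    outside every section, to mirror the state Procdump left unpacked.exe in."""
    img = bytearray(0xB200 + 0xB4C)
    img[0:2], img[0x80:0x84] = b'MZ', b'PE\0\0'
    struct.pack_into('<I', img, 0x3C, 0x80)                                  # e_lfanew
    struct.pack_into('<HHIIIHH', img, 0x84, 0x14C, 2, 0, 0, 0, 224, 0x102)  # COFF header
    opt = 0x98
    struct.pack_into('<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII', img, opt,            # IMAGE_OPTIONAL_HEADER32
                     0x10B, 6, 0, 0x200, 0x1000, 0, 0x1000, 0x1000, 0xE000, 0x400000, 0x1000,
                     0x200, 4, 0, 0, 0, 4, 0, 0, 0xF000, 0x400, 0, 2, 0, 0x100000, 0x1000,
                     0x100000, 0x1000, 0, 16)
    struct.pack_into('<II', img, opt + 96 + 8 * IMPORT_DIR, 0x115F8, 0x3C)
    struct.pack_into('<II', img, opt + 96 + 8 * RESOURCE_DIR, 0xC000, 0x1D40)
    struct.pack_into(SECTION_HDR, img, opt + 224, b'.text', 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    struct.pack_into(SECTION_HDR, img, opt + 264, b'.idata', 0x1000, 0xE000, 0xB4C, 0xB200, 0, 0, 0, 0, 0xC0000040)
    base, raw = 0xE000, 0xB200
    struct.pack_into(IMPORT_DESC, img, raw, base + 0x70, 0, 0, base + 0x40, base + 0x60)         # KERNEL32
    struct.pack_into(IMPORT_DESC, img, raw + 0x14, base + 0x90, 0, 0, base + 0x4D, base + 0x80)  # USER32
    img[raw + 0x40:raw + 0x4D], img[raw + 0x4D:raw + 0x58] = b'KERNEL32.dll\0', b'USER32.dll\0'
    for thunk, target in ((0x60, 0xA0), (0x70, 0xA0), (0x80, 0xB0), (0x90, 0xB0)):  # IAT and INT pairs
        struct.pack_into('<II', img, raw + thunk, base + target, 0)
    img[raw + 0xA0:raw + 0xAE] = b'\0\0ExitProcess\0'                         # IMAGE_IMPORT_BY_NAME
    img[raw + 0xB0:raw + 0xBE] = b'\0\0MessageBoxA\0'
    return bytes(img)

if __name__ == '__main__':
    broken = build_sample_pe()
    pe = parse_pe(broken)
    print('Import   %08X %08X  (.idata raw offset %X)' % (*pe['dirs'][IMPORT_DIR], rva_to_offset(pe, 0xE000)))
    print(walk_imports(stamp_import_directory(broken, 0xE000, 0xB4C)))
```

Walking the unstamped image raises an error, because RVA 000115F8 falls outside every section, so neither a tool nor the loader can find an import table there. After the stamp the walk lists each DLL with its imported functions, which is the check worth doing before running the file: if the descriptor chain does not end in a null entry, or a Name or thunk RVA leaves the .idata section, the bytes copied from idata.bin are wrong or sit at the wrong offset.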
Thanks to all crackers, whose powerful tutorials taught me 99% of what
I know. Well... I've also learned something by myself, I must say.
That's it.
ZenLoren
zenloren@hotmail.com
P.S. NOTE:
I have also encountered some situations in which Procdump is not able to
unpack files packed with the "PEPACK" packer. In that case you can try to
change the OPTL4 flag in the "script.ini" file from 2 to 3, as shown below,
and it then does the unpacking properly.
[PEPack]
L1=LOOK 61,FF,E0
L2=BP
L3=STEP
OPTL1=00000000
OPTL2=01000001
OPTL3=01010001
OPTL4=00020000 <<<<-- Try changing this to 00003000
OPTL5=00000000