Manual Unpacking For Newbies by ACiD BuRN
yo !!
today, i will explain u how to unpack manually. i take an app, freeware, packed with aspack or something, i don't care hehe !!
i will only show u how to get the string data references back in the app, so no import table, but i don't care, this is a newbies tutor. don't forget, with this you can patch the exe, so i think you will be happy :)
Tools needed :
- SoftICE 3.x or 4
- ProcDump 1.5 (used here for dumping and for its PE editor)
1st part : The loader!
u will use the loader of Sice to unpack, so run it (loader32.exe) and choose the exe u want to run!
for us, it is : Konix.exe.
ok, run it with the loader, but the prob is, this fucking app won't break in Sice :(
hehe, np, run ProcDump and use the PE editor!
Edit the CODE section of the exe.
(PE editor, choose the file, sections, click on CODE and right click, edit section)
ok, you see in section characteristics : C0000040
ok, change it to : E0000020
Don't nag me asking why, just trust me, this works all the time!
do it, that's all!
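The section characteristics edit above, decoded. This is an added example in Python, not part of the original tutorial and not a ProcDump feature; it uses the IMAGE_SCN_* flag values from the PE/COFF specification (the constants are the real ones, the helper names are mine). It shows what changing C0000040 to E0000020 does to the CODE section's flags and includes the writable-plus-executable check an analyst applies when triaging a binary for packing.

```python
# IMAGE_SCN_* section characteristic bits from the PE/COFF specification
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x10000000: "IMAGE_SCN_MEM_SHARED",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
KNOWN_MASK = sum(SECTION_FLAGS)
WRITE_EXEC = 0x20000000 | 0x80000000  # MEM_EXECUTE | MEM_WRITE


def decode_characteristics(value):
    """Return the names of the flags set in a section Characteristics dword."""
    names = [name for bit, name in sorted(SECTION_FLAGS.items()) if value & bit]
    leftover = value & ~KNOWN_MASK & 0xFFFFFFFF  # bits our table does not list
    if leftover:
        names.append(f"other:{leftover:#010x}")
    return names


def describe_change(old, new):
    """Return (flags cleared, flags set) when Characteristics goes from old to new."""
    return decode_characteristics(old & ~new), decode_characteristics(new & ~old)


def is_writable_executable(value):
    """A section that is both writable and executable is a common packer tell:
    the stub decompresses the real code into it and then jumps there."""
    return value & WRITE_EXEC == WRITE_EXEC


if __name__ == "__main__":
    before, after = 0xC0000040, 0xE0000020  # the tutorial's edit on the CODE section
    print("before:", decode_characteristics(before))
    print("after: ", decode_characteristics(after))
    cleared, added = describe_change(before, after)
    print("cleared:", cleared, "set:", added)
    print("writable+executable after edit:", is_writable_executable(after))
```

So the edit clears IMAGE_SCN_CNT_INITIALIZED_DATA and sets IMAGE_SCN_CNT_CODE and IMAGE_SCN_MEM_EXECUTE; the section stays readable and writable. A normal compiler-emitted .text section is 0x60000020 (code, execute, read), so the W+X check returns false for it and true for both the original CODE section after this edit and for typical packer stub sections.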
now, run the loader of Sice, run the app with it, and it will break in Sice :))
great, it worked hehe
2nd part : tracing and dumping the file from memory to the disk!
ok, so u just broke into Sice, u see invalid shit, but it doesn't matter. trace with F10 and u will arrive here :
XXXXXXXX PUSHAD <-- when u unpack, if you see this, :)
XXXXXXXX CALL 45A006
XXXXXXXX POP EBP
XXXXXXXX SUB EBP,43D93E
............
XXXXXXXX CALL 0045A051
XXXXXXXX CALL 0045A2B2
XXXXXXXX CALL 0045A350
............
XXXXXXXX POPAD <-- Good to see this too :)
XXXXXXXX JMP EAX <-- Stop tracing here, coz it jumps to the real prog
.......
Well.. when u unpack u see some POPAD and a JMP, look for one that jumps to a register like EAX, EDX, ECX...
but it is really often : EAX
ok, so when u are at the JMP EAX place, look at the value in EAX and write it down on a paper. for me it was : 43F0A0. You will use this soon, trust me !! heh
To know if you are at the right place, try F10 once and look if it jumps to the real entry point of the program.
For us it did, so it is ok !
NOW, exit Sice, re-run the exe with the Sice loader, and trace to the jump place.
NOW, type :
A {enter} <== this is to change the code at the current place
JMP EIP {enter} <== this makes an unlimited loop, like this we can dump the file without dumping shit
{escape}
F5
now the program is doing an infinite loop in memory and we can dump now !!!
ok, run ProcDump and you see in the main form the list of the current tasks, click on the one containing Konix.exe. Now right click and choose Full Dump. save the new exe with the name you want.
ex : Konixdumped.exe
now, click on it again, right click and do : kill task instead of dump, this will kill this task and end the program which is still doing the unlimited loop.
3rd part : fix the program entry point!
ok, look at the exe u just dumped, and you see the size is bigger than the packed one, great :)
but wait, if you run it, the prog will crash like a silly bastard :(
ok, u remember, u noted the OEP (original entry point) on a paper, the value you found in EAX. in this case, it was : 43F0A0
ok, run ProcDump's PE editor again and change the entry point to 0x0003F0A0. (OEP - the image base : 43F0A0-400000=3F0A0)
i said this number would help us !! hehe
now, close ProcDump, and run the unpacked / dumped executable.
IT WORKS !!!!!!!!!!!!!!!!!!!!
yea, we did it !! hehe
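The entry-point fix from the 3rd part, as an added example in Python (not from the tutorial and not ProcDump's code). It builds a small constructed PE32 header in memory with image base 0x400000, a CODE section and a packer stub section; the layout and sizes are made up for the demo and are not Konix.exe, although the stub is placed at RVA 0x5A000 so the tutorial's 0045Axxx addresses would land in it. It converts the OEP virtual address noted from EAX (43F0A0) into the RVA the header stores (3F0A0), checks that the RVA falls inside a section before writing it, and patches AddressOfEntryPoint the way the PE editor does by hand. All function names are mine.

```python
import struct

IMAGE_BASE = 0x400000        # preferred load address of the constructed image
OPT_ENTRY_POINT = 16         # AddressOfEntryPoint offset inside the optional header
OPT_IMAGE_BASE = 28          # ImageBase offset inside the PE32 optional header
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_pe(entry_rva, section_specs):
    """Construct a minimal PE32 header (DOS header, PE signature, COFF header,
    optional header, section table). Demo data only, not a loadable image."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, 0xE0, 0x0102)
    # Magic, linker versions, SizeOfCode, SizeOfInitializedData,
    # SizeOfUninitializedData, AddressOfEntryPoint, BaseOfCode, BaseOfData, ImageBase
    opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva,
                      0x1000, 0, IMAGE_BASE)
    opt += b"\x00" * (0xE0 - len(opt))  # rest of the optional header, zeroed
    table = b"".join(
        struct.pack(SECTION_FMT, name.ljust(8, b"\x00"), vsize, va, vsize,
                    0, 0, 0, 0, 0, chars)
        for name, va, vsize, chars in section_specs)
    return bytearray(dos + b"PE\x00\x00" + coff + opt + table)


def pe_header_offset(img):
    """Locate the PE signature through e_lfanew, validating both signatures."""
    if img[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", img, 0x3C)[0]
    if img[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    return pe


def optional_header_offset(img):
    return pe_header_offset(img) + 4 + 20  # signature + COFF header


def get_image_base(img):
    return struct.unpack_from("<I", img, optional_header_offset(img) + OPT_IMAGE_BASE)[0]


def get_entry_point(img):
    return struct.unpack_from("<I", img, optional_header_offset(img) + OPT_ENTRY_POINT)[0]


def sections(img):
    """Return (name, VirtualAddress, VirtualSize, Characteristics) per section."""
    pe = pe_header_offset(img)
    count = struct.unpack_from("<H", img, pe + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", img, pe + 20)[0]   # SizeOfOptionalHeader
    first = pe + 24 + opt_size
    result = []
    for i in range(count):
        fields = struct.unpack_from(SECTION_FMT, img, first + 40 * i)
        name, vsize, va, chars = fields[0], fields[1], fields[2], fields[9]
        result.append((name.rstrip(b"\x00").decode("ascii"), va, vsize, chars))
    return result


def oep_to_rva(oep_va, image_base):
    """EAX at 'JMP EAX' holds a virtual address; the header wants an RVA."""
    if oep_va < image_base:
        raise ValueError("OEP lies below the image base")
    return oep_va - image_base


def section_containing(img, rva):
    for name, va, vsize, _ in sections(img):
        if va <= rva < va + vsize:
            return name
    return None


def fix_entry_point(img, oep_va):
    """Write the OEP into AddressOfEntryPoint, refusing an RVA outside all sections."""
    rva = oep_to_rva(oep_va, get_image_base(img))
    name = section_containing(img, rva)
    if name is None:
        raise ValueError(f"RVA {rva:#x} is not inside any section; wrong OEP?")
    struct.pack_into("<I", img, optional_header_offset(img) + OPT_ENTRY_POINT, rva)
    return rva, name


if __name__ == "__main__":
    # Constructed layout: CODE at RVA 0x1000, packer stub at RVA 0x5A000 (made-up sizes)
    img = build_sample_pe(0x5A000, [
        (b"CODE", 0x1000, 0x59000, 0xC0000040),
        (b".aspack", 0x5A000, 0x2000, 0xE0000020),
    ])
    print(f"entry point before: {get_entry_point(img):#x}")
    rva, sec = fix_entry_point(img, 0x43F0A0)
    print(f"entry point after:  {rva:#x} (inside section {sec})")
```

The section check is the cheap sanity test worth doing before running a dump: a value copied from the wrong register or read before the packer finished can land outside every section, and the header tells you that immediately instead of the crash the tutorial describes.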
Now Wdasm it and you will have string data references :)
u can patch it now !! heh!!
Well, this tut is finished, hope u understand all this piece of text, but if you have a comment or a question, mail me at :
ACiD_BuRN@nema.com or acid2600@caramail.com.
have fun and happy cracking !
greets to my groups : ECLiPSE / PWA / CiA / oDDiTY
also greetingz to:
R!SC, ^Inferno^, AB4DS, Cyber Blade, Klefz, Volatility, Torn@do, T4D,
Jeff, [Virus], JaNe, Appbusta, Duelist, tKC, BuLLeT, Lucifer48,
MiZ, DnNuke, Bjanes, Skymarshall, afkayas, elmopio, SiFLyiNG,
Fire Worx, Crackz, neural_en ...
Sorry if you are not here, too many people to greetz !!