bedrock
September 27th, 2003, 07:44
I hope this little tool I wrote will be useful to some, probably not many though. This has mostly just been a learning exercise for me. I have read and learnt much information from this board, I have especially learnt much from the board's regulars such as squidge and nikolatesla20. This thread in particular was a great help:
http://www.woodmann.net/forum/showthread.php?t=4512 (wasn't sure if i could make it clicky back to board)
I am sharing source with my little tool to help others develop, I found it very difficult to find example sources for developing this little unpacker/dumper so hopefully this will be useful to others. My source isn't brilliant, but it seems to be functional (at least for me).
Now exe32pack isn't a particularly complex packer, but I have a couple of targets that use this packer so I thought I would write my tool for it. A brilliant tutorial by snyper helped in the initial stages, and allowed me to programmatically read OEP from within the packed file. Essentially all I have done is automate the manual unpacking process for this packer.
I use the Win32 debugging APIs to create a debugger loop, and then use the debug registers (DRx) to set a hardware breakpoint on execute at the OEP address. From here it's a simple ReadProcessMemory and dump the target to disk, a simple fix to correct EP and RA = VA in the header and there you go.
One thing I would like to do in the future of this tool is to remove the exe32pack section from the dump (this will make it significantly smaller), but doing this will mean that I need to fix up the IAT, or require external use of ImpREC. I still need to learn more about the IAT and first thunks etc...
Hope this is useful to someone...
Hmm, don't seem to be able to add as attachment, only 45k
I'll find some webspace and upload it and post link back here soon
edit: as attachments are now working on the board, and my bandwidth is steadily being consumed, I've added the file to this thread.
ps. Should've also mentioned I've only tested this on WinXP SP1, would imagine it would work on other NT based systems though
--
bedrock
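The header fix the post describes (correct the EP to the OEP, then set raw address = virtual address for every section so the memory dump loads as a file), as an added Python example that is not code from the post or its attached tool. The packed-looking PE32 header it builds is constructed for the demo; the section names, RVAs and the OEP value are placeholders, not values from any real exe32pack target.

```python
import struct
E_LFANEW = 0x3C    # DOS header: file offset of the "PE\0\0" signature
OPT_HDR = 24       # optional header follows the 4-byte signature + 20-byte COFF header
OPT_ENTRY = 16     # AddressOfEntryPoint within the optional header
SECT_SIZE = 40     # size of one IMAGE_SECTION_HEADER

def _locate(img: bytes) -> tuple:
    """Return (nt_offset, number_of_sections, section_table_offset)."""
    nt = struct.unpack_from("<I", img, E_LFANEW)[0]
    if img[:2] != b"MZ" or img[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", img, nt + 6)[0]         # NumberOfSections
    opt_size = struct.unpack_from("<H", img, nt + 20)[0]    # SizeOfOptionalHeader
    return nt, nsec, nt + OPT_HDR + opt_size

def fix_dump_headers(img: bytearray, oep_rva: int) -> bytearray:
    """Make a raw process dump loadable: EP := OEP and, per section,
    PointerToRawData := VirtualAddress, SizeOfRawData := VirtualSize."""
    nt, nsec, sec = _locate(img)
    struct.pack_into("<I", img, nt + OPT_HDR + OPT_ENTRY, oep_rva)
    for i in range(nsec):
        hdr = sec + i * SECT_SIZE
        vsize, va = struct.unpack_from("<II", img, hdr + 8)   # VirtualSize, VirtualAddress
        struct.pack_into("<II", img, hdr + 16, vsize, va)     # SizeOfRawData, PointerToRawData
    return img

def entry_point(img: bytes) -> int:
    return struct.unpack_from("<I", img, _locate(img)[0] + OPT_HDR + OPT_ENTRY)[0]

def section_layout(img: bytes, idx: int) -> tuple:
    """(VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) of section idx."""
    _, _, sec = _locate(img)
    return struct.unpack_from("<IIII", img, sec + idx * SECT_SIZE + 8)

def build_sample_image() -> bytearray:
    """Constructed PE32 header shaped like a packed file: EP in the packer stub."""
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, E_LFANEW, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # i386, 2 sections
    struct.pack_into("<H14xI", img, 0x40 + OPT_HDR, 0x10B, 0x5000)   # PE32 magic, EP in stub
    sec = 0x40 + OPT_HDR + 0xE0
    for i, (name, vsize, va, rsize, rptr) in enumerate(       # placeholder names and RVAs
            [(b".text", 0x3000, 0x1000, 0x200, 0x400), (b".stub", 0x1000, 0x5000, 0x800, 0x600)]):
        hdr = sec + i * SECT_SIZE
        img[hdr:hdr + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", img, hdr + 8, vsize, va, rsize, rptr)
    return img
```

On a real dump the buffer would be SizeOfImage bytes read from ImageBase with ReadProcessMemory; the packer's section is left in place here, which is exactly why the IAT needs no further fixing at this stage.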