Tutorial Number 33

Written by Eternal Bliss
Email: Eternal_Bliss@hotmail.com
Website: http://crackmes.cjb.net
         http://surf.to/crackmes
Date written: 26th February 2000

Program Details:
Name: Notepad.exe packed with PECompact 1.24.1

Tools Used:
ProcDump
Softice
Symbol Loader

Cracking Method:
Unpacking

Viewing Method:
Use Notepad with Word Wrap switched on
Screen Area set to 800 X 600 pixels (Optional)

__________________________________________________________________________


                        About this protection system

Notepad.exe packed with PECompact 1.24.1 
(option: maximum compression, JCALG1 library)
Aim: Unpacking it manually

_________________________________________________________________________


                        About this tutorial

This tutorial will show you how to unpack programs packed using PECompact 1.24.1.
The target program is notepad.exe, which is available on most computers.
As I am still not very good at explaining certain aspects of unpacking, I
can only try my best to show you the simple method. The import table and
related matters are not dealt with here. This unpacking method will let you
run the program and patch it.
For more advanced methods, you will have to read other tutorials.

_________________________________________________________________________


                        Finding program's Entry Point

Open the packed notepad.exe with Symbol Loader.

Click the 2nd icon on Symbol Loader, which says
"Load the currently open module".

You will get an error message asking whether you want to load the executable
anyway. Click on "Yes".

If Softice is loaded, it should break on the entry point of the program.

I have pasted the following code listing and have commented on it.


************************* What you see in SICE *************************

**You will be here when Softice breaks. Keep pressing F10 to trace through
  the code.

0040AC44  FFFF                INVALID
0040AC4C  9C                  PUSHFD
0040AC4D  60                  PUSHAD
0040AC4E  E802000000          CALL      0040AC55
**If you step over this CALL using F10, the program will run. 
  Thus, reload the program and step into this CALL using F8 next time.

While tracing, you will experience lots of conditional jumps and
unconditional jumps. There are lots of loops which you will need to bypass
unless you want to trace through them over and over again.

For example:
*************************************
aaaaaaaa
...
wwwwwwww
xxxxxxxx JNZ zzzzzzzz
yyyyyyyy JMP aaaaaaaa		<-- Loop back to aaaaaaaa
zzzzzzzz New Instructions

If you keep tracing, you will jump back to aaaaaaaa a lot of times.
To save time, bpx on zzzzzzzz and then press F5 to go back to Windows
and let the program run until zzzzzzzz is reached, thus bypassing the need
to trace through the loop again and again.
*************************************

Finally, you will come across this section.

0040CA83  8BBD2E744000        MOV       EDI,[EBP+0040742E]
0040CA89  E85E040000          CALL      0040CEEC
0040CA8E  61                  POPAD
0040CA8F  9D                  POPFD
0040CA90  50                  PUSH      EAX
0040CA91  68CC104000          PUSH      004010CC
0040CA96  C20400              RET       0004

When I started to learn unpacking, whenever I came across POPAD or POPFD,
I became more alert. Like the previous 2 tutorials, 004010CC appears again
for notepad.exe. This is the original entry point of the packed notepad.exe.

So, at the RET at 0040CA96, type:
a eip (and press Enter)
jmp eip (and press Enter)
F5

This will change the code at 0040CA96. You will notice that after typing
in "jmp eip" and pressing Enter, the instruction at 0040CA96 is now a JMP.
This will effectively make the program "pause". Pressing F5 allows you to
return to Windows, and you can dump the unpacked program onto your HD.

Using ProcDump, right click on the first list and choose "Refresh list".
Look for the packed notepad.exe and right click on it.
Choose "Dump (Full)" and save it.
Right click on it again and choose "Kill Task".

_________________________________________________________________________


                        Changing Entry Point

If you remember, the entry point of the unpacked notepad.exe is 004010CC.
Using the PE Editor function of ProcDump again, open the unpacked notepad.exe.

Under "Header Infos", you will see that the entry point is 0000AC44, which
is wrong (it is still the packer stub: 00400000 + 0000AC44 = 0040AC44, where
Softice first broke). Refer to my tutorial 31 on how to change the entry
point to 004010CC.
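The two header operations in this section and the previous one (reading the dump's entry point, which still says 0000AC44, and replacing it with the original entry point 004010CC recovered from the PUSH 004010CC / RET 0004 tail) can also be done without the PE Editor GUI. The script below is an added example and is not part of this tutorial, of ProcDump or of PECompact. It locates the optional header, converts the VA 004010CC to the RVA 000010CC by subtracting ImageBase (00400000 here), and scans the dump for the byte sequence 61 9D 50 68 xx xx xx xx C2 04 00 taken from the listing above. The script name fix_oep.py, the build_sample_dump() stand-in for a real dump and the scan heuristic are assumptions made for this example; the byte pattern matches the stub version shown here and should be re-checked against the listing for any other packer version.

```python
from __future__ import annotations
import struct
import sys

# Bytes of the packer stub's tail as listed in the tutorial:
#   61        POPAD
#   9D        POPFD
#   50        PUSH EAX
#   68 imm32  PUSH <original entry point>
#   C2 04 00  RET 0004
# Scanning a dump for this sequence is a heuristic for this stub version only.
STUB_TAIL_PREFIX = b"\x61\x9d\x50\x68"
RET_4 = b"\xc2\x04\x00"


def _optional_header_offset(data: bytes) -> int:
    """Locate IMAGE_OPTIONAL_HEADER: e_lfanew + 4-byte 'PE\\0\\0' + 20-byte COFF header."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ signature)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE\\0\\0 signature")
    return e_lfanew + 24


def read_entry_point(data: bytes) -> tuple[int, int]:
    """Return (ImageBase, AddressOfEntryPoint RVA) for a PE32 or PE32+ image."""
    opt = _optional_header_offset(data)
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    if magic == 0x10B:                                   # PE32
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:                                 # PE32+
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return image_base, entry_rva


def find_oep_candidates(data: bytes) -> list[int]:
    """Return every VA pushed by a POPAD/POPFD/PUSH EAX/PUSH imm32/RET 4 tail in data."""
    candidates = []
    pos = data.find(STUB_TAIL_PREFIX)
    while pos != -1:
        imm = pos + len(STUB_TAIL_PREFIX)
        if data[imm + 4:imm + 7] == RET_4:
            (va,) = struct.unpack_from("<I", data, imm)
            candidates.append(va)
        pos = data.find(STUB_TAIL_PREFIX, pos + 1)
    return candidates


def set_entry_point(data: bytes, oep_va: int) -> bytes:
    """Return a copy of data whose AddressOfEntryPoint is oep_va converted to an RVA."""
    image_base, _ = read_entry_point(data)
    if oep_va < image_base:
        raise ValueError(f"OEP {oep_va:#x} lies below ImageBase {image_base:#x}")
    patched = bytearray(data)
    struct.pack_into("<I", patched, _optional_header_offset(data) + 16, oep_va - image_base)
    return bytes(patched)


def build_sample_dump(image_base: int = 0x400000, stub_entry_rva: int = 0xAC44,
                      oep_va: int = 0x4010CC) -> bytes:
    """Constructed stand-in for a ProcDump output (an assumption for this example):
    a minimal PE32 header whose entry point still points at the packer stub, filler,
    and the stub tail from the listing. It is not a runnable executable."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)   # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 16, stub_entry_rva)
    struct.pack_into("<I", opt, 28, image_base)
    tail = STUB_TAIL_PREFIX + struct.pack("<I", oep_va) + RET_4
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + b"\x90" * 32 + tail


def main(argv: list[str]) -> int:
    """Usage: fix_oep.py <dump.exe> <fixed.exe> [OEP-VA in hex]; without a VA, scan for one."""
    if len(argv) not in (3, 4):
        print(main.__doc__)
        return 2
    data = open(argv[1], "rb").read()
    base, rva = read_entry_point(data)
    print(f"ImageBase {base:#010x}, current entry point RVA {rva:#010x} (VA {base + rva:#010x})")
    if len(argv) == 4:
        oep = int(argv[3], 16)
    else:
        found = find_oep_candidates(data)
        if len(found) != 1:
            print(f"expected exactly one stub tail, found {[hex(v) for v in found]}")
            return 1
        oep = found[0]
    open(argv[2], "wb").write(set_entry_point(data, oep))
    print(f"wrote {argv[2]} with entry point VA {oep:#010x} (RVA {oep - base:#010x})")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python fix_oep.py dumped.exe fixed.exe 4010CC` to apply the entry point you found by tracing, or leave the VA off to let the scan recover it from the dumped stub. The scan refuses to guess when it finds zero or several matching tails, so a different packer version, which will have a different tail, falls back to the manual value rather than silently patching the wrong address.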

Now, run the unpacked notepad.exe.
It should run. 8)

__________________________________________________________________________


                             Final Notes

This tutorial is dedicated to all the newbies like me.

My thanks and gratitude go to:-

MiZ, from whom I learnt the basics of unpacking.

All the writers of Cracks tutorials and CrackMes
and also to all the crackers that have been supporting my site and project forum.