Valek / Phrozen Crew - Cracking Tutor #01

Target : AceDiary v1.0
Target URL : http://www.soft1st.com
Tools : PEiD v0.8 or PE-Scan v3.13, CASPR v1.110, ASPackDie v1.4, Import Reconstructor v1.4.2+
Tools URL : http://protools.cjb.net


INTRODUCTION
Welcome to my first tutor for the Phrozen Crew. This is kind of an intermediate to advanced tutor since it covers unpacking and rebuilding import tables to enable you, the cracker, to successfully disassemble the target application.


IDENTIFICATION

Like with all other target programs, it is an advantage to know whether or not an application is packed with an encryption/protection scheme and if so, with which one. For this reason I recommend PEiD (PE iDentifier v0.8) coded by snaker & Qwerton, or PE-Scan v3.13 by Snyper.



I also recommend that if you use PEiD you turn the HARDCORE scanning option (option number 2) ON. The reason for this is that a lot of the more advanced packers/encryptors will try to fake identifiers by using other packers'/cryptors' identification strings, or will carry virtually no identification markings at all. Hardcore scanning limits those chances to almost none!



UNPACKING

I'm NOT going to explain MANUAL UNPACKING in detail since this tutor is aimed at the beginner/intermediate cracker level. Simply download and extract CASPR from the Unpacking Gods to a directory in your Windows path, i.e. "C:\Windows\System32" or something similar. There is a GUI for CASPR out there but I prefer just running it in the DOS command box. After you have extracted CASPR into a directory in your Windows path, drop into a DOS box prompt by clicking on START -> RUN -> "command.com". On NT/2K/XP systems, click START -> RUN -> "cmd". Now change directories to where you have installed AceDiary. Since the main executable is named "AceDiary.exe", simply type "CASPR AceDiary.exe" (without the quotation marks of course). CASPR will produce a file named "AceDiary.ex_" - leave this file for now.



Now extract and execute Yoda's ASPackDie v1.4 and select the main "AceDiary.exe" file. It will proceed to unpack this and save the unpacked version of the executable as "unpacked.exe".

Why BOTH these methods you ask? Let me explain:

1. CASPR is a GREAT unpacker since the file will be executable afterwards

2. Yoda has added a nice feature to his unpacker that adds specific EXE header information to the unpacked executable to make it W32Dasm disassembler friendly, whereas in the past W32Dasm did NOT want to disassemble the unpacked files.

3. In this specific case, the "unpacked.exe" file produced by Yoda's ASPackDie v1.4 unpacking tool will NOT run :< But don't worry, that's why the next part is important.

4. CASPR's unpacked version DOES run but is NOT W32Dasm friendly. We are going to use the CASPR unpacked version to repair the ASPackDie unpacked file so that the end result is a RUNNING and W32Dasm friendly unpacked file.


REBUILDING THE FILE
Now you should have the following new files:

1. AceDiary.ex_
2. Unpacked.exe

Extract Import Reconstructor but don't execute it quite yet. First, rename the "AceDiary.ex_" file to some other name with a proper .EXE file extension, i.e. "Ace.Exe". Now execute "Ace.Exe" and type in your diary password. You are now faced with the main AceDiary panel - quite a nice GUI I must say! Once AceDiary has finished loading, execute Import Reconstructor. Once this has finished loading too, click on the "Attach to an Active Process" drop-down list box and select "Ace.Exe". Click the IAT AUTOSEARCH button and you will be greeted with a "Found something" message box.


Click OK and then click on the GET IMPORTS button. Now click the FIX DUMP button and select the non-running "unpacked.exe" file - now wait... Import Reconstructor will show a message saying "***New Section Added successfully..." etc.

When Import Reconstructor has finished repairing the file it will save it as "unpacked_.exe". Now you can exit Import Reconstructor as well as AceDiary. The "unpacked_.exe" file will now execute perfectly fine and will also be W32Dasm friendly and disassemble correctly.

You can now proceed to delete the unnecessary files, i.e.

1. unpacked.exe (NOT the needed unpacked_.exe file)
2. Ace.Exe

They are no longer needed.
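Both the identification step above and the final check that the rebuilt file is whole (a real import directory, entry point back in the code section) can be scripted. The following is an added example, not code from this tutorial or from any of the tools it names: it uses only the Python standard library, assumes a 32-bit PE32 image, and runs against a constructed sample rather than the real AceDiary binary, where the packed-looking file has its entry point in a high-entropy non-code section and an empty import directory while the rebuilt one does not.

```python
import math, struct
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: packed or encrypted code sits near 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_triage(img: bytes) -> dict:
    """Read the PE32 headers and report the signals a packer identifier weighs."""
    pe = struct.unpack_from("<I", img, 0x3C)[0]                   # e_lfanew
    assert img[:2] == b"MZ" and img[pe:pe + 4] == b"PE\0\0", "not a PE image"
    nsec, opt_size = struct.unpack_from("<H12xH", img, pe + 6)    # NumberOfSections, SizeOfOptionalHeader
    opt = pe + 24                                                 # optional header start
    ep = struct.unpack_from("<I", img, opt + 16)[0]               # AddressOfEntryPoint
    imp_size = struct.unpack_from("<I", img, opt + 108)[0]        # import directory size (PE32 layout)
    sections, ep_sec, reasons = {}, None, []
    for i in range(nsec):
        name, vsize, va, rsize, raw = struct.unpack_from("<8sIIII", img, opt + opt_size + 40 * i)
        name = name.rstrip(b"\0").decode()
        sections[name] = round(entropy(img[raw:raw + rsize]), 2)
        if va <= ep < va + max(vsize, rsize):
            ep_sec = name
    if ep_sec not in (".text", "CODE"):           # packer stubs run from their own section
        reasons.append(f"entry point lies in section {ep_sec!r}")
    if sections.get(ep_sec, 0) > 7.0:             # compressed/encrypted bytes at the entry
        reasons.append(f"entry section has entropy {sections[ep_sec]}")
    if imp_size < 40:                             # one descriptor + null terminator = 40 bytes
        reasons.append("import directory missing or tiny: IAT not rebuilt")
    return {"entry_section": ep_sec, "sections": sections, "import_dir_size": imp_size,
            "looks_packed": bool(reasons), "reasons": reasons}

def build_sample(packed: bool) -> bytes:
    """Constructed minimal PE32 for testing; not a real binary and not AceDiary."""
    code, stub = bytes(0x200), bytes(range(256)) * 2              # entropy 0.0 vs 8.0
    secs = [(b".text", 0x1000, code), (b".aspack", 0x2000, stub)]
    ep, imp_size = (0x2000, 0) if packed else (0x1000, 40)
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                       # e_lfanew
    struct.pack_into("<4sHHIIIHH", hdr, 0x40, b"PE\0\0", 0x14C, len(secs), 0, 0, 0, 224, 0x102)
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                       # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, ep)
    struct.pack_into("<II", hdr, opt + 104, 0x3000 if imp_size else 0, imp_size)
    body, raw = b"", len(hdr)
    for i, (name, va, data) in enumerate(secs):
        struct.pack_into("<8sIIII", hdr, opt + 224 + 40 * i, name, len(data), va, len(data), raw)
        body, raw = body + data, raw + len(data)
    return bytes(hdr) + body
```

Run `pe_triage(open("unpacked_.exe", "rb").read())` on the rebuilt file; an empty `reasons` list is what a correctly fixed dump should give.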


DISASSEMBLING THE APPLICATION
Unless you like watching the unpacking and rebuilding process happen all over again, I recommend that you now copy and paste the "unpacked_.exe" file to make a backup of it, because it IS possible to mess up the file with the hex editor when you are not paying attention, and then you have to redo the whole process. I usually make a backup copy of the .EXE and rename it to "target.exe".

Execute W32Dasm, load the "unpacked_.exe" file into the disassembler and wait for it to finish disassembling it. It is also recommended that you save your "Project Files and Comments" just in case you have to reboot for some reason. This makes it possible for W32Dasm to "instantly" reload the executable.
You are now ready to crack this application. This tutor is NOT intended to teach you how to disassemble, trace and patch the application but rather to show you how to unpack and FIX a *broken* unpacked file in such a way that it is much easier for you to get a RUNNING executable that's W32Dasm friendly.


Enjoy!

Valek / Phrozen Crew
