Valek / Phrozen Crew - Cracking Tutor #04

Target : Blaze Media PRO 2002 Revision M
Target URL : http://www.mystikmedia.com
Tools : PEiD v0.8 or PE-Scan v3.13, ArmKiller v2.6 Beta 1, Import Reconstructor v1.4.2, HIEW
Tools URL : http://protools.cjb.net


INTRODUCTION
Welcome to my fourth tutor for the Phrozen Crew. This tutor focuses on the more advanced side of cracking and deals with unpacking this target and rebuilding the unpacked version.


IDENTIFICATION

As with all other target programs, it is an advantage to know whether or not an application is packed with an encryption/protection scheme and, if so, with which one. For this reason I recommend PEiD (PE iDentifier v0.8) coded by snaker & Qwerton, or PE-Scan v3.13 by Snyper.



I also recommend that if you use PEiD, you turn HARDCORE scanning option number 2 ON. The reason for this is that a lot of the more advanced packers/encryptors will try to fake identifiers by using other packers/cryptors' identification strings, or will carry virtually no identification markings at all. This will limit those chances to almost none!



By the way, it IS packed with the Armadillo SPS v2.53+, making it a very "tough" target for most crackers! So how will we go about cracking this application? Well, first install it into a directory of choice and extract the Armkiller.Exe and Arm.Dll files into the main application directory.


UNPACKING
Execute ArmKiller and select the main BMP.Exe executable.

Congratulations! - You have successfully cracked Blaze Media PRO! ArmKiller will do its work and you will be greeted with the following message "The FIRST dump (dump.exe) is read...".


Click the OK button and wait for the second message box to pop up saying "The SECOND dump (dump.exe) is ready. You can now rebuild...".



Do NOT click this OK button before we are totally finished rebuilding the mangled dump.exe!

Now run the Import Reconstructor and select the first BMP.Exe ProcessID you see...






Before you can continue to rebuild it, look in the BMP directory. You'll see that a small eip.bin file has been created. This little file contains the OEP (Original Entry Point) - this is the essential part to making the target run!




Please remember the following before you even *try* to use this OEP to rebuild the file: it IS the right OEP, in this case B4 14, but it's in REVERSE order. You need to fix this, so paste the corrected value, i.e. 14 B4, into the Import Reconstructor OEP box, then click the "IAT Autosearch" button and you'll get a "Found something!" message box.

 


 

Click the OK button and now click the "Get Imports" button to load the import table to be fixed. Click the "Fix Dump" button, select the DUMP.Exe file and wait for it to successfully save it to DUMP_.Exe. Now you can exit Import Reconstructor and click the OK button on the leftover ArmKiller message box to close it. All you need to do now is delete or rename the original BMP.Exe, delete the .bin file, delete the unnecessary DUMP.Exe and then rename the DUMP_.Exe file to BMP.Exe and you're all done!


Enjoy!

Valek / Phrozen Crew
