_       _          _          _             _           _         _
      / \_____/ \______  / \____    / \___________/ \         / \_______/ \____
      \       \        \ \      \_  \       \        \        \         \      \
 _____/   .    \   .    \/   /\   \ /   .    \   .    \________\   .     \     /_ _____
 |   /    /_   /   /_   /_  /  \   \    /_   /   \_   /_       /  /       \   _/ \_   |
 |  /    /  \_/ \    \_/  \ \__/    \  /  \_/ \    \_/  \     /  /        /        \  |
 |__\    \      /          \ /      /  \      /  .       \___/   \_      /         /__|
     \         /     /     / \     /         /    \      /   \     \____/         /
      \____   /\____/     /___\__  \\____   /\____/\    /     \______/  \_____   /
           \_/      \____/       \_/     \_/        \__/                      \_/

              - t h e   h o m e   o f   p o l i s h   c r a c k e r s -

                                  proudly presents:

 `~*¤§[ a tutorial:Exepackers - how to defeat'em  #2............................]§¤*~`
 `~*¤§[ written by:Gustaw Kit...................................................]§¤*~`
 `~*¤§[ date:24 November 1998...................................................]§¤*~`
 `~*¤§[ translator:Zomo.........................................................]§¤*~`

In issue #1 of this tutorial I introduced a way of unpacking exe files using ProcDump.
It turns out that this program can also be used to crack commercial protections such as TimeLock or Vbox4
by PreviewSoftware. This type of protection is fairly easy to reverse. As an example we will take
the program Ulead Cool3D v2.0 (it uses Vbox4).
 
If we load the program U3dedit2.exe into a debugger (SoftIce), the following code appears:

 014F:004F1000  PUSH    DWORD PTR [ESP+0C]
 014F:004F1004  PUSH    DWORD PTR [ESP+0C]
 014F:004F1008  PUSH    DWORD PTR [ESP+0C]
 014F:004F100C  PUSH    55E239F5  -----> prepare address
 014F:004F1011  PUSH    55AD2D76  -----> of packed data
 014F:004F1016  PUSH    55E23DA9
 014F:004F101B  PUSH    55E23D53
 014F:004F1020  CALL    [004F11F0] ----> run vbox4
 014F:004F1026  PUSH    FFFFFFFF
 014F:004F102B  CALL    EAX       -----> run programme
 014F:004F102D  RET     000C    
 
The CALL [004F11F0] calls a procedure (PreviewExecGate..) from the vbox4 DLLs, which
decodes the first part of the program and returns in EAX a new EntryPoint (F0000 on my computer)
into the decoded data. Stepping further into the program, into the CALL EAX (press F8), we reach a new fragment
of code:

 014F:004F0000  PUSH    DWORD PTR [ESP+0C]
 014F:004F0004  PUSH    DWORD PTR [ESP+0C]
 014F:004F0008  PUSH    DWORD PTR [ESP+0C]
 014F:004F000C  PUSH    B6A4DD7F
 014F:004F0011  PUSH    BBC60E1F
 014F:004F0016  PUSH    6D171A8C
 014F:004F001B  PUSH    415F4B5A
 014F:004F0020  CALL    [004F01D4] ---> next vbox4 function
 014F:004F0026  PUSH    FFFFFFFF
 014F:004F002B  CALL    EAX
 014F:004F002D  RET     000C 

As we can see, the code is analogous to the preceding one. CALL [4F01D4] invokes a vbox4 function
which runs the procedures that check the trial conditions and, if everything is ok,
decodes the rest of the program and returns in EAX the address of the real program (this time Cool3D). If the trial check
fails, EAX instead holds the address of the ExitProcess function, which ends execution of the program. If we trace further
into our code (into the CALL EAX with F8), we land in our main program at address 6CF20. This address
is worth writing down or remembering, because it is simply the correct EntryPoint of the main program, which is already the full
version without vbox4.


Ok.., we know everything we need. The solution to the vbox4 problem is to copy the unpacked program
from memory and save it into an exe file. Maybe someone would prefer to attempt this with SoftIce and
SoftDump (look at fravia.org). That demands good knowledge of the PE-EXE structure and
is hard; describing it is not my goal. There is an easier solution, because we know the splendid
program ProcDump, which makes it possible to write processes from memory to a file
while preserving the whole exe file structure.

As I already described in the preceding part, ProcDump has a script file, script.ini, which holds
instructions on how to debug the programs being decoded. In the latest version, ProcDump32 1.1.6,
a ready-made section for Vbox should already be present:

 [VBOX Dialog]
 L1=LOOK FF,D0
 ; find first call eax
 L2=BP
 ; breakpoint on found address
 L3=BPREG EAX
 ; sets a breakpoint on the address in register EAX
 ; which, as we know, is the address of the next part of the code
 L4=OBJR
 ; sets the current search address to EIP
 L5=LOOK FF,D0
 ; find second call eax
 L6=BP
 ; then breakpoint it
 L7=STEP
 ; and save decoded programme

The correct setup of the loading and file-reconstruction options is important. Because
a program packed with vbox4 also has packed sections and data tables, we must
tick the reconstruction option Create New Import. In case of problems we also switch on the option
Ignore Faults in the Trace section.
 
After successful unpacking of the file we can also remove the WeiJunLi sections from the structure
of the new file (PE Editor options). Out of curiosity, look at the new file's EntryPoint - 6CF20.
Ok.., correct.
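To make the two mechanical steps concrete (the byte search behind LOOK FF,D0 in the script above, and the EntryPoint check in the PE Editor), here is an added example in Python. It is not part of the tutorial and not ProcDump's code: it scans the hand-assembled Vbox4 stub from the first listing for CALL EAX, then reads and rewrites AddressOfEntryPoint in a constructed minimal PE header. The image base 400000, the byte encoding of the stub and the header itself are assumptions (a constructed header, not the Cool3D file).

```python
import struct

IMAGE_BASE = 0x400000   # assumed: the usual Win32 EXE base; the listing's 4Fxxxx addresses fit it

# The Vbox4 loader stub from the first listing, hand-assembled by me
# (FF 74 24 0C = PUSH DWORD PTR [ESP+0C]; 68 imm32 = PUSH imm32;
#  FF 15 m32 = CALL [m32]; FF D0 = CALL EAX; C2 0C 00 = RET 000C).
STUB = bytes.fromhex(
    "FF74240C" "FF74240C" "FF74240C"
    "68F539E255" "68762DAD55" "68A93DE255" "68533DE255"
    "FF15F0114F00"
    "68FFFFFFFF"
    "FFD0"
    "C20C00"
)
STUB_VA = 0x4F1000      # address of the stub in the listing


def find_call_eax(code, base_va):
    """Every FF D0 pair as (offset, VA), i.e. what ProcDump's LOOK FF,D0 finds.
    Raw byte matching is not instruction-aware: the same two bytes inside an
    immediate or a displacement would match too, so confirm hits in SoftIce."""
    hits = []
    off = code.find(b"\xff\xd0")
    while off != -1:
        hits.append((off, base_va + off))
        off = code.find(b"\xff\xd0", off + 1)
    return hits


def build_sample_pe(entry_rva):
    """Constructed minimal PE32 header (MZ header, PE signature, COFF header,
    optional header, no sections). Enough for header tools; not loadable."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew -> PE header
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, IMAGE_BASE)            # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)        # SectionAlignment, FileAlignment
    return bytes(dos) + coff + bytes(opt)


def _optional_header_offset(pe):
    """File offset of the optional header, after checking the MZ/PE/PE32 magics."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt = e_lfanew + 24                                    # 4-byte signature + 20-byte COFF header
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("not a PE32 image")
    return opt


def get_entry_point(pe):
    """(RVA, VA) of the entry point, as ProcDump's PE Editor shows it."""
    opt = _optional_header_offset(pe)
    rva, = struct.unpack_from("<I", pe, opt + 16)
    base, = struct.unpack_from("<I", pe, opt + 28)
    return rva, base + rva


def set_entry_point(pe, rva):
    """Copy of the image with AddressOfEntryPoint rewritten: the fix-up a dump
    needs so the file starts at the real program, not at the Vbox4 stub."""
    out = bytearray(pe)
    struct.pack_into("<I", out, _optional_header_offset(out) + 16, rva)
    return bytes(out)


def unpack_demo():
    """The tutorial's steps in order: locate CALL EAX, then repair the EntryPoint."""
    calls = find_call_eax(STUB, STUB_VA)
    dumped = build_sample_pe(0xF1000)          # a dump whose header still names the stub
    fixed = set_entry_point(dumped, 0x6CF20)   # the real Cool3D EntryPoint from the text
    return calls, get_entry_point(dumped), get_entry_point(fixed)


if __name__ == "__main__":
    calls, before, after = unpack_demo()
    print("CALL EAX at:", ", ".join("%08X" % va for _, va in calls))
    print("EntryPoint before: RVA %X (VA %X)" % before)
    print("EntryPoint after:  RVA %X (VA %X)" % after)
```

The search finds the single CALL EAX at 4F102B, exactly where the listing shows it; a real section may contain FF D0 inside operands as well, which is why the script breakpoints the hit and lets the debugger confirm it rather than trusting the bytes alone. Under the assumed base, an EntryPoint of 6CF20 in the PE Editor is the RVA, so the program actually starts at VA 46CF20.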

IMO, ProcDump is worth interest and some practice.
We can always find software that is compressed with a not-well-known type of compressor, and then
we will handle it. Those who do not know ProcDump should download it from
http://www.suddendischarge.com/ in section NonDOs, or from
http://pub.vse.cz/pub/msdos/SAC/pc/pack/.


     
                                                   /      \ /      \ /      \ /      \
 _________________________________________________/   .   //   /   //   /   //   /   /
 |                                                \__/   /_\__    /_\__    /_\__    /|
 |[CP!]: http://crackpllist.cjb.net                /    //    /  //    /  //    /  / |
 |________________________________________________/    //    /  //    /  //    /  /__|
                                                  \___/ \_______\\_______\\_______\