_       _          _          _             _           _         _
      / \_____/ \______  / \____    / \___________/ \         / \_______/ \____
      \       \        \ \      \_  \       \        \        \         \      \
 _____/   .    \   .    \/   /\   \ /   .    \   .    \________\   .     \     /_ _____
 |   /    /_   /   /_   /_  /  \   \    /_   /   \_   /_       /  /       \   _/ \_   |
 |  /    /  \_/ \    \_/  \ \__/    \  /  \_/ \    \_/  \     /  /        /        \  |
 |__\    \      /          \ /      /  \      /  .       \___/   \_      /         /__|
     \         /     /     / \     /         /    \      /   \     \____/         /
      \____   /\____/     /___\__  \\____   /\____/\    /     \______/  \_____   /
           \_/      \____/       \_/     \_/        \__/                      \_/

              - t h e   h o m e   o f   p o l i s h   c r a c k e r s -

                                  proudly presents:

 `~*¤§[ a tutorial:Exepackers - how to defeat'em  #1............................]§¤*~`
 `~*¤§[ written by:Gustaw Kit...................................................]§¤*~`
 `~*¤§[ date:16 November 1998...................................................]§¤*~`
 `~*¤§[ translator:Zomo.........................................................]§¤*~`

How to unpack programs packed with a not-so-well-known exe packer under Windows.

Compression of exe files can be really hard for beginners; it may prevent them from reversing the program.
I recently received a question on this topic, so I've decided to start a series of texts about it.
At the beginning come the things we talked about on the list (transl.: the CrackPL list is a Polish list about reverse engineering).
I came to the conclusion that I might write some advice on how to make such files easier to crack.
Today's target is WinAmp 2.00 and we will use ProcDump 1.0 beta.
Obviously, every executable file that is compressed or even encrypted can always be decompressed (decrypted),
because this happens in memory when the program starts. Often a compressed program contains
anti-debug tricks, and especially anti-SoftICE ones. The problem of tricks is not the most important thing at this time (maybe in the next tut).
So, at the beginning you should always look at the starting code of the program (where the entry point jumps).
For Win32 programs such code looks similar and calls several standard API functions.
For example, Win95's NotePad has this entry point:

014F:00401000  55                  PUSH    EBP            --> Entry Point
014F:00401001  8BEC                MOV     EBP,ESP
014F:00401003  83EC44              SUB     ESP,44
014F:00401006  56                  PUSH    ESI
014F:00401007  FF1548734000        CALL    [KERNEL32!GetCommandLineA]
014F:0040100D  8BF0                MOV     ESI,EAX
014F:0040100F  8A00                MOV     AL,[EAX]
................cut...............
014F:0040104C  50                  PUSH    EAX
014F:0040104D  FF1558734000        CALL    [KERNEL32!GetStartupInfoA]
................cut ..............
014F:00401064  6A00                PUSH    00
014F:00401066  6A00                PUSH    00
014F:00401068  FF155C734000        CALL    [KERNEL32!GetModuleHandleA]
014F:0040106E  50                  PUSH    EAX
014F:0040106F  E87B0E0000          CALL    00401EEF         -->Start of programme
014F:00401074  50                  PUSH    EAX
014F:00401075  8BF0                MOV     ESI,EAX
014F:00401077  FF1554734000        CALL    [KERNEL32!ExitProcess] -->The End.

For most software this looks similar. But when a program is compressed or encrypted,
a decode (decompress) function sits at the entry point instead.
It looks like this:
Start of program
Decompress function to an address in memory
Check whether all is OK
Jump (jmp) to the address in memory where our main program is.
In such a case one has to find the address in memory where the decompressed code is located
and the moment of the jump to it. I will not describe how to look for this, because decompression
code is as a rule short and can be traced with SoftICE or another debugger.
Let's look then at the starting code of WinAmp 2.0.

:u 4d1000 l f
014F:004D1000  669C                PUSHF
014F:004D1002  60                  PUSHAD
014F:004D1003  E8CA000000          CALL    004D10D2       ---> decompress function 
014F:004D1008  0300                ADD     EAX,[EAX]
014F:004D100A  0400                ADD     AL,00
014F:004D100C  0500060007          ADD     EAX,07000600

:u eip l 8f
014F:004D10D2  58                  POP     EAX
014F:004D10D3  2C08                SUB     AL,08
014F:004D10D5  50                  PUSH    EAX
................cut...............
014F:004D1108  50                  PUSH    EAX
014F:004D1109  800424BF            ADD     BYTE PTR [ESP],BF
014F:004D110D  833A00              CMP     DWORD PTR [EDX],00
014F:004D1110  0F84A7140000        JZ      004D25BD      ---> the end of decompression
014F:004D1116  F70200000080        TEST    DWORD PTR [EDX],80000000
014F:004D111C  741B                JZ      004D1139
................cut...............

014F:004D25BD  8B6C2418            MOV     EBP,[ESP+18]
014F:004D25C1  8BFD                MOV     EDI,EBP
014F:004D25C3  81EF00004000        SUB     EDI,00400000
014F:004D25C9  85FF                TEST    EDI,EDI
014F:004D25CB  7443                JZ      004D2610   --> some checks
................cut...............

:u eip l 2f
014F:004D2617  81C62A160000        ADD     ESI,0000162A
014F:004D261D  6A05                PUSH    05
014F:004D261F  59                  POP     ECX
014F:004D2620  F3A4                REPZ MOVSB
014F:004D2622  61                  POPAD
014F:004D2623  669D                POPF
014F:004D2625  E94653F5FF          JMP     00427970   --> jump to main programme
014F:004D262A  E96B69F5FF          JMP     00428F9A

From this I recognized that in this place there is a jump to the main program, because right after it
the standard code with the API functions begins. If at the start we display the contents of memory
(d cs:00427970 in SoftICE, of course), then while stepping we'll see that the decompress function
writes all its stuff there. The most important thing for us is JMP 00427970, after which the
already decompressed code executes; how we get there doesn't matter, even by trial
and error.
Now we will use ProcDump to decompress. Among other things it allows decompressing packed exes
(which does not always work) and defining a script to decompress even new or unknown packers.
There is a file skript.ini in which we define everything. Shrinker,
PESHIELD and WWPACK are already defined there. The program uses several commands for such a definition; check them yourself.
We'll add a new section, i.e. WinAmp.

[INDEX]
P1=PEShield
......
P7=WinAmp
[WinAmp]
L1=LOOK E9,46,53,F5,FF
L2=BP
L3=STEP

This means: look (the LOOK command) for the bytes of our jump JMP 00427970 (E9,46,53,F5,FF is the same thing
in hex), after finding them set a breakpoint there (BP), and at the end step through (STEP) and
save the decrypted file to disk.
Pretty easy, isn't it? :).
Run ProcDump, choose Trace with our type WinAmp, open the file WinAmp.exe and the program beautifully
decompresses itself. And what's most important, it works after this process.
IMO, ProcDump is worth your interest and some practice, e.g. just on WinAmp.
We can always find software that's compressed with a not-so-well-known type of compressor, and then
we will handle it. Those who don't know ProcDump should download it from
http://www.suddendischarge.com/ in the NonDOS section, or from
http://pub.vse.cz/pub/msdos/SAC/pc/pack/.
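As an added example (not from the tutorial and not ProcDump's own code), here is a small Python script that parses a script section in the skript.ini layout above, pulls out the LOOK bytes, and decodes the E9 rel32 jump they encode the way the text does by hand: the destination is the address of the next instruction plus the signed 32-bit displacement, which is why JMP 00427970 at 004D2625 is E9,46,53,F5,FF. The script text and the memory image are constructed from the listing.

```python
import re
import struct
# Constructed script in the skript.ini layout shown in the tutorial (not ProcDump's own file)
SCRIPT = """\
[INDEX]
P1=WinAmp
[WinAmp]
L1=LOOK E9,46,53,F5,FF
L2=BP
L3=STEP
"""

def parse_script(text):
    """Map each [section] to its (key, value) pairs in file order."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        head = re.fullmatch(r"\[(.+)\]", line)
        if head:
            current = head.group(1)
            sections[current] = []
        else:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections

def look_pattern(section):
    """Bytes named by the section's LOOK command (comma-separated hex)."""
    for _, value in section:
        cmd, _, arg = value.partition(" ")
        if cmd.upper() == "LOOK":
            return bytes(int(b, 16) for b in arg.split(","))
    raise ValueError("section has no LOOK command")

def jmp_rel32_target(addr, insn):
    """Where an E9 rel32 jump at addr lands: rel32 is signed, counted from the next instruction."""
    if len(insn) != 5 or insn[0] != 0xE9:
        raise ValueError("not a 5-byte E9 jump")
    return (addr + 5 + struct.unpack("<i", insn[1:])[0]) & 0xFFFFFFFF

def encode_jmp_rel32(addr, target):
    """Inverse: the 5 bytes a LOOK command needs for a jump at addr that lands on target."""
    return b"\xE9" + struct.pack("<I", (target - (addr + 5)) & 0xFFFFFFFF)

def find_oep(image, base, pattern):
    """Scan an image loaded at base for the jump bytes and decode their destination (None if absent)."""
    off = image.find(pattern)
    return None if off < 0 else jmp_rel32_target(base + off, pattern)

# Constructed image of the stub's tail at 004D2620: REPZ MOVSB, POPAD, POPF, then both jumps from the listing
STUB_BASE = 0x004D2620
IMAGE = b"\xF3\xA4\x61\x66\x9D\xE9\x46\x53\xF5\xFF\xE9\x6B\x69\xF5\xFF"
```

The same decoding applied to the second jump in the listing (E9 6B 69 F5 FF at 004D262A) gives 00428F9A, matching SoftICE's output.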

                                                    ______   ______   ______   ______
                                                   /      \ /      \ /      \ /      \
 _________________________________________________/   .   //   /   //   /   //   /   /
 |                                                \__/   /_\__    /_\__    /_\__    /|
 |[CP!]: http://crackpllist.cjb.net                /    //    /  //    /  //    /  / |
 |________________________________________________/    //    /  //    /  //    /  /__|
                                                  \___/ \_______\\_______\\_______\