A Quick Guide To Using IceDump/Bhrama
by Ghiribizzo ~ 16 July 1999
Courtesy of fravia's page of reverse engineering
A very interesting "quick guide" by Ghiri, that I found today on my messageboard...
Sice aficionados will love (and enjoy) this essay.
A Quick Guide To Using IceDump/Bhrama by Ghiribizzo [OR&L/uKC]
1999
===================================================================
The following is a quick guide to help those who want to use IceDump5 and Bhrama to unpack PE files.
What is IceDump/Bhrama?
-----------------------
Icedump is the SoftICE tool created by the Owl which allows you to dump memory from SoftICE into a file.
Icedump 5 has Bhrama support. Bhrama is a server in Procdump that allows clients to instruct procdump when to dump. When Procdump is unable to automatically unpack a file, you can semi-automatically unpack it by tracing the code manually in SoftICE, then telling Bhrama when it is a good time to dump.
An Example (ASPacked Calc.exe)
------------------------------
I shall give you an example of how to use Icedump/Bhrama to semi-automatically unpack calc.exe when packed with ASPack.
Ingredients
-----------
SoftICE (any version from 3.22 to 4.00) - I use 4.00 in this example
Icedump5 BETA - I use a slightly modified version of the 928 byte icedump image in this example
ProcDump - I use pd149d4 in this example
calc.exe - find it in your windows directory
ASPack 1.08.03 - download it from www.entechtaiwan.com/aspack.htm
IceDump Patcher - download it from www.chocbar.demon.co.uk/ghiribizzo/id.zip
Preparing the Ingredients
-------------------------
1. Icedump
Firstly, we must install IceDump. You can use HIEW to do this manually, or use my patcher. Note that to use the patcher you must either obtain an image supporting this, recompile an image with the offset info, or add the 8 byte offset information yourself. All future icedump images should contain the offset information. The icedump image for the patcher should look like the following:
dd INIT_CALL
dd PAGEIN_PATCH_ORIGIN
[rest of icedump image]
See icedump.asm for more details. To build this 8 byte stub yourself, you need the offset information from icedump.inc. e.g. the part corresponding to SoftICE 4.0 is as follows:
%if WINICE_VERSION = 0x400
%define PAGEIN_PATCH_ORIGIN 0xC6C7C
INIT_CALL EQU 0x0ACE6
Create the 8 byte stub file in hiew, and use a binary copy to prepend it to the rest of the icedump image. Alternatively, use a hex editor which allows insertion of bytes. Once you have the prepared image file, copy it to your softice directory with the patcher and run the patcher; it will then automatically patch icedump into softice for you.
2. Calc.exe
Find calc.exe in your \windows directory and run ASPack on it, to compress it.
Open up calc.exe with hiew and switch hiew to hex mode. Go to the entry point (F8,F5) and alter the first byte there to CCh. We do this so that SoftICE will break at the first instruction.
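The hiew step above (locate the PE entry point and overwrite its first byte with CCh) done as a script, added here as an example that is not part of the original essay or of IceDump/ProcDump; the function and sample-image names are my own, and the sample image is a constructed minimal PE rather than a real calc.exe. Keep the returned original byte: you need it to restore the PUSHAD that ASPack places at the entry point once SoftICE has broken.

```python
import struct

def entry_point_file_offset(pe):
    """Map AddressOfEntryPoint (an RVA) to a raw file offset via the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsections = struct.unpack_from("<H", pe, pe_off + 6)[0]   # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]   # SizeOfOptionalHeader
    entry_rva = struct.unpack_from("<I", pe, pe_off + 0x28)[0]  # AddressOfEntryPoint
    sect = pe_off + 24 + opt_size                               # first IMAGE_SECTION_HEADER
    for i in range(nsections):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, sect + i * 40 + 8)
        if va <= entry_rva < va + max(vsize, rawsize):
            return entry_rva - va + rawptr
    raise ValueError("entry point RVA not inside any section")

def patch_entry_with_int3(pe):
    """Return (patched image, original first byte); the entry byte becomes CCh (INT 3)."""
    off = entry_point_file_offset(pe)
    patched = bytearray(pe)
    original = patched[off]
    patched[off] = 0xCC
    return bytes(patched), original

def build_sample_pe():
    """Constructed minimal 32-bit PE: one .text section, PUSHAD (60h) at the entry point."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1010)                     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 32, 0x1000)                     # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                      # FileAlignment
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)
    header = (dos + b"PE\0\0" + coff + bytes(opt) + sect).ljust(0x200, b"\0")
    code = bytearray(0x200)
    code[0x10] = 0x60                                           # PUSHAD at RVA 0x1010
    return bytes(header + code)

if __name__ == "__main__":
    image, first = patch_entry_with_int3(build_sample_pe())
    print("entry at file offset 0x%X, original byte %02Xh" % (entry_point_file_offset(image), first))
```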
Cooking
-------
Start up SoftICE and procdump. Start the Bhrama server by clicking on the 'Bhrama Server' button.
Open the packed calc.exe with the symbol loader but do not load yet. Open the SoftICE console window and 'set i3here on'. Now load calc.exe. SoftICE will break on the int3. You now need to set back eip by one and reassemble the PUSHAD instruction we overwrote with the CCh.
Now trace through all the unpacking junk until just before the packer returns control to the program. This is done via a PUSH EAX, RET combination in ASPack. Trace into the RET and you arrive at the first instruction of the unpacked program. Now issue a 'PAGEIN p Bhrama' command. Icedump will then give control to procdump and you can then enter the filename for the dump. That's it!
Serving Suggestions
-------------------
It's a good idea to assign the dump command to the F3 hotkey to save yourself some typing. Also, you should change the default Bhrama window name to something else, if you're concerned about detection.