/------------------------------HellSpawn 2K1-----------------------\
| Author:     KahnAbyss                                              |
| Target:     Kyodai Mahjongg 15.42                                  |
| Tools:      SoftIce 4.05                                           |
|             W32Dasm 8.9                                            |
|             FrogsIce 0.43                                          |
|             Procdump 1.6.2                                         |
| Protection: Packed Exe                                             |
| Level:      Novice                                                 |
\------------------------------------------------------------------/

---------------------------------> INTRODUCTION <---------------------------------------------

Ok, in this tutorial I am going to teach you how to unpack an exe packed with AsPack, which is a powerful exe packer. It is fairly easy to trace, but it has some anti-SoftIce stuff, so let's get rocking!

----------------------------------------------------------------------------------------------------------------

Part 1a: Unpacking The File using ProcDump
=====================================

Step 1: Make a copy of Kyodai.exe as Test.exe. Open ProcDump, click on PE Editor and select Test.exe. Click on Sections, right-click on CODE, select Edit and change the characteristics from C0000040 to E0000020.

Step 2: Open Test.exe with the SoftIce Symbol Loader and click on Load. SoftIce should pop up now; trace down the code with F10 a little bit. Soon you will get caught in a loop:

    015F:809279  or   Ecx,Ecx      <--- Start Of The Loop
    015F:80927B  jz   8092A9       <--- 1st Conditional jump
    015F:80927D  lodsb
    015F:80927E  cmp  AL,E8
    015F:809280  jz   80928C
    015F:809282  jmp  809284
    015F:809284  cmp  AL,E9
    015F:809286  jz   80928C
    015F:809288  inc  Ebx
    015F:809289  dec  Ecx
    015F:80928A  jmp  809279       <--- End Loop

From here we put a breakpoint on 8092A9, since it is the first exit of the loop.
Press F5 and continue tracing with F10. You will soon be caught in another loop, from 809211 to 8092E3; put a breakpoint on the end of the loop at 8092E9, and you get to the last loop, from 8093F7 to 8094C0:

    015F:8094F2  jnz  809F4C       <--- end of unpacking data function
    015F:8094F4  mov  Eax,00000001
    015F:8094F9  ret  000C
    015F:8094FC  push 00000000     <--- Entry point
    015F:809501  ret

Put a breakpoint at 8094FC and you will see an address; for me it was 4F47F4.

Step 3: Now that we have the entry point, the rest is easy. We make an endless loop at address 809501: type A 809501 to enter assembly mode, then type jmp 809501, get out with ESC and press F5 to leave SoftIce. Now open ProcDump and find the running exe. Under Options select Rebuild Import Table, then right-click on the exe and select Dump (Full). Give the new dumped file a name; I called it Unpacked.exe. You should get an exe of 1,810,944 bytes. Use the PE Editor to edit the entry point: you must subtract the Image Base from the entry point, so in the entry point field we write 4F47F4 - 400000 = F47F4. Now run the exe. Well, it loads but does nothing, so now we have to patch the anti-SoftIce stuff :)

Part 1b: Removing Anti-SoftIce Protection
===================================

Step 4: Here we have several ways to find out how the software checks for SoftIce. You can use FrogsIce, which is a powerful detector, and it will tell you where the check is in the code.
At first I used it and got 2 offsets in the log file:

    => Unpacked ** SOFTICE DETECTION ** code 0B, at cs:00496D38  Attempting to load: SICE
    => Unpacked ** SOFTICE DETECTION ** code 0B, at cs:00496D74  Attempting to load: NTICE

To have more details on the SoftIce detection mode, just check section 0B in Code.txt. If you press Shift-F12 in W32Dasm, go to 496D38 and scroll up a little, you will see:

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    :00496D26(C)
    * Possible StringData Ref from Code Obj ->"\\.\SICE"
    :00496D19 68346D4900    push 00496D34
    :00496D1E E899FAF6FF    call 004067BC      <--- Call Search function
    :00496D23 83F8FF        cmp eax, FFFFFFFF  <--- Test Results
    :00496D26 7408          je 00496D30        <--- Jump if Sice not loaded
    :00496D28 50            push eax
    :00496D29 E86EFAF6FF    call 0040679C
    :00496D2E B301          mov bl, 01

You can try it with SoftIce: load your exe in the Symbol Loader, put a bpx on the line 496D26, change the (Z)ero flag (r fl z) and press F5. Now Kyodai should run fine :) You can now patch it in Hiew; it's your choice. I did it, since you load it often in the next part of the tutorial.

Step 5: Open Unpacked.exe with Hiew, press F4 and select Decode Mode, press F5 and type the offset (for me it was 96326), then F3 and change 74 to 75, then F9 to update and get out. You can also use a macro to do it without patching the file; that is great too, and could be better since this protection is used often. Add these lines to your WinIce.Dat, reboot and type HideMe at the console:

    MACRO NoSice="d @(esp+4);e @(esp+4) 0;x;"
    MACRO HideMe="bpx CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' do \"NoSice\""

Now we are ready to find a serial, so go to the next part of the tutorial :)
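The two PE Editor edits in Part 1a (the CODE section characteristics in step 1 and the entry point in step 3) change fields of the PE header that ProcDump hides behind its dialog; the Python below is an added example, not code from the tutorial or from ProcDump, that parses a PE32 header to read ImageBase and AddressOfEntryPoint, names the IMAGE_SCN_* bits behind C0000040 and E0000020, and applies the entry point = VA - ImageBase rule from step 3. The header it works on is built inline by sample_pe (a constructed minimal header, assumed for the example; it is not a real program and not Kyodai.exe).

```python
import struct

# IMAGE_SCN_* bits behind the two Characteristics values on this page (PE/COFF spec)
SCN_FLAGS = {0x20: "CNT_CODE", 0x40: "CNT_INITIALIZED_DATA",
             0x20000000: "MEM_EXECUTE", 0x40000000: "MEM_READ", 0x80000000: "MEM_WRITE"}

def describe_characteristics(value):
    return [name for bit, name in sorted(SCN_FLAGS.items()) if value & bit]

def _offsets(data):
    # e_lfanew -> "PE\0\0", IMAGE_FILE_HEADER (20 bytes), optional header (PE32 layout assumed), section table
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt = e_lfanew + 24
    return opt, opt + struct.unpack_from("<H", data, e_lfanew + 20)[0], nsec

def read_header(data):
    """ImageBase, AddressOfEntryPoint (an RVA), the resulting VA and each section's Characteristics."""
    opt, sects, nsec = _offsets(data)
    base, entry = struct.unpack_from("<I", data, opt + 28)[0], struct.unpack_from("<I", data, opt + 16)[0]
    secs = {data[o:o + 8].rstrip(b"\0").decode("ascii", "replace"): struct.unpack_from("<I", data, o + 36)[0]
            for o in range(sects, sects + 40 * nsec, 40)}
    return {"image_base": base, "entry_rva": entry, "entry_va": base + entry, "sections": secs}

def set_entry_point(data, entry_va):
    """Store the entry point seen in the debugger the way step 3 does: AddressOfEntryPoint = VA - ImageBase."""
    opt, _, _ = _offsets(data)
    base = struct.unpack_from("<I", data, opt + 28)[0]
    if entry_va < base:
        raise ValueError("entry VA below ImageBase")
    out = bytearray(data)
    struct.pack_into("<I", out, opt + 16, entry_va - base)
    return bytes(out)

def sample_pe(image_base=0x400000, entry_rva=0x1000, code_chars=0xC0000040):
    """Constructed minimal PE32 header (DOS header, file/optional header, one CODE section); not a real program."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva); struct.pack_into("<I", opt, 28, image_base)
    sect = struct.pack("<8sIIIIIIHHI", b"CODE", 0x1000, 0x1000, 0x1000, 0x400, 0, 0, 0, 0, code_chars)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sect
```

With the page's numbers, set_entry_point(sample_pe(), 0x4F47F4) stores F47F4, and describe_characteristics shows that step 1 swaps CNT_INITIALIZED_DATA for CNT_CODE and adds MEM_EXECUTE.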