Unpacking PicturesToExe v2.15 (written by GoKs)


Tools.
Unpacking.

As always, we first find out some properties of the program under study with the PE editor ProcDump. We learn the following:

Size of Image = 00172000
Image Base = 00400000

Now look at the Sections tab to see which section could hold the import table. As is well known, the import table usually sits either in the rdata section or in the idata section. Comparing the Virtual Size of these two sections, I assumed that the import table is in idata, since its Virtual Size is larger, so we note its parameters:

Virtual Offset (RVA) = 000E4000
Virtual Size = 00003000

With SoftICE loaded, the program naturally shows ASProtect's favourite message about a running debugger and refuses to work; an attempt to hide the debugger with FrogIce also ends in failure with an error message. The unpacker code, as will become clear below, is the same one I saw when unpacking programs such as WinNavigator, Avawe Studio and some others. So our task now is to stop the program in SoftICE inside the unpacker code. This can be done in two ways: by changing the characteristics of the CODE section, or by replacing the opcode at the entry point with CC (int 3) in HIEW and setting the SoftICE breakpoint bpint 3 (anyone who has done this before will understand what I mean :). Once we finally land in the unpacker code, we trace a little until we reach the instruction:
0055E0C5 PUSH ESP

From here a very interesting piece of code begins; take a look and you will understand what I mean. Set a bpx on address 0055E0C5 so you don't have to load the program through the SoftICE loader every time. By the way, if you changed the characteristics of the CODE section, change them back after setting this breakpoint, otherwise nothing will work. One more note: the addresses you get will be completely different from the ones I give here; I went through this code three times and the addresses changed every time :( Well, back to the unpacking. To get past this meaningless code faster, scroll the code window in SoftICE down and set a bpx on a ret instruction, then F5, then on to the next ret. When the ret instructions run out, set breakpoints on constructs like this:

Jmp ---- 
jmp ---- 
jmp ---- 
When you see such constructs, stop on these instructions and press F8 five times so as not to skip the ret that takes us out of this useless "living" code. The exit leads into the system DLL Kernel32; once we are in it, trace until it returns, and we end up here:
5C83D1 PUSHAD             < we land here
5C83D2 CALL 005C8A1B
< step into it and go on until ret, and once more until ret; we end up in a piece of code that unpacks something. To bypass it faster, scroll the code window down to:
5C8995 popad
5C8996 jnz 005C89A0
5C8998 mov EAX, 01
5C899d ret
5C89A0 push 005BB314
5C89A5 ret      < set a bpx here; from here we get into code of the following kind:

5BB325 call 005AC8DC
5BB32A call 005AF150
5BB32F call 005B0F2C
5BB334 call 005B64B8
5BB339 call 005AC420   < step into this one, trace up to the next ret, and we end up here:
5BA84F push EBP
5BA850 push 005BA86D
5BA855 push dword ptr fs: [EAX]
5BA858 mov fs: [EAX], ESP
5BA85B mov EAX, [EBP + 08]
5BA85E call 005BA25C      
< here the program checks for a debugger in memory and for the integrity of its code, so step into this call and trace up to the first jz. You will see that the jump is not taken (and if it is not taken, the message about loaded SoftICE appears), so invert the Z flag and the jump is taken. Now it is time to set a bpx on LoadLibraryA to catch the moment the imports are unpacked: F5, and the breakpoint we just set fires at once. Disable the bpx on LoadLibraryA and dump the idata section:

pagein d 4E4000 3000 c:\idata.bin

(4E4000 = Image Base 400000 + RVA E4000, 3000 = Virtual Size of idata.) Then trace on from

5BAA48 mov EAX, [EBP + 08]

until:
5BAA4B mov EAX, [EAX + 1C]
5BAA4E call 005BA1B0 < step in here; this is the end of the unpacking
5BAA53 pop EDI
5BAA54 pop ESI
5BAA55 pop EBX
5BAA56 pop ECX
5BAA57 pop ECX
5BAA58 pop EBP
5BAA59 ret 0004
Stepping into call 005BA1B0 we again see the "living" code. Trace it a little, up to a popad instruction, and write down the value of register EAX = 004DFC88; this is OEP + Image Base. Three or four instructions later we reach a ret, and that is the jump into the unpacked program. Standing on this instruction, disable all breakpoints and dump the whole image:

pagein d 400000 172000 c:\dump.exe

(400000 = Image Base, 172000 = Size of Image.) Now we have everything we need to build a working unpacked exe file. Open our dump.exe in a hex editor and insert idata.bin at file offset E4000. Then in ProcDump set, for each section, Raw Size = Virtual Size and Raw Offset = Virtual Offset (a memory dump is laid out as in memory, so the file layout must match the virtual one); go to the Directory tab and set RVA Import Table = RVA of idata, E4000; and fix the Entry Point, remembering the value of EAX: Entry Point = 4DFC88 - Image Base 400000 = DFC88. Well, that's all: the program starts and everything works. After changing the characteristics of the CODE section from C0000040 to E0000020 and disassembling in W32Dasm, we have the imports, and everything is ready for studying the program, which I leave to you to do on your own.
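The header surgery above (paste idata.bin into the dump, make the raw layout equal the virtual layout for every section, repoint the import directory at idata, set the OEP taken from EAX, re-flag CODE as executable) is scripted here in Python as an added example. This is not the author's code or any real tool: the names fix_dump, describe and build_sample_image are mine, the image it operates on is a constructed toy PE that only borrows the article's numbers (Image Base 400000, Size of Image 172000, idata at RVA E4000 with size 3000, OEP 4DFC88), and the 0x5A bytes stand in for the real c:\idata.bin. As in the article, only the RVA of the import directory is changed; its size entry is left as it was.

```python
"""Turn a raw memory dump into a loadable PE file, scripting the article's
hex-editor/ProcDump steps: paste idata.bin into the dump, set Raw Size/Offset
= Virtual Size/Offset per section, repoint the import directory at idata,
set the OEP found in EAX, and re-flag CODE as executable code."""
import struct

# PE32 optional-header and section-header field offsets (PE spec).
OPT_ENTRY_POINT, OPT_IMAGE_BASE, OPT_SIZE_OF_IMAGE = 16, 28, 56
OPT_DATA_DIRS = 96                 # IMAGE_DATA_DIRECTORY[], 8 bytes each
DIR_IMPORT = 1                     # index of the import directory entry
SEC_VSIZE, SEC_VADDR, SEC_RAWSIZE, SEC_RAWPTR, SEC_CHARS = 8, 12, 16, 20, 36
CHARS_DATA_RW = 0xC0000040         # INITIALIZED_DATA | READ | WRITE
CHARS_CODE_RWX = 0xE0000020        # CODE | EXECUTE | READ | WRITE


def _headers(image):
    """Return (optional header offset, section table offset, section count)."""
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if bytes(image[e_lfanew:e_lfanew + 4]) != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsects, = struct.unpack_from("<H", image, coff + 2)
    opt_size, = struct.unpack_from("<H", image, coff + 16)
    return coff + 20, coff + 20 + opt_size, nsects


def sections(image):
    """Yield (name, header offset) for each section header."""
    _, table, nsects = _headers(image)
    for i in range(nsects):
        off = table + 40 * i
        yield bytes(image[off:off + 8]).rstrip(b"\0"), off


def fix_dump(dump, oep_va, idata_rva, idata_bytes, code_section=b"CODE"):
    """Apply the article's fix-ups to a memory dump; returns the new file."""
    image = bytearray(dump)
    opt, _, _ = _headers(image)
    image_base, = struct.unpack_from("<I", image, opt + OPT_IMAGE_BASE)
    if idata_rva + len(idata_bytes) > len(image):
        raise ValueError("idata does not fit inside the dump")
    # 1. Paste idata.bin over the section. In a dump taken from Image Base a
    #    byte's file offset equals its RVA, so the paste offset is the RVA.
    image[idata_rva:idata_rva + len(idata_bytes)] = idata_bytes
    for name, off in sections(image):
        # 2. Raw layout := virtual layout, so the dump maps 1:1 when loaded.
        vsize, vaddr = struct.unpack_from("<II", image, off + SEC_VSIZE)
        struct.pack_into("<II", image, off + SEC_RAWSIZE, vsize, vaddr)
        # 3. CODE must be flagged as code again, or W32Dasm treats it as data.
        if name == code_section:
            struct.pack_into("<I", image, off + SEC_CHARS, CHARS_CODE_RWX)
    # 4. Import directory RVA -> start of idata (the size entry is left as is).
    struct.pack_into("<I", image, opt + OPT_DATA_DIRS + 8 * DIR_IMPORT, idata_rva)
    # 5. Entry point = VA seen in EAX before the final RET, minus Image Base.
    struct.pack_into("<I", image, opt + OPT_ENTRY_POINT, oep_va - image_base)
    return bytes(image)


def describe(image):
    """Read back the fields the article edits, for checking the result."""
    opt, _, _ = _headers(image)
    ep, = struct.unpack_from("<I", image, opt + OPT_ENTRY_POINT)
    imp, = struct.unpack_from("<I", image, opt + OPT_DATA_DIRS + 8 * DIR_IMPORT)
    secs = {}
    for name, off in sections(image):
        vs, va, rs, rp = struct.unpack_from("<IIII", image, off + SEC_VSIZE)
        ch, = struct.unpack_from("<I", image, off + SEC_CHARS)
        secs[name.decode()] = dict(vsize=vs, vaddr=va, rawsize=rs, rawptr=rp, chars=ch)
    return dict(entry_point=ep, import_rva=imp, sections=secs)


def build_sample_image():
    """Constructed toy dump (not the real PicturesToExe image): PE32 at Image
    Base 400000, Size of Image 172000, with CODE and idata sections whose raw
    fields still hold the packed on-disk layout and the wrong characteristics."""
    size_of_image = 0x172000
    image = bytearray(size_of_image)
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x80)                  # e_lfanew
    image[0x80:0x84] = b"PE\0\0"
    coff = 0x84  # i386, 2 sections, no symbols, 0xE0-byte optional header
    struct.pack_into("<HHIIIHH", image, coff, 0x14C, 2, 0, 0, 0, 0xE0, 0x010F)
    opt = coff + 20
    struct.pack_into("<H", image, opt, 0x10B)                   # PE32 magic
    struct.pack_into("<I", image, opt + OPT_ENTRY_POINT, 0x15E000)  # packer stub EP (made up)
    struct.pack_into("<I", image, opt + OPT_IMAGE_BASE, 0x400000)
    struct.pack_into("<I", image, opt + OPT_SIZE_OF_IMAGE, size_of_image)
    layout = [  # name, VirtualSize, VirtualAddress, RawSize, RawPtr, Characteristics
        (b"CODE",  0xE3000, 0x1000,  0x400, 0x400, CHARS_DATA_RW),
        (b"idata", 0x3000,  0xE4000, 0x200, 0x800, CHARS_DATA_RW),
    ]
    for i, (name, vs, va, rs, rp, ch) in enumerate(layout):
        off = opt + 0xE0 + 40 * i
        image[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", image, off + SEC_VSIZE, vs, va, rs, rp)
        struct.pack_into("<I", image, off + SEC_CHARS, ch)
    return bytes(image)


if __name__ == "__main__":
    idata = bytes([0x5A]) * 0x3000      # stands in for c:\idata.bin (constructed)
    fixed = fix_dump(build_sample_image(), 0x4DFC88, 0xE4000, idata)
    print(describe(fixed))
```

On a real dump you would replace build_sample_image() with open("c:\\dump.exe", "rb").read() and the 0x5A bytes with the contents of idata.bin; describe() is the quick check that the Entry Point, import RVA and section table came out as ProcDump would show them.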