Tutorial Number 31
Written by Eternal Bliss
Published by tsehp
Email: Eternal_Bliss@hotmail.com
Website: http://crackmes.cjb.net
         http://surf.to/crackmes
Date written: 25th February 2000

Program Details:
Name: Notepad.exe
Tools Used: ProcDump
            Softice
            Symbol Loader
Cracking Method: Unpacking

Viewing Method: Use Notepad with Word Wrap switched on
                Screen Area set to 800 X 600 pixels (Optional)

__________________________________________________________________________

About this protection system

Notepad.exe packed with Shrinker v3.4
Aim: Unpacking it manually

_________________________________________________________________________

About this tutorial

This is the first of a series of SIMPLE unpacking tutorials I am going to write. The target program is notepad.exe, which is available on most computers. As I am still not very good at explaining certain stuff in unpacking, I can only try my best to show you the simple method. For advanced methods, you will have to read other tutorials.

_________________________________________________________________________

Making Softice break on Entry Point

Open the packed notepad.exe with Symbol Loader. Click the 2nd icon on Symbol Loader, which says "Load the currently open module". You will get an error message asking if you want to load the executable anyway. Click on "Yes".

If Softice is loaded, it should break on the entry point of the program. But it didn't break, and the packed notepad.exe runs at will. Time to change the characteristics of the sections... By changing the characteristics, you will get Softice to break on the entry point.

Load the packed notepad.exe using ProcDump (using PE Editor). You will see a window with "PE Structure Editor" as the title. Click on the button called "Sections". You will get another window with "Sections Editor" as the title. You will see the various sections of the packed notepad.exe. The first section is .shrink0 and its characteristics value is C0000082.
Change the characteristics by left clicking .shrink0, then right clicking and choosing "Edit section". You will get another window with "Modify section value" as the title. Change the Section Characteristics from C0000082 to E0000020. Keep pressing OK till you return to the main ProcDump window. You can leave ProcDump alone for the moment.

**Much as I would like to explain why this is necessary, I couldn't. 8P You might want to read up on PE structure to find out why. From what I was told, E0000020 will make the section executable, thus Softice will break on the entry point.

_________________________________________________________________________

Finding Entry Point and Dumping

Now, I hope you didn't close Symbol Loader. If you did, open the packed notepad.exe and load the executable again. When you click on "Yes" this time, you will find yourself in Softice...

I have pasted the code below and commented on it.

************************* What you see in SICE *************************

**You will be here when Softice breaks. Keep pressing F10 to trace through the code.
0041454F  FFFF            INVALID
00414556  55              PUSH EBP
00414557  8BEC            MOV EBP,ESP
00414559  56              PUSH ESI
0041455A  57              PUSH EDI
0041455B  756B            JNZ 004145C8          (NO JUMP)
0041455D  6800010000      PUSH 00000100
00414562  E8D60B0000      CALL 0041513D
00414567  83C404          ADD ESP,04
0041456A  8B7508          MOV ESI,[EBP+08]
0041456D  A3B4F14000      MOV [0040F1B4],EAX
00414572  85F6            TEST ESI,ESI
00414574  7423            JZ 00414599           (JUMP)
00414599  33FF            XOR EDI,EDI
0041459B  57              PUSH EDI
0041459C  893D8C184100    MOV [0041188C],EDI
004145A2  FF1510224100    CALL [KERNEL32!GetModuleHandleA]
004145A8  8BF0            MOV ESI,EAX
004145AA  68FF000000      PUSH 000000FF
004145AF  A1B4F14000      MOV EAX,[0040F1B4]
004145B4  897D10          MOV [EBP+10],EDI
004145B7  C7450C01000000  MOV DWORD PTR [EBP+0C],00000001
004145BE  50              PUSH EAX
004145BF  56              PUSH ESI
004145C0  FF15F4214100    CALL [KERNEL32!GetModuleFileNameA]
004145C6  EB03            JMP 004145CB          (JUMP)
004145CB  E830EAFFFF      CALL 00413000
004145D0  FF7510          PUSH DWORD PTR [EBP+10]
004145D3  FF750C          PUSH DWORD PTR [EBP+0C]
004145D6  56              PUSH ESI
004145D7  E806000000      CALL 004145E2

**If you trace over this CALL at 004145D7, the packed notepad.exe will run free. Reload it using Symbol Loader if this happens. The next time you get to this CALL, press F8 to trace into it. You will then see what's below. BPX on 004145D7 first.
004145E2  64A100000000    MOV EAX,FS:[00000000]
004145E8  55              PUSH EBP
004145E9  8BEC            MOV EBP,ESP
004145EB  6AFF            PUSH FF
004145ED  6810E04000      PUSH 0040E010
004145F2  68EC5D4100      PUSH 00415DEC
004145F7  50              PUSH EAX
004145F8  64892500000000  MOV FS:[00000000],ESP
004145FF  83EC14          SUB ESP,14
00414602  C745E401000000  MOV DWORD PTR [EBP-1C],00000001
00414609  53              PUSH EBX
0041460A  56              PUSH ESI
0041460B  57              PUSH EDI
0041460C  8965E8          MOV [EBP-18],ESP
0041460F  C745FC00000000  MOV DWORD PTR [EBP-04],00000000
00414616  8B450C          MOV EAX,[EBP+0C]
00414619  83F801          CMP EAX,01
0041461C  7510            JNZ 0041462E          (NO JUMP)
0041461E  E886030000      CALL 004149A9
00414623  FF05C0F14000    INC DWORD PTR [0040F1C0]
00414629  E882F6FFFF      CALL 00413CB0
0041462E  8B35C0F14000    MOV ESI,[0040F1C0]
00414634  85F6            TEST ESI,ESI
00414636  0F848D000000    JZ 004146C9           (NO JUMP)
0041463C  833DC4F1400000  CMP DWORD PTR [0040F1C4],00
00414643  7526            JNZ 0041466B          (NO JUMP)
00414645  833D6417410000  CMP DWORD PTR [00411764],00
0041464C  741D            JZ 0041466B           (NO JUMP)
0041464E  A164174100      MOV EAX,[00411764]    **EAX will now be 000010CC
00414653  030588184100    ADD EAX,[00411888]    **EAX will now be 004010CC
00414659  8945DC          MOV [EBP-24],EAX      **[EBP-24] will now contain 004010CC
0041465C  FF7510          PUSH DWORD PTR [EBP+10]
0041465F  FF750C          PUSH DWORD PTR [EBP+0C]
00414662  FF7508          PUSH DWORD PTR [EBP+08]
00414665  FF55DC          CALL [EBP-24]

**If you trace over this call, notepad.exe will run again. From above, since [EBP-24] = 004010CC, the packed program is calling 004010CC. If you trace into this call, you will get notepad.exe running pretty soon. If you have traced through more Shrinker v3.4 packed programs, you will always see this "CALL [EBP-24]". So the program is actually going to the entry point of the unpacked program.

Reload the packed notepad.exe and, once you break, press F5 and you will break at 004145D7 where you set a bp before. Trace into it till you come to 00414665, where the program is about to go to its unpacked entry point.
Now, type the following:

a eip      (and press Enter)
jmp eip    (and press Enter)
F5

This will change the code at 00414665. You will notice that after typing in "jmp eip" and pressing Enter, the instruction at 00414665 is now a jmp to itself, so the program spins on that one instruction. This will effectively make the program "pause". Pressing F5 allows you to return to Windows, and you can dump the unpacked program onto your HD.

Using ProcDump, right click on the first list and choose "Refresh list". Look for the packed notepad.exe and right click on it. Choose "Dump (Full)" and save it. Right click on it again and choose "Kill Task".

_________________________________________________________________________

Changing Entry Point

If you remember, the entry point of the unpacked notepad.exe is 004010CC. Using the PE Editor function of ProcDump again, open the dumped notepad.exe. Under "Header Infos", you will see that the entry point is 0001454F, which is wrong. If you try running the dumped notepad.exe without changing the entry point, it will crash. Change the entry point to 004010CC and click on "OK". Now, run the unpacked notepad.exe. It should run. 8)

__________________________________________________________________________

Final Notes

This tutorial is dedicated to all the newbies like me.

My thanks and gratitude go to:-
MiZ, from whom I learnt the basics of unpacking.
All the writers of cracking tutorials and CrackMes, and also all the crackers that have been supporting my site and project forum.
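The two header edits the tutorial makes by hand in ProcDump (the .shrink0 characteristics change from C0000082 to E0000020, and the entry point change on the dumped file) are both plain PE header fields, and the ADD EAX,[00411888] step in the trace is the usual "RVA + ImageBase = VA" arithmetic. The Python below is an added example, not part of the tutorial and not ProcDump's or Shrinker's code: it builds a small headers-only PE32 image in memory with a made-up section layout (the section names, RVAs and sizes are constructed; only the flag values and the addresses 0001454F, 00400000 and 004010CC are taken from the text), decodes the characteristics bits, shows that C0000082 is READ|WRITE|UNINITIALIZED_DATA plus a reserved bit while E0000020 is READ|WRITE|EXECUTE|CNT_CODE, and runs a small triage that reports what a packed image typically shows (an entry point in a section not marked as code, and a writable+executable section). It also shows the point about the entry point field: the header's AddressOfEntryPoint is an RVA, so 0001454F + 00400000 = 0041454F (where Softice broke) and the RVA that matches the unpacked entry VA 004010CC is 000010CC. Nothing here unpacks anything; it only reads and rewrites header fields.

```python
import struct

# IMAGE_SCN_* section characteristic bits from winnt.h.
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x10000000: "IMAGE_SCN_MEM_SHARED",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}

def decode_characteristics(value):
    """Names of the set bits, lowest bit first; bits not in the table are reported as hex."""
    return [SECTION_FLAGS.get(1 << b, "unknown_0x%08X" % (1 << b))
            for b in range(32) if value & (1 << b)]

def parse_pe(data):
    """Pull entry RVA, image base and the section table out of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, fh + 2)[0]
    size_opt = struct.unpack_from("<H", data, fh + 16)[0]
    oh = fh + 20                                        # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, oh)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", data, oh + 16)[0]   # AddressOfEntryPoint (an RVA)
    image_base = struct.unpack_from("<I", data, oh + 28)[0]  # ImageBase
    sections = []
    for i in range(num_sections):
        off = oh + size_opt + 40 * i                    # IMAGE_SECTION_HEADER
        vsize, vaddr = struct.unpack_from("<II", data, off + 8)
        sections.append({"name": data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "header_offset": off,
                         "characteristics": struct.unpack_from("<I", data, off + 36)[0]})
    return {"opt_offset": oh, "entry_rva": entry_rva, "image_base": image_base, "sections": sections}

def rva_to_va(info, rva):
    return info["image_base"] + rva          # the ADD EAX,[00411888] step in the trace

def va_to_rva(info, va):
    return va - info["image_base"]

def section_containing(info, rva):
    for s in info["sections"]:
        if s["vaddr"] <= rva < s["vaddr"] + s["vsize"]:
            return s
    return None

def triage(info):
    """Findings a packed image typically shows: W+X sections, entry point outside code."""
    findings = []
    for s in info["sections"]:
        if s["characteristics"] & 0x80000000 and s["characteristics"] & 0x20000000:
            findings.append("%s is writable and executable" % s["name"])
    ep = section_containing(info, info["entry_rva"])
    if ep is None:
        findings.append("entry point RVA 0x%X lies outside every section" % info["entry_rva"])
    elif not ep["characteristics"] & 0x00000020:
        findings.append("entry point is in %s, which is not marked IMAGE_SCN_CNT_CODE" % ep["name"])
    return findings

def set_section_characteristics(data, name, value):
    """Copy of data with the named section's Characteristics replaced (ProcDump 'Edit section')."""
    out = bytearray(data)
    for s in parse_pe(data)["sections"]:
        if s["name"] == name:
            struct.pack_into("<I", out, s["header_offset"] + 36, value)
            return bytes(out)
    raise KeyError(name)

def set_entry_point(data, rva):
    """Copy of data with AddressOfEntryPoint replaced (ProcDump 'Header Infos')."""
    out = bytearray(data)
    struct.pack_into("<I", out, parse_pe(data)["opt_offset"] + 16, rva)
    return bytes(out)

def build_sample_pe():
    """Constructed headers-only PE32; the section layout is made up, flag/address values are the tutorial's."""
    sections = [  # name, VirtualSize, VirtualAddress, Characteristics
        (b".text",    0x12000, 0x01000, 0x60000020),  # CODE|EXECUTE|READ, covers RVA 000010CC
        (b".shrink0", 0x01000, 0x14000, 0xC0000082),  # packer stub section, value quoted by the tutorial
    ]
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                  # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x010F)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1454F)                 # AddressOfEntryPoint as ProcDump shows it
    struct.pack_into("<I", opt, 28, 0x400000)                # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)          # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, 0, 0, 0, 0, 0, 0, ch)
                     for n, vs, va, ch in sections)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + table

def demo():
    """Replay the tutorial's two header edits on the constructed image."""
    packed = build_sample_pe()
    info = parse_pe(packed)
    step1 = set_section_characteristics(packed, ".shrink0", 0xE0000020)  # first edit in the tutorial
    step2 = set_entry_point(step1, va_to_rva(info, 0x4010CC))            # second edit, stored as an RVA
    final = parse_pe(step2)
    return {
        "stub_entry_va": rva_to_va(info, info["entry_rva"]),             # 0x41454F, where Softice broke
        "shrink0_before": decode_characteristics(info["sections"][1]["characteristics"]),
        "findings_packed": triage(info),
        "findings_after_step1": triage(parse_pe(step1)),
        "findings_final": triage(final),
        "entry_section_final": section_containing(final, final["entry_rva"])["name"],
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On the constructed image the triage first reports that the entry point sits in .shrink0, which carries no IMAGE_SCN_CNT_CODE bit; after the E0000020 edit that finding goes away and is replaced by ".shrink0 is writable and executable", which is what a self-modifying unpacking stub needs and is also the usual tell-tale of a packed file when triaging an unknown binary.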