Tutorial Number 32
Written by Eternal Bliss
Email: Eternal_Bliss@hotmail.com
Website: http://crackmes.cjb.net
         http://surf.to/crackmes
Date written: 26th February 2000

Program Details:
Name: Notepad.exe packed with NeoLite v2.0
Tools Used: ProcDump
            Softice
            Symbol Loader
Cracking Method: Unpacking
Viewing Method: Use Notepad with Word Wrap switched on
                Screen Area set to 800 X 600 pixels (Optional)
__________________________________________________________________________

About this protection system

Notepad.exe packed with NeoLite v2.0 (option: maximum compression)
Aim: Unpacking it manually
_________________________________________________________________________

About this tutorial

This tutorial will show you how to unpack programs packed using NeoLite v2.0. The target program is notepad.exe, which is available on most computers. As I am still not very good at explaining certain stuff in unpacking, I can only try my best to show you the simple method. The import table and related structures are not dealt with here. This unpacking method will let you run the program and patch it. For the advanced method, you will have to read other tutorials.
_________________________________________________________________________

Making Softice break on Entry Point

Open the packed notepad.exe with Symbol Loader. Click the 2nd icon on Symbol Loader, which says "Load the currently open module". You will get an error message asking if you want to load the executable anyway. Click on "Yes". If Softice is loaded, it should break on the entry point of the program. But it doesn't break, and the packed notepad.exe runs at will.

Time to change the characteristics of the sections... By changing the characteristics, you will get Softice to break on the entry point.

Load the packed notepad.exe using ProcDump (using PE Editor). You will see a window with "PE Structure Editor" as the title. Click on the button called "Sections". You will get another window with "Sections Editor" as the title.
You will see the various sections of the packed notepad.exe. The first section is .text and its characteristics value is C0000080. Change the characteristics by left clicking .text, then right clicking and choosing "Edit section". You will get another window with "Modify section value" as the title. Change the Section Characteristics from C0000080 to E0000020. Keep pressing OK till you return to the main ProcDump window. You can leave ProcDump alone for the moment.

**Much as I would like to explain why this is necessary, I couldn't. 8P You might want to read up on PE structure to find out why. From what I was told, E0000020 will make the section executable, thus Softice will break on the entry point.
_________________________________________________________________________

Finding Entry Point and Dumping

Now, hope you didn't close Symbol Loader. If you did, open the packed notepad.exe and load the executable again. When you click on "Yes" this time, you will find yourself in Softice... I have pasted the following code and commented on it.

************************* What you see in SICE *************************

**You will be here when Softice breaks. Keep pressing F10 to trace through the code.

0040D17E  E9A6000000    JMP  0040D229          (JUMP)
0040D229  8B442404      MOV  EAX,[ESP+04]
0040D22D  23058FD14000  AND  EAX,[0040D18F]
0040D233  E871030000    CALL 0040D5A9

**Unpacking the program in memory is done by the CALL above. You can trace into it and see what it does if you want. 8)

0040D238  FE0528D24000  INC  BYTE PTR [0040D228]
0040D23E  FFE0          JMP  EAX

**This "JMP EAX" will bring the program to the original Entry Point. Take note of EAX, which is 004010CC in this case.

Now, type the following at 0040D23E:

a eip      (and press Enter)
jmp eip    (and press Enter)
F5

This will change the code at 0040D23E. You will notice that after typing in "jmp eip" and pressing Enter, the instruction at 0040D23E is now a JMP. This will effectively make the program "pause".
Pressing F5 allows you to return to Windows, and you can dump the unpacked program onto your HD. Using ProcDump, right click on the first list and choose "Refresh list". Look for the packed notepad.exe and right click on it. Choose "Dump (Full)" and save it. Right click on it again and choose "Kill Task".
_________________________________________________________________________

Changing Entry Point

If you remember, the entry point of the unpacked notepad.exe is 004010CC. Using the PE Editor function of ProcDump again, open the unpacked notepad.exe. Under "Header Infos", you will see that the entry point is 004010CC, which is the correct entry point, thus no change is required.

Now, run the unpacked notepad.exe. It should run. 8)
__________________________________________________________________________

Final Notes

This tutorial is dedicated to all the newbies like me.

My thanks and gratitude go to:-
MiZ, from whom I learnt the basics of unpacking.
All the writers of cracking tutorials and CrackMes, and also to all the crackers that have been supporting my site and project forum.
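The tutorial edits the .text section characteristics from C0000080 to E0000020 without explaining the value, and later checks that the dumped file's entry point 004010CC is correct. Both steps come down to reading the PE section header. The following Python script is an added example, not part of the tutorial and not code from ProcDump or NeoLite: it parses one IMAGE_SECTION_HEADER, decodes the IMAGE_SCN_* flag bits (C0000080 is read + write + uninitialized data, meaning the section is empty on disk and filled by the unpacking stub at run time; E0000020 is read + write + execute + code), flags writable-and-executable sections, which is a common heuristic malware analysts use to spot packed binaries, and checks that an entry point falls inside a section. The sample header bytes, the section sizes, and the ImageBase of 00400000 are constructed assumptions; only the characteristics values and the entry point 004010CC come from the tutorial.

```python
import struct

# IMAGE_SCN_* section characteristics bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_SHARED = 0x10000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

FLAG_NAMES = {
    IMAGE_SCN_CNT_CODE: "IMAGE_SCN_CNT_CODE",
    IMAGE_SCN_CNT_INITIALIZED_DATA: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    IMAGE_SCN_CNT_UNINITIALIZED_DATA: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    IMAGE_SCN_MEM_SHARED: "IMAGE_SCN_MEM_SHARED",
    IMAGE_SCN_MEM_EXECUTE: "IMAGE_SCN_MEM_EXECUTE",
    IMAGE_SCN_MEM_READ: "IMAGE_SCN_MEM_READ",
    IMAGE_SCN_MEM_WRITE: "IMAGE_SCN_MEM_WRITE",
}

# IMAGE_SECTION_HEADER: 8-byte name, six DWORDs, two WORDs, one DWORD = 40 bytes.
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)


def parse_section_header(raw: bytes) -> dict:
    """Decode one IMAGE_SECTION_HEADER into a dict of the fields we need."""
    if len(raw) < SECTION_HEADER_SIZE:
        raise ValueError("section header needs %d bytes" % SECTION_HEADER_SIZE)
    (name, vsize, vaddr, rawsize, rawptr, _relocs, _lines,
     _nrelocs, _nlines, chars) = struct.unpack(SECTION_HEADER_FMT, raw[:SECTION_HEADER_SIZE])
    return {
        "name": name.rstrip(b"\0").decode("ascii", errors="replace"),
        "virtual_size": vsize,
        "virtual_address": vaddr,
        "size_of_raw_data": rawsize,
        "pointer_to_raw_data": rawptr,
        "characteristics": chars,
    }


def decode_characteristics(value: int) -> list:
    """Names of the IMAGE_SCN_* bits set in a characteristics DWORD, lowest bit first."""
    return [FLAG_NAMES[bit] for bit in sorted(FLAG_NAMES) if value & bit]


def is_writable_executable(value: int) -> bool:
    """W+X sections are a classic packed-binary indicator: the stub writes the
    decompressed code into the section and then executes it in place."""
    return bool(value & IMAGE_SCN_MEM_WRITE) and bool(value & IMAGE_SCN_MEM_EXECUTE)


def make_executable(value: int) -> int:
    """Reproduce the tutorial's edit: drop the uninitialized-data bit and mark the
    section as code and executable, turning C0000080 into E0000020."""
    value &= ~IMAGE_SCN_CNT_UNINITIALIZED_DATA & 0xFFFFFFFF
    return value | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE


def section_contains_va(section: dict, va: int, image_base: int) -> bool:
    """True if a virtual address lies inside the section's in-memory span."""
    rva = va - image_base
    span = max(section["virtual_size"], section["size_of_raw_data"])
    return section["virtual_address"] <= rva < section["virtual_address"] + span


def check_entry_point(section: dict, entry_va: int, image_base: int) -> dict:
    """Sanity-check a dumped binary's entry point against a section header: the
    entry point must fall inside the section and the section must be executable."""
    chars = section["characteristics"]
    return {
        "entry_in_section": section_contains_va(section, entry_va, image_base),
        "section_executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
        "writable_and_executable": is_writable_executable(chars),
        "flags": decode_characteristics(chars),
    }


# Constructed sample: a .text header carrying the characteristics value the
# tutorial shows (C0000080). Sizes/addresses are made up; ImageBase is assumed.
SAMPLE_TEXT_SECTION = struct.pack(
    SECTION_HEADER_FMT, b".text\0\0\0", 0x7000, 0x1000, 0, 0, 0, 0, 0, 0, 0xC0000080)
ASSUMED_IMAGE_BASE = 0x00400000
OEP_FROM_TUTORIAL = 0x004010CC  # the EAX value noted at "JMP EAX"

if __name__ == "__main__":
    sec = parse_section_header(SAMPLE_TEXT_SECTION)
    print(sec["name"], "%08X" % sec["characteristics"], decode_characteristics(sec["characteristics"]))
    patched = make_executable(sec["characteristics"])
    print("after edit: %08X" % patched, decode_characteristics(patched))
    sec["characteristics"] = patched
    print(check_entry_point(sec, OEP_FROM_TUTORIAL, ASSUMED_IMAGE_BASE))
```

Running the script shows why the original header defeats the debugger: with C0000080 the section containing the entry point is not marked executable, and after the edit the report flags it as writable and executable at once, which is exactly the property a section-level scan would use to single out a packed or self-modifying executable.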