Tutorial Number 33
Written by Eternal Bliss
Email: Eternal_Bliss@hotmail.com
Website: http://crackmes.cjb.net
         http://surf.to/crackmes
Date written: 26th February 2000

Program Details:
Name: Notepad.exe packed with PECompact 1.24.1
Tools Used: ProcDump
            SoftICE
            Symbol Loader
Cracking Method: Unpacking

Viewing Method: Use Notepad with Word Wrap switched on
                Screen Area set to 800 x 600 pixels (Optional)

__________________________________________________________________________

About this protection system

Notepad.exe packed with PECompact 1.24.1 (option: maximum compression, JCALG1 library)
Aim: Unpacking it manually

_________________________________________________________________________

About this tutorial

This tutorial will show you how to unpack programs packed using PECompact 1.24.1. The target program is notepad.exe, which is available on most computers. As I am still not very good at explaining certain stuff in unpacking, I can only try my best to show you the simple method. The import table and related structures are not dealt with here. This unpacking method will let you run the program and patch it. For the advanced method, you will have to read other tutorials.

_________________________________________________________________________

Finding the program's Entry Point

Open the packed notepad.exe with Symbol Loader. Click the 2nd icon on Symbol Loader, which says "Load the currently open module". You will get an error message asking if you want to load the executable anyway. Click on "Yes". If SoftICE is loaded, it should break on the entry point of the program. I have pasted the code below and commented on it.

************************* What you see in SICE *************************

**You will be here when SoftICE breaks. Keep pressing F10 to trace through the code.

0040AC44  FFFF          INVALID
0040AC4C  9C            PUSHFD
0040AC4D  60            PUSHAD
0040AC4E  E802000000    CALL 0040AC55

**If you step over this CALL using F10, the program will run.
Thus, reload the program and step into this CALL using F8 next time.

While tracing, you will experience lots of conditional jumps and unconditional jumps. There are lots of loops which you will need to bypass unless you want to trace through them over and over again. For example:

*************************************

aaaaaaaa  ...
wwwwwwww  ...
xxxxxxxx  JNZ zzzzzzzz
yyyyyyyy  JMP aaaaaaaa      <-- Loop back to aaaaaaaa
zzzzzzzz  New Instructions

If you keep tracing, you will jump back to aaaaaaaa a lot of times. To save time, bpx on zzzzzzzz and then press F5 to go back to Windows and let the program run until zzzzzzzz is reached, thus bypassing the need to trace through the loop again and again.

*************************************

Finally, you will come across this section.

0040CA83  8BBD2E744000  MOV EDI,[EBP+0040742E]
0040CA89  E85E040000    CALL 0040CEEC
0040CA8E  61            POPAD
0040CA8F  9D            POPFD
0040CA90  50            PUSH EAX
0040CA91  68CC104000    PUSH 004010CC
0040CA96  C20400        RET 0004

When I started to learn unpacking, whenever I came across POPAD or POPFD, I became more alert. Like the previous 2 tutorials, 004010CC appears again for notepad.exe. This is the original entry point of the packed notepad.exe: the PUSH 004010CC followed by RET 0004 transfers control to it.

So, at the RET at 0040CA96, type:

a eip      (and press Enter)
jmp eip    (and press Enter)
F5

This will change the code at 0040CA96. You will notice that after typing in "jmp eip" and pressing Enter, the instruction at 0040CA96 is now a JMP to itself. This will effectively make the program "pause": it spins on that one instruction instead of jumping to the original entry point. Pressing F5 allows you to return to Windows, and you can dump the unpacked program onto your HD.

Using ProcDump, right click on the first list and choose "Refresh list". Look for the packed notepad.exe and right click on it. Choose "Dump (Full)" and save it. Right click on it again and choose "Kill Task".

_________________________________________________________________________

Changing Entry Point

If you remember, the entry point of the unpacked notepad.exe is 004010CC.
Using the PE Editor function of ProcDump again, open the unpacked notepad.exe. Under "Header Infos", you will see that the entry point is 0000AC44, which is wrong (the header stores the entry point as an RVA, i.e. relative to the image base of 00400000, which is why SoftICE broke at 0040AC44). Refer to my tutorial 31 on how to change the entry point to 004010CC (RVA 000010CC). Now, run the unpacked notepad.exe. It should run. 8)

__________________________________________________________________________

Final Notes

This tutorial is dedicated to all the newbies like me.

My thanks and gratitude go to:
MiZ, from whom I learnt the basics of unpacking.
All the writers of cracking tutorials and CrackMes, and also all the crackers who have been supporting my site and project forum.
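As an added example (not part of the original tutorial, and not ProcDump's or PECompact's own code), the following Python script does in code what the "Finding the program's Entry Point" and "Changing Entry Point" sections do by hand: it scans raw code bytes for the POPAD / POPFD / PUSH EAX / PUSH imm32 / RET 0004 tail the tutorial stops at, reads the pushed original entry point (004010CC here), and rewrites AddressOfEntryPoint in the dump's PE header. The header field is an RVA, so ImageBase (00400000) is subtracted first and 000010CC is stored, which is the same correction the tutorial makes with ProcDump's PE Editor. The stub bytes are copied from the tutorial's listing; the PE header is a constructed minimal PE32 header, not a real notepad.exe dump; all function names are my own.

```python
import struct

# Constructed sample input: the last instructions of the PECompact stub exactly as
# the tutorial shows them in SoftICE (opcode bytes copied from that listing):
#   61            POPAD
#   9D            POPFD
#   50            PUSH EAX
#   68 CC104000   PUSH 004010CC
#   C2 0400       RET 0004
STUB_TAIL = bytes.fromhex("61 9D 50 68 CC104000 C2 0400")

DOS_E_LFANEW = 0x3C    # offset of the PE header pointer in the DOS header
PE32_MAGIC = 0x10B     # IMAGE_NT_OPTIONAL_HDR32_MAGIC


def find_pushed_oep(code: bytes) -> list:
    """Return every 32-bit address pushed by a POPAD / POPFD / PUSH EAX /
    PUSH imm32 / RET 0004 sequence found in the given code bytes.
    The pushed immediate is what the final RET transfers control to,
    i.e. the original entry point (OEP) the tutorial is looking for."""
    hits = []
    pos = 0
    while True:
        pos = code.find(b"\x61\x9d\x50\x68", pos)
        if pos < 0 or pos + 11 > len(code):
            break
        if code[pos + 8:pos + 11] == b"\xc2\x04\x00":   # RET 0004 must follow the PUSH
            hits.append(struct.unpack_from("<I", code, pos + 4)[0])
        pos += 1
    return hits


def _optional_header_offset(img: bytes) -> int:
    """Locate IMAGE_OPTIONAL_HEADER, validating the MZ and PE signatures on the way."""
    if img[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", img, DOS_E_LFANEW)[0]
    if img[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe + 4 + 20                    # PE signature + IMAGE_FILE_HEADER
    if struct.unpack_from("<H", img, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 images are handled here")
    return opt


def read_entry_point(img: bytes) -> tuple:
    """Return (AddressOfEntryPoint as an RVA, ImageBase) from the optional header."""
    opt = _optional_header_offset(img)
    rva = struct.unpack_from("<I", img, opt + 16)[0]    # AddressOfEntryPoint
    base = struct.unpack_from("<I", img, opt + 28)[0]   # ImageBase
    return rva, base


def set_entry_point_va(img: bytearray, oep_va: int) -> int:
    """Rewrite AddressOfEntryPoint so the dump starts at virtual address oep_va.
    The header field is an RVA, so ImageBase is subtracted first; returns the RVA."""
    opt = _optional_header_offset(img)
    base = struct.unpack_from("<I", img, opt + 28)[0]
    rva = oep_va - base
    if rva < 0:
        raise ValueError("OEP lies below the image base")
    struct.pack_into("<I", img, opt + 16, rva)
    return rva


def build_sample_header(entry_rva: int, image_base: int = 0x00400000) -> bytearray:
    """Constructed minimal PE32 header (not a real notepad.exe dump): only the
    fields the functions above read or write are populated."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, DOS_E_LFANEW, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x84, 0x014C)         # Machine: i386
    struct.pack_into("<H", img, 0x84 + 16, 0xE0)      # SizeOfOptionalHeader
    opt = 0x80 + 4 + 20
    struct.pack_into("<H", img, opt, PE32_MAGIC)
    struct.pack_into("<I", img, opt + 16, entry_rva)
    struct.pack_into("<I", img, opt + 28, image_base)
    return img


def fix_dump(img: bytearray, stub_code: bytes) -> int:
    """Whole workflow: recover the OEP from the stub tail, then point the header at it.
    Exactly one candidate is required, because POPAD/POPFD is a hint, not a proof."""
    candidates = find_pushed_oep(stub_code)
    if len(candidates) != 1:
        raise ValueError("expected exactly one OEP candidate, got %r" % candidates)
    return set_entry_point_va(img, candidates[0])


if __name__ == "__main__":
    dump = build_sample_header(entry_rva=0x0000AC44)  # packer entry point the tutorial shows
    print("before: AddressOfEntryPoint = %08X" % read_entry_point(dump)[0])
    new_rva = fix_dump(dump, STUB_TAIL)
    print("after : AddressOfEntryPoint = %08X (VA %08X)" % (new_rva, new_rva + 0x00400000))
```

On a real dump you would read the file into a bytearray, pass the bytes of the packer's code section to find_pushed_oep, and write the patched header back; requiring exactly one candidate matters because the tutorial's own advice, "become more alert at POPAD/POPFD", is a heuristic, and a wrong entry point simply produces a dump that does not run.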