Welcome to my 22nd tutorial, today we will talk about Manual Unpacking!
What is Unpacking?
Unpacking is the process of removing the packer or encryption layer from a packed program, either with a ready-made
unpacker or by unpacking the program manually.
Packing means taking an exe file and encrypting it (the PE header included) so it will be harder to crack.
Let's get started:
------------------
In this essay I will use CoDe_InSide's EP_v0.1 (PE) packer/Encrypter.
So I will encrypt NotePade.exe!
* Some Windows users will probably notice that an encrypted file runs slow (it runs slow here as well); later u will see that we will dump the process and change some stuff in the file, and it will run smoothly.
Ok, so we got the packed NotePade.exe (don't run it yet, it will be slow ;D, for me at least).
Open ProcDump, press the "PE EDITOR" button, and load the encrypted NotePade.exe we made.
U will see a window with this information:
Entry Point: 0000D000 <= this is the Virtual Offset
Size of Image: 0000E000
Image Base: 00400000
Ok, now that we know the virtual offset (0000D000), click the "Sections" button,
u will see all the section information.
.text / .data / .idata / .rsrc / .reloc / PE (wonder what is this ;D )
Ok, look under Virtual Offset of section PE, u will see 0000D000, but we must
know the Raw Offset, so look under Raw Offset of section PE: it is 0000D000 too.
Wow, we got lucky, it's the same offset ;D (some packers use different offsets), but here it's the same ;D
Ok, now that we know the Raw Offset.
Why do we need to know the raw offset anyway?
We need it because a hex editor doesn't work with virtual offsets (sICE uses virtual offsets, or as we call them RVAs, relative virtual addresses, i.e. offsets from the Image Base).
So when we are editing hex values (in a hex editor) we need to know the Raw Offset!
So, our Raw Offset = 0000D000
Open up hex editor (any), and look for D000
U will see this in Hex-Editor:
D000: 50 83 C0 17 8B F0 97 33
Now, in order to make sICE break when we load the program (usually BPINT 3), we need to change the 50 -> CC (CC = int 3, the breakpoint instruction)
So in hex editor just change:
50
To:
CC
Now it will be like this -> D000: CC 83 C0 17 8B F0 97 33
Save the file and exit the hex editor.
Now load sICE (Ctrl+D).
Set a breakpoint: BPINT 3
Press enter, and exit sICE (Ctrl+D)
Load the encrypted file (notePade.exe), SICE will pop up here:
Now we need to change the "CC" back to "50" (the original value), because if we don't, sICE will exit and there will be an error message...so just press:
E EIP
U will see this:
0177:0040D000 CC 83 C0 17 P......3.3..$...- <= We will need to change this HEX value
Well, I looked for a value similar to the entry point, but here I found something even better: a jump to 004010DC (note: u need to move past some rets ;D).
Anyway, just write down the OEP "10DC" on paper or something!
Now look up (above the ASM code) u will see this:
004010DC 55 8B (the OEP starts here), so we will make an infinite loop at this spot.
We are going to use the "EBFE" trick (EB FE = jmp to itself)! Do this in sICE:
E EIP [enter]
EBFE : Change 558B to EBFE (Don't forget to remember 558B!)
ALT+D : To return to the Command Window
So we set a trap on the OEP ;D, now let's clear all breakpoints : BC *
And get out of sICE.
Now let's open ProcDump again. In the TASK window, scroll down and look for
the directory where u have the encrypted file, mine is:
C:\mirc\download\notepade.exe
Now select the file, right click with the mouse and choose: DUMP (FULL)
Save the new dump anywhere u like, choose a name of course ;D (I prefer the name DUMP.EXE ;D).
Now right click on it again and choose: KILL TASK (press OK after u get a message).
Now, the dump we made does not run yet, we need to modify it to make it run...duh! ;D
So click "PE Editor" and choose the new dump file we made.
Now the entry point is still 0000D000, so change it to the real OEP: 10DC (remember I told u to write it down ;D).
It will be like this now:
Entry Point: 000010DC
(OEP "004010DC" = Image Base "00400000" + "000010DC")
Now under "Apply Changes Method:" choose "To PE Header" <= so we can kick the encryption code as well (to reduce the exe size a bit ;D)
After choosing "To PE Header", click the "SECTIONS" button.
Now click on the section called "PE", right click and choose "Kill Section".
This will ensure that the encryption code won't be in the dump.exe anymore ;D
Now we will change the Size of Image:
Size of Image = Last Virtual Offset + Last Virtual Size
So because we killed the "PE" section, the last section is now ".reloc". To fix this, take the new last section, ".reloc", and add its Virtual Offset and Virtual Size together.
Right click on .reloc and choose "edit section"; u will see:
Offset = 0000C000
Virtual Size = 00001000
Size of Image = 0000C000 + 00001000 = 0000D000
Click the "CANCEL" button and we are back at the Header Info screen.
We see that "Size Of Image" = 0000E000 <= which is not correct anymore!
Change "Size Of Image": 0000E000 -> 0000D000
Press OK to rebuild the structure of dump.exe ;D
Exit procdump.
Try running the file (dump.exe)...what's going on, it's not working...why! >:/
Well, it won't work because it runs in the infinite loop we planted to keep the program from crashing!
Remember: 558B -> EBFE?
So open the hex editor again and go to the OEP we found (10DC).
* Sometimes in WinHex u won't find exactly 10DC (don't know why), so go to the nearest offset, i.e. 10E0/10D0 (u will see EBFE there, don't worry ;D).
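The header bookkeeping above (mapping a Virtual Offset to the Raw Offset a hex editor needs, the CC / EBFE byte patches and their restore, and the dump repair: new Entry Point, killed PE section, Size of Image = last section's Virtual Offset + Virtual Size) as one added Python example. This is not the tutorial's or ProcDump's code. It builds a constructed minimal PE32 image in memory whose section names and virtual offsets copy the page, but, unlike the lucky case on the page, its raw offsets differ from the virtual ones, so the mapping step actually does work. The stub bytes 50 83 C0 17 8B F0 97 33 and the OEP bytes 55 8B are the ones quoted on the page; every other value (raw offsets, sizes, alignments, the file length) is an assumption made for the sample.

```python
import struct

# Field offsets inside the PE32 optional header (from the PE format specification).
OPT_ENTRY, OPT_IMAGE_BASE, OPT_SECTION_ALIGN, OPT_FILE_ALIGN, OPT_SIZE_OF_IMAGE = 16, 28, 32, 36, 56
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes

# Constructed layout: the page's section names and virtual offsets, with assumed raw
# offsets that differ from the virtual ones (the page's file happened to have them equal).
LAYOUT = [  # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    (b".text",  0x4000, 0x1000, 0x4000, 0x0400),
    (b".data",  0x2000, 0x5000, 0x2000, 0x4400),
    (b".idata", 0x1000, 0x7000, 0x1000, 0x6400),
    (b".rsrc",  0x4000, 0x8000, 0x4000, 0x7400),
    (b".reloc", 0x1000, 0xC000, 0x1000, 0xB400),
    (b"PE",     0x1000, 0xD000, 0x1000, 0xC400),   # the packer's section, holds the stub
]

def build_sample_pe() -> bytearray:
    """Build a minimal PE32 image in memory (constructed sample, not a real Notepad)."""
    data = bytearray(0xD400)                       # file ends where the PE section's raw data ends
    data[0:2] = b"MZ"
    struct.pack_into("<I", data, 0x3C, 0x80)       # e_lfanew -> "PE\0\0" signature
    data[0x80:0x84] = b"PE\0\0"
    # COFF header: Machine=i386, NumberOfSections, timestamp, symtab, nsyms, SizeOfOptionalHeader, flags
    struct.pack_into("<HHIIIHH", data, 0x84, 0x14C, len(LAYOUT), 0, 0, 0, 0xE0, 0x10F)
    opt = 0x84 + 20
    struct.pack_into("<H", data, opt, 0x10B)                     # PE32 magic
    struct.pack_into("<I", data, opt + OPT_ENTRY, 0xD000)        # Entry Point inside the packer section
    struct.pack_into("<I", data, opt + OPT_IMAGE_BASE, 0x400000)
    struct.pack_into("<I", data, opt + OPT_SECTION_ALIGN, 0x1000)
    struct.pack_into("<I", data, opt + OPT_FILE_ALIGN, 0x200)
    struct.pack_into("<I", data, opt + OPT_SIZE_OF_IMAGE, 0xE000)
    for i, (name, vsize, va, rawsize, raw) in enumerate(LAYOUT):
        SECTION_HDR.pack_into(data, opt + 0xE0 + 40 * i, name, vsize, va, rawsize, raw,
                              0, 0, 0, 0, 0x60000020)
    data[0xC400:0xC408] = bytes.fromhex("5083C0178BF09733")   # stub bytes quoted on the page
    data[0x04DC:0x04DE] = bytes.fromhex("558B")               # OEP bytes quoted on the page (push ebp, ...)
    return data

def parse_pe(data: bytes) -> dict:
    """Read what ProcDump's PE Editor shows (Entry Point, Image Base, Size of Image)
    plus the section table (Virtual Offset / Virtual Size / Raw Offset / Raw Size)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, raw = SECTION_HDR.unpack_from(data, opt + opt_size + 40 * i)[:5]
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize, "va": va,
                         "rawsize": rawsize, "raw": raw})
    u32 = lambda off: struct.unpack_from("<I", data, opt + off)[0]
    return {"pe": pe, "opt": opt, "opt_size": opt_size, "entry": u32(OPT_ENTRY),
            "image_base": u32(OPT_IMAGE_BASE), "section_align": u32(OPT_SECTION_ALIGN),
            "size_of_image": u32(OPT_SIZE_OF_IMAGE), "sections": sections}

def rva_to_raw(sections, rva):
    """Map a Virtual Offset (RVA) to the Raw Offset a hex editor uses; None if no file data backs it."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            off = rva - s["va"]
            return s["raw"] + off if off < s["rawsize"] else None
    return None

def patch_bytes(data: bytearray, raw_off: int, new: bytes) -> bytes:
    """Overwrite bytes at a raw offset (the 50->CC and 558B->EBFE edits); returns the originals to restore."""
    old = bytes(data[raw_off:raw_off + len(new)])
    data[raw_off:raw_off + len(new)] = new
    return old

def fix_dump(data: bytearray, oep_rva: int) -> bytearray:
    """The page's repair of the dump: Entry Point -> OEP, kill the last (packer) section,
    Size of Image = new last section's Virtual Offset + Virtual Size (rounded up to the
    section alignment), and drop the killed section's file data so the stub is gone."""
    out = bytearray(data)
    info = parse_pe(out)
    secs = info["sections"]
    if len(secs) < 2:
        raise ValueError("nothing to kill")
    struct.pack_into("<I", out, info["opt"] + OPT_ENTRY, oep_rva)
    killed, last = secs[-1], secs[-2]
    struct.pack_into("<H", out, info["pe"] + 6, len(secs) - 1)        # NumberOfSections - 1
    hdr = info["opt"] + info["opt_size"] + 40 * (len(secs) - 1)
    out[hdr:hdr + 40] = bytes(40)                                    # wipe the killed header
    align = info["section_align"]
    size_of_image = (last["va"] + last["vsize"] + align - 1) & ~(align - 1)
    struct.pack_into("<I", out, info["opt"] + OPT_SIZE_OF_IMAGE, size_of_image)
    if killed["raw"] >= max(s["raw"] + s["rawsize"] for s in secs[:-1]):
        del out[killed["raw"]:]                                      # stub data was at end of file
    return out

if __name__ == "__main__":
    img = build_sample_pe()
    info = parse_pe(img)
    raw_ep = rva_to_raw(info["sections"], info["entry"])
    print(f"Entry Point {info['entry']:08X} -> raw offset {raw_ep:X}: {img[raw_ep:raw_ep + 8].hex(' ')}")
    old = patch_bytes(img, raw_ep, b"\xCC")        # the int 3 trick; keep `old` to put 50 back
    patch_bytes(img, raw_ep, old)
    fixed = parse_pe(fix_dump(img, 0x10DC))
    print(f"fixed: EP {fixed['entry']:08X}, Size of Image {fixed['size_of_image']:08X}, "
          f"sections {[s['name'] for s in fixed['sections']]}")
```

Note the order of checks in the real workflow: the EBFE bytes at the OEP must be restored to 558B in the dump before it will run, and in a ProcDump full dump the raw and virtual offsets coincide, so the OEP sits at file offset 10DC there, whereas in this constructed file it sits at 4DC because .text starts at raw 400.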