Exepackers - how to defeat them
How to unpack programs packed with a less well-known exe-packer under Windows.
Compression of exe files can be a real obstacle for beginners; it may block reversing the program altogether.
I recently received a question on this topic, so I have decided to start a series of texts about it.
It begins with the information we discussed on the list (translator's note: CrackPL is a Polish mailing list about reverse engineering).
I came to the conclusion that I might as well write some advice on how to make such files easier to crack.
Today's target is WinAmp 2.00 and we will use ProcDump 1.0 beta.
Obviously, every executable that is compressed or even encrypted can always be decompressed (decrypted), because exactly that happens in memory when the program starts. Often a compressed program also contains anti-debugging tricks, especially anti-SoftICE ones. Dealing with those tricks is not the most important problem right now (maybe in the next tutorial).
So, at the beginning you should always look at the program's startup code (the code the entry point points to).
For Win32 programs such code looks similar from one program to the next and calls several standard API functions.
For example, Windows 95's Notepad has this entry point:
014F:00401000 55 PUSH EBP --> Entry Point
014F:00401001 8BEC MOV EBP,ESP
014F:00401003 83EC44 SUB ESP,44
014F:00401006 56 PUSH ESI
014F:00401007 FF1548734000 CALL [KERNEL32!GetCommandLineA]
014F:0040100D 8BF0 MOV ESI,EAX
014F:0040100F 8A00 MOV AL,[EAX]
................cut...............
014F:0040104C 50 PUSH EAX
014F:0040104D FF1558734000 CALL [KERNEL32!GetStartupInfoA]
................cut ..............
014F:00401064 6A00 PUSH 00
014F:00401066 6A00 PUSH 00
014F:00401068 FF155C734000 CALL [KERNEL32!GetModuleHandleA]
014F:0040106E 50 PUSH EAX
014F:0040106F E87B0E0000 CALL 00401EEF -->Start of programme
014F:00401074 50 PUSH EAX
014F:00401075 8BF0 MOV ESI,EAX
014F:00401077 FF1554734000 CALL [KERNEL32!ExitProcess] -->The End.
For most software this looks similar. When the program is compressed or encrypted, however, the entry point holds the decompression (decryption) routine instead.
It looks like this:
Start of the program
Decompress to some address in memory
Check whether everything is OK
Jump (JMP) to the address in memory where our main program now lives.
In that case one has to find the address in memory where the decompressed code is placed and the moment of the jump to it. I will not describe how to search for it, because the decompression code is as a rule short and can be traced with SoftICE or another debugger.
So let's look at the startup code of WinAmp 2.0.
:u 4d1000 l f
014F:004D1000 669C PUSHF
014F:004D1002 60 PUSHAD
014F:004D1003 E8CA000000 CALL 004D10D2 ---> decompress function
014F:004D1008 0300 ADD EAX,[EAX]
014F:004D100A 0400 ADD AL,00
014F:004D100C 0500060007 ADD EAX,07000600
:u eip l 8f
014F:004D10D2 58 POP EAX ---> EAX = 004D1008, the return address pushed by the CALL
014F:004D10D3 2C08 SUB AL,08 ---> EAX = 004D1000: the stub computes its own load address (the bytes at 004D1008 are data, not code)
014F:004D10D5 50 PUSH EAX
................cut...............
014F:004D1108 50 PUSH EAX
014F:004D1109 800424BF ADD BYTE PTR [ESP],BF
014F:004D110D 833A00 CMP DWORD PTR [EDX],00
014F:004D1110 0F84A7140000 JZ 004D25BD ---> the end of decompression
014F:004D1116 F70200000080 TEST DWORD PTR [EDX],80000000
014F:004D111C 741B JZ 004D1139
................cut...............
014F:004D25BD 8B6C2418 MOV EBP,[ESP+18]
014F:004D25C1 8BFD MOV EDI,EBP
014F:004D25C3 81EF00004000 SUB EDI,00400000
014F:004D25C9 85FF TEST EDI,EDI
014F:004D25CB 7443 JZ 004D2610 --> some checks
................cut...............
:u eip l 2f
014F:004D2617 81C62A160000 ADD ESI,0000162A
014F:004D261D 6A05 PUSH 05
014F:004D261F 59 POP ECX
014F:004D2620 F3A4 REPZ MOVSB
014F:004D2622 61 POPAD
014F:004D2623 669D POPF
014F:004D2625 E94653F5FF JMP 00427970 --> jump to main programme
014F:004D262A E96B69F5FF JMP 00428F9A
This is how I recognized that this is the jump to the main program: right after it the standard startup code with API calls begins. If we display the contents of that memory at the start (d cs:00427970 in SoftICE, of course), then while stepping we will see the decompression function writing everything there. What matters most to us is the JMP 00427970, after which the already decompressed code executes; how we get there does not matter, even by trial and error.
Now we will use ProcDump to decompress. It offers, among other things, decompression of packed exes (which does not always work) and defining a script to unpack even new or unknown packers.
Everything is defined in the file script.ini. Shrinker, PESHIELD and WWPACK are already defined there. The program uses several commands for such definitions; check them out yourself.
We'll add a new section, e.g. WinAmp.
[INDEX]
P1=PEShield
......
P7=WinAmp
[WinAmp]
L1=LOOK E9,46,53,F5,FF
L2=BP
L3=STEP
This means: search (command LOOK) for the bytes of our jump JMP 00427970 (E9,46,53,F5,FF is the same instruction in hex: opcode E9 followed by the 32-bit relative offset, little-endian), put a breakpoint on it once found (BP), and finally single-step through it (STEP) and save the decrypted file to disk.
Pretty easy, isn't it? :).
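To see where the LOOK bytes come from, here is an added Python example (my own, not part of the original tutorial and not ProcDump's code) that encodes the JMP 00427970 at 004D2625 into E9 46 53 F5 FF, scans the tail of the stub bytes from the SoftICE listing above for near jumps, and applies a heuristic for picking the tail jump to the unpacked code: a jump that leaves the stub's own address range and is preceded by POPAD/POPF. The sample bytes are constructed from the listing above; the stub address range 004D1000..004D3000 and the POPAD/POPF rule are assumptions of this example, not anything ProcDump does.

```python
import struct

# Constructed sample input: the tail of the WinAmp 2.0 unpacking stub exactly
# as the tutorial's SoftICE listing shows it, starting at VA 0x004D2617.
STUB_VA = 0x004D2617
STUB_BYTES = bytes.fromhex(
    "81C62A160000"  # ADD ESI,0000162A
    "6A05"          # PUSH 05
    "59"            # POP ECX
    "F3A4"          # REP MOVSB
    "61"            # POPAD
    "669D"          # POPF
    "E94653F5FF"    # JMP 00427970   (the tail jump to the unpacked program)
    "E96B69F5FF"    # JMP 00428F9A
)

JMP_REL32 = 0xE9          # opcode of the 5-byte near jump
POPAD, POPF = 0x61, 0x9D  # register-restore opcodes that usually precede the tail jump


def encode_jmp(from_va, to_va):
    """Encode 'JMP to_va' placed at from_va as E9 + little-endian rel32.
    rel32 is measured from the end of the 5-byte instruction."""
    rel = to_va - (from_va + 5)
    return bytes([JMP_REL32]) + struct.pack("<i", rel)


def look_pattern(from_va, to_va):
    """The same bytes written in ProcDump's LOOK syntax, e.g. 'E9,46,53,F5,FF'."""
    return ",".join("%02X" % b for b in encode_jmp(from_va, to_va))


def decode_jmp(buf, off, base_va):
    """Target VA of the E9 jump found at offset off in buf (buf loaded at base_va)."""
    rel = struct.unpack_from("<i", buf, off + 1)[0]
    return base_va + off + 5 + rel


def find_near_jmps(buf, base_va):
    """Linear scan for E9 xx xx xx xx; returns [(jump_va, target_va), ...].
    A byte-wise scan knows nothing about instruction boundaries, so an E9 that
    sits inside an immediate is reported too; callers filter by target."""
    hits = []
    for off in range(len(buf) - 4):
        if buf[off] == JMP_REL32:
            hits.append((base_va + off, decode_jmp(buf, off, base_va)))
    return hits


def tail_jump(buf, base_va, stub_lo, stub_hi):
    """Heuristic (an assumption of this example) for the 'JMP to the original
    entry point' that ends most packer stubs: a near jump whose target lies
    outside the stub's address range [stub_lo, stub_hi) and whose preceding
    bytes restore the registers saved at stub entry (POPAD / POPF).
    Returns (jump_va, target_va) or None."""
    for jump_va, target in find_near_jmps(buf, base_va):
        if stub_lo <= target < stub_hi:
            continue  # jumps that stay inside the stub are loop control
        off = jump_va - base_va
        window = buf[max(0, off - 4):off]
        if POPAD in window or POPF in window:
            return jump_va, target
    return None


if __name__ == "__main__":
    print("LOOK", look_pattern(0x004D2625, 0x00427970))
    for va, tgt in find_near_jmps(STUB_BYTES, STUB_VA):
        print("JMP at %08X -> %08X" % (va, tgt))
    print("tail jump:", tail_jump(STUB_BYTES, STUB_VA, 0x004D1000, 0x004D3000))
```

Because rel32 is relative to the end of the instruction, the pattern is tied to this particular jump site and target: the same packer on a different binary, or even another build of WinAmp, yields different bytes and needs its own LOOK line. The byte-wise scan has no notion of instruction boundaries, which is why the target-range and POPAD/POPF filters are needed before trusting a hit.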
Run ProcDump, choose Trace with our type WinAmp, open WinAmp.exe and the program decompresses itself beautifully. Most importantly, it still works after this process. IMO, ProcDump is worth your interest and some practice, e.g. on WinAmp itself.
You can always find software compressed with a not-so-well-known compressor, and then this is how we will handle it. Those who do not know ProcDump should download it from http://www.suddendischarge.com/ in the NonDOS section, or from http://pub.vse.cz/pub/msdos/SAC/pc/pack/.