*********************************************************************************************************
			Manual Unpacking of Simple PE Crypter Beta 3 (SPEC)
*********************************************************************************************************

Author:		Hayras
Protection:	None
URL:		http://www.mesa-sys.com/~codomain/packers/specb3.zip
Tools:		SoftICE V4.05
		ProcDump V1.6.2
		Hex-Editor


--->	Intro...

Welcome to my next Tutorial !!!
This time a Simple PE Crypter ;)
Notice that I'll go through this a little faster, so I assume you know a bit about what I'm talking about.
If you want more detail on some of what I'm doing, then read my other Tutorials ;P


--->	Author Words...

This is a very simple and limited pe crypter. It doesn't do anything other
than crypt the code and data section. No anti stuff or compression.


--->	Let's Begin...

Put the target file on your desktop (that's the best place I think :)
Then load the packed file in the "PE Editor" option in ProcDump.
Then check the "Entry Point" of the packed file; it is: 0000D000
Now look in "Sections" to see whether that value is already the "Raw Offset"; if not, work out the "Raw Offset" that belongs to it :)
OK, now open the packed file in your Hex-Editor, go to that offset (the entry point) and replace the byte there with "CC" (int 3).
Remember the original byte, of course.
Save the file, set a breakpoint on "int 3" (bpint 3) and run the file; SoftICE breaks.
Now replace the "CC" with the original byte and then trace all the way down until you see this:

---------------------------------------------------------------------------------------------------------

mov eax, [ebp+00402692]
add eax, [ebp+0040268D]
jmp eax

---------------------------------------------------------------------------------------------------------

EAX now contains the real OEP, so write it down and trace over the "jmp eax".
Then use the "EBFE" trick (patch in EB FE, a jump to itself), get out of SoftICE and open ProcDump.
Then right-click on the target file, click on "DUMP (full)" and save the file as whatever you want.
Then open the new file in "PE Editor" and change the Entry Point to the real OEP, and of course don't forget
to change the "EBFE" bytes back to the original ones; save the file and you're done :P
To get rid of the "hayras" section, use "PE Editor" in ProcDump and "Kill" it :)
That's all.
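
Added example, not part of the original tutorial: the "Entry Point" to "Raw Offset" lookup done by hand in the PE Editor above, written as a Python routine that reads the section table.
The function names and the two-section layout of the sample image are assumptions constructed for illustration; only the entry point 0000D000 and the "hayras" section name come from the text.

```python
import struct

def entry_point_raw_offset(pe: bytes):
    """Return (entry_rva, section_name, raw_offset) for a PE image held in memory."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                      # 20-byte COFF file header
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20                          # optional header
    entry_rva, = struct.unpack_from("<I", pe, opt + 16)   # AddressOfEntryPoint
    table = opt + opt_size                   # section table, 40 bytes per entry
    for i in range(num_sections):
        hdr = table + i * 40
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<4I", pe, hdr + 8)
        span = max(vsize, rsize)             # some tools leave VirtualSize at 0
        if vaddr <= entry_rva < vaddr + span:
            delta = entry_rva - vaddr
            if delta >= rsize:               # RVA exists only in memory, not on disk
                raise ValueError("entry point has no bytes on disk")
            return entry_rva, name, rptr + delta
    raise ValueError("entry point is outside every section")

def build_sample() -> bytes:
    """Constructed header-only image: entry point 0000D000, made-up section layout."""
    e_lfanew, opt_size = 0x80, 0xE0
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, 0xD000).ljust(opt_size, b"\0")
    def sec(name, vsize, vaddr, rsize, rptr):
        return name.ljust(8, b"\0") + struct.pack("<4I", vsize, vaddr, rsize, rptr) + b"\0" * 16
    sections = (sec(b".text", 0x8000, 0x1000, 0x8000, 0x400)
                + sec(b"hayras", 0x2000, 0xC000, 0x1200, 0x8400))
    return dos.ljust(e_lfanew, b"\0") + b"PE\0\0" + coff + opt + sections

if __name__ == "__main__":
    rva, name, off = entry_point_raw_offset(build_sample())
    print(f"entry RVA {rva:08X} in section {name!r} -> file offset {off:08X}")
```

To use it on a real file, pass the file's bytes read in binary mode instead of build_sample().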


--->	Outro...

Well, a fast Tutorial this time, and the reason for this is that it actually goes the same way for all
packed files :)
So I didn't want to write more about it; as I mentioned above, read my other Tutorials for a better
explanation.
And btw, as you probably noticed, it changes the Import Table. To fix this problem, dump the file
before it changes it :)


--->	Greetings...


Everyone from TrickSoft			(www.TrickSoft.net)
Everyone from Cracking4Newbies		(www.Cracking4Newbies.com)
Everyone from Keygenning4Newbies	(Keygenning4Newbies.cjb.net)
And You...

			Don't trust the Outside, trust the InSiDe !!!

					  Cya...

					CoDe_InSiDe

Email:	code.inside@home.nl