*************************************************************************************************
				Manual Unpacking of NeoLite V2.00
*************************************************************************************************

Author:		NeoWorx Inc.
Protection:	None
URL:		http://mud.sz.jsinfo.net/per/aaron/files/compressors/win/neolte20.zip
Tools:		SoftICE V4.05
		ProcDump V1.6.2
		Hex-Editor


--->	Intro...

Welcome to my next Tutorial !!!
Ok, well NeoLite is very simple and you'll see why soon ;)
I hope you like this Tutorial and learn something from it ;)


--->	Let's Begin...

This zip file includes:

Tut27_MUP_NeoLite V2.00.txt	(This Tutorial)
NeoLite_Notepad.exe		(Our Target)

Ok, first of all we need the Entry Point of the Packed Program, so open the Packed Program in
ProcDump (In ProcDump click on "PE Editor" and open the Target file) and it says:

Entry Point: 0000D17E

As always this is a Virtual Offset, so click on "Sections" to find out what the Raw Offset is :)
And you'll see 6 Sections.
Look at the last Section called ".neolit":

Name:			.neolit
Virtual Size:		00001BDE
Virtual Offset:		0000D000
Raw Size:		00001BDE
Raw Offset:		00003000
Characteristics:	E0000020

So how do we find out the Raw Offset of the Entry Point? Simple :)
Subtract the difference between the Section's Virtual Offset and its Raw Offset:

Raw EP = 0000D17E - (0000D000 - 00003000)
Raw EP = 0000317E
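
The same Virtual-to-Raw conversion done in code, as an added example (not part of the original
tutorial): a small Python parser that walks the PE section table. The sample header is constructed;
only the .neolit values, the Entry Point and the Image Base implied by 004010CC/000010CC come from
this page, and the ".fake" section is made up.

```python
import struct

SECTION_HDR = struct.Struct("<8sIIII")  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData

def pe_fields(pe: bytes):
    """Return (optional-header offset, section count, section-table offset)."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", pe, nt + 6)          # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, nt + 20)     # SizeOfOptionalHeader
    return nt + 24, nsec, nt + 24 + opt_size

def entry_point_rva(pe: bytes) -> int:
    return struct.unpack_from("<I", pe, pe_fields(pe)[0] + 16)[0]   # AddressOfEntryPoint

def image_base(pe: bytes) -> int:
    return struct.unpack_from("<I", pe, pe_fields(pe)[0] + 28)[0]   # ImageBase (PE32 only)

def rva_to_raw(pe: bytes, rva: int):
    """Map an RVA to (section name, file offset) by walking the section table."""
    _, nsec, table = pe_fields(pe)
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr = SECTION_HDR.unpack_from(pe, table + 40 * i)
        if vaddr <= rva < vaddr + max(vsize, rsize):
            if rva - vaddr >= rsize:
                raise ValueError("RVA is in virtual padding, no bytes on disk")
            return name.rstrip(b"\0").decode(), rptr + (rva - vaddr)
    raise ValueError("RVA is outside every section")

def build_sample() -> bytes:
    """Constructed header-only image: a made-up '.fake' section plus the page's .neolit values."""
    pe = bytearray(0x200)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)                # e_lfanew -> PE signature at 0x80
    pe[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", pe, 0x84, 0x14C, 2)           # Machine (i386), NumberOfSections
    struct.pack_into("<H", pe, 0x80 + 20, 0xE0)           # SizeOfOptionalHeader
    struct.pack_into("<I", pe, 0x98 + 16, 0x0000D17E)     # Entry Point shown by ProcDump
    struct.pack_into("<I", pe, 0x98 + 28, 0x00400000)     # Image Base implied by the page
    for i, sec in enumerate([(b".fake", 0x2000, 0x1000, 0x1000, 0x1000),     # constructed
                             (b".neolit", 0x1BDE, 0xD000, 0x1BDE, 0x3000)]):  # from the page
        SECTION_HDR.pack_into(pe, 0x98 + 0xE0 + 40 * i, *sec)
    return bytes(pe)

if __name__ == "__main__":
    s = build_sample()
    print(rva_to_raw(s, entry_point_rva(s)), hex(0x004010CC - image_base(s)))
```

An address that falls in a Section's virtual padding (Virtual Size bigger than Raw Size) has no
bytes in the file, which is why the function raises instead of returning an offset there.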

Ok, close ProcDump and open the file in your Hex-Editor and put a "CC" (INT 3)
at the location 0000317E (Remember the original byte of course ;).
Now get into SoftICE (CTRL+D) and type "bpint 3", then leave SoftICE (CTRL+D) and open the
Packed Program (NeoLite_Notepad.exe) and SoftICE should pop up.
Now type/press this:

d eip [enter]	(Go to the current location)
ALT+D		(Edit the data window)
E9		(Type our original byte)
ALT+D		(Return to the command window)

Now we can trace the stuff ;)
But let me show you the beginning of the code you reach once you've executed the "jmp" (Like I
said above, this can easily be defeated ;):

0040D229	mov eax, dword ptr [esp+04]
0040D22D	and eax, dword ptr [0040D18F]
0040D233	call 0040D725				(The Unpacking Process)
0040D238	inc byte ptr [0040D228]
0040D23E	jmp eax					(Jump to the real OEP :)

As you can see you can skip the complete Unpacking Process by simply tracing to the instruction
"jmp eax" :)
You can of course trace into the call for learning purposes :)
But it's not necessary here because NeoLite does nothing really difficult.
So trace until you're just past the instruction "jmp eax" and then we're at the real OEP.
Write down the real OEP (004010CC) and now we're going to use the "EBFE" trick ;)
(EB FE is a short jump to itself, so the process keeps spinning at the OEP while we dump it.)
So type/press this:

d eip [enter]	(Go to the current location)
ALT+D		(Edit the data window)
EBFE		(Type EBFE, remember the original bytes)
ALT+D		(Return to the command window)

Ok, now you can press (CTRL+D) to get out of SoftICE and open ProcDump.
Then in the main window click with your right mouse button on the line that looks like this:

"C:\windows\desktop\NeoLite_Notepad.exe"

and select "DUMP (full)", then save the file with some filename at some location (I always use
desktop).
Now click with your right mouse button again on that line and select "Kill task" to terminate
the process.
Ok, now click on "PE Editor" (In ProcDump) and open the Unpacked file, then change the Entry
Point to this:

Entry Point: 000010CC		(without Image Base)

And click on "Ok" and close ProcDump.
If you run the file now then it'll run in a loop ;)
We need to undo the "EBFE" trick and put the original bytes back.
So open the Unpacked file in your Hex-Editor and get to the OEP (000010CC) and change this:

EBFE

into:

558B

Save the file and run it, it works ;)
You can delete the Unpacking Code but I'll leave that to you :) (I always do it, hehe)
If you delete the Unnecessary Code the file even becomes smaller :P


--->	Greetings...

Everyone from TrickSoft			(www.TrickSoft.net)
Everyone from Cracking4Newbies		(www.Cracking4Newbies.com)
Everyone from Keygenning4Newbies	(Keygenning4Newbies.cjb.net)
And You...

			Don't trust the Outside, trust the InSiDe !!!

					  Cya...

					CoDe_InSiDe

Email:	code.inside@home.nl