
                        Unpacking WWPack32 ver.1.2.X.XXX

                                  by Renegade


Disassembling a packed file we'll notice that WWPack32 adds a new section
to it:

.text    RVA: 00000000 Offset: 00000000 Size: 00000000 Flags: 00000000
.bss     RVA: 00000000 Offset: 00000000 Size: 00000000 Flags: 00000000
.data    RVA: 00000000 Offset: 00000000 Size: 00000000 Flags: 00000000
.idata   RVA: 00000000 Offset: 00000000 Size: 00000000 Flags: 00000000
.rsrc    RVA: 00000000 Offset: 00000000 Size: 00000000 Flags: 00000000
.reloc   RVA: 00000000 Offset: 00000000 Size: 00000000 Flags: 00000000
.WWP32   RVA: 00000000 Offset: 00000000 Size: 00000000 Flags: 00000000


We could now calculate the new entrypoint by adding the RVA to the image 
base (0040000), but using a decent disassembler like IDA this is not even
necessary:

+------------ Choose an entry point ------------+
|            Name                  Address   #  |
| start                            00000000     |
|                                               |
|                                               |
+_______________________________________________+


so the .WWP32 section starts with:

.WWP32:00000000 53                public start                                
.WWP32:00000000                   start proc near                             
.WWP32:00000000                   push    ebx                                 
.WWP32:00000000 55                push    ebp                                 
.WWP32:00000000 8B E8             mov     ebp, eax                            
.WWP32:00000000 33 DB             xor     ebx, ebx                            
.WWP32:00000001 EB 60             jmp     short _WWP32_000000                 
.WWP32:00000000 0D 0A 0D 0A 57 57+str->Wwpack32Decompr db 0Dh,0Ah             
.WWP32:00000000 50 61 63 6B 33 32+db 0Dh,0Ah                                  
.WWP32:00000000 20 64 65 63 6F 6D+db 'WWPack32 decompression routine...
.WWP32:00000000 70 72 65 73 73 69+db '(c) 1998 Piotr Warezak and Rafal...
.WWP32:00000000 6F 6E 20 72 6F 75+db 0Dh,0Ah                                  


Following the code at .WWP32:00000001 and tracing until the jump which 
leaves this section we'll find the code section.Of course it's more or
less always the same piece of code which takes us to the code section:

_WWP32_XXXXXX:                ; CODE XREF
add     [esi], eax
xor     edx, edx
mov     dl, [ebx]
inc     ebx
cmp     dl, 0
jz      short _WWP32_XXXXXX
add     esi, edx
jmp     short _WWP32_XXXXXX
_WWP32_XXXXXX:                ; CODE XREF
pop     eax
popa
pop     eax
mov     ebp, eax
add     eax, cs:[ebp+XXXh]
add     eax, XXXh
pop     ebp
pop     ebx
jmp     near ptr _OUR SECTION_XXXXXX


So we get to OUR SECTION and that's exactly the old entrypoint of the 
unpacked file.

Now we need to rebuild the old unpacked code section.Let's get more 
informations on the sections, for example using PEWizard.

         VSize   RVA     Size     Offset   Rel     Lines   ...
 .code   0x000X2 0x000X3 0x0000X  0x00000  0x0     0x0     0x0     0x0
 .data   0x00000 0x00000 0x00000  0x00000  0x0     0x0     0x0     0x0
 .rdata  0x00000 0x00000 0x00000  0x00000  0x0     0x0     0x0     0x0
 .reloc  0x00000 0x00000 0x00000  0x00000  0x0     0x0     0x0     0x0
 .rsrc   0x00000 0x00000 0x00000  0x00000  0x0     0x0     0x0     0x0
 .WWP32  0x00000 0x00000 0x00000  0x00000  0x0     0x0     0x0     0x0


The physical size is 0x0000X and the unpacked size has to be 0x000X2
Using a dumper we can now save the stuff to a file, the beginning of the
section is always image base + RVA, 00400000 + 0x000X3

Of course we have to change the physical size in our dumb file, and thus
also modify the offsets. We know already the size of the unpacked code
section.We can do this by adding the offset to the size and enter the 
result as new offset, and then always use the result we got from the
last addition as offset to add to the next section we want to calculate
the offset ;)


The header has to be re-aligned now, this can be done by using PE Rebuilder,
for example, or by modifying manually the offsets with the given value
of "FileAlign"
To conclude the alignment we have to divide the pysical size of the code
segment by the value of FileAlign,thus delete the last 16 bytes of this
section.
Then we subtract these 16 bytes also from the other offsets and the alignment
is finished.


Now change the entrypoint in the header (dumbed file) with the new entrypoint
we figured out before, converting it into a RVA using, for example, AOU.
Rebuild the PE with the modyfied code section and the file is unpacked!

