How to write an automatic script for ProcDump 1.5?

Tools: SoftICE 4.1 (Http://crackfr.cjb.net, a French site)
       ProcDump 1.5 (Http://Procdump32.cjb.net, official site)

Target/packer: PCSHRINK 0.71 Beta (Http://virogen.cjb.net, but I hope the site is down: try the Phrozen Crew site
(Http://www.Phrozencrew.com) or Protools's site (Http://www.Protools.com))

Today we will see how to write a script for a packer that ProcDump cannot handle yet: programs compressed with PCShrink
0.71 beta. This is a release by Virogen of Phrozen Crew. PCShrink compresses with a ratio a little lower than UPX (Markus
Oberhumer, Laszlo Molnar), which has the best ratio in my opinion. I did not find any programs compressed with PCShrink 0.71
beta, so I have taken PCShrink itself...

Step 1  

Take Symbol Loader and open PCSHRINK 0.71. Run the program: SoftICE breaks at the beginning of the program. Tracing with
the F10 key, we quickly arrive at this:

:00406721 lea esi, dword ptr [ebp+0040397D]
:00406727 mov ecx, 000000FC
:0040672C repz
:0040672D movsd
:0040672E pop edi
:0040672F jmp edi  

At 40672F we see a rather odd 'jmp edi'... If you have already practised manual unpacking a little, this jmp should catch your
attention. Indeed, coders usually jump to the entry point of the program once it is unpacked. But we are really at the beginning
of the routine and our program is not unpacked yet. At this time PCShrink has unpacked only a part of the program... We note
the address of the 'jmp edi' (40672F); we will need it. Continuing the trace with F10, we see this:

:41009c pop EDI 
:41009d repz movsb 
:41009f jmp 4101d8  

When you are here, the program will have unpacked some more bytes but still not the whole program. For our script we will
need this address too, so note it (41009F). We continue the trace to finally arrive at this:

:0410296 popad
:0410297 popfd ----------------- we restore the registers
:0410298 mov edx,0401000 ------- the original entry point is put in EDX
:041029d jmp edx --------------- and we jump to EDX, the original program...

Arriving at address 410298, the program puts 401000 in EDX. And generally, 401000 is the entry point of programs running
under Windows. After this mov you have a 'jmp edx' (that is what I said a few moments ago). Now there is no more possible
error: the 'jmp edx' is really the last instruction of the unpacking routine. To check it, when you arrive at address 41029D, do
not execute it. Type A 41029d in SoftICE: we are in the ASM editor of SoftICE. Replace 'jmp edx' with 'jmp eip'. Now our
program will loop forever at address 41029D. Take ProcDump and change an option: choose 'Rebuild New Import Table'.
In the main screen of ProcDump we easily locate our program. Right-click on it and choose 'Dump (Full)'. Give a name to our
save: dump.exe, for example. Now we have an unpacked exe, but we still need to give it the right entry point, which is
401000. Take ProcDump again and go to the 'PE Editor' option. Open our dump.exe. ProcDump shows 'Image Base' = 400000,
and our entry point is 401000. Therefore 401000 - 400000 = 1000 = our entry point (the RVA the PE header expects). In the
'Entry Point' box put '1000'. Now your exe is unpacked with a good entry point: launch it to check.
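The same subtraction that ProcDump's PE Editor makes you do by hand (401000 - 400000 = 1000), written as an added example that is not part of this tutorial or of ProcDump. It parses a constructed, minimal PE32 header (not a real dump; the packer-stub entry point 0x6000 is a made-up value), reads ImageBase, converts the VA seen in SoftICE to an RVA and writes it into AddressOfEntryPoint, with a check that refuses PE32+ images, where ImageBase sits at another offset.

```python
import struct

# Field offsets inside IMAGE_OPTIONAL_HEADER32 (PE32), relative to its start.
OPT_MAGIC = 0
OPT_ADDRESS_OF_ENTRY_POINT = 16
OPT_IMAGE_BASE = 28
PE32_MAGIC = 0x10B


def optional_header_offset(image: bytes) -> int:
    """File offset of the optional header, after checking the MZ and PE signatures."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found at e_lfanew")
    opt = e_lfanew + 4 + 20            # skip the signature and IMAGE_FILE_HEADER
    if struct.unpack_from("<H", image, opt + OPT_MAGIC)[0] != PE32_MAGIC:
        raise ValueError("only PE32 handled here; PE32+ keeps ImageBase at a different offset")
    return opt


def image_base(image: bytes) -> int:
    return struct.unpack_from("<I", image, optional_header_offset(image) + OPT_IMAGE_BASE)[0]


def entry_point_rva(image: bytes) -> int:
    return struct.unpack_from("<I", image, optional_header_offset(image) + OPT_ADDRESS_OF_ENTRY_POINT)[0]


def va_to_rva(va: int, base: int) -> int:
    """The subtraction done by hand in the tutorial: 401000 - 400000 = 1000."""
    if va < base:
        raise ValueError(f"VA {va:#x} lies below the image base {base:#x}")
    return va - base


def set_entry_point(image: bytearray, va: int) -> int:
    """Write the RVA of the VA seen in the debugger into AddressOfEntryPoint; returns the RVA."""
    rva = va_to_rva(va, image_base(image))
    struct.pack_into("<I", image, optional_header_offset(image) + OPT_ADDRESS_OF_ENTRY_POINT, rva)
    return rva


def build_sample_pe() -> bytearray:
    """Constructed minimal PE32 header (not a runnable program): MZ stub with e_lfanew,
    PE signature, COFF header and a PE32 optional header with ImageBase 0x400000 and
    a made-up packer-stub entry point still in AddressOfEntryPoint."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, OPT_MAGIC, PE32_MAGIC)
    struct.pack_into("<I", opt, OPT_ADDRESS_OF_ENTRY_POINT, 0x6000)   # constructed stub EP
    struct.pack_into("<I", opt, OPT_IMAGE_BASE, 0x00400000)
    return bytearray(dos + b"PE\x00\x00" + coff + opt)


if __name__ == "__main__":
    pe = build_sample_pe()
    print(f"image base {image_base(pe):#x}, old EP RVA {entry_point_rva(pe):#x}")
    print(f"new EP RVA {set_entry_point(pe, 0x401000):#x}")
```

On a real dump.exe you would read the file into a bytearray, call set_entry_point with the VA of the jmp edx target and write the bytes back; the header checks are what keep you from patching the wrong offset in a PE32+ file.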

Step 2  

We will write a script to automate all that with ProcDump. First, a reminder of some commands used by ProcDump:

LOOK:  this is the command with which ProcDump references the signature of the cryptor or compressor. It searches for a
       hexadecimal byte chain in the exe. If the chain is found, that means this is the right script.

BP:    with this command you put a breakpoint (same principle as in SoftICE) at the current memory address. This command
       is preceded by LOOK; you'll understand why in a few minutes.

STEP:  this is the instruction with which you finish your script. STEP starts a step-by-step analysis of the code, which
       explains why the dump is sometimes slow.

WALK:  this command executes one instruction (in the program that you are dumping).

EIP:   EIP takes the next address of the program as the original entry point of the program: VERY practical!...

The problem is that PCSHRINK jumps to quite different addresses in memory and unpacks programs gradually. We know that
at address 41029D the code launches the original (unpacked) program. We could have used the command LOOK FF,E2 (FF,E2 =
jmp edx in hexa). Bad luck: since the program is unpacked gradually, ProcDump does not find this chain. It will be necessary
to put breakpoints when the software begins to unpack.

Step 3  

Do you remember the first disassembly? There was a jmp EDI (40672F). At this point the program has started to unpack. We
will make a first 'LOOK' at this address, but starting just before it. Why? Because jmp edi = FF,E7 in hexa, and this chain
is present several times in the code. It's necessary to take one more instruction. The instruction which precedes the
'jmp edi' is 'pop edi' (5F in hexa). So 'LOOK' becomes 'LOOK 5F,FF,E7'. But since we have taken one more instruction for
our 'LOOK', it is necessary to make 3 'WALK' to end up at the right place in the program (2 'WALK' would have been enough,
but I put 3 to be sure I get where I want). The beginning of the script is:

L1=LOOK 5F,FF,E7 ----- seeks chain 5F,FF,E7 
L2=WALK -------------- execute an instruction 
L3=WALK -------------- idem 
L4=WALK -------------- idem 
L5=BP ---------------- puts a breakpoint at the current address 

But as I already said, at this point the program is not completely unpacked. We must get to the jmp edx (41029D). For the
continuation of my script I could use 'LOOK FF,E2' to arrive at the moment when the program is unpacked, but as before,
ProcDump does not find the chain. It will be necessary to put another breakpoint.
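Two things from steps 2 and 3 are easy to see in code: a two-byte chain such as FF,E7 is ambiguous, so one more byte (5F,FF,E7) is needed to make the LOOK unique, and FF,E2 cannot be found until the later unpacking stage has actually written those bytes into memory. The following is an added example, not ProcDump's own search code. It runs a LOOK-style search over two constructed 64-byte snapshots that stand in for the process memory before and after the second stage; the layout, offsets and base address are assumptions chosen for the illustration, not a real PCShrink dump.

```python
from typing import Dict, List, Optional

BASE = 0x00400000   # assumed load address of the constructed snapshots


def chain_from_look(arg: str) -> bytes:
    """Convert the argument of a ProcDump LOOK line ('5F,FF,E7') into bytes."""
    return bytes(int(b, 16) for b in arg.split(","))


def find_chain(snapshot: bytes, chain: bytes, base: int = 0) -> List[int]:
    """Every address (base + offset) where `chain` occurs in `snapshot`, overlaps included."""
    hits, start = [], 0
    while True:
        i = snapshot.find(chain, start)
        if i < 0:
            return hits
        hits.append(base + i)
        start = i + 1


def unique_hit(snapshot: bytes, chain: bytes, base: int = 0) -> Optional[int]:
    """Address of the chain if it occurs exactly once, else None (ambiguous or absent)."""
    hits = find_chain(snapshot, chain, base)
    return hits[0] if len(hits) == 1 else None


def check_looks(snapshot: bytes, look_args: List[str], base: int = BASE) -> Dict[str, Optional[int]]:
    """For each LOOK argument, where it resolves uniquely in this snapshot (None if it does not)."""
    return {arg: unique_hit(snapshot, chain_from_look(arg), base) for arg in look_args}


def constructed_snapshot(after_second_stage: bool) -> bytes:
    """Constructed memory image, NOT a real PCShrink dump: several 'jmp edi' (FF E7), one
    'pop edi; jmp edi' (5F FF E7), and a region that only holds 'mov edx,401000; jmp edx'
    (BA 00 10 40 00 FF E2) once the later unpacking stage has run."""
    img = bytearray(0x40)
    img[0x00:0x02] = b"\xFF\xE7"
    img[0x10:0x13] = b"\x5F\xFF\xE7"
    img[0x20:0x22] = b"\xFF\xE7"
    if after_second_stage:
        img[0x30:0x37] = b"\xBA\x00\x10\x40\x00\xFF\xE2"
    return bytes(img)


if __name__ == "__main__":
    looks = ["FF,E7", "5F,FF,E7", "FF,E2"]
    for stage, snap in (("early", constructed_snapshot(False)), ("late", constructed_snapshot(True))):
        print(stage, {k: (hex(v) if v is not None else None) for k, v in check_looks(snap, looks).items()})
```

In the early snapshot FF,E7 matches three times and FF,E2 not at all, while 5F,FF,E7 resolves to a single address; only the late snapshot lets FF,E2 resolve. That is exactly why the script needs a breakpoint on the earlier chains before it can LOOK for the jmp edx.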

Step 4  

And this is where the second disassembly comes in. While tracing the program we had arrived at 41009F jmp 4101d8
(= F3,A4,E9). But this time we will take the 2 instructions which precede this jmp, because as in step 3, ProcDump would
not find the right chain otherwise. The two instructions which precede the jmp are:

:41009c pop EDI      = F3 in hexa
:41009d repz movsb   = A4 in hexa
:41009f jmp 4101d8   = E9 + address (jmp = E9; the memory address is not important)

Our 'LOOK' command thus becomes 'LOOK F3,A4,E9'. And as in step 3, it is necessary to make 3 'WALK' before placing the
BP. Now the script becomes this:

L1=LOOK 5F,FF,E7 ----------------- seeks chains 5F,FF,E7 
L2=WALK -------------------------- execute an instruction 
L3=WALK -------------------------- idem 
L4=WALK -------------------------- idem 
L5=BP ---------------------------- puts a breakpoint at the current address
L6=LOOK F3,A4,E9 ----------------- seeks chain F3,A4,E9 
L7=WALK -------------------------- execute an instruction 
L8=WALK -------------------------- idem 
L9=WALK -------------------------- idem 
LA=BP ---------------------------- puts a breakpoint at the current address

This time we approach the goal, because if you remember the tracing of the program, the third disassembly brings us to the
unpacked program...

Step 5  

So we have traced the program and finally arrived at address 041029D jmp edx. This instruction is the last one of the
unpacking routine. It is what we have been seeking since a few moments ago (jmp edx = FF,E2 in hexa). But this time we
have unpacked much more of the program. Maybe we can place our famous 'LOOK FF,E2'? This time it works! ProcDump locates
the chain FF,E2 (and at the right place in memory). To recover the original entry point, I have used the 'EIP' command.
Now, the final script is:

-------------------------------------- cut here --------------------------------------- 

;WARNING! THE SCRIPT WILL NOT WORK IF YOU DO NOT REMOVE ALL THE COMMENTS ( ----- blablabla... )!

P1E=PCSHRINK 0.71 Beta -------------------------- give a name and a number (P1E) to script 

[PCSHRINK 0.71 Beta] ---------------------------- the name of script 
L1=LOOK 5F,FF,E7 -------------------------------- seek chains 5F,FF,E7
L2=WALK ----------------------------------------- execute an instruction 
L3=WALK ----------------------------------------- idem 
L4=WALK ----------------------------------------- idem 
L5=BP ------------------------------------------- put a breakpoint at the current address
L6=LOOK F3,A4,E9 -------------------------------- seeks chain F3,A4,E9 
L7=WALK ----------------------------------------- execute an instruction
L8=WALK ----------------------------------------- idem 
L9=WALK ----------------------------------------- idem 
LA=BP ------------------------------------------- put a breakpoint at the current address 
LB=LOOK FF,E2 ----------------------------------- seek chains FF,E2 
LC=WALK ----------------------------------------- execute an instruction 
LD=BP ------------------------------------------- put a breakpoint at the current address 
LE=EIP ------------------------------------------ recover the next address as being the original entry point 
LF=STEP ----------------------------------------- step by step Analyze  (not necessary i hope,if u use EIP)
OPTL1=00000000 ---------------------------------- some 
OPTL2=01010001 ---------------------------------- options put
OPTL3=01010001 ---------------------------------- by default for 
OPTL4=00030000 ---------------------------------- this script (' Rebuild New 
OPTL5=00000000 ---------------------------------- Import Table',etc...).
-------------------------------------- cut here ---------------------------------------

It is to be added to 'script.ini' in the ProcDump 1.5 directory.
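Since the warning above says the script only works once every "----- comment" is removed, here is an added example (not part of the tutorial or of ProcDump) that strips those annotations and sanity-checks the result before it goes into script.ini: labels must run L1, L2, ... LF in hex order, every command must be one of LOOK, WALK, BP, EIP, STEP, each LOOK argument must be a hex byte chain, and the script must end with STEP. The checks are this example's own assumptions about a well-formed script, not rules taken from ProcDump's documentation; the annotated text embedded below is a copy of the script from this tutorial.

```python
import re
from typing import Dict, List, Tuple

# The annotated script from this tutorial, as a reader might paste it (constructed input).
ANNOTATED_SCRIPT = """\
P1E=PCSHRINK 0.71 Beta -------------------------- give a name and a number (P1E) to script

[PCSHRINK 0.71 Beta] ---------------------------- the name of script
L1=LOOK 5F,FF,E7 -------------------------------- seek chains 5F,FF,E7
L2=WALK ----------------------------------------- execute an instruction
L3=WALK ----------------------------------------- idem
L4=WALK ----------------------------------------- idem
L5=BP ------------------------------------------- put a breakpoint at the current address
L6=LOOK F3,A4,E9 -------------------------------- seeks chain F3,A4,E9
L7=WALK ----------------------------------------- execute an instruction
L8=WALK ----------------------------------------- idem
L9=WALK ----------------------------------------- idem
LA=BP ------------------------------------------- put a breakpoint at the current address
LB=LOOK FF,E2 ----------------------------------- seek chains FF,E2
LC=WALK ----------------------------------------- execute an instruction
LD=BP ------------------------------------------- put a breakpoint at the current address
LE=EIP ------------------------------------------ recover the next address as being the original entry point
LF=STEP ----------------------------------------- step by step analyze
OPTL1=00000000 ---------------------------------- some
OPTL2=01010001 ---------------------------------- options put
OPTL3=01010001 ---------------------------------- by default for
OPTL4=00030000 ---------------------------------- this script
OPTL5=00000000 ---------------------------------- (Rebuild New Import Table, etc.)
"""

COMMENT_RE = re.compile(r"\s*-{3,}.*$")          # everything from ' ---' to the end of the line
KNOWN_COMMANDS = {"LOOK", "WALK", "BP", "EIP", "STEP"}


def strip_comments(text: str) -> List[str]:
    """Remove the trailing '----- comment' from every line and drop blank lines."""
    cleaned = []
    for line in text.splitlines():
        line = COMMENT_RE.sub("", line).rstrip()
        if line:
            cleaned.append(line)
    return cleaned


def parse_script(lines: List[str]) -> Tuple[str, List[Tuple[str, str, str]], Dict[str, str]]:
    """Split clean lines into (section name, steps, options); a step is (label, command, argument)."""
    name, steps, options = "", [], {}
    for line in lines:
        if line.startswith("["):
            name = line.strip("[]")
            continue
        key, _, value = line.partition("=")
        if re.fullmatch(r"L[0-9A-F]", key):
            command, _, arg = value.partition(" ")
            steps.append((key, command, arg.strip()))
        elif key.startswith("OPTL"):
            options[key] = value
    return name, steps, options


def validate(steps: List[Tuple[str, str, str]]) -> List[str]:
    """Return a list of problems; an empty list means the step list looks well formed."""
    problems = []
    for i, (label, command, arg) in enumerate(steps):
        if int(label[1:], 16) != i + 1:
            problems.append(f"{label}: labels must run consecutively from L1")
        if command not in KNOWN_COMMANDS:
            problems.append(f"{label}: unknown command {command}")
        if command == "LOOK":
            try:
                bytes(int(b, 16) for b in arg.split(","))
            except ValueError:
                problems.append(f"{label}: LOOK argument is not a hex byte chain")
        elif arg:
            problems.append(f"{label}: {command} takes no argument")
    if steps and steps[-1][1] != "STEP":
        problems.append("script must end with STEP")
    return problems


if __name__ == "__main__":
    clean = strip_comments(ANNOTATED_SCRIPT)
    name, steps, options = parse_script(clean)
    print("\n".join(clean))
    print(f"# {name}: {len(steps)} steps, {len(options)} options, problems: {validate(steps) or 'none'}")
```

Running it prints the comment-free lines ready to paste into script.ini, followed by a one-line summary of what was parsed.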

Okay! I know that just reading this tutorial is not really easy to understand... One solution: follow this tutorial step by
step. In the next tutorial I hope to come back to the options OPTL1, OPTL2...

If you have any questions about this tutorial, you can send me a mail: the link is at the bottom left. Sorry for my bad
English grammar, but it's not easy....

Do you ReMemBer aMsTrad Cpc's World (like 464,664,6128,6128+...) ? It is from this OlD SchOOL that I come : This CRaCK iS 
deDICaCED to my OLd FrienDs : Syntax Error,Dr Felix,Virus,DraPeau NOir,ForCE OnE, Micro Mag & Press Fire,Disc 
FuLL,Antoine...don't ForgeT, na da CpC RullEEzzzz ! o))

TaMaMBoLo/SaMSoUL CRaCKiNg
