                     Manual Unpack Tutorial for Petite
                           - written by daimos -

About

I wrote this tutorial to give you a general idea on how to unpack manually
using a debugger and a hex editor. I am not an expert on this, but I can
tell you that I have been successful unpacking and unwrapping using the
methods I will describe. I will use Notepad as the target application, but
you can use others as a substitute.

This is not a newbie tutorial. I assume that you have a general
understanding the PE file format concepts and terminologies. Otherwise,
these tutorial will not make sense at all.

Tools

These are actually what I used.

   * SoftICE v3.23
   * ICEDUMP beta 4
   * Hiew v6.01
   * Petite v1.3a
   * Executable File Dump v2.23 (optional)

Overview

We all know what packing does. It compresses the EXE or DLL file, then at
runtime it will decompress it in memory and run it as if nothing has
changed. The program is never aware that it has been compressed, only the
file size has changed (smaller but in some instances its bigger).

There are two ways you can unpack a file. One, is to write a specific
unpacker that will decompress the file. Or two, dump the unpacked file from
memory after it has been decompressed. I chose the second method since its
easier and you dont have to understand the loader in detail (this is how
ProcDump works).

Unpacking Notepad

Make sure that Notepad.exe is packed with Petite v1.3a. Use the following
command to pack: petite -r* notepad.exe (compress all resources). Petite
will show some information like compression ratio for each section, types
of resources that was compressed, merging of sections and the overall
compression ratio.

The main idea behind dumping is to dump memory at the original EntryPoint.
Finding the EntryPoint is not hard, but it will always depend on the
packer. Now, lets try this with Notepad so load it in Symbol Loader. Since
we know the EntryPoint is at virtual address 401000, put a hardware
breakpoint at that address:

:bpm 401000 x

Let it run. It will break on 401000, which is the original EntryPoint. This
is the most ideal place to dump since no data sections has yet to be
initialized. The command to dump is pagein <address> <length> <filename>.
We want to dump the whole image starting from the header to the last
section. The header is located at ImageBase (address 400000) which will
become the starting address. The last section (.petite) has an RVA of C000
with length of F000. So we issue the command as:

:pagein 400000 C000+F000 newpe.exe

At this point, the file newpe.exe is not runnable. It needs to be fixed.
Probably the hardest part of manual unpacking is making the dump file work.
This is where knowledge of PE file format is most essential. Without an
understanding of the file format, chances of recovering the file is slim
unless you use an external tool.

The first thing to fix is the EntryPoint RVA. Since we no longer need the
Petite loader, there is no point in giving control to it. Use Hiew to edit
the EntryPoint RVA to 1000 (offset is +28 from PE header).

We next adjust the physical size of each section. Remember that the
original file is smaller, to adjust it we simply copy the value of
VirtualSize. Only .text, .data, .rsrc, .reloc & .petite (import section is
located here) needs to be fixed. .bss in all EXEs dont have any physical
size or file offsets. Next is the physical offsets. Same thing with file
sizes, we just copy the corresponding RVA values. I coded a program that
will do this, its called FixScn.

The file is now fixed and runnable. Although it is a bit bigger (can be
truncated after the import section) it works as usual. There are still some
miscellaneous fixing to do like RVA of fixups section in the Data
Directory.

Conclusion

My first attempt at unpacking a packed file was a disaster. But as you can
see, I still managed to do it. The PE file format is the key. It took me a
long time to learn it, but it is a time well spent. This tutorial might not
what you expect it would be, a step by step guide. But rather, this is the
approach I took, and it might give you a better idea for you own work.

 Copyright  by daimos, 1999
