Unpacking: a generic approach, including IT rebuilding.
Accessible for newbie and more advanced crackers

Tutorial written by Predator [PC/pGC]

published by +Tsehp March 2001

Aim: learn how to unpack almost any program, any packer.


Welp, it's been quite some time since I wrote my last tutorial.
I've written 3 tutorials now including this one, funny enough all 3 were explaining an ASProtect
packed target. It's quite interesting IMO :-)

Keep in mind that this tutorial won't tell you how to crack this program, it will show you instead
how to unpack it and this method is quite "generic" for any packed application.

So, the idea of this tutorial is that by using it, you'll be able to unpack many more programs -
using many different kinds of packers.

I'm NOT saying that if you have the knowledge explained you can just unpack everything.
This means you'll have to use your brain ;-)



Cool Mouse v3.4 - http://www.shelltoys.com/files/cmset.exe - 450kb
It's a program that uses your middle-mousebutton to do funny stuff with open windows, like
shadowing them. The protection is total crap (besides that it's packed with ASProtect).



1. Dumping the app, fixing the sections (tools: IceDump & PEditor)
2. Adding a section for the newly created IT (tool: PEditor, which is the name of a PE Editor ;)
3. Create the new IT (tool: Revirgin)
4. Combine the dump and IT (tool: HexWorkshop)
5. Update entrypoint, update IT rva and size (tool: PEditor)
6. Run and find out: 1 last change needed (tool: SoftICE).

Tools urls: http://protools.cjb.net/ and http://tsehp.cjb.net/ for Revirgin.



We'll dump the app using IceDump, and realign the sections using PEditor. This is
the best way, IMHO. First we've got to find the OEP (Original program EntryPoint).
How? Well, you could use IceDump's /TRACEX command for this. Second way would be
tracing the whole damn thing. Third way, which we will use, is bpx on GetVersion and
use some Zen feeling (or just a combination of logical thinking/guessing, haha).

bpx GetVersion in softice, run CMOUSE.EXE, the 3rd occurence of GetVersion is the one
we are interested in (inside CMOUSE itself). Scroll up a little, and you'll see something
like "PUSH EBP" followed by "MOV EBP, ESP". The RVA of PUSH EBP would be our OEP.
It's 876B (40876B in softice).

Now, we have to make the program loop so it can't hurt us and then we dump.
Type BPM 40876B X. Re-run CMOUSE.EXE and you'll land at the OEP. Type: A EIP and enter
"JMP EIP". You'll have to remember the 2 bytes you've just overwritten (55h,8Bh). Now
dump: /DUMP 400000 51000 c:/temp/dump.exe. Why 51000? If you use a PE editor (PEditor or
ProcDump for example) on CMOUSE.EXE you'll encounter an ImageSize of 51000h.

Ok, we've got a sweet dump now. First we'll fix the sections using PEditor. We use this tool because
it works fast for our aims. PEditor is -not- Procdump's build-in PE Editor btw.
Load dump.exe in PEditor and go to sections. Right-click on the first section (which has no name)
and choose the sweet option DUMPFIXER. Do so for every section please ;)

Don't close PEditor yet.

For those interested in IceDump's tracex command, it works like this. You just 'guess' where the OEP
could be located, for example somewhere between VA 401000 and 500000. Now be sure you are
currently debugging the process you want to unpack and type: /TraceX 401000 500000 <enter>. Now,
go make yourself some coffee, because this could very well take a while. Now, as soon as softice breaks,
it means that you are now looking at the first instruction executed between 401000 and 500000 area.
You could assume that this is the OEP.



Still in PEditor, we'll create a new section for our (not yet created) new Import Table
(IT). Do so by rightclicking on any section and choose "add a section" - give it a name,
and rightclick on the new section and choose edit. Change both the Virtual Size and Raw Size
to about 4000 (this should be more than enough). Remember the RVA of the section,
it was 51000 for me. That's all, exit PEditor please ;)



Fire up Revirgin and then fire up CMOUSE.EXE. Now click on the CMOUSE.EXE process in Revirgin
and click on OK when you get the sweet errormessage ;)
Revirgin needs an IAT start + Size so we'll have to retreive those values somewhere.
Launch your hexeditor and edit your DUMP.EXE. Search for the following 2 bytes: FFh,25h
Look at the address it jumps to on the first occurence (or any other occurence). For example:
Now go to offset D2AC (offset and RVA is the same now). Scroll up a little and see. The IAT
starts at 40D000.
Now for the length; scroll down untill you see 9x '00' bytes. I'm not sure if 9 is a magic
number with this shit but it seems so ;) Furthermore after those 9x00 you'll see stuff that
doesn't look like the above anymore. IAT start: RVA D000, end: D2AE. D2AE - D000 = 2AE.
IAT length: 2AE.
So, let's enter these values in Revirgin. Press the IAT Resolver button. Now press
Resolve Again.
Only 2 entries remain unresolved. We can fix last entry, which is not resolved yet,
like this: rightclick on it - choose Tracer (be sure you copied tracer.dll+thread.dll to
your windows\system directory). After tracing, click on Resolve Again. Woah, there it is :)
Now, the very last entry. I've tried reconstructing this one with Revirgin but had no luck.
How to fix this, then? Well, quite easy. Look at the address: B0C218 for me. Load CMOUSE.EXE
and for example do bpx getversion again (wait for the 3rd occurence so you are inside
CMOUSE). Now type "U B0C218". You'll see a call to GetProcAddress a few lines below.
Go back to revirgin, rightclick on the entry and choose Edit. Change the "Module" to
KERNEL32.DLL (while GetProcAddress is an API located inside KERNEL32.DLL - look it up
in your API reference if you want) and change the Name to GetProcAddress. Now, press
Resolve Again. Woah, that's it. Everything is there now. You can save this as text with
Save Resolved, if you want. Well now, let's create our IT.bin then! Remember 51000? It's
the RVA of the beginning of our newly created section. Enter 51000 in the "IT RVA" field
and click on IAT Generator. Save the file, I used for filename "IT.BIN". Please remember
the value of IT Length inside Revirgin!

Before I forget, you might ask yourself the question - why rebuild the Import Table. And what the fuck
is it anyway? Well it's a part in the executable that leads to the addresses of the API's the program uses;
for example GetWindowTextA. We rebuild it now, while ASProtect (and other packers, too) fucks it
up which causes the program to crash if we don't fix it.

Secondly, it could happen you find an IAT that ends with a lot of 00-bytes (more than 9) but right after
it looks like the IAT continues! Well, not a biggie problem, it's just an IAT with big holes in it. It can
happen. Try scrolling down untill you see so many 00-bytes you are absolutely sure it's the end of the IAT.


Well, this is quite easy and quite fun ;) Dunno why.. it just is ;)
Run HexWorkshop (or another hexeditor that supports copy/paste in a sweet way) and open
DUMP.EXE and IT.BIN. Completely select all bytes in IT.BIN and copy it into memory. Now
go to the very end of DUMP.EXE (cursor -after- the -last- byte) - you'll see the offset:
51000 ;-) Now paste.. b00m. Now save. b0000m. ;)



Now run PEditor again and open DUMP.EXE. First fix the entrypoint, remember? OEP=876B.
Now click on "directory" button and change the IT RVA to 51000 and the IT SIZE to E0
(remember, E0 was calculated by and shown in Revirgin as IT Length). Well, that's about it.
The unpacked file DUMP.EXE should run in the same way as the packed file CMOUSE.EXE now.

So, run it!

If, when following these steps on a packed target, you get an error message when running the unpacked
app saying "Not Enough Memory" then increase the ImageSize of the PE using PEditor. Increase it by
at least the size of the new section containing the new IT. ;-) Makes sense, doesn't it?



Well, by running it you'll find out it crashes ;) How is this possible? Well, let's use
SoftICE to check this out. Inside the ice type FAULTS ON. Now run DUMP.EXE. Softice will
"break" at VA: 40821C. So uhm, right... WTF ;) Well, what if we just NOP this line. It's
2 bytes which means 2 nops. Type A 40821C and then: NOP <enter> NOP <enter>. Exit the ice
and woah..... target runs ;) Now run your hexeditor for the last time, go to VA 40821C
and change the 2 bytes overthere into 2x 90h.

( Well now, why is this nescessary? It seems that ASProtect in this case is being checked for by the
target - if ASProtect isn't in memory (like now) the program crashes. That's all. )

That's it. DUMP.EXE runs, exactly like CMOUSE.EXE - the difference is that DUMP.EXE is
UNPACKED which means you can have a party and invite all your friends and drink a lot of
beer... or it just means you can disassemble/patch it now....



To unpack a packed application, in short, proceed like this. For the "how to" you should read the
above ofcourse. Start by finding the OEP. Dump the application. Realign the sections. Create a new
Import Table if this is nescessary (you'll find out if the app doesn't run, most probably the IT is
screwed up). Now merge the new IT with the dump you made. Finish by editing in the new OEP and
new IT + IT size. Now, close your eyes and run the file - hope it works ;) If it doesn't, just think for
a while what could be the problem. Like for example in section 6 of this tutorial



ASProtect's real protection is in fact the "hey let's fuck up the Import Table" part, it's becoming a
popular way of protecting files which are packed. With a tool like Revirgin it's not a real problem
anymore to get around -it doesn't just solve everything for you though.

Oh and btw, what if you can't find the RVA of the IAT in the way I just explained. This could happen
for example with an app I saw that calls a VA that you can't reach using your hexeditor.

Eg: call dword ptr [0D0193B0]. This VA doesn't exist on disk right now. Therefor you can't look it up
with your hexeditor. Solution: run the packed app and bpx on any api you can think of, just hope
SoftICE breaks ;) Now remember the VA of the call ApiName. Dump the process fully and go to the
VA in your hexeditor. Now proceed like you'd do when searching for FF,25 etc.
The only difference is that you should hexedit the dumped file instead of the packed file - and make
sure you got a "valid" FF,25 occurence.

Oh and btw (2): the unpacked exe will not run on every computer, as +Tsehp writes
in his readme.doc of Revirgin. It will run on most win9x computers though.
You can also see in the readme that this will be fixed in a future version hopefully.

Oh ;) and uhm ;) you can try packing the app after you applied your patches with UPX. Use like:
UPX -9 -f filename.exe. The -9 is for best compression ratio, the -f is for FORCE. ;)

Last but not least, always keep your tools UP2DATE.



All PC and all pGC members.
HackWizz for being a good friend.
CoDe_InSiDe (for the FF25->IAT trick)
Spectre because if I don't greet him he'll be pissed;)
+Tsehp and +Splaj (for Revirgin and Info)
And everyone else.. I hope noone will feel left out. All who know me are hereby greeted ;)



Feel free to contact me for anything you can think of. I don't take requests though and I will not
send you files. Visit my page http://rotaderp.cjb.net/ please and go to 'about me' for a link to my email

-- Predator [PC/pGC]
March 24, 2001


-- MY RESOLVED.TXT - produced by Revirgin --

index IAT_address value hint module function 
--- -------- -------- ---- -------- -------- 
0 0000D000 BFE81644 00D8 ADVAPI32.dll RegCloseKey
1 0000D004 BFE81376 00E1 ADVAPI32.dll RegDeleteValueA
2 0000D008 BFE81AF2 00F2 ADVAPI32.dll RegQueryInfoKeyA
3 0000D00C BFE813B7 00E7 ADVAPI32.dll RegEnumValueA
4 0000D010 BFE815EA 0103 ADVAPI32.dll RegSetValueExA
5 0000D014 BFE8182B 00E4 ADVAPI32.dll RegEnumKeyExA
6 0000D018 BFE8167D 00DC ADVAPI32.dll RegCreateKeyExA
7 0000D01C BFE81787 00DF ADVAPI32.dll RegDeleteKeyA
8 0000D020 BFE81534 00F7 ADVAPI32.dll RegQueryValueExA
9 0000D028 00461890 000B CMHOOK.dll ActivateRightRoll
10 0000D02C 00461010 0002 CMHOOK.dll InstallMouseHook
11 0000D030 00461830 0005 CMHOOK.dll ActivateIt
12 0000D034 00461EE0 000C CMHOOK.dll TellHookCustWin
13 0000D038 00461870 0007 CMHOOK.dll ActivateScroll
14 0000D03C 00461850 0008 CMHOOK.dll ActivateCaptionFeature
15 0000D040 00461880 000A CMHOOK.dll ActivateRightTray
16 0000D044 00461860 0009 CMHOOK.dll ActivateBodyFeature
17 0000D048 00461790 0003 CMHOOK.dll UninstallMouseHook
18 0000D050 BFEB1BF4 0046 COMCTL32.dll ImageList_ReplaceIcon
19 0000D054 BFE983FE 0011 COMCTL32.dll InitCommonControls
20 0000D058 BFEB1877 002D COMCTL32.dll ImageList_Create
21 0000D05C BFEEFC75 0010 COMCTL32.dll CreateUpDownControl
22 0000D064 BFF223C3 00AA GDI32.dll CreateSolidBrush
23 0000D068 BFF2289E 018B GDI32.dll SetMapMode
24 0000D06C BFF2148D 011A GDI32.dll GetObjectA
25 0000D070 BFF22621 0095 GDI32.dll CreateFontA
26 0000D074 BFF2507B 00A5 GDI32.dll CreateRectRgn
27 0000D078 BFF224D8 0089 GDI32.dll CreateCompatibleDC
28 0000D07C BFF247BF 0112 GDI32.dll GetMapMode
29 0000D080 BFF2254C 01AC GDI32.dll TextOutA
30 0000D084 BFF22842 00B0 GDI32.dll DeleteObject
31 0000D088 BFF22D2D 0088 GDI32.dll CreateCompatibleBitmap
32 0000D08C BFF22293 0072 GDI32.dll BitBlt
33 0000D090 BFF2283A 00AD GDI32.dll DeleteDC
34 0000D094 BFF224FE 0173 GDI32.dll SelectObject
35 0000D09C 10001720 0002 KBDHOOK.dll SendKeys
36 0000D0A4 BFF77039 027E KERNEL32.dll ReadFile
37 0000D0A8 BFF776D0 0229 KERNEL32.dll LoadLibraryA
38 0000D0AC BFF77ADB 00B9 KERNEL32.dll CreateFileA
39 0000D0B0 BFF77D63 0226 KERNEL32.dll LCMapStringA
40 0000D0B4 BFF757B4 02E0 KERNEL32.dll SetStdHandle
41 0000D0B8 BFF9100F 0196 KERNEL32.dll GetOEMCP
42 0000D0BC BFF9C947 0128 KERNEL32.dll FlushFileBuffers
43 0000D0C0 BFF77DCE 013E KERNEL32.dll GetCPInfo
44 0000D0C4 BFFA94BE 00B7 KERNEL32.dll CreateEventW
45 0000D0C8 BFF8E150 0138 KERNEL32.dll GetACP
46 0000D0CC BFF77D81 0252 KERNEL32.dll MultiByteToWideChar
47 0000D0D0 BFF7713B 02CF KERNEL32.dll SetFilePointer
48 0000D0D4 BFF77D3D 01BC KERNEL32.dll GetStringTypeA
49 0000D0D8 BFF88388 0291 KERNEL32.dll RtlUnwind
50 0000D0DC BFF75881 0179 KERNEL32.dll GetFileType
51 0000D0E0 BFF76FD1 0336 KERNEL32.dll WriteFile
52 0000D0E4 BFF9C63C 02D2 KERNEL32.dll SetHandleCount
53 0000D0E8 BFFA9464 00A1 KERNEL32.dll CloseProfileUserMapping
54 0000D0EC BFF75770 01BB KERNEL32.dll GetStdHandle
55 0000D0F0 BFF77D9F 032B KERNEL32.dll WideCharToMultiByte
56 0000D0F4 BFFA946D 0076 KERNEL32.dll AddAtomW
57 0000D0F8 BFF8ABBC 016A KERNEL32.dll GetEnvironmentStrings
58 0000D0FC BFF9DB34 0310 KERNEL32.dll UnhandledExceptionFilter
59 0000D100 BFF96347 015A KERNEL32.dll GetCurrentProcess
60 0000D104 BFF9600D 0130 KERNEL32.dll FreeEnvironmentStringsA
61 0000D108 BFF7E06D 00A0 KERNEL32.dll CloseHandle
62 0000D10C BFF8516B 0181 KERNEL32.dll GetLastError
63 0000D110 BFF95DD3 02FD KERNEL32.dll TerminateProcess
64 0000D114 BFF7FFF0 0319 KERNEL32.dll VirtualAlloc
65 0000D118 BFF841CB 031B KERNEL32.dll VirtualFree
66 0000D11C BFF76EA3 0200 KERNEL32.dll HeapDestroy
67 0000D120 BFF8D4F8 00F8 KERNEL32.dll ExitProcess
68 0000D124 BFF88BF2 01FF KERNEL32.dll HeapCreate
69 0000D128 BFF8C5DA 0149 KERNEL32.dll GetCommandLineA
70 0000D12C BFF777AD 01B9 KERNEL32.dll GetStartupInfoA
71 0000D130 BFF92F1B 01DC KERNEL32.dll GetVersion
72 0000D134 BFF76EC4 01FD KERNEL32.dll HeapAlloc
73 0000D138 BFF76F10 0201 KERNEL32.dll HeapFree
74 0000D13C BFF76EE5 0203 KERNEL32.dll HeapReAlloc
75 0000D140 BFF76DA8 01A3 KERNEL32.dll GetProcAddress
76 0000D144 BFF77716 018D KERNEL32.dll GetModuleHandleA
77 0000D148 BFF813EC 015D KERNEL32.dll GetCurrentThreadId
78 0000D14C BFF776F7 018B KERNEL32.dll GetModuleFileNameA
79 0000D150 BFF773A9 035F KERNEL32.dll lstrlen
80 0000D154 BFF772BE 0356 KERNEL32.dll lstrcmpi
81 0000D158 BFFA0DA8 032C KERNEL32.dll WinExec
82 0000D15C BFF9C7F8 02C6 KERNEL32.dll SetEndOfFile
83 0000D160 BFFA94E2 0080 KERNEL32.dll BackupSeek
84 0000D168 7FD07109 0109 SHELL32.dll SHBrowseForFolder
85 0000D16C 7FD16AFF 0142 SHELL32.dll ShellExecuteA
86 0000D170 7FCB3BC4 011F SHELL32.dll SHGetPathFromIDList
87 0000D174 7FD18BE2 0148 SHELL32.dll Shell_NotifyIcon
88 0000D17C BFF55072 01EE USER32.dll ScreenToClient
89 0000D180 BFF54EFC 00FC USER32.dll GetDlgItem
90 0000D184 BFF51800 00E8 USER32.dll GetClassNameA
91 0000D188 BFF54FC5 00EB USER32.dll GetClientRect
92 0000D18C BFF51EEE 00F6 USER32.dll GetCursorPos
93 0000D190 BFF51BAD 018C USER32.dll KillTimer
94 0000D194 BFF5248D 0200 USER32.dll SetCapture
95 0000D198 BFF5156B 0239 USER32.dll SetWindowPos
96 0000D19C BFF524BF 01D1 USER32.dll PostQuitMessage
97 0000D1A0 BFF5252B 0159 USER32.dll GetWindowThreadProcessId
98 0000D1A4 BFF52FD5 0091 USER32.dll DialogBoxParamA
99 0000D1A8 BFF524BB 0212 USER32.dll SetForegroundWindow
100 0000D1AC BFF526FC 01E7 USER32.dll ReleaseCapture
101 0000D1B0 BFF55C71 005B USER32.dll CreateWindowExA
102 0000D1B4 BFF55171 018A USER32.dll IsWindowVisible
103 0000D1B8 BFF51C9F 0259 USER32.dll TrackPopupMenuEx
104 0000D1BC BFF524F7 008D USER32.dll DestroyMenu
105 0000D1C0 BFF52471 012F USER32.dll GetParent
106 0000D1C4 BFF525C5 000A USER32.dll AttachThreadInput
107 0000D1C8 BFF55708 01CF USER32.dll PostMessageA
108 0000D1CC BFF544C1 0258 USER32.dll TrackPopupMenu
109 0000D1D0 BFF52098 0246 USER32.dll ShowWindow
110 0000D1D4 BFF524E7 026A USER32.dll UpdateWindow
111 0000D1D8 BFF559F9 0195 USER32.dll LoadIconA
112 0000D1DC BFF54362 01D8 USER32.dll RegisterClassA
113 0000D1E0 BFF55918 00D3 USER32.dll FindWindowA
114 0000D1E4 BFF5573D 0123 USER32.dll GetMessageA
115 0000D1E8 BFF55769 025E USER32.dll TranslateMessage
116 0000D1EC BFF54733 0093 USER32.dll DispatchMessageA
117 0000D1F0 BFF51BA9 00B7 USER32.dll EndDialog
118 0000D1F4 BFF5235E 0219 USER32.dll SetMenuDefaultItem
119 0000D1F8 BFF551F5 0102 USER32.dll GetForegroundWindow
120 0000D1FC BFF51804 0155 USER32.dll GetWindowTextA
121 0000D200 BFF52356 023A USER32.dll SetWindowRgn
122 0000D204 BFF55674 00E6 USER32.dll GetClassLongA
123 0000D208 BFF5178C 0039 USER32.dll CheckRadioButton
124 0000D20C BFF5569E 0203 USER32.dll SetClassLongA
125 0000D210 BFF52D8A 0208 USER32.dll SetCursor
126 0000D214 BFF51990 0182 USER32.dll IsDlgButtonChecked
127 0000D218 BFF520A4 00B5 USER32.dll EnableWindow
128 0000D21C BFF51BD4 023B USER32.dll SetWindowTextA
129 0000D220 BFF55A0F 0191 USER32.dll LoadCursorA
130 0000D224 BFF5325A 0269 USER32.dll UnregisterHotKey
131 0000D228 BFF5176D 0036 USER32.dll CheckDlgButton
132 0000D22C BFF51269 024D USER32.dll SystemParametersInfoA
133 0000D230 BFF55591 0285 USER32.dll wsprintfA
134 0000D234 BFF5171D 020E USER32.dll SetDlgItemTextA
135 0000D238 BFF512DE 0197 USER32.dll LoadImageA
136 0000D23C BFF54C52 013C USER32.dll GetSysColor
137 0000D240 BFF55A38 018F USER32.dll LoadBitmapA
138 0000D244 BFF5216A 00D9 USER32.dll FrameRect
139 0000D248 BFF51E88 00A8 USER32.dll DrawIconEx
140 0000D24C BFF51AE0 00A3 USER32.dll DrawEdge
141 0000D250 BFF511C4 027C USER32.dll WinHelpA
142 0000D254 BFF521BC 005A USER32.dll CreatePopupMenu
143 0000D258 BFF54460 0007 USER32.dll AppendMenuA
144 0000D25C BFF556DE 00CE USER32.dll EnumWindows
145 0000D260 BFF52DF4 0038 USER32.dll CheckMenuRadioItem
146 0000D264 BFF551B1 00F9 USER32.dll GetDesktopWindow
147 0000D268 BFF515D1 01B9 USER32.dll MoveWindow
148 0000D26C BFF51B3F 014A USER32.dll GetWindow
149 0000D270 BFF54F53 0153 USER32.dll GetWindowRect
150 0000D274 BFF55836 01F7 USER32.dll SendMessageA
151 0000D278 BFF52491 0272 USER32.dll VkKeyScanA
152 0000D27C BFF524CF 008E USER32.dll DestroyWindow
153 0000D280 BFF552F6 013F USER32.dll GetSystemMetrics
154 0000D284 BFF5322F 01E0 USER32.dll RegisterHotKey
155 0000D288 BFF5308E 022F USER32.dll SetTimer
156 0000D28C BFF555A7 014E USER32.dll GetWindowLongA
157 0000D290 BFF5412E 01AD USER32.dll MessageBoxA
158 0000D294 BFF52FA0 0051 USER32.dll CreateDialogParamA
159 0000D298 BFF55BCD 0085 USER32.dll DefWindowProcA
160 0000D29C BFF5564D 0236 USER32.dll SetWindowLongA
161 0000D2A0 BFF51670 00D4 USER32.dll FindWindowExA
162 0000D2A4 BFF524EF 00DE USER32.dll GetAsyncKeyState
163 0000D2AC 7FE16112 006E comdlg32.dll GetOpenFileNameA