
2000 June 27

  • TaMaMBoLo, program credits
How to write an automatic script for ProcDump?

Tools: ProcDump 1.5 (http://Procdump32.cjb.net) ; SoftICE 4.1 (http://crackfr.cjb.net) ; PECompact 0.975b (http://Protools.com or http://Pecompact.cjb.net) ; Brain/Ganja (yup! if u like it!)

Today we will see how to write a script for ProcDump. If you have already read my tutorials for ProcDump (PCSHRINK 0.71 Beta...), the technique used to write this script is similar. I already traced the unpacking routine of PECompact with SoftICE to see how it worked, so I located, in that same routine, the places where I could set the breakpoints for ProcDump.

Step 1

Take Symbol Loader and open PECompact. Trace the proggy by pressing F10. Quickly, we arrive at this:

  Disassembly 1
  15f:0040aab1 repz movsd
  15f:0040aab3 pop EDI
  15f:0040aab4 jmp EDI

We are at the beginning of the routine, so jmp EDI (40aab4) will not jump to the unpacked program; the unpacking of the proggy has to continue. But we note the address of jmp EDI, because we will need it... Continuing the trace with F10, we arrive at this:

  Disassembly 2
  15f:0040c57f call 40c617
  15f:0040c584 xchg eax,ecx
  15f:0040c585 pop esi
  15f:0040c586 pop EDI
  15f:0040c587 repz movsb
  15f:0040c589 jmp 40c6f8

After the call 40c617 (at 40c57f), the routine jumps to another place in the code. This call 40c617 handles bytes (moves some bytes of the proggy to another place in the code): the unpacking has started... We also note this place in the code. We still have not seen anything that looks like our entry point (400000...). We continue the trace and land on this:

  Disassembly 3
  15f:0040c6f8 pop edi
  15f:0040c6f9 lea esi,[ebp+004075ed]
  15f:0040c6ff mov eax,[ebp+0040728b]
  15f:0040c705 add [ebp+004074ae],eax
  15f:0040c70b push edi ----------- beginning of the loop
  15f:0040c70c lodsd
  15f:0040c70d or eax,eax --------- loop end?
  15f:0040c70f jz 0040c72e --------- yeah! we jump to 40c72e
  ------ cut! -------
  15f:0040c72a pop esi
  15f:0040c72b pop edi
  15f:0040c72c jmp 0040c70b ---- return to the beginning of the loop

Arriving at this part of the code, you are taken into a loop. It starts at 40c70b and ends at 40c72c. As this loop is rather long, set a breakpoint at 40c7Φ (which corresponds to the end of the loop, see the comments in the listing): under SoftICE, type BPX 40c7Φ and start again with F5. SoftICE stops nicely at 40c7Φ. We continue unpacking the proggy by continuing the trace with F10. And finally, we arrive at this:

  Disassembly 4
  15f:0040c72e pop eax
  15f:0040c72f lea esi,[ebp+0040766d]
  15f:0040c735 lodsd ---------- loop beginning
  15f:0040c736 or eax,eax
  15f:0040c738 jz 0040c779 ----- go to the end of unpacking...
  15f:0040c73a add eax,[ebp+0040728b]
  --------- cut! ------------
  15f:0040c776 pop edi
  15f:0040c777 jmp 0040c735 ----- end of loop
  15f:0040c779 call 0040c848 ----- end of decompression!
  15f:0040c77e call 0040c7be ----- idem
  15f:0040c783 jae 40c7b6 -------- go to the entry point...
  --------- cut! ------------
  15f:0040c7b6 popad ------ restore the registers
  15f:0040c7b7 popfd ------ idem
  15f:0040c7b8 push 00401867 ------ ENTRY POINT!
  15f:0040c7bd ret

Tracing the proggy with F10, we again find ourselves in a loop, which starts at 40c735 and ends at 40c777. At 40c738 there is a conditional jump: it is this jump that marks the end of the loop (when the loop is finished, we jump to 40c7b6). To avoid tracing the whole loop, under SoftICE type BPX 40c779 and start again with F5. 40c779 is the address targeted by the jz 40c779... Arriving at 40c779, we fall on two calls (call 40c848 and call 40c7be) followed by a conditional jump. This conditional jump is taken and sends us to 40c7b6. At this place in the code, the registers saved on the stack are restored, and we notice a push 401867 followed by a ret: look no further, here is your original entry point... How do I know that?
I simply continued tracing the prog after this push and this ret, which brought me to 401867, where I could notice some calls to various APIs like GetModuleHandleA. This API is always present at the beginning of proggys running under Windows... We can easily deduce that push 401867 really is the original entry point... To check it, we will dump our proggy. BEFORE executing push 401867, type under SoftICE: A 40c7b8. We are in the SoftICE assembler, at the memory address of push 401867. Type JMP EIP in the assembler, and Escape to leave. Normally your push 401867 has been replaced by a JMP 40c7b8, so the proggy now loops in place and can be dumped...

Take ProcDump 1.5. Start by changing an option in ProcDump: in 'Options', choose 'Rebuild New Import Table'. We easily locate our proggy in the main screen of ProcDump. Right-click on it and choose 'Dump (Full)'. Give a name to our dump (dump.exe for example). But since our proggy is now unpacked, we must give it the original entry point, which was 401867, I recall. Still with ProcDump, go to 'PE Editor' and open our 'dump.exe'. ProcDump shows you 'Image Base': 400000. So our entry point is equal to: 401867-400000=1867. In the 'Entry Point' box of ProcDump, enter 1867. To check your dump, launch it: it should run without problem... Now you have an exe of 57Ko instead of the original 17Ko...

Step 2

We will write the script to automate all that with ProcDump... If you remember the decompression routine, several breakpoints have to be set so that ProcDump can unpack PECompact. Indeed, if you do a 'LOOK' on the last hex string of the unpacking routine (on the popfd and the push 00401867, at 40c7b7, see the last disassembly), ProcDump will not find this string because PECompact unpacks the proggy gradually: it is the same technique as for the PCSHRINK 0.71 beta script...
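The entry-point correction done in Step 1 (401867 - 400000 = 1867, typed into PE Editor) as an added Python example; this is not ProcDump's code, and the PE header it operates on is a constructed minimal header, not a real dump.

```python
import struct

IMAGE_BASE = 0x400000   # image base ProcDump's PE Editor reported for dump.exe

def rva_from_va(va, image_base=IMAGE_BASE):
    """Entry point RVA = virtual address - image base (401867 - 400000 = 1867)."""
    if va < image_base:
        raise ValueError("address lies below the image base")
    return va - image_base

def build_sample_pe(entry_rva=0, image_base=IMAGE_BASE):
    """Constructed minimal PE32 header (not a real program) to run the example on."""
    dos = bytearray(b"MZ") + bytearray(0x3E)               # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew -> PE signature
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)            # ImageBase
    return bytes(dos) + coff + bytes(opt)

def optional_header_offset(data):
    """Optional header = e_lfanew + 4-byte signature + 20-byte COFF header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20

def read_entry_point(data):
    """Return (AddressOfEntryPoint, ImageBase); handles PE32 and PE32+ layouts."""
    off = optional_header_offset(data)
    magic = struct.unpack_from("<H", data, off)[0]
    entry = struct.unpack_from("<I", data, off + 16)[0]
    if magic == 0x10B:                                     # PE32: ImageBase at +28
        base = struct.unpack_from("<I", data, off + 28)[0]
    elif magic == 0x20B:                                   # PE32+: ImageBase at +24
        base = struct.unpack_from("<Q", data, off + 24)[0]
    else:
        raise ValueError("unknown optional header magic")
    return entry, base

def set_entry_point(data, oep_va):
    """Write the OEP as an RVA: the same thing as typing 1867 into PE Editor."""
    off = optional_header_offset(data)
    _, base = read_entry_point(data)
    out = bytearray(data)
    struct.pack_into("<I", out, off + 16, rva_from_va(oep_va, base))
    return bytes(out)
```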
Some reminders on the various commands I used in this script:

LOOK: with this command ProcDump references the signature of the crypter or compressor. It searches for a hex string in the exe. If the string is found, that means it is the right script.
BP: with this command you set a breakpoint (same principle as in SoftICE) at the current memory address. This command is preceded by LOOK. You will understand in a few minutes.
STEP: this is the instruction with which you finish your script. STEP starts a step-by-step analysis of the code, which sometimes explains the slowness of the dump.
WALK: this command executes one instruction (in the proggy you are dumping).

When we trace the unpacking routine of PECompact, we arrive at 0040aab4 jmp EDI (see disassembly 1). I think it's a good place to set a first breakpoint with ProcDump. We will do a 'LOOK' on the string that interests us. We take the pop EDI that precedes jmp EDI, to be sure that ProcDump finds the right hex string. In hex, pop EDI and jmp EDI = 5F,FF,E7. So the beginning of the script is:

  L1=LOOK 5F,FF,E7 ---- seeks the hex string 5F,FF,E7
  L2=WALK ------------- executes one instruction
  L3=WALK ------------- idem
  L4=BP --------------- sets a breakpoint

I used the 'WALK' command to execute two instructions. Indeed, as we took one more instruction (pop EDI), we must execute 2 WALKs to find ourselves after jmp EDI and set our breakpoint at the right place. I mentioned above that at this time the proggy is not unpacked yet. Other breakpoints have to be set.

Step 3

For the second breakpoint, the second disassembly will be useful (see step 1). It is important to set our breakpoint after the call 40c617 (at 40c57f) because this call unpacks or moves some bytes. I chose to put my second breakpoint on the repz movsb (at 40c587) and the jmp 40c6f8 (at 40c589). These instructions are equal in hex to F3,A4,E9.

The continuation of the script is thus:

  L5=LOOK F3,A4,E9 ------ seeks F3,A4,E9 in hex
  L6=WALK --------------- executes one instruction
  L7=WALK --------------- idem
  L8=BP ----------------- sets a breakpoint

I won't come back to the WALKs; if you don't understand, go back to school... If you have read my tutorial on PCSHRINK 0.71, you think we have not yet done the 'LOOK' on the last instruction of the unpacking routine (0040c7b8 push 00401867), to find our original entry point. But ProcDump is incredible: it is not necessary to do another 'LOOK' or 'BP'... To recover the original entry point, just launch the step-by-step analysis (STEP) after the second BP...

The final script is:

--------------------------------------- cut here ------------------------
CAUTION! REMOVE ALL THE COMMENTS SO THAT THE SCRIPT RUNS! (-----blablabla...)
P1E=PECompact 0.975 b --- give a name and a number (P1E) to the script
[P1E=PECompact 0.975 b] ----- name of the script
L1=LOOK 5F,FF,E7 ------ seek 5F,FF,E7 in hex
L2=WALK --------------- execute one instruction
L3=WALK --------------- idem
L4=BP ----------------- set a breakpoint
L5=LOOK F3,A4,E9 ------ seek F3,A4,E9 in hex
L6=WALK --------------- execute one instruction
L7=WALK --------------- idem
L8=BP ----------------- set a breakpoint
L9=STEP --------------- step-by-step analysis
OPTL2=01010001 ----------- options set
OPTL3=01010001 ----------- by default for
OPTL4=00030000 ----------- this script ('Rebuild New
OPTL5=00000000 ----------- Import Table', etc...)
--------------------------------------- cut here ------------------------

It is to be added to 'script.ini' in the directory of ProcDump 1.5. Now you can unpack PECompact itself: it works very well! Note that this software is updated regularly, and the scripts are not exactly the same for the various versions.
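A small parser for the script format described above, as an added Python example that is not part of the original tutorial or of ProcDump: it reads the final 0.975 b script, checks the ordering rule stated in the text (a BP only after a LOOK, STEP last) and simulates each LOOK as a forward byte search over a constructed buffer standing in for the process image. That LOOK scans forward from the previous hit is an assumption made here, not something the tutorial documents.

```python
import re

# The final 0.975 b script from the tutorial, comments removed as the CAUTION line says.
SCRIPT = """[P1E=PECompact 0.975 b]
L1=LOOK 5F,FF,E7
L2=WALK
L3=WALK
L4=BP
L5=LOOK F3,A4,E9
L6=WALK
L7=WALK
L8=BP
L9=STEP
OPTL2=01010001
OPTL3=01010001
OPTL4=00030000
OPTL5=00000000
"""
# Constructed stand-in for the process image: 5F FF E7 at offset 16, F3 A4 E9 at offset 39.
SAMPLE_IMAGE = b"\x90" * 16 + b"\x5F\xFF\xE7" + b"\xCC" * 20 + b"\xF3\xA4\xE9" + b"\x00" * 8

def parse_commands(text):
    """Return the L<n>= lines as (opcode, signature bytes or None); name/OPTL lines are skipped."""
    commands = []
    for line in text.splitlines():
        line = line.split("---")[0].strip()   # tolerate the tutorial's "---" comments
        if re.match(r"L\d+=", line):
            op, _, arg = line.split("=", 1)[1].partition(" ")
            commands.append((op, bytes.fromhex(arg.replace(",", "")) if op == "LOOK" else None))
    return commands

def validate(commands):
    """Ordering rules from the text: BP only after a LOOK, known opcodes only, STEP last."""
    seen_look = False
    for op, _ in commands:
        seen_look |= op == "LOOK"
        if (op == "BP" and not seen_look) or op not in ("LOOK", "WALK", "BP", "STEP"):
            return False
    return bool(commands) and commands[-1][0] == "STEP"

def look_offsets(commands, image):
    """Simulate each LOOK as a forward byte search; None if a signature is missing."""
    pos, hits = 0, []
    for op, sig in commands:
        if op == "LOOK":
            pos = image.find(sig, pos)
            if pos < 0:
                return None
            hits.append(pos)
            pos += len(sig)
    return hits
```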
For example, here is the script for version 0.971 b:

--------------------------------------- cut here ------------------------
P1F=PECompact 0.971 b
[P1F=PECompact 0.971 b]
L1=LOOK 5A,FF,E2
L2=WALK
L3=WALK
L4=BP
L5=LOOK F3,A4,E9
L6=WALK
L7=WALK
L8=BP
L9=STEP
OPTL2=01010001
OPTL3=01010001
OPTL4=00030000
OPTL5=00000000
--------------------------------------- cut here ------------------------

I used exactly the same technique as for the 0.975 b script... If you have any questions, remarKs or critiKs, or just contaKts, you can send me a mail: the link is at the bottom left... I take this moment to thank the people who, like me, come from the 'OLd SChoOL': Xor, Syntax ERRoR, Virus, Dr Felix, AcE, Syndrome, the fanzines Disc Full, Micro Mag & Press Fire, DraPeAu NOiR, without forgetting my two friends FoRcE ONe and ANtoinE... The Amstrad CPC was a very cool world, especially the scene! It was 11 years ago... CpC RuLLLEEEEEZZZZZZZZZZZ!

TaMaMBoLo/SamSouL CRackIng CReW