an automatik script for Procdump (PECompact) by Samsoul
How to write an automatik script for Procdump?
Tools: Procdump 1.5 (http://Procdump32.cjb.net)
: Softice 4.1 (http://crackfr.cjb.net)
: PECompact 0.975b (http://Protools.com or http://Pecompact.cjb.net)
: Brain/Ganja (yup ! if u like it!)
Today we will see how to write a script for ProcDump. If you have already read my tutorial for ProcDump (PCSHRINK 0.71 Beta...),
the technique used to write this script is similar. I already traced the PECompact unpacking routine with Softice to see how
it works, so I located, in that same routine, the places where I could set the breakpoints for ProcDump.
Step 1
Take Symbol Loader and open PECompact. Trace the proggy by pressing F10. Quickly we arrive at this:
Disassembly 1
15f:0040aab1 repz movsd
15f:0040aab3 pop EDI
15f:0040aab4 jmp EDI
We are at the beginning of the routine, so the jmp EDI (at 40aab4) does not yet jump to the unpacked prog; the unpacking of the
proggy has to continue. But note the address of this jmp EDI, because we will need it... Continuing the trace with the F10 key,
we arrive at this:
Disassembly 2
15f:0040c57f call 40c617
15f:0040c584 xchg eax,ecx
15f:0040c585 pop esi
15f:0040c586 pop EDI
15f:0040c587 repz movsb
15f:0040c589 jmp 40c6f8
After the call 40c617 (at 40c57f), the routine jumps to another place in the code. This call 40c617 manipulates bytes (it moves
some bytes of the proggy to another place in memory): the unpacking has started... We also note this place in the code.
We still have not seen anything that resembles our entry point (400000...). We continue the trace and land on this:
Disassembly 3
15f:0040c6f8 pop edi
15f:0040c6f9 lea esi,[ebp+004075ed]
15f:0040c6ff mov eax,[ebp+0040728b]
15f:0040c705 add [ebp+004074ae],eax
15f:0040c70b push edi ----------- beginning of the loop
15f:0040c70c lodsd
15f:0040c70d or eax,eax --------- loop end ?
15f:0040c70f jz 0040c72e --------- Yeah! we jump to 40c72e
------ cut ! -------
15f:0040c72a pop esi
15f:0040c72b pop edi
15f:0040c72c jmp 0040c70b ---- return to beginning of loop
On reaching this part of the code, you are caught in a loop. It starts at 40c70b and ends at 40c72c. As this loop is rather
long, put a breakpoint at 40c7Φ (which corresponds to the end of the loop, see comments): under Softice, type BPX 40c7Φ and
resume with F5. Softice breaks at 40c7Φ. We continue unpacking the proggy by carrying on the trace with F10.
And finally, we arrive at this:
Disassembly 4
15f:0040c72e pop eax
15f:0040c72f lea esi,[ebp+0040766d]
15f:0040c735 lodsd ---------- loop beginning
15f:0040c736 or eax,eax
15f:0040c738 jz 0040c779 ----- go to unpacking end...
15f:0040c73a add eax,[ebp+0040728b]
--------- cut ! ------------
15f:0040c776 pop edi
15f:0040c777 jmp 0040c735 ----- end of loop
15f:0040c779 call 0040c848 ----- decrunching end!
15f:0040c77e call 0040c7be ----- idem
15f:0040c783 jae 40c7b6 -------- go to Entry point...
--------- cut ! ------------
15f:0040c7b6 popad ------ recover registers
15f:0040c7b7 popfd ------ idem
15f:0040c7b8 push 00401867 ------ ENTRY POINT !
15f:0040c7bd ret
Tracing the proggy with the F10 key, we again find ourselves in a loop, which starts at 40c735 and ends at 40c777. At 40c738
there is a conditional jump: it is this jump that marks the end of the loop (when the loop is finished, we jump to 40c7b6). To
avoid tracing the whole loop, under Softice type BPX 40c779 and resume with F5. 40c779 corresponds to the address targeted by the
jz 40c779... Arriving at 40c779, we land on two calls (call 40c848 and call 40c7be) followed by a conditional jump. This
conditional jump is taken and sends us to 40c7b6. At this place in the code, the registers that were saved on the stack are
restored, and we notice a Push 401867 followed by a Ret: look no further, here is your original entry point... How do I know that?
I quite simply continued tracing the prog after this push and this ret, which brought me to 401867, where I could note some calls
to various APIs such as GetModuleHandleA. This API is always present at the beginning of proggys running under Windows...
We can easily deduce that Push 401867 is indeed the original entry point... To check it, we will dump our proggy. BEFORE
executing Push 401867, type under Softice: A 40c7b8. We are now in the Softice ASM editor, at the memory address corresponding
to Push 401867. Type JMP EIP in the ASM editor, then Escape to leave. Normally your Push 401867 has now given way to a
JMP 40c7b8 (the program loops on itself instead of running its entry point)... Take ProcDump 1.5. Start by changing an option in
ProcDump: in 'Options', choose 'Rebuild New Import Table'. We easily locate our proggy in the main ProcDump window. Right-click
on it and choose the option 'Dump (Full)'. Give a name to our dump (dump.exe for example). But since our proggy is unpacked, we
must give it the original entry point, which was 401867, I recall. Still in ProcDump, go to 'PE Editor' and open our 'dump.exe'.
ProcDump shows you 'Image Base': 400000. Therefore our entry point is equal to: 401867-400000=1867. In the 'Entry Point' box of
ProcDump enter 1867. To check your dump, launch it: it should run without problem... Now you have an exe of 57 KB instead of
the original 17 KB...
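The last part of Step 1 (reading 'Image Base' from the dump and writing Entry Point = 401867-400000 = 1867) is what ProcDump's PE Editor does by hand. The following is an added example, not part of the original tutorial and not ProcDump's code: it reads ImageBase and AddressOfEntryPoint from a PE32 header, converts the original entry point seen in the debugger (a virtual address) to the RVA the header needs, and rewrites the dump. The minimal PE header it builds for itself is constructed for the demonstration, and the packer entry value 0xC000 is a made-up placeholder, not a value taken from PECompact.

```python
import struct

# Fixed offsets from the PE/COFF format (assumption: a plain PE32 image, no PE32+).
E_LFANEW_OFFSET = 0x3C      # DOS header: file offset of the "PE\0\0" signature
COFF_HEADER_SIZE = 20       # IMAGE_FILE_HEADER size
OPT_ENTRY_POINT = 16        # optional header: AddressOfEntryPoint (an RVA)
OPT_IMAGE_BASE = 28         # optional header (PE32): ImageBase


def pe_optional_header_offset(data):
    """Return the file offset of the optional header, checking MZ and PE signatures."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return e_lfanew + 4 + COFF_HEADER_SIZE


def read_entry_and_base(data):
    """Return (AddressOfEntryPoint RVA, ImageBase) from a PE32 image."""
    opt = pe_optional_header_offset(data)
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry = struct.unpack_from("<I", data, opt + OPT_ENTRY_POINT)[0]
    base = struct.unpack_from("<I", data, opt + OPT_IMAGE_BASE)[0]
    return entry, base


def oep_rva(oep_va, image_base):
    """Convert the OEP seen in Softice (a VA such as 401867) to the RVA the header stores."""
    if oep_va < image_base:
        raise ValueError("entry point lies below the image base")
    return oep_va - image_base


def set_entry_point(data, oep_va):
    """Return a copy of the dump whose AddressOfEntryPoint is OEP - ImageBase."""
    _, base = read_entry_and_base(data)
    opt = pe_optional_header_offset(data)
    patched = bytearray(data)
    struct.pack_into("<I", patched, opt + OPT_ENTRY_POINT, oep_rva(oep_va, base))
    return bytes(patched)


def build_sample_pe(entry_rva, image_base):
    """Constructed minimal PE32 header (headers only, no sections) for the demo."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew)
    # Machine=i386, 0 sections, SizeOfOptionalHeader=224, Characteristics=EXE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, OPT_ENTRY_POINT, entry_rva)
    struct.pack_into("<I", opt, OPT_IMAGE_BASE, image_base)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # The raw dump still carries the packer's entry point (0xC000 is a made-up
    # placeholder); the OEP noted under Softice was 401867 with image base 400000.
    dump = build_sample_pe(entry_rva=0xC000, image_base=0x400000)
    fixed = set_entry_point(dump, 0x401867)
    print("new AddressOfEntryPoint: %#x" % read_entry_and_base(fixed)[0])
```

The check `oep_va < image_base` catches the usual mistake of typing the RVA where the VA is expected (or the other way round); ProcDump's PE Editor would happily accept 401867 as an RVA, which produces a dump that crashes on launch.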
Step 2
We will now write the script to automate all that with ProcDump... If you remember the unpacking routine, several breakpoints have
to be set so that ProcDump can unpack PECompact. Indeed, if you do a single 'LOOK' on the last hex string of the unpacking routine
(on the popfd and the push 00401867, at 40c7b7, see Disassembly 4), ProcDump will not find this string, because PECompact unpacks
the proggy gradually: it is the same technique as for the PCSHRINK 0.71 beta script... Some reminders about the various commands
I used for this script:
LOOK: this is the command with which ProcDump identifies the signature of the cryptor or compressor. It searches for a hexadecimal
string in the exe. If the string is found, this is the right script.
BP: with this command you set a breakpoint (same principle as in Softice) at the current memory address. This command is preceded
by LOOK. You'll understand in a few minutes.
STEP: this is the instruction with which you finish your script. STEP starts a step-by-step analysis of the code, which sometimes
explains the slowness of the dump.
WALK: this command executes one instruction (in the proggy that you are dumping).
When we trace the unpacking routine of PECompact, we arrive at 0040aab4 jmp EDI (see Disassembly 1). I think it's a good
place to set a first breakpoint with ProcDump. We will do a 'LOOK' on the string that interests us. We will take the pop EDI
that precedes jmp EDI, to be sure that ProcDump finds the right hex string. In hex, pop EDI and jmp EDI = 5F,FF,E7. So the
beginning of the script is:
L1=LOOK 5F,FF,E7 ---- seeks the hex string 5F,FF,E7
L2=WALK ------------- executes one instruction
L3=WALK ------------- idem
L4=BP --------------- sets a breakpoint
I used the 'WALK' command to execute two instructions. Indeed, as we took one extra instruction (pop EDI), we must execute 2
WALKs to be just after the jmp EDI and to set our breakpoint at the right place. I mentioned above that at this point the proggy is
not unpacked yet. It will be necessary to set other breakpoints.
Step 3
For the second breakpoint, Disassembly 2 will be useful to us (see step 1). It is important to set our breakpoint after the
call 40c617 (at 40c57f) because this call unpacks or moves some bytes. I chose to put my second breakpoint on the repz movsb (at
40c587) and the jmp 40c6f8 (at 40c589). In hex, these instructions are F3,A4,E9. The script therefore continues:
L5=LOOK F3,A4,E9 ------ seeks the hex string F3,A4,E9
L6=WALK --------------- executes one instruction
L7=WALK --------------- idem
L8=BP ----------------- sets a breakpoint
I won't go over the 'WALKs' again; if you don't understand, go back to school... If you read my tutorial on PCSHRINK 0.71, you may
think that we have not yet done the 'LOOK' on the last instruction of the unpacking routine (0040c7b8 push 00401867) to find our
original entry point. But ProcDump is incredible: it's not necessary to do another 'LOOK' or 'BP'... To recover the original entry
point, just launch the step-by-step analysis (STEP) after the second BP...
The final script is:
--------------------------------------- cut here------------------------
CAUTION! REMOVE ALL THE COMMENTS (the -----blablabla... parts) SO THAT THE SCRIPT RUNS!
P1E=PECompact 0.975 b ----- gives a name and a number (P1E) to the script
[P1E=PECompact 0.975 b] --- name of the script
L1=LOOK 5F,FF,E7 --------- seek the hex string 5F,FF,E7
L2=WALK ------------------ execute one instruction
L3=WALK ------------------ idem
L4=BP -------------------- set a breakpoint
L5=LOOK F3,A4,E9 --------- seek the hex string F3,A4,E9
L6=WALK ------------------ execute one instruction
L7=WALK ------------------ idem
L8=BP -------------------- set a breakpoint
L9=STEP ------------------ step-by-step analysis
OPTL2=01010001 ----------- options set
OPTL3=01010001 ----------- by default for
OPTL4=00030000 ----------- this script ('Rebuild New
OPTL5=00000000 ----------- Import Table', etc...)
--------------------------------------- cut here------------------------
It is to be added to 'script.ini' in the ProcDump 1.5 directory. Now you can unpack PECompact itself: it works very well! Note
that this software is updated regularly and the scripts are not quite the same for the different versions. For example, here is
the script for version 0.971b:
--------------------------------------- cut here------------------------
P1F=PECompact 0.971 b
[P1F=PECompact 0.971 b]
L1=LOOK 5A,FF,E2
L2=WALK
L3=WALK
L4=BP
L5=LOOK F3,A4,E9
L6=WALK
L7=WALK
L8=BP
L9=STEP
OPTL2=01010001
OPTL3=01010001
OPTL4=00030000
OPTL5=00000000
I simply used the same technique as for the version 0.975b script...
If you have any questions, remarKs or criticiKs, or just contaKts, you can send me a mail: the link is at the bottom left...
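The two scripts above differ only in the first LOOK string (5F,FF,E7 = pop edi / jmp edi for 0.975b, 5A,FF,E2 = pop edx / jmp edx for 0.971b), which is exactly how ProcDump tells the versions apart: the LOOK that matches decides which script applies. The following is an added example, not part of the original tutorial and not ProcDump's code: it parses script.ini sections of the form shown (the [Pxx=name] header, Ln=LOOK/WALK/BP/STEP lines, OPTLx options ignored) and runs the LOOK step of each script over a buffer, reporting where each hex string occurs. Only the LOOK step can be reproduced offline; WALK and BP act on the live process. The script text and the sample bytes are constructed for the demonstration; the sample is not a real PECompact stub, it merely contains the two 0.975b strings once each.

```python
import re

# Constructed script.ini text mirroring the two scripts from the tutorial
# (comments already removed, as the CAUTION line requires).
SCRIPT_INI = """\
P1E=PECompact 0.975 b
[P1E=PECompact 0.975 b]
L1=LOOK 5F,FF,E7
L2=WALK
L3=WALK
L4=BP
L5=LOOK F3,A4,E9
L6=WALK
L7=WALK
L8=BP
L9=STEP
OPTL2=01010001
OPTL3=01010001
P1F=PECompact 0.971 b
[P1F=PECompact 0.971 b]
L1=LOOK 5A,FF,E2
L2=WALK
L3=WALK
L4=BP
L5=LOOK F3,A4,E9
L6=WALK
L7=WALK
L8=BP
L9=STEP
"""

SECTION_RE = re.compile(r"\[P[0-9A-Fa-f]+=(.+)\]")
STEP_RE = re.compile(r"L(\d+)=(LOOK|WALK|BP|STEP)(?:\s+([0-9A-Fa-f]{2}(?:,[0-9A-Fa-f]{2})*))?")


def parse_scripts(text):
    """Parse [Pxx=name] sections into {name: [(step, command, hex_arg_or_None)]}.

    The bare 'Pxx=name' index line and OPTLx option lines are skipped; a LOOK
    without a hex string, or any other command with one, is rejected.
    """
    scripts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.fullmatch(line)
        if m:
            current = m.group(1).strip()
            scripts[current] = []
            continue
        m = STEP_RE.fullmatch(line)
        if m and current is not None:
            step, cmd, arg = int(m.group(1)), m.group(2), m.group(3)
            if (cmd == "LOOK") != (arg is not None):
                raise ValueError("%s: bad argument for L%d=%s" % (current, step, cmd))
            scripts[current].append((step, cmd, arg))
    return scripts


def look_bytes(arg):
    """'5F,FF,E7' -> b'\\x5f\\xff\\xe7'."""
    return bytes(int(b, 16) for b in arg.split(","))


def find_all(data, pattern):
    """Every offset at which pattern occurs in data (overlapping hits included)."""
    hits, start = [], 0
    while True:
        i = data.find(pattern, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def check_signatures(script, data):
    """For each LOOK step return (step, hex string, offsets found in data)."""
    return [(step, arg, find_all(data, look_bytes(arg)))
            for step, cmd, arg in script if cmd == "LOOK"]


def script_matches(script, data):
    """A script applies only if every LOOK string occurs exactly once: a LOOK
    that matches twice would leave the following BP address ambiguous."""
    return all(len(hits) == 1 for _, _, hits in check_signatures(script, data))


# Constructed sample: pop edi/jmp edi (5F FF E7) once and repz movsb + jmp rel32
# (F3 A4 E9 ...) once, padded with unrelated bytes. Not a real packer stub.
SAMPLE = bytes.fromhex("9090F3A55FFFE7CCCC915E5FF3A4E96A010000CC")


def identify(scripts, data):
    """Names of the scripts whose LOOK strings all match data exactly once."""
    return [name for name, script in scripts.items() if script_matches(script, data)]


if __name__ == "__main__":
    scripts = parse_scripts(SCRIPT_INI)
    for name, script in scripts.items():
        print(name, check_signatures(script, SAMPLE))
    print("applicable:", identify(scripts, SAMPLE))
```

With the constructed sample, the 0.975b script matches (offsets 4 and 12) and the 0.971b script does not, because 5A,FF,E2 is absent. The uniqueness rule in `script_matches` is the check worth keeping when you write your own scripts: a three-byte LOOK such as F3,A4,E9 is short enough to appear more than once in a large image, in which case a longer string (one more preceding instruction, as the tutorial does with pop EDI) is needed.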
I take this opportunity to thank the people who, like me, come from the 'OLd SChoOL': Xor, Syntax ERRoR, Virus, Dr Felix,
AcE, Syndrome, the fanzines Disc Full, Micro Mag & Press Fire, DraPeAu NOiR, without forgetting my two friends FoRcE ONe
and ANtoinE... Amstrad CPC was a very cool world, especially the environment! It was 11 years ago... CpC RuLL-
LEEEEEZZZZZZZZZZZ!
TaMaMBoLo/SamSouL CRackIng CReW