    
        ____                     __       __           
       /  _/_ _  __ _  ___  ____/ /____ _/ /            
      _/ //  ' \/  ' \/ _ \/ __/ __/ _ `/ /              
     /___/_/_/_/_/_/_/\___/_/  \__/\_,_/_/               
       ____                          __          __           
      / __ \___ ___ _______ ___  ___/ /__ ____  / /____   
     / /_/ / -_|_-</ __/ -_) _ \/ _  / _ `/ _ \/ __(_-<  
    /_____/\__/___/\__/\__/_//_/\_,_/\_,_/_//_/\__/___/  
                                                         
          Web: http://www.ImmortalDescendants.com        
                    Author: Volatility                   
                      Date: 08/17/99                     
            Topic: Quequero's Patience CrackMe           
                   (Manually Unpacking)                  
                Level: Beginner/Intermediate             
                                                         
      
       
        

INTRODUCTION:

This is a very simple crackme, as Quequero states in his readme file, but I chose to manually unpack 
it, because I had never tried unpacking a file packed with the Petite packer.  I'm not going to go 
into great detail about unpacking, and PE information... for more information, I suggest you read my 
essay "Manually Unpacking - ASPack v1.08.03" available at my website 
(http://www.ImmortalDescendants.com).

TOOLS NEEDED:

1. NuMega Soft-Ice (any version for windows)
2. uCF's ProcDump
3. GetTyp

THE ESSAY:

By reading the readme file included with the crackme, we know the program is packed (not by which 
packer yet).  We also know that we can't patch or disassemble the program.  We know we need to look 
for valid serial numbers, and some kind of "surprise" :)

With that information, our first step should be determining which packer the program is packed with, 
and then to manually unpack it.

GetTyp is a nice little program that determines which packer a program is packed with.  You can find 
it readily available on the web.  After opening the crackme with GetTyp, we get the following infor-
mation: "Packer: Petite 1.2".  Now we know which packer is used.

I had never tried to manually unpack a program packed with this packer, but was sure I could achieve 
it using the same methods I use to unpack ASPack packed programs.  I tested unpacking this program 
using ProcDump, and it works just fine... but I choose to manually unpack, as it's more interesting.

To manually unpack this program, we need to load it with Soft-Ice's Symbol Loader.  Choose "File", 
"Open Module" then "Module", "Load". Click "Yes" on the message box, then Soft-Ice will break.  The 
following is my Soft-Ice log.  I've commented all the lines you'll need to note:

BEGIN LOG FILE

015F:00405000  FFFF                INVALID  ** Break here
015F:00405002  60                  PUSHAD
015F:00405003  E8CA000000          CALL    004050D2

** Trace into above call (F8) to get into the unpacking routine

015F:004050D2  58                  POP     EAX  ** Land here inside call
015F:004050D3  2C08                SUB     AL,08
015F:004050D5  50                  PUSH    EAX
015F:004050D6  8BC8                MOV     ECX,EAX
015F:004050D8  8BD0                MOV     EDX,EAX
015F:004050DA  81C1C0D20000        ADD     ECX,0000D2C0
015F:004050E0  81C22F160000        ADD     EDX,0000162F
015F:004050E6  8920                MOV     [EAX],ESP
015F:004050E8  8BE1                MOV     ESP,ECX
015F:004050EA  50                  PUSH    EAX
015F:004050EB  812C2400500000      SUB     DWORD PTR [ESP],00005000
015F:004050F2  FF30                PUSH    DWORD PTR [EAX]
015F:004050F4  50                  PUSH    EAX
015F:004050F5  80042408            ADD     BYTE PTR [ESP],08
015F:004050F9  50                  PUSH    EAX
015F:004050FA  80042446            ADD     BYTE PTR [ESP],46
015F:004050FE  50                  PUSH    EAX
015F:004050FF  80042465            ADD     BYTE PTR [ESP],65
015F:00405103  50                  PUSH    EAX
015F:00405104  800424A1            ADD     BYTE PTR [ESP],A1
015F:00405108  50                  PUSH    EAX
015F:00405109  800424BF            ADD     BYTE PTR [ESP],BF
015F:0040510D  833A00              CMP     DWORD PTR [EDX],00
015F:00405110  0F84A7140000        JZ      004065BD             (NO JUMP)
015F:00405116  F70200000080        TEST    DWORD PTR [EDX],80000000
015F:0040511C  741B                JZ      00405139             (JUMP _)
015F:00405139  52                  PUSH    EDX
015F:0040513A  FF32                PUSH    DWORD PTR [EDX]
015F:0040513C  8B5A08              MOV     EBX,[EDX+08]
015F:0040513F  035C2420            ADD     EBX,[ESP+20]

** Get OEP from above line after looping once (explained later)

015F:00405143  53                  PUSH    EBX
015F:00405144  8B5A04              MOV     EBX,[EDX+04]
015F:00405147  035C2424            ADD     EBX,[ESP+24]
015F:0040514B  53                  PUSH    EBX
015F:0040514C  E84A000000          CALL    0040519B
015F:00405151  85C0                TEST    EAX,EAX
015F:00405153  741F                JZ      00405174             (NO JUMP)
015F:00405155  8B7C2404            MOV     EDI,[ESP+04]
015F:00405159  83C40C              ADD     ESP,0C
015F:0040515C  5A                  POP     EDX
015F:0040515D  8B4A0C              MOV     ECX,[EDX+0C]
015F:00405160  C1F902              SAR     ECX,02
015F:00405163  33C0                XOR     EAX,EAX
015F:00405165  F3AB                REPZ STOSD
015F:00405167  8B4A0C              MOV     ECX,[EDX+0C]
015F:0040516A  83E103              AND     ECX,03
015F:0040516D  F3AA                REPZ STOSB
015F:0040516F  83C210              ADD     EDX,10
015F:00405172  EB99                JMP     0040510D             (JUMP _)

** Stop here!

END LOG FILE

As you can see from the code above, we need to trace into the call at 00405003 to get into the un-
packing routine.  Once inside the call, simply trace through it, until you get to the final jump at 
00405172.  Execute this jump, and you'll be back at the beginning of the routine again. Trace again 
until you get to 0040513F.  Note the value of EBX here (should be 00401000).  This is the OEP (read 
the essay I mentioned for more info on this).

Now that we have the OEP, trace to the jump again, execute it again, and trace one final time to it.  
Now everything is unpacked in memory, so at 00405172 type:

a eip (hit enter)
jmp eip (hit enter)
(hit enter again)

Now we can Cntrl+D to get out of Soft-Ice.  Our program is unpacked in memory, so run ProcDump, find 
the program in the list of tasks, right click on it and choose "Dump (Full)".  Choose a new filena-
me, and save the dump.  Now right click on it again, and choose "Kill Task".  We now have an unpak-
ked copy of the program.  Check the file size of the original, and unpacked copy to verify this.

If you try to run the unpacked copy now, you'll get an error and the program will crash.  We need to 
change the entry point.  So, run ProcDump again, and choose "PE Editor".  Open the unpacked program, 
and change "Entry Point" to the value you wrote down from EBX.  This is calculated from OEP - Image 
Base... so, 00401000 - 00400000 = 00001000.  Change the Entry Point to 00001000, and the program 
runs!

The rest of the crack is simple, so I won't list that part of it here. Simply break on GetWindowTex-
tA and display the registers or open the program up in a hex editor, and look at the text :)

