Cracking a packed exe. _packer: azpack: _program: AZPR 2.31.
by staier
(September 1999)

projunpa
Packers

Courtesy of reverser's pages of reverse engineering ~ slightly edited by reverser+
Cracking a packed exe. _packer: azpack: _program: AZPR 2.31.
	After  investigating the program with softice,procdump and IDA we  easily can find that
the program 'd be cracked at once  , (if unpacked).But what if we can not unpack the 
program?-Actually i could not-.The first  way is to make a  little program, and  patch the
target with WriteProcessMemory .

here i show you the source in Pascal, wich could be  compiled in any DELPHI32.

LISTING 1 "AZPRLOADER.DPR"


program azprloader; uses windows;// WIN32 API headers i:cardinal; const buf:array[0..4 ]of byte=($0,$0,$90,$90,$e3); {codes buffer BUF[0..1]- read bytes accumulator BUF[2..3]- NOP NOP -opcodes for writing BUF[4] -amother patch- jmp addr correction} const appname='azpr.exe';// target name var //structures ,defined in windows.pas(windows.h) sti:_startupinfoa; lpPi:_process_information; begin if not CreateProcess(nil,AppName,nil,nil,false, CREATE_NEW_CONSOLE or NORMAL_PRIORITY_CLASS,//attributes nil,nil,StartupInfo,//applications params lpPI)//returning attributes then begin messageboxa(0,'cannot find AZPR.exe','AZPRloader',0);//// no such a file exit; end; while (true )do//endless cycle if readprocessmemory(lppi.hprocess,pointer($40fbb5),@buf,2,i) then //read bytes if (buf[0]=$eb) and (buf[1]=5) then//if the bytes already unpacked(Jnz +5) begin writeprocessmemory(lppi.hProcess,pointer($40fbb5),@buf[2],2,i);//change to NOP NOP writeprocessmemory(lppi.hProcess,pointer($40fb78),@buf[4],1,i);//another patch closehandle(lppi.hprocess);//Close process handle exit; end; end.

EOLISTING .1
actually the skeleton of the program was decompiled from TNO loader for aspack packer
Now i will describe another approach ,rather universal too,It can be applied to huge quantity of programs either packet or not. The approach can be expressed in short as an "installation of new thread, wich controls target's thread(s)"

First
We need to find some detales :Imagebase, GetModuleHandleA @ GepProcAddress addresses and "kernel32.dll" string address.All these detales we can clearly see in IDA exellent disassembler.

Second
let us start hiew, and find entrypoint and some space for new code. the space can be fount at the end of file at .0016A96E so at the entrypoint, let us write a jump to our new code

.169000 jmp .0016A96E. -instead of pushad ; call 00000000;

Third
Now,let us be a compiler(assembler).

As the imagebase of program is 400000 , then the program will hardly be relocated to another address, so we can hardcode absolute addresses,in other case we'd have to ˛ţ extend relocation table after coding.

LISTING 2 "putch for the AZPR.exex"


.0016A96E: B860E80000 mov eax,00000E860 ; restore code .0016A973: A300905600 mov [000569000],eax ; at the .0016A978: C6050590560000 mov b,[000569005],000; entrypoint .0016A97F: 689C975600 push 00056979C ;'kernel32.dll'. .0016A984: 90 nop .0016A985: FF1590975600 call d,[000569790] ;GetModuleHandleA('kernel32.dll'). .0016A98B: 50 push eax ;save handle of kernel32.dll. .0016A98C: 6A44 push 044 ;ordinal 0x44-CreateThread. .0016A98E: 90 nop ; .0016A98F: 50 push eax ;'kernel32.dll'. .0016A990: FF158C975600 call d,[00056978C] ;GepProcAddress(kernlhandle,0x44L). .0016A996: A3C7A95600 mov [00056A9C7],eax ;save address of CreateThread. .0016A99B: 58 pop eax ;restore handle of kernel32.dll. .0016A99C: 6A6D push 06D ;ordinal 0x44-ExitThread. .0016A99E: 50 push eax ;kernel32.dll .0016A99F: FF158C975600 call d,[00056978C] ;GepProcAddress(kernlhandle,0x6dL); .0016A9A5: A3CBA95600 mov [00056A9CB],eax ;save ExitThread address. .0016A9AA: 68CF975600 push 0005697CF ;address for dword,returned from CreateThread; .0016A9AF: 6A00 push 000 .0016A9B1: 6A00 push 000 .0016A9B3: 68D3A95600 push 00056A9D3 ;our thread function .0016A9B8: 6A00 push 000 .0016A9BA: 6A00 push 000 .0016A9BC: FF15C7A95600 call d,[00056A9C7] ;CreateThread(0,0,threadhandler,0,0,&returned); .0016A9C2: E939E6FFFF jmp .000169000 ;jump to restored code at the entrypoint .0016A9C7: 1111 adc [ecx],edx ;this is not a command ,DWORD - CreateThread address .0016A9C9: 1111 adc [ecx],edx ; .0016A9CB: 2222 and ah,[edx] ;this is not a command ,DWORD - ExitThread address .0016A9CD: 2222 and ah,[edx] ; .0016A9CF: 3333 xor esi,[ebx] ;this is not a command,DWORD -returned .0016A9D1: 3333 xor esi,[ebx] ; ;new thread procedure DWORD winapi threadproc(void*); .0016A9D3: 66813DB5FB4000EB05 cmp w,[00040FBB5],005EB ;if bytes unpacked .0016A9DC: 75F5 jne .00016A9D3 ;no, repeat cmp .0016A9DE: 66C705B5FB40009090 mov w,[00040FBB5],09090 ;patch teh program jmp +05 to NOP NOP .0016A9E7: C60578FB40003E mov b,[00040FB78],03E ;another jmp address .0016A9EE: 6A00 push 000 .0016A9F0: FF15CBA95600 call d,[00056A9CB] ;Exit┼hread(0); .0016A9F6: C20400 retn 00004 ;return that's all,falks
(c) 1999 Staier from http://staier.cjb.net
You are deep inside reverser's page of reverse engineering, choose your way out:
redhomepage redlinks redsearch_forms red+ORC redhow to protect redacademy database
redreality cracking redhow to search redjavascript wars
redtools redanonymity academy redcocktails redantismut CGI-scripts redmail_reverser
redIs reverse engineering legal?