Theme: manual unpacking
Packer: Petite v2.3 by Ian Luck
Author: SMoKE
Tools: OllyDbg, ImpRec, OllyDump (or some other dumper)
URL: don't remember :)
Target: Petite v2.3 (petgui.exe)

Hi, this time I'll show you how to manually unpack a Petite v2.3 packed program. I noticed it a few days ago, downloaded it and tried... I don't usually do tutorials (lazyyyy....), but will today :)

As target we can take the packer itself. PEiD v0.93 says "PEtite 2.2 -> Ian Luck", but it's packed with version 2.3 (I hope at least :P).

Let's start... First load it in your Olly and disable all checkboxes in the Exceptions tab of the debugger options...

    004E3046 MOV EAX, PETGUI.004E3000
    004E304B PUSH PETGUI.004164E3
    004E3050 PUSH DWORD PTR FS:[0]
    004E3057 MOV DWORD PTR FS:[0], ESP

Now we see that the program installs an exception handler at address 4164E3; let's check it out. Type D 4164E3 (or CTRL+G -> 4164E3 in the code window):

    004164E3 ADD BYTE PTR DS:[EAX], AL
    004164E5 ADD BYTE PTR DS:[EAX], AL
    004164E7 ADD BYTE PTR DS:[EAX], AL
    004164E9 ADD BYTE PTR DS:[EAX], AL
    004164EB ADD BYTE PTR DS:[EAX], AL

It's empty (all zero bytes, which disassemble as ADD [EAX], AL), which means the loader will fill it in later. (If an exception occurs before the loader has filled it, the program will crash hehe :)) Let's find where it gets filled. Go to 4164E3, right click -> Breakpoint -> Memory, on access, and press F9. The breakpoint triggers here:

    004E3133 XOR EDX, EDX
    004E3135 XOR ECX, ECX
    004E3137 MOVS BYTE PTR ES:[EDI], BYTE PTR DS:[ESI]    ; writing to 4164E3 !
    004E3138 XOR BYTE PTR DS:[EDI-1], BL
    004E313B DEC EBX

This is the first write. Hit F9 several times (or just put a simple breakpoint somewhere here) and watch address 4164E3 in the hex dump window; you will see how it gets filled.
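As an added example (my own code, not part of SMoKE's tutorial or of Petite), here is a small Python scanner that recognises the four-instruction entry stub listed above by its opcode bytes and pulls out the pushed handler address, so you know where to put the breakpoint before you even run the file. It assumes the standard x86 encoding of those four instructions (B8 imm32, 68 imm32, 64 FF 35 00000000, 64 89 25 00000000); the sample buffer is constructed from the tutorial's listing, and the wildcard signature is mine, not PEiD's.

```python
import struct

# Constructed sample: the Petite v2.3 entry stub from the tutorial, encoded as
# x86 bytes and padded with filler so the scan has something to skip over.
#   B8 imm32        MOV EAX, 004E3000        (pointer to the packed data)
#   68 imm32        PUSH 004164E3            (address of the SEH handler)
#   64 FF 35 00..   PUSH DWORD PTR FS:[0]
#   64 89 25 00..   MOV DWORD PTR FS:[0], ESP
SAMPLE_CODE = (
    b"\x90" * 16                                  # filler (NOPs)
    + b"\xB8\x00\x30\x4E\x00"
    + b"\x68\xE3\x64\x41\x00"
    + b"\x64\xFF\x35\x00\x00\x00\x00"
    + b"\x64\x89\x25\x00\x00\x00\x00"
)

# PEiD-style byte signature; None is a wildcard for the two immediates.
PETITE_ENTRY_SIG = (
    [0xB8] + [None] * 4
    + [0x68] + [None] * 4
    + [0x64, 0xFF, 0x35, 0x00, 0x00, 0x00, 0x00]
    + [0x64, 0x89, 0x25, 0x00, 0x00, 0x00, 0x00]
)


def match_at(buf, off, sig):
    """True if sig (with None wildcards) matches buf at offset off."""
    if off + len(sig) > len(buf):
        return False
    return all(s is None or buf[off + i] == s for i, s in enumerate(sig))


def find_petite_stub(buf):
    """Scan buf for the entry stub. Returns (offset, packed_ptr, seh_handler)
    or None; seh_handler is the VA to break on (4164E3 in the tutorial)."""
    for off in range(len(buf) - len(PETITE_ENTRY_SIG) + 1):
        if match_at(buf, off, PETITE_ENTRY_SIG):
            packed_ptr = struct.unpack_from("<I", buf, off + 1)[0]
            seh_handler = struct.unpack_from("<I", buf, off + 6)[0]
            return off, packed_ptr, seh_handler
    return None


if __name__ == "__main__":
    hit = find_petite_stub(SAMPLE_CODE)
    if hit:
        off, packed_ptr, handler = hit
        print(f"stub at +0x{off:X}: packed data {packed_ptr:08X}, SEH handler {handler:08X}")
```

Run it over the raw bytes of the entry point section of a suspect file to get the handler address without stepping through the stub in the debugger.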
The last time the break will occur is at

    004E3137 MOVS BYTE PTR ES:[EDI], BYTE PTR DS:[ESI]

After that the program deliberately generates an exception in order to jump into its exception handler. So at that point put a breakpoint on the exception handler (go to 4164E3 and press F2), then press SHIFT+F9 and you are at the beginning of the exception handler:

    004164E3 CALL PETGUI.00416537

Trace into it (F7)...

    00416537 XOR EAX, EAX
    00416539 POP ESI
    0041653A MOV EBX, DWORD PTR FS:[EAX]
    0041653D MOV EBX, DWORD PTR DS:[EBX]
    0041653F LEA ESP, DWORD PTR DS:[EBX-2A]
    00416542 POP EBP
    00416543 LEA ECX, DWORD PTR DS:[ESI+2CB]
    00416549 MOV DWORD PTR DS:[EBX+4], ECX
    0041654C MOV DWORD PTR FS:[0], EBX

This code is very important: it restores the stack (ESP) and sets up the next SEH frame, so your next exception handler will be at the address ECX holds after the LEA ECX, DWORD PTR DS:[ESI+2CB] instruction, which is 4167B3. Simply set a breakpoint at that address. Trace... and here you are, where the loader generates the next exception:

    0041657B JMP EAX    ; EAX = 0 !

It tries to jump to address 00000000. Press SHIFT+F9 again and you are at the start of the next exception handler...

    004167B3 XOR EAX, EAX
    004167B5 MOV EBX, DWORD PTR FS:[EAX]
    004167B8 MOV EBX, DWORD PTR DS:[EBX]
    004167BA LEA ESP, DWORD PTR DS:[EBX-52]
    004167BD POPAD
    004167BE CMP DWORD PTR DS:[ESI], 0

Trace again and you will finally land here...

    0041657D POP EBX
    0041657E POP EDX
    0041657F POP DWORD PTR FS:[0]
    00416586 POP EAX
    00416587 PUSH 3
    00416589 PUSH EBX
    0041658A XOR EBX, EBX

Then you will see that here comes some kind of checksum calculation over the code and the PE header; if there is a mismatch, a message box is shown with the text

    -------------------------------------
    This file has been tampered with and MAY BE INFECTED BY A VIRUS!
    -------------------------------------

(Btw, you can patch the checksum jumps if you're going to do some inline patching of your proggie.) After the checksum passes comes the import table patching, and finally we reach this code:

    0041682A POP ECX
    0041682B POP ESI
    0041682C STD
    0041682D XOR EAX, EAX
    0041682F MOV ECX, 357
    00416834 CALL petgui.004E303D

Trace into the last call (it's self-modifying...):

    004E303D POP EDI
    004E303E REP STOS BYTE PTR ES:[EDI]
    004E3040 POPAD
    004E3041 POPFW
    004E3043 ADD ESP, 8
    004E3046 JMP petgui.0040D0D7

And here you go.... this is the jump to the original entry point; in this case OEP = 40D0D7. Jump to the OEP and dump it without import rebuilding. (Now you can remove the last section from the dumped file, since it's useless anymore, and decrease the output file size.)

Close OllyDbg and run the packed file (petgui.exe). Run ImpRec and choose that process; in the OEP edit box type D0D7 and press IAT AutoSearch, then press Get Imports. Now you will see some invalid imports: press Show Invalid, right click on an invalid function and select Trace Level1 (2 and 3 should work too, I guess) from the menu, repeating until you get no more invalid functions. Press Fix Dump and choose your dumped file... Congrats, you just manually unpacked Petite v2.3 :)

That's it. I know that I explained all this process in very bad and quick English... forgive me mastah, I can't do tutorials very well :)

0:55 10.04.2005
freenet.am/~softland
smoke@freenet.am

P.S. Hey, I found the URL, it was in the Petite window :P http://www.un4seen.com/petite/