(BEST VIEWED WITH WORDWRAP ENABLED & FONT = COURIER, SIZE = 10)

ARTeam - Visit: http://cracking.accessroot.com

APIS32 - API Spy 2.5

AUTHOR       : FERRARI
PROTECTION   : Petite 1.2, NAG
TARGET FILE  : apis32.exe
TARGET URL   : http://grinders.withernsea.com/tools/apis3225.rar
OS           : WINDOWS ALL
RELEASE DATE : 5.03.2004
TOOLS USED & TARGET SOFTWARE
============================

OllyDbg :- http://grinders.withernsea.com/tools/odbg110b1.rar
LordPE  :- http://grinders.withernsea.com/tools/LPE-DLX.rar
PEiD    :- http://www.grinders.withernsea.com/tools/PEiD_v0.91.rar
IMPrec  :- http://www.grinders.withernsea.com/tools/imprec_v1.6_final.rar
APIS32  :- http://grinders.withernsea.com/tools/apis3225.rar

===============================================================================================
STEP 1: UNPACKING THE TARGET PACKED WITH PETITE 1.2
===============================================================================================

This is my first tut on unpacking a packed 'EXE'. I followed a tut by R@dier on unpacking an 'unpackme' packed with Petite 2.2, so the method is similar. Okay dude, so let's start ;-)

A PEiD hardcore scan shows that it's packed with PEtite 1.2. Open the target 'apis32.exe' in our favourite debugger, OllyDbg :-) You'll get an Entry Point alert; click OK. Now you will land here. We have to locate the OEP (Original Entry Point).

00418000 > 66:9C          PUSHFW                  <---- You are here
00418002   60             PUSHAD
00418003   E8 CA000000    CALL apis32.004180D2

Hit F7 twice to step into the CALL above. You will land here.

004180D2   58             POP EAX                 ; apis32.00418008 <---- land here
004180D3   2C 08          SUB AL,8
004180D5   50             PUSH EAX

Okay, now again hit F7 twice and execute the above PUSH. Now note down the values of ESP and EDI in the 'Registers (FPU)' window on the right-hand side.

EAX 00418000
ECX 0012FFB0
EDX 7FFE0304
EBX 7FFDF000
ESP 0012FFA2                          <---- Note down
EBP 0012FFF0
ESI FFFFFFFF
EDI 77D5B720 USER32.77D5B720          <---- Note down

Now click in the hex dump window at the bottom left-hand side. Hit Ctrl+G, enter the ESP value 0012FFA2 and click OK.
0012FFA2  |20 B7| D5 77 FF FF FF FF   ??w????

Select only '20 B7', since you can see it is the low word of EDI = 77D5|B720|. After selecting it, right click on it --> Breakpoint --> Hardware, on access --> Word. Now hit Shift+F9 and you will land here. We are now near the OEP :-)

004195D0   66:9D          POPFW
004195D2 - E9 89CDFEFF    JMP apis32.00406360     <---- This is our OEP
004195D7 - E9 5BE3FEFF    JMP apis32.00407937

You may ask how I know this is the OEP. While at 004195D0, if you hit F7 and execute the JMP you will land here.

00406360   55             DB 55                   ; CHAR 'U'
00406361   8B             DB 8B
00406362   EC             DB EC
00406363   6A             DB 6A                   ; CHAR 'j'
00406364   FF             DB FF
00406365   68             DB 68                   ; CHAR 'h'

Hey, what is this? Okay dude, don't get excited: Olly has not analyzed this code. So hit Ctrl+A to analyze and you should see this.

00406360 /. 55             PUSH EBP               <---- see this
00406361 |. 8BEC           MOV EBP,ESP            <---- see this
00406363 |. 6A FF          PUSH -1
00406365 |. 68 08924000    PUSH apis32.00409208
0040636A |. 68 88624000    PUSH apis32.00406288   ; SE handler installation

OEPs are recognized by:

PUSH EBP
MOV EBP,ESP

Okay, now get back to 004195D0 66:9D POPFW by pressing the minus key. While at this address, minimize (don't close) Olly and open LordPE. Scroll down, select the program --> right click --> Full Dump --> Save.

Now we have to fix the IAT (Import Address Table) of our dumped.exe. Run ImpREC (ImportREC.exe). At the top you see 'Attach to an Active Process': open the drop-down menu and select our program. At the bottom you see OEP; enter this value in the box:

OEP - Base = 406360 - 400000 = 6360

Now click 'IAT AutoSearch' --> 'Get Imports'. You see that all the imported functions are valid, so there are no invalid functions to fix here :-) If there were any invalid functions you would have to click 'Auto Trace' to fix them, but in this case there are none.
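As an added example (my own script, not part of the tutorial), the two checks just described can be reproduced offline on bytes copied from the listings: decode the rel32 JMP at the end of the stub to see where control is handed to the unpacked code, confirm that the target starts with the PUSH EBP / MOV EBP,ESP prologue, and compute the OEP - Base value that ImpREC asks for. The sample byte strings and the image base 00400000 are taken from the listings above; all function names are mine.

```python
import struct

IMAGE_BASE = 0x400000                 # apis32.exe image base (from OEP - Base = 6360)
PROLOGUE = bytes.fromhex("558bec")   # PUSH EBP ; MOV EBP,ESP

# Constructed sample bytes copied from the two listings in the tutorial.
# Tail of the Petite stub at 004195D0: POPFW ; JMP 00406360 ; JMP 00407937
STUB_VA = 0x4195D0
STUB = bytes.fromhex("669d" "e989cdfeff" "e95be3feff")
# Start of the unpacked code at 00406360: PUSH EBP ; MOV EBP,ESP ; PUSH -1 ; PUSH ; PUSH
CODE_VA = 0x406360
CODE = bytes.fromhex("55" "8bec" "6aff" "6808924000" "6888624000")


def va_to_rva(va, image_base=IMAGE_BASE):
    """Convert a virtual address to an RVA: the 'OEP - Base' value ImpREC expects."""
    if va < image_base:
        raise ValueError(f"{va:#x} is below the image base {image_base:#x}")
    return va - image_base


def jmp_rel32_target(blob, blob_va, at_va):
    """Decode an E9 rel32 JMP located at at_va inside blob (which starts at blob_va)
    and return its destination VA, or None if the bytes there are not such a JMP."""
    off = at_va - blob_va
    if off < 0 or off + 5 > len(blob) or blob[off] != 0xE9:
        return None
    rel = struct.unpack_from("<i", blob, off + 1)[0]   # signed 32-bit displacement
    return (at_va + 5 + rel) & 0xFFFFFFFF             # relative to the next instruction


def find_prologues(blob, blob_va):
    """Return every VA in blob where the standard PUSH EBP ; MOV EBP,ESP prologue starts."""
    hits, pos = [], blob.find(PROLOGUE)
    while pos != -1:
        hits.append(blob_va + pos)
        pos = blob.find(PROLOGUE, pos + 1)
    return hits


def candidate_oep(stub, stub_va, code, code_va):
    """Follow the first JMP in the stub whose target begins with a prologue."""
    for off in range(len(stub)):
        tgt = jmp_rel32_target(stub, stub_va, stub_va + off)
        if tgt is not None and tgt in find_prologues(code, code_va):
            return tgt
    return None


if __name__ == "__main__":
    oep = candidate_oep(STUB, STUB_VA, CODE, CODE_VA)
    print(f"OEP {oep:#010x}  OEP - Base = {va_to_rva(oep):#x}")
```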
Now click 'Fix Dump' --> select our 'dumped.exe' that we dumped with LordPE --> click Open --> it will be saved as 'dumped_.exe' --> Done :-) Finally, to reduce the size of dumped_.exe you can use LordPE's Rebuild PE feature. Congrats, your target is now unpacked. So let's move on to crack it ;-)

===============================================================================================
STEP 2: PATCHING OUR TARGET TO REMOVE REGISTER NAG
===============================================================================================

Okay, rename our packed target to apis32.bak and rename dumped_.exe to apis32.exe. Load the target in Olly and this time there are no Entry Point messages :-) Now hit F9 to run the program. You see a shareware reminder NAG screen. We'll use the call stack method. So back in Olly hit F12 and then Alt+K. You see this:

Call stack of main thread
Address   Stack     Procedure / arguments            Called from          Frame
0012F728  77D43FBE  Includes 7FFE0304                USER32.77D43FBC      0012F75C
0012F72C  77D487A7  USER32.WaitMessage               USER32.77D487A2      0012F75C
0012F760  77D4F58C  USER32.77D48607                  USER32.77D4F587      0012F75C
0012F788  77D6AAAE  USER32.77D4F4D8                  USER32.77D6AAA9      0012F784
0012FA40  77D6AC40  ? USER32.SoftModalMessageBox     USER32.77D6AC3B      0012F9C8
0012FB88  77D6ADCC  ? USER32.77D6AB06                USER32.77D6ADC7      0012FB10
0012FBDC  77D6AE8A  USER32.MessageBoxTimeoutW        USER32.77D6AE85      0012FBD8
0012FC10  77D6AE17  ? USER32.MessageBoxTimeoutA      ...