Thinstall 2.5 - manually unpacking
Authored by: haggar on Sunday, January 15 2006 @ 09:58 PM CET
Hi and greetings!


This small tutorial is just an update to my Thinstall unpacking tutorial, but the text can be useful for a lot of other packers/protectors (ASPack, UPX, NsPack, Neolite...) that don't destroy the IAT information. It's very simple: there is a way to repair the IAT without using ImpREC. It takes a little more time, but you get a smaller and cleaner dump.


Actually, with Thinstall the fixing takes much less time, since we don't have to trace and find the imports. Thinstall uses the WriteProcessMemory API to write the values into the thunks, and I didn't find that out when I was unpacking it for the first time.

But that is not the subject of this small tutorial. Let's see it on an example. Check my earlier tutorial to see how to kill the Debug Blocker and how to find the OEP. When you have read that (or if you already know it), continue with this text. Are you ready? Yes, OK. The whole point is that Thinstall doesn't destroy the import information (the thunks, the hint/name entries and the image import descriptors), so if we prevent the thunks from being filled with resolved addresses, we can get a perfect dump. Let's see:


In our example we kill the debug blocker. Before that, we saw that one import jump points to its thunk:

004016F6 JMP DWORD PTR DS:[4050AC] ; USER32.CallWindowProcA

Place a memory breakpoint on access on 4050AC and run until you stop in the code that fills that block with bytes:

7FF89FF3 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS> <------ This one is filling!!!
7FF89FF5 FF2495 08A1F87F JMP DWORD PTR DS:[EDX*4+7FF8A108]
7FF89FFC 8BC7 MOV EAX,EDI ; Thinstal.004050AC
7FF89FFE BA 03000000 MOV EDX,3
7FF8A003 83E9 04 SUB ECX,4
7FF8A006 72 0C JB SHORT 7FF8A014
7FF8A008 83E0 03 AND EAX,3
7FF8A00B 03C8 ADD ECX,EAX
7FF8A00D FF2485 20A0F87F JMP DWORD PTR DS:[EAX*4+7FF8A020]
7FF8A014 FF248D 18A1F87F JMP DWORD PTR DS:[ECX*4+7FF8A118]
7FF8A01B 90 NOP
7FF8A01C -FF248D 9CA0F87F JMP DWORD PTR DS:[ECX*4+7FF8A09C]
7FF8A023 90 NOP
7FF8A024 30A0 F87F5CA0 XOR BYTE PTR DS:[EAX+A05C7FF8],AH
7FF8A02A F8 CLC


Place a breakpoint just below that REP MOVS, run until it hits, and then check the dump window. You will see the whole virgin import block, waiting for its thunks to be filled with API addresses (right now every thunk still holds the RVA of its hint/name entry):

00405000 14 55 00 00 00 00 00 00 DE 54 00 00 .U.......T..
0040500C EE 54 00 00 FA 54 00 00 CC 54 00 00 BE 54 00 00 .T...T...T...T..
0040501C A8 54 00 00 00 00 00 00 E8 55 00 00 F8 55 00 00 .T.......U...U..
0040502C 06 56 00 00 16 56 00 00 2A 56 00 00 66 54 00 00 .V...V..*V..fT..
0040503C 72 54 00 00 32 56 00 00 BC 53 00 00 CA 53 00 00 rT..2V...S...S..
0040504C D6 53 00 00 E4 53 00 00 F2 53 00 00 00 54 00 00 .S...S...S...T..
0040505C 14 54 00 00 22 54 00 00 30 54 00 00 3E 54 00 00 .T.."T..0T..>T..
0040506C 4E 54 00 00 5A 54 00 00 00 00 00 00 8C 54 00 00 NT..ZT.......T..
0040507C 00 00 00 00 8C 53 00 00 9E 53 00 00 7A 53 00 00 .....S...S..zS..
0040508C 6C 53 00 00 5C 53 00 00 4A 53 00 00 3E 53 00 00 lS..\S..JS..>S..
0040509C 30 53 00 00 1E 53 00 00 0E 53 00 00 02 53 00 00 0S...S...S...S..
004050AC 84 52 00 00 96 52 00 00 A8 52 00 00 B4 52 00 00 .R...R...R...R..
004050BC C6 52 00 00 D4 52 00 00 E4 52 00 00 F4 52 00 00 .R...R...R...R..
004050CC 00 00 00 00 CE 55 00 00 B4 55 00 00 A2 55 00 00 .....U...U...U..
004050DC 92 55 00 00 7A 55 00 00 6A 55 00 00 46 55 00 00 .U..zU..jU..FU..
004050EC 36 55 00 00 5C 55 00 00 00 00 00 00 00 00 00 00 6U..\U..........
004050FC 00 00 00 00 0C 52 00 00 00 00 00 00 00 00 00 00 .....R..........
0040510C B0 53 00 00 80 50 00 00 B0 51 00 00 00 00 00 00 .S...P...Q......
0040511C 00 00 00 00 7E 54 00 00 24 50 00 00 04 52 00 00 ....~T..$P...R..
0040512C 00 00 00 00 00 00 00 00 9C 54 00 00 78 50 00 00 .........T..xP..
0040513C 94 51 00 00 00 00 00 00 00 00 00 00 0A 55 00 00 .Q...........U..
0040514C 08 50 00 00 8C 51 00 00 00 00 00 00 00 00 00 00 .P...Q..........
0040515C 28 55 00 00 00 50 00 00 5C 52 00 00 00 00 00 00 (U...P..\R......
0040516C 00 00 00 00 DE 55 00 00 D0 50 00 00 00 00 00 00 .....U...P......
0040517C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040518C 14 55 00 00 00 00 00 00 DE 54 00 00 EE 54 00 00 .U.......T...T..
0040519C FA 54 00 00 CC 54 00 00 BE 54 00 00 A8 54 00 00 .T...T...T...T..
004051AC 00 00 00 00 E8 55 00 00 F8 55 00 00 06 56 00 00 .....U...U...V..
004051BC 16 56 00 00 2A 56 00 00 66 54 00 00 72 54 00 00 .V..*V..fT..rT..
004051CC 32 56 00 00 BC 53 00 00 CA 53 00 00 D6 53 00 00 2V...S...S...S..
004051DC E4 53 00 00 F2 53 00 00 00 54 00 00 14 54 00 00 .S...S...T...T..
004051EC 22 54 00 00 30 54 00 00 3E 54 00 00 4E 54 00 00 "T..0T..>T..NT..
004051FC 5A 54 00 00 00 00 00 00 8C 54 00 00 00 00 00 00 ZT.......T......
0040520C 8C 53 00 00 9E 53 00 00 7A 53 00 00 6C 53 00 00 .S...S..zS..lS..
0040521C 5C 53 00 00 4A 53 00 00 3E 53 00 00 30 53 00 00 \S..JS..>S..0S..
0040522C 1E 53 00 00 0E 53 00 00 02 53 00 00 84 52 00 00 .S...S...S...R..
0040523C 96 52 00 00 A8 52 00 00 B4 52 00 00 C6 52 00 00 .R...R...R...R..
0040524C D4 52 00 00 E4 52 00 00 F4 52 00 00 00 00 00 00 .R...R...R......
0040525C CE 55 00 00 B4 55 00 00 A2 55 00 00 92 55 00 00 .U...U...U...U..
0040526C 7A 55 00 00 6A 55 00 00 46 55 00 00 36 55 00 00 zU..jU..FU..6U..
0040527C 5C 55 00 00 00 00 00 00 13 00 43 61 6C 6C 57 69 \U........CallWi
0040528C 6E 64 6F 77 50 72 6F 63 41 00 8A 00 44 69 61 6C ndowProcA...Dial
0040529C 6F 67 42 6F 78 50 61 72 61 6D 41 00 AD 00 45 6E ogBoxParamA...En
004052AC 64 44 69 61 6C 6F 67 00 D0 00 47 65 74 41 63 74 dDialog...GetAct
004052BC 69 76 65 57 69 6E 64 6F 77 00 D5 00 47 65 74 43 iveWindow...GetC
004052CC 61 70 74 75 72 65 00 00 EC 00 47 65 74 43 75 72 apture....GetCur
004052DC 73 6F 72 50 6F 73 00 00 F1 00 47 65 74 44 6C 67 sorPos....GetDlg
004052EC 43 74 72 6C 49 44 00 00 F2 00 47 65 74 44 6C 67 CtrlID....GetDlg
004052FC 49 74 65 6D 00 00 24 01 47 65 74 50 61 72 65 6E Item..$.GetParen
0040530C 74 00 48 01 47 65 74 57 69 6E 64 6F 77 52 65 63 t.H.GetWindowRec
0040531C 74 00 63 01 49 6E 76 61 6C 69 64 61 74 65 52 65 t.c.InvalidateRe
0040532C 63 74 00 00 9D 01 4D 65 73 73 61 67 65 42 6F 78 ct....MessageBox
0040533C 41 00 C2 01 50 74 49 6E 52 65 63 74 00 00 D2 01 A...PtInRect....
0040534C 52 65 6C 65 61 73 65 43 61 70 74 75 72 65 00 00 ReleaseCapture..
0040535C E2 01 53 65 6E 64 4D 65 73 73 61 67 65 41 00 00 ..SendMessageA..
0040536C EB 01 53 65 74 43 61 70 74 75 72 65 00 00 F8 01 ..SetCapture....
0040537C 53 65 74 44 6C 67 49 74 65 6D 54 65 78 74 41 00 SetDlgItemTextA.
0040538C 1D 02 53 65 74 57 69 6E 64 6F 77 4C 6F 6E 67 41 ..SetWindowLongA
0040539C 00 00 22 02 53 65 74 57 69 6E 64 6F 77 54 65 78 ..".SetWindowTex
004053AC 74 41 00 00 75 73 65 72 33 32 2E 64 6C 6C 00 00 tA..user32.dll..
004053BC 1A 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 24 00 ..CloseHandle.$.
004053CC 43 6F 70 79 46 69 6C 65 41 00 30 00 43 72 65 61 CopyFileA.0.Crea
004053DC 74 65 46 69 6C 65 41 00 80 00 45 78 69 74 50 72 teFileA...ExitPr
004053EC 6F 63 65 73 73 00 F5 00 47 65 74 46 69 6C 65 53 ocess...GetFileS
004053FC 69 7A 65 00 09 01 47 65 74 4D 6F 64 75 6C 65 48 ize...GetModuleH
0040540C 61 6E 64 6C 65 41 00 00 67 01 47 6C 6F 62 61 6C andleA..g.Global
0040541C 41 6C 6C 6F 63 00 6E 01 47 6C 6F 62 61 6C 46 72 Alloc.n.GlobalFr
0040542C 65 65 00 00 72 01 47 6C 6F 62 61 6C 4C 6F 63 6B ee..r.GlobalLock
0040543C 00 00 79 01 47 6C 6F 62 61 6C 55 6E 6C 6F 63 6B ..y.GlobalUnlock
0040544C 00 00 F7 01 52 65 61 64 46 69 6C 65 00 00 9E 02 ....ReadFile....
0040545C 57 72 69 74 65 46 69 6C 65 00 BB 02 6C 73 74 72 WriteFile...lstr
0040546C 63 70 79 41 00 00 BF 02 6C 73 74 72 6C 65 6E 41 cpyA....lstrlenA
0040547C 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 ..kernel32.dll..
0040548C 67 00 53 68 65 6C 6C 45 78 65 63 75 74 65 41 00 g.ShellExecuteA.
0040549C 73 68 65 6C 6C 33 32 2E 64 6C 6C 00 2F 00 43 72 shell32.dll./.Cr
004054AC 65 61 74 65 46 6F 6E 74 49 6E 64 69 72 65 63 74 eateFontIndirect
004054BC 41 00 CD 00 47 65 74 4F 62 6A 65 63 74 41 00 00 A...GetObjectA..
004054CC DD 00 47 65 74 53 74 6F 63 6B 4F 62 6A 65 63 74 ..GetStockObject
004054DC 00 00 2E 01 53 65 6C 65 63 74 4F 62 6A 65 63 74 ....SelectObject
004054EC 00 00 35 01 53 65 74 42 6B 4D 6F 64 65 00 59 01 ..5.SetBkMode.Y.
004054FC 53 65 74 54 65 78 74 43 6F 6C 6F 72 00 00 67 64 SetTextColor..gd
0040550C 69 33 32 2E 64 6C 6C 00 0A 00 47 65 74 4F 70 65 i32.dll...GetOpe
0040551C 6E 46 69 6C 65 4E 61 6D 65 41 00 00 63 6F 6D 64 nFileNameA..comd
0040552C 6C 67 33 32 2E 64 6C 6C 00 00 AC 00 77 61 76 65 lg32.dll....wave
0040553C 4F 75 74 43 6C 6F 73 65 00 00 B5 00 77 61 76 65 OutClose....wave
0040554C 4F 75 74 47 65 74 50 6F 73 69 74 69 6F 6E 00 00 OutGetPosition..
0040555C B8 00 77 61 76 65 4F 75 74 4F 70 65 6E 00 B9 00 ..waveOutOpen...
0040556C 77 61 76 65 4F 75 74 50 61 75 73 65 00 00 BA 00 waveOutPause....
0040557C 77 61 76 65 4F 75 74 50 72 65 70 61 72 65 48 65 waveOutPrepareHe
0040558C 61 64 65 72 00 00 BB 00 77 61 76 65 4F 75 74 52 ader....waveOutR
0040559C 65 73 65 74 00 00 BC 00 77 61 76 65 4F 75 74 52 eset....waveOutR
004055AC 65 73 74 61 72 74 00 00 C0 00 77 61 76 65 4F 75 estart....waveOu
004055BC 74 55 6E 70 72 65 70 61 72 65 48 65 61 64 65 72 tUnprepareHeader
004055CC 00 00 C1 00 77 61 76 65 4F 75 74 57 72 69 74 65 ....waveOutWrite
004055DC 00 00 77 69 6E 6D 6D 2E 64 6C 6C 00 46 00 43 72 ..winmm.dll.F.Cr
004055EC 65 61 74 65 54 68 72 65 61 64 00 00 81 00 45 78 eateThread....Ex
004055FC 69 74 54 68 72 65 61 64 00 00 07 02 52 65 73 75 itThread....Resu
0040560C 6D 65 54 68 72 65 61 64 00 00 53 02 53 65 74 54 meThread..S.SetT
0040561C 68 72 65 61 64 50 72 69 6F 72 69 74 79 00 60 02 hreadPriority.`.
0040562C 53 6C 65 65 70 00 62 02 53 75 73 70 65 6E 64 54 Sleep.b.SuspendT
0040563C 68 72 65 61 64 hread

Now binary-copy that whole block and find the OEP. Then check the import block again and you will see changes: API addresses have been placed in the thunks, and some thunks point into the protector's code (those are the imports that would otherwise need fixing). In my tutorial I traced every single invalid import, but I wasn't thinking. There is an easier way. Binary-paste the block you copied before back into the same place, i.e. the import block must look exactly like the untouched, virgin one above. Then dump.

The dump will crash. The reason is only that the import information in the PE header is wrong: it is the old entry from the Thinstall wrapper, which does not describe our import block at all, so the Windows loader never resolves the thunks and the first API call jumps to an RVA instead of an address. We just need to enter the correct values with LordPE. Open LordPE, load the dump in the PE editor, click the Directories button and look at ImportTable. It has:

RVA: 0
Size: 0

We just need to enter the correct values. Now you need to read some PE format tutorial (Goppit wrote a very good one) and you'll know what to do. The RVA must point to the array of IMAGE_IMPORT_DESCRIPTORs, and the Size is the size of all of them plus the zero terminating one (every descriptor is 0x14 bytes: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk). In our dump the descriptor array starts at 00405100, right after the IAT:

00405100 0C 52 00 00 00 00 00 00 00 00 00 00 .R..........
0040510C B0 53 00 00 80 50 00 00 B0 51 00 00 00 00 00 00 .S...P...Q......
0040511C 00 00 00 00 7E 54 00 00 24 50 00 00 04 52 00 00 ....~T..$P...R..
0040512C 00 00 00 00 00 00 00 00 9C 54 00 00 78 50 00 00 .........T..xP..
0040513C 94 51 00 00 00 00 00 00 00 00 00 00 0A 55 00 00 .Q...........U..
0040514C 08 50 00 00 8C 51 00 00 00 00 00 00 00 00 00 00 .P...Q..........
0040515C 28 55 00 00 00 50 00 00 5C 52 00 00 00 00 00 00 (U...P..R......
0040516C 00 00 00 00 DE 55 00 00 D0 50 00 00 00 00 00 00 .....U...P......
0040517C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
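To check the values before typing them into LordPE, here is an added example (my own code, not from the original tutorial) that rebuilds the virgin import block from the dump rows shown above and walks it the way the Windows loader would: it follows the IMAGE_IMPORT_DESCRIPTOR array at 00405100 to its null terminator, which gives the Size, counts the thunks of every module, resolves each module's first import through its hint/name entry, and checks that the block really is virgin (every thunk still holds an RVA inside the image rather than a resolved API address). The image base of 00400000 is an assumption taken from the 0040xxxx addresses; the hex rows are used as printed, with the 12-byte IAT row placed at 00405000 (its bytes continue straight into the 0040500C row) and the descriptor array at 00405100, and any byte not present in the rows is assumed to be zero.

```python
import struct

IMAGE_BASE = 0x00400000  # assumed from the 0040xxxx addresses in the dump

# Rows copied from the OllyDbg dump above (ASCII column dropped): the whole
# virgin IAT, the IMAGE_IMPORT_DESCRIPTOR array at 00405100 and just enough of
# the hint/name area to resolve each DLL name and each module's first import.
DUMP_ROWS = """
00405000 14 55 00 00 00 00 00 00 DE 54 00 00
0040500C EE 54 00 00 FA 54 00 00 CC 54 00 00 BE 54 00 00
0040501C A8 54 00 00 00 00 00 00 E8 55 00 00 F8 55 00 00
0040502C 06 56 00 00 16 56 00 00 2A 56 00 00 66 54 00 00
0040503C 72 54 00 00 32 56 00 00 BC 53 00 00 CA 53 00 00
0040504C D6 53 00 00 E4 53 00 00 F2 53 00 00 00 54 00 00
0040505C 14 54 00 00 22 54 00 00 30 54 00 00 3E 54 00 00
0040506C 4E 54 00 00 5A 54 00 00 00 00 00 00 8C 54 00 00
0040507C 00 00 00 00 8C 53 00 00 9E 53 00 00 7A 53 00 00
0040508C 6C 53 00 00 5C 53 00 00 4A 53 00 00 3E 53 00 00
0040509C 30 53 00 00 1E 53 00 00 0E 53 00 00 02 53 00 00
004050AC 84 52 00 00 96 52 00 00 A8 52 00 00 B4 52 00 00
004050BC C6 52 00 00 D4 52 00 00 E4 52 00 00 F4 52 00 00
004050CC 00 00 00 00 CE 55 00 00 B4 55 00 00 A2 55 00 00
004050DC 92 55 00 00 7A 55 00 00 6A 55 00 00 46 55 00 00
004050EC 36 55 00 00 5C 55 00 00 00 00 00 00 00 00 00 00
004050FC 00 00 00 00 0C 52 00 00 00 00 00 00 00 00 00 00
0040510C B0 53 00 00 80 50 00 00 B0 51 00 00 00 00 00 00
0040511C 00 00 00 00 7E 54 00 00 24 50 00 00 04 52 00 00
0040512C 00 00 00 00 00 00 00 00 9C 54 00 00 78 50 00 00
0040513C 94 51 00 00 00 00 00 00 00 00 00 00 0A 55 00 00
0040514C 08 50 00 00 8C 51 00 00 00 00 00 00 00 00 00 00
0040515C 28 55 00 00 00 50 00 00 5C 52 00 00 00 00 00 00
0040516C 00 00 00 00 DE 55 00 00 D0 50 00 00 00 00 00 00
0040538C 1D 02 53 65 74 57 69 6E 64 6F 77 4C 6F 6E 67 41
004053AC 74 41 00 00 75 73 65 72 33 32 2E 64 6C 6C 00 00
0040547C 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00
0040548C 67 00 53 68 65 6C 6C 45 78 65 63 75 74 65 41 00
0040549C 73 68 65 6C 6C 33 32 2E 64 6C 6C 00 2F 00 43 72
004054DC 00 00 2E 01 53 65 6C 65 63 74 4F 62 6A 65 63 74
004054FC 53 65 74 54 65 78 74 43 6F 6C 6F 72 00 00 67 64
0040550C 69 33 32 2E 64 6C 6C 00 0A 00 47 65 74 4F 70 65
0040551C 6E 46 69 6C 65 4E 61 6D 65 41 00 00 63 6F 6D 64
0040552C 6C 67 33 32 2E 64 6C 6C 00 00 AC 00 77 61 76 65
004055CC 00 00 C1 00 77 61 76 65 4F 75 74 57 72 69 74 65
004055DC 00 00 77 69 6E 6D 6D 2E 64 6C 6C 00 46 00 43 72
004055EC 65 61 74 65 54 68 72 65 61 64 00 00 81 00 45 78
"""


def load_dump(rows, base=IMAGE_BASE, span=0x7000):
    """Build an RVA-indexed byte image from 'ADDRESS hh hh ...' rows; unlisted bytes stay zero."""
    mem = bytearray(span)
    for line in rows.strip().splitlines():
        addr, *hexbytes = line.split()
        rva = int(addr, 16) - base
        mem[rva:rva + len(hexbytes)] = bytes(int(h, 16) for h in hexbytes)
    return mem


def cstring(mem, rva):
    return mem[rva:mem.index(b"\0", rva)].decode("ascii")


def read_thunks(mem, first_thunk):
    """The FirstThunk array of one module, up to its zero terminator."""
    thunks, t = [], first_thunk
    while struct.unpack_from("<I", mem, t)[0]:
        thunks.append(struct.unpack_from("<I", mem, t)[0])
        t += 4
    return thunks


def walk_imports(mem, dir_rva):
    """Walk the IMAGE_IMPORT_DESCRIPTOR array (0x14 bytes each) to its all-zero
    terminator. Returns (modules, size); size includes the terminator, which is
    the value that belongs in the Import Table data directory."""
    modules, off = [], dir_rva
    while True:
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<5I", mem, off)
        off += 0x14
        if name_rva == 0 and ft == 0:
            break
        thunks = read_thunks(mem, ft)
        # In the virgin block a thunk is the RVA of an IMAGE_IMPORT_BY_NAME
        # (WORD hint, then the name); bit 31 set would mean import by ordinal.
        first = None
        if thunks:
            first = "#%d" % (thunks[0] & 0xFFFF) if thunks[0] >> 31 else cstring(mem, thunks[0] + 2)
        modules.append({"dll": cstring(mem, name_rva), "first_thunk": ft,
                        "orig_first_thunk": oft, "count": len(thunks), "first_import": first})
    return modules, off - dir_rva


def thunks_are_virgin(mem, modules):
    """True while every thunk still holds an RVA inside the image. A thunk that
    was already resolved holds a DLL address outside the image; the loader
    leaves such a thunk alone, and a dump taken in that state crashes."""
    return all(v >> 31 or v < len(mem)
               for m in modules for v in read_thunks(mem, m["first_thunk"]))


if __name__ == "__main__":
    mem = load_dump(DUMP_ROWS)
    modules, size = walk_imports(mem, 0x5100)
    print("ImportTable RVA: %08X  Size: %08X  virgin: %s" % (0x5100, size, thunks_are_virgin(mem, modules)))
    for m in modules:
        print("%-13s FirstThunk=%05X OrigFirstThunk=%05X thunks=%2d first=%s" % (
            m["dll"], m["first_thunk"], m["orig_first_thunk"], m["count"], m["first_import"]))
```

Running it prints RVA 00005100 / Size 0000008C and one line per DLL; the thunk counts (19 for user32, 20 for kernel32, 1 for shell32, 6 for gdi32, 1 for comdlg32, 9 for winmm) match the names visible in the hint/name area above, which is the cross-check that the descriptor array and the IAT really belong together. Run the same walk over the block after the OEP, when some thunks hold addresses like 77Dxxxxx, and thunks_are_virgin reports False; that is exactly the state you must paste over before dumping.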

So enter in LordPE:

RVA: 00005100
Size: 0000008C

Size is the six descriptors plus the terminating null one, 7 * 0x14 = 0x8C bytes. (The original text gave 0x8B, one byte short; that did no harm because the Windows loader walks the descriptors until it reaches the null one and does not rely on Size, but the correct value costs nothing.)

Save changes.
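The LordPE step itself, as an added example (again my own code, not the tutorial's): it locates the Import Table slot in the optional header's DataDirectory of a dumped PE (index 1, which sits at offset 0x68 of a PE32 optional header and 0x78 of a PE32+ one) and writes the RVA and Size there. make_dumped_header is a constructed stand-in for the dump's headers, not bytes from the tutorial, with the entry at (0, 0) as LordPE shows it; patch_file applies the same change to a real dump on disk.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1           # index of the Import Table in DataDirectory[]
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B  # IMAGE_OPTIONAL_HEADER.Magic


def import_dir_offset(pe):
    """File offset of the Import Table entry (DWORD RVA, DWORD Size) in the headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not at e_lfanew")
    opt = e_lfanew + 4 + 20                  # optional header follows the 20-byte file header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_base = {PE32_MAGIC: 0x60, PE32PLUS_MAGIC: 0x70}[magic]   # start of DataDirectory[]
    n_dirs = struct.unpack_from("<I", pe, opt + dd_base - 4)[0]  # NumberOfRvaAndSizes
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_IMPORT:
        raise ValueError("optional header has no Import Table slot")
    return opt + dd_base + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT


def get_import_dir(pe):
    """(RVA, Size) as shown in LordPE's Directories dialog."""
    return struct.unpack_from("<2I", pe, import_dir_offset(pe))


def set_import_dir(pe, rva, size):
    """Return a copy of the image with the Import Table entry set to (rva, size)."""
    out = bytearray(pe)
    struct.pack_into("<2I", out, import_dir_offset(out), rva, size)
    return out


def patch_file(path, rva, size):
    """Rewrite the Import Table entry of a dump on disk: the LordPE step, scripted."""
    with open(path, "rb") as f:
        data = f.read()
    with open(path, "wb") as f:
        f.write(set_import_dir(data, rva, size))


def make_dumped_header():
    """Constructed stand-in for the dump's headers (not bytes from the tutorial):
    a minimal PE32 header whose Import Table entry is (0, 0), as LordPE shows."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                 # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    # IMAGE_FILE_HEADER: i386, 1 section, SizeOfOptionalHeader=0xE0, EXE flags
    struct.pack_into("<HHIIIHH", hdr, 0x84, 0x14C, 1, 0, 0, 0, 0xE0, 0x10F)
    opt = 0x84 + 20
    struct.pack_into("<H", hdr, opt, PE32_MAGIC)
    struct.pack_into("<I", hdr, opt + 0x5C, 16)             # NumberOfRvaAndSizes
    return hdr


if __name__ == "__main__":
    hdr = make_dumped_header()
    print("before: RVA %08X Size %08X" % get_import_dir(hdr))
    fixed = set_import_dir(hdr, 0x5100, 0x8C)
    print("after:  RVA %08X Size %08X" % get_import_dir(fixed))
```

On a real dump you would call patch_file("dumped.exe", 0x5100, 0x8C) with whatever RVA and Size your own descriptor walk produced; the magic check matters because a PE32+ dump keeps its DataDirectory 0x10 bytes further in, and writing at the PE32 offset there would clobber SizeOfHeapCommit and LoaderFlags instead.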


Run the dump; it should work perfectly :)


Of course, average crackers know this, but I think beginners could find this text useful. Also, this only works if the Thinstall-protected app doesn't have dependencies. In that case, we should extract them from the package.


See you!



 Copyright © 2021 BiW Reversing