A Quick Guide To Using IceDump/Bhrama
by Ghiribizzo ~ 16 July 1999
Courtesy of fravia's page of reverse engineering

A very interesting "quick guide" by Ghiri, that I found to-day on my messageboard...
Sice aficionados will love (and enjoy) this essay.

A Quick Guide To Using IceDump/Bhrama by Ghiribizzo [OR&L/uKC]
1999
===================================================================
The following is a quick guide to help those who want to use IceDump 5 and Bhrama to unpack PE
files.
What is IceDump/Bhrama?
-----------------------

IceDump is a SoftICE extension written by The Owl which lets you dump memory to a file from
inside SoftICE. IceDump 5 adds Bhrama support. Bhrama is a server built into ProcDump that lets
a client tell ProcDump when to dump a process. When ProcDump cannot unpack a file automatically,
you can unpack it semi-automatically: trace the unpacking code by hand in SoftICE until the
packer is about to hand control to the original program, then tell Bhrama that now is a good
time to dump.
An Example (ASPacked Calc.exe)
------------------------------

I shall give you an example of how to use IceDump/Bhrama to semi-automatically unpack calc.exe
after it has been packed with ASPack.
Ingredients
-----------

SoftICE (any version from 3.22 to 4.00) - I use 4.00 in this example
IceDump 5 BETA - I use a slightly modified version of the 928 byte icedump image in this example
ProcDump - I use pd149d4 in this example
calc.exe - find it in your Windows directory
ASPack 1.08.03 - download it from www.entechtaiwan.com/aspack.htm
IceDump Patcher - download it from www.chocbar.demon.co.uk/ghiribizzo/id.zip
Preparing the Ingredients
-------------------------

1. IceDump

Firstly, we must install IceDump. You can use HIEW to do this manually, or use my patcher. Note
that to use the patcher you must either obtain an image that supports it, recompile an image
with the offset info, or add the 8 byte offset information yourself. All future IceDump images
should contain the offset information. An IceDump image for the patcher looks like this (the
two dd entries are 32-bit values, so the stub is exactly 8 bytes):

    dd INIT_CALL
    dd PAGEIN_PATCH_ORIGIN
    [rest of icedump image]

See icedump.asm for more details. To build this 8 byte stub yourself, you need the offset
information from icedump.inc. The offsets differ per SoftICE version, so a stub built from the
4.0 entries will not work on 3.2x; e.g. the part corresponding to SoftICE 4.0 is as follows:

Create the 8 byte stub file in HIEW and use a binary copy to prepend it to the rest of the
IceDump image. Alternatively, use a hex editor which allows insertion of bytes. Once you have
the prepared image file, copy it to your SoftICE directory along with the patcher and run the
patcher; it will then patch IceDump into SoftICE for you.
2. calc.exe

Find calc.exe in your \windows directory and run ASPack on it to compress it. Open the packed
calc.exe in HIEW and switch to hex mode. Go to the entry point (F8, F5) and change the first
byte there to CCh (INT 3). We do this so that SoftICE will break at the packer's first
instruction. Make a note of the byte you overwrite (60h, PUSHAD, for ASPack), because you will
have to put it back once SoftICE has stopped.
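The same entry-point patch done in code rather than by hand in HIEW, as an added example that is not part of Ghiribizzo's guide nor of IceDump, ProcDump or the patcher. It walks the PE headers to translate AddressOfEntryPoint (an RVA) into a file offset, writes CCh there, and returns the byte it replaced so it can be restored in SoftICE. The `make_sample_pe()` image is a constructed minimal PE32 so the script runs offline; for real use, pass the ASPacked calc.exe on the command line.

```python
"""Put an INT 3 (CCh) at a PE file's entry point so that SoftICE, with
'set i3here on', breaks on the packer's first instruction.

Added example: not from Ghiribizzo's guide or from IceDump/ProcDump. It does
with code what the guide does by hand in HIEW (F8, F5, edit the byte).
"""
import struct
import sys

DOS_MAGIC = 0x5A4D        # 'MZ'
PE_MAGIC = 0x00004550     # 'PE\0\0'


def entry_point_file_offset(data):
    """Return (entry RVA, file offset of that RVA).

    RVAs only exist once the image is mapped; on disk the byte lives at
    PointerToRawData + (RVA - VirtualAddress) of the section containing it.
    """
    if struct.unpack_from('<H', data, 0)[0] != DOS_MAGIC:
        raise ValueError('not an MZ file')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if struct.unpack_from('<I', data, e_lfanew)[0] != PE_MAGIC:
        raise ValueError('no PE signature at e_lfanew')
    file_hdr = e_lfanew + 4
    num_sections = struct.unpack_from('<H', data, file_hdr + 2)[0]
    size_opt = struct.unpack_from('<H', data, file_hdr + 16)[0]
    opt_hdr = file_hdr + 20
    entry_rva = struct.unpack_from('<I', data, opt_hdr + 16)[0]
    sections = opt_hdr + size_opt
    for i in range(num_sections):
        hdr = sections + 40 * i
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, vaddr, rawsize, rawptr = struct.unpack_from('<IIII', data, hdr + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            delta = entry_rva - vaddr
            if delta >= rawsize:
                # Entry lies in the zero-filled tail of the section: there is
                # no byte on disk to patch.
                raise ValueError('entry point is not backed by file data')
            return entry_rva, rawptr + delta
    raise ValueError('entry point RVA %#x is in no section' % entry_rva)


def patch_entry_with_int3(data):
    """Return (patched image, original byte at the entry point).

    Keep the original byte: once SoftICE breaks, EIP must be moved back by one
    and that instruction reassembled (PUSHAD, 60h, for ASPack 1.08).
    """
    _, off = entry_point_file_offset(data)
    buf = bytearray(data)
    original = buf[off]
    buf[off] = 0xCC
    return bytes(buf), original


def make_sample_pe():
    """Constructed minimal PE32 for testing offline; not a real program.

    One .text section at RVA 1000h backed by file offset 200h, entry point at
    RVA 1000h, first byte PUSHAD (60h) like an ASPack stub, then NOPs.
    """
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, e_lfanew)
    size_opt = 0xE0                                # PE32 optional header size
    file_hdr = struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into('<H', opt, 0, 0x10B)          # PE32 magic
    struct.pack_into('<I', opt, 16, 0x1000)        # AddressOfEntryPoint
    struct.pack_into('<I', opt, 28, 0x400000)      # ImageBase
    struct.pack_into('<I', opt, 32, 0x1000)        # SectionAlignment
    struct.pack_into('<I', opt, 36, 0x200)         # FileAlignment
    text = b'\x60' + b'\x90' * 0x1FF               # PUSHAD, then NOP padding
    sect = struct.pack('<8sIIIIIIHHI', b'.text', 0x1000, 0x1000, len(text),
                       0x200, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b'PE\0\0' + file_hdr + bytes(opt) + sect
    headers += b'\0' * (0x200 - len(headers))      # pad to FileAlignment
    return headers + text


if __name__ == '__main__':
    # Usage: python patch_ep.py packed_calc.exe patched_calc.exe
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, 'rb') as f:
        image, original = patch_entry_with_int3(f.read())
    with open(dst, 'wb') as f:
        f.write(image)
    print('entry byte was %02Xh, now CCh; restore it with the A command in SoftICE'
          % original)
```

The RVA-to-offset walk is the part HIEW's F8/F5 hides: a packer that places its entry point in a section whose raw data is smaller than its virtual size has nothing on disk at that address, which is why the function refuses rather than patching a padding byte.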
Cooking
-------

Start up SoftICE and ProcDump. Start the Bhrama server by clicking on the 'Bhrama Server'
button. Open the packed calc.exe with the Symbol Loader but do not load it yet. Pop up SoftICE
and 'set i3here on' so that it stops on INT 3 instructions. Now load calc.exe. SoftICE will
break on the INT 3. Because the INT 3 has already executed, EIP now points one byte past it:
set EIP back by one and reassemble (A command) the PUSHAD instruction we overwrote with the
CCh.

Now trace through all the unpacking junk until just before the packer returns control to the
program. In ASPack this is done via a PUSH EAX / RET combination. Trace into the RET and you
arrive at the first instruction of the unpacked program, its original entry point. Now issue a
'PAGEIN p Bhrama' command. IceDump will then hand control to ProcDump and you can enter the
filename for the dump. That's it!
Serving Suggestions
-------------------

It's a good idea to assign the dump command to the F3 hotkey (function keys are defined in
winice.dat) to save yourself some typing. Also, you should change the default Bhrama window
name to something else if you're concerned about detection, since a packer can look for the
Bhrama server by its window title.
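The hotkey assignment as a winice.dat fragment, added here as an example and not taken from the guide. It assumes the dump command is typed exactly as given above; in winice.dat a function key is bound with Fn="..." and a trailing ';' stands for Enter.

```ini
; winice.dat (added example, not part of the guide)
; F3 types the dump command and presses Enter (';' = Enter)
F3="PAGEIN p Bhrama;"
```

If you rename the Bhrama window, change the name in this line too, or the key will target a window that no longer exists.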