#1
Unpacking WebEXE
Has anyone come across the wonderful application WebEXE? Like CHM help files, it also embeds the user's HTML files in a single EXE file. The generated EXE file is packed with ASPack 2.12. It's quite easy to unpack that packer, but I am not able to run the unpacked app. It pops up an error message saying that the file is corrupted. I think that it's due to the HTML data. How can I manage to run that packed file...
np
#2
The extraction process is done by reading the offset from the packed EXE; if you unpack the EXE the offset changes, and maybe the unpacked EXE uses a CRC/length check.
#3
I just downloaded this and played around with it. Dumping as you said is simple.
Load in Olly
Execute the PUSHAD
Follow ESP register in Dump
Set hardware breakpoint on first four bytes in the dump
When Olly breaks, follow JNZ
And then RETN to OEP
Write down OEP and then dump with OllyDump
Rebuild imports with ImpREC using your discovered OEP

I did not receive any error messages about corruption. The interesting thing is that the WEX (compiled HTML) is not included in the dump, and the dumped program asks for it. If you compile your own WEX you can easily open it. However, are you wanting to also dump the WEX file?

Edit: Dumping the WEX isn't as hard as I thought, just time consuming. Turns out WebEXE saves each file in the archive as a PKZip and then puts them all together and gives the file a new signature. For example, I was able to compress the recent int smashing tutorial by Shub-Nigurrath into an exe and manually extract each resource. Here's how:

1. Get to the OEP using the information above.
2. Remove the hardware breakpoint.
3. Search for all intermodular calls.
4. Set a breakpoint on all calls to kernel32.ReadFile.
5. Press Run; you will break at the first ReadFile.
6. Look at the address you are at. This ReadFile is executed a few times; however, it is not the one you want. Continue to press Run until you break on a new ReadFile. My address was 00407DAC.
7. Look at the stack and you will see the arguments being passed to ReadFile. Write down the Buffer address and the BytesToRead value.
8. In your dump window, right click and select Go to -> Expression.
9. In the box that comes up, type in the Buffer address from the stack window. Press OK.
10. Press the Step Over button on Olly's toolbar; you will see the information being written to the memory address.
11. Now select the first byte in the dump window.
12. Right click and Go to -> Expression again. In the box, type in the value of (Buffer Address + BytesToRead). Press OK.
13. *Important* Press and HOLD SHIFT and choose the first byte you see in the dump window. This will select all the data from the beginning of the buffer to the end.
14. Right click and choose Binary Copy.
15. Paste in Notepad (word wrap off) and save as file1.txt.
16. Press Run again and start over from #7.
17. When you have all the files saved, open up HexWorkshop and make a new file. Paste the copied hex from file1 (Edit -> Paste Special -> CF_TEXT, and make sure "Interpret as hexadecimal string" is checked).
18. Save the file with a .zip extension and repeat for all the files.
19. Extract the data from the newly saved PKZip files (they will not have any extension). Check their signatures in HexWorkshop to figure out what extension they need.
20. Long time later... You are done...

Last edited by gabri3l; 01-28-2005 at 08:45.
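The carving that gabri3l does by hand in steps 7 to 19 (copy each ReadFile buffer, save it as a .zip, sniff the extracted file's signature) is mechanical enough to script. The following is an added example, not code from the thread or from WebEXE: it walks a blob (the dumped WEX, or the ReadFile buffers glued together) for PKZip local file headers, decompresses each entry, checks its length and CRC-32 against the header, and guesses an extension from the leading bytes. Only the ZIP local-file-header layout from the PKWARE spec is assumed; the WebEXE container signature the post mentions is not reproduced (the 16-byte header in the constructed sample is made up), and the function names `carve_zip_entries`, `sniff_extension` and `build_sample_blob` are the example's own. It also handles one thing the post does not run into: entries whose sizes live in a trailing data descriptor (general-purpose flag bit 3) rather than in the header.

```python
"""Carve the back-to-back PKZip entries out of a dumped WEX blob.

Added example, not WebEXE's or the poster's code. Only the ZIP local-file-header
layout (PK\\x03\\x04, 30 bytes) is assumed; the WebEXE container signature is NOT
reproduced here, the sample header in build_sample_blob() is made up."""
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
DESC_SIG = b"PK\x07\x08"
# sig, version, flags, method, mtime, mdate, crc32, csize, usize, name_len, extra_len
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")
DESC_HDR = struct.Struct("<4sIII")  # signed data descriptor: sig, crc32, csize, usize

MAGICS = ((b"<!DOCTYPE", ".html"), (b"<html", ".html"), (b"GIF8", ".gif"),
          (b"\x89PNG", ".png"), (b"\xff\xd8\xff", ".jpg"), (b"%PDF", ".pdf"))


def sniff_extension(data):
    """Guess an extension from the leading bytes (the 'check their signatures' step)."""
    head = data[:16].lower()
    for magic, ext in MAGICS:
        if head.startswith(magic.lower()):
            return ext
    if data and all(32 <= b < 127 or b in b"\r\n\t" for b in data[:64]):
        return ".txt"
    return ".bin"


def carve_zip_entries(blob):
    """Walk every PK\\x03\\x04 local header in blob; return name, method, offset,
    decompressed data and whether length and CRC-32 match what the header claims."""
    entries = []
    pos = blob.find(LOCAL_SIG)
    while pos != -1 and pos + LOCAL_HDR.size <= len(blob):
        (_, _, flags, method, _, _, crc, csize, usize,
         nlen, xlen) = LOCAL_HDR.unpack_from(blob, pos)
        name_start = pos + LOCAL_HDR.size
        name = blob[name_start:name_start + nlen].decode("cp437", "replace")
        data_start = name_start + nlen + xlen
        if flags & 0x08 and csize == 0:
            # Bit 3 set: sizes and CRC live in a data descriptor after the data.
            # (A PK\x07\x08 occurring inside the compressed stream would fool this.)
            desc = blob.find(DESC_SIG, data_start)
            if desc == -1 or desc + DESC_HDR.size > len(blob):
                break
            _, crc, csize, usize = DESC_HDR.unpack_from(blob, desc)
            data_end, next_pos = desc, desc + DESC_HDR.size
        else:
            data_end = next_pos = data_start + csize
        cdata = blob[data_start:data_end]
        if method == 0:                       # stored
            data = cdata
        elif method == 8:                     # raw deflate, no zlib wrapper
            data = zlib.decompressobj(-zlib.MAX_WBITS).decompress(cdata)
        else:                                 # unsupported: keep raw bytes for manual work
            data = None
        ok = data is not None and len(data) == usize and zlib.crc32(data) & 0xFFFFFFFF == crc
        entries.append({"name": name, "method": method, "offset": pos,
                        "data": cdata if data is None else data, "crc_ok": ok})
        pos = blob.find(LOCAL_SIG, next_pos)
    return entries


def build_sample_blob():
    """Constructed input: two single-entry zips from zipfile plus one hand-built entry
    that uses a data descriptor, all glued behind a made-up 16-byte header."""
    parts = [b"CONSTRUCTED-HDR\x00"]
    for name, payload in (("index.html", b"<html><body>carved</body></html>"),
                          ("logo.gif", b"GIF89a" + bytes(20))):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, payload)
        parts.append(buf.getvalue())
    payload, name = b"body { color: red }", b"style.css"
    parts.append(LOCAL_HDR.pack(LOCAL_SIG, 20, 0x08, 0, 0, 0, 0, 0, 0, len(name), 0)
                 + name + payload
                 + DESC_HDR.pack(DESC_SIG, zlib.crc32(payload) & 0xFFFFFFFF,
                                 len(payload), len(payload)))
    return b"".join(parts)


if __name__ == "__main__":
    for e in carve_zip_entries(build_sample_blob()):
        print(f"{e['offset']:#08x} {e['name']:<12} method={e['method']} "
              f"crc_ok={e['crc_ok']} -> {sniff_extension(e['data'])}")
```

Run it against the real dump by replacing `build_sample_blob()` with the bytes read from the dumped WEX (or the concatenated buffers from step 13) and writing each entry's `data` out under `name` plus the sniffed extension. A `crc_ok` of False on an entry is the signal that a buffer boundary was missed or that the container stores something other than plain PKZip at that offset, which is exactly the case where the manual HexWorkshop inspection from step 19 is still needed.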