#3
I just downloaded this and played around with it. Dumping as you said is simple.

1. Load in Olly
2. Execute the PUSHAD
3. Follow ESP register in Dump
4. Set Hardware breakpoint on first four bytes in the dump
5. When Olly breaks follow JNZ
6. And then RETN to OEP
7. Write down OEP and then dump with Ollydump
8. Rebuild imports with Imprec using your discovered OEP

I did not receive any error messages about corruption. The interesting thing is that the WEX (compiled HTML) is not included in the dump. And the dumped program asks for it. If you compile your own WEX you can easily open it. However, are you wanting to also dump the WEX file?

Edit: Dumping the WEX isn't as hard as I thought, just time consuming. Turns out Webexe saves each file in the archive as a PKzip and then puts them all together and gives the file a new signature. For example I was able to compress the recent int smashing tutorial by Shub-Nigurrath into an exe and manually extract each resource. Here's how:

1. Get to the OEP using the information above.
2. Remove the hardware breakpoint.
3. Search for all intermodular calls.
4. Set a breakpoint on all calls to kernel32.ReadFile.
5. Press Run; you will break at the first ReadFile.
6. Look at the address you are at. This ReadFile is executed a few times, however it is not the one you want. Continue to press Run until you break on a new ReadFile. My address was 00407DAC.
7. Look at the stack and you will see the arguments being passed to ReadFile. Write down the Buffer address and the BytesToRead value.
8. In your dump window, right click and select Go to -> Expression.
9. In the box that comes up type in the Buffer address from the stack window. Press Okay.
10. Press the StepOver button on Olly's toolbar; you will see the information being written to the memory address.
11. Now select the first byte in the dump window.
12. Right click and Go to -> Expression again. In the box type in the value of (Buffer Address + BytesToRead). Press Okay.
13. *Important* Press and HOLD SHIFT and choose the first byte you see in the dump window. This will select all the data from the beginning of the buffer to the end.
14. Right click and choose Binary Copy.
15. Paste in Notepad (word wrap off) and save as file1.txt.
16. Press Run again and start over from #7.
17. When you have all the files saved, open up HexWorkshop and make a new file. Paste the copied hex from file1 (Edit -> Paste Special -> CF_TEXT and make sure "Interpret as hexadecimal string" is checked).
18. Save the file with a .zip extension and repeat for all the files.
19. Extract the data from the newly saved pkzip files (they will not have any extension). Check their signatures in HexWorkshop to figure out what extension they need.
20. Long time later... You are done...

Last edited by gabri3l; 01-28-2005 at 08:45.
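The manual steps 17 to 19 above (turn the hex text back into bytes, split the container into its PKZIP archives, name each member by its signature) can be automated once the buffer has been dumped. The script below is an added example and is not part of gabri3l's post or the WebEXE tool; it assumes the layout the post describes (an arbitrary container signature followed by complete zip files laid end to end), assumes the "Binary Copy" text is space-separated hex bytes, and uses a small constructed magic-byte table plus a constructed sample container so it runs offline.

```python
"""
Carve concatenated PKZIP archives out of a dumped buffer and name the
members by their leading magic bytes.  Added example, not code from the
forum post; the container layout it assumes comes from the post's own
description (custom header, then several complete zips back to back).
"""
import io
import re
import struct
import zipfile

LOCAL_FILE_HEADER = b"PK\x03\x04"   # first structure of a zip archive
END_OF_CENTRAL_DIR = b"PK\x05\x06"  # EOCD record: last structure of a zip

# (magic bytes, extension) pairs used to name carved members.  Constructed
# table for this example; extend it with whatever the dumped files turn out to be.
MAGIC_TABLE = [
    (b"ITSF", ".chm"),               # compiled HTML help
    (b"MZ", ".exe"),
    (b"%PDF", ".pdf"),
    (b"\x89PNG\r\n\x1a\n", ".png"),
    (b"GIF8", ".gif"),
    (b"\xff\xd8\xff", ".jpg"),
]


def hex_text_to_bytes(text):
    """Turn a pasted 'Binary Copy' dump ('50 4B 03 04 ...') back into bytes.
    Assumes plain hex digits separated by whitespace or line breaks."""
    return bytes.fromhex(re.sub(r"\s+", "", text))


def carve_zip_archives(blob):
    """Return (offset, archive_bytes) for every complete zip found in blob.

    Each archive runs from its first local file header to the end of its
    EOCD record, which is 22 bytes plus the comment length stored at EOCD+20.
    A truncated trailing archive is skipped rather than emitted as garbage.
    """
    archives = []
    pos = 0
    while True:
        start = blob.find(LOCAL_FILE_HEADER, pos)
        if start < 0:
            break
        eocd = blob.find(END_OF_CENTRAL_DIR, start)
        if eocd < 0 or eocd + 22 > len(blob):
            break
        comment_len = struct.unpack_from("<H", blob, eocd + 20)[0]
        end = eocd + 22 + comment_len
        archives.append((start, blob[start:end]))
        pos = end
    return archives


def guess_extension(data):
    """Pick an extension from the leading bytes; unknown content gets .bin."""
    for magic, ext in MAGIC_TABLE:
        if data.startswith(magic):
            return ext
    return ".bin"


def extract_members(blob):
    """Carve every archive in blob and describe each member with its type."""
    results = []
    for offset, archive in carve_zip_archives(blob):
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            for info in zf.infolist():
                data = zf.read(info)
                results.append({
                    "archive_offset": offset,
                    "name": info.filename,
                    "ext": guess_extension(data),
                    "size": len(data),
                })
    return results


def build_sample_container():
    """Constructed input: a fake 8-byte container signature followed by two
    stored (uncompressed) zips, standing in for a dumped WebEXE payload."""
    def make_zip(name, payload):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            zf.writestr(name, payload)
        return buf.getvalue()

    help_file = b"ITSF" + b"\x03\x00\x00\x00" + b"\x00" * 64   # CHM-like header
    image = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    return b"WEXHDR01" + make_zip("help.dat", help_file) + make_zip("logo.dat", image)


if __name__ == "__main__":
    for entry in extract_members(build_sample_container()):
        print(entry)
```

The carver relies on each archive's EOCD record to find its end, so it also copes with the container header and any padding between archives; the one caveat is that a deflated member whose compressed bytes happen to contain `PK\x05\x06` would be cut short, which is why a failed `zipfile` open on a carved chunk is worth checking by hand.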