#1
11-21-2004, 12:33 PM
LoGiCa
Junior Member
Join Date: Nov 2004
Posts: 2
Unpacking a Microsoft Visual C++ 6.0 compiled file

I have a Microsoft Visual C++ 6.0 file (An Unreal Tournament Update) I want to unpack to get to the files inside it.

What tools do I need?

Thanks for your help

This is the file.

ftp://ftp.bluesnews.com/ut/UTPatch436.exe

#2
11-21-2004, 10:47 PM
sna
Administrator
Join Date: Jun 2003
Posts: 76
Installer fun

Hi.

The executable you linked to is a self-extracting Winzip archive. Having either Winzip or WinRAR installed (with shell extensions registered) you can right click on it and choose "extract to...".

The installer/updater is possibly home-brewed, but if you look inside it you'll notice that none of its data is compressed. The executable itself is a generically built installer/updater that carries overlay data, past the .rsrc section. There is a table with file information starting at/near offset 0x01189D29.

Actually, it might be offset 0x01189D27 (0x0347 entries).

If you look at the individual entries you will begin to recognise a pattern. The first byte is the length of the target path of the file (including null terminator), relative to base path. Then comes the actual target path as a string, again relative to base path. Next after that is a dword with the raw offset of the source file inside the installer executable. Then there's a dword specifying the size of the file and following that there are five bytes of unknown purpose.

Code:
OFFSET     - SIZE       - TARGET

0x00008000 - 0x000059B3 - SystemManifest.ini
0x0000D9B3 - 0x0000026B - SystemManifest.int

etc...
There are more structures near the end of the image. You'll find a reference to already mentioned offset 0x01189D27 around here.

Happy reversing! Regards, sna
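
Added example (not part of sna's post or the original thread): a parser for the entry layout described in post #2, run over a constructed table that reuses the two rows listed there. It assumes little-endian dwords and Latin-1 paths; the function names and the path-safety check applied before extraction are additions made here.

```python
import struct
from pathlib import PureWindowsPath

# dword offset, dword size, 5 bytes of unknown purpose (little-endian is an assumption)
TAIL = struct.Struct("<II5s")

def parse_entries(blob, start, count, image_size):
    """Walk `count` entries beginning at `start`; return (path, offset, size) tuples."""
    entries, pos = [], start
    for _ in range(count):
        if pos >= len(blob):
            raise ValueError(f"table runs past end of data at {pos:#x}")
        name_len = blob[pos]                  # length byte includes the null terminator
        end = pos + 1 + name_len
        if name_len == 0 or end + TAIL.size > len(blob):
            raise ValueError(f"truncated entry at {pos:#x}")
        raw = blob[pos + 1:end]
        if raw[-1] != 0:
            raise ValueError(f"path at {pos:#x} is not null-terminated")
        path = raw[:-1].decode("latin-1")
        offset, size, _unknown = TAIL.unpack_from(blob, end)
        if offset + size > image_size:        # source data must lie inside the executable
            raise ValueError(f"{path!r} points outside the image")
        entries.append((path, offset, size))
        pos = end + TAIL.size
    return entries

def is_safe_relative(path):
    """Reject absolute or parent-escaping target paths before writing anything to disk."""
    p = PureWindowsPath(path)
    return not (p.is_absolute() or p.drive or p.root or ".." in p.parts)

def make_entry(path, offset, size):
    """Build one constructed entry in the described layout (sample data only)."""
    name = path.encode("latin-1") + b"\x00"
    return bytes([len(name)]) + name + TAIL.pack(offset, size, b"\x00" * 5)

# Constructed sample: the two rows listed in the post plus one path that escapes the base dir.
SAMPLE = (make_entry("SystemManifest.ini", 0x8000, 0x59B3)
          + make_entry("SystemManifest.int", 0xD9B3, 0x026B)
          + make_entry("..\\outside.txt", 0xDC1E, 0x10))

if __name__ == "__main__":
    for path, offset, size in parse_entries(SAMPLE, 0, 3, image_size=0x10000):
        verdict = "ok" if is_safe_relative(path) else "REJECT"
        print(f"{offset:#010x} - {size:#010x} - {path} [{verdict}]")
```

Against the real file, `start` and `count` would be the table offset and entry count given in the post, and `image_size` the length of the executable.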

#3
11-23-2004, 01:34 PM
LoGiCa
Junior Member
Join Date: Nov 2004
Posts: 2

Thanks for your help mate