*************************************************************************************************
			Manually UnPacking of Yoda's Crypter v1.1
*************************************************************************************************

Author:		Yoda
Tools:		SoftICE v4.05
		Hex-Editor
		ProcDump v1.6.2


--->	Some Tips...

Let me tell you a few things that are important when you want to Unpack something :)

1.	Find the OEP (Original Entry Point, the starting location of the Original Program).
2.	Dump the File (Doh!).
3.	Check if the Import Table is corrupted (And then try to fix it of course ;).
4.	Remove the Encrypter Code (Not necessary, but fun and in some cases it decreases the
	size of the File ;).


--->	Some words...

I just want to say that i always break at the Entry Point of the Encrypted Program with Int3.
Why?
Simple, because then i can see exactly what is going on :)
If you want to break on an API, check the Info page of this Packer/Encrypter and then look for
what's the best API to break on.


--->	Special Note...

The Target File (Yc_v11_Notepad.exe) has been Encrypted with all the options enabled.
Maximum Protection ;)


--->	Let's MUP... (Manually UnPack)

This will be a pretty big Unpacking Tutorial ;)
Ok, let's follow a few steps again.

1.	First getting some Information with ProcDump and then breaking on Int 03 at the Entry
	Point of the Encrypted program.
2.	Tracing through the Decryption Code and defeating Protections (Or you can call it
	"Skipping" ;) .
3.	Dumping the File and fixing the Dump a little bit (OEP, kill Section etc...) :)
4.	Rebuilding the Import Table manually (No ImpRec or ReVirgin ;) .


					   Step 1

Open ProcDump and click on "PE Editor".
Then open our Encrypted File "Yc_v11_Notepad.exe" and you should see this:

Entry Point:	0000D060
Size of Image:	0000F000
Image Base:	00400000

Now click on the button "Sections" to see if "0000D060" is also the Raw Offset.
Look at the last Section which is called "yC" :)
The Virtual Offset of that Section = 0000D000
And the Raw Offset of that Section = 0000D000
So they're the same, which means the Entry Point is at Raw Offset 0000D060 too.

Now close ProcDump and open the Encrypted File into your Hex Editor.
Then go to the Offset "0000D060" and replace this with our Int 03 break:


60	(pushad - Remember this Opcode to change it back later)

into

CC	(Int 03)


Save the File and get into SoftICE (Ctrl+D).
Then type "bpint 3" followed by enter and press (Ctrl+D) to get out of SoftICE.
Now open the Encrypted File (Yc_v11_Notepad.exe) and SoftICE should break.
You're now standing on the "Int 03" we placed at the Entry Point.
And we need to change that back to "60" (pushad) so type/press this:


A EIP			- To edit the current location.
pushad			- "pushad" was the original Instruction at the Entry Point.
(enter)			- to change it back to "pushad".
(enter)			- To get out of the "A" command.


Now we can TAL (Trace And Learn ;) .


					   Step 2

First it'll Decrypt some necessary Information in the Decryption Code.
Then it'll make a little CRC out of the Decryption Code.
Later in the Decryption Routine it'll do this CRC Routine again and then compare the result with
the value it creates now :)
That'll be done here:


-------------------------------------------------------------------------------------------------

lea eax, [ebp+00401C84]
mov ecx, 0000059D
call 0040D2E9				- Here's the little CRC routine.

-------------------------------------------------------------------------------------------------


After this call it'll save the CRC value in some place.
And then we get the first "Option Check" namely the "Exit if SoftIce is loaded" Option :)
But we can skip it by using "r fl z" to change the Zero Flag.
You'll see this piece of Code:


-------------------------------------------------------------------------------------------------

mov [ebp+0040235C], eax			- CRC value saved at [ebp+0040235C].
mov eax, [ebp+00402354]			- Move in eax the "Option" value ;) .
and eax, 00000001
jz 0040D0F9				- Use "r fl z" here to skip the SoftICE check.

-------------------------------------------------------------------------------------------------


Ok, on the instruction "jz 0040D0F9" you can type "r fl z" followed by enter to skip the SoftICE
check.
(Psssttt... you can also do something now to make it a bit easier later ;) but i'm not going to
tell that yet, i'll tell it when we arrive at the "Import Table F*ck Up" ;)
The method to detect SoftICE is the "BCHK" (BoundsCHecKer) method :)
That'll look like this:


mov ebp, 4243484B		- BCHK
mov ax, 0004
Int 03
cmp al, 04
jz No_SoftICE			- If al is still 04 then no SoftICE found.


To bypass this simply change the "Int 03" to "NOP" (90).

And after this (When we've jumped to 0040D0F9) we see that it gets some API Base Addresses and
puts them somewhere in the Decryption Code.
Then Trace till the end where you see this:


-------------------------------------------------------------------------------------------------

lea eax, [ebp+00401E10]			- ebp+00401E10 = eax
push eax				- push eax
ret					- and go to that Offset.

-------------------------------------------------------------------------------------------------


You'll see that after you Traced the "ret" you land on 0040D1EC ;)
and here's the next "Option" check "Anti Process Dumping" :)


-------------------------------------------------------------------------------------------------

test [ebp+00402354], 00000010		- Check if option has been enabled.
jz 0040D22F				- If not jump and skip this process.

-------------------------------------------------------------------------------------------------


So when you're on the "jz 0040D22F" type "r fl z" to change the "Z" flag and so we jump
to 0040D22F :)
Ok at this Offset it'll first "protect" the file with VirtualProtect ;).
After this we get the next "Option" check "Exit in the case of a bad CRC" :)
So you'll see this:


-------------------------------------------------------------------------------------------------

test [ebp+00402354], 00000008		- Check if option has been enabled.
jz 0040D30E				- If not jump and skip this process.

-------------------------------------------------------------------------------------------------


On Offset 0040D30E we get to the Important stuff, the Decryption of the Sections :)
You can skip it or look in it if you want, you decide ;)
You'll see this at Offset 0040D30E:


-------------------------------------------------------------------------------------------------

mov eax, [ebp+0040234C]			- Move the Image Base of the current File in eax
mov ebx, 00000001			- Move 00000001 in ebx
call 0040D326				- Let the Decryption Begin ;)
lea eax, [ebp+00401FE9]			- ebp+00401FE9 = eax
push eax				- push eax
ret					- and go to that Offset.

-------------------------------------------------------------------------------------------------


When you've Traced over the "ret" you'll be at Offset 0040D3C5.
Then it searches in the PE Header if there is a TLS Table ;)
If there's none then it'll skip a little process else it executes that little process ;)
You'll see this:


-------------------------------------------------------------------------------------------------

mov edi, [ebp+0040234C]			- Move Image Base in edi.
add edi, [edi+3C]			- Point edi to the beginning of the PE Header.
mov ebx, [edi+000000C0]			- Move in ebx the RVA to the TLS Table (PE+000000C0).
cmp ebx, 00000000			- No TLS Table?
jz 0040D3E8				- If there's none, jump and skip the next 3 lines.
add ebx, [ebp+0040234C]			- Add the Image Base to ebx.
mov eax, [ebx+08]			- Move [ebx+08] in eax.
mov [eax], 00000000			- Move 00000000 in [eax].

-------------------------------------------------------------------------------------------------


The next thing at Offset 0040D3E8 is the Comparison of the File CRC ;)
Since we skipped that process it'll jump now on "jz 0040D3FF (first one)" so just Trace further.
You'll see this:


-------------------------------------------------------------------------------------------------

mov eax, [ebp+00402358]			- Move Checksum created in eax.
or eax, eax				- Check if eax = 00000000.
jz 0040D3FF				- If so jump and continue (Good Boy).
cmp eax, [ebp+004025DE]			- Compare the real Checksum with the created Checksum.
jz 0040D3FF				- If equal jump and continue (Good Boy).
jmp 0040D58F				- Else jump (Bad Boy).

-------------------------------------------------------------------------------------------------


Ok, we jump to 0040D3FF because the first "jz" will jump (because we skipped the CRC
part ;).
Now we get to another "Option" check "API Redirection" :)
You'll see this:


-------------------------------------------------------------------------------------------------

lea esi, [ebp+00402388]			- Point esi to some table containing Offsets to the IT.
test [ebp+00402354], 00000020		- Test if "API Redirection" Option has been enabled.
jz 0040D45A				- If not jump and skip this process.

-------------------------------------------------------------------------------------------------


Ok, you can skip this process again by typing "r fl z" on the "jz 0040D45A" instruction :)
At Offset 0040D45A we have a Jump that'll lead us to Offset 0040D582.
And now the "Import Table F*ck Up" has begun ;)

Do you remember that i said above in this file "(Psssttt... you can also do something now to
make it a bit easier later ;)".
I was talking about the "Option" value, we're going to change that now so we don't have to worry
about it otherwise we need to type too many "r fl z" ;)
Ok, those "Option" Checks check a value at Offset [ebp+00402354].
[ebp+00402354] = Offset 0040D730.
So type "d 0040D730", then press "ALT+D" to edit the Data Window, then press "00" to replace the
value "3F" and then "ALT+D" again to return to the Command Window.
Now you can easily Trace through the "Import Table F*ck Up" ;)
But there's one little other thing you need to change ;)
I'm not going to show the whole Import Table Routine.
But keep an eye on this instruction:


mov [edx], eax		(Opcodes 8902)


With this instruction it's trying to replace the RVA's in the IAT with their corresponding
Base Addresses of the API's :)
So to make things easy we're gonna NOP (90) this instruction ;)
When you're on the instruction type/press this:


A EIP			- To change the current instruction
nop [enter]		- This will put a NOP (90) at the current location.
nop [enter]		- The second NOP because the instruction "mov [edx], eax" is 2 Bytes.
[enter]			- This will end the "A" command :)


Now you can simply Trace through it or skip it with a "bpx [address]" ;)
The "Import Table F*ck Up" Routine is finished when you'll be on these Instructions:


-------------------------------------------------------------------------------------------------

xor eax, eax				- eax = 00
inc eax					- eax + 1
cmp eax, 00000001			- Compare eax with 00000001
jz 0040D596				- If equal jump and continue, else...
popad					- Pop all Registers back...
ret					- And quit ;)

-------------------------------------------------------------------------------------------------


Maybe the "cmp eax, 00000001" looks dumb ;) but there are 4 calls going to it :P
Btw, don't forget to change the 2 NOP's back into "8902" ;)
It isn't necessary but now the CRC Check will think it's alright, what am i talking about we
skipped that CRC Check :P
Err... never mind let's continue at 0040D596 ;)
Ok, so next you'll see the next "Option" check "Erase PE Header" :)
You'll see this:


-------------------------------------------------------------------------------------------------

test [ebp+00402354], 00000002		- Test if "Erase PE Header" Option has been enabled.
jz 0040D5BA				- If not jump and skip this process.

-------------------------------------------------------------------------------------------------


Now it'll jump unless you haven't changed that "Option" value ;)
If you haven't changed it then type "r fl z" at the Instruction "jz 0040D5BA" :)
Now we come to where it does that little CRC Check again to Compare it with the previous CRC ;)
He tries to confuse it a little bit with Instructions like:


Jmp +1
Junk Byte


;)
But anyway run through it and you can skip the "call 0040D2E9" because that's where it makes the
CRC value ;)
Ok, Trace till you're here:


-------------------------------------------------------------------------------------------------

mov ebx, [ebp+0040235C]			- Get the earlier made CRC value and put it in ebx.
xor eax, ebx				- xor ebx with eax.
jz 0040D5E2				- if the value in eax is 00 then jump and continue.
jmp 0040D5DD				- else bad CRC and quit.

-------------------------------------------------------------------------------------------------


So it xor's the new CRC with the old CRC.
If they're the same, eax will be 00 and the "Z" flag will be enabled.
Otherwise the "Z" flag is disabled and we don't jump ;)
So if everything's alright we jump at the Instruction "jz 0040D5E2".
If you're not jumping then type "r fl z" at this Instruction ;)
Well, we continue at Offset "0040D5E2".
There it'll Decrypt some Code in the Decryption Routine itself :)
Then after this little Decryption Routine we are on Offset "0040D5FD".
Now it'll use the API "IsDebuggerPresent" to see if there's a Debugger present, heh ;)
So you'll see this:


-------------------------------------------------------------------------------------------------

lea eax, [ebp+004025B0]			- Point eax to the API's name.
push eax				- Push the API Offset.
push [ebp+00402511]			- Push the ImageBase of Kernel32.
call [ebp+00402500]			- Get the BaseAddress of "IsDebuggerPresent".
call eax				- Call the API.
or eax, eax				- If eax is 00...
jz 0040D618				- We jump and continue as good boy else...
popad					- It pops all Registers back...
ret					- And quits.

-------------------------------------------------------------------------------------------------


I think (But i don't know for sure :) that the API "IsDebuggerPresent" only works on NT/2K.
In my case (I'm running Win98SE ;) it returns 00 so that's good.
If you're on the Instruction "jz 0040D618" and you don't jump then simply type "r fl z".
Ok, the next thing is an important one and we also come to the last "Option" check
"Exit if SoftICE is loaded" (Hmm, this Option is used twice in the Decryption Routine :).
You'll see this:


-------------------------------------------------------------------------------------------------

mov eax, [ebp+00402350]			- Move the OEP in eax (Without ImageBase).
add eax, [ebp+0040234C]			- Add the ImageBase to eax
mov ebx, 004022D4			- Put some...
add ebx, ebp				- Offset in...
inc ebx					- ebx.
mov [ebx], eax				- Move the OEP in [ebx].
test [ebp+00402354], 00000001		- Test if the Option is enabled.
jz 0040D691				- If not we jump and skip the next Process.

-------------------------------------------------------------------------------------------------


So first it moves the OEP in some Offset (To be exact it's the Offset "0040D6B1").
Then it checks if the Option "Exit if SoftICE is loaded" is enabled.
If not we jump else it checks for SoftICE :)
So when you're on the Instruction "jz 0040D691" type "r fl z" to skip this Process.
This SoftICE check puts the value 00440000 in eax and executes "Int 68".
Then there will be a value returned in EDI if SoftICE is active.
It looks like this:


mov eax, 00004400
int 68
cmp edi, 12970000
jz SoftICE
cmp edi, 12770000
jz SoftICE
cmp edi, 13300000
jz SoftICE
jmp No_SoftICE


On my system (Win98SE) the returned value in edi is always 13300000 :)
I think those other values are depending on Versions.
(Btw these value checks i got from Yoda's Crypter ;).
If you want to get past this just type "r fl z" on these "jz" Instructions :)
Let's continue at Offset "0040D691".
This is the final stuff, Jumping to the OEP and cleaning the Decryption Code ;)
You'll see this:


-------------------------------------------------------------------------------------------------

xor al, al				- al = 00
lea edi, [ebp+00401C84]			- Point edi to the beginning of the Decryption Routine.
mov ecx, 0000063E			- Move 0000063E in ecx
stosb					- And remove...
loop 0040D69E				- 1598 (63E) Bytes (He could also use "repz stosb" ;).
lea edi, [ebp+004022DE]			- Point edi to the end of the Decryption Routine.
mov ecx, 000002E8			- Move 000002E8 in ecx
stosb					- And remove...
loop 0040D6AC				- 744 (2E8) Bytes (He could also use "repz stosb" ;).
popad					- Pop all Registers back.
mov eax, FFFFFFFF			- Move FFFFFFFF (It'll be the OEP) in eax.
push eax				- Push eax onto the Stack.
jmp 0040D6B9				- Jump to 0040D6B9 (Skip the Junk Byte ;).
Junk Byte (87)
ret					- And go to the OEP.

-------------------------------------------------------------------------------------------------


So first it removes the Decryption Routine (Of course not this little Process ;).
And instead of the Instruction "mov eax, FFFFFFFF", this will be "mov eax, OEP".
Remember that the OEP was placed at some Offset, well that's here ;)
So this is the end now we need to Dump it ;)


					   Step 3

Ok, so when you're over the "ret" Instruction you'll be on the OEP (In this case the OEP is 004010CC).
We're going to use the "EBFE" trick to make the Program run in a loop and then we can Dump it ;)
So type/press this:


D EIP			- To get to the current location.
ALT+D			- To edit the Data Window.
EBFE			- to change the original Opcodes "558B" into an infinite loop "EBFE".
ALT+D			- To return to the Command Window.


You could also type/press this, but then you don't know the original Opcodes ;)


A EIP			- To edit the current Instruction.
jmp eip [return]	- to change it into "EBFE" (jmp eip).
[return]		- To exit the "A" Command.


Ok, now type "BC *" to clear any Breakpoints and press "Ctrl+D" to exit SoftICE.
Open ProcDump and look in the main window for some entry like this:


"C:\windows\desktop\yC_v11_Notepad.exe"


Right click on it and select "Dump (full)". Then save it anywhere you want.
Now right click again on it and select "Kill Task" to Terminate the Process.
We got our Dump now ;) and now we need to fix some stuff.
So click on the button "PE Editor" and select your Dump and open it.
Change the Entry Point to "000010CC" (Without ImageBase).
You'll see 2 Options in this window namely:


Only to PE Header
To PE File


Select the second Option and click on the Button "Sections".
Right click on the last Section called "yC" and select "Kill Section".
Now we're going to update the "Size of Image".
So take the Virtual Offset + Virtual Size of the last Section (Which is now .reloc).


Virtual Offset	+ Virtual Size	= Size of Image
0000C000	+ 00000A9C	= 0000CA9C


Hmm, not really a rounded value ;)
Check the Raw Size it's 00001000, so for the "Size of Image" we take 0000D000 :)
So click on "Ok" of the "Sections Editor" window and then change the "Size of Image" to 0000D000.
Now click on "Ok" again and now the only thing left is to rebuild the Import Table :P
Oh wait, we need to change back the "EBFE" trick of course ;)
So close ProcDump and open the Dumped file in your Hex Editor.
Then go to Offset "000010CC" and change this:


EBFE		(We change our "Infinite Loop"...)

into

558B		(The original Opcodes ;)


Save the file now, but don't run it, we need to rebuild the Import Table now ;)


					   Step 4

Ok, well this is pretty tough to explain so please don't blame me if you don't know what i'm
talking about ;)
We're going to fix the "Import Directory Tables" of the IT (Import Table).
Because the rest of the IT is in its normal state :)
If you don't succeed you can always use ReVirgin or ImpRec ;)
Ok, now the first thing i'll show you is the Structure of these "Import Directory Tables" :)
It looks like this:


1 Dword		- Import Lookup Table (ILT)
2 Dword		- Time/Date Stamp
3 Dword		- Forwarder Chain
4 Dword		- Name (Of *.DLL or *.EXE)
5 Dword		- Import Address Table (IAT)


A little explanation:


-	Import Lookup Table (ILT)

An RVA (Relative Virtual Address) to a Table that contains RVA's to the names of the API's that
belong to the *.DLL :)
So for example an RVA in this Table is pointing to the API "ExitProcess", so then you know that
the Name of the *.DLL must be KERNEL32.DLL :)
The Import Lookup Table RVA can be left empty.

-	Time/Date Stamp

The Time/Date the IT was created by the Compiler.
The Time/Date Stamp RVA can be left empty.

-	Forwarder Chain

Index of first forwarder reference.
The Forwarder Chain RVA can be left empty.

-	Name (Of *.DLL or *.EXE)

This is an RVA that points to the Name of a *.DLL or *.EXE that this "Import Directory Table"
belongs to.
The Name doesn't have to contain .DLL or .EXE (For example it can be KERNEL32).
The Name (Of *.DLL or *.EXE) RVA cannot be left empty (It can be left empty but then it means
the IT has finished, because there are no more *.DLL or *.EXE to be Imported ;).

-	Import Address Table (IAT)

This is an RVA that points to a Table almost identical to the "Import Lookup Table".
But the difference is that in this Table the RVA's will be replaced with the corresponding
"Base Addresses" of the API's.
The Import Address Table RVA cannot be left empty.


Now we can begin Rebuilding ;)
I suggest also that you open Win32.hlp to quickly check which API belongs to which *.DLL .
Maybe you know them all out of your head but maybe not...? ;)
Ok, the IT starts at 00006000 (Minus ImageBase) you could find that out when you were in the
Decryption Routine :)
It's now a little bit easier to Rebuild because the Virtual Offsets are the same as the
Raw Offsets (Because we dumped the File from Memory).
Take a look at Offset 00006000, you'll see there all kind of values like this:


DF EC 31 00 DF EC 31 00 DF EC 31 00 DF EC 31 00
DF EC 31 00 DF EC 31 00 DF EC 31 00 DF EC 31 00
DF EC 31 00 DF EC 31 00 DF EC 31 00 DF EC 31 00
DF EC 31 00 DF EC 31 00 DF EC 31 00 DF EC 31 00
DF EC 31 00 DF EC 31 00 DF EC 31 00 DF EC 31 00
DF EC 31 00 DF EC 31 00 DF EC 31 00 DF EC 31 00
DF EC 31 00 DF EC 31 00 DF EC 31 00 DF EC 31 00
DF EC 31 00 DF EC 31 00 00 00 00 00


These are supposed to be the "Import Directory Tables" i was talking about, but it looks like
crap to me now ;)
Ok, first we're going to find out how many *.DLL's have to be Imported.
You can do that by counting how many Bytes these values have, i mean till you reach "00000000".
It's 78h Bytes ;)
And an "Import Directory Table" is 14h Bytes so:

78h / 14h = 6 *.DLL's :)

Btw, you can also find out how many *.DLL's there are by simply looking a little bit lower
(Around 00006520) and then count the *.DLL's ;)
After these values (DFEC3100) there are a bunch of 00's, this means that the IT stops there.
But if you look further you'll come across the first RVA that leads to the API "RegSetValueExA".
Hmm, that belongs to ADVAPI32.DLL (You can find that in Win32.hlp and then looking at the Info
of the API and pressing the button "Quick Info" you'll see there advapi32.lib).
Ok, where the RVA to this API is there are 4 more RVA's because after that it's getting
Terminated with 00000000.
So you'll see this at Offset 000060A0:


88 6D 00 00 9A 6D 00 00 AE 6D 00 00 CC 6D 00 00
BC 6D 00 00 00 00 00 00


(Btw, Notepad uses both ILT and IAT ;).
Ok, now we could fill in the "Import Directory Table" of ADVAPI32.DLL .
But one problem: is this the ILT or the IAT? :)
Well, you can think now "Ah that doesn't matter so much" hehe :)
Now comes a difficult part for me to explain, i think you need a little bit of Knowledge about
recognition ;)
Look at Offset "000062E0", there are the same amount of Dwords Terminated by 00000000.
These values look like "Base Addresses" to me.
You can try to type in SoftICE "d (whatever the first Dword is)" and look if it matches the API
"RegSetValueExA" in my case it matches but i don't know if it's the same on every System ;)
Ok, these "Base Addresses" at Offset 000062E0 can't be the ILT, because it doesn't hold an RVA to
the API's Name in the file, so this must be the IAT and that other one (At Offset 000060A0) must
be the ILT of ADVAPI32.DLL :)
Now we can fill the "Import Directory Table" of ADVAPI32.DLL ;)
We have this now for ADVAPI32.DLL:


1 Dword		- 000060A0	= Import Lookup Table (ILT)
2 Dword		- 00000000	= Time/Date Stamp
3 Dword		- 00000000	= Forwarder Chain
4 Dword		- 00006DDA	= Name (Of *.DLL or *.EXE)
5 Dword		- 000062E0	= Import Address Table (IAT)


We don't give a Damn about the Time/Date Stamp and the Forwarder Chain, they can be left empty ;)
Ok, because of almost a little lack of Memory because of this big Tutorial (Ok i can go on in
Wordpad ;) i'm gonna show the complete "Import Directory Tables" now but i think you can find it
out yourself now ;)
Here's the complete "Import Directory Tables":


A0 60 00 00 00 00 00 00 00 00 00 00 DA 6D 00 00
E0 62 00 00 B8 60 00 00 00 00 00 00 00 00 00 00
F6 6C 00 00 F8 62 00 00 18 61 00 00 00 00 00 00
00 00 00 00 9C 67 00 00 58 63 00 00 B0 61 00 00
00 00 00 00 00 00 00 00 8A 65 00 00 F0 63 00 00
CC 61 00 00 00 00 00 00 00 00 00 00 92 6B 00 00
0C 64 00 00 C0 62 00 00 00 00 00 00 00 00 00 00
7A 6D 00 00 00 65 00 00 00 00 00 00


I hope that the Offsets are the same as in your File ;)
If you changed it to this then we need to change one more thing.
We need to change the RVA of the IT in the PE Header otherwise Win has no idea where the IT is ;)
So the RVA of the IT is located at (PE+80h).
It says now "00D00000" (0000D000 was the IT for the Decryption Routine) change it into "00600000"
(00006000 where the real IT is ;) .
Now save the File and run it, it works :P
Ok, finally i came to the end of this Manually Unpacking Tutorial *phew* ;)
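
Added example (not part of the original tutorial): a small Python parser for the "Import Directory Tables" layout described in Step 4, run over the rebuilt bytes and over the destroyed DF EC 31 00 table exactly as both are shown above. SIZE_OF_IMAGE is the 0000D000 set in Step 3; the function names and the zero padding past the end of each dump are assumptions of this example.

```python
import struct

DESCRIPTOR_SIZE = 0x14          # five dwords per "Import Directory Table"
FIELDS = ("ilt", "timestamp", "forwarder", "name", "iat")
SIZE_OF_IMAGE = 0xD000          # value set in Step 3 of the tutorial


def from_hex(text):
    """Turn a hex-editor style dump into bytes."""
    return bytes.fromhex("".join(text.split()))


# Rebuilt table, copied from the tutorial's final hex dump.
REBUILT = from_hex("""
    A0 60 00 00 00 00 00 00 00 00 00 00 DA 6D 00 00
    E0 62 00 00 B8 60 00 00 00 00 00 00 00 00 00 00
    F6 6C 00 00 F8 62 00 00 18 61 00 00 00 00 00 00
    00 00 00 00 9C 67 00 00 58 63 00 00 B0 61 00 00
    00 00 00 00 00 00 00 00 8A 65 00 00 F0 63 00 00
    CC 61 00 00 00 00 00 00 00 00 00 00 92 6B 00 00
    0C 64 00 00 C0 62 00 00 00 00 00 00 00 00 00 00
    7A 6D 00 00 00 65 00 00 00 00 00 00
""")

# Destroyed table as found in the dump: 78h bytes of DF EC 31 00, then zeros.
DESTROYED = from_hex("DF EC 31 00") * (0x78 // 4) + bytes(4)


def parse_import_directory(data):
    """Read 14h-byte descriptors until one has an empty Name RVA.

    Assumption: bytes past the end of `data` are zero, as in the dump, where
    the table is followed by "a bunch of 00's".
    """
    entries = []
    for offset in range(0, len(data), DESCRIPTOR_SIZE):
        chunk = data[offset:offset + DESCRIPTOR_SIZE].ljust(DESCRIPTOR_SIZE, b"\0")
        entry = dict(zip(FIELDS, struct.unpack("<5I", chunk)))
        if entry["name"] == 0:      # an empty Name RVA ends the Import Table
            break
        entries.append(entry)
    return entries


def check_entry(entry, size_of_image=SIZE_OF_IMAGE):
    """Return the reasons why this descriptor cannot be valid (empty if fine)."""
    problems = []
    if entry["iat"] == 0:           # the IAT RVA cannot be left empty
        problems.append("iat is empty")
    for field in ("ilt", "name", "iat"):
        if entry[field] >= size_of_image:
            problems.append(f"{field} RVA {entry[field]:08X} is outside the image")
    return problems


def report(data):
    """One summary line per descriptor: the three RVAs and the check result."""
    lines = []
    for i, e in enumerate(parse_import_directory(data)):
        status = "; ".join(check_entry(e)) or "ok"
        lines.append(
            f"#{i} ILT={e['ilt']:08X} Name={e['name']:08X} IAT={e['iat']:08X} {status}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report(REBUILT)))
    print("\n".join(report(DESTROYED)))
```

Run over the bytes you typed into your own dump, the same check shows whether every descriptor points inside the image before you try to start the file.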


--->	Last Words...

Pretty damn big Tutorial and i hope you learned something from it ;)
It was difficult to explain the Rebuilding Part and i hope you understand what i'm saying.
If you didn't succeed you can always use ReVirgin or ImpRec, or you can try again ;)
I don't like to use ReVirgin or ImpRec (They're great Tools no doubt about that ;) but i just
like to do it myself Manually :)
Remember that the Offsets can be different throughout this Tutorial, if so then you need to find
it out yourself a little more and i think you'll learn more from that ;)
Ok, i'm gonna quit now on to the next Tutorial ;)


--->	Greetings...

				"You know who you are !!!" :P


			Don't trust the Outside, Trust the InSiDe !!!

					  Cya...

					CoDe_InSiDe

Email: code.inside@home.nl