unpacking nonexecutable files


qferret
June 2nd, 2001, 15:32
I have a file packed with UPX 0.84 (a version that doesn't support unpacking). Is there a tool available that can unpack files other than .exe's and .com's? (Tried to dump the process with ProcDump, no dice.)

If I try manually... it's an ActiveX control... would breaking on LoadLibrary and then proceeding with the "normal" UPX procedure work?

I'm gonna play with it, but if anyone has any suggestions or insight, it would save some of my diminishing hair LOL

Kayaker
June 3rd, 2001, 00:33
Hi qferret,

How about putting a CC at the OEP of the OCX and setting a BPINT 3, changing the code back with the 'a' command, and, as you say, unpacking UPX as usual?

I've done this on NeoLite-packed DLLs and it's worked well. Never tried it on an OCX though.

Kayaker

qferret
June 3rd, 2001, 22:06
Thanks for the tip, Kayaker... now I just need to find the CRC check LOL... this guy went all out.

I haven't run across any SoftICE tricks yet, but when I change the opcode at the PEP to CC and run the program, even if all I do is use the a command to replace the original byte and then Ctrl-D out of SIce... the program crashes. I think it's reading from the file itself, not the copy in memory (for a CRC)... if I'm way off base, kick me in the head, I'm just speculating at this point ;-)

Well, back to my tracing.

BTW... what VB6 API is used to load an .ocx? Then I wouldn't have to patch to break ;-)

Ryan
June 4th, 2001, 02:49
Hehe,
didn't I say it is fun and tricky? I have been trying to get you guys to try it. A million thanks to you, qferret. Hope you crack it; that will mean it sucks and I won't charge users money next time.

Thanks again
Ryan

noname
June 4th, 2001, 11:19
Quote:
qferret (06-03-2001 20:06):
Thanks for the tip, Kayaker... now I just need to find the CRC check LOL... this guy went all out.

I haven't run across any SoftICE tricks yet, but when I change the opcode at the PEP to CC and run the program, even if all I do is use the a command to replace the original byte and then Ctrl-D out of SIce... the program crashes. I think it's reading from the file itself, not the copy in memory (for a CRC)... if I'm way off base, kick me in the head, I'm just speculating at this point ;-)

Well, back to my tracing.

BTW... what VB6 API is used to load an .ocx? Then I wouldn't have to patch to break ;-)


Hey qferret,
my way is to add a line in winice.dat:
exp=c:\thename\the.ocx

Then reboot your Windows and load the exe again.
The next thing is to set a breakpoint in memory on the OCX entry point:
bpm xxxxx x
You will be able to break in the OCX ;=)
There's an ExitProcess API which closes the exe, strange...

noname

qferret
June 4th, 2001, 23:54
OK, quick update before I go to bed and slip into a 4 1/2 hour coma ;-)

I finally found where to dump. Took a while today.

1.) I suck at unpacking

2.) My PC has decided it hates SoftICE after more than 5 minutes or so of debugging

Kinda cool though, I used to have to shut down for an hour or so before I could get it to boot w/o an exception in VMM (01)... now I'm running a dual boot... W98 won't let me in, I boot into W2k & let it "check the drive for consistency" ;-) ... then I can reboot into W98 & all is well, until I debug anything for more than 5 minutes again LOL.

Anyway... I found the spot... ProcDump still won't let me dump the process though... could I get someone to explain in plain terms how to dump using IceDump? (I suck worse at deciphering command-line style examples w/ the brackets & shit than I do at unpacking LOL)

I'll try to figure it out tomorrow afternoon, but I'll accept any help offered ;-)

Look out Ryan, here I come hehe

qferret
June 5th, 2001, 00:00
BTW... I finally found the end of the routine when I quit pissing around & figured out how to use /tracex w/ /option t L

(BIG thx to the IceDump team... BTW, the CD player & Tetris are cool, even if I can't stay in SoftICE long enough to enjoy them LOL)

Kayaker
June 5th, 2001, 01:24
Hi qferret,

Strange problem you've got there with SI crapping out on you after 5 minutes. Have you got a temperature monitor on your CPU or something that goes apeshit if it's not getting feedback while in SI?

Anyway, for what it's worth, I usually do raw dumps with IceDump's /DUMP command rather than using /PEDUMP, because I like to have the Raw Offsets and Sizes of the sections in the dumped file match up with those of the Virtual image I just dumped from. Addresses as seen in W32Dasm or SI directly match up with the offsets in a hex editor, and it's easy to find the IAT and other sections. Not such a big deal if you know a /PEDUMP will produce a working exe, but if the Import table is mucked up I just find it easier to work with this way. After making any necessary changes with a hex editor you can always rebuild the PE file to get rid of excess padding and reduce its size.

I usually start by noting the Size of Image of the file with PEditor, then when I find the OEP and the place to dump use
/DUMP [image base] [image size] [c:\filename]

[image base] is usually 400000 for exe files, but for your DLL it would be 10000000, I guess. [image size] is the size you saw with PEditor.

Then you need to change the OEP and the code characteristics of the 1st section to E0000020 (usually). And most importantly, use the dumpfixer option of PEditor to make ROff=VOff and RSize=VSize. If everything went well, this last step will now show the icon of the file properly. If the Imports look good, you're laughing. If not, you need ReVirgin.

A basic /PEDUMP would be
/PEDUMP [image base] [OEP] [c:\filename]
where [OEP] is a Relative value without the image base added. i.e. if you find the OEP is 401234 then you use 1234 here.

Hope this helps,

Kayaker
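The header fix-up Kayaker describes (raw /DUMP of the whole image, then ROff=VOff, RSize=VSize, new OEP, first section set to E0000020) is mechanical enough to script. The block below is an added example, not code from the thread, IceDump or PEditor. It builds a constructed, minimal PE32 image in virtual layout (image base 10000000 as assumed above for a DLL, two UPX-style sections, a made-up OEP of 10001234) and applies the fix by hand. The va_to_file_offset helper shows the point of the whole exercise: before the fix, the section table maps the OEP to nothing on disk; after it, the hex-editor offset equals the RVA.

```python
"""Fix the section headers of a raw memory dump of a PE32 image.

Added example (not part of the original thread, IceDump or PEditor). Does
what the post describes doing with PEditor's dumpfixer: after a raw /DUMP
of the whole image, set each section's raw offset/size to its virtual
offset/size, set AddressOfEntryPoint to the OEP, and mark the first
section as code + read/write/execute (0xE0000020).
"""
import struct

PE32_MAGIC = 0x10B
SECTION_HEADER_SIZE = 40
# IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
CODE_RWX = 0xE0000020


def _pe_offset(data):
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew


def parse_pe(data):
    """Return image base, SizeOfImage, entry RVA and the section table."""
    pe = _pe_offset(data)
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                         # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 handled here")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    sections = []
    for i in range(nsections):
        off = opt + opt_size + i * SECTION_HEADER_SIZE
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append(dict(name=name.rstrip(b"\0").decode(), vsize=vsize, va=va,
                             rsize=rsize, rptr=rptr, chars=chars, hdr_off=off))
    return dict(image_base=image_base, size_of_image=size_of_image,
                entry=entry, sections=sections)


def va_to_file_offset(data, va):
    """Map a VA to a file offset through the section table; None if not on disk."""
    info = parse_pe(data)
    rva = va - info["image_base"]
    for s in info["sections"]:
        if s["va"] <= rva < s["va"] + s["rsize"]:
            return s["rptr"] + (rva - s["va"])
    return None


def fix_dump(data, oep_va):
    """Rewrite the headers of a raw dump so file offsets equal virtual offsets."""
    info = parse_pe(data)
    if len(data) != info["size_of_image"]:   # a raw /DUMP must be exactly SizeOfImage bytes
        raise ValueError("dump is %#x bytes, SizeOfImage is %#x" % (len(data), info["size_of_image"]))
    oep_rva = oep_va - info["image_base"]    # the header wants an RVA, not the VA seen in SoftICE
    if not 0 <= oep_rva < info["size_of_image"]:
        raise ValueError("OEP outside the image")
    buf = bytearray(data)
    struct.pack_into("<I", buf, _pe_offset(data) + 24 + 16, oep_rva)
    for i, s in enumerate(info["sections"]):
        # SizeOfRawData = VirtualSize, PointerToRawData = VirtualAddress
        struct.pack_into("<II", buf, s["hdr_off"] + 16, s["vsize"], s["va"])
        if i == 0:
            struct.pack_into("<I", buf, s["hdr_off"] + 36, CODE_RWX)
    return bytes(buf)


def build_sample_image():
    """Constructed sample: a 0x4000-byte virtual image of a UPX-style PE32 DLL (not a real file)."""
    image_base, size_of_image, size_of_headers = 0x10000000, 0x4000, 0x400
    sections = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
        (b"UPX0", 0x2000, 0x1000, 0x000, 0x400, 0xE0000080),
        (b"UPX1", 0x1000, 0x3000, 0x600, 0x400, 0xE0000040),
    ]
    img = bytearray(size_of_image)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    pe = 0x80
    img[pe:pe + 4] = b"PE\0\0"
    # COFF header: i386, section count, stamp, symtab, nsyms, SizeOfOptionalHeader, DLL|32-bit|executable
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x14C, len(sections), 0, 0, 0, 0xE0, 0x210E)
    opt = pe + 24
    struct.pack_into("<H", img, opt, PE32_MAGIC)
    struct.pack_into("<I", img, opt + 16, 0x3010)           # packer stub entry point
    struct.pack_into("<I", img, opt + 28, image_base)
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)   # SectionAlignment, FileAlignment
    struct.pack_into("<II", img, opt + 56, size_of_image, size_of_headers)
    for i, (name, vsize, va, rsize, rptr, chars) in enumerate(sections):
        off = opt + 0xE0 + i * SECTION_HEADER_SIZE
        struct.pack_into("<8sIIII", img, off, name, vsize, va, rsize, rptr)
        struct.pack_into("<I", img, off + 36, chars)
    img[0x1234:0x1237] = b"\x55\x8b\xec"   # unpacked code at the assumed OEP: push ebp / mov ebp,esp
    return bytes(img)


if __name__ == "__main__":
    raw = build_sample_image()
    fixed = fix_dump(raw, 0x10001234)
    print("OEP on disk before fix:", va_to_file_offset(raw, 0x10001234))
    print("OEP on disk after fix: %#x" % va_to_file_offset(fixed, 0x10001234))
```

To use it on a real dump, read the file /DUMP wrote, pass the OEP exactly as SoftICE showed it (the function subtracts the image base itself) and write the returned bytes back out; imports still need checking afterwards, as the post says.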

CoDe_InSiDe
June 5th, 2001, 02:03
Hi Kayaker,

"You got a temperature monitor on your CPU or something that goes apeshit if it's not getting feedback while in SI?"

This message doesn't really belong to this subject, but I'm having this damn problem.
I can't stay in SoftICE very long (or in games).
Do you know any solution for that problem, or anyone else?
Thanks in advance.

Cya...

CoDe_InSiDe

Kayaker
June 5th, 2001, 02:36
Hi Code_Inside,

Heh, bit of a digression here, eh? Maybe we should move it you know where.

I had this problem when I got my new 600 and started blasting in Quake (hard level, god mode, BFG cheat manic attack frenzy)

Computer shut down with sort of an "Are you nuts?" immediacy to it. I bumped up the upper temp shutoff limit in BIOS by 5 or 10 degrees and it was OK.

There's always installing extra fans, getting a better CPU heatsink, or "painting" your existing one with some kind of heat-dissipating goo (forget the name of it). Not sure why mild-mannered SoftICE would have this effect though.

Kayaker

Ryan
June 5th, 2001, 03:46
Quote:
qferret (06-04-2001 21:54):
OK, quick update before I go to bed and slip into a 4 1/2 hour coma ;-)

I finally found where to dump. Took a while today.

1.) I suck at unpacking

2.) My PC has decided it hates SoftICE after more than 5 minutes or so of debugging

Kinda cool though, I used to have to shut down for an hour or so before I could get it to boot w/o an exception in VMM (01)... now I'm running a dual boot... W98 won't let me in, I boot into W2k & let it "check the drive for consistency" ;-) ... then I can reboot into W98 & all is well, until I debug anything for more than 5 minutes again LOL.

Anyway... I found the spot... ProcDump still won't let me dump the process though... could I get someone to explain in plain terms how to dump using IceDump? (I suck worse at deciphering command-line style examples w/ the brackets & shit than I do at unpacking LOL)

I'll try to figure it out tomorrow afternoon, but I'll accept any help offered ;-)

Look out Ryan, here I come hehe


Hey,
congrats on unpacking it. Well, the packing using UPX is just to make it lame. The interesting stuff is after you unpacked it. I promise you more sleepless nights like what I had when I coded it.

I am sure someone will be able to crack it someday. hehe

Thanks for your interest again.
Ryan
PS. Treat it like a crack me.

Ryan
June 5th, 2001, 03:51
I forgot... Be sure to try the latest version (26th May) and not a previous one.
www.rtsoftware.org

Thanks
Ryan

qferret
June 5th, 2001, 22:05
Sometimes I make more work for myself than I have to LOL

/dump worked beautifully w/o any PE mods necessary ;-) ... now the real fun begins hehe

Umm... Ryan, no offense, but please don't tell me which version of your software to crack ;-)

The one I'm working on is a couple of weeks older than that... but I'm not doing this to help you make $ (yes, I know that it is [up to this point] freeware). I'm doing it to challenge myself (besides, once I figure this version out, it's just a matter of figuring out the updates, unless you do a complete revamp).

Ryan
June 6th, 2001, 04:17
Quote:
qferret (06-05-2001 20:05):
Sometimes I make more work for myself than I have to LOL

/dump worked beautifully w/o any PE mods necessary ;-) ... now the real fun begins hehe

Umm... Ryan, no offense, but please don't tell me which version of your software to crack ;-)

The one I'm working on is a couple of weeks older than that... but I'm not doing this to help you make $ (yes, I know that it is [up to this point] freeware). I'm doing it to challenge myself (besides, once I figure this version out, it's just a matter of figuring out the updates, unless you do a complete revamp).


Hi,
believe it or not, I am writing software so that I have things to put on my CV and not for the money. In fact, I work in a totally different environment which is more technophobic than any other. Back to the software-writing point of view, well, making money from it is a lower priority. Besides, I will be writing totally different types of software soon, and it will be for students, assisting them in their revision. You will know when I release them.

The difference between the newer version and the older version... well, there are more things that will make your life more difficult (with a few interesting tricks), with a few bug repairs and, I believe, a better way of coding. I promise you there will not be an update in the next two weeks or so because I have run out of ideas at the moment.

Thanks again
Ryan

NchantA
June 6th, 2001, 11:10
Hiya qferret,
ltns

Yo also to Ryan hehe

qferret, I was reading above and noticed that you keep saying 'ProcDump won't work' with it. I too have noticed this before: ProcDump refuses to dump a .dll attached to a process, no matter what you do.

For a workaround, use PEditor or an equivalent from Protools or SuddenDischarge; it should dump .ocx/.dll fine (a nice tool).

IceDump is IMHO the best way around it (yay for /pedump).

peace

NchantA