
Need help with unpacking


sailor_eda
December 24th, 2002, 07:07
1)What is the problem....
Need help unpacking a small program, actually a keygen. I'm curious to know how it works.

2)What is the protection.....
Don't know exactly, and all the manual ways to unpack don't work. I'm sure I'm not doing this properly.

3)What tools are you using....
- Procdump 1.6
- PEditor 1.7
- Unpack
- IDA Pro 4.01
- Revirgin

4)What tutorials have you read....
Tutorial written by Predator [PC/pGC]
Unpacking: a generic approach, including IT rebuilding.
+ several others

5)Show your output listing WITH comments....
- They are a bunch of dump files; don't know how to include those here.

6)NOW ask your question....

sailor_eda
December 24th, 2002, 07:10
Sorry, forgot to ask my questions.

- I'm not sure if the dump from procdump is correct or not.
- Using PEditor to fix the section tables just gives me an error message saying that "this file is not in win32 format."
- What am I doing wrong? Or is my whole approach wrong?

Any clues or tutorials that explain this particular kind of packing would be appreciated.

Woodmann
December 24th, 2002, 07:32
Hi,

You are unpacking a keygen?

This confuses me.

If you are trying to unpack a program try pe-scan to find out
what it is packed with.

Actually start over again with what you are trying to do.
(prog name, what is the packer, what are your problems)


Peace, Woodmann

Thank you for reading the FAQ

Kayaker
December 24th, 2002, 08:08
Lol, someone's been reading the FAQ. You'll get help. Procdump is a bit old and may not be able to handle certain packers, at least without a script. You may be better off manually tracing to what you are sure is the OEP and doing an Icedump /PEDUMP, or (my personal preference) a raw /DUMP and rebuilding with PEditor (VS=RS, VO=RO and maybe rebuild the imports).

If you want to use Procdump or LordPE/PEditor instead you should suspend the process at the OEP with 'jmp eip' and do a full dump with the minimum number of "fix-it" options until you are sure you're getting a reasonably good dump. Some other members may know the best settings to use say for some of the new features of LordPE. If you got an error message that the dump is not in Win32 format, take a look at the PE header in a hex editor and make sure it looks at least somewhat similar to a regular PE header, PEditor likely only looks for the presence of "MZ" and "PE" before kicking out that error message.

Could be a number of things, depending on the packer, but this is a start without more info.

Cheers,
Kayaker
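A small script for the two points above (the "MZ"/"PE" header sanity check and the VS=RS, VO=RO section rebuild), added here as an example and not part of the thread or of PEditor; the sample dump it builds is constructed, and the function names are my own.

```python
import struct

SECTION_HDR = 40  # size of one IMAGE_SECTION_HEADER

def locate_section_table(data):
    # Minimal 'MZ' + 'PE\0\0' check (what the post suspects PEditor looks for),
    # then SizeOfOptionalHeader to find the section table. ValueError if it fails.
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a DOS/PE header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew=0x%x" % e_lfanew)
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    return e_lfanew, num_sections, e_lfanew + 24 + opt_size

def looks_like_pe(data):
    # Boolean form of the header check, for triaging a dump before loading it.
    try:
        locate_section_table(data)
        return True
    except ValueError:
        return False

def apply_vs_rs_vo_ro(data):
    # For a raw memory dump the file layout equals the in-memory layout, so set
    # SizeOfRawData = VirtualSize and PointerToRawData = VirtualAddress per section.
    # Returns (patched bytes, [(name, VirtualSize, VirtualAddress, oldRawSize, oldRawPtr)]).
    buf = bytearray(data)
    _, n, off = locate_section_table(buf)
    changed = []
    for i in range(n):
        h = off + SECTION_HDR * i
        name = bytes(buf[h:h + 8]).rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", buf, h + 8)
        struct.pack_into("<II", buf, h + 16, vsize, va)
        changed.append((name, vsize, va, raw_size, raw_ptr))
    return bytes(buf), changed

def build_sample_dump():
    # Constructed, not a real binary: DOS header with e_lfanew=0x40, a 32-bit file
    # header with one section whose raw size/offset are stale, as in a bad dump.
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    file_hdr = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt_hdr = bytes(0xE0)  # contents irrelevant to the section-table walk
    text = b".text\0\0\0" + struct.pack("<IIIIIIHHI",
                                        0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    return dos + file_hdr + opt_hdr + text
```

Run it over a real dump by reading the file into bytes, checking looks_like_pe first, and writing the patched bytes back out only after inspecting the returned section list.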

sailor_eda
December 25th, 2002, 07:44
Thanks for the simple pointer. I've been trying to unpack a keygen - I was curious to see how they generated the serial number.

For the past 5 days I've been trying different ways to unpack this little program, and it's almost too easy with PE-Scan.

Thanks for your help. It is really appreciated.

You guys are awesome.

Sailor