
Help me Unpack this Packer!!!


AntiCrk
May 30th, 2003, 21:06
Hi!

I'm a new member in this forum.

Please help me to unpack this Unpackme.

Thanks!

Best regards.

artik
May 31st, 2003, 06:30
hehe, it's just
UPX 0.89.6 - 1.02 / 1.05 - 1.22 (Delphi) stub -> Markus & Lazlo
so don't worry, there are many tutorials about unpacking UPX

i think you can find what you need at hxxp://new2cracking.cjb.net or hxxp://zor.org/krobar

good luck!

r4g3
May 31st, 2003, 07:05
CALL Unpackme.00463CD6: on entry EDI points to the function name; on return its address is in EAX.

00463C9D FF95 80744000 CALL DWORD PTR SS:[EBP+407480] ; kernel32.CreateThread

at this point go to stack window:

0012FF94 00462370 Unpackme.00462370

It's the callback function for the new thread; bpx on it. Then run the target with F9. Once you land on the new bpx you are at the start of the unpacking code.
The IAT is constructed at the end:

00462492 LEA EDI,DWORD PTR DS:[ESI+5F000] ; import table
00462498 MOV EAX,DWORD PTR DS:[EDI]
0046249A OR EAX,EAX
0046249C JE SHORT Unpackme.004624DA
0046249E MOV EBX,DWORD PTR DS:[EDI+4]
004624A1 LEA EAX,DWORD PTR DS:[EAX+ESI+62A04]
004624A8 ADD EBX,ESI
004624AA PUSH EAX
004624AB ADD EDI,8
004624AE CALL DWORD PTR DS:[ESI+62AA4] ; kernel32.LoadLibraryA
004624B4 XCHG EAX,EBP
004624B5 MOV AL,BYTE PTR DS:[EDI]
004624B7 INC EDI
004624B8 OR AL,AL
004624BA JE SHORT Unpackme.00462498
004624BC MOV ECX,EDI
004624BE PUSH EDI
004624BF DEC EAX
004624C0 REPNE SCAS BYTE PTR ES:[EDI]
004624C2 PUSH EBP
004624C3 CALL DWORD PTR DS:[ESI+62AA8] ; kernel32.GetProcAddress
004624C9 OR EAX,EAX
004624CB JE SHORT Unpackme.004624D4
004624CD MOV DWORD PTR DS:[EBX],EAX ; write function addr
004624CF ADD EBX,4
004624D2 JMP SHORT Unpackme.004624B5
004624D4 CALL DWORD PTR DS:[ESI+62AAC]
004624DA POPAD
004624DB JMP Unpackme.0044DD50 ; jmp to OEP

Dump it on the OEP, reconstruct imports, that's all.
Nothing special, but is it really UPX as the PEiD hardcore scan says?
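
The import-table walk in the listing above, reimplemented as an added Python example (not code from this thread or from the packer): it parses the same layout the loop at 00462498..004624D2 consumes and simulates the thunk writes so you can see what a correctly rebuilt IAT should contain. The table bytes, DLL-name pool, export addresses and image base 0x400000 are all constructed for the example; the meaning of the byte in front of each function name (a flag that DEC EAX turns into the AL=0 terminator REPNE SCASB scans for) is inferred from the listing.

```python
import struct

# Constructed stand-in for LoadLibraryA/GetProcAddress: addresses are made up.
FAKE_EXPORTS = {
    "kernel32.dll": {"CreateThread": 0x7C810637, "ExitProcess": 0x7C81CAFA},
    "user32.dll": {"MessageBoxA": 0x77D5050B},
}

# Constructed DLL-name pool (the block the stub reaches via ESI+62A04).
# Offset 0 holds a NUL so that a name offset of 0 can only mean "end of table".
DLL_NAMES = b"\x00kernel32.dll\x00user32.dll\x00"
KERNEL32_OFF, USER32_OFF = 1, 14


def build_entry(dll_off, thunk_rva, names):
    """Encode one entry the way the loop reads it: DWORD name offset, DWORD thunk
    RVA, then flag(1) + name + NUL per import, then a lone NUL ending the list."""
    blob = struct.pack("<II", dll_off, thunk_rva)
    for name in names:
        blob += b"\x01" + name.encode("ascii") + b"\x00"
    return blob + b"\x00"


# Constructed import table: kernel32 thunks at RVA 0x63000, user32 at 0x63010,
# closed by a zero DWORD (the OR EAX,EAX / JE test at 0046249A).
IMPORT_TABLE = (
    build_entry(KERNEL32_OFF, 0x63000, ["CreateThread", "ExitProcess"])
    + build_entry(USER32_OFF, 0x63010, ["MessageBoxA"])
    + struct.pack("<I", 0)
)


def cstr(buf, off):
    """Read a NUL-terminated ASCII string; return (text, offset past the NUL)."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("ascii"), end + 1


def parse_import_table(table, dll_names):
    """Walk the table as 00462498..004624D2 does.
    Returns [(dll, thunk_rva, [function, ...]), ...]."""
    entries = []
    edi = 0
    while True:
        dll_off = struct.unpack_from("<I", table, edi)[0]        # MOV EAX,[EDI]
        if dll_off == 0:                                         # OR EAX,EAX / JE 004624DA
            break
        thunk_rva = struct.unpack_from("<I", table, edi + 4)[0]  # MOV EBX,[EDI+4]
        edi += 8                                                 # ADD EDI,8
        dll, _ = cstr(dll_names, dll_off)                        # LoadLibraryA argument
        funcs = []
        while True:
            flag = table[edi]                                    # MOV AL,[EDI]
            edi += 1                                             # INC EDI
            if flag == 0:                                        # OR AL,AL / JE 00462498
                break
            # DEC EAX turns the flag into AL=0, so REPNE SCASB stops at the NUL.
            name, edi = cstr(table, edi)
            funcs.append(name)
        entries.append((dll, thunk_rva, funcs))
    return entries


def resolve_iat(entries, exports, image_base=0x400000):
    """Simulate the DWORD writes at 004624CD (one thunk per import, 4 bytes apart).
    Returns {virtual address: (dll, function, resolved address)}."""
    iat = {}
    for dll, thunk_rva, funcs in entries:
        module = exports.get(dll.lower())
        if module is None:
            raise LookupError(f"LoadLibraryA failed for {dll}")
        ebx = image_base + thunk_rva                             # ADD EBX,ESI
        for func in funcs:
            addr = module.get(func)
            if addr is None:                                     # OR EAX,EAX / JE 004624D4 (failure path)
                raise LookupError(f"GetProcAddress failed for {dll}!{func}")
            iat[ebx] = (dll, func, addr)                         # MOV [EBX],EAX
            ebx += 4                                             # ADD EBX,4
    return iat


if __name__ == "__main__":
    iat = resolve_iat(parse_import_table(IMPORT_TABLE, DLL_NAMES), FAKE_EXPORTS)
    for va, (dll, func, addr) in sorted(iat.items()):
        print(f"{va:08X} -> {addr:08X}  {dll}!{func}")
```

When you compare a dump taken at the OEP against this model, each thunk address should hold a pointer into the named DLL; a thunk that still holds the pre-resolution value is one the import rebuilder will have to fix by hand.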

ZaiRoN
May 31st, 2003, 07:57
Hi!

AntiCrk, you have found a very interesting target, it would represent a nice project on 'manual unpacking for newbies'. :-)

Rage has conceptually said it all, but I would like to encourage newbies to ask questions about:
1. tools to be used
2. how to find oep
3. how to dump the exe
4. how to reconstruct imports
and so on...

Ciao,
ZaiRoN

hobferret
May 31st, 2003, 14:45
Hi AntiCrk

A useful suggestion for this, having read what others have said about it, would be to "bpx GetModuleHandleA". When it breaks press F12 2 or 3 times to return to the program thread. There should be a call above where you land!

The OEP is usually 10h to 15h above where you are; if you can't see it by scrolling up, do a u [address-10h] etc. and you should find it.

The reason for you not being able to see it directly is because the code gets obfuscated i.e. the address you look at is not necessarily the correct instruction!

/hobferret

AntiCrk
June 2nd, 2003, 19:58
Hi There!

That's a good Idea!
I tried it for a very long time; I unpacked it but it does not run.

I think after unpacking this unpackme we must patch somewhere in the CODE section.
Can you help me? If you unpacked it, please upload it to the forum.

Thanks very much!

I'm Vietnamese, so I don't speak English well, I'm sorry!!!

Best regards!


sv
June 3rd, 2003, 02:18
Hi all

'I think after unpack this unpackme We must patch some where in the CODE section.'
Look at:
0044DB1B A1 44ED4400 MOV EAX, DWORD PTR [44ED44]
0044DB20 66:8338 03 CMP WORD PTR [EAX], 3
0044DB24 75 1B JNZ SHORT 0044DB41
0044DB26 A1 48ED4400 MOV EAX, DWORD PTR [44ED48]
0044DB2B 8138 043C0600 CMP DWORD PTR [EAX], 63C04
0044DB31 75 0E JNZ SHORT 0044DB41
0044DB33 EB 02 JMP SHORT 0044DB37

Try to find what is checked.
Regards

SV

AntiCrk
June 4th, 2003, 19:39
Hi!
Great!!!
It runs very cool.

Thanks!
Best regards!