
give some advice


cooper
November 22nd, 2003, 10:48
Hi!
I need some experienced guys to correct me or give some advice.
It's all about unpacking files packed with FSG 1.33.
As a target I took this crackme coded in Asm: http://biw.rult.at/crackmes/magic.zip?PHPSESSID=97b76669a143df580a19484e66e8737c
So first I packed it with FSG 1.33,
opened the packed file with OllyDbg and stopped at 459F1F.
Here I simply scrolled down and found the conditional jump at 00459FC1:
je 00401000, it is the OEP for sure.

So the first question: is there a better way to find this jump
than scrolling down and looking for it?

Breakpoint at this line and run the program until the jump is taken,
then step into, and at this moment do a full dump with LordPE,
change the dump EP to RVA 1000.
Next, fixing the imports: I used ImportREC,
changed OEP to 1000 => IAT AutoSearch => Get Imports.
It found all functions with no problems.
I don't like creating a new section, so I unchecked this option.
Looking at the dump with LordPE: Import Table at RVA 00059FE5,
but it's almost the end of the file, not enough space for the imports.

I decided to change the RVA of the Import Table to 00002280 (where I found empty space)
and the size to 23C.

Now the import is fixed!
But...
is there something I've done wrong, or let's say something that could be done better?
Btw, what is the better way to make the size of the dump less?
What about making the dump cleaner and neater, like it was before packing?
Thank you.
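On the first question (finding the tail jump without scrolling through the stub), here is an added example that is not code from this thread or from any of the tools it mentions: a small Python byte scanner that walks a dumped stub for the 6-byte `je rel32` form (`0F 84 rel32`) and keeps only the jumps whose target lies outside the scanned stub, since the packer's final jump is the one that leaves the stub for the original code. The stub bytes, the image base 0x400000 and the stub RVA 0x59F00 are constructed for the demonstration; the target 0x401000 is the OEP from the post.

```python
import struct

IMAGE_BASE = 0x400000  # assumed: the usual default image base for an EXE


def find_long_je(code, code_rva):
    """Return (instr_va, target_va) for every 6-byte 'je rel32' (0F 84 xx xx xx xx) in code.

    code_rva is the RVA at which code[0] sits in the image.  This is a plain byte
    scan, not a disassembler, so data bytes that happen to read 0F 84 show up too
    and the list should be checked in the debugger.
    """
    hits = []
    for i in range(len(code) - 5):
        if code[i] == 0x0F and code[i + 1] == 0x84:
            rel = struct.unpack_from("<i", code, i + 2)[0]
            instr_rva = code_rva + i
            target_rva = (instr_rva + 6 + rel) & 0xFFFFFFFF
            hits.append((IMAGE_BASE + instr_rva, IMAGE_BASE + target_rva))
    return hits


def candidate_tail_jumps(code, code_rva):
    """Keep only jumps that leave the scanned stub: those are the OEP candidates."""
    lo, hi = IMAGE_BASE + code_rva, IMAGE_BASE + code_rva + len(code)
    return [(va, tgt) for va, tgt in find_long_je(code, code_rva) if not lo <= tgt < hi]


# Constructed stub: 0x100 bytes of NOPs with two long je's patched in.  The one
# at stub+0x10 stays inside the stub; the one at stub+0xC1 jumps to RVA 0x1000.
STUB_RVA = 0x59F00
STUB = bytearray(b"\x90" * 0x100)
STUB[0x10:0x16] = b"\x0f\x84" + struct.pack("<i", 0x20)
STUB[0xC1:0xC7] = b"\x0f\x84" + struct.pack("<i", 0x1000 - (STUB_RVA + 0xC1 + 6))
STUB = bytes(STUB)

if __name__ == "__main__":
    for va, tgt in find_long_je(STUB, STUB_RVA):
        print(f"je at {va:08X} -> {tgt:08X}")
    print("OEP candidates:", [f"{t:08X}" for _, t in candidate_tail_jumps(STUB, STUB_RVA)])
```

Running it on a real dump means passing the stub's bytes and the RVA where they were read from; the scan only covers the long `je` form, so a stub that ends in a `jmp`, a `push`/`ret` or a short jump needs the pattern adjusted.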

Liquid
November 27th, 2003, 06:13
Quote:
[Originally Posted by cooper]
Btw what is the better way to make size of dump less?
What bout making dump cleaner and neater - like it was bfore packing?


I wrote an unpacker for FSG some time ago, and for me it still works fine; I just need to change one jump by myself, because I was too lazy to remove one version check. This little tool I made loads the target into memory and uses my own 'unpacking' routine on it. I wrote code to fully rebuild the imports using FSG's tables, and it rebuilds resources too. I was trying to 'guess' where the original imports were before packing, but it didn't work every time. If you're interested, I can show you the source for it so you can see a few, maybe useful for you, ideas...

cooper
November 27th, 2003, 10:25
Yeah,
sure, you are welcome.

Liquid
November 29th, 2003, 14:21
hxxp://crks.sytes.net/~liquid/fsgunpacker/unpacker.rar

To decompile files packed with new versions of FSG, remove lines 201/202:
cmp dword ptr [eax], 0000000AE8h
jnz _return_1

Any comments would be nice.
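Cooper's first post relocates the Import Table directory entry by hand (RVA 00002280, size 23C) after ImportREC's table landed near the end of the file, and Liquid's reply talks about rebuilding the imports from a loaded image. The following is an added example, not code from this thread or from ImportREC, LordPE or Liquid's unpacker: a Python helper that reads DataDirectory[1] from a PE32 file, checks that a proposed RVA range lies wholly inside one section's raw data and is zero-filled before pointing the directory at it, and refuses otherwise. `build_sample_pe` constructs a toy one-section PE (not a real program, not an FSG target) whose import directory overruns its section, mirroring the "not enough space" situation; the offsets 0x2280, 0x23C and 0x3FE5 are chosen to echo the post.

```python
import struct

# PE32 layout constants (PE/COFF spec).  DataDirectory[1] is the import table;
# the directory array starts 96 bytes into the optional header.
OPT_DATADIR_OFF = 96
IMPORT_DIR_INDEX = 1
SECTION_HDR_FMT = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER
OPT_HDR_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6  # 96-byte PE32 fixed part


def header_offsets(data):
    """Return (opt_off, first_section_off, num_sections); PE32 only."""
    nt_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[nt_off:nt_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    num_sections = struct.unpack_from("<H", data, nt_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, nt_off + 20)[0]
    opt_off = nt_off + 24
    if struct.unpack_from("<H", data, opt_off)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    return opt_off, opt_off + opt_size, num_sections


def parse_sections(data):
    """Name, RVA, raw size and raw file offset of every section."""
    _, sec_off, n = header_offsets(data)
    out = []
    for i in range(n):
        f = struct.unpack_from(SECTION_HDR_FMT, data, sec_off + i * 40)
        out.append({"name": f[0].rstrip(b"\0").decode(), "va": f[2], "rawsize": f[3], "rawptr": f[4]})
    return out


def get_import_dir(data):
    """(RVA, size) of the import directory as stored in the optional header."""
    opt_off, _, _ = header_offsets(data)
    return struct.unpack_from("<II", data, opt_off + OPT_DATADIR_OFF + 8 * IMPORT_DIR_INDEX)


def locate(data, rva, size):
    """File offset of [rva, rva+size) if it lies wholly inside one section's raw data, else None."""
    for s in parse_sections(data):
        if s["va"] <= rva and rva + size <= s["va"] + s["rawsize"]:
            return s["rawptr"] + (rva - s["va"])
    return None


def region_is_free(data, rva, size):
    """True only if the region is inside raw section data and entirely zero bytes."""
    off = locate(data, rva, size)
    return off is not None and not any(data[off:off + size])


def set_import_dir(data, rva, size):
    """Point DataDirectory[1] at a new RVA/size after checking the region is usable."""
    if not region_is_free(data, rva, size):
        raise ValueError("target region is outside section raw data or not empty")
    out = bytearray(data)
    opt_off, _, _ = header_offsets(out)
    struct.pack_into("<II", out, opt_off + OPT_DATADIR_OFF + 8 * IMPORT_DIR_INDEX, rva, size)
    return bytes(out)


def build_sample_pe():
    """Constructed toy PE32: one 0x3000-byte section at RVA 0x1000 filled with NOPs,
    a zero-filled hole at RVA 0x2280, and an import directory that overruns the section."""
    sec_va, sec_raw, sec_size, hdr_size = 0x1000, 0x200, 0x3000, 0x200
    body = bytearray(b"\x90" * sec_size)
    body[0x2280 - sec_va:0x2280 - sec_va + 0x23C] = bytes(0x23C)
    opt = struct.pack(OPT_HDR_FMT, 0x10B, 0, 0, sec_size, 0, 0, 0x1000, sec_va, 0, 0x400000,
                      0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, sec_va + sec_size, hdr_size, 0,
                      2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * IMPORT_DIR_INDEX, 0x3FE5, 0x23C)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt) + len(dirs), 0x102)
    sect = struct.pack(SECTION_HDR_FMT, b".text", sec_size, sec_va, sec_size, sec_raw, 0, 0, 0, 0, 0x60000020)
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    hdr = (dos + b"PE\0\0" + coff + opt + dirs + sect).ljust(hdr_size, b"\0")
    return bytes(hdr + body)


if __name__ == "__main__":
    pe = build_sample_pe()
    rva, size = get_import_dir(pe)
    print(f"import dir at RVA {rva:08X} size {size:X}, inside a section: {locate(pe, rva, size) is not None}")
    fixed = set_import_dir(pe, 0x2280, 0x23C)
    print("relocated to", tuple(hex(v) for v in get_import_dir(fixed)))
```

The check is the point: a directory entry that points past a section's raw data, or into bytes that are not empty, loads oddly or overwrites code, so the helper only rewrites the header when both conditions hold. To use it on a real dump, read the file into `bytes`, call `set_import_dir` with the RVA where the descriptor table was actually written and its size, and write the result out under a new name.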