mmhckb
January 29th, 2004, 16:20
I'm attempting to unpack a program packed with SVKP 1.3X. I'll walk you through as far as I've gotten. If anyone can make it further, plz lemme know. If you wanna know the target, say here, and I'll give it in PM.
Load up in Olly.
From OEP of the packed exe, trace until you reach the first LOOPD.
Several lines below, there should be:
00619051 75 3C JNZ SHORT .0061908F
00619053 803E 00 CMP BYTE PTR DS:[ESI],0
00619056 74 03 JE SHORT .0061905B
00619058 46 INC ESI
00619059 ^EB F8 JMP SHORT .00619053
0061905B 46 INC ESI
0061905C ^E2 E3 LOOPD SHORT .00619041
As you can see, it is testing for the common cracking tools, so NOP out the JNZ.
Go to Options -> Debugging Options -> Events Tab and check "break on new module".
Allow the program to run. Continue hitting F9 until another Entry Point Alert
box pops up. Hit OK. Then hit the Memory Map button ( M ). Find the target
and on the section below the PE HEADER of your target, put a breakpoint on
memory access. F9 again and you should break at or near the OEP. Locate your
OEP, write its address down and restart the app in Olly. Bypass the debug
check again and make it to the Entry Point Alert popup window. Hit OK, and
go to View -> Executable Modules. Double click on your target's exe name
and go to the address of your OEP and set a breakpoint (F2). Hit F9 and you
should break on your OEP. Write down what the first opcode is at your OEP.
Load up LordPE and dump. You will have to use the IntelliDump instead of
the standard LordPE dumper. When I did this, a box popped up and said that
4000h of the 22d000h bytes could not be dumped and would be padded with zeros.
Anyways, I don't think this is a problem... but maybe :/
Start up imprec, enter the OEP, iat autosearch, get imports, show invalid,
trace level 1, show invalid, cut thunks, fix dump.
The IntelliDump left an int3 at my OEP, so replace that with the opcode you
wrote down. Now the program should appear fully unpacked, but it still
crashes; this is where I'm stuck. If anyone has any ideas, please get back
to me.
thanks,
mMhCkB
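As an added example (not the original poster's code), here is a small Python helper for the last step above: it maps the OEP RVA through the dump's section table, reports whether IntelliDump left an INT3 (0xCC) at the OEP, and writes back the opcode noted in Olly. The sample PE it builds is constructed for the demonstration, and the 0x55 first opcode is an assumed value, not the target's; it also refuses an RVA that falls in a region the dumper padded without raw bytes.

```python
import struct

SECTION_ALIGN = 0x1000  # assumed section alignment for the constructed sample

def entry_point_rva(pe):
    """Read AddressOfEntryPoint from the optional header (the field ImpREC's fix writes the OEP into)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return struct.unpack_from("<I", pe, e_lfanew + 24 + 16)[0]

def rva_to_offset(pe, rva):
    """Map an RVA to a file offset via the section table; refuse RVAs that have no raw bytes on disk."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    for i in range(nsections):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, table + i * 40 + 8)
        if va <= rva < va + max(vsize, rawsize):
            if rva - va >= rawsize:
                # Exists in memory but was never written to the dump (e.g. pages padded with zeros).
                raise ValueError("RVA 0x%x has no raw data in the dump" % rva)
            return rawptr + (rva - va)
    raise ValueError("RVA 0x%x is outside every section" % rva)

def patch_oep(pe, oep_rva, first_opcode):
    """Return (image, was_int3): a 0xCC left at the OEP is replaced by the opcode noted before dumping."""
    off = rva_to_offset(pe, oep_rva)
    if pe[off] != 0xCC:
        return pe, False
    return pe[:off] + bytes([first_opcode]) + pe[off + 1:], True

def build_sample_pe(oep_rva, oep_byte):
    """Constructed minimal PE (not a real dump): one .text section, raw data at file offset 0x200."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", oep_rva)  # AddressOfEntryPoint at +16
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    # VirtualSize 0x300 but only 0x200 raw bytes: the last 0x100 is the "padded" tail case.
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x300, SECTION_ALIGN, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    header = (dos + coff + opt + sect).ljust(0x200, b"\0")
    body = bytearray(0x200)
    body[oep_rva - SECTION_ALIGN] = oep_byte
    return bytes(header + body)

if __name__ == "__main__":
    dump = build_sample_pe(0x1100, 0xCC)  # simulate IntelliDump leaving INT3 at the OEP
    fixed, had_int3 = patch_oep(dump, entry_point_rva(dump), 0x55)  # 0x55 = PUSH EBP, assumed
    print("OEP at file offset 0x%x, INT3 found: %s" % (rva_to_offset(dump, 0x1100), had_int3))
```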