How to use Tracex and hydra?


LaptoniC
December 16th, 2000, 18:47
I am trying to figure out how these features work. For example, I have tried tracex on a UPXed exe file and after 2-3 minutes the program ran but SoftICE didn't pop up. However, when I try with trw2k pnewsec it stopped after unpacking. I have problems with hydra too. Could someone document how to use these features (tracex and hydra - unbox.dll), as I am too dumb to understand without an example?
Thanks

The Owl
December 17th, 2000, 07:33
Quote:

I am trying to figure out how these features work. For example, I have tried tracex
on a UPXed exe file and after 2-3 minutes the program ran but SoftICE didn't pop up. However, when I try with trw2k pnewsec it stopped after unpacking. I have problems with hydra too. Could someone document how to use these features (tracex and hydra - unbox.dll), as I am too dumb to understand without an example?

It would have helped if you had told us at least what exactly you tried to do; I'm
trying to guess for now.

1. tracex/upx (or anything else):

1. loader32/iceload your target
2. when winice pops up, you're ready to start tracing with

/tracex <low> <high>

where <low> and <high> define the area you think the OEP will be. If your app
starts up without winice popping up at all then it means that either the tracer
was somehow defeated or you made the wrong guess regarding that range. For
upx it will be the latter ;-). A good guess is (usually) the first section (map32 or
a PE editor can tell you where it is), e.g. the command will be something
like /tracex 401000 456000. I suggest you try to experiment with it on simple apps
like notepad, then go look up all the other features/options of the tracer engine
(although the default settings rarely need to be changed).

2. hydra

To tell /pedump to use a specific hydra plugin during imports rebuilding you simply use

/hydra unvbox.dll

before you invoke /pedump. Note that you need to use /hydra only once, not
each time you /pedump, as the .dll will stay in memory until you explicitly unload it
or load another one. For /hydra to work you have to copy all the hydra .dll files
into %windir%\system\hydra\ (this means kernel.dll and at least unvbox.dll in your case).

LaptoniC
December 21st, 2000, 11:42
Sorry for replying late, but I was away for a while. Here are my problems and the detailed info you wanted.

Problem 1:
I am trying to unpack Adobe LiveMotion with the help of hydra. I can unpack without hydra and with trw2k easily. As far as I understand, this hydra deals with import rebuilding. Therefore I didn't bypass the "encrypt function call" in the vbox dll. I have a bpx on GetProcAddress.

0167:0700BCF5 FF15C8310407 CALL [KERNEL32!GetProcAddress]
0167:0700BCFB 8BF8 MOV EDI,EAX
0167:0700BCFD 3BFB CMP EDI,EBX
0167:0700BCFF 0F849D010000 JZ 0700BEA2
0167:0700BD05 8B7616 MOV ESI,[ESI+16]
0167:0700BD08 037508 ADD ESI,[EBP+08]
0167:0700BD0B 395DDC CMP [EBP-24],EBX <-- encrypt function call
0167:0700BD0E 7435 JZ 0700BD45 <-- jump if not
0167:0700BD10 8D85ECFEFFFF LEA EAX,[EBP-0114]
0167:0700BD16 50 PUSH EAX
0167:0700BD17 FF75E0 PUSH DWORD PTR [EBP-20]
0167:0700BD1A 57 PUSH EDI
0167:0700BD1B E8FD030000 CALL 0700C11D
0167:0700BD20 83C40C ADD ESP,0C
0167:0700BD23 85C0 TEST EAX,EAX
0167:0700BD25 741E JZ 0700BD45
0167:0700BD27 FF7528 PUSH DWORD PTR [EBP+28]
0167:0700BD2A 57 PUSH EDI
0167:0700BD2B FF7524 PUSH DWORD PTR [EBP+24]
0167:0700BD2E FF7520 PUSH DWORD PTR [EBP+20]
0167:0700BD31 E884020000 CALL 0700BFBA
0167:0700BD36 83C410 ADD ESP,10
0167:0700BD39 3BC3 CMP EAX,EBX
0167:0700BD3B 0F8451020000 JZ 0700BF92
0167:0700BD41 8906 MOV [ESI],EAX <-- eax=encrypted
0167:0700BD43 EB02 JMP 0700BD47
0167:0700BD45 893E MOV [ESI],EDI <-- eax=not encrypted
0167:0700BD47 FF45D8 INC DWORD PTR [EBP-28]
0167:0700BD4A 8B45D8 MOV EAX,[EBP-28]
0167:0700BD4D 3B45B4 CMP EAX,[EBP-4C]
0167:0700BD50 0F8C49FEFFFF JL 0700BB9F

I pressed F5 and F11 a couple of times and finally I came here:
015F:011604E0 MOV EDX,[EBP-08]
015F:011604E3 MOV EAX,[EDX+14] <-- get app entry point
015F:011604E6 MOV [EBP-10],EAX
015F:011604E9 MOV EBX,[EBP-10] <-- app entry point to EBX
015F:011604EC JMP EBX <-- jump to real entry point

at this point ebx was 8A1D68 so OEP is 8A1D68-400000=4A1D68
I typed
/hydra unvbox.dll
/pedump 400000 4a1d68 C:\dumped.exe

Windows 98 SE (4.10.2222 A) gives a fatal exception and it doesn't dump the exe.
However, if I bypass the "encrypt function call" with jmp 0700BD45 in the vbox dll I can dump with pedump or any other dumper and it works. I have typed /OPTION P in sice but it says the import rebuilding method is 3, which I guess should be 4 because I have run hydra and have unvbox.dll, stub.exe and kernel.dll in my C:\windows\system\hydra directory.
What is wrong here? I couldn't manage to understand.

LaptoniC
December 21st, 2000, 11:46
Problem 2:
Here is my second question. I am trying to understand how this trace engine works. I have packed notepad.exe as Owl said and tried to trace it with the tracex function. I have loaded my packed notepad.exe and when sice popped up I typed
/tracex 400000 402000
After 2 seconds SoftICE popped up again. Yes, it found the OEP:

0167:004010CC 55 PUSH EBP
0167:004010CD 8BEC MOV EBP,ESP
0167:004010CF 83EC44 SUB ESP,44
0167:004010D2 56 PUSH ESI
0167:004010D3 FF15E0634000 CALL [KERNEL32!GetCommandLineA]
0167:004010D9 8BF0 MOV ESI,EAX
0167:004010DB 8A00 MOV AL,[EAX]
Then, in order to dump it, I typed
/pedump 400000 4010cc C:\dumped.exe
ICEDUMP: Phoenix engine v2.13 (C) G-RoM 1998/2000

ICEDUMP: Phoenix : Exception handlers installed
ICEDUMP: Phoenix : PEInfos Collected [1]
ICEDUMP: Phoenix : PE Buffer allocated
ICEDUMP: Phoenix : PE Image replicated
ICEDUMP: Phoenix : PEInfos Collected [2]
ICEDUMP: Phoenix : Current TaskDB: 00004086
ICEDUMP: Phoenix : DLL List allocated
ICEDUMP: Phoenix : Failed to rebuild Import table ;Error
ICEDUMP: Phoenix : DLL list deallocated
ICEDUMP: Phoenix : PE buffer deallocated
ICEDUMP: Phoenix : Exception Handlers uninstalled
The import table rebuild method was the default mode. What is wrong?
Thanks for any response, and sorry for my bad language and knowledge.

G-RoM
December 21st, 2000, 14:46
The Unvbox plugin was designed for a specific APIWrapper of VBOX 4.3. I do not attest that it works on any VBOX 4.3 (even if it worked on all the VBOX 4.3 we had); they may have changed it slightly in order to make the plugin fail. I.e. if the version was upgraded, you can be sure it won't work anymore.

This is actually the only reason I can find why it fails. If you could paste the APIWrapper code it could give me some hints.

Cheers,

The Owl
December 21st, 2000, 16:27
Quote:

Then, in order to dump it, I typed
/pedump 400000 4010cc C:\dumped.exe
ICEDUMP: Phoenix engine v2.13 (C) G-RoM 1998/2000

ICEDUMP: Phoenix : Exception handlers installed
ICEDUMP: Phoenix : PEInfos Collected [1]
ICEDUMP: Phoenix : PE Buffer allocated
ICEDUMP: Phoenix : PE Image replicated
ICEDUMP: Phoenix : PEInfos Collected [2]
ICEDUMP: Phoenix : Current TaskDB: 00004086
ICEDUMP: Phoenix : DLL List allocated
ICEDUMP: Phoenix : Failed to rebuild Import table ;Error
ICEDUMP: Phoenix : DLL list deallocated
ICEDUMP: Phoenix : PE buffer deallocated
ICEDUMP: Phoenix : Exception Handlers uninstalled
The import table rebuild method was the default mode. What is wrong?


First of all, the OEP in the /PEDUMP command line is an RVA, although you can always fix that later.

Import rebuilding is a kinda complex process; unfortunately we'll probably never have the time to document every bit of it (actually G-RoM should, since he wrote that part ;-), but I'll try to give some generic guidelines (some of which are already in the manual, btw). As you already know, the default import rebuilder mode is 3, which tries to detect IAT thunks and resolve them to DLL exports. The first step is to find said thunks in the process's address space, and the 2nd one is to resolve them.

The former is fully automated; however, it does rely on 2 fields in the PE header that should be valid: code base and size (this was a design decision, one may debate it in fact; maybe it will be replaced with some other logic in a future version). Not all wrappers restore them properly, so better take a look at them before dumping. As a sidenote, it is normally worth changing some fields in the PE header in order to reduce the dumped image size (this often means that one makes a dump without any special tweaks in the PE header, then examines the dump, figures out what should have been set to what, and then makes a 2nd dump).

The 2nd step is semi-automated: for resolving a given IAT slot it can make use of an external helper DLL, the hydra plugin (reminds me, did you make sure that you did not have anything loaded when you dumped notepad? unless it was aspack, for which there is some simple support in unwrap.dll). This step cannot really fail (unless there is a bug in a hydra plugin that causes page faults and the like), but nor is it guaranteed to produce a meaningful result, i.e. once you manage to 'successfully' dump a PE file with 'rebuilt' imports, it's more than wise to check them. Of course for known/simple schemes you can trust the result, but for unknown ones you have to double check it (you'll notice bad imports anyway when you first try to run such an exe ;-).

In short, no matter how hard one tries, import rebuilding will always be an 'art', i.e. something that cannot really be fully automated; it's (yet) another endless cat/mouse game. icedump/hydra gives you just a tool and framework to 'fight' your side of the battle; how you make use of it is always up to you.

G-RoM
December 21st, 2000, 16:38
For your second problem... I'd suggest you check the PE header codebase and codelen fields, as Phoenix relies on them. UPX has the bad habit of killing those (manually fix this in mem). This is specified in the documentation somewhere.

Cheers,
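Both The Owl and G-RoM point at the same failure mode: the Phoenix import rebuilder trusts the BaseOfCode and SizeOfCode fields of the optional header, and some packers leave them zeroed or pointing at the wrong place, which is exactly the "Failed to rebuild Import table" case above. The following is an added example, not icedump's or the forum's own code: a small Python checker that reads those two fields from a PE32 header, compares them against the section table, and proposes the first IMAGE_SCN_CNT_CODE section as a candidate value (that heuristic is an assumption, in the spirit of The Owl's "first section" guess, not a rule). The headers it runs on are constructed in-memory test data built by build_pe(), not a real binary.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
OPT_HDR_SIZE = 224             # PE32 optional header incl. 16 data directories


def build_pe(base_of_code, size_of_code, sections):
    """Assemble a minimal PE32 header image (constructed test data, not a real binary).

    sections: list of (name bytes, VirtualAddress, VirtualSize, Characteristics).
    Only the fields that check_code_fields() reads are populated meaningfully.
    """
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)           # e_lfanew -> NT headers at offset 64
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, OPT_HDR_SIZE, 0x0102)
    opt = bytearray(OPT_HDR_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)           # Magic: PE32
    struct.pack_into("<I", opt, 4, size_of_code)    # SizeOfCode
    struct.pack_into("<I", opt, 16, 0x1000)         # AddressOfEntryPoint (arbitrary here)
    struct.pack_into("<I", opt, 20, base_of_code)   # BaseOfCode
    struct.pack_into("<I", opt, 28, 0x400000)       # ImageBase
    table = b"".join(struct.pack(SECTION_FMT, n, vs, va, vs, 0, 0, 0, 0, 0, ch)
                     for n, va, vs, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_code_fields(image):
    """Return (BaseOfCode, SizeOfCode, [(name, VirtualAddress, VirtualSize, Characteristics)])."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff_off + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff_off + 16)[0]
    opt_off = coff_off + 20
    if struct.unpack_from("<H", image, opt_off)[0] != 0x10B:
        raise ValueError("only PE32 optional headers are handled here")
    size_of_code = struct.unpack_from("<I", image, opt_off + 4)[0]
    base_of_code = struct.unpack_from("<I", image, opt_off + 20)[0]
    sect_off = opt_off + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, va, *_rest, chars = struct.unpack_from(SECTION_FMT, image, sect_off + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, chars))
    return base_of_code, size_of_code, sections


def check_code_fields(image):
    """Sanity-check BaseOfCode/SizeOfCode against the section table.

    Returns the header values, a list of problems found, and (when a section flagged
    IMAGE_SCN_CNT_CODE exists) the (VirtualAddress, VirtualSize) of the first such
    section as a candidate replacement. The candidate is a heuristic, not a rule.
    """
    base, size, sections = parse_code_fields(image)
    problems = []
    code_sections = [s for s in sections if s[3] & IMAGE_SCN_CNT_CODE]
    if base == 0 or size == 0:
        problems.append("BaseOfCode/SizeOfCode are zero")
    elif not any(va <= base and base + size <= va + vsize for _, va, vsize, _ in code_sections):
        problems.append("code range %#x-%#x is not inside any code section" % (base, base + size))
    if not code_sections:
        problems.append("no section carries IMAGE_SCN_CNT_CODE")
    candidate = (code_sections[0][1], code_sections[0][2]) if code_sections else None
    return {"base_of_code": base, "size_of_code": size,
            "problems": problems, "candidate": candidate}


if __name__ == "__main__":
    # Constructed cases: a consistent header, and one whose code fields were zeroed.
    intact = build_pe(0x1000, 0x5000, [(b".text", 0x1000, 0x5000, 0x60000020),
                                       (b".data", 0x6000, 0x1000, 0xC0000040)])
    zeroed = build_pe(0, 0, [(b".text", 0x1000, 0x5000, 0x60000020)])
    for label, img in (("intact", intact), ("zeroed", zeroed)):
        print(label, check_code_fields(img))
```

On a real dump you would feed the file bytes (or the header bytes read out of the process) to check_code_fields() instead of build_pe() output; a non-empty "problems" list is the cue to inspect and, as G-RoM says, fix the fields before dumping rather than trusting the rebuilt import table.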

LaptoniC
December 23rd, 2000, 08:12
Quote:
G-RoM (12-21-2000 03:46):
Unvbox plugin was designed for a specific APIWrapper of VBOX 4.3. I do not attest it works on any VBOX 4.3 (even if it worked on all VBOX 4.3 we had), they can have change it slightly in order to make plugin fails. IE if version was upgraded u can be sure it won't work anymore.

This is actually the only reason I can find why it fails. If u could paste the APIWrapper code it could give me some hints.

Cheers,


But when I type /OPTION P, why does it say the import rebuilding method is 3? From what I understand from the document, it should be 4.

G-RoM
December 23rd, 2000, 10:23
Sigh...

Mode 4 is for full plugin mode; it means you provide an IAT detector (ProcessIAT or whatever the name is). The UnwrapThunk plugin is able to act in modes 1, 2, 3 and 4. You haven't read the documentation correctly, or more precisely you didn't read the SDK doc. However... if you select mode 4 and there is no ProcessIAT function in the plugin, it behaves like mode 3. So set mode 4 if you wish to.

Regards,