ARTeam Tutorial

Visit: http://cracking.accessroot.com | http://forum.accessroot.com

Unpacking NeoLite v2.0


Information:   Unpacking NeoLite v2.0
Target:        Smart Bomb PC Shutdown Demo v2.1
Available:     http://grinders.withernsea.com/tools/smart_bomb_pc_shutdown_v2.1
Tools:         OllyDbg 1.10, ImpRec, LordPE
Protection:    NeoLite v2.0
Level:         Beginner
Category:      Unpacking
Author:        Nilrem - 21st July 2004
Requirements:  Windows XP, IE 5.5 and above for best viewing



0. Introduction

Hi. Yes, I know I have a lot of pending requests; hopefully I will get around to all of them. Remember, I have a life too! Today was my first look at a program packed with NeoLite v2.0.

Many concepts in this tutorial are very similar to Ferrari's ASPack unpacking and inline patching tutorial, which is why I recommend reading that first: not only is it a good read, it is, more importantly, relevant. 8-)

Download: http://grinders.withernsea.com/tutorials/aspack+system_mechanic.rar

There are four sections to this tutorial, they are:
1. Unpacking NeoLite v2.0
2. Dumping the target
3. Rebuilding the import table
4. Conclusion




1. Unpacking NeoLite v2.0

The first step I took in unpacking NeoLite was to find the first instance of PUSHAD (push all general-purpose registers). To do this in Olly, set a trace condition: press Ctrl+T, type PUSHAD in the command field, click OK, then press Ctrl+F11 (Trace into) to run until that condition is met.



Once the trace is complete you should see this:


For the next steps press F7 to execute the PUSHAD, then in the registers window right-click the ESP value (for me it is 0012FFBC, for you it may be different) and choose "Follow in Dump". Select the first two bytes (a word), right-click and choose "Breakpoint->Hardware, on access->Word". The PUSHAD has just saved the registers at ESP, and the packer only reads them back (POPAD) once it has finished unpacking, so this breakpoint fires right before the jump to the original entry point.

Now run the program (F9). You will land on a RETN; execute it with F7, and one line below where you land is a JMP EAX (the jump to the OEP). Execute this with F7 and you should be at the original entry point, which is 00401000.




2. Dumping The Target

Dumping the target, just like unpacking it, is incredibly easy. With the target still loaded in OllyDbg, minimise OllyDbg and fire up LordPE. In LordPE, right-click Smart Bomb in the task viewer list, select "dump full", and save the file as dumped.exe.



3. Rebuilding the IAT

Execute the dumped file: it runs, so the IAT does not need rebuilding. Lucky us! 8-) Instead, what we will do is decrease the size of the file. LordPE does this brilliantly by fixing the dumped executable. Make sure dumped.exe is not running, then open LordPE, choose 'Rebuild PE' and select dumped.exe.
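The two LordPE steps above (a full dump in section 2, then 'Rebuild PE' here) can be checked and reproduced in plain Python. The script below is an added example, not the tutorial's or LordPE's code: it parses the PE32 headers with the standard library only, tells a full process dump apart from a realigned file (in a full dump every section's raw offset equals its RVA and its raw size equals its virtual size), verifies that an address such as the OEP 00401000 found in section 1 lands inside a section, and packs the sections back to FileAlignment while trimming their trailing zero padding, which is what makes the dumped file shrink. The sample input is a constructed headers-plus-padding PE32 with no real code; the layout constants (two sections, ImageBase 0x400000, entry RVA 0x1000) are assumptions for the test, and the rebuild is a plain realign, a simplification of what LordPE does.

```python
"""Check a LordPE-style full memory dump and pack it back to FileAlignment.

Added example (not the tutorial's or LordPE's code). Standard library only,
PE32 only. 'Dump full' writes each section at its RVA with its virtual size,
so raw offset == RVA and raw size == virtual size; 'Rebuild PE' packs the
sections back to FileAlignment, which is why the dumped file shrinks.
"""
import struct

SECT_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def align_up(value: int, alignment: int) -> int:
    return (value + alignment - 1) // alignment * alignment


def parse_pe(data: bytes) -> dict:
    """Parse the DOS, COFF and optional headers plus the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (not PE32+) is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sect_align, file_align = struct.unpack_from("<II", data, opt + 32)
    table = opt + opt_size
    sections = []
    for i in range(nsect):
        f = struct.unpack_from(SECT_HDR, data, table + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("latin-1"),
                         "vsize": f[1], "va": f[2], "rsize": f[3], "rptr": f[4],
                         "hdr_off": table + 40 * i})
    return {"entry_rva": entry_rva, "image_base": image_base, "opt_off": opt,
            "file_align": file_align, "sect_align": sect_align,
            "table_end": table + 40 * nsect, "sections": sections}


def looks_like_full_dump(pe: dict) -> bool:
    """True when every section is laid out as in memory (raw == virtual)."""
    return all(s["rptr"] == s["va"] and s["rsize"] == s["vsize"]
               for s in pe["sections"])


def section_containing(pe: dict, va: int):
    """Name of the section holding virtual address `va` (e.g. the OEP), or None."""
    rva = va - pe["image_base"]
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + align_up(s["vsize"], pe["sect_align"]):
            return s["name"]
    return None


def rebuild(data: bytes) -> bytes:
    """Realign sections to FileAlignment and drop their trailing zero padding."""
    pe = parse_pe(data)
    fa = pe["file_align"]
    hdr_size = align_up(pe["table_end"], fa)
    out = bytearray(data[:pe["table_end"]]) + bytes(hdr_size - pe["table_end"])
    for s in sorted(pe["sections"], key=lambda s: s["va"]):
        length = min(s["rsize"], s["vsize"]) if s["vsize"] else s["rsize"]
        body = data[s["rptr"]:s["rptr"] + length].rstrip(b"\0")
        new_size = align_up(len(body), fa)
        # SizeOfRawData and PointerToRawData are at offsets 16 and 20 of the header
        struct.pack_into("<II", out, s["hdr_off"] + 16, new_size, len(out) if new_size else 0)
        out += body + bytes(new_size - len(body))
    struct.pack_into("<I", out, pe["opt_off"] + 60, hdr_size)  # SizeOfHeaders
    return bytes(out)


def build_sample_dump() -> bytes:
    """Constructed test input: a PE32 laid out like a full dump (raw == virtual),
    two sections, entry point at RVA 0x1000. Not a real program; nothing in it runs."""
    sections = [(b".text", 0x1000, 0x1000, 0x60000020),  # name, RVA, VirtualSize, Characteristics
                (b".data", 0x2000, 0x800, 0xC0000040)]
    e_lfanew, opt_size, fa, sa = 0x40, 224, 0x200, 0x1000
    img = bytearray(0x3000)  # SizeOfImage worth of zero padding
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, 0x10B)
    struct.pack_into("<I", img, opt + 16, 0x1000)            # AddressOfEntryPoint (the OEP's RVA)
    struct.pack_into("<I", img, opt + 28, 0x400000)          # ImageBase
    struct.pack_into("<II", img, opt + 32, sa, fa)           # SectionAlignment, FileAlignment
    struct.pack_into("<II", img, opt + 56, 0x3000, 0x1000)   # SizeOfImage, SizeOfHeaders
    for i, (name, va, vsize, chars) in enumerate(sections):
        struct.pack_into(SECT_HDR, img, opt + opt_size + 40 * i,
                         name, vsize, va, vsize, va, 0, 0, 0, 0, chars)
    img[0x1000:0x1010] = b"\x90" * 16  # placeholder bytes at the OEP; the rest is zero padding
    img[0x2000:0x2004] = b"DATA"
    return bytes(img)


if __name__ == "__main__":
    dump = build_sample_dump()
    pe = parse_pe(dump)
    oep = pe["image_base"] + pe["entry_rva"]
    print("full dump layout:", looks_like_full_dump(pe))
    print("OEP 0x%X lies in section" % oep, section_containing(pe, oep))
    slim = rebuild(dump)
    print("size before/after rebuild: %d -> %d bytes" % (len(dump), len(slim)))
```

Run it on a real dump by replacing build_sample_dump() with the bytes of dumped.exe; if looks_like_full_dump() is false the file has already been realigned, and a section_containing() result of None for the OEP means the entry point was recorded wrongly before dumping.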



4. Conclusion

Lesson Learnt

Yes, this was rather easy, but hopefully you have learnt how to unpack NeoLite v2.0 quickly. You should try this method on other executables packed with NeoLite v2.0, because you will then realise all you have to do is find the JMP EAX, set a breakpoint on it, hit F9, then F8.
I will write a tutorial on how to inline patch NeoLite v2.0, but until then why don't you try it yourself? A little hint: read my inline patching UPX tutorial, and you should already have read Ferrari's tutorial on ASPack, which will help a lot.



5. Greetingz

[MAIN TEAM]
| Nilrem | Enforcer | Ferrari | Pompeyfan(ex-member) | MaDMAn_H3rCuL3s | EJ12N | Kruger |
Shub-Nigurrath | Jdog45 | Teerayoot |

[TRIAL MEMBERS]
| R@Dier |

*****************************

Exetools | Woodmann | VCT | JMI | Britedream | Hacnho | cl0ud (Mephisto) | Zest | Everyone over at our forums, you make it what it is | Everyone we missed & you | and to Kyrstie for putting up with me!
Thanks to the authors of NeoLite, Ollydbg, LordPE, Imprec, and Smart Bomb

[Nilrem]