Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Unpackme (https://forum.exetools.com/showthread.php?t=7412)

KaGra 04-22-2005 14:04
Unpackme
 
1 Attachment(s)
just an unpackme from me,read the rules in zip...U may post the solution here,or just tell us the link to find it...

difficulty:2/10

KaGra 04-22-2005 14:09
and something more...
 
I packed it in XP SP1 English and not tested in any other...But normally would run fine...

stephenteh 04-22-2005 20:24
1 Attachment(s)
ok done...but i never post a solution because it packed with telock...u can find a lot of tutorials on this packer and u can even find an unpacker for it...

KaGra 04-23-2005 01:50
well done
 
thankz for the time man...
but didin't really got it when saying packed with telock so no quide...anyway,easilly made easilly Dumped ;)

KaGra 04-23-2005 02:09
...
 
and cause i'm never sure if u solved it right using your mind,would u tell us a small quide to follow and make our dump?if u would of course...

codeX 04-23-2005 02:31
Quote:
Originally Posted by stephenteh
ok done...but i never post a solution becuase it packed with telock...
Ok nice work.

But what is wrong with a guide 'bout telock .

Anyway
Quote:
if u would of course....

_veDc 04-23-2005 06:32
Its not packed with teLock .. i guess its UPolyX ...

Looks like UPX and UPolyX scrambles the stub a bit ...

KaGra correct me if i am wrong ...

_veDc

MaRKuS-DJM 04-25-2005 00:13
it is tElock. KaGra, you should have deleted the real OEP-bytes, else you just need to set correct EP and fix one call ;)

_veDc 04-26-2005 01:39
You start here:
Code:
01007D80 >  9C              PUSHFD
01007D81    60              PUSHAD
01007D82    B8 E4190001    MOV EAX,final.010019E4
01007D87    8030 66        XOR BYTE PTR DS:[EAX],66
01007D8A    40              INC EAX
01007D8B    3D 8B6A0001    CMP EAX,final.01006A8B
01007D90  ^ 75 F5          JNZ SHORT final.01007D87                  ; Set BP after this JNZ to exit the loop
01007D92    BB 00800001    MOV EBX,final.01008000
01007D97    8033 77        XOR BYTE PTR DS:[EBX],77
01007D9A    43              INC EBX
01007D9B    81FB F09F0001  CMP EBX,final.01009FF0
01007DA1  ^ 75 F4          JNZ SHORT final.01007D97                  ; Set BP after this JNZ to exit the loop
01007DA3    36:C705 FCFF060>MOV DWORD PTR SS:[6FFFC],final.01002801    ; Keep in mind the address which is MOV to Stack address 0006FFFC...
01007DAE    68 BA7D0001    PUSH final.01007DBA                        ; ASCII "hÆ}"
01007DB3    E8 01000000    CALL final.01007DB9
01007DB8    C3              RETN
01007DB9    C3              RETN
01007DBA    68 C67D0001    PUSH final.01007DC6                        ; ASCII "hÒ}"
01007DBF    E8 01000000    CALL final.01007DC5
01007DC4    C3              RETN
01007DC5    C3              RETN
01007DC6    68 D27D0001    PUSH final.01007DD2                        ; ASCII "hÞ}"
01007DCB    E8 01000000    CALL final.01007DD1
01007DD0    C3              RETN
01007DD1    C3              RETN
01007DD2    68 DE7D0001    PUSH final.01007DDE                        ; ASCII "h��}"
01007DD7    E8 01000000    CALL final.01007DDD
01007DDC    C3              RETN
01007DDD    C3              RETN
01007DDE    68 EA7D0001    PUSH final.01007DEA                        ; ASCII "hö}"
01007DE3    E8 01000000    CALL final.01007DE9
01007DE8    C3              RETN
01007DE9    C3              RETN
01007DEA    68 F67D0001    PUSH final.01007DF6                        ; ASCII "a?h��j"
01007DEF    E8 01000000    CALL final.01007DF5
01007DF4    C3              RETN
01007DF5    C3              RETN
01007DF6    61              POPAD
01007DF7    9D              POPFD
01007DF8    68 E06A0001    PUSH final.01006AE0
01007DFD    C3              RETN                                      ; After this RETN you are on OEP
- Just step with F8 in Ollydbg until you arrive @ OEP (exit the loops with F2/Shift+F9)
- Dump with your favorite dumper (lord pe / dump full)
- Use OEP 01006AE0 sub ImageBase (1000000) and fill your ImpRec with it
- Fix the dump with it

Fix the not starting dump:

Remember the Address which was MOV onto Stack at the beginning? This is the reason why our dump is not working ..

find this in your dump:
Code:
01006C45  > \6A 0A        PUSH 0A
01006C47  .  58            POP EAX
01006C48  >  50            PUSH EAX
01006C49  .  56            PUSH ESI
01006C4A  .  53            PUSH EBX
01006C4B  .  53            PUSH EBX
01006C4C  .  FFD7          CALL EDI
01006C4E  .  50            PUSH EAX
01006C4F  .  E8 9C130000  CALL dumped_.01007FF0
The marked CALL leads to this jump ..
Code:
01007FF0  $  36:FF25 FCFF0>JMP DWORD PTR SS:[6FFFC]
You should now understand why it is not working .. @ 0006FFFC is only 00000000 so it crashed ..

What we have to do now? We fix the CALL to the real Destination and have a working dump...

Change
Code:
01006C4F  .  E8 9C130000  CALL dumped_.01007FF0
to
Code:
01006C4F      E8 ADBBFFFF  CALL dumped_.01002801
and save with right click -> Copy to executable -> All modifications now save file and enjoy this great application .. :D

thx to KaGra for this .. i hope this is the solution you wanted to hear .. and its the same unpackme you send me ..

have a nice day


All times are GMT +8. The time now is 16:26.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2026, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX