Problem unpacking a Morphined .exe
 

Hi to all,
i have some problem to unpack an exe file that PEid tell me that is packed with:

Morphine 1.4 - 2.7 -> Holy_Father & Ratter/29A

So i follow the GOOD tutorial made by KaGra.
So after i find the "magic" jump "JMP EAX" to the OEP, i stop and dump using Ollydump putting the new OEP and uncheck "Rebuild Import".
After i use the PE Editor of LordPe and look to Sections.
I have 4 sections the bit .text section and 3 sections (with size 1000 each).
Automatically Ollydump put me the total size of the sections so i delete the 3 sections and utomatically i have the size - 3000 big (the 3 sections * 1000).
After i check the size of the .text section and VirtualSize = Rawsize = and is .text section size - 1000 (the PE header size).
I save all but the app not start (error: ReadProcessMemory or WriteProcessMemory partially complete).

Please can help to understand what i mistake?
Ah .. the ImageBase is a strange 19F0000 (not the usually 01000000 or 00400000).
THX
NaSTy

Try to see that, here is sources and executeble of Morphine 2.7:
wasm.ru/baixado.php?mode=tool&id=188

Thanks,
the problem is that i want to understand how to fix the original Image Base and the size .
Also why the Morphine can encrypt one file several times.
Please tell me advices about.
Thanks

NaSTy

Morphine packs all data file inside ".text" section. Try to find this file data inside ".text" section after passing second decrypting loop and find original PE header, then create your custom PE header according to its.

It use polymorphism encryption that cause to face every time different ways.

Yes Vodu,
i just resolved in way that you have explained.

To find this "original" value, i track the sections table information in Olly using the VirtualAlloc/return bp.
Then with the original values i have fixed the right RawOffset/Rawsize VirtualOffset/VirtualSize.

Thanks a lot for your advice too.

NaSTy