
hobgoblin 01-28-2006 03:46

A nice challenge....
 
Greetings to all you unpackers. :)
It's been quite a while since I posted something here. But now I have found a nice challenge for people interested in unpacking targets. Go to hxxp:\\www.autodebug.com and download Autodebug pro 3.6 for Windows.
I have tried to unpack it, and it seems to succeed, but when I run it, it crashes.
It is packed with both Aspack and PeCompact: first with PeCompact, then wrapped once more with Aspack. It is no problem solving these two things, but then the fun starts. There are calls to IsDebuggerPresent, and there is some other stuff that makes the program crash via int3 exceptions. But after solving these things, the program still doesn't run properly. It just exits after a few seconds. When you run the program in Olly, it detects bp's (at least in the code section). When you succeed in solving this in Olly, you will see that it crashes in a place where it seems that some code is overwritten when you try to run it in a debugger.
Anyone interested in taking a look?
And for the record: I don't care about breaking the serial protection. I'm just after unpacking it until it runs just fine.

regards,
hobgoblin

deroko 01-28-2006 11:00

Well, I've made a little workaround and forced CreateFileA at 420155 to read DebugApiSpy.exe instead of the dumped file itself.

Code:

.00400510: E91A000000                  jmp        .00040052F  ---↓ (1)
.00400515: B88D85FCFB                  mov        eax,0FBFC858D      ; bytes 8D 85 FC FB
.0040051A: AB                          stosd                         ; written at edi = 42014E
.0040051B: 66B8FFFF                    mov        ax,-1              ; bytes FF FF
.0040051F: 66AB                        stosw
.00400521: B050                        mov        al,050 ;'P'        ; byte 50
.00400523: AA                          stosb                         ; 7 bytes at 42014E written back
.00400524: 5F                          pop        edi                ; restore edi saved at 40052F
.00400525: 6800054000                  push       000400500 ;'DebugApiSpy.exe'
.0040052A: E926FC0100                  jmp        .000420155  ---↓ (3)
.0040052F: 57                          push       edi                ; save edi
.00400530: BF4E014200                  mov        edi,00042014E  ---↓ (4)
.00400535: E9DBFFFFFF                  jmp        .000400515  ---↑ (5)
.0040053A: 0000                        add        [eax],al

Sorry for too many jmps in the patch, but I forgot to save edi and didn't wanna write everything from the beginning ;)
You have to restore the opcodes rewritten by the jmp or the progy will fail, or patch the integrity check later on :(

This is my fast solution; probably someone will come up with a better solution =)
Anyway, you may use the original exe and inject into the last section code that will dump the file to disk and pass that fname to CreateFileA ;)

cheers
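
An added example, not code from either poster or from the program discussed: a minimal self-checksum over a code region, showing why a software breakpoint in the code section is noticed and why an integrity check fails unless the hooked bytes are written back first. The 16-byte buffer, the FNV-1a hash, the hook offset and all function names are assumptions made for illustration; only the seven bytes 8D 85 FC FB FF FF 50 come from the listing above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { INTACT = 0, TAMPERED = 1 };

/* Constructed stand-in for a code section. Bytes 4..10 are the seven bytes
   the patch in the post writes back (8D 85 FC FB FF FF 50). */
static const uint8_t pristine[16] = {
    0x55, 0x8B, 0xEC, 0x90,
    0x8D, 0x85, 0xFC, 0xFB, 0xFF, 0xFF, 0x50,
    0xE8, 0x00, 0x00, 0x00, 0x00 };

/* FNV-1a, chosen for brevity; the real check's algorithm is unknown. */
static uint32_t region_hash(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Compare the live bytes against the hash of the shipped bytes. */
int integrity_check(const uint8_t *code, size_t n) {
    return region_hash(code, n) == region_hash(pristine, sizeof pristine)
           ? INTACT : TAMPERED;
}

/* A software breakpoint is an int3 (0xCC) written over an opcode byte. */
int check_with_breakpoint(void) {
    uint8_t code[16]; memcpy(code, pristine, sizeof code);
    code[4] = 0xCC;
    return integrity_check(code, sizeof code);
}

/* A 5-byte jmp rel32 hook; restore != 0 writes the original bytes back first. */
int check_with_hook(int restore) {
    static const uint8_t hook[5] = { 0xE9, 0x10, 0x00, 0x00, 0x00 }; /* constructed */
    uint8_t code[16]; memcpy(code, pristine, sizeof code);
    memcpy(code + 4, hook, sizeof hook);
    if (restore) memcpy(code + 4, pristine + 4, 7);
    return integrity_check(code, sizeof code);
}

int main(void) {
    printf("untouched: %d\n", integrity_check(pristine, sizeof pristine));
    printf("int3 set:  %d\n", check_with_breakpoint());
    printf("hooked:    %d\n", check_with_hook(0));
    printf("restored:  %d\n", check_with_hook(1));
    return 0;
}
```

A hash comparison like this flags any changed byte, whereas a plain scan for 0xCC would also trip on legitimate 0xCC bytes inside operands.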

