Thread: Unpackme
  #9  
Old 04-26-2005, 01:39
_veDc
 
You start here:
Code:
01007D80 >  9C              PUSHFD
01007D81    60              PUSHAD
01007D82    B8 E4190001     MOV EAX,final.010019E4
01007D87    8030 66         XOR BYTE PTR DS:[EAX],66
01007D8A    40              INC EAX
01007D8B    3D 8B6A0001     CMP EAX,final.01006A8B
01007D90  ^ 75 F5           JNZ SHORT final.01007D87                   ; Set BP after this JNZ to exit the loop
01007D92    BB 00800001     MOV EBX,final.01008000
01007D97    8033 77         XOR BYTE PTR DS:[EBX],77
01007D9A    43              INC EBX
01007D9B    81FB F09F0001   CMP EBX,final.01009FF0
01007DA1  ^ 75 F4           JNZ SHORT final.01007D97                   ; Set BP after this JNZ to exit the loop
01007DA3    36:C705 FCFF060>MOV DWORD PTR SS:[6FFFC],final.01002801    ; Keep in mind the address which is MOV to Stack address 0006FFFC...
01007DAE    68 BA7D0001     PUSH final.01007DBA                        ; ASCII "hÆ}"
01007DB3    E8 01000000     CALL final.01007DB9
01007DB8    C3              RETN
01007DB9    C3              RETN
01007DBA    68 C67D0001     PUSH final.01007DC6                        ; ASCII "hÒ}"
01007DBF    E8 01000000     CALL final.01007DC5
01007DC4    C3              RETN
01007DC5    C3              RETN
01007DC6    68 D27D0001     PUSH final.01007DD2                        ; ASCII "hÞ}"
01007DCB    E8 01000000     CALL final.01007DD1
01007DD0    C3              RETN
01007DD1    C3              RETN
01007DD2    68 DE7D0001     PUSH final.01007DDE                        ; ASCII "hê}"
01007DD7    E8 01000000     CALL final.01007DDD
01007DDC    C3              RETN
01007DDD    C3              RETN
01007DDE    68 EA7D0001     PUSH final.01007DEA                        ; ASCII "hö}"
01007DE3    E8 01000000     CALL final.01007DE9
01007DE8    C3              RETN
01007DE9    C3              RETN
01007DEA    68 F67D0001     PUSH final.01007DF6                        ; ASCII "a?hàj"
01007DEF    E8 01000000     CALL final.01007DF5
01007DF4    C3              RETN
01007DF5    C3              RETN
01007DF6    61              POPAD
01007DF7    9D              POPFD
01007DF8    68 E06A0001     PUSH final.01006AE0
01007DFD    C3              RETN                                       ; After this RETN you are on OEP
- Just step with F8 in OllyDbg until you arrive at the OEP (exit the loops with F2 / Shift+F9)
- Dump with your favorite dumper (LordPE / dump full)
- Use OEP 01006AE0 minus the ImageBase (1000000) and fill ImpREC with it
- Fix the dump with it

Fixing the dump that does not start:

Remember the address that was moved onto the stack at the beginning? This is the reason why our dump is not working.

Find this in your dump:
Code:
01006C45   > \6A 0A         PUSH 0A
01006C47   .  58            POP EAX
01006C48   >  50            PUSH EAX
01006C49   .  56            PUSH ESI
01006C4A   .  53            PUSH EBX
01006C4B   .  53            PUSH EBX
01006C4C   .  FFD7          CALL EDI
01006C4E   .  50            PUSH EAX
01006C4F   .  E8 9C130000   CALL dumped_.01007FF0
The marked CALL leads to this jump:
Code:
01007FF0   $  36:FF25 FCFF0>JMP DWORD PTR SS:[6FFFC]
You should now understand why it is not working: at 0006FFFC there is only 00000000, so it crashes.

What do we have to do now? We fix the CALL to point at the real destination and have a working dump.

Change
Code:
01006C4F   .  E8 9C130000   CALL dumped_.01007FF0
to
Code:
01006C4F      E8 ADBBFFFF   CALL dumped_.01002801
and save with right click -> Copy to executable -> All modifications, then save the file and enjoy this great application.

Thanks to KaGra for this. I hope this is the solution you wanted to hear, and it's the same unpackme you sent me.

Have a nice day
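Added example, not part of the original post or the unpackme: a small Python script that replays the stub's two XOR loops statically and checks the CALL patch by decoding and re-encoding the E8 rel32 displacement. The addresses and keys come from the listings in the post; the script assumes a "dump full" style image whose file offsets equal VA minus ImageBase (0x01000000), and it uses a constructed zero-filled buffer as a stand-in dump, so for a real PE you would map VAs through the section headers instead.

```python
import struct

# Values taken from the post's listings (the unpackme's own addresses, not invented):
IMAGE_BASE = 0x01000000          # "sub ImageBase (1000000)"
XOR_LAYERS = [                   # (first VA, end VA exclusive, key)
    (0x010019E4, 0x01006A8B, 0x66),   # loop at 01007D87: XOR BYTE PTR [EAX],66
    (0x01008000, 0x01009FF0, 0x77),   # loop at 01007D97: XOR BYTE PTR [EBX],77
]
CALL_VA = 0x01006C4F             # the CALL in the dump that has to be redirected
WRONG_DST = 0x01007FF0           # JMP DWORD PTR SS:[6FFFC], dead once dumped
REAL_DST = 0x01002801            # value the stub stored at 0006FFFC


def va_to_offset(va, base=IMAGE_BASE):
    # Assumption: a "dump full" image whose file layout equals its memory layout,
    # so offset == VA - ImageBase. For a normal PE, walk the section headers instead.
    return va - base


def xor_range(image, start_va, end_va, key):
    """Replay one of the stub's XOR loops in place.

    The stub does XOR, INC, CMP end, JNZ: the byte at end_va itself is never
    touched, so the range is half-open exactly like Python's range()."""
    for va in range(start_va, end_va):
        image[va_to_offset(va)] ^= key


def decrypt_image(image):
    """Return a copy with both XOR layers applied. XOR is its own inverse, so
    running this a second time yields the packed bytes again."""
    out = bytearray(image)
    for start, end, key in XOR_LAYERS:
        xor_range(out, start, end, key)
    return out


def call_target(insn_va, insn_bytes):
    """Resolve an E8 rel32 CALL: target = address of the next instruction + signed disp."""
    if len(insn_bytes) != 5 or insn_bytes[0] != 0xE8:
        raise ValueError("not a 5-byte E8 CALL")
    (disp,) = struct.unpack("<i", insn_bytes[1:])
    return (insn_va + 5 + disp) & 0xFFFFFFFF


def encode_call(insn_va, target_va):
    """Build the 5-byte E8 rel32 CALL at insn_va that lands on target_va."""
    disp = target_va - (insn_va + 5)
    return b"\xE8" + struct.pack("<i", disp)


def patch_call(image, insn_va, new_target):
    """Rewrite the CALL at insn_va in place; returns the old target for logging."""
    off = va_to_offset(insn_va)
    old_target = call_target(insn_va, bytes(image[off:off + 5]))
    image[off:off + 5] = encode_call(insn_va, new_target)
    return old_target


def build_sample_dump():
    # Constructed stand-in for the dump: all zero except the original CALL bytes
    # from the post (E8 9C130000) placed at 01006C4F.
    img = bytearray(0xA000)
    off = va_to_offset(CALL_VA)
    img[off:off + 5] = bytes.fromhex("E89C130000")
    return img


if __name__ == "__main__":
    dump = build_sample_dump()
    off = va_to_offset(CALL_VA)
    print("CALL originally goes to %08X" % call_target(CALL_VA, bytes(dump[off:off + 5])))
    old = patch_call(dump, CALL_VA, REAL_DST)
    print("patched %08X -> %08X, bytes now %s"
          % (old, REAL_DST, dump[off:off + 5].hex().upper()))
```

Running it reproduces the post's patch bytes (E8 ADBBFFFF for a CALL at 01006C4F reaching 01002801), and the decrypt step shows why the two loops are worth replaying offline: once the key and range are known, the layer can be stripped from a file on disk without stepping through the loop in the debugger.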