Magic_h2001, 12-11-2005, 23:27
UnPacking : Crunch/PE -> Bit-Arts .OCX
Target : osenxpsuite2005.ocx - hxxp://www.osenxpsuite.net
Difficulty : Easy
Tools needed : WinXP sp2 - Olly - LordPE - ImpRec

ImageBase : 22810000
EP : 229F6000

open target in olly :

/*229F6000*/ PUSH EBP
/*229F6001*/ CALL 229F6006
/*229F6006*/ POP EBP
/*229F6007*/ SUB EBP,6
/*229F600A*/ MOV EAX,EBP
/*229F600C*/ PUSH EBP
/*229F600D*/ PUSHAD
/*229F600E*/ MOV DWORD PTR SS:[EBP+3410],EBP // Set BP on this line
/*229F6014*/ SUB EAX,DWORD PTR SS:[EBP+33EB]
/*229F601A*/ MOV DWORD PTR SS:[EBP+249F],EAX

Set BP on : 229F600E

Press F9 ==> Dump ESP ==> select 4 bytes from dump ==>
Set Hard BP on access DWORD ==> press Shift+F9 ==> Olly stops here :

/*229F60E5*/ POP EBP
/*229F60E6*/ MOV EAX,DWORD PTR SS:[EBP+340C]
/*229F60EC*/ POP EBP
/*229F60ED*/ JMP EAX // Jmp to OEP
/*229F60EF*/ MOV ESI,340C
/*229F60F4*/ ADD ESI,EBP

Press F7 F7 F7 F7 ==> now we are in OEP :

/*22811360*/ POP EDX // OEP
/*22811361*/ PUSH osenxpsu.2296C9B4
/*22811366*/ PUSH osenxpsu.2296C9B8
/*2281136B*/ PUSH EDX
/*2281136C*/ JMP osenxpsu.22811358
/*22811371*/ ADD BYTE PTR DS:[EAX],AL
/*22811373*/ ADD BYTE PTR DS:[EAX+30000000],AH

Run LordPE ==> Select Loaddll.exe ==> Select osenxpsuite2005.ocx ==> Full Dump.

Run ImpRec ==> Select Loaddll.exe from process ==> Pick DLL ==> Select osenxpsuite2005.ocx

OEP = 22811360-ImageBase = 22811360-22810000 = 1360 ==> IAT Auto Search ==>
Get Imports ==> Fix Dump.

Target compiled with VB6 (P-code) & cracking is easy.
Attached Files
File Type: zip OsenXpSuite2005-InlinePatch.zip (3.5 KB, 11 views)
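Added example, not part of Magic_h2001's post: the header arithmetic behind the walkthrough, written as a static triage check. It parses PE32 headers, converts the post's addresses to RVAs, and flags an entry point that lies outside the first section. The section names and layout in the constructed sample are assumptions; only ImageBase, EP and OEP come from the post.

```python
import struct

def va_to_rva(va, image_base):
    """RVA = VA - ImageBase, the form import-rebuilding tools expect for the OEP."""
    if va < image_base:
        raise ValueError("address is below the image base")
    return va - image_base

def parse_pe32(data):
    """Return (image_base, entry_rva, [(name, rva, vsize), ...]) from PE32 headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsects, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24                                         # optional header start
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsects):
        name, vsize, rva = struct.unpack_from("<8sII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), rva, vsize))
    return image_base, entry_rva, sections

def section_index(rva, sections):
    """Index of the section containing rva, or None if it falls outside all of them."""
    for i, (_, start, size) in enumerate(sections):
        if start <= rva < start + size:
            return i
    return None

def entry_outside_first_section(entry_rva, sections):
    """Triage heuristic only: flags an entry point that is not in the first section."""
    return section_index(entry_rva, sections) != 0

def build_sample():
    """Constructed headers: ImageBase/EP are the post's values, sections are assumed."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x2102)
    opt = struct.pack("<HBB7I", 0x10B, 6, 0, 0, 0, 0, 0x1E6000, 0x1000, 0x1000,
                      0x22810000).ljust(0xE0, b"\0")
    sects = b"".join(struct.pack("<8sII", n, size, rva).ljust(40, b"\0")
                     for n, rva, size in ((b"code", 0x1000, 0x1E5000),
                                          (b"stub", 0x1E6000, 0x4000)))
    return dos + b"PE\0\0" + coff + opt + sects
```

With the post's values, EP 229F6000 maps to RVA 1E6000 and OEP 22811360 to RVA 1360, so the check flags the file's entry point and not its OEP.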