@axl936
AFAIK registration at tuts4you is open. Unpacking different targets is well covered there. The post was a little long with having to solve a problem with the Olly setup, etc. Here is a shortened version of what I posted with some selective editing.
mpress is easy to unpack as there is very little to prevent unpacking. There is a generic pattern that can be used: RET JMP, step, POPAD JMP = OEP. There are Olly scripts that will do this. Load the packed file in Olly. Scroll down in Olly until the code goes to all null bytes, scroll back up and you will see RET followed by JMP (C3 E9). Break on the JMP and run. Step in after the break. Scroll down in Olly again looking for the POPAD followed by JMP (61 E9). Break on the JMP and run. The JMP destination is your OEP. Step once and you are at OEP. Dump and rebuild your target. It should run, but this app is compiled with MS VC++ and uses floating point literal constants. Your dump will have an R6002 error msg.
The problem of the R6002 error can be seen across other packers also. If UPX was used to pack the same file and you dumped it, the same error would occur in your dump. Just like mpress, your dump would have all the sections placed into the first section, .UPX0. If you used the UPX -d flag or a program like PE Explorer, the unpacked UPX file would not have the error. This is because a copy of the original PE header would be used to rebuild it back to the original sections. mpress doesn't include this, so you would have to rebuild the original sections manually.
This blog posting covers the problem of MSVC++ floating point that packers have to deal with. It has an example, not packed, to demonstrate the problem and how to track it. Read this to get an understanding of the R6002.
http://nezumi-lab.org/blog/?p=73
Ghandi posted some more in-depth details on the tuts4you thread with other code listing examples. I'm only quoting a small portion of Ghandi's post.
Quote Ghandi
But it is sufficient to say that the following check is performed and if the call to _IsNonwritableInCurrentImage returns FALSE, it will throw that error. The fix is simple when the sections haven't been mangled: just change the permissions of '.rdata' to read only, and if the sections have been mangled you can always patch the code itself to bypass this check.
Code:
013E30C1 391D A8573E01 cmp dword ptr [__dyn_tls_init_callback],ebx
013E30C7 74 19 je short 013E30E2
013E30C9 68 A8573E01 push offset __dyn_tls_init_callback
013E30CE E8 BD040000 call _IsNonwritableInCurrentImage
013E30D3 59 pop ecx
013E30D4 85C0 test eax,eax
013E30D6 74 0A je short 013E30E2
For a better understanding of what was going on, I used the example of the R6002 bug from that blog posting and packed it with mpress 2.17. Attached below with the original source.
mpress takes all the sections and places them into one; the resource mappings are kept in their own section but the raw resources are placed into the .mpress1 section. The .mpress2 section is packer code. If you change permissions to read only on .mpress1 of your dump, you are changing it for all the original sections and the app will crash with a different error. The packer is dealing with the same problem of the .rdata section; this is why the app doesn't crash while packed.
Basically a section of the file's PE header will be read and checked for what permission attributes it has. It does not verify the permissions of the section as it is actually loaded in memory, just the PE header. If the attributes of the section are read only then EAX = 00000001 on the RET from the call. When TEST EAX, EAX is performed, the next conditional jump JE SHORT will not jump. If EAX = 00000000, JE SHORT will jump, causing the R6002 msg. You can see this in the same code above from Ghandi @013E30D6. In testing with other examples of this, the result is the same.
So how you patch it is up to you, just so the call causing the error msg is not the next instruction after JE SHORT. Using the packed demo and the breakpoint method from the blog, I added some observation notes. Follow the same method with your Gearotic target and you will come to the same solution.
Code:
0040719E PUSH r6002dum.0041D680
004071A3 CALL r6002dum.0040E780
0040E780 MOV EDI, EDI
0040E782 PUSH EBP
......
......
0040E7D5 PUSH EAX
0040E7D6 PUSH r6002dum.00400000 ; Image base
0040E7DB CALL <r6002dum.ReadThePESections> ;0040E730
0040E730 MOV EDI, EDI ;<ReadThePESections>
0040E732 PUSH EBP
0040E733 MOV EBP, ESP
0040E735 MOV EAX, DWORD PTR [EBP+8] ; Stack SS:[0018FF0C]=00400000
0040E738 MOV ECX, DWORD PTR [EAX+3C] ; 0040003C ; Offset to PE signature
0040E73B ADD ECX, EAX ; [00400054]
0040E73D MOVZX EAX, WORD PTR [ECX+14] ; 00400054 ; SizeOfOptionalHeader = E0 (224.)
0040E741 PUSH EBX
0040E742 PUSH ESI ; [00400046]
0040E743 MOVZX ESI, WORD PTR [ECX+6] ; 00400046 ; NumberOfSections = 4
0040E747 XOR EDX, EDX
0040E749 PUSH EDI
0040E74A LEA EAX, DWORD PTR [EAX+ECX+18] ; 00400138 Address=00400138, (ASCII ".MPRESS1")
0040E74E TEST ESI, ESI
0040E750 JBE SHORT r6002dum.0040E76D
0040E752 MOV EDI, DWORD PTR [EBP+C]
0040E755 MOV ECX, DWORD PTR [EAX+C] ; 00400144 ; VirtualAddress = 1000
0040E758 CMP EDI, ECX
0040E75A JB SHORT r6002dum.0040E765
0040E75C MOV EBX, DWORD PTR [EAX+8] ; 00400140 ; VirtualSize = 26000 (155648.)
0040E75F ADD EBX, ECX ; ECX=00001000 EBX=00026000
....
....
0040E772 POP EBP
0040E773 RET ; RET to 0040E7E0
0040E7E0 ADD ESP, 8
0040E7E3 TEST EAX, EAX
0040E7E5 JE SHORT r6002dum.0040E822 ; EAX+24 below is where your breakpoint should have brought you from blog post
0040E7E7 MOV EAX, DWORD PTR [EAX+24] ; DS:[0040015C]=E00000E0; Characteristics = CODE|INITIALIZED_DATA|UNINITIALIZED_DATA|EXECUTE|READ|WRITE
0040E7EA SHR EAX, 1F
0040E7ED NOT EAX
0040E7EF AND EAX, 1 ; EAX becomes 00000000
0040E7F2 MOV DWORD PTR [EBP-4], -2
0040E7F9 MOV ECX, DWORD PTR [EBP-10]
0040E7FC MOV DWORD PTR FS:[0], ECX
....
....
0040E809 POP EBP
0040E80A RET ; Return to 004071A8
004071A8 POP ECX ;
004071A9 TEST EAX, EAX ; Test EAX, if 0 we jump on JE to the error msg
004071AB JE SHORT r6002dum.004071B7 ; If no jump the .section is read only, no error msg
004071AD PUSH DWORD PTR [EBP+8] ; Patch JE to nop or inc eax before test so no jump
004071B0 CALL DWORD PTR [41D680] ;
Anyway, that is pretty much the posts summed up into one. Hope that explains it easier.
Credits to Ghandi (ARTeam) and the KPNC blog post explaining the R6002 error.
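Added example, not part of the post above and not the CRT's, mpress's or Ghandi's own code: a C reimplementation of the header walk the listing shows, reading the same offsets the disassembly dereferences (e_lfanew at 0x3C, NumberOfSections at NT+6, SizeOfOptionalHeader at NT+0x14, the section table at NT+0x18+SizeOfOptionalHeader, Characteristics at +0x24 of each 40-byte section header) and finishing with the same SHR 1F / NOT / AND 1 test on the write bit. The PE header bytes are constructed in memory (no real binary is read), the two-section mpress layout is a simplification of the dump described in the post, and the RVA 0x2000 is an assumed stand-in for where __dyn_tls_init_callback lands in .rdata. It also shows the header-only fix from the post: clearing IMAGE_SCN_MEM_WRITE on the section header that holds that address.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_DOS_SIGNATURE 0x5A4Du
#define IMAGE_NT_SIGNATURE  0x00004550u
#define IMAGE_SCN_MEM_WRITE 0x80000000u
#define IMAGE_HDR_BYTES     0x200          /* room for DOS+NT headers and a few sections */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Mirror of the CRT's _FindPESection (ReadThePESections in the listing):
   walk the section table and return the header whose
   [VirtualAddress, VirtualAddress+VirtualSize) covers rva, else NULL. */
uint8_t *find_pe_section(uint8_t *image, uint32_t rva)
{
    uint8_t *nt = image + rd32(image + 0x3C);           /* MOV ECX,[EAX+3C]; ADD ECX,EAX */
    uint16_t nsec = rd16(nt + 0x06);                    /* NumberOfSections */
    uint8_t *sec = nt + 0x18 + rd16(nt + 0x14);         /* LEA EAX,[EAX+ECX+18] */
    for (uint16_t i = 0; i < nsec; i++, sec += 0x28) {
        uint32_t va = rd32(sec + 0x0C);                 /* VirtualAddress */
        uint32_t vs = rd32(sec + 0x08);                 /* VirtualSize */
        if (rva >= va && rva < va + vs)
            return sec;
    }
    return NULL;
}

/* Mirror of _IsNonwritableInCurrentImage: 1 when the header says the section is
   not writable, 0 otherwise (including "no section found"). Only the header
   is consulted; the real page protection of the mapped section is never checked. */
int is_nonwritable_in_image(uint8_t *image, uint32_t rva)
{
    if (rd16(image) != IMAGE_DOS_SIGNATURE) return 0;
    uint8_t *nt = image + rd32(image + 0x3C);
    if (rd32(nt) != IMAGE_NT_SIGNATURE) return 0;
    uint8_t *sec = find_pe_section(image, rva);
    if (sec == NULL) return 0;                          /* TEST EAX,EAX; JE -> 0 */
    uint32_t ch = rd32(sec + 0x24);                     /* MOV EAX,[EAX+24]  Characteristics */
    return (int)((~(ch >> 31)) & 1u);                   /* SHR EAX,1F; NOT EAX; AND EAX,1 */
}

/* The header-only fix from the post: clear IMAGE_SCN_MEM_WRITE on the section
   header that holds rva. Returns 1 if a header was patched. */
int make_section_readonly(uint8_t *image, uint32_t rva)
{
    uint8_t *sec = find_pe_section(image, rva);
    if (sec == NULL) return 0;
    wr32(sec + 0x24, rd32(sec + 0x24) & ~IMAGE_SCN_MEM_WRITE);
    return 1;
}

static void put_section(uint8_t *sec, const char *name, uint32_t va, uint32_t vsize, uint32_t chars)
{
    memset(sec, 0, 0x28);
    memcpy(sec, name, strlen(name) > 8 ? 8 : strlen(name));
    wr32(sec + 0x08, vsize);
    wr32(sec + 0x0C, va);
    wr32(sec + 0x24, chars);
}

/* Constructed header image (assumption, not bytes from a real file).
   packed == 0: a normal MSVC layout with a read-only .rdata.
   packed != 0: simplified mpress dump, everything in one RWX .MPRESS1 (E00000E0). */
void build_image(uint8_t *image, int packed)
{
    memset(image, 0, IMAGE_HDR_BYTES);
    wr16(image, IMAGE_DOS_SIGNATURE);
    wr32(image + 0x3C, 0x40);                           /* e_lfanew */
    uint8_t *nt = image + 0x40;
    wr32(nt, IMAGE_NT_SIGNATURE);
    wr16(nt + 0x04, 0x014C);                            /* Machine = i386 */
    wr16(nt + 0x14, 0xE0);                              /* SizeOfOptionalHeader = E0 */
    wr16(nt + 0x18, 0x010B);                            /* PE32 magic */
    uint8_t *sec = nt + 0x18 + 0xE0;                    /* first section header at 0x138, as in the listing */
    if (packed) {
        wr16(nt + 0x06, 2);
        put_section(sec,        ".MPRESS1", 0x1000,  0x26000, 0xE00000E0u);
        put_section(sec + 0x28, ".MPRESS2", 0x27000, 0x1000,  0xE00000E0u);
    } else {
        wr16(nt + 0x06, 3);
        put_section(sec,        ".text",  0x1000, 0x1000, 0x60000020u);  /* CODE|EXECUTE|READ */
        put_section(sec + 0x28, ".rdata", 0x2000, 0x1000, 0x40000040u);  /* INITIALIZED_DATA|READ */
        put_section(sec + 0x50, ".data",  0x3000, 0x1000, 0xC0000040u);  /* INITIALIZED_DATA|READ|WRITE */
    }
}

int main(void)
{
    uint8_t image[IMAGE_HDR_BYTES];
    uint32_t tls_rva = 0x2000;                          /* assumed RVA of __dyn_tls_init_callback */
    build_image(image, 0);
    printf("unpacked .rdata  -> %d (1 = no R6002)\n", is_nonwritable_in_image(image, tls_rva));
    build_image(image, 1);
    printf("mpress dump      -> %d (0 = R6002)\n", is_nonwritable_in_image(image, tls_rva));
    make_section_readonly(image, tls_rva);
    printf("after header fix -> %d\n", is_nonwritable_in_image(image, tls_rva));
    return 0;
}
```

Because the check only reads Characteristics out of the header, the single-section dump fails it even though the loader mapped the section fine, and clearing the write bit on .MPRESS1 satisfies it. On a real dump that same bit also governs how the loader maps the page, so the original .data living inside .MPRESS1 would then fault on its first write, which is the "different error" the post warns about; for a mangled layout the JE patch, or rebuilding the original section table, is the way out.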