Unpack mpress 1.2xx

[axl936]

Hi !
someone have info/tool/tutorial/other to unpack/reverse an executable protect with matcode mpress product ?
Bye

[zementmischer]

mpress doesn't use any tricks to make unpacking hard.
Hence any tutorial about manual unpacking upx also applies to mpress (just use the ESP trick).

[mm10121991]

as zementmischer said it is like upx
check this tut on tuts4you

PHP Code:

http://tuts4you.com/download.php?view.2227 


but if you want more help post your target and will try to help you

[giv]

Check this out.

From SunBeam

Quote:

Just a heads-up - from what I tested with latest version, all one needs to do is F7 over first PUSHAD, hardware breakpoint on ESP, on access, then Shift+F9. And you'll land at JMP to OEP T_T.. Reminds me of UPX..

[axl936]

Hi !
Many thanks to everyone reply me..
I'm a absolute beginner in exewarez , tracing and patching..

My target is this (the Development version..)

http://www.gearotic.com/downloads.html

Any help is greatly appreciated, and I can learn something ..

[giv]

Here is the OEP.
Just watch the video.

[RedBlkJck]

Quote:

Originally Posted by axl936

Hi !
Many thanks to everyone reply me..
I'm a absolute beginner in exewarez , tracing and patching..

My target is this (the Development version..)

http://www.gearotic.com/downloads.html

Any help is greatly appreciated, and I can learn something ..

This was the target that was just discusssed for a user on tuts4you.
..http://forum.tuts4you.com/topic/29562-i-have-a-rogue-program-i-cant-figure-out-what-it-is/

Your dumps will not run without some tweaking because all the code sections are located in .mpress1 unpacked. This causes an r6002 error msg for your dumps. You must patch the header check for .rdata or remap/rebuild the pe header mpress sections back .text .rdata .data. If you can't get access to the post let me know. - jack

[axl936]

Quote:

Originally Posted by RedBlkJck

This was the target that was just discusssed for a user on tuts4you.
..http://forum.tuts4you.com/topic/29562-i-have-a-rogue-program-i-cant-figure-out-what-it-is/

Your dumps will not run without some tweaking because all the code sections are located in .mpress1 unpacked. This causes an r6002 error msg for your dumps. You must patch the header check for .rdata or remap/rebuild the pe header mpress sections back .text .rdata .data. If you can't get access to the post let me know. - jack

Hi
effectively i can't access to the post..

@zementmischer
Thanks for the work done, but I'd like to understand how you did it ..
Can you explain me ?

[zementmischer]

And here's the unpacked exe:
hxxp://www.mediafire.com/download.php?g30hjuz8jdgkzlc

unpacking was a lil' bit harder than expected due to a darn R6002 exception

[axl936]

Hi !
WOW !!
not one, but 2, SUPER RAPID solutions !!

I would give the award ex-aequo to both.. giv and zementmischer

many thanks again..

now i can try to "cure" him !!
Can I get help if I need it?
Bye
Axel

[zementmischer]

Wow, choosing a target that depends on a digitally signed license is probably the most sophisticated way to start rce'ing
I guess the best way to break its protection would be to generate your own public/private key pair using MS' CSP and replace the public key BLOB inside the exe (resource id 163) with your own one.
Use the private key to code a simple keygen (you'll also need it to RE the license file format - but from what I saw the format isn't too complicated)
The main advantage of this approach is that you can crack future versions by just replacing its BLOB resource with your own one.
You'll quickly find the license handler if you look for references to CryptAcquireContextW, CryptImportKey and CryptDecrypt.

[zementmischer]

@axl936: Here's a link to an already patched version (proof-of-concept).
I did create my own RSA key pair, replaced the private key of the target with my own one and used my public key to make a valid license.
Btw. my first guess regarding DSA was a lil' bit wrong - the target actually uses an RSA cipher with 1024bit.

@RedBlkJck: I opted for the first method - splitting sections and rebuilding the PE image is a far more time consuming task than setting a hwbp at the section flags inside the PE header

[RedBlkJck]

@zementmischer I hear ya. I spent a little time looking to rebuild it. The packer code start point has been the end of the text section in my testing with other mpress files. IE betwen the 2 JMPs routines, packer code. I was looking for some patterns to identify it easier. Sometimes there is a pointer of the amount of bytes to the next section from the .text section. mpress2 is all packer code can be removed. You can easily see where the resource mapping was moved from the original code. But it isn't as convenient as UPX including a copy of the original PE section. Anyway here is my mapping of my dump for this target if you are interested.

Name VirtSize VirtAddr SizeRaw PtrRaw Flags Pointing Directories
-------------------------------------------------------------------------------------------
.text 001E3000h 00401000h 001E2200h 00000200h E00000E0h
.rdata 00063000h 005E4000h 00062000h 001E2400h 40000040h Delay Import Descriptor
.data 00009000h 00647000h 00009000h 00244400h C0000040h
.rsrc 005A0000h 00650000h 0059F200h 0024D400h C0000040h Resource Table
.ImpFix 00005000h 00BF0000h 00004400h 007EC600h C0000040h Import Table

[giv]

I thought to make a loader....but your sollution was excelent.

[WilliamElts]

If the application is written on .NET, you can use de4dot version 1.9.0 to deobfuscate.