|
|
#16
08-03-2012, 01:46
|
|||
|
|||
|
@axl936
AFAIK registration at tuts4you is open. Unpacking different targets are well covered there. The post was a little long with having to solve a problem with olly setup, etc. Here is a shortened version of what I posted with some selective editing. mpress is easy to unpack as there is very little to prevent unpacking. There is a generic pattern that can be used RET JMP, step, POPAD JMP = OEP There are olly scripts that will do this. Load the packed file in Olly. Scroll down in Olly until the code goes to all null bytes, scroll back up and you will see RET followed by JMP C3E9. Break on JMP and run. Step in after break. Scroll down in Olly again looking for the POPAD followed by JMP 61E9. Break on JMP and run. The JMP destination is your OEP. Step once and you are at OEP. Dump and rebuild your taget. It should run but this app is compiled with MS VC++ and uses floating point literal constants. Your dump will have a R6002 error msg. The problem of R6002 error can be seen across other packers also. If UPX was used to pack the same file and you dumped it, the same error would occur in your dump. Just like Mpress your dump would have all the sections placed into the first section .UPX0 If you used UPX -d flag or a program like PE Explorer the unpacked UPX file would not have the error. This is because a copy of the original PE would be used to rebuild it back to the origial sections. Mpress doesn't include this so you would have to rebuild the original sections manualy. This blog posting covers the problem of MSVC++ floating point that packers will have to deal with. It has an example not packed to demostrate the problem and how to track it. Read this to get an understanding of the R6002. http://nezumi-lab.org/blog/?p=73 Ghandi posted some more indepth details on the tuts4you thread with other code list examples. I'm only quoting a small portion of ghandi's post. Quote Ghandi But it is sufficient to say that the following check is performed and if the call to IsNonWiteableInCurrentImage returns FALSE, it will throw that error. The fix is simple when the sections haven't been mangled, just change the permissions of '.rdata' to read only and if the sections have been mangled you can always patch the code itself to bypass this check. PHP Code:
Mpress takes all the sections and places them into one, the resource mappings are kept in their own section but the raw resources are placed into mpress1 section. .mpress2 section is packer code. If you change permissions to read only on .mpress1 of your dump, you are changing it for all the original sections and the app will crash with different error. The packer is dealing with the same problem of the rdata section, this is why the app doesn't crash while packed. Basically a section of the file PE header will be read and checked for what permission attributes it has. It does not verify the permissions of the section as it is actually loaded in memory, just the PE. If the attributes of the section is read only then EAX = 00000001 on the RET to the call. When TEST EAX, EAX is performed, the next conditional jump JE SHORT will not jump. If EAX = 00000000 JE SHORT will JMP causing the R6002 msg. You can see this in the same code above from Ghandi @013E30D6. In testing with other examples of this, the result is the same. So how you patch it is up to you. Just so the call causing the error msg is not the next instruction at JE SHORT. Using the packed demo and the break point method from the blog, I added some observation notes. Follow the same method with your Gearotic target and you will come to the same solution. PHP Code:
Credits to Ghandi (ARTeam) and KPNC blog post explaining the R6002 error. 
|
| The Following 3 Users Gave Reputation+1 to RedBlkJck For This Useful Post: | ||
|
|
Threaded Mode