UnPacking : Crunch/PE -> Bit-Arts .OCX
Target : osenxpsuite2005.ocx - hxxp://www.osenxpsuite.net
Difficulty : Easy
Tools needed : WinXP sp2 - Olly - LordPE - ImpRec
ImageBase : 22810000
EP : 229F6000

open target in olly :

/*229F6000*/ PUSH EBP
/*229F6001*/ CALL 229F6006
/*229F6006*/ POP EBP
/*229F6007*/ SUB EBP,6
/*229F600A*/ MOV EAX,EBP
/*229F600C*/ PUSH EBP
/*229F600D*/ PUSHAD
/*229F600E*/ MOV DWORD PTR SS:[EBP+3410],EBP // Set BP on this line
/*229F6014*/ SUB EAX,DWORD PTR SS:[EBP+33EB]
/*229F601A*/ MOV DWORD PTR SS:[EBP+249F],EAX

Set BP on : 229F600E
press F9 ==> Dump ESP ==> select 4 byte from dump ==> Set Hard BP on access DWORD ==> press Shift+F9 ==> Olly stop here :

/*229F60E5*/ POP EBP
/*229F60E6*/ MOV EAX,DWORD PTR SS:[EBP+340C]
/*229F60EC*/ POP EBP
/*229F60ED*/ JMP EAX // Jmp to OEP
/*229F60EF*/ MOV ESI,340C
/*229F60F4*/ ADD ESI,EBP

Press F7 F7 F7 F7 ==> now we are in OEP :

/*22811360*/ POP EDX // OEP
/*22811361*/ PUSH osenxpsu.2296C9B4
/*22811366*/ PUSH osenxpsu.2296C9B8
/*2281136B*/ PUSH EDX
/*2281136C*/ JMP osenxpsu.22811358
/*22811371*/ ADD BYTE PTR DS:[EAX],AL
/*22811373*/ ADD BYTE PTR DS:[EAX+30000000],AH

Run LordPE ==> Select Loaddll.exe ==> Select osenxpsuite2005.ocx ==> Full Dump.

Run ImpRec ==> Select Loaddll.exe from process ==> Pick DLL ==> Select osenxpsuite2005.ocx
OEP = 22811360-ImageBase = 22811360-22810000 = 1360 ==> IAT Auto Search ==> Get Imports ==> Fix Dump.

target compiled with VB6(Pcode) & cracking easy.